doc:howto:ipv6

Differences

This shows you the differences between two versions of the page.

doc:howto:ipv6 [2012/11/07 16:39]
tag Added information on static IP assignment in DHCP
doc:howto:ipv6 [2014/09/18 23:53] (current)
glphvgacs ip6prefix required, password !required
Line 1: Line 1:
-====== IPv6 HowTo on Backfire and later ====== +====== IPv6 HowTo for Backfire and Attitude Adjustment until 12.09 ====== 
-| {{:​meta:​icons:​tango:​48px-construction.svg.png?​nolink}} | This guide is not yet complete, don't hesitate ​to ask for help on the IRC channel #openwrt |+| {{:​meta:​icons:​tango:​48px-construction.svg.png?​nolink}} | This guide DOES not apply to Attitude Adjustment AFTER 12.09, Barrier Breaker or any other upcoming releases. See [[doc/​uci/​network6|OpenWrt native IPv6-stack]] ​for new documentation. |
  
-Please see ->[[doc:howto:ipv6.theory]] for a load of links to IPv6 related documentation.+| {{:meta:icons:​tango:​dialog-warning.png?​nolink}} | Please make sure that ip6tables is installed and enabled before setting up ipv6 interfaces! <​code>​ opkg update && opkg install ip6tables kmod-ip6tables && fw restart </​code>​ |
  
-===== Obtain IPv6 support ===== +Please also see ->[[doc:​howto:​ipv6.theory]] for a load of links to IPv6 related documentation.
-Follow ​[[doc:​howto:​ipv6.essentials]] to obtain full IPv6 support. Then come back and read about the configuration here: +
- +
-There are two big, different steps: +
-  - Set up a working IPv6 connection on the OpenWrt router, either by tunneling (SixXs, TSP, 6to4), or natively. +
-  - Propagate the IPv6 subnet to the LAN with [[#RADVD]] or [[#DHCPv6]].+
  
 ==== Native IPv6 access ==== ==== Native IPv6 access ====
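Review bot: Deleting the "Obtain IPv6 support" block removes the only link to [[doc:howto:ipv6.essentials]] and the two-step outline (bring up IPv6 on the router, then propagate it to the LAN), and nothing in the added rows replaces it. Keep a one-line pointer to the essentials page next to the new ip6tables warning, and have that warning say why ip6tables must be in place before the interfaces come up, so readers do not treat it as optional. The banner's "DOES not apply" should read "does not apply".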
Line 42: Line 37:
  **option mtu 1452**  **option mtu 1452**
 ''​| ''​|
- 
 ==== 6in4 tunneling ==== ==== 6in4 tunneling ====
 [[http://​en.wikipedia.org/​wiki/​6in4|6in4]] is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration. [[http://​en.wikipedia.org/​wiki/​6in4|6in4]] is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.
Line 55: Line 49:
 === Requirements === === Requirements ===
 The package **6in4** must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later. The package **6in4** must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.
-  ​opkg update && opkg install 6in4+<​code>​opkg update && opkg install 6in4</​code>​
  
 Notes: Notes:
Line 81: Line 75:
  option proto 6in4  option proto 6in4
  option peeraddr ​ '​216.66.80.30'​  option peeraddr ​ '​216.66.80.30'​
- option ip6addr ​  '​2001:​0db8:​1f0a:​1359::​2/​64'​+ option ip6addr ​  '​2001:​0db8:​1f0**__a__**:​1359::​2/​64'​ 
 +        # see notes below for why ip6prefix is required 
 + option ip6prefix '​2001:​0db8:​1f0**__b__**:​1359::​2/​64'​
  option tunnelid ​ '​12345'​  option tunnelid ​ '​12345'​
- option username ​ '14c4b06b824ec593239362517f538b29+ option username ​ 'username
- option password ​ '5f4dcc3b5aa765d61d8327deb882cf99'+        # you no longer need to use your portal password (see notes below) 
 +option password ​ 'password'​ 
 + # use updatekey for security 
 +        option updatekey '​updatekey'
 ''​| ''​|
  
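Review bot: The new "option ip6prefix" value '2001:0db8:1f0b:1359::2/64' is written as a host address; a prefix should carry no host part, i.e. '2001:0db8:1f0b:1359::/64', which also makes the contrast with the 1f0a tunnel address in ip6addr clearer. The example sets both "option password" and "option updatekey" directly under a comment saying the portal password is no longer needed; show only updatekey in the sample so readers do not store their account password in /etc/config/network, and restore the indentation on the password line if it stays. The **__a__** / **__b__** emphasis sits inside the quoted addresses and will be copied along with them, so the a/b difference is better explained in the notes than marked inside the value.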
Line 91: Line 90:
   * **216.66.80.30** ​ is the remote IPv4 address (the other side of the tunnel)   * **216.66.80.30** ​ is the remote IPv4 address (the other side of the tunnel)
   * **2001:​0db8:​1f0a:​1359::​2/​64** is the local IPv6 tunnel endpoint (labeled "​Client IPv6 Address"​ on the Tunnel Details page in your HE account).   * **2001:​0db8:​1f0a:​1359::​2/​64** is the local IPv6 tunnel endpoint (labeled "​Client IPv6 Address"​ on the Tunnel Details page in your HE account).
-  ​* **tunnelid****username**, ​and **password** are provided by the tunnel broker. \\ \\ :!: For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see [[https://ipv4.tunnelbroker.net/ipv4_end.php|https:​//ipv4.tunnelbroker.net/​ipv4_end.php]]+as of change set 41358 
 +  ​* **tunnelid** ​is provided by the tunnel broker.  
 +  * **username**,​ **password** and **updatekey** are the **//plain text//**  entries from your HE Tunnel Broker account. 
 +and the following no longer applies
  
-:!: Note that Hurricane Electric ​has changed their dynamic negotiation protocoland the 6in4 package ​is not yet (August 2011updated accordinglySee [[https://dev.openwrt.org/ticket/​10019|discussion ​in ticket 10019]]. Based on the discussion HE users need to install the wget package ​to get HTTPS support ​in wget and possibly also modify the URL in 6in4 script.+<del>:!: For Hurricane Electric ​tunnels, the username ​is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account ​(called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see [[http://ipv4.tunnelbroker.net/ipv4_end.php|http://​ipv4.tunnelbroker.net/​ipv4_end.php]]</​del>​ 
 + 
 +:!: (from notes here [[doc/​uci/​network#​protocol.dhcpv6]]) HE.net has introduced updatekey as default for new tunnels ​in February 2014. 
 + 
 +:!: (from notes here [[doc/​uci/​network#​protocol.dhcpv6]]) although ip6prefix isn't required, sourcerouting,​ enabled by default, will prevent forwarding of packets unless ip6prefix is specified. 
 + 
 + 
 +With Attitude Adjustment, once you have added the above interface definition you have to run /​etc/​init.d/​network restart ​in order to have it effected.
  
 This tunnel, like a VPN, creates a third network interface, called **henet** in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully. This tunnel, like a VPN, creates a third network interface, called **henet** in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully.
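Review bot: The new bullet calls username, password and updatekey all "plain text entries from your HE Tunnel Broker account" without saying which of them are needed together, while the comment in the example config says the portal password is no longer needed; state that updatekey replaces password and recommend it, since the alternative is keeping the account password in clear text on the router. The second note says "although ip6prefix isn't required" but the example comment and the revision summary both say it is required; pick one wording, for example "optional for the tunnel itself, needed for forwarding LAN traffic". "as of change set 41358" and "and the following no longer applies" are bare fragments between list items and break the list, both notes link to the #protocol.dhcpv6 anchor although they are about 6in4, and the struck-out paragraph changes the tunnelbroker.net link from https to http without comment.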
Line 121: Line 130:
  
 <​code>​ <​code>​
-opkg update +opkg update ​&& ​opkg install ip6tables kmod-ip6tables
-opkg install ip6tables kmod-ip6tables+
 </​code>​ </​code>​
  
Line 171: Line 179:
  
 ==== 6to4, 6rd ==== ==== 6to4, 6rd ====
 +(Note: This section lack the 6rd example, so this is for 6to4)
 +
 [[wp>​6to4]] is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.\\ [[wp>​6to4]] is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.\\
  
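Review bot: The added note says the section has no 6rd example, yet the heading still reads "6to4, 6rd"; either rename the heading to "6to4" or mark 6rd as a to-do so readers do not apply the 6to4 settings to a 6rd uplink. "This section lack" should be "This section lacks".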
Line 245: Line 255:
  
 (note: option '​target'​ '​DROP' ​ stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration) (note: option '​target'​ '​DROP' ​ stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration)
 +
 +//rem: In my configuration,​ lan interface did not obtain global ipv6 address automatically,​ while computers in lan did. Because of this ipv6 sites were available when accessing from router, but were inaccessible from lan. Manually adding global ipv6 address to lan interface solved this issue. For example: //
 +<​code>​ ifconfig lan-br 2002:​a5a6:​2131:​1::​1/​64 </​code>​ // for 2002:​a5a6:​2131::​1/​16 6rd address // 
 +
 +//hejnm1am: You need to install package '​ip'​ to fix this. See https://​dev.openwrt.org/​ticket/​14420.
 +Either install '​ip'​ package or change line 163 in /​lib/​netifd/​proto/​6to4.sh to use ifconfig.
 +//
 +
  
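Review bot: The example "ifconfig lan-br 2002:a5a6:2131:1::1/64" names the interface lan-br, while the rest of the page calls the bridge br-lan; confirm which is meant and use one name throughout. The trailing remark calls 2002:a5a6:2131::1/16 a "6rd address", but 2002::/16 is the 6to4 prefix and the note added at the top of this section says it covers 6to4 only. The remark should also say whether the address has to be made persistent, and "line 163 in /lib/netifd/proto/6to4.sh" will go stale as the script changes, so quote the line to be changed instead of its number.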
 ==== TSP Tunneling ==== ==== TSP Tunneling ====
Line 281: Line 299:
  **option prefixlen 64**  **option prefixlen 64**
  option ifprefix br-lan  option ifprefix br-lan
 +
 +:!: prefixlen 64 did not work for me; prefixlen 56 works !
   
  #DNS server list to which the reverse prefix  #DNS server list to which the reverse prefix
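Review bot: The ":!: prefixlen 64 did not work for me; prefixlen 56 works !" remark is inserted between "option ifprefix br-lan" and the "#DNS server list" comment, so it lands inside the configuration example and will be pasted as part of the config. Move it below the block, or turn it into a "#" comment next to "option prefixlen 64", and say what prefix size the broker assigned so readers can tell when 56 is the right value.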
Line 344: Line 364:
  
 :!: to be completed - please help ? :!: to be completed - please help ?
 +
 +==== IPv6 on softwire ====
 +
 +Some ISPs use so-called '''​softwires'''​ to provide IPv6 connectivity (e.g. SFR in France). It's basically L2TP + PPP on top of IPv4, see [[doc:​howto:​ipv6.softwire]].
  
 ===== Propagate IPv6 subnet to LAN ===== ===== Propagate IPv6 subnet to LAN =====
  
-Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the later, two options described below exist. Note that when using static WAN connection, you need to add lines+Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the latter, two options described below exist. Note that when using static WAN connection, you need to add lines
  
  option accept_ra 1  option accept_ra 1
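Review bot: '''softwires''' in the new "IPv6 on softwire" paragraph is MediaWiki bold markup; in this wiki's syntax '' starts monospace, so it should be written **softwires** like the other emphasis on the page.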
Line 373: Line 397:
 config prefix config prefix
  option interface '​lan'​  option interface '​lan'​
-If not specified, a non-link-local prefix of the interface is used +Optional: only necessary if the lan interface ​has multiple 
- **option prefix '​2001:​123:​456:​789::/​64'​** # Optional ​- only necessary if the lan interface has multiple global IP addresses assigned to it+ # global IP addresses assigned to it; or the subnet ​is larger than /64 
 + **option prefix '​2001:​123:​456:​789::/​64'​** # Optional
  **option ignore 0** # Or delete the line altogether  **option ignore 0** # Or delete the line altogether
         ​         ​
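Review bot: The rewritten comment above "option prefix" drops the statement of the default ("If not specified, a non-link-local prefix of the interface is used"), which is what tells a reader it is safe to omit the option. Keep that sentence alongside the new "only necessary if ..." text, and remove the trailing "# Optional" after the option, which now repeats the comment above it.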
Line 392: Line 417:
 /​etc/​init.d/​radvd start /​etc/​init.d/​radvd start
 </​code>​ </​code>​
 +
 +use logread to check for start up messages
  
 ==== wide-dhcpv6-server ==== ==== wide-dhcpv6-server ====
Line 398: Line 425:
 First, you need to install a DHCPv6 server First, you need to install a DHCPv6 server
  
-<​code>​ +<​code>​opkg update ​&& ​opkg install wide-dhcpv6-server</​code>​
-opkg update +
-opkg install wide-dhcpv6-server +
-</​code>​+
  
  
Line 408: Line 432:
 |''​config '​dhcp6s'​ '​basic'​ |''​config '​dhcp6s'​ '​basic'​
         **option '​enabled'​ '​1'​**         **option '​enabled'​ '​1'​**
-        option '​interface'​ '​lan'​+        option '​interface'​ 'br-lan'
         option '​config_file'​ '/​etc/​dhcp6s.conf'​         option '​config_file'​ '/​etc/​dhcp6s.conf'​
 ''​| ''​|
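Review bot: option 'interface' changes from the logical name 'lan' to the device name 'br-lan' with no explanation, while the radvd section on this page still uses option interface 'lan'. Add a comment saying that this option takes the device name (the troubleshooting command added later passes br-lan to dhcp6s), otherwise the next editor is likely to change one of the two to match the other.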
Line 419: Line 443:
  
 pool pool1 { pool pool1 {
-        range 2001:xxxx:yyyy:zzzz::1000 to 2001:xxxx:yyyy:zzzz:2000 ;+        range 2001:123:456:789::1000 to 2001:123:456:789::2000 ;
 }; };
 ''​| ''​|
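Review bot: The pool range now uses 2001:123:456:789::, which lies outside the 2001:db8::/32 documentation prefix that the 6in4 examples on this page use (2001:0db8:1f0a:1359::). Use a 2001:db8: address here, and in the matching static host entry, so that a copied example cannot collide with a real allocation.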
Line 428: Line 452:
 |''​host somehostname { |''​host somehostname {
    duid 00:​01:​02:​03:​04:​05:​06:​07:​08:​09:​10:​11:​12:​13;​    duid 00:​01:​02:​03:​04:​05:​06:​07:​08:​09:​10:​11:​12:​13;​
-   ​address 2001:xxxx:yyyy:zzzz::3000 infinity;+   ​address 2001:123:456:789::3000 infinity;
 }; };
 ''​| ''​|
Line 444: Line 468:
  
 Then restart the services and you're away (hopefully!) Then restart the services and you're away (hopefully!)
 +
 +== troubleshooting ==
 +
 +If ps does not show dhcp6s running then you can run it interactively:​
 +|dhcp6s -s /​etc/​dhcp6s.conf -d -f -D br-lan|
 +(where br-lan is your local lan interface). ​ Things to check include:
 +  - the network interface (br-lan in the above) does not match
 +  - typos in /​etc/​dhcp6s.conf
 +
  
 ==== dnsmasq-dhcpv6 ==== ==== dnsmasq-dhcpv6 ====
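Review bot: Under "Things to check include", the first item reads "the network interface (br-lan in the above) does not match" without saying what it has to match; name it, for example the interface given in the dhcp6s UCI section. The debug command is placed in a one-cell table ("|dhcp6s -s ... br-lan|") instead of the <code> block used for commands elsewhere on the page, which makes it awkward to copy, and its flags are left unexplained; a short gloss of each would help.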
Line 486: Line 519:
     * <​code>​logread | grep "​SLAAC-CONFIRM"</​code>​     * <​code>​logread | grep "​SLAAC-CONFIRM"</​code>​
     * This may return something like this if everything is working fine: <​code>​Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]:​ SLAAC-CONFIRM(br-lan) 2001:​0db8:​1f0b:​1359:​021d:​baff:​fe06:​3764 pc</​code>​     * This may return something like this if everything is working fine: <​code>​Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]:​ SLAAC-CONFIRM(br-lan) 2001:​0db8:​1f0b:​1359:​021d:​baff:​fe06:​3764 pc</​code>​
 +
 +==== Directly forward ISP's NDP proxy address to LAN ====
 +
 +It can help you, if your ISP give you /64 IPv6 address and radvd,​dhcpv6 useless for you.
 +Original idea by user ([[https://​forum.openwrt.org/​viewtopic.php?​pid=144797#​p144797|diway]]) from openwrt forum
 +This method idea is:
 + ​bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP).
 +
 +  *    Remove (radvd,​dhcpv6,​dnsmasqv6)or others that you install early when tryed methods above. And remove that options that you do at configuration files /​etc/​config/​network or otherone (repair "​before ipv6 state" of your deivce).
 +  *    Install ipv6 support and __ebtables__(if you haven'​t it at your repository, try beta or svn):
 +
 +| ''​opkg update && opkg install kmod-ipv6 ebtables
 +''​|
 +
 +** 1.** At first determine your WAN interface device name, and correct comands below(change **eth0.1** to your WAN device name). Edit __/​etc/​init.d/​network__,​ at end of **start()** section add thoose lines:
 +
 +| ''​ebtables -t broute -A BROUTING -i **eth0.1** -p ! ipv6 -j DROP
 +brctl addif br-lan **eth0.1**
 +''​|
 +
 +** 2.** At __/​etc/​config/​network__,​ make thoose:
 +
 +Add this on the "​config interface lan" section
 +| '' ​   option accept_ra ​   1
 +    option send_rs ​   1
 +''​|
 +Add this on the "​config interface wan" section
 +| '' ​ option accept_ra ​ 0
 +  option send_rs ​ 0
 +''​|
 +
 +** 3.** At __/​etc/​config/​firewall__,​ make thoose:
 +
 +Add this to the "​config defaults"​ section
 +| '' ​ option disable_ipv6 ​    0
 +''​|
 +
 +**4.** At __/​etc/​sysctl.conf__,​ make thoose:
 +
 +Add this at the end to enable firewalling on ipv6 even for bridged interfaces
 +| '' ​ net.bridge.bridge-nf-call-ip6tables=1
 +  net.bridge.bridge-nf-call-iptables=0
 +''​|
 +
 +**5.** If you need IPv6 firewalling ONLY! First install: ​
 +
 +| ''​opkg update && opkg install kmod-ip6tables ip6tables
 +''​|
 +
 +Then correct comands below(change **eth0.1** to your WAN device name). At __/​etc/​firewall.user__,​ add thoose lines:
 +| '' ​
 +# First, delete all:
 +ip6tables -F
 +ip6tables -X
 +
 +# Allow anything on the local link
 +ip6tables -A INPUT  -i lo -j ACCEPT
 +ip6tables -A OUTPUT -o lo -j ACCEPT
 +
 +# Allow anything out on the internet
 +ip6tables -A OUTPUT -o **eth0.1** -j ACCEPT
 +
 +# Allow Link-Local addresses
 +ip6tables -A INPUT -s fe80::/10 -j ACCEPT
 +ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
 +
 +# Allow multicast
 +ip6tables -A INPUT -s ff00::/8 -j ACCEPT
 +ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
 +
 +# Allow ICMPv6
 +ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
 +ip6tables -A INPUT  -p icmpv6 -j ACCEPT
 +ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 -m physdev ! --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -m physdev --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -m physdev --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-solicitation -m physdev --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-advertisement -m physdev --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -p icmpv6 --icmpv6-type router-advertisement -m physdev --physdev-in **eth0.1** -j ACCEPT
 +
 +# Allow forwarding
 +ip6tables -A FORWARD -m state --state NEW -m physdev ! --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -m state --state NEW -p tcp --dport 22 -m physdev --physdev-in **eth0.1** -j ACCEPT
 +ip6tables -A FORWARD -m state --state ESTABLISHED,​RELATED -j ACCEPT
 +ip6tables -N DROP
 +ip6tables -A DROP -j REJECT --reject-with icmp6-port-unreachable
 +
 +# Set the default policy
 +ip6tables -A INPUT -j DROP
 +ip6tables -A FORWARD -j DROP
 +ip6tables -A OUTPUT -j DROP
 +''​|
 +
 +
 +That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address.
  
 ==== DNS check and configuration ==== ==== DNS check and configuration ====
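Review bot: In the /etc/firewall.user block of step 5, the lines under "# Set the default policy" do not set a policy: they append "-j DROP" rules after "ip6tables -N DROP" has declared a user chain with the name of the built-in target, so it is unclear whether unmatched traffic is meant to be dropped or rejected with icmp6-port-unreachable; give the chain a different name and set the policy with "ip6tables -P". In the same block, the rate-limited echo-request rule is followed directly by "ip6tables -A INPUT -p icmpv6 -j ACCEPT", which makes the limit ineffective; the "Allow multicast" and "Allow Link-Local" rules match on source ("-s ff00::/8", "-s fe80::/10") on every interface, including the bridged WAN port, where multicast should be matched on destination with "-d" and link-local acceptance narrowed with "-i"; and the "--dport 22" FORWARD rule opens SSH from **eth0.1** to every LAN host without the text saying so. "ip6tables -F" and "-X" at the top also flush the IPv6 rules that step 3 turns on with "option disable_ipv6 0", which deserves a sentence. The prose needs a spelling pass ("thoose", "comands", "adress", "deivce", "roters").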
doc/howto/ipv6.1352302747.txt.bz2 · Last modified: 2012/11/07 16:39 by tag