Differences
This shows you the differences between two versions of the page.
|
doc:howto:ipv6 [2012/11/07 16:39] tag Added information on static IP assignment in DHCP |
doc:howto:ipv6 [2013/04/26 10:54] (current) steven |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| ===== Obtain IPv6 support ===== | ===== Obtain IPv6 support ===== | ||
| - | Follow [[doc:howto:ipv6.essentials]] to obtain full IPv6 support. Then come back and read about the configuration here: | + | :!: ** Barrier Breaker and later has native IPv6 support built into the default images. ** |
| - | There are two big, different steps: | + | See the [[/doc/uci/network6|IPv6 examples page]] for generic configuration examples. |
| - | - Set up a working IPv6 connection on the OpenWrt router, either by tunneling (SixXs, TSP, 6to4), or natively. | + | |
| - | - Propagate the IPv6 subnet to the LAN with [[#RADVD]] or [[#DHCPv6]]. | + | |
| ==== Native IPv6 access ==== | ==== Native IPv6 access ==== | ||
| Line 55: | Line 53: | ||
| === Requirements === | === Requirements === | ||
| The package **6in4** must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later. | The package **6in4** must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later. | ||
| - | opkg update && opkg install 6in4 | + | <code>opkg update && opkg install 6in4</code> |
| Notes: | Notes: | ||
| Line 92: | Line 90: | ||
| * **2001:0db8:1f0a:1359::2/64** is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account). | * **2001:0db8:1f0a:1359::2/64** is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account). | ||
| * **tunnelid**, **username**, and **password** are provided by the tunnel broker. \\ \\ :!: For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see [[https://ipv4.tunnelbroker.net/ipv4_end.php|https://ipv4.tunnelbroker.net/ipv4_end.php]] | * **tunnelid**, **username**, and **password** are provided by the tunnel broker. \\ \\ :!: For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see [[https://ipv4.tunnelbroker.net/ipv4_end.php|https://ipv4.tunnelbroker.net/ipv4_end.php]] | ||
| + | |||
| + | With Attitude Adjustment, once you have added the above interface definition you have to run /etc/init.d/network restart in order to have it effected. | ||
| :!: Note that Hurricane Electric has changed their dynamic negotiation protocol, and the 6in4 package is not yet (August 2011) updated accordingly. See [[https://dev.openwrt.org/ticket/10019|discussion in ticket 10019]]. Based on the discussion HE users need to install the wget package to get HTTPS support in wget and possibly also modify the URL in 6in4 script. | :!: Note that Hurricane Electric has changed their dynamic negotiation protocol, and the 6in4 package is not yet (August 2011) updated accordingly. See [[https://dev.openwrt.org/ticket/10019|discussion in ticket 10019]]. Based on the discussion HE users need to install the wget package to get HTTPS support in wget and possibly also modify the URL in 6in4 script. | ||
| Line 121: | Line 121: | ||
| <code> | <code> | ||
| - | opkg update | + | opkg update && opkg install ip6tables kmod-ip6tables |
| - | opkg install ip6tables kmod-ip6tables | + | |
| </code> | </code> | ||
| Line 281: | Line 280: | ||
| **option prefixlen 64** | **option prefixlen 64** | ||
| option ifprefix br-lan | option ifprefix br-lan | ||
| + | |||
| + | :!: prefixlen 64 did not work for me; prefixlen 56 works ! | ||
| #DNS server list to which the reverse prefix | #DNS server list to which the reverse prefix | ||
| Line 373: | Line 374: | ||
| config prefix | config prefix | ||
| option interface 'lan' | option interface 'lan' | ||
| - | # If not specified, a non-link-local prefix of the interface is used | + | # Optional: only necessary if the lan interface has multiple |
| - | **option prefix '2001:123:456:789::/64'** # Optional - only necessary if the lan interface has multiple global IP addresses assigned to it | + | # global IP addresses assigned to it; or the subnet is larger than /64 |
| + | **option prefix '2001:123:456:789::/64'** # Optional | ||
| **option ignore 0** # Or delete the line altogether | **option ignore 0** # Or delete the line altogether | ||
| Line 392: | Line 394: | ||
| /etc/init.d/radvd start | /etc/init.d/radvd start | ||
| </code> | </code> | ||
| + | |||
| + | use logread to check for start up messages | ||
| ==== wide-dhcpv6-server ==== | ==== wide-dhcpv6-server ==== | ||
| Line 398: | Line 402: | ||
| First, you need to install a DHCPv6 server | First, you need to install a DHCPv6 server | ||
| - | <code> | + | <code>opkg update && opkg install wide-dhcpv6-server</code> |
| - | opkg update | + | |
| - | opkg install wide-dhcpv6-server | + | |
| - | </code> | + | |
| Line 408: | Line 409: | ||
| |''config 'dhcp6s' 'basic' | |''config 'dhcp6s' 'basic' | ||
| **option 'enabled' '1'** | **option 'enabled' '1'** | ||
| - | option 'interface' 'lan' | + | option 'interface' 'br-lan' |
| option 'config_file' '/etc/dhcp6s.conf' | option 'config_file' '/etc/dhcp6s.conf' | ||
| ''| | ''| | ||
| Line 419: | Line 420: | ||
| pool pool1 { | pool pool1 { | ||
| - | range 2001:xxxx:yyyy:zzzz::1000 to 2001:xxxx:yyyy:zzzz:2000 ; | + | range 2001:123:456:789::1000 to 2001:123:456:789::2000 ; |
| }; | }; | ||
| ''| | ''| | ||
| Line 428: | Line 429: | ||
| |''host somehostname { | |''host somehostname { | ||
| duid 00:01:02:03:04:05:06:07:08:09:10:11:12:13; | duid 00:01:02:03:04:05:06:07:08:09:10:11:12:13; | ||
| - | address 2001:xxxx:yyyy:zzzz::3000 infinity; | + | address 2001:123:456:789::3000 infinity; |
| }; | }; | ||
| ''| | ''| | ||
| Line 444: | Line 445: | ||
| Then restart the services and you're away (hopefully!) | Then restart the services and you're away (hopefully!) | ||
| + | |||
| + | == troubleshooting == | ||
| + | |||
| + | If ps does not show dhcp6s running then you can run it interactively: | ||
| + | |dhcp6s -s /etc/dhcp6s.conf -d -f -D br-lan| | ||
| + | (where br-lan is your local lan interface). Things to check include: | ||
| + | - the network interface (br-lan in the above) does not match | ||
| + | - typos in /etc/dhcp6s.conf | ||
| + | |||
| ==== dnsmasq-dhcpv6 ==== | ==== dnsmasq-dhcpv6 ==== | ||
| Line 486: | Line 496: | ||
| * <code>logread | grep "SLAAC-CONFIRM"</code> | * <code>logread | grep "SLAAC-CONFIRM"</code> | ||
| * This may return something like this if everything is working fine: <code>Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc</code> | * This may return something like this if everything is working fine: <code>Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc</code> | ||
| + | |||
| + | ==== Directly forward ISP's NDP proxy address to LAN ==== | ||
| + | |||
| + | It can help you, if your ISP give you /64 IPv6 address and radvd,dhcpv6 useless for you. | ||
| + | Original idea by user ([[https://forum.openwrt.org/viewtopic.php?pid=144797#p144797|diway]]) from openwrt forum | ||
| + | This method idea is: | ||
| + | bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP). | ||
| + | |||
| + | * Remove (radvd,dhcpv6,dnsmasqv6)or others that you install early when tryed methods above. And remove that options that you do at configuration files /etc/config/network or otherone (repair "before ipv6 state" of your deivce). | ||
| + | * Install ipv6 support and __ebtables__(if you haven't it at your repository, try beta or svn): | ||
| + | |||
| + | | ''opkg update && opkg install kmod-ipv6 ebtables | ||
| + | ''| | ||
| + | |||
| + | ** 1.** At first determine your WAN interface device name, and correct comands below(change **eth0.1** to your WAN device name). Edit __/etc/init.d/network__, at end of **start()** section add thoose lines: | ||
| + | |||
| + | | ''ebtables -t broute -A BROUTING -i **eth0.1** -p ! ipv6 -j DROP | ||
| + | brctl addif br-lan **eth0.1** | ||
| + | ''| | ||
| + | |||
| + | ** 2.** At __/etc/config/network__, make thoose: | ||
| + | |||
| + | Add this on the "config interface lan" section | ||
| + | | '' option accept_ra 1 | ||
| + | option send_rs 1 | ||
| + | ''| | ||
| + | Add this on the "config interface wan" section | ||
| + | | '' option accept_ra 0 | ||
| + | option send_rs 0 | ||
| + | ''| | ||
| + | |||
| + | ** 3.** At __/etc/config/firewall__, make thoose: | ||
| + | |||
| + | Add this to the "config defaults" section | ||
| + | | '' option disable_ipv6 0 | ||
| + | ''| | ||
| + | |||
| + | **4.** At __/etc/sysctl.conf__, make thoose: | ||
| + | |||
| + | Add this at the end to enable firewalling on ipv6 even for bridged interfaces | ||
| + | | '' net.bridge.bridge-nf-call-ip6tables=1 | ||
| + | net.bridge.bridge-nf-call-iptables=0 | ||
| + | ''| | ||
| + | |||
| + | **5.** If you need IPv6 firewalling ONLY! First install: | ||
| + | |||
| + | | ''opkg update && opkg install kmod-ip6tables ip6tables | ||
| + | ''| | ||
| + | |||
| + | Then correct comands below(change **eth0.1** to your WAN device name). At __/etc/firewall.user__, add thoose lines: | ||
| + | | '' | ||
| + | # First, delete all: | ||
| + | ip6tables -F | ||
| + | ip6tables -X | ||
| + | |||
| + | # Allow anything on the local link | ||
| + | ip6tables -A INPUT -i lo -j ACCEPT | ||
| + | ip6tables -A OUTPUT -o lo -j ACCEPT | ||
| + | |||
| + | # Allow anything out on the internet | ||
| + | ip6tables -A OUTPUT -o **eth0.1** -j ACCEPT | ||
| + | |||
| + | # Allow Link-Local addresses | ||
| + | ip6tables -A INPUT -s fe80::/10 -j ACCEPT | ||
| + | ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT | ||
| + | |||
| + | # Allow multicast | ||
| + | ip6tables -A INPUT -s ff00::/8 -j ACCEPT | ||
| + | ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT | ||
| + | |||
| + | # Allow ICMPv6 | ||
| + | ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute | ||
| + | ip6tables -A INPUT -p icmpv6 -j ACCEPT | ||
| + | ip6tables -A OUTPUT -p icmpv6 -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 -m physdev ! --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-solicitation -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-advertisement -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -p icmpv6 --icmpv6-type router-advertisement -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | |||
| + | # Allow forwarding | ||
| + | ip6tables -A FORWARD -m state --state NEW -m physdev ! --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -m state --state NEW -p tcp --dport 22 -m physdev --physdev-in **eth0.1** -j ACCEPT | ||
| + | ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | ip6tables -N DROP | ||
| + | ip6tables -A DROP -j REJECT --reject-with icmp6-port-unreachable | ||
| + | |||
| + | # Set the default policy | ||
| + | ip6tables -A INPUT -j DROP | ||
| + | ip6tables -A FORWARD -j DROP | ||
| + | ip6tables -A OUTPUT -j DROP | ||
| + | ''| | ||
| + | |||
| + | |||
| + | That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address. | ||
| ==== DNS check and configuration ==== | ==== DNS check and configuration ==== | ||
doc/howto/ipv6.1352302747.txt.bz2 · Last modified: 2012/11/07 16:39 by tag