You are here: OpenWrt Wiki » Documentation » The UCI System » AICCU (Automatic IPv6 Connectivity Client Utility) configuration

AICCU (Automatic IPv6 Connectivity Client Utility) configuration

Prerequesite

Signup for an SIXXS account and an SIXXS Handle

See for further details on http://www.sixxs.net/signup/create/

Check if your router is IPV6 ready.

opkg list kmod-ipv6
opkg list kmod-ip6tables
opkg list ip6tables
opkg list aiccu
opkg list radvd

Save as test.txt and execute sh test.txt

root@OpenWrt:~# sh test.txt
kmod-ipv6 - 3.0.12-1
kmod-ip6tables - 3.0.12-1
ip6tables - 1.4.10-4
aiccu - 20070115-9
radvd - 1.8.3-2

or something similar. If a package is missing install and update accordingly.

The aiccu package is configured through /etc/config/aiccu.

Sections

There is only a section of type aiccu defined which may only appear once.

AICCU

Below is a listing of defined options in the aiccu section.

Name	Type	Required	Default	Description
`username`	string	yes	(none)	Username to authenticate with the tunnel broker
`password`	string	yes	(none)	Password to authenticate with the tunnel broker
`protocol`	string	yes	`tic`	Authentication protocol, can be one of `tic`, `tsp` or `l2tp`
`server`	ipaddr	no	(none)	Server to use
`interface`	string	no	`aiccu`	Name of the created tunnel interface
`tunnel_id`	integer	no	(none)	Tunnel ID to use if there are multiple tunnels registered with the broker
`requiretls`	boolean	no	`0`	Force the client to abort if the server does not support TLS
`defaultroute`	boolean	no	`1`	Whether to install an IPv6 default route over the established tunnel
`nat`	boolean	no	`1`	Notify if behind NAT
`heartbeat`	boolean	no	`1`	To enable `AYIYA` set heartbeat to 1, in case of an heartbeat tunnel 0

Tunnels

AYIYA

Example of an AYIYA tunnel configuration with the SixXS tunnel broker.

config 'aiccu'
        option 'username'  'test'
        option 'password'  'test'
        option 'tunnelid'  '1234'
        option 'protocol'  'tic'
        option 'server'    'tic.sixxs.net'
        option 'interface' 'sixxs.0

In case you are behind a NAT firewall consult the SixX FAQ and check how to enable proto 41.

Heartbeat

Example of an SIXXS 6in4-heartbeat tunnel.

We will configure /etc/config/aiccu, modify /etc/config/network and /etc/config/firewall. This is tested for firewall2 using the related trunks for DIR-600 B1/B2 and RT-N16. And finally on ALIX Board using ../backfire/10.03.1-rc5/x86_generic/.

You have to request an heartbeat tunnel from SIXXS before. Check and review their documentation.

Prior to any change in your running configuration, create backups using your prefered back method.

Change /etc/config/aiccu using your SIXXS username and Tunnel ID.

config aiccu
       option username         'ABCD-SIXXS/T1234'
       option password         'yourpwasswort'
       option protocol         'tic'
       option server           'tic.sixxs.net'
       option interface        'sixxs.0'
       option tunnel_id        'T1234'
       option requiretls       '0'
       option defaultroute     '1'
       option nat              '1'
       option heartbeat        '1

Static 6in4

tbd

Interface and LAN configuration

Configure an ipv6 IP to your lan interface and create an additional wan6 interface in /etc/config/network using the VLAN interface.0 notation.

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'ip6addr' '2001:xxxx:yyyyy::1/64

config 'interface' 'wan6'
        option 'proto' 'static'
        option 'ifname' 'sixxs.0'
        option 'send_rs' '0'
        option 'ip6addr' '2001:your:end:point::2

Replace your:end:point with your SIXXS Tunnel individual endpoint address.

Firewall

Add an additional zone wan6 for IPv6 into /etc/config/firewall:

config 'zone'
        option 'name'    'wan6'
        option 'network' 'wan6' 
        option 'input'   'REJECT'
        option 'output'  'ACCEPT'
        option 'forward' 'REJECT' 
        option 'masq'     1

Add a corresponding forwarding rule for ipv6 in /etc/config/firewall:

config 'forwarding'
        option 'dest' 'wan6'
        option 'src' 'lan

If necessary configure your individual ipv6 rules in /etc/config/firewall:

config 'rule'
        option 'name' 'RHO'
        option 'family' 'ipv6'
        option 'target' 'DROP'
        option 'extra' '-m rt –rt-type 0'
        option 'proto' 'all'
        option 'src' 'wan6'

config 'rule'
        option 'name' 'RHO2'
        option 'family' 'ipv6'
        option 'target' 'DROP'
        option 'extra' '-m rt –rt-type 0'
        option 'proto' 'all'
        option 'src' 'wan6'
        option 'dest' 'lan' 

config 'rule'
        option 'target' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'name' 'Allow-Ping ipv6'
        option 'family' 'ipv6'
        option 'proto' 'icmp'
        option 'src' 'wan6'
        option 'limit' '1000/sec'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        list 'icmp_type' 'echo-reply

radvd

Populate your LAN with you local IPv6 ip range.

Therfore adopt /etc/config/radvd using your ipv6 subnet prefix:

config 'interface'
        option 'interface' 'lan'
        option 'AdvSendAdvert' '1'
        option 'AdvManagedFlag' '0'
        option 'AdvOtherConfigFlag' '0'
        list 'client' ' '
        option 'ignore' '0'
 
config 'prefix'
        option 'interface' 'lan'
        option 'AdvOnLink' '1'
        option 'AdvAutonomous' '1'
        list 'prefix' '2001:your:end:point::/64'
        option 'ignore' '0'

……..

Final Check

Prior to a reboot restart the network and firewall

/etc/init.d/network restart
/etc/init.d/firewall restart

The zone wan6 should appear as shown below.

root@OpenWrt:~# logread | grep firewall
Feb 23 09:32:06 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Feb 23 09:32:06 OpenWrt user.info firewall: adding wan (eth0) to zone wan
Feb 23 09:32:10 OpenWrt user.info firewall: adding wan6 (sixxs.0) to zone wan6

Do a manual restart of aiccu and radvd.

/etc/init.d/aiccu start
/etc/init.d/radvd start

Inspect your logfile and check if you can ping ipv6 sites.

root@OpenWrt:~# ping6 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:c01::93): 56 data bytes
64 bytes from 2a00:1450:4001:c01::93: seq=0 ttl=57 time=24.144 ms
64 bytes from 2a00:1450:4001:c01::93: seq=1 ttl=57 time=23.581 ms
64 bytes from 2a00:1450:4001:c01::93: seq=2 ttl=57 time=22.934 ms

Do a test from a client in your LAN ipv6 enabled).

C:\Dokumente und Einstellungen\Bilbo_Beutlin>ping6 six.heise.de

six.heise.de [2a02:2e0:3fe:100::6] wird angepingt
von 2001:yyyy:xxxx:0:abcd:dead:beef:1234 mit 32 Bytes Daten:

Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=10ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=13ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms
Antwort von 2a02:2e0:3fe:100::6: Bytes=32 Zeit=8ms

Ping-Statistik für 2a02:2e0:3fe:100::6
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ungefähre Zeitangaben in Millisekunden:
    Minimum = 8ms, Maximum = 13ms, Mittelwert = 9ms

If everything works fine enable aiccu and radvd

/etc/init.d/aiccu enable
/etc/init.d/radvd enable

and reboot your router.

doc/uci/aiccu.txt · Last modified: 2012/05/12 19:49 by f41thr

OpenWrt

Wiki Search

Actions

Translations