IPv6 Brouter

Bridging IPv6, while routing IPv4

With bridging, IPv6 just works: the inside network is connected transparently (for IPv6) to the outside network. A v6brouter lets you extend the IPv6 network with minimal effort and maximum compatibility, while maintaining current IPv4 NAT-based topologies.

Introduction

The standard way to use IPv6 is that your upstream provider gives you an address for the outside of your router (as they do with IPv4) and issues a PD (Prefix Delegation) or a subnet to use on the inside of your network.

But what if your upstream provider isn't providing Prefix Delegation? What to do? Fortunately, there are 3 solutions with OpenWRT:

  • v6brouter (this page)
  • Configure odhcpd for relay service
  • NAT6 (not recommended)

Why not NAT?

IPv4 NAT is everywhere. From an IPv6 point of view NAT is bad: it breaks end-to-end network connectivity, makes it harder to troubleshoot network problems, and does not provide any more security than a modern firewall. NAT is used everywhere from large-scale CGNs (Carrier Grade NAT) to little home routers, down to your cell phone when you turn on a hotspot.

With 18,446,744,073,709,551,616 (2^64) potential IPv6 addresses on a LAN segment, there are more than enough addresses to extend the IPv6 network across many of the smaller IPv4-NAT scenarios. By using bridging, all the problems with NAT are eliminated.

In a traditional IPv4 network, a cascaded router would look like this:

Packets from the laptop must flow across double NAT to reach the internet. The green networks (dark and light) may be wired or wireless. This is very common in the IPv4 world.

IPv6 Brouting

With bridging, IPv6 just works: the inside network is connected transparently (for IPv6) to the outside network. A v6brouter lets you extend the IPv6 network with minimal effort and maximum compatibility, while maintaining current IPv4 NAT-based topologies.

For example, given the router with eth0.1 and eth1 interfaces:

  • IPv6: Inside LAN and Outside LAN are one multicast domain or bridged
  • IPv4: Inside LAN and Outside LAN are two broadcast domains and routed (via NAT)

By changing the configuration of Router B to be a brouter, we see that the IPv6 topology no longer directly maps to the IPv4 topology.

With a brouter, IPv6 traffic (including RAs, NDP, etc.) is bridged on Router B, while IPv4 traffic continues to be NAT-ed, maintaining the IPv4 topology. Of course there is no reason why IPv4 needs to be NAT-ed at this point, but there are situations (think: smart phone hotspot) where maintaining the existing IPv4 topology will be desired. v6Brouting maintains the IPv4 topology while providing IPv6 access to the downstream networks.

odhcpd relay

It is possible to configure odhcpd for relay mode (RA, NDP, DHCP) and achieve the same effect. This method works reasonably well, and bridges IPv6 at the application layer. The IPv6 Brouter bridges IPv6 at the Ethernet layer (layer 2).

The advantage of using the IPv6 Brouter is that you can configure the firewall to allow incoming connections. While odhcpd is perfectly useful for surfing the IPv6 internet, it does not have a mechanism to allow incoming connections. If you want a server (e.g. a web server) on the IPv6 internet, the v6Brouter lets you create a traffic entry in the firewall to permit such inbound traffic. An example to block only SSH is provided in the script.

You can find more information on Bridging Firewalls at:

http://ipv6-net.blogspot.ca/2016/03/v6brouter-part-2-v6bridge-firewall.html

Leveraging Netfilter

The v6brouter script leverages Netfilter heavily, utilizing ebtables (for bridging) and iptables (for NAT). Netfilter does all the heavy lifting, and is well-optimized code. More information on ebtables, with specific brouter examples, can be found at ebtables.netfilter.org.
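
The split described above (IPv6 bridged, IPv4 routed and NAT-ed) together with the bridge firewall mentioned in the odhcpd comparison, as an added example that is not the v6brouter script itself. It assumes eth0.1 is the inside port and eth1 the outside port, uses a made-up bridge name br-v6, and prints the commands rather than running them.

```shell
#!/bin/sh
# Added illustration, NOT the v6brouter script from the page.
# Prints the rule set instead of applying it; review, then pipe to `sh` as root.
# Assumptions: eth0.1 is the inside port, eth1 the outside port, and the
# bridge name br-v6 is made up for this example.
INSIDE="${INSIDE:-eth0.1}"
OUTSIDE="${OUTSIDE:-eth1}"
BRIDGE="${BRIDGE:-br-v6}"

# Core brouter: one bridge over both ports, then tell ebtables to hand every
# non-IPv6 frame (IPv4, ARP, ...) to the IP stack instead of bridging it.
# In the broute table, DROP means "do not bridge, route this frame".
brouter_rules() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $INSIDE
brctl addif $BRIDGE $OUTSIDE
ip link set $BRIDGE up
ebtables -t broute -A BROUTING -p ! IPv6 -j DROP
iptables -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
EOF
}

# Bridge firewall: bridged IPv6 frames traverse the ebtables FORWARD chain,
# so inbound TCP ports are filtered there. Arguments: TCP ports to block for
# frames entering on the outside port. Returns 1 on an invalid port.
bridge_fw_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        echo "ebtables -A FORWARD -i $OUTSIDE -p IPv6 --ip6-proto tcp --ip6-dport $port -j DROP"
    done
}

# Print the whole configuration, blocking inbound SSH over bridged IPv6.
brouter_rules
bridge_fw_rules 22
```

Because ebtables filtering is stateless and the inside hosts are directly reachable over bridged IPv6, every service that should not be exposed needs its own FORWARD rule or a host firewall.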

Requirements

A brouter is part bridge, part router. This script sets up an IPv6 bridge and an IPv4 NAT router.

One only needs to install ebtables and the v6brouter script. It has been tested on Chaos Calmer (v15.05) of OpenWRT.

Download Script

Why is there no UCI configuration? Unfortunately UCI does not support ebtables configuration at this time. But you can download the script to the router and make it a startup script, which will run every time the router boots.

You can find the v6brouter script at https://github.com/cvmiller/v6brouter

ipv6_brouter.txt · Last modified: 2016/06/13 01:42 by cvmiller