IPv6 configuration guide (for Backfire and later)

:!: This page replaces the old IPv6 guide page. Its content still needs further work; if you have questions, ask for help on the IRC channel (#openwrt). The page is updated from time to time.

This howto describes how to configure IPv6 on an OpenWrt-based router.

Why do we need IPv6? (ipv6.theory)

Enabling IPv6 support

Full IPv6 support can be enabled on your router by following this howto: ipv6.essentials

There are two main steps, each of which is done in several sub-steps:

  1. Set up the router so that it reaches the public IPv6 network, either through a tunnel (SixXS, TSP, 6to4, etc.) or over a native IPv6 link.
  2. Advertise the IPv6 subnet on the LAN with radvd or DHCPv6.

And a smaller third step:

  1. Set up ip6tables to isolate and protect the LAN with firewall rules.

Preparing and verifying IPv6 connectivity

Most ISPs are migrating to IPv6. Several different techniques are used for IPv6 routing, among them tunnel brokers.

To enable IPv6 we need to install the following:

  • the IPv6 kernel module (required)
  • IPv6 routing software (required; it provides the IPv6 routing function)
  • the ip6tables kernel module (optional, but required if you want an IPv6 firewall)
  • the ip6tables command-line tool (optional; used to configure the IPv6 firewall and its rules)

opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables

Once the IPv6 kernel module and the related tools have been installed with the command above, telnet or ssh to the router and run ping6 ipv6.google.com; the ping should succeed.

If ping6 ipv6.google.com fails but ping6 2a00:1450:8002::93 succeeds, your DNS does not resolve IPv6 names; change the DNS settings so that IPv6 name resolution works (see the relevant section below).

If the firewall is enabled on the router, remember to enable IPv6 in the firewall configuration file (with the default rules all IPv6 traffic is dropped):

config defaults
    option syn_flood 1
    option drop_invalid 1
    option input ACCEPT
    option output ACCEPT
    option forward REJECT
    # Uncomment the following line to disable the IPv6 rules:
    # option disable_ipv6 1

Native IPv6 connectivity with a static IPv6 prefix

"With a static IPv6 prefix" means that your ISP assigns each customer at least one /64 prefix, or better a /56 or a /48 (the IPv6 equivalent of a "static IP" in IPv4). Many professional ISPs provide such static prefixes. ISPs currently known to provide them:

  1. Nerim (France)
  2. FDN (France)
  3. Internode (Australia)
  4. TekSavvy (Canada)
  5. [..] :!: Please add more ISPs that provide native IPv6 prefixes.

In the example below, the ISP has assigned the prefix 2001:123:456::/48. Within that range I want the LAN to use the subnet 2001:123:456:789::/64, and the router's own static IPv6 address on the LAN side to be 2001:123:456:789::1.

/etc/config/network:

config interface lan
    option ifname eth1
    option type bridge
    option proto static
    option ipaddr 192.168.1.1
    option netmask 255.255.255.0
    option ip6addr '2001:123:456:789::1/64'
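The subnet arithmetic behind the example above, as an added illustration that is not part of the original page: given the /48 the ISP delegated and the subnet number 0x789, it computes the LAN /64 and the router's ::1 address, refuses a subnet number that does not fit in the bits the ISP left to you, and can also tell whether an existing LAN prefix lies inside the delegation at all. The prefixes are the page's own example values; the function names are my own and the /56 case is added to show the same rule with fewer free bits.

```python
import ipaddress

# Constructed to match the page's example: the ISP delegates 2001:123:456::/48
# and the LAN gets subnet number 0x789 carved out of it.
ISP_DELEGATION = "2001:123:456::/48"
LAN_SUBNET_ID = 0x789


def lan_subnet(delegated, subnet_id, lan_len=64):
    """Carve LAN subnet number `subnet_id` (a /`lan_len`) out of the delegated
    prefix and return (network, router_address); the router takes ::1 as on
    the page. Raises ValueError if the id needs more bits than the ISP left."""
    deleg = ipaddress.IPv6Network(delegated, strict=True)
    free_bits = lan_len - deleg.prefixlen
    if free_bits < 0:
        raise ValueError("a /%d delegation cannot hold a /%d LAN"
                         % (deleg.prefixlen, lan_len))
    if not 0 <= subnet_id < (1 << free_bits):
        raise ValueError("subnet id 0x%x does not fit in %d free bits"
                         % (subnet_id, free_bits))
    # Shift the subnet number into the bits between the delegation and the LAN length.
    base = int(deleg.network_address) + (subnet_id << (128 - lan_len))
    net = ipaddress.IPv6Network((base, lan_len))
    return net, net[1]


def subnet_id_of(delegated, lan_network):
    """Inverse check: which subnet number a LAN prefix occupies inside the
    delegation, or None when it is not part of it. radvd would happily
    advertise a prefix outside the delegation, but the ISP would never route
    replies for it back to you, so this is worth checking before deploying."""
    deleg = ipaddress.IPv6Network(delegated)
    lan = ipaddress.IPv6Network(lan_network)
    if not lan.subnet_of(deleg):
        return None
    return ((int(lan.network_address) - int(deleg.network_address))
            >> (128 - lan.prefixlen))


if __name__ == "__main__":
    net, router = lan_subnet(ISP_DELEGATION, LAN_SUBNET_ID)
    print("LAN prefix for radvd :", net)          # 2001:123:456:789::/64
    print("option ip6addr '%s/%d'" % (router, net.prefixlen))
    print("subnet number check :", hex(subnet_id_of(ISP_DELEGATION, str(net))))
```

The same function works for a /56 delegation: lan_subnet("2001:123:456:700::/56", 0x89) yields the identical 2001:123:456:789::/64, because the subnet number is now only 8 bits wide.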

If you use PPPoEv6, enable ipv6 on the interface. You may also need to lower the MTU to 1452: experience shows that this avoids many problems. You can set a larger MTU, but not above 1492.

config interface wan
    option ifname eth0
    option proto pppoe
    option username '<username>'
    option password '<password>'
    option keepalive 5
    option defaultroute 1
    option peerdns 1
    option ipv6 1
    option mtu 1452

6in4 tunnel connectivity

6in4 is a technique that encapsulates IPv6 traffic inside IPv4. It is mostly used by tunnel brokers and requires manual configuration.

There is a very good forum thread discussing this kind of connectivity.

Both imply a static prefix, and thus a manual configuration.

The ISPs known to use this are:

  1. Comcast (USA)
  2. Free.fr (France)

:!: The package 6in4 must be installed to use this protocol.

:!: Examples of 6to4 tunneling are also on the config/network page.

For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.

To allow 6in4 traffic to always reach your tunnel endpoint you might need to add this to your firewall config:

config rule
    option src wan
    option proto 41
    option target ACCEPT

Static 6in4 tunneling

/etc/config/network for static tunneling:

config interface henet
    option proto 6in4
    option ipaddr '178.24.115.19'
    option peeraddr '216.66.80.30'
    option ip6addr '2001:0DB8:1f0a:1359::2/64'

Dynamic 6in4 tunneling

The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with enabled IP update. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.

/etc/config/network for dynamic tunneling:

config interface henet
    option proto 6in4
    option peeraddr '216.66.80.30'
    option ip6addr '2001:0DB8:1f0a:1359::2/64'
    option tunnelid '12345'
    option username '098f6bcd4621d373cade4e832627b4f6'
    option password 'secret'

In these example configurations:

  1. 178.24.115.10 is the local IPv4 address (assigned by ISP)
  2. 216.66.80.30 is the remote IPv4 address (the other side of the tunnel)
  3. 2001:0DB8:1f0a:1359::2/64 is the local IPv6 address of the tunnel
  4. tunnelid, username and password are provided by the ISP or the tunnel broker (username is the UserID shown on the main page of your HE account).

This tunnel, like a VPN, creates a third network interface, here called henet. A default ipv6 route using this interface is automatically created when this interface connects successfully.

:!: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

config 'zone'
    option 'name' 'wan'
    option 'network' 'wan henet'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'
    option 'masq' '1'

:!: Untested - Please correct as needed

You also need to add your prefix to the LAN interface, so that the router knows to send incoming IPv6 packets there:

config interface lan
    option ifname eth0
    option type bridge
    option proto static
    option ipaddr 192.168.1.1
    option netmask 255.255.255.0
    option ip6addr '2001:0DB8:1f0b:1359:1::1/64'

6to4, 6rd

6to4 is a transition mechanism that encapsulates IPv6 packets into IPv4 packets, and back, using specific relay servers.

6rd (for rapid deployment) is similar to 6to4, with some restrictions that suit routing inside large ISPs. However, it is only supported on kernels 2.6.33 or later because of its specific routing scheme.

In order for 6to4 to work, you need to install the package 6to4 available from 10.03.1-rc4.

opkg install 6to4

If, like me, you are working with 10.03, you can still install by downloading the package from the newer source.

opkg install http://downloads.openwrt.org/backfire/10.03.1-rc4/brcm47xx/packages/6to4_2-1_all.ipk

:!: Replace brcm47xx with the architecture you are working with.

For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.

An example of /etc/config/network for the ISP "Qfast.nl", or any ISP for that matter, may be:

config interface 6rd
    option proto 6to4
    # Selects the advertised /64 prefix, default 1 if not specified
    option adv_subnet 1

Although there are many more options, most of those (like ipaddress and the advertising interface) are configured automatically by default. Just check out /etc/config/network and search for the paragraph 6to4.

Even radvd and your lan interface are configured automatically by default, using the lan interface and a /64 prefix taken out of the external IP range that is to be routed. All you need to do is change ignore 1 to ignore 0 on the interface.
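How that /64 is derived from your external IPv4 address, as an added example that is not the 6to4 package's own code: it applies the RFC 3056 rule that a router's 6to4 /48 is 2002: followed by the 32 bits of its public IPv4 address, and lets adv_subnet pick the /64 underneath it, as the adv_subnet option above does. The IPv4 address 178.24.115.19 is reused from the 6in4 section; function names are mine. The last function does the reverse (recovering the IPv4 endpoint hidden in a 6to4 address), which is useful when reading ip6tables log lines: a 6to4 source address really identifies an IPv4 host.

```python
import ipaddress

# Well-known 6to4 prefix (RFC 3056). Every 6to4 site owns 2002:<ipv4>::/48.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Constructed sample: the public IPv4 address used in the 6in4 example above.
PUBLIC_IPV4 = "178.24.115.19"


def six_to_four_prefix(public_ipv4):
    """The /48 a router owns under 6to4: 2002: followed by its 32-bit public IPv4.
    Private or otherwise non-global addresses are rejected, since 6to4 cannot
    work from behind them (the relay would have nowhere to send replies)."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError("%s is not a public address; 6to4 cannot work behind it" % v4)
    # Bits 127..112 are 0x2002, bits 111..80 hold the IPv4 address.
    return ipaddress.IPv6Network(
        (int(SIX_TO_FOUR.network_address) | (int(v4) << 80), 48))


def advertised_subnet(public_ipv4, adv_subnet=1):
    """The /64 radvd announces on the LAN for a given adv_subnet value
    (the page's default is 1). adv_subnet occupies bits 79..64."""
    if not 0 <= adv_subnet < (1 << 16):
        raise ValueError("adv_subnet must fit in 16 bits")
    p = six_to_four_prefix(public_ipv4)
    return ipaddress.IPv6Network(
        (int(p.network_address) | (adv_subnet << 64), 64))


def embedded_ipv4(address):
    """Recover the IPv4 tunnel endpoint from any address in 2002::/16, or
    None for a non-6to4 address."""
    a = ipaddress.IPv6Address(address)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("6to4 /48            :", six_to_four_prefix(PUBLIC_IPV4))   # 2002:b218:7313::/48
    print("LAN /64 (adv_subnet 1):", advertised_subnet(PUBLIC_IPV4, 1))  # 2002:b218:7313:1::/64
    print("endpoint of 2002:b218:7313:1::1 :", embedded_ipv4("2002:b218:7313:1::1"))
```

Because the whole /48 follows from the public IPv4 address, it changes whenever that address changes; this is why the 6to4 script, and not a static line in /etc/config/radvd, has to fill in the prefix.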

My /etc/config/radvd looks as follows:

config interface
    option interface 'lan'
    option AdvSendAdvert 1
    option AdvManagedFlag 0
    option AdvOtherConfigFlag 0
    option ignore 0

config prefix
    option interface 'lan'
    # If not specified, a non-link-local prefix of the interface is used
    option prefix ''    # two single quotes, i.e. an empty value
    option AdvOnLink 1
    option AdvAutonomous 1
    option AdvRouterAddr 0
    option ignore 1

To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

config zone
    option name 'wan'
    option network 'wan wan6'
    option input REJECT
    option forward REJECT
    option output ACCEPT
    option masq 1

Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets:

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' '6to4'
    option 'src' 'wan'
    option 'proto' '41'

This can also be done via the LuCI web interface.

:!: All tested. Though I'm not sure what the firewall part where we add the wan6 to the wan zone does. Maybe it prevents IPv4 packets from coming in un-firewalled through the IPv6 interface. Anybody shine a light? Since the /etc/config/firewall only handles IPv4, you still need to make your own ip6tables rules as shown in that section.

TSP Tunneling

The Tunnel Setup Protocol is used by some tunnel brokers. Gogo6 (formerly Freenet6) is one of the most popular and offers a free service for individuals.

:!: The package gw6c must be installed to use this protocol (e.g.: opkg update && opkg install gw6c).

gw6c is configured through a specific config file: /etc/config/gw6c.

First create a free account on freenet6 here, then proceed to fill in the gw6c configuration file on your router.

The example below assumes the user has an account, which is required to redistribute a prefix on a LAN. The userid/passwd fields must be filled in with the registration credentials obtained above.

config gw6c basic
    # 0 = enabled; set to 1 to disable gw6c
    option disabled 0
    # Leave empty if connecting anonymously
    option userid <YOURFREENET6USERID>
    option passwd <YOURFREENET6PASSWD>
    # For anonymous access use anon.freenet6.net;
    # account holders should use broker.freenet6.net
    option server authenticated.freenet6.net
    # auth_method <anonymous|any|passdss-3des-1|digest-md5|plain>
    # Use anonymous for anonymous access and
    # any if you are an account holder
    option auth_method any

config gw6c routing
    # host_type <host|router>
    option host_type router
    option prefixlen 56
    option ifprefix br-lan
    # DNS server list to which the reverse prefix
    # will be delegated. Separate servers with :
    option dns_server

config gw6c advanced
    # Location where to store the generated configuration file
    option gw6c_conf /tmp/gw6c.conf
    option gw6c_dir /usr/share/gw6c
    option auto_retry yes
    option retry_delay 30
    option keepalive yes
    # keepalive interval
    option interval 30
    # tunnel_mode <v6v4|v6udpv4|v6anyv4|v4v6>
    option if_tunnel_mode v6anyv4
    option if_v6v4 sit1
    option if_v6udpv4 tun
    option if_v4v6 sit0
    option client_v4 auto
    option client_v6 auto
    option template openwrt
    option proxy_client no

config gw6c broker
    option broker_list /etc/config/gw6c-broker-list.txt
    option last_server /etc/config/gw6c-last-server.txt
    # Always use last known working server? <yes|no>
    option always_same_serv no

config gw6c logging
    option log_console 0
    option log_stderr 1
    option log_file 0
    option log_syslog 0
    option log_filename /var/log/gw6c.log
    option log_rotation yes
    # Max size when using log file rotation
    # possible values: 16|32|128|1024
    option log_maxsize 32
    # <USER|LOCAL[0-7]>
    option syslog_facility USER

:!: Once installed, gw6c takes care of many details by itself, including the radvd configuration. In this case no manual radvd configuration is required: /etc/config/radvd must be kept disabled.

Start Gateway6 client with the following command: /etc/init.d/gw6c start
To start it automatically after OpenWrt boots: /etc/init.d/gw6c enable

:!: Untested - Please correct as needed

NAT64 tunneling

NAT64 is a technique that gives the user a routable IPv6 address while using NAT to keep access to IPv4 websites (the client may no longer have a routable IPv4 address at all).

Some ISPs are experimenting with this: AAISP (UK)

:!: to be completed - please help ?

Advertising the IPv6 subnet on the LAN with radvd or DHCPv6

Once IPv6 is working on the router, it has to be advertised on the internal network. There are many ways to advertise IPv6, from static routes to DHCP autoconfiguration and more. Two options are described here:

1. RADVD

The router advertisement daemon (radvd) is fully supported on OpenWrt. See the radvd UCI page for the complete set of configuration options.

Install radvd with the following command: opkg update && opkg install radvd

The simplest example is a static IPv6 setup, as follows:

/etc/config/radvd:

config interface
    option interface 'lan'
    option AdvSendAdvert 1
    option AdvManagedFlag 0
    option AdvOtherConfigFlag 0
    # Optional - only provide it if it is also set in /etc/config/network
    option AdvLinkMTU 1452
    option ignore 0

config prefix
    option interface 'lan'
    # If not specified, a non-link-local prefix of the interface is used
    option prefix '2001:123:456:789::/64'
    option AdvOnLink 1
    option AdvAutonomous 1
    option AdvRouterAddr 0
    option ignore 0

This configuration enables radvd on the router, which advertises IPv6 and automatically configures IPv6 on the clients in the LAN. Note the following:

  1. The IPv6 prefix must be specified.
  2. The MTU is special: if it is given, it must be the same value that is set in the corresponding section of /etc/config/network. If you connect through a tunnel, make sure the MTU matches the tunnel's. Otherwise, do not specify it.

Don't forget to enable radvd at boot. You can do this in the LuCI web interface under Administration → Services → Initscripts: find radvd and check that it is enabled. To enable radvd at boot and start it right away without rebooting, run:

/etc/init.d/radvd enable
/etc/init.d/radvd start

The startup messages can be checked with logread.

2. DHCPv6

This explains how to set up DHCPv6 so that LAN clients get their IPv6 addresses from a pool, rather than from a random number or from a function of their MAC address combined with your prefix.

First, install a DHCPv6 server:

opkg update
opkg install wide-dhcpv6-server

Then enable the dhcp6s service in /etc/config/dhcp6s:

config 'dhcp6s' 'basic'
    option 'enabled' '1'
    option 'interface' 'lan'
    option 'config_file' '/etc/dhcp6s.conf'

Then create a configuration file such as /etc/dhcp6s.conf, like this:

interface br-lan {
    address-pool pool1 86400;
};

pool pool1 {
    range 2001:xxxx:yyyy:zzzz::1000 to 2001:xxxx:yyyy:zzzz::2000 ;
};

This allocates from an address pool starting at 4096 (::1000), with a lease time of 24 hours (86400 seconds).

Finally, you need to change a few radvd settings so that it tells the clients to use DHCPv6 to obtain the rest of their configuration:

config interface
    option interface 'lan'
    option AdvSendAdvert 1
    option AdvManagedFlag 1
    option AdvOtherConfigFlag 1
    option ignore 0

Then restart the services (good luck!)

DNS check and configuration

If you can do a successful ping6 ipv6.google.com from the router, then obviously your dnsmasq successfully resolves the IPv6 address, and you have IPv6 connectivity.

Congratulations!!!

However, if the ping6 above fails but ping6 2a00:1450:8002::93 succeeds, then your dnsmasq (or the server it forwards to) does not successfully resolve IPv6 addresses, and you need to fix this problem.

(TBD)

IPv6 only access

:!: (Using an intermediate machine to contact IPv4-only servers)

(TBD)

NAT64

NAT-PT

DSTM

Enable Routing

Don't forget to enable IPv6 routing on your device.

To do this, edit /etc/sysctl.conf

vi /etc/sysctl.conf

And uncomment the following line

# net.ipv6.conf.all.forwarding=1

So it shows

net.ipv6.conf.all.forwarding=1

And restart sysctl

/etc/init.d/sysctl restart

Check whether routing is enabled,

cat /proc/sys/net/ipv6/conf/all/forwarding

should show 1

Protect your LAN with ip6tables

Now that everyone on your LAN has a routed IPv6 address, it means they're accessible from the outside world. You can either configure the firewall on each of your LAN machines, or make some firewall rules on your router to protect them, which is probably easier.

If you have a Hurricane Electric tunnel, they provide a portscan service that you can use on yourself.

The configuration in /etc/config/firewall mainly applies to IPv4, so you need to put your IPv6 ip6tables rules in /etc/firewall.user.

The main ip6tables configuration is related to the FORWARD chain that handles connectivity to clients in LAN, while INPUT and OUTPUT concern direct traffic to the router itself and remain mostly unused. INPUT and OUTPUT practically handle only the ICMPv6 traffic (e.g. possible pings from your tunnel provider).

The main thing to do is allow packets out of the router, and only allow them back in if they're part of an established connection. The current firewall v2 has the correct rules built-in, but the old firewall v1 (still in Backfire 10.03.1-rc4 and older releases) needs the rules below:

ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

As there is no NAT in IPv6, simple 'accept' rules for the needed ports replace the IPv4 port forwarding rules. This example allows incoming traffic to port 113 (identd), which is useful if you use IRC. You might want to delete that line if you have no need for it. Similarly, you can open other ports, if necessary.

# forward ident requests
ip6tables -A FORWARD -p tcp --dport 113 -j ACCEPT

Note regarding firewall version:

  • The current Firewall v2 in trunk (and also in Backfire since r25353) already has some basic rules, so special ip6tables rules are not needed except for allowing specific ports.
  • The old Firewall v1 in older releases, and still in Backfire 10.03.1-rc4 (up to r25353), had practically no default rules at all, so the ip6tables configuration needs to be done from scratch.

Firewall v2

Example rules for current dual-stack Firewall v2, where the correct place to put own rules allowing forwarding is the sub-chain 'forwarding_rule', part of the FORWARD chain structure:

# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
 
## Allow incoming SixXS IPv6 traffic from tunnel PoP in IPv4 firewall 
iptables -A input_wan -s 62.78.96.38 -p 41 -j ACCEPT

# Filter all packets that have RH0 headers: (recommended rule)
ip6tables -I INPUT 2 -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD 2 -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT 2 -m rt --rt-type 0 -j DROP

## Example: allow packets to port 113 to get forwarded
ip6tables -A forwarding_rule -p tcp --dport 113 -j ACCEPT
ip6tables -A forwarding_rule -p udp --dport 113 -j ACCEPT

Firewall v1

The example below is targeting an empty ip6tables configuration. These rules show the basic principles pretty clearly and are suitable for using with Firewall v1, (e.g. in older releases and still in Backfire before r25353).

Example /etc/firewall.user script starting with an empty ip6tables configuration. See, for example, this slideshow on why to block type 0 RH packets.

# start with a clean slate
ip6tables -F
ip6tables -X

# allow icmpv6
ip6tables -I INPUT -p ipv6-icmp -j ACCEPT
ip6tables -I OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT

# allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# allow anything out of the tunnel
ip6tables -A OUTPUT -o 6in4-henet -j ACCEPT

# allow LAN
ip6tables -A INPUT -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT

# drop packets with a type 0 routing header
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

# allow link-local
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# allow multicast (a multicast address only ever appears as the destination)
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# allow forwarding
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward ident requests
ip6tables -A FORWARD -p tcp --dport 113 -j ACCEPT

# default policy...
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

Note: although you named the tunnel interface just 'henet', it is automatically prefixed with '6in4-', so the name to use in ip6tables rules is '6in4-henet'.
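To see what the Firewall v1 rule set above actually lets through to the LAN, here is an added example that is not part of the page or of OpenWrt: it parses the FORWARD-chain lines of the script (a constructed excerpt in the page's order) and applies ip6tables' first-match semantics to a few constructed packets. It understands only the match options the script uses (-i, -p, --dport, -m state --state, -m rt --rt-type) plus -A, -I, -F and -P; anything else raises an error rather than being silently ignored.

```python
import shlex

# Constructed excerpt: the FORWARD-chain lines of the Firewall v1
# /etc/firewall.user script on this page, in the page's order.
V1_FORWARD_SCRIPT = """
# start with a clean slate
ip6tables -F
ip6tables -X
# allow icmpv6
ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT
# drop packets with a type 0 routing header
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# allow forwarding
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward ident requests
ip6tables -A FORWARD -p tcp --dport 113 -j ACCEPT
# default policy...
ip6tables -P FORWARD DROP
"""


def parse_matches(args):
    """Turn the option list after the chain name into a dict of matches + target."""
    rule, i = {}, 0
    while i < len(args):
        opt, val = args[i], args[i + 1]
        if opt == "-m":
            pass                              # module name; its option follows
        elif opt == "-i":
            rule["in_if"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt == "--rt-type":
            rule["rt_type"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    return rule


def parse_forward_chain(script):
    """Return (rules, policy) for the FORWARD chain, rules in kernel order."""
    rules, policy = [], "ACCEPT"              # kernel default until -P is run
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        if len(argv) < 2 or argv[0] != "ip6tables":
            continue
        cmd, args = argv[1], argv[2:]
        if cmd == "-F":                       # flush removes rules, not the policy
            rules = []
        elif cmd == "-P" and args[0] == "FORWARD":
            policy = args[1]
        elif cmd in ("-A", "-I") and args[0] == "FORWARD":
            pos = len(rules)                  # -A appends
            if cmd == "-I":                   # -I CHAIN [rulenum] inserts (default: top)
                pos = 0
                if args[1].isdigit():
                    pos = int(args[1]) - 1
                    del args[1]
            rules.insert(pos, parse_matches(args[1:]))
    return rules, policy


def forward_verdict(script, pkt):
    """First matching rule wins; otherwise the chain policy applies.
    pkt keys: in_if, proto, dport, state (NEW if absent), rt_type."""
    rules, policy = parse_forward_chain(script)
    for r in rules:
        if "in_if" in r and pkt.get("in_if") != r["in_if"]:
            continue
        if "proto" in r and pkt.get("proto") != r["proto"]:
            continue
        if "dport" in r and pkt.get("dport") != r["dport"]:
            continue
        if "states" in r and pkt.get("state", "NEW") not in r["states"]:
            continue
        if "rt_type" in r and pkt.get("rt_type") != r["rt_type"]:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    samples = {
        "new SSH from tunnel to LAN host":  {"in_if": "6in4-henet", "proto": "tcp", "dport": 22},
        "ident request from tunnel":       {"in_if": "6in4-henet", "proto": "tcp", "dport": 113},
        "LAN client going out":            {"in_if": "br-lan", "proto": "tcp", "dport": 443},
        "reply to a LAN connection":       {"in_if": "6in4-henet", "proto": "tcp",
                                            "dport": 40000, "state": "ESTABLISHED"},
        "UDP with RH0 from LAN":           {"in_if": "br-lan", "proto": "udp", "rt_type": 0},
        "ICMPv6 with RH0 from tunnel":     {"in_if": "6in4-henet", "proto": "ipv6-icmp", "rt_type": 0},
    }
    for name, pkt in samples.items():
        print("%-32s -> %s" % (name, forward_verdict(V1_FORWARD_SCRIPT, pkt)))
```

One thing the simulation makes visible: because the ICMPv6 rule is inserted with -I, it sits above the RH0 drop, so an ICMPv6 packet carrying a type 0 routing header is still forwarded by this script. Moving the RH0 drop to the very top of the chain (or inserting it before the ICMPv6 accept, as the Firewall v2 block above does with -I FORWARD 2) closes that gap.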

Source: Adapted from Hannu Nyman's post on the SixXS forums.


zh-cn/doc/howto/ipv6.txt · Last modified: 2013/09/22 11:15 (external edit)