
isocat

join:2012-06-03
Toronto, ON
reply to mattvmotas

Re: IPv6 beta

Hello, I am having a bit of trouble getting my network working with IPv6, and I was wondering if someone can point me in the right direction.

I am running OpenWRT (Backfire 10.03) on a WRT54GL router.

I am able to ping6 ipv6.google.com from the router, but not from the host:

$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2607:f2c0:a000:xxxx:xxxx:f2ff:fe02:xxxx --> 2001:4860:4008:802::1011
Request timeout for icmp_seq=0
Request timeout for icmp_seq=1
Request timeout for icmp_seq=2


My host gets an IPv6 address, and can ping6 the LL address of the LAN interface on the router.

I am unable to access any IPv6 pages from the host.

This does not seem to be firewall related as opening up the firewall (ip6tables -F) has no effect.

It seems that the router is not passing IPv6 traffic from the LAN to the WAN...?

Config (abridged):

root@DeltaNet:/etc/config# cat /proc/sys/net/ipv6/conf/all/forwarding
1

Network:
config 'interface' 'lan'
option 'type' 'bridge'
option 'ifname' 'eth0.0'
option 'proto' 'static'
option 'ipaddr' '192.168.242.241'
option 'netmask' '255.255.255.240'
option 'ip6addr' '2607:f2c0:a000:xxxx::/64'
option 'mtu' 1452

config 'interface' 'wan'
option 'ifname' 'eth0.1'
option 'proto' 'pppoe'
option 'password' 'xxx'
option 'username' 'xxx@hsiservice.net'
option 'mtu' 1452
option 'ipv6' '1'
option 'ip6addr' '2607:f2c0:f00f:xxxx::/56'

Radvd:
config interface
option interface 'lan'
option AdvSendAdvert 1
option AdvManagedFlag 0
option AdvOtherConfigFlag 0
list client ''
option ignore 0
option AdvLinkMTU 1452

config prefix
option interface 'lan'
option prefix '2607:f2c0:a000:xxxx::/64'
option AdvOnLink 1
option AdvAutonomous 1
option AdvRouterAddr 0
option ignore 0


Running a traceroute to ipv6.google.com from the host returns this:

$ traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:4008:802::1011) from 2607:f2c0:a000:xxxx:xxxx:f2ff:fe02:xxxx, 64 hops max, 12 byte packets
1 2607:f2c0:a000:xxxx:: 0.711 ms !N 0.695 ms !N 0.448 ms !N


And running a traceroute to ipv6.google.com from the router returns this (is this because it isn't traceroute6? And if so, does anyone know how to perform an IPv6 traceroute from OpenWRT?):

traceroute to ipv6.google.com (2001:4860:4008:802::1011), 30 hops max, 38 byte packets
1traceroute: sendto: Invalid argument


And finally, the routing table on the router looks like this:

root@DeltaNet:/etc/config# ip -6 route
2607:f2c0:a000:xxxx::/64 dev br-lan metric 256 mtu 1452 advmss 1392
2607:f2c0:f00f:xxxx::/56 dev pppoe-wan metric 256 mtu 1452 advmss 1392
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1392
fe80::/64 dev eth0.0 metric 256 mtu 1500 advmss 1392
fe80::/64 dev eth0.1 metric 256 mtu 1452 advmss 1392
fe80::/64 dev br-lan metric 256 mtu 1452 advmss 1392
fe80::/64 dev wl0 metric 256 mtu 1500 advmss 1440
fe80::/64 dev pppoe-wan metric 256 mtu 1452 advmss 1392
fe80::/10 dev pppoe-wan metric 1 mtu 1452 advmss 1392
fe80::/10 dev pppoe-wan metric 256 mtu 1452 advmss 1392
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1392
ff00::/8 dev eth0.0 metric 256 mtu 1500 advmss 1392
ff00::/8 dev eth0.1 metric 256 mtu 1452 advmss 1392
ff00::/8 dev br-lan metric 256 mtu 1452 advmss 1392
ff00::/8 dev wl0 metric 256 mtu 1500 advmss 1440
ff00::/8 dev pppoe-wan metric 256 mtu 1452 advmss 1392
default via fe80::90:1a00:4243:14a8 dev pppoe-wan metric 1 mtu 1452 advmss 1392
unreachable default dev lo proto none metric -1 error -128 advmss 1392


I'm not exactly a guru when it comes to networking, especially in regards to IPv6, but feel like my problems have something to do with the default route...?

Anyway, sorry for the long post. Just wanted to be thorough. Anyone have any suggestions?


mactalla

join:2008-02-19
kudos:1

What's the default policy on your firewall? (ip6tables -L)


isocat

join:2012-06-03
Toronto, ON

Output of ip6tables -L follows:


root@DeltaNet:/etc/config# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all anywhere anywhere
input all anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
forwarding_rule all anywhere anywhere
forward all anywhere anywhere
reject all anywhere anywhere
ACCEPT icmp anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere
output all anywhere anywhere

Chain forward (1 references)
target prot opt source destination
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere

Chain forwarding_lan (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination

Chain forwarding_wan (1 references)
target prot opt source destination

Chain input (1 references)
target prot opt source destination
zone_lan all anywhere anywhere
zone_wan all anywhere anywhere

Chain input_lan (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain input_wan (1 references)
target prot opt source destination

Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all anywhere anywhere
zone_wan_ACCEPT all anywhere anywhere

Chain output_rule (1 references)
target prot opt source destination

Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere

Chain zone_lan (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
input_lan all anywhere anywhere
zone_lan_ACCEPT all anywhere anywhere

Chain zone_lan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere

Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere

Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere

Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all anywhere anywhere
forwarding_lan all anywhere anywhere
zone_lan_REJECT all anywhere anywhere

Chain zone_wan (1 references)
target prot opt source destination
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere
input_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere

Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere

Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere

Chain zone_wan_REJECT (2 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere

Chain zone_wan_forward (1 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
forwarding_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere
root@DeltaNet:/etc/config#


mactalla

join:2008-02-19
kudos:1

said by isocat:

Chain FORWARD (policy DROP)

Your firewall is dropping by default anything that would need to be forwarded from one interface to another.

Try this: ip6tables -P FORWARD ACCEPT
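
A chain policy only decides packets that no earlier rule has already decided, and the FORWARD chain in the listing above shows a jump to `reject` with no visible match. The added example below (not from any poster in this thread) walks `ip6tables -S` output for one forwarded packet and names the rule or policy that decides it. The sample rule set is constructed, and its `-i`/`-o` matches are assumptions, because plain `ip6tables -L` (without `-v`) does not show interface matches.

```sh
# Added example: which rule or policy decides a forwarded packet?

# Constructed rule set in `ip6tables -S` form, modelled on the chain names in
# the listing above. The -i/-o matches are assumptions (plain -L hides them).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j forward
-A FORWARD -j reject
-A forward -i br-lan -j zone_lan_forward
-A forward -i pppoe-wan -j zone_wan_forward
-A zone_lan_forward -j zone_wan_ACCEPT
-A zone_lan_forward -j zone_lan_REJECT
-A zone_wan_ACCEPT -o pppoe-wan -j ACCEPT
-A zone_lan_REJECT -i br-lan -j reject
-A zone_wan_forward -p ipv6-icmp -j ACCEPT
-A zone_wan_forward -j zone_wan_REJECT
-A zone_wan_REJECT -i pppoe-wan -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable'

# forward_verdict RULES IN_IF OUT_IF
# Follows only rules whose matches are -i/-o alone; rules with any other match
# are skipped, so the result is for a packet that nothing more specific catches.
forward_verdict() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
    function walk(chain, depth,    i, n, r, f, k, m, ok, tgt, v) {
        if (depth > 16) return ""              # guard against chain loops
        n = split(rules[chain], r, "\n")
        for (i = 1; i <= n; i++) {
            m = split(r[i], f, " "); ok = 1; tgt = ""
            for (k = 1; k <= m; k += 2) {
                if (f[k] == "-i") ok = ok && (f[k + 1] == in_if)
                else if (f[k] == "-o") ok = ok && (f[k + 1] == out_if)
                else if (f[k] == "-j") tgt = f[k + 1]
                else if (f[k] != "--reject-with") ok = 0
            }
            if (!ok || tgt == "") continue
            if (tgt ~ /^(ACCEPT|DROP|REJECT)$/) return tgt " by rule in " chain
            if (tgt == "RETURN") return ""
            v = walk(tgt, depth + 1)
            if (v != "") return v
        }
        return ""
    }
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" { c = $2; $1 = $2 = ""; rules[c] = rules[c] $0 "\n" }
    END { v = walk("FORWARD", 0)
          print (v != "" ? v : policy["FORWARD"] " by FORWARD policy") }'
}
```

With the sample, `forward_verdict "$SAMPLE_RULES" br-lan pppoe-wan` reports the zone rule that accepts LAN-to-WAN traffic. A packet between interfaces that belong to no zone is decided by the catch-all `reject` jump, so for that rule set changing the FORWARD policy alone does not alter the outcome.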

isocat

join:2012-06-03
Toronto, ON

Thanks for your reply! I have tried your suggestion, but unfortunately there was no change.

Something I forgot to include in the original post was that when I restart my firewall, I get some errors:

root@DeltaNet:/etc/config# /etc/init.d/firewall restart
Loading defaults
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
Loading synflood protection
Adding custom chains
Loading zones
Loading forwardings
Loading redirects
Loading rules
Loading includes
Loading interfaces
ip6tables: No chain/target/match by that name.
root@DeltaNet:/etc/config#


rpnc

join:2011-06-08
Markham, ON
reply to isocat

isocat,

I am using OpenWRT successfully. However, I'm running version 10.03.1. Version 10.03.1 uses a new integrated IPv4/IPv6 firewall. I was able to add the iputils-traceroute6 package in 10.03.1 to get traceroute6.

I have kept a record of how I configured OpenWRT. I did a lot with the GUI but some had to be done with config files.

In GUI (better with Firefox):
- System > Administration > Router Password
Password: xxxxxxxx
Confirmation: xxxxxxxx
- System > Administration > SSH Access
Interface: lan
Save & Apply.

- Network > Interfaces > WAN > General Setup
Protocol: PPPoE
PAP/CHAP username: xxxxx@hsiservice.net
PAP/CHAP password: xxxxxxxx
Save & Apply.

From PuTTY:
opkg update
opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables wide-dhcpv6-server ntpclient iputils-traceroute6
reboot

- Network > DHCP and DNS > Static Leases > Add
Hostname: CanonPrinter
MAC-Address: xx:xx:xx:xx:xx:xx
IPv4-Address: 192.168.1.xx
Save & Apply.

- Network > Wifi > radio0 > Device Configuration > General Setup
Enable
- Network > Wifi > radio0 > Interface Configuration > General Setup
ESSID: xxxxxx
- Network > Wifi > Interface Configuration > Wireless Security
Encryption: WPA2-PSK
Key: xxxxxxxx
Save & Apply.

- Network > Firewall > Zones
wan/Input: drop
wan/Forward: drop
Save & Apply.

- Network > Interfaces > WAN > Advanced Settings
Enable IPv6 negotiation on the PPP link: yes
Save & Apply.

- Network > Interfaces > LAN > General Setup
IPv6 address: 2607:f2c0:f0xx:xxxx::1/56
- Network > Interfaces > LAN > Advanced Setup
Override MTU: 1492
Save & Apply.

From PuTTY:
vi /etc/config/network
- under config 'interface' 'wan', add
option 'ip6addr' '2607:f2c0:a0xx:xxxx::1/64'

vi /etc/sysctl.conf
- remove comment # from net.ipv6.conf.all.forwarding=1
reboot

- System > Startup > Initscripts
enable radvd

Note: get MTU by pinging an IPv6 computer on the internet with -l size and finding the max size (1444) and add
- 40 bytes for the IPv6 header
- 4 bytes for the ICMPv6 header
- 4 bytes for the ICMPv6 echo request header
From PuTTY:
vi /etc/config/radvd
- under config interface
option AdvLinkMTU 1492
option AdvOtherConfigFlag 1
option ignore 0
- under config prefix (note that prefix is /64 not /56)
list prefix '2607:f2c0:f0xx:xxxx::/64'
option AdvValidLifetime 14400
option AdvPreferredLifetime 14400
option ignore 0

vi /etc/config/dhcp6s
- change to
option 'enabled' '1'

vi /etc/dhcp6s.conf (new file)
option domain-name-servers 2607:f2c0:f0xx:xxxx::1;

vi /etc/hosts
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx
fe80::xxxx:xxxx:xxxx:xxxx xxxxxxx

reboot

- System > Backup / Flash Firmware
Download backup: Generate archive
Done.

Here are some of the resulting configuration files:
root@OpenWrt:/etc/config# cat /etc/config/network

config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'

config 'interface' 'lan'
option 'ifname' 'eth0'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'ip6addr' '2607:f2c0:f0xx:xxxx::1/56'
option 'mtu' '1492'

config 'interface' 'wan'
option 'ifname' 'eth1'
option '_orig_ifname' 'eth1'
option '_orig_bridge' 'false'
option 'proto' 'pppoe'
option 'password' 'xxxxx'
option 'ipv6' '1'
option 'ip6addr' '2607:f2c0:a0xx:xxxx::1/64'
option 'username' 'xxxxx@hsiservice.net'

config 'switch'
option 'name' 'rtl8366s'
option 'reset' '1'
option 'enable_vlan' '1'

config 'switch_vlan'
option 'device' 'rtl8366s'
option 'vlan' '1'
option 'ports' '0 1 2 3 5'

root@OpenWrt:/etc/config# cat /etc/config/radvd
config interface
option interface 'lan'
option AdvSendAdvert 1
option AdvManagedFlag 0
option AdvLinkMTU 1492
option AdvOtherConfigFlag 1
list client ''
option ignore 0

config prefix
option interface 'lan'
# If not specified, a non-link-local prefix of the interface is used
list prefix '2607:f2c0:f0xx:xxxx::/64'
option AdvOnLink 1
option AdvAutonomous 1
option AdvRouterAddr 0
option AdvValidLifetime 14400
option AdvPreferredLifetime 14400
option ignore 0

config route
option interface 'lan'
list prefix ''
option ignore 1

config rdnss
option interface 'lan'
# If not specified, the link-local address of the interface is used
list addr ''
option ignore 1

config dnssl
option interface 'lan'
list suffix ''
option ignore 1

root@OpenWrt:/etc# cat /etc/dhcp6s.conf
option domain-name-servers 2607:f2c0:f0xx:xxxx::1;
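
The two notes in the post above (advertise a /64 rather than the /56, and derive the MTU from the largest ping payload plus 48 bytes of headers) can be checked mechanically. The added example below is not part of rpnc's post: it lints text in `/etc/config/radvd` syntax, and the function name `radvd_lint` and the sample config (2001:db8::/32 documentation range, with a deliberate /56) are constructed for illustration.

```sh
# Added example: lint radvd settings against the /64 and MTU notes above.

# Constructed sample in /etc/config/radvd syntax. The /56 prefix is the
# deliberate mistake; 2001:db8::/32 is the documentation range.
SAMPLE_RADVD="config interface
    option interface 'lan'
    option AdvSendAdvert 1
    option AdvLinkMTU 1492
    option ignore 0

config prefix
    option interface 'lan'
    list prefix '2001:db8:f000:100::/56'
    option AdvOnLink 1
    option AdvAutonomous 1
    option ignore 0"

# radvd_lint CONFIG_TEXT MAX_PING_PAYLOAD
# MAX_PING_PAYLOAD is the largest echo payload that got through unfragmented.
# Prints one finding per line; prints nothing when both checks pass.
radvd_lint() {
    printf '%s\n' "$1" | awk -v payload="$2" -v q="'" '
    { gsub(q, "") }                            # strip UCI single quotes
    $1 == "config" { section = $2; next }
    # Stateless autoconfiguration on Ethernet-style links needs a /64.
    section == "prefix" && $2 == "prefix" && $3 != "" {
        n = split($3, p, "/")
        if (n != 2 || p[2] + 0 != 64) print "prefix " $3 ": SLAAC needs /64"
    }
    # Measured MTU = payload + 40 (IPv6 header) + 8 (ICMPv6 echo, 4 + 4).
    section == "interface" && $2 == "AdvLinkMTU" {
        limit = payload + 48
        if ($3 + 0 > limit)
            print "AdvLinkMTU " $3 " exceeds measured MTU " limit
    }'
}
```

`radvd_lint "$SAMPLE_RADVD" 1444` flags only the /56 prefix, since 1444 + 48 matches the advertised 1492.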


isocat

join:2012-06-03
Toronto, ON

Thanks very much, rpnc! :)

I also have 10.03.1 (r29592). Are you using brcm-2.4 or brcm47xx? For some reason I am unable to add traceroute6:

root@DeltaNet:/etc# opkg update
Downloading »downloads.openwrt.org/backfire/1···kages.gz.
Inflating »downloads.openwrt.org/backfire/1···kages.gz.
Updated list of available packages in /var/opkg-lists/packages.
root@DeltaNet:/etc# opkg install iputils-traceroute6
Unknown package 'iputils-traceroute6'.
Collected errors:
* opkg_install_cmd: Cannot install package iputils-traceroute6.


Thanks very kindly for your detailed post, I will go through it and see if I can figure out where I went wrong.


rpnc

join:2011-06-08
Markham, ON

I have openwrt-ar71xx-dir-825-b1-squashfs-*.bin running on a D-Link DIR-825.

My list of packages is at:
»downloads.openwrt.org/backfire/1···ackages/

Yours are at:
»downloads.openwrt.org/backfire/1···ackages/

In my packages, I see iputils-traceroute6_20101006-1_ar71xx.ipk but I don't see it in yours. Yours has tcptraceroute6_1.0.1-1_brcm-2.4.ipk but I can't get tcptraceroute6 to work - apparently due to bug #8153.