IPv6 (tutorial)
From DD-WRT Wiki
| Revision as of 16:00, 24 August 2009 (edit) PStatic (Talk | contribs) (Add section on troubleshooting) ← Previous diff |
Revision as of 02:53, 21 November 2009 (edit) (undo) M00head (Talk | contribs) m (→6to4-specific issues) Next diff → |
||
| Line 339: | Line 339: | ||
| ===6to4-specific issues=== | ===6to4-specific issues=== | ||
| - | 6to4 uses a special IP address (192. | + | 6to4 uses a special IP address (192.88.99.1) to configure the tunnel. Try pinging this IP; if it doesn't work, then 6to4 probably won't work for you. You could bother your ISP about it, but as likely as not they'll just ignore you completely. |
| 6to4 also requires that protocol 41 (different from port 41!) be accessible. It's rare for ISPs to block this, but if they really feel like jerks it's not impossible. proto41 blocking is difficult to detect, unfortunately. | 6to4 also requires that protocol 41 (different from port 41!) be accessible. It's rare for ISPs to block this, but if they really feel like jerks it's not impossible. proto41 blocking is difficult to detect, unfortunately. | ||
Revision as of 02:53, 21 November 2009
Internet Protocol version 6 (IPv6) is a network layer IP standard used by electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as the second version of the Internet Protocol to be formally adopted for general use.
There are too many devices in the world for 32-bit (232, or 4,294,967,296) IP addresses to be sufficient.
The next version of the TCP/IP protocol, IPv6 offers 128-bit address space, or 2128 (≈ 3.4 x 1038) IP addresses; this is approximately 5×1028 addresses for each of the roughly 6.5 billion people alive today, or about 57 billion addresses for each gram of matter in the Earth.
Contents |
Prerequisites
- DD-WRT compatible router
- Knowledge about the Command Line
- Knowledge about the ip command
- DD-WRT version 22 prefinal 5 minimum with distribution voip or standard only
- IPv6 is apparently NOT WORKING on all versions of DD-WRT version 24 (tested on RC5 and final). If you want IPv6 on v24, try one of the custom builds discussed here.
- IPv6 enabled thru the GUI section Administration/Management/Router Management/Ipv6
- Enabling jffs would be help (optional)
IPv6 on your LAN
Overview
If you already have a working IPv6 router or are not interested in routing IPv6 traffic out of your LAN, your main concern is to allow your wireless clients traffic pass the to the wired side.
When your DD-WRT -box is your IPv6-router, see other solutions below for 6to4 tunneling solutions.
Enabling IPv6 Support
On the Administration>Management page, enable IPv6 and radvd.
Configuring Radvd
Radvd is similar to a DHCP server. It advertises your IPv6 prefix to the local network, so that a new client can generate its own IP address. This config tells radvd to get an IPv6-address from the wired side, and properly announce it to the LAN (br0).
Copy the following into your radvd settings box:
interface br0 {
AdvSendAdvert on;
prefix 0:0:0:1::/64 {
AdvOnLink on;
AdvAutonomous on;
};
};
6to4 Setup
Overview
6to4 is a mechanism which assigns a large block of IPv6 addresses to every IPv4 address on the Internet. You can use 6to4 with DD-WRT to give every computer on your network a globally-accessible IPv6 address without the need to configure explicit tunneling.
Important Reminders :
- In order to use ipv6, you need the Standard or VoIP version of DD-WRT, as these are currently the only ones which support both IPv6 and radvd.
- The detailled configuration steps are targeted toward users with a basic DHCP connection for the WAN part. So, if using PPPoE will require replacing vlan1 with ppp0 in each instance. Other connection types will vary.
- When using DD-WRT standard on a router with 4MB Flash, there is no space available for jffs.
- This guide only rely on nvram variables, so that jffs is not needed.
Enabling IPv6 Support
On the Administration>Management page, enable IPv6 and radvd.
Configuring Radvd
Radvd is similar to a DHCP server. It advertises your IPv6 prefix to the local network, so that a new client can generate its own IP address. This config tells radvd to get a 6to4 prefix from the WAN side (vlan1) and announce it to the LAN (br0)
Copy the following into your radvd settings box:
interface br0 {
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1280;
AdvSendAdvert on;
prefix 0:0:0:1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvValidLifetime 86400;
AdvPreferredLifetime 86400;
Base6to4Interface vlan1;
AdvRouterAddr on;
};
};
Startup Script
This startup script acquires your current IPv4 address and uses it to calculate a 6to4 IPv6 address. It then creates the tunnel interface, configures a route, and assigns the address. Afterwards, it sends radvd a SIGHUP so that it will become aware that the prefix has changed.
Go to Administration>Diagnostics or Administration>Commands in v23 SP2, copy the following into the big box, and hit "Save Startup".
sleep 5
WANIP=$(ip -4 addr show dev vlan1 | awk '/inet / {print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP
ip link set tun6to4 mtu 1280
ip link set tun6to4 up
ip addr add $V6PREFIX:0::1/16 dev tun6to4
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
kill -HUP $(cat /var/run/radvd.pid)
fi
In the versions of v24 which support IPv6, the above script will work with a few modifications. First, you have to add "insmod ipv6" somewhere before the if, since it seems that the module isn't automatically loaded. Second, Radvd doesn't start automatically, though you can get it to start by disabling/enabling it in the control panel. You can also start it by putting its config file in /jffs, and then adding "radvd -C /jffs/radvd.conf &" to the script.
Performance Concerns
When you send a packet from a 6to4 address to a native IPv6 address, it has to pass through a 6to4 gateway. RFC3068 established the special anycast address 192.88.99.1 which is supposed to lead you to the nearest gateway. However, some ISPs don't handle this properly, so you may find that all of your packets are crossing an ocean or two.
If this affects you, then you may need to do some detective work to locate a closer gateway. One possible approach is to use IPv4 Looking Glass tools to traceroute to 192.88.99.1 from various locations on the Internet and see where you end up.
Or you could bug your ISP about it, but they'll probably be like "IPvWHAT?"
6to4 IPv6 as default protocol
As per RFC3484 §2.1 default policy table, having a 6to4 enabled LAN (using a 6to4 anycast tunel on a DD-WRT enabled box, say) will mean that 6to4 IPv6 will only be used to communicate to a server if the server is having a 6to4 adress too (ie: 2002: prefix on its address) or if there is no IPv4 address assigned to the server name (ie: no A but an AAAA).
In short the following makes IPv4 default on IPv6 enabled Windows boxes using 6to4 prefixes.
1. Start -> Run -> "cmd" -> "netsh" -> "interface" -> "ipv6"
2. To enable IPv6 preference on Microsoft Windows...
set prefix ::1/128 50 0 set prefix ::/0 40 1 set prefix 2002::/16 30 1 set prefix ::/96 20 3 set prefix ::ffff:0/96 10 4 set prefix 2001::/32 5 5
Only the 2002::/16 line (6to4 prefix policy) is changed.
3. To make things goes back to original mode (IPv4 preference)...
set prefix ::1/128 50 0 set prefix ::/0 40 1 set prefix 2002::/16 30 2 set prefix ::/96 20 3 set prefix ::ffff:0/96 10 4 set prefix 2001::/32 5 5
And Voilà ;-)
Notes: ::1/128 == localhost, ::/0 == default, 2002::/16 == 6to4, ::/96 + ::ffff::0/96 == IPv4 compatibility, 2001::/32 == Teredo, 2000::/3 would be All IPv6 Global Unicast address space
SixXS Tunnel Broker
Requesting a Tunnel/Subnet
1. Sign up with a RIPE/ARIN/etc handle or by using the direct signup
2. After your login at the SixXS Home you can request a tunnel and later a subnet.
Note that providing a link to a XING or LinkedIn profile or providing links to projects you work on can provide extra credits!
Static Tunnel
There are instructions at Remoteroot.net with example scripts.
This wiki also offers an example IPv6 startup script
Notice that radvd doesn't work with mini version but requires the full version of DD-WRT. Also if you have problems with pinging and SixXS, notice their FAQ message related to this. By default DD-WRT seems to try to masquerade also the IPv6 packets so the following addition to the firewall rule worked for me:
iptables -t nat -D POSTROUTING -o vlan1 -j MASQUERADE iptables -t nat -I POSTROUTING -p ! ipv6 -o vlan1 -j MASQUERADE
Dynamic Tunnel
Install AICCU
1. Install AICCU using ipkg.
# ipkg install http://downloads.openwrt.org/kamikaze/packages/mipsel/aiccu_20070115-1_mipsel.ipk
2. Configure AICCU.
# vi /jffs/etc/aiccu.conf
# AICCU Configuration # Login information username <your nichandle/username> password <your password> # Interface names to use ipv4_interface vlan1 ipv6_interface sixxs # The tunnel_id to use # (only required when there are multiple tunnels in the list) tunnel_id <your tunnel id> # Be verbose? verbose false # Daemonize? daemonize true # Automatic? automatic true
Note that if you can't write to /jffs/etc/, you can always store the script in another directory (that of course is persistent otherwise you loose it :) and use eg 'aiccu start /tmp/aiccu.conf' to pick a different configuration file location.
Automatically start your Tunnel
1. Create a .startup file and make it executable.
# vi /jffs/etc/config/aiccu.startup
#!/bin/sh /jffs/etc/init.d/S51aiccu start ip -6 addr add 2001:xxxx:xxx::/64 dev br0 # Edit to your assigned subnet settings. (You have to use /64 here)
# chmod +x /jffs/etc/config/aiccu.startup
2. Adjust the AICCU init script.
# vi /jffs/etc/init.d/S51aiccu
#!/bin/sh
case "$1" in
start)
( while [ `date +%Y` -eq 1970 ]; do
sleep 1
done && /jffs/usr/sbin/aiccu start /jffs/etc/aiccu.conf ) &
;;
stop)
aiccu stop /jffs/etc/aiccu.conf
aiccu stop /jffs/etc/aiccu.conf
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
Announce your Subnet with radvd
1. Enable radvd at the webinterface of your router (Administration->Management->IPv6 Support)
2. Insert your radvd.conf into the form and save your settings.(You must use the /64 prefix even if you got a /48 subnet)
interface br0
{
AdvSendAdvert on;
prefix 2001:xxxx:xxxx::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
Hurricane Electric's Tunnelbroker.net
Registration
1) Sign up for an account with our web based registration at Tunnelbroker.net
2) After creating your account, provide your IPv4 endpoint, and pick the closest tunnel-server to your location:
- Fremont, CA
- New York City, NY
- Chicago, IL
- Dallas, TX
- London, UK
- Frankfurt, DE
- Paris, FR
- Amsterdam, NL
Features
By default you already get a /64 allocation routed to your side of the tunnel.
If you need more than a single /64, with the click of a button you can allocate a single /48 routed to your side of the tunnel.
A large variety of configuration examples are provided for various platforms covering: Linux, *BSD, Windows as well as router platforms.
Tunnelbroker.net is operated and maintained by a business and not individuals, and provided FREE to anyone interested in learning more about IPv6.
Startup Script
This works for me on v24 SP2:
insmod ipv6
sleep 5
WANIP=$(ip -4 addr show dev vlan1 | awk '/inet / {print $2}' | cut -d/ -f1)
MY_TUNNEL_ADDR="2001:470:1f0e:5cd::2" # change me
MY_ROUTED_ADDR="2001:470:1f0f:5cd::1" # change me
echo "External IP:" $WANIP > /jffs/startup.debug
if [ -n $WANIP ]
then
echo "configuring tunnel" >> /jffs/startup.debug
# The following commands are straight from HE's website
ip tunnel add he-ipv6 mode sit remote 216.218.224.42 local $WANIP ttl 255
ip link set he-ipv6 up
ip addr add $MY_TUNNEL_ADDR/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
# These commands aren't on HE's website, but they're necessary for the tunnel to work
ip -6 addr add $MY_ROUTED_ADDR/64 dev he-ipv6
ip -6 addr add $MY_ROUTED_ADDR/64 dev br0
ip route add 2000::/3 dev he-ipv6
echo "starting radvd" >> /jffs/startup.debug
radvd -C /jffs/radvd.conf &
fi
- The tunnel address and routed address are on your Tunnel Details page on HE's website. For MY_TUNNEL_ADDR, use the value for "Client IPv6 Address", and for MY_ROUTER_ADDR, use the value for "Routed /64".
- Many people have working configurations using only the tunnel address for everything, but you need to use the routed address for your network if you want certain things like reverse DNS to work.
- You have to have your radvd config saved in /jffs/radvd.conf. Running radvd from the web interface has never worked for me; if it works for you, you can drop the radvd line from the script.
- This script doesn't handle when your IP address changes; you'll need to manually update it on HE's website, or use the endpoint updater script below.
- I occasionally have issues with the tunnel dying randomly. Pinging the router's IPv6 address fixes it for some reason, I have no idea why. :(
Endpoint updater
If your router gets a dynamic ip, you need to update your endpoint in your tunnelbroker account. This can be done on DDWRT with this busybox-only script: Tunnelbroker.net enpoint address updater
Download it into tmp or jffs, edit the file to set up your credentials or just run it from commandline:
updateipv4.sh username password tunnelid
A successful update means either your current endpoint IP is the same as your previous one, or it has been updated to your current one.
Additional Links
Tunnelbroker.net's user forums
Notes
Anonymous IPv6 at Microsoft Windows
By default on WinXP, Win2003 or WinVista, IPv6 addresses built from IPv6 prefix (stateless configuration for instance) are using the EUI-64 (cf MAC address) of your network card as a suffix. This can lead to some privacy issues, hence another IPv6 address is dynamically computed and used by default. Such an anonymous address changes (according to a computation algorithm) each time the IPv6 stack starts. This can cause some trouble under certain conditions where the server needs a unique and static IPv6 (containing the EUI-64). The solution is to deactivate the creation of those "privacy addresses". But be carefull, this will then lead to leaking the EUI-64 and also enables people to track you (logs, google, etc). So, it's a tradeoff.
If you want to disable temporary IPv6 addresses, try the command :
netsh interface ipv6 set privacy state=disable
or
ipv6 -p gpu UseTemporaryAddresses no
ping6 at dd-wrt v23
Try to install busybox from OpenWRT: http://downloads.openwrt.org/people/florian/bin/packages/
~ # ipkg install http://downloads.openwrt.org/people/florian/bin/packages/busybox_1.1.3-1_mipsel.ipk
Okay now you have to install uclibc (with -force-depends):
http://downloads.openwrt.org/people/florian/bin/packages/
~ # ipkg -force-depends install http://downloads.openwrt.org/people/florian/bin/packages/uclibc_0.9.28-8_mipsel.ipk
After installing these packages you have to change the priority of the /lib path in your shell environment:
~ # export LD_LIBRARY_PATH=/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/lib
For the last step you have to change the ping6 symlink:
~ # rm /jffs/bin/ping6 ~ # cd /jffs/bin ~ # ln -s /jffs/bin/busybox ping6
Now ping6 should work for the current xterm session.
Troubleshooting
So you've tried to set up IPv6, but it didn't work! Don't panic, it's probably still fixable.
Tunnel issues
The first question to ask is, can you ping the router from the internet? Head over to [1] and use the ping test with your external IPv6 IP. (For HE and SixXS tunnels, this will be your client tunnel IP; for 6to4, it'll be generated from your public IPv4 address.) If the ping goes through, congratulations! Your tunnel isn't the problem.
6to4-specific issues
6to4 uses a special IP address (192.88.99.1) to configure the tunnel. Try pinging this IP; if it doesn't work, then 6to4 probably won't work for you. You could bother your ISP about it, but as likely as not they'll just ignore you completely.
6to4 also requires that protocol 41 (different from port 41!) be accessible. It's rare for ISPs to block this, but if they really feel like jerks it's not impossible. proto41 blocking is difficult to detect, unfortunately.
Hurricane Electric specific issues
Make sure your IPv4 address is set properly on the HE website. If not, your tunnel won't work. Similarly, make sure the IPv6 tunnel addresses you use are correct.
Radvd issues
If you're using radvd and it's not working somehow, then your router will have a working IPv6 connection, but it won't be passed on to your other computers. If your computers aren't receiving IPv6 addresses, then this is the problem.
The best tool for checking this is the radvdump program. Run it as root, and it'll show you any router advertisements your computer sends or receives. If you don't see any after a while, radvd probably isn't running. Try running "ps | grep radvd" on your router to see if it is. If it's not running, you can save your config file to jffs, and then run radvd manually:
radvd -C /jffs/radvd.conf
Beyond making sure IPv6 support is enabled on your client computers, you shouldn't have to configure anything else when using radvd.
Working configuration
For comparison, here's the output of a few commands on my router (which has a working HE.net tunnel):
root@DD-WRT:~# ip -6 addr show
1: lo: <LOOPBACK,MULTICAST,UP>
inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP>
inet6 fe80::21c:10ff:fe5b:7978/64 scope link
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP>
inet6 fe80::21c:10ff:fe5b:797a/64 scope link
5: vlan0: <BROADCAST,MULTICAST,PROMISC,UP>
inet6 fe80::21c:10ff:fe5b:7978/64 scope link
6: vlan1: <BROADCAST,MULTICAST,UP>
inet6 fe80::21c:10ff:fe5b:7979/64 scope link
7: br0: <BROADCAST,MULTICAST,UP>
inet6 2001:470:1f0f:5cd::1/64 scope global
inet6 fe80::21c:10ff:fe5b:7978/64 scope link
10: he-ipv6: <POINTOPOINT,NOARP,UP>
inet6 2001:470:1f0f:5cd::1/64 scope global
inet6 2001:470:1f0e:5cd::2/64 scope global
inet6 fe80::48b3:3572/128 scope link
root@DD-WRT:~# ip -6 route show 2001:470:1f0e:5cd::/64 via :: dev he-ipv6 metric 256 mtu 1480 advmss 1420 2001:470:1f0f:5cd::/64 via :: dev he-ipv6 metric 256 mtu 1480 advmss 1420 2001:470:1f0f:5cd::/64 dev br0 metric 256 mtu 1500 advmss 1440 2000::/3 dev he-ipv6 metric 1024 mtu 1480 advmss 1420 fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 fe80::/64 dev vlan0 metric 256 mtu 1500 advmss 1440 fe80::/64 dev vlan1 metric 256 mtu 1500 advmss 1440 fe80::/64 dev br0 metric 256 mtu 1500 advmss 1440 fe80::/64 via :: dev he-ipv6 metric 256 mtu 1480 advmss 1420 ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 ff00::/8 dev vlan0 metric 256 mtu 1500 advmss 1440 ff00::/8 dev vlan1 metric 256 mtu 1500 advmss 1440 ff00::/8 dev br0 metric 256 mtu 1500 advmss 1440 ff00::/8 dev he-ipv6 metric 256 mtu 1480 advmss 1420 default dev he-ipv6 metric 1024 mtu 1480 advmss 1420