I have a WRT54G v1.1 running OpenWrt Kamikaze - With X-Wrt Extensions 7.09 (extensive details below).
I have IPv4 up and running fine, and a 6in4 IPv6 tunnel set up, with an IPv6 /64 subnet from my tunnel broker configured on the LAN.
My 6in4 IPv6 tunnel seems good. From OpenWRT, I can ping6 my tunnel host and beyond, eg. ipv6.google.com. I can likewise ping6 hosts on my LAN segment.
On the LAN, nodes are getting proper IPv6 addresses on my assigned /64 subnet as well as a default IPv6 route to the OpenWRT box. Similarly, LAN nodes can (most times) successfully ping6 hosts on the internet.
However, whenever I try to access an IPv6 web site, the browser eventually times out. Actually, I get something like this:
The connection to www.sixxs.net was interrupted while the page was loading
or
The server at ipv6.google.com is taking too long to respond.
(If I set Firefox to network.dns.disableIPv6 = true, thus forcing IPv4, connectivity is fine.)
When browsing to an IPv6 web site, I never get a page, but I see netstat stuff like this (in Linux):
[root@Localhost ~]# netstat -l --inet6 -all
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 266 2001:0db8:1234:5:204:23:44085 noc.sixxs.net:http ESTABLISH
tcp 0 521 2001:0db8:1234:5:204:23:34937 noc.sixxs.net:http LAST_ACK
and like this on a Mac:
Mac:~ user$ netstat -f inet6 -all
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 624 2001:0db8:1234:5:200:beef:beef:0003.56746 2001:4860:b002::68.http ESTABLISHED
tcp6 0 505 2001:0db8:1234:5:200:beef:beef:0003.56745 tunnelbroker.net.http ESTABLISHED
tcp6 0 214 2001:0db8:1234:5:200:beef:beef:0003.56743 noc.sixxs.net.https ESTABLISHED
Success with only ICMP made me think of firewall trouble, but my ip6tables are wide open (policy ACCEPT on every chain, no rules). Likewise, iptables is configured per guides here (to make the tunnel work, which it does). However, it seems like IPv6 is getting through, but just too unreliably to be of any use.
I'm kind of at a loss to troubleshoot why the IPv6 on the LAN isn't working quite right. I'd appreciate another set of eyes on my configs and stuff (below) in case I'm missing something, as well as any additional troubleshooting suggestions.
My install:
root@wrt:~# ipkg list
base-files-brcm-2.4 - 10-12557 -
bridge - 1.0.6-1 -
busybox - 1.4.2-2 -
dnsmasq - 2.39-1 -
dropbear - 0.50-2 -
haserl - 0.8.0-2 -
ip - 2.6.20-070313-1 -
ip6tables - 1.3.7-1 -
iptables - 1.3.7-1 -
kernel - 2.4.34-brcm-1 -
kmod-brcm-wl - 2.4.34+4.80.53.0-1 -
kmod-diag - 2+2.4.34-brcm-1 -
kmod-ip6tables - 2.4.34-brcm-1 -
kmod-ipt-nathelper - 2.4.34-brcm-1 -
kmod-ipv6 - 2.4.34-brcm-1 -
kmod-ppp - 2.4.34-brcm-1 -
kmod-pppoe - 2.4.34-brcm-1 -
kmod-switch - 2.4.34-brcm-1 -
kmod-wlcompat - 2.4.34+brcm-6 -
libgcc - 3.4.6-10 -
mtd - 5 -
nas - 4.80.53.0-1 -
netstat-nat - 1.4.6-1 -
nvram - 1 -
ppp - 2.4.3-8 -
ppp-mod-pppoe - 2.4.3-8 -
radvd - 1.0-1 -
tcptraceroute6 - 0.5.1-1 -
uclibc - 0.9.28-10 -
webif - 0.3-12 -
wireless-tools - 29-1 -
wlc - 4.80.53.0-1 -
Running modules:
root@wrt:~# lsmod
Module Size Used by Tainted: P
wlcompat 14944 0 (unused)
ip_conntrack_tftp 1712 0 (unused)
ip_nat_irc 2336 0 (unused)
ip_conntrack_irc 3128 1
ip_nat_ftp 2960 0 (unused)
ip_conntrack_ftp 4272 1
ip6t_owner 1020 0 (unused)
ip6t_multiport 556 0 (unused)
ip6t_mark 316 0 (unused)
ip6t_mac 556 0 (unused)
ip6t_limit 892 0 (unused)
ip6t_length 348 0 (unused)
ip6t_eui64 684 0 (unused)
ip6t_MARK 668 0 (unused)
ip6t_LOG 4556 0 (unused)
ip6t_IMQ 684 0 (unused)
ip6table_mangle 2284 0 (unused)
ip6table_filter 1740 0 (unused)
ip6_tables 17440 12 [ip6t_owner ip6t_multiport ip6t_mark ip6t_mac ip6t_limit ip6t_length ip6t_eui64 ip6t_MARK ip6t_LOG ip6t_IMQ ip6table_mangle ip6table_filter]
ppp_async 7884 0 (unused)
ppp_generic 22300 0 [ppp_async]
slhc 6064 0 [ppp_generic]
wl 630776 0 (unused)
ipv6 197376 -1
switch-adm 6372 0 (unused)
switch-core 4864 0 [switch-adm]
diag 25520 0 (unused)
My network config:
root@wrt:~# cat /etc/config/network
#### VLAN configuration
config switch eth0
option vlan0 "1 2 3 4 5*"
option vlan1 "0 5"
#### Loopback configuration
config interface loopback
option ifname "lo"
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
#### LAN configuration
config interface lan
option type bridge
option ifname "eth0.0"
option proto static
option ipaddr 10.10.10.3
option netmask 255.255.255.0
option ip6addr 2001:0db8:1234:5::1/64
#### WAN configuration
config interface wan
option ifname "eth0.1"
option proto static
option ipaddr 172.16.1.2
option netmask 255.255.255.0
option gateway 172.16.1.1
option dns 10.10.10.2
My tunnel script config:
root@wrt:~# cat /etc/init.d/tunhe-ipv6
#!/bin/sh /etc/rc.common
# Start priority read by /etc/rc.common when the script is enabled.
START="47"

# IPv4 endpoints of the 6in4 tunnel: this router's WAN address and the
# tunnel broker's point of presence.
LOCALIP="172.16.1.2"
POPIP="209.51.161.58"

# IPv6 addresses on the tunnel link itself: our side and the broker's side.
LOCTUN="2001:0db8:1234:4::2"
REMTUN="2001:0db8:1234:4::1"
# Create the he-ipv6 SIT (IPv6-in-IPv4) tunnel and send all IPv6 traffic
# through it.
# Globals: LOCALIP, POPIP, LOCTUN, REMTUN (read)
# Outputs: progress message on stdout
# The exit status of the individual ip commands is not checked, so "Done."
# is printed even when one of them fails.
# NOTE(review): this script installs no ip6tables rules. Once the default
# route is up, traffic forwarded between he-ipv6 and the LAN is filtered only
# by whatever ip6tables policy is loaded elsewhere; LAN hosts hold globally
# routable addresses with no NAT in between, so confirm a FORWARD policy is
# in place.
start() {
	local tun="he-ipv6"

	echo -n "Starting TunnelBroker.net IPv6 tunnel: "
	# Encapsulate between our IPv4 address and the broker's IPv4 address.
	ip tunnel add "$tun" mode sit local "$LOCALIP" remote "$POPIP"
	ip link set "$tun" up
	# Our end of the tunnel's own /64, then the default route via the far end.
	ip -6 addr add "${LOCTUN}/64" dev "$tun"
	ip -6 ro add default via "$REMTUN" dev "$tun"
	echo "Done."
}
# Take the he-ipv6 tunnel interface down and delete it.
# Outputs: progress message on stdout
# The exit status of the ip commands is not checked.
stop() {
	local tun="he-ipv6"

	echo -n "Stopping TunnelBroker.net IPv6 tunnel: "
	ip link set "$tun" down
	ip tunnel del "$tun"
	echo "Done."
}
# Cycle the tunnel: tear it down, then build it again.
# The result of stop is not checked; start always runs afterwards.
restart() {
	stop; start
}
My radvd config:
root@wrt:~# cat /etc/radvd.conf
# For more examples, see the radvd documentation.
# Router-advertisement settings for the LAN bridge: advertise the routed /64
# so hosts can autoconfigure addresses and learn this router as their gateway.
interface br-lan
{
# Send periodic router advertisements and answer router solicitations.
AdvSendAdvert on;
# NOTE(review): no AdvLinkMTU is set here, so no MTU option is advertised.
# The LAN hosts in this post show mtu 1500 while the he-ipv6 routes show
# mtu 1480 -- confirm whether the tunnel MTU should be advertised here.
prefix 2001:0db8:1234:5::/64
{
# Hosts may treat addresses in this prefix as directly reachable on the link.
AdvOnLink on;
# Hosts may form their own addresses from this prefix (stateless autoconfig).
AdvAutonomous on;
};
};
iptables/ip6tables stuff:
root@wrt:~# iptables -v -L --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any any anywhere anywhere state INVALID
2 8477 673K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 5 200 DROP tcp -- any any anywhere anywhere tcp option=!2 flags:SYN/SYN
4 646 164K input_rule all -- any any anywhere anywhere
5 156 18004 input_wan all -- eth0.1 any anywhere anywhere
6 646 164K LAN_ACCEPT all -- any any anywhere anywhere
7 0 0 ACCEPT icmp -- any any anywhere anywhere
8 0 0 ACCEPT gre -- any any anywhere anywhere
9 0 0 ACCEPT ipv6 -- eth0.1 any anywhere anywhere
10 11 584 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
11 145 17420 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 27 packets, 1406 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any any anywhere anywhere state INVALID
2 67 3332 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
3 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 70 3510 forwarding_rule all -- any any anywhere anywhere
5 27 1406 forwarding_wan all -- eth0.1 any anywhere anywhere
6 0 0 ACCEPT all -- br-lan br-lan anywhere anywhere
7 0 0 ACCEPT all -- br-lan eth0.1 anywhere anywhere
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any any anywhere anywhere state INVALID
2 8051 886K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 265 123K output_rule all -- any any anywhere anywhere
4 265 123K ACCEPT all -- any any anywhere anywhere
5 0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
6 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain LAN_ACCEPT (1 references)
num pkts bytes target prot opt in out source destination
1 156 18004 RETURN all -- eth0.1 any anywhere anywhere
2 490 146K ACCEPT all -- any any anywhere anywhere
Chain forwarding_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain forwarding_wan (1 references)
num pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
num pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
num pkts bytes target prot opt in out source destination
root@wrt:~# iptables -t nat -v -L --line-numbers
Chain PREROUTING (policy ACCEPT 1297 packets, 177K bytes)
num pkts bytes target prot opt in out source destination
1 58 2864 NEW tcp -- any any anywhere anywhere state NEW
2 1313 177K prerouting_rule all -- any any anywhere anywhere
3 287 41566 prerouting_wan all -- eth0.1 any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 28 packets, 4583 bytes)
num pkts bytes target prot opt in out source destination
1 39 5023 postrouting_rule all -- any any anywhere anywhere
2 11 440 MASQUERADE !ipv6 -- any eth0.1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 12 packets, 3811 bytes)
num pkts bytes target prot opt in out source destination
Chain NEW (1 references)
num pkts bytes target prot opt in out source destination
1 58 2864 RETURN all -- any any anywhere anywhere limit: avg 50/sec burst 100
2 0 0 DROP all -- any any anywhere anywhere
Chain postrouting_rule (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT esp -- any any anywhere anywhere
2 0 0 ACCEPT ah -- any any anywhere anywhere
Chain prerouting_rule (1 references)
num pkts bytes target prot opt in out source destination
Chain prerouting_wan (1 references)
num pkts bytes target prot opt in out source destination
root@wrt:~# ip6tables -v -L --line-numbers
Chain INPUT (policy ACCEPT 2701 packets, 246K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 8504 packets, 794K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1909 packets, 193K bytes)
num pkts bytes target prot opt in out source destination
Connectivity view from the router:
root@wrt:~# ip -6 addr
1: lo: <LOOPBACK,UP>
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::200:beef:beef:0001/64 scope link
4: eth0.0: <BROADCAST,MULTICAST,PROMISC,UP>
inet6 fe80::200:beef:beef:0001/64 scope link
5: eth0.1: <BROADCAST,MULTICAST,UP>
inet6 fe80::200:beef:beef:0001/64 scope link
8: wl0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::200:beef:beef:0010/64 scope link
9: br-lan: <BROADCAST,MULTICAST,UP>
inet6 fe80::200:ff:fe00:0/64 scope link
inet6 2001:0db8:1234:5::1/64 scope global
10: he-ipv6: <POINTOPOINT,NOARP,UP>
inet6 2001:0db8:1234:4::2/64 scope global
inet6 fe80::d1d8:4646/128 scope link
root@wrt:~# ip -6 route
2001:0db8:1234:4::/64 via :: dev he-ipv6 metric 256 mtu 1480 advmss 1420
2001:0db8:1234:5::/64 dev br-lan metric 256 mtu 1500 advmss 1440
default via 2001:0db8:1234:4::1 dev he-ipv6 metric 1024 mtu 1480 advmss 1420
root@wrt:~# ping6 ipv6.google.com
PING ipv6.l.google.com (2001:4860:b002::68): 56 data bytes
64 bytes from 2001:4860:b002::68: icmp6_seq=0 ttl=60 time=163.4 ms
root@wrt:~# tcptraceroute6 ipv6.google.com
traceroute to 2001:4860:b002::68 (2001:4860:b002::68) from 2001:0db8:1234:4::2, port 80, 30 hops max
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 2001:4860:b002::68 (2001:4860:b002::68) [open] 163.466 ms 161.816 ms 161.970 ms
Client Connectivity view from a Mac:
Mac:~ user$ ifconfig en0
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.10.10.3 netmask 0xffffff00 broadcast 10.10.10.255
inet6 fe80::200:beef:beef:0003%en0 prefixlen 64 scopeid 0x4
inet6 2001:0db8:1234:5:200:beef:beef:0003 prefixlen 64 autoconf
ether 00:00:00:00:00:03
Mac:~ root# netstat -r -l -f inet6
Routing tables
Internet6:
Destination Gateway Flags Refs Use Mtu Netif Expire
default fe80::200:ff:fe00:0%en0 UGc 3 0 1500 en0
2001:0db8:1234:5:: link#4 UC 1 0 1500 en0
2001:0db8:1234:5::1 0:c:41:ab:9c:cd UHLW 0 20 1500 en0
Mac:~ user$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:0db8:1234:5:200:beef:beef:0003 --> 2001:4860:b002::68
16 bytes from 2001:4860:b002::68, icmp_seq=0 hlim=59 time=191.412 ms
Mac:~ user$ traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:b002::68) from 2001:0db8:1234:5:200:beef:beef:0003, 30 hops max, 12 byte packets
1 2001:0db8:1234:5::1 1.056 ms 0.665 ms 0.667 ms
Client Connectivity view from Linux:
[root@Localhost ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:02
inet addr:10.10.10.2 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: 2001:0db8:1234:5:200:beef:beef:0002/64 Scope:Global
inet6 addr: fe80::200:beef:beef:0002/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5730699 errors:0 dropped:165 overruns:0 frame:0
TX packets:9003682 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2305322659 (2.1 GiB) TX bytes:1320775781 (1.2 GiB)
Base address:0xac00 Memory:fc4e0000-fc500000
[root@Localhost ~]# netstat -r -l --inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2001:0db8:1234:5::/64 * UA 256 48 0 eth1
*/0 fe80::200:ff:fe00:0 UGDA 1024 315 0 eth1
[root@Localhost ~]# ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:b002::68) 56 data bytes
64 bytes from 2001:4860:b002::68: icmp_seq=0 ttl=59 time=192 ms
64 bytes from 2001:4860:b002::68: icmp_seq=1 ttl=59 time=177 ms
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 177.923/185.220/192.517/7.297 ms, pipe 2
[root@Localhost ~]# traceroute6 ipv6.google.com
traceroute to ipv6.google.com (2001:4860:b002::68), 30 hops max, 40 byte packets
1 2001:0db8:1234:5::1 (2001:0db8:1234:5::1) 0.599 ms 1.596 ms 1.886 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 2001:4860:b002::68 (2001:4860:b002::68) 162.522 ms 171.255 ms 172.155 ms