IPv6, he.net, firewall basics

Dear Readers,
I just bought a new box with a J3160. Everything works fine, but I have a problem with an IPv6 tunnel (he.net). I deployed it with this guide.
I don't have access from my PC to IPv6 sites. Everything works from the router (ping, trace).

I've tried different types of configuration without success.

My config.

network:

```
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.5'
	option force_link '0'
	option ip6assign '64'

config interface 'wan'
	option ifname 'eth1'
	option proto 'pppoe'
	option password 'xxxxx'
	option ipv6 'auto'
	option username 'xxxxx'

config interface 'henet'
	option proto '6in4'
	option username 'xxxxx'
	option peeraddr '216.xx.xx.46'
	list ip6prefix '2001:470:1f15:xxx::/64'
	option ip6addr '2001:470:1f14:xxx::2/64'
	option tunnelid 'xxxxxx'
	option password 'xxxxxxxxxx'
```


firewall config:

```
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option family 'ipv4'
	option network 'wan henet'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'openvpn-udp'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'

config zone
	option input 'ACCEPT'
	option name 'hezone'
	option output 'ACCEPT'
	option forward 'ACCEPT'
```


Thank you,
Iw

That's probably it: you have a /64, which means your router cannot hand out a /64 to your clients.
You either need a larger prefix (he.net gives you a /48 if you ask) or a different configuration in /etc/config/dhcp to enable relay mode.

1 Like

How'd you figure that? The prefix provided by he.net is separate from the subnet provided for the WAN connection. All of it is free for the router to assign to clients. You'd only need a /48 if you had multiple LANs. For a single LAN the default /64 is fine.

2 Likes

AFAIK, the situation is a bit like this:

  • /64 -> relay mode (shares upstream prefix)
  • /48 -> server mode (splits out smaller /64 prefixes from upstream /48)

EDIT: seems like the forum has gone berserk and flagged many of my following replies.
I have no time for this, I'm done.

The /64 provided in this case isn't part of the upstream prefix. It's a separate prefix for allocation to LAN clients.

2 Likes

It won't work if you force the family to IPv4 only.
You also need to open protocol 41, as mentioned at the bottom of the guide.

3 Likes

Try adding to your LAN config:

        option ip6assign '64'        # you have this
        option ip6class 'henet'

This should assign the /64 to LAN.


I am so confused with these flags... it seems like there were two conversations taking place here?

One conversation was completely unrelated to the OP needing to properly set up their /64 on the LAN. Can we all be sure to only focus on an OP's issue, per thread.

That's all.

I flagged the posts because the topic was hijacked completely. I hope the admins will split the topics and troubleshooting will continue individually.
I pointed out that the OP is using the ipv4 family in the wan zone, but it has gone unnoticed.
Also, he[.]net provides 2 × /64: one is for the tunnel and the second is delegated to the LAN. The OP has these correct.

1 Like
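The two firewall-side points raised in this thread (the wan zone that carries the tunnel being pinned to `family 'ipv4'`, and the missing ACCEPT for IP protocol 41 that the guide calls for) are easy to miss by eye in a long /etc/config/firewall. The checker below is an added example of mine, not code from the thread or from OpenWrt: it parses UCI text with a minimal parser and reports those pitfalls, plus a zone with no network or device attached (like the OP's `hezone`). The interface names `wan` and `henet` are taken from the posted config; the two sample configs are constructed, abridged copies of the OP's firewall config, one as posted and one with the thread's fixes applied. The prefix/ip6class side lives in /etc/config/network and is not checked here.

```python
"""Audit an OpenWrt firewall config for the 6in4 pitfalls discussed in the thread.
Added example; parser, checks and sample configs are constructed, not from the page."""
import shlex


def parse_uci(text):
    """Minimal UCI parser: [{'type','name','opts'}] from config/option/list lines."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None, "opts": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["opts"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_networks(zone):
    """Zone membership is either 'option network "a b"' or repeated 'list network'."""
    nets = zone["opts"].get("network", [])
    return nets.split() if isinstance(nets, str) else list(nets)


def audit_firewall(text, wan_iface="wan", tunnel_iface="henet"):
    """Return a list of findings; an empty list means none of the known pitfalls apply."""
    findings, wan_zone = [], None
    sections = parse_uci(text)
    for z in (s for s in sections if s["type"] == "zone"):
        name, nets = z["opts"].get("name"), zone_networks(z)
        if not nets and "device" not in z["opts"]:
            findings.append(f"zone '{name}' has no network or device, so it matches no traffic")
        if wan_iface in nets:
            wan_zone = name
        if tunnel_iface in nets and z["opts"].get("family") == "ipv4":
            findings.append(f"zone '{name}' contains '{tunnel_iface}' but is limited to "
                            "family ipv4, so no IPv6 input/forward rules are built for the tunnel")
    # The encapsulated 6in4 packets (IP protocol 41) arrive on the physical WAN,
    # so the zone holding it needs an ACCEPT for proto 41 (named 'ipv6' in /etc/protocols).
    allows_41 = any(
        r["opts"].get("src") == wan_zone
        and r["opts"].get("proto") in ("41", "ipv6")
        and r["opts"].get("target") == "ACCEPT"
        and r["opts"].get("family") != "ipv6"
        for r in sections if r["type"] == "rule")
    if wan_zone and not allows_41:
        findings.append(f"no ACCEPT rule for IP protocol 41 from zone '{wan_zone}': inbound 6in4 "
                        "packets that are not replies to something the router sent are rejected")
    return findings


# Constructed, abridged copy of the OP's firewall config (zones only).
OP_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option family 'ipv4'
    option network 'wan henet'

config zone
    option name 'hezone'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
"""

# Same zone with the thread's fixes: family restriction dropped, protocol 41 allowed,
# empty zone removed. Restricting src_ip to the tunnel server's address would be tighter.
FIXED_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan henet'

config rule
    option name 'Allow-6in4'
    option src 'wan'
    option proto '41'
    option target 'ACCEPT'
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", OP_FIREWALL), ("after the fixes", FIXED_FIREWALL)):
        print(f"{label}: {audit_firewall(cfg) or ['no findings']}")
```

On a live router the same check can be run against the real file with `audit_firewall(open('/etc/config/firewall').read())`; the parser only understands the `config`/`option`/`list` forms seen on this page, which is all that file uses.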

Dear trendy,
Thank you! Solved!

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.