[SOLVED] LUCI: Config Tunnelbroker 6in4

I got the R7800 now. I already tried copying the tunnelbroker settings for Barrier Breaker. It didn't work. I have a /48, and tried it, didn't help.

It is configured as follows:

Network:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option dns '8.8.8.8 4.4.4.4'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        # I can't put my cable modem in bridge mode,
        # but 6in4 works perfectly on a R6250 running Tomato.
        # Its firewall is completely off and all ports are forwarded to the R7900.
        option dns '208.67.222.222 208.67.220.220'

config interface 'wan6'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto '6in4'
        option peeraddr 'x.x.x.x' #local PoP for tunnelbroker
        option ip6prefix '2001:x:d:x::/64' #prefix per tunnelbroker
        option ip6addr '2001:x:c:x::2/64' #Client IPv6 Address per tunnelbroker
        # Server IPv6 Address per tunnelbroker doesn't get input anywhere

DHCP:

config dhcp 'lan'
        option interface 'lan'
        option ra 'server'
        option leasetime '4h'
        option start '2'
        option limit '250'
        list dns '2606:4700:4700::1111'
        list dns '2620:fe::fe'
        option dhcpv6 'server'
        option ra_management '1'

Firewall (just to be safe)

config rule
        option name 'Allow-Protocol-41-Tunnelbroker'
        option src 'wan'
        option proto '41'
        option target 'ACCEPT'

Here's the kicker. I can ping the Ubuntu machine on my LAN via http://www.ipv6now.com.au/pingme.php. Some services that depend on IPv6 and are accessed by machines outside of my LAN also report the Ubuntu box as up and running. Both of these increase the RX and TX counters in LuCI's WAN6 status. When those services don't reach out to my machine, neither counter increases, no matter what I do (router diagnostics or curl/ping6 from the Ubuntu machine).

In diagnostics, an IPv6 ping of lede-project.org returns:

PING lede-project.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
ping6: sendto: Network unreachable

On the Ubuntu box:

$ ping6 ipv6.google.com
PING ipv6.google.com(lax28s10-in-x0e.1e100.net) 56 data bytes
From lax28s10-in-x0e.1e100.net icmp_seq=1 Destination unreachable: No route

Overall I've put over 12 hrs into this. I don't know what else to do. On the R7900 at least it would work for a while before stopping. On this one it just doesn't (for outbound requests; inbound seems to work fine).

Update: the router and the client can ping the tunnel server IPv6 (::1) and client (::2), but neither can ping ipv6.google.com

In my (restricted) understanding, this is related to routing or firewall config. The tunnel itself is working.

anyone? bueller?
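An added diagnostic, not part of the thread, that reads `ip -6 route show` output and tells the "Network unreachable" state above (tunnel up, no default route) apart from a working setup. It assumes OpenWrt's interface name `6in4-wan6` for a UCI section called `wan6` and uses constructed sample routes with documentation prefixes.

```shell
#!/bin/sh
# Added example, not from the thread. "ping6: sendto: Network unreachable"
# means the kernel has no IPv6 default route; this checks for one and for the
# delegated prefix on the LAN bridge. Assumption: the tunnel device is 6in4-wan6.

# Prints the device carrying the IPv6 default route, or nothing if there is none.
default_route_dev() {
    # $1: text of `ip -6 route show`
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Succeeds when prefix $2 is routed to device $3 (e.g. the delegated /64 on br-lan).
prefix_on_lan() {
    # $1: route text, $2: prefix, $3: lan device
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == d) found = 1 } END { exit !found }'
}

# Classifies the route table: no-default-route, default-via-tunnel or default-via-<dev>.
diagnose() {
    dev=$(default_route_dev "$1")
    if [ -z "$dev" ]; then
        echo "no-default-route"        # the thread's symptom: tunnel endpoints ping, nothing beyond
    elif [ "$dev" = "6in4-wan6" ]; then
        echo "default-via-tunnel"
    else
        echo "default-via-$dev"        # e.g. a default route left behind by another WAN
    fi
}

# Constructed sample: tunnel interface up but no default route (the "unreachable" state).
BROKEN_ROUTES='2001:db8:c:442::/64 dev 6in4-wan6 proto kernel metric 256
fe80::/64 dev br-lan proto kernel metric 256
unreachable default dev lo metric 2147483647'

# Constructed sample: default route over the tunnel and the delegated /64 on the LAN.
WORKING_ROUTES='default dev 6in4-wan6 proto static metric 1024
2001:db8:c:442::/64 dev 6in4-wan6 proto kernel metric 256
2001:db8:d:441::/64 dev br-lan proto static metric 1024
fe80::/64 dev br-lan proto kernel metric 256'

diagnose "$BROKEN_ROUTES"
diagnose "$WORKING_ROUTES"
```

On the router itself, run `diagnose "$(ip -6 route show)"` instead of the constructed samples.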

Your LAN issue still exists if the config you last shared is valid:

I won't be able to provide assistance if you don't configure the device per Tunnelbroker and/or like the config I graciously shared above.


Thanks @lleachii

I am working with Tunnelbroker support and will report back. If the router itself can't ping in IPv6, not even tunnelbroker's own 2001:470:0:76::2, there is no point in troubleshooting the LAN at this point.

By any chance, are you running 17.04.5???

I am not running a vanilla 17.01.5. I patched kernel to fix sit.
And the upstream patch is pending.


I'm running 17.01.4 per https://openwrt.org/toh/views/toh_available_864?dataflt[Model*~]=r7800

Reboot (17.01.4, r3560-79f57e422d)

Does it really show 17.01.4? I don't get what that link gives.
The current "stable" release is 17.01.5 with broken sit.

You can install 17.01.4 from here
https://downloads.openwrt.org/releases/17.01.4/

And what is your firewall setting except the 41 proto? Is ping6 allowed there?

SSH shows Reboot (17.01.4, r3560-79f57e422d)

firewall is proper, I can ping 2001:xxx:a:xxx::1/64 (Server IPv6 Address, about 20ms). I can't ping anything beyond that hop.

Sorry, the link is https://openwrt.org/toh/views/toh_fwdownload?dataflt[Model*~]=r7800 which I used to DL 17.0.4

@Pilot6

cat /etc/config/firewall

config rule
        option name 'Allow-Protocol-41-Tunnelbroker'
        option src 'wan'
        option proto '41'
        option dest 'lan'
        option dest_ip '192.168.1.x'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

It looks OK. It works for me on 17.01.4 with sit. And works on 17.01.5 with a patch.

Then it won't solve my problem. AFAIK I am running 17.0.4. Is the ETA on the update hours, days or weeks? I know this is a bad question to ask, but I am new to LEDE and have no idea how fast patches are pushed to master.

Luci shows https://i.imgur.com/wupSJzS.png

dmesg | grep sit
[   10.905761] sit: IPv6 over IPv4 tunneling driver

I'm on 18.06 now. I cleared nvram. I configured it again from scratch, and again, can't get IPv6 to work.

router (as clients) can ping ip6addr '2001:444:c:442::2/64' and ip6prefix '2001:444:d:441::/64' but nothing else.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
config interface 'wan6'
        option proto '6in4'
        option peeraddr 'nearest tunnelbroker IPv4 '
        option ip6addr '2001:444:c:442::2/64'
        option ip6prefix '2001:444:d:441::/64'
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '2'
        option limit '200'
        option leasetime '4h'

  • You still haven't assigned an IPv6 address to your LAN.
  • I don't see the delegation from HE configured anywhere.
  • Since you only have a /64, not sure how you're using /60 for ip6assign anyways.

In my instance below, I have a /48, I use it to assign /64s to my LANs (notice I assign an IP to my LAN interface from this range, I also explicitly assign the same range to LAN, also see that the whole /48 from HE is assigned to the WAN tunnel):

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option ip6addr '2001:470:xxxx:dxxx::1/64'
        option ip6prefix '2001:470:xxxx:dxxx::/64'

config interface 'henet'
        option proto '6in4'
        option peeraddr '216.66.22.2'
        option ip6addr '2001:470:x:xxx::2/64'
        option ip6prefix '2001:470:xxxx::/48'
        option mtu '1480'

/etc/config/dhcp (notice in IPv6, I assign the given IPv6 address, you can also use the link-local, but that may change if you ever swap equipment):

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        list domain 'lan'
        list dns '2001:470:xxx:xxxx::1'
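An added sanity check, not from the thread or from OpenWrt, for the point made in the reply above: the `ip6assign` length on the LAN can never be shorter than the prefix delegated on the 6in4 interface (a /64 from HE cannot hand out a /60, while a /48 can hand out /64s). It reads `/etc/config/network` in UCI syntax and assumes the LAN section is named `lan`; the sample configs are constructed with documentation prefixes.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the prefix length on the first
# 6in4 interface's ip6prefix with the LAN's ip6assign. Assumption: the LAN
# section is called 'lan'; the tunnel section may have any name.

# Prints "<section> <option> <value>" for every option of every interface section.
flatten_uci() {
    # $1: contents of /etc/config/network
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" && $2 == "interface" { sec = $3; gsub(q, "", sec); next }
        $1 == "option" && sec != "" { v = $3; gsub(q, "", v); print sec, $2, v }'
}

# Prints the prefix length delegated on the 6in4 interface, or nothing if absent.
delegated_prefix_len() {
    flat=$(flatten_uci "$1")
    tun=$(printf '%s\n' "$flat" | awk '$2 == "proto" && $3 == "6in4" { print $1; exit }')
    printf '%s\n' "$flat" | awk -v t="$tun" '$1 == t && $2 == "ip6prefix" { sub(/.*\//, "", $3); print $3; exit }'
}

# Prints the LAN's ip6assign length, or nothing if it is unset.
lan_ip6assign() {
    flatten_uci "$1" | awk '$1 == "lan" && $2 == "ip6assign" { print $3; exit }'
}

# Prints ok, ip6assign-shorter-than-delegation, no-delegation or no-ip6assign.
check_delegation() {
    plen=$(delegated_prefix_len "$1"); alen=$(lan_ip6assign "$1")
    [ -n "$plen" ] || { echo "no-delegation"; return; }
    [ -n "$alen" ] || { echo "no-ip6assign"; return; }
    if [ "$alen" -ge "$plen" ]; then echo "ok"; else echo "ip6assign-shorter-than-delegation"; fi
}

# Constructed sample mirroring the thread's second attempt: /64 delegated, ip6assign 60.
BAD_CFG="config interface 'lan'
        option ip6assign '60'
config interface 'wan6'
        option proto '6in4'
        option ip6prefix '2001:db8:d:441::/64'"

# Constructed sample: a /48 delegated, /64s handed to the LAN.
GOOD_CFG="config interface 'lan'
        option ip6assign '64'
config interface 'henet'
        option proto '6in4'
        option ip6prefix '2001:db8::/48'"

check_delegation "$BAD_CFG"; check_delegation "$GOOD_CFG"
```

On a router, feed it the real file with `check_delegation "$(cat /etc/config/network)"`.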

Doesn't work. I figured out I had to set DISABLED to ip6assign to be able to enter the rest of the info.

I can't figure out which IPv6 gateway to enter (I tried the ::1 and the ::2 in the /64). It seems that this makes all the difference. Without it, I can't ping ipv6.google.com (only the tunnelbroker IPs); with it I get permission denied instead of network unreachable.

Could I PM you to share my config without redacting it? I am at my wits' end with this. It works flawlessly on the Tomato router (too bad Tomato's Multiwan is a mess).

What do you mean by this?

This information comes from HE. LuCI even tells you where to put the '::2' IP. You have to properly configure your router, you don't guess.

I'm not sure how this would help, since all you have to do is copy my exact config...but OK...

Are you certain that you permit ping from the tunnel check server?

The gateway entry only shows up when you set the prefix dropdown to disabled.

How do I permit ping from the tunnel check server or check for this? Recall this is a clean install and I haven't changed anything.

If I understand correctly...leave gateway blank. You're using a tunnel, there is no "gateway."

BTW, I got your PM to a private Live Chat; but no config.

Also, if your IPv6 is in a different Firewall Zone from WAN, you have to permit forwarding to the zone with the HE tunnel.

So I finally got it to work!! Thank you for your help

The only pending issue is when I install the mwan3 package (along with the Luci match) IPv6 stops working, even at router diag level. This is why it wasn't working before, no matter what I tried.

Simply installing mwan3, without touching its configuration, and having only 1 WAN connected is stopping 6in4.

Should I open up another thread for this?

No...this is actually quite simple...and the mystery to your issue likely lies here:

On a clean install ping is permitted on WAN, so this should be OK...but when your WAN changes is another issue...

If you have 2 WANs, you must somehow force a tunnel update. Since I also use HE DDNS with a purchased domain, I also have another option to update my tunnel - luci-app-ddns. You may have to use a script to bring up/down the tunnel and add the following to your config:

        option tunnelid 'xxxxx'
        option username 'xxxxxxxxxxxxxxxxx'
        option password '<Tunnel_Key_If_configured_OR_PASSWORD>'