[SOLVED] LUCI: Config Tunnelbroker 6in4

I'm running 17.01.4 per https://openwrt.org/toh/views/toh_available_864?dataflt[Model*~]=r7800

Reboot (17.01.4, r3560-79f57e422d)

Does it really show 17.01.4? I don't get what that link gives.
The current "stable" release is 17.01.5 with broken sit.

You can install 17.01.4 from here
https://downloads.openwrt.org/releases/17.01.4/

And what is your firewall setting except the 41 proto? Is ping6 allowed there?

SSH shows Reboot (17.01.4, r3560-79f57e422d)

Firewall is proper, I can ping 2001:xxx:a:xxx::1/64 (Server IPv6 Address, about 20ms). I can't ping anything beyond that hop.

Sorry, the link is https://openwrt.org/toh/views/toh_fwdownload?dataflt[Model*~]=r7800 which I used to DL 17.0.4

@Pilot6

cat /etc/config/firewall

config rule
        option name 'Allow-Protocol-41-Tunnelbroker'
        option src 'wan'
        option proto '41'
        option dest 'lan'
        option dest_ip '192.168.1.x'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

It looks OK. It works for me on 17.01.4 with sit. And works on 17.01.5 with a patch.

Then it won't solve my problem. AFAIK I am running 17.0.4. Is the ETA on the update hours, days or weeks? I know this is a bad question to ask but I am new to LEDE and have no idea how fast patches are pushed to master.

Luci shows https://i.imgur.com/wupSJzS.png

dmesg |grep  sit
[   10.905761] sit: IPv6 over IPv4 tunneling driver

I'm on 18.06 now. I cleared nvram. I configured it again from scratch, and again, can't get IPv6 to work.

Router (as clients) can ping ip6addr '2001:444:c:442::2/64' and ip6prefix '2001:444:d:441::/64' but nothing else.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan6'
        option proto '6in4'
        option peeraddr 'nearest tunnelbroker IPv4 '
        option ip6addr '2001:444:c:442::2/64'
        option ip6prefix '2001:444:d:441::/64'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '2'
        option limit '200'
        option leasetime '4h'

  • You still haven't assigned an IPv6 address to your LAN.
  • I don't see the delegation from HE configured anywhere
  • Since you only have a /64, not sure how you're using /60 for ip6assign anyways

In my instance below, I have a /48, I use it to assign /64s to my LANs (notice I assign an IP to my LAN interface from this range, I also explicitly assign the same range to LAN, also see that the whole /48 from HE is assigned to the WAN tunnel):

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option ip6addr '2001:470:xxxx:dxxx::1/64'
	option ip6prefix '2001:470:xxxx:dxxx::/64'

config interface 'henet'                         
	option proto '6in4'                       
	option peeraddr '216.66.22.2'                                           
	option ip6addr '2001:470:x:xxx::2/64'    
	option ip6prefix '2001:470:xxxx::/48'     
	option mtu '1480' 

/etc/config/dhcp (notice in IPv6, I assign the given IPv6 address, you can also use the link-local, but that may change if you ever swap equipment):

config dhcp 'lan'              
	option interface 'lan'                    
	option start '100'                       
	option limit '150'     
	option leasetime '12h'                    
	option ra 'server'                       
	list domain 'lan'                  
	list dns '2001:470:xxx:xxxx::1'

Doesn't work. I figured out I had to set DISABLED to ip6assign to be able to enter the rest of the info.

I can't figure out which IPv6 gateway to enter (I tried the ::1 and the ::2 in the /64). It seems that this makes all the difference. Without it, I can't ping ipv6.google.com (only the tunnelbroker IPs), with it I get permission denied instead of network unreachable.

Could I PM you to share my config without redacting it? I am at my wits' end with this. It works flawlessly on the tomato router (too bad tomato's Multiwan is a mess)

What do you mean by this?

This information comes from HE. LuCI even tells you where to put the '::2' IP. You have to properly configure your router, you don't guess.

I'm not sure how this would help, since all you have to do is copy my exact config...but OK...

Are you certain that you permit ping from the tunnel check server?

The gateway entry only shows up when you set the prefix dropdown to disabled.

How do I permit ping from the tunnel check server or check for this? Recall this is a clean install and I haven't changed anything.

If I understand correctly...leave gateway blank. You're using a tunnel, there is no "gateway."

BTW, I got your PM to a private Live Chat; but no config.

Also, if your IPv6 is in a different Firewall Zone from WAN, you have to permit forwarding to the zone with the HE tunnel.
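
An added example, not part of the thread and not OpenWrt code: a small Python audit of the points raised in the replies above (the 6in4 interface must sit in a firewall zone that `lan` may forward to, a routed prefix must be configured, and `ip6assign` cannot be larger than that prefix). The sample configs use the documentation prefix 2001:db8::/32 and are constructed; the function names `parse_uci` and `audit` are hypothetical.

```python
import ipaddress
import re

def parse_uci(text):
    """Parse UCI text into (type, name, options) sections; list values are space-joined."""
    sections = []
    for line in text.splitlines():
        words = [q or w for q, w in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(words) >= 2 and words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif len(words) >= 3 and words[0] in ("option", "list") and sections:
            prev = sections[-1][2].get(words[1]) if words[0] == "list" else None
            sections[-1][2][words[1]] = f"{prev} {words[2]}" if prev else words[2]
    return sections

def audit(network, firewall):
    """Check each 6in4 tunnel's zone membership, lan forwarding and routed prefix size."""
    net, fw, findings = parse_uci(network), parse_uci(firewall), []
    zones = {o.get("name"): o.get("network", "").split() for t, _, o in fw if t == "zone"}
    fwd = {(o.get("src"), o.get("dest")) for t, _, o in fw if t == "forwarding"}
    for name, o in [(n, o) for t, n, o in net if t == "interface" and o.get("proto") == "6in4"]:
        zone = next((z for z, nets in zones.items() if name in nets), None)
        if zone is None:
            findings.append(f"{name}: not in any firewall zone")
        elif ("lan", zone) not in fwd:
            findings.append(f"{name}: no forwarding from lan to zone {zone}")
        if "ip6prefix" not in o:
            findings.append(f"{name}: no routed prefix (ip6prefix) configured")
            continue
        plen = ipaddress.ip_network(o["ip6prefix"], strict=False).prefixlen
        for _, lname, lo in net:
            if "ip6assign" in lo and int(lo["ip6assign"]) < plen:
                findings.append(f"{lname}: ip6assign /{lo['ip6assign']} exceeds routed /{plen}")
    return findings

# Constructed sample (documentation prefix 2001:db8::/32), not taken from the thread.
NETWORK = """config interface 'lan'
        option ip6assign '60'
config interface 'henet'
        option proto '6in4'
        option ip6prefix '2001:db8:d:441::/64'
"""
FIREWALL = """config zone
        option name 'wan'
        option network 'wan wan6'
config forwarding
        option src 'lan'
        option dest 'wan'
"""
print("\n".join(audit(NETWORK, FIREWALL)))
```

Adding `henet` to the `wan` zone's `network` option and using a routed /48 clears both findings on this sample.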

So I finally got it to work!! Thank you for your help

The only pending issue is when I install the mwan3 package (along with the Luci match) IPv6 stops working, even at router diag level. This is why it wasn't working before, no matter what I tried.

Simply installing mwan3, without touching its configuration, and having only 1 WAN connected is stopping 6in4.

Should I open up another thread for this?

No...this is actually quite simple...and the mystery to your issue likely lies here:

On a clean install ping is permitted on WAN, so this should be OK...but when your WAN changes is another issue...

If you have 2 WANs, you must somehow force a tunnel update. Since I also use HE DDNS with a purchased domain, I also have another option to update my tunnel - luci-app-ddns. You may have to use a script to bring up/down the tunnel and add the following to your config:

 	option tunnelid 'xxxxx'
	option username 'xxxxxxxxxxxxxxxxx'
	option password '<Tunnel_Key_If_configured_OR_PASSWORD>'

I understand a tunnel update must occur if I have two working WANs in a configured mwan environment.

I have an untouched default mwan config and only one WAN plugged in. How can I make this co-exist with 6in4 for now? I don't plan on making the 2nd WAN available to the router 100% of the time, but I need IPv6 100% of the time.

Question has been moved to MultiWAN (mwan3) Install Breaks 6in4 (IPv6 stops working)

If the issue here is fixed on the single WAN and HE tunnel, please consider editing the title and appending "[SOLVED]" to the beginning.

Done, thanks again!
