Question how to use route64.org tunnelbroker

Hello there,

I tried to use an IPv6 tunnelbroker from https://route64.org/.
I created a tunnelbroker with SIT in their management dashboard and tried to configure it via LuCI. Added a new interface ipv6-in-ipv4 with remote address and routed subnet etc. …
I was also able to ping the other end of the tunnel, ping6 google.com from the interface, assign addresses to the clients in the network, but can't ping6 from the br-lan interface, and the clients are also not able to ping6 external.
I'm pretty sure I am missing a little bit.
Does anyone have experience with route64.org? Is it even the right way to use the ipv6-in-ipv4 proto?
Here is the example config from route64 (ip addresses changed), but how to translate those to OpenWrt Network Config?

sudo ip tunnel add TUNNEL-922-R64 mode sit remote 92.119.90.35 local 185.51.xxx.xxx ttl 255 
sudo ip link set TUNNEL-922-R64 up
sudo ip -6 addr add 2a11:xxx:xxx:xx::2/64 dev TUNNEL-922-R64

sudo ip route add ::/0 via dev TUNNEL-922-R64

Also this is the info about the routed subnet:
Subnet 2a11:xxx:1000:xxx::/56 routed to 2a11:xxx:xxx:xx::2/64

Thanks in advance

Looking at their web site, the table shows that SIT for IPv6 endpoints is not supported? Not sure if that means terminating the tunnel on an IPv6 address, or tunneling IPv6 inside the SIT tunnel?

Other than that, what's your configuration for the LAN--do you delegate upstream prefixes to the LAN?
Showing redacted contents of /etc/config/network would help

I gave it a try to set up a tunnel with route64.org, here's my redacted /etc/config/network:

root@LEDE:~# uci show network.route64
network.route64=interface
network.route64.proto='6in4'
network.route64.auto='0'
network.route64.peeraddr='92.119.90.35'
network.route64.ip6addr='<from "Your IP-Address" in List all tunnels page>'
network.route64.ip6prefix='<from "Subnet" in List IP Subnets page>'
network.route64.peerdns='0'

On manager.route64.org, I used 'SIT' as the type under the "add new tunnelbroker" option

The tunnel seems mostly working, but does get some timeouts suggesting I might need to adjust the tunnel MTU. I don't see documentation at route64.org on what MTU they use.

The mtu for a protocol 41 tunnel should be 20 bytes less than the path mtu to the border relay. The most likely value you should use is either 1480 or 1472. Don't try to use fragmentation at the ipv4 layer to get a bigger mtu because the border relay is stateless and therefore won't collect and reassemble the fragments.

Thanks for trying. I will try it again and post then my config.
I also tried to ask on route64 discord if someone has OpenWrt experience, but they only suggested to "not use OpenWrt" :roll_eyes:

The following configuration should be equivalent:

config interface tun6
  option proto 6in4
  option peeraddr 92.119.90.35
  option tunlink wan                   # obtain local IP from `wan`
  #option local 185.51.xxx.xxx         # alternatively hardcode local ip
  option ttl 255
  option ip6addr 2a11:xxx:xxx:xx::2/64
  #option ip6prefix 2a11:yyy:yyy::/48  # if you also get a routed prefix for redelegation

A default route via the resulting tunnel device is added automatically. The resulting netdev will be named 6in4-tun6 (so 6in4- plus the chosen section name). This requires the 6in4 package to function (reboot or /etc/init.d/network restart after opkg install).

The tunlink option can be omitted if you only have one IPv4 wan. You might need a firewall rule to allow protocol 41 (IPv4 encapsulated IPv6) inbound to prevent connection interruptions or refused IPv6 ingress on conntrack timeout.

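The protocol 41 rule mentioned in the post above, as an added example that is not part of the original thread or the OpenWrt wiki text: a broad accept rule next to one scoped to the tunnel peer. The rule names are made up, the zone name `wan` is assumed to be the IPv4 uplink zone, and the peer address is the `peeraddr` used in the thread.

```uci
# /etc/config/firewall (added example; rule names are made up)

# Broad form: accepts protocol 41 from ANY IPv4 source on the wan zone.
# The firewall then does nothing to limit who may send encapsulated
# IPv6 packets to the router.
config rule
	option name 'Allow-6in4-any'
	option src 'wan'
	option family 'ipv4'
	option proto '41'
	option target 'ACCEPT'

# Scoped form: accepts protocol 41 only from the tunnel peer
# (the peeraddr value from the thread). Use this instead of the rule above.
config rule
	option name 'Allow-6in4-route64'
	option src 'wan'
	option src_ip '92.119.90.35'
	option family 'ipv4'
	option proto '41'
	option target 'ACCEPT'
```

Keep only one of the two rules, then apply it with `/etc/init.d/firewall reload`.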

Current config works to some degree:

root@rectangle:~#uci show network.route64
network.route64=interface
network.route64.proto='6in4'
network.route64.local='185.51.xxx.xxx'
network.route64.peeraddr='92.119.90.35'
network.route64.ip6addr='2a11:xxx:f01:25::2/64'
network.route64.ip6prefix='2a11:xxx:1000:f00::/56'
network.route64.ttl='255'

ping6 openwrt.org works
ping6 google.com —> 100% packet loss
ping6 -I br-lan openwrt.org —> Network unreachable

LAN was configured to network.lan.ip6assign=64.
Clients get an address assigned from the ipv6prefix.

Added a firewall rule for proto 41 as described in the wiki.

A better tool to debug connectivity issues is mtr (installable via opkg if you have some space).

To check used route and source IP, use ip route get $(resolveip -6 google.com), to check the routing path use mtr -6 google.com

Strange, seems to be a heisenbug:
ping6 google.com now also works.

mtr -6 google.com also seems normal

But LAN still has no ipv6 access.

root@rectangle:~#ip route get 2a00:1450:4001:803::20
ip: RTNETLINK answers: Network unreachable

Did you add the logical route64 interface to the wan firewall zone? Otherwise forward of traffic from lan to route64 should be denied by default global firewall policies.

Alternatively you can create a dedicated zone for it and allow forwarding from lan to it.

Jup, added it to firewall Zone wan

Can you report the (redacted) output of ifstatus route64 and ifstatus lan just to see that prefix assignment was done properly by netifd?

Can you also share the output of uci show dhcp to see if odhcpd is configured properly? Is your rectangle client host receiving any IPv6 address, e.g. an fd... ULA one?

rectangle is the router itself. It also has an fd... address on br-lan.
It's just strange. After a full /etc/init.d/network restart, google.com is not pingable. openwrt.org is, also from the LAN clients. Here are the outputs:

root@rectangle:~#ifstatus route64
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 2002,
	"l3_device": "6in4-route64",
	"proto": "6in4",
	"updated": [
		"addresses",
		"routes",
		"prefixes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a11:xxx:f01:25::2",
			"mask": 64
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a11:xxx:1000:f00::",
			"mask": 56,
			"class": "route64",
			"assigned": {
				"lan": {
					"address": "2a11:xxx:1000:f00::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "::",
			"source": "2a11:xxx:1000:f00::/56"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "::",
			"source": "2a11:xxx:f01:25::2/64"
		}
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}
root@rectangle:~#ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 2095,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.11.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a11:xxx:1000:f00::",
			"mask": 64,
			"local-address": {
				"address": "2a11:xxx:1000:f00::1",
				"mask": 64
			}
		},
		{
			"address": "fd90:b8da:502::",
			"mask": 64,
			"local-address": {
				"address": "fd90:b8da:502::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

root@rectangle:~#uci show dhcp.odhcpd
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
root@rectangle:~#uci show dhcp.lan
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.ra_management='1'
dhcp.lan.leasetime='12h'
dhcp.lan.domain='xxx.xx'


Out of curiosity I created a second tunnelbroker at route64 on another PoP, changed the IPs etc. in the config, and now all clients have IPv6 access. Sort of.
Except the router itself can't ping/mtr anything IPv6 related.
Well, enough for today.