1 (edited by KillaB 2009-01-17 22:49:01)

Topic: IPv6 Support Thread

Tried to get my SixXS tunnel working on 8.09, r13711 this afternoon, but ran into some basic stumbling blocks.
I followed the Howto on the wiki and installed the following packages as instructed:

kmod-ipv6
radvd
ip
kmod-ip6tables
ip6tables
kmod-tun
aiccu

Packages missing from the Howto (depends of other packages):

sit
kmod-iptunnel4

Added the following to /etc/modules.d/20-ipv6:

ip6_tables
ip6table_filter

But it's not being loaded properly.

root@OpenWrt:~# ip6tables -L
ip6tables v1.4.0: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

See syslog messages.

Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol __ipv6_addr_type
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol inet6_lookup
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol secure_tcpv6_sequence_number
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol ipv6_skip_exthdr
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol inet6_hash_connect
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol ipv6_ext_hdr
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol __inet6_lookup_established
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol __inet6_hash
Dec 31 16:00:10 OpenWrt user.warn kernel: ipv6: Unknown symbol inet6_lookup_listener
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_free_table_info
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_register_match
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_find_match
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_alloc_table_info
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_check_match
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_unregister_match
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_register_target
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol ipv6_ext_hdr
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_register_table
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_proto_init
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_replace_table
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_find_table_lock
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_table_unlock
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_proto_fini
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_check_target
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_find_revision
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_unregister_table
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_find_target
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6_tables: Unknown symbol xt_unregister_target
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_unregister_table
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_register_table
Dec 31 16:00:11 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_do_table
Dec 31 16:00:14 OpenWrt user.warn kernel: sit: Unknown symbol __ipv6_addr_type
Dec 31 16:00:14 OpenWrt user.warn kernel: sit: Unknown symbol ipv6_chk_prefix
Dec 31 16:00:14 OpenWrt user.warn kernel: sit: Unknown symbol icmpv6_send
Dec 31 16:00:16 OpenWrt user.warn kernel: nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
Dec 31 16:00:19 OpenWrt user.warn kernel: ipt_time loading
Dec 31 16:00:21 OpenWrt user.warn kernel: nf_conntrack_ipv6: Unknown symbol ip6_frag_match
Dec 31 16:00:21 OpenWrt user.warn kernel: nf_conntrack_ipv6: Unknown symbol nf_ip6_checksum
Dec 31 16:00:21 OpenWrt user.warn kernel: nf_conntrack_ipv6: Unknown symbol ip6_frag_init
Dec 31 16:00:21 OpenWrt user.warn kernel: nf_conntrack_ipv6: Unknown symbol ipv6_ext_hdr
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6_tables: Unknown symbol ipv6_ext_hdr
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_unregister_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_register_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_filter: Unknown symbol ip6t_do_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_mangle: Unknown symbol ip6t_unregister_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_mangle: Unknown symbol ip6t_register_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_mangle: Unknown symbol ip6_route_me_harder
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_mangle: Unknown symbol ip6t_do_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6_queue: Unknown symbol net_ipv6_ctl_path
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_raw: Unknown symbol ip6t_unregister_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_raw: Unknown symbol ip6t_register_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6table_raw: Unknown symbol ip6t_do_table
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6t_ah: Unknown symbol ipv6_find_hdr
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6t_frag: Unknown symbol ipv6_find_hdr
Dec 31 16:00:21 OpenWrt user.warn kernel: ip6t_ipv6header: Unknown symbol ip6t_ext_hdr
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_hbh: Unknown symbol ipv6_find_hdr
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_rt: Unknown symbol ipv6_find_hdr
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_LOG: Unknown symbol ip6t_ext_hdr
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_REJECT: Unknown symbol __ipv6_addr_type
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_REJECT: Unknown symbol ip6_local_out
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_REJECT: Unknown symbol ipv6_skip_exthdr
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_REJECT: Unknown symbol ip6_route_output
Dec 31 16:00:22 OpenWrt user.warn kernel: ip6t_REJECT: Unknown symbol icmpv6_send

Am I still missing needed packages?

root@OpenWrt:~# opkg list_installed
aiccu - 20070115-1 - 
base-files-ar7 - 13-r13711 - 
br2684ctl - 20040226-1 - 
bridge - 1.4-1 - 
busybox - 1.11.2-2 - 
dnsmasq - 2.46-1 - 
dropbear - 0.51-2 - 
ez-ipupdate - 3.0.11b8-3 - 
firewall - 1-1 - 
hotplug2 - 0.9+r102-2 - 
ip - 2.6.25-1 - 
ip6tables - 1.4.0-1 - 
iptables - 1.4.0-1 - 
iptables-mod-conntrack - 1.4.0-1 - 
iptables-mod-conntrack-extra - 1.4.0-1 - 
iptables-mod-filter - 1.4.0-1 - 
iptables-mod-imq - 1.4.0-1 - 
iptables-mod-ipopt - 1.4.0-1 - 
iptables-mod-nat - 1.4.0-1 - 
kernel - 2.6.26.5-ar7-1 - 
kmod-atm - 2.6.26.5-ar7-1 - 
kmod-ip6tables - 2.6.26.5-ar7-1 - 
kmod-ipt-conntrack - 2.6.26.5-ar7-1 - 
kmod-ipt-conntrack-extra - 2.6.26.5-ar7-1 - 
kmod-ipt-core - 2.6.26.5-ar7-1 - 
kmod-ipt-filter - 2.6.26.5-ar7-1 - 
kmod-ipt-imq - 2.6.26.5-ar7-1 - 
kmod-ipt-ipopt - 2.6.26.5-ar7-1 - 
kmod-ipt-nat - 2.6.26.5-ar7-1 - 
kmod-ipt-nathelper - 2.6.26.5-ar7-1 - 
kmod-iptunnel4 - 2.6.26.5-ar7-1 - 
kmod-ipv6 - 2.6.26.5-ar7-1 - 
kmod-ppp - 2.6.26.5-ar7-1 - 
kmod-pppoe - 2.6.26.5-ar7-1 - 
kmod-sangam-atm-annex-a - 2.6.26.5+D7.03.01.00-ar7-R2 - 
kmod-sched - 2.6.26.5-ar7-1 - 
kmod-sit - 2.6.26.5-ar7-1 - 
kmod-tun - 2.6.26.5-ar7-1 - 
libgcc - 4.1.2-13 - 
libpthread - 0.9.29-13 - 
libuci - 0.6.4-1 - 
libupnp - 1.6.6-1 - 
linux-atm - 2.4.1-1 - 
linuxigd - 1.0-1 - 
mtd - 8 - 
ntpclient - 2007_365-1 - 
opkg - 4564-2 - 
ppp - 2.4.3-10 - 
ppp-mod-pppoe - 2.4.3-10 - 
qos-scripts - 1.2.1-2 - 
radvd - 1.2-1 - 
tc - 2.6.25-1 - 
uci - 0.6.4-1 - 
uclibc - 0.9.29-13 - 
udevtrigger - 106-1 -

Is the 6scripts package also required?

Re: IPv6 Support Thread

KillaB wrote:

Is the 6scripts package also required?

I checked the OpenWrt documentaion, and the answer to my own question is yes.

Still need to figure out why I can't load the ip6tables modules.

Re: IPv6 Support Thread

Testing on a fresh x86 VMWare image and insmoding works fine there.  I'll give it another go on my DG834Gv2 once I've got this all figured out.
Can someone with a SixXs tunnel tell what I need in /etc/config/aiccu?

/etc/config/aiccu

config aiccu
    option username    'handle-RIPE'
    option password    'password'
    option protocol      '???'
    option server        '66.55.128.25'
    option interface    'sixxs?'
    option tunnel_id    'TXXXX'
    option requiretls    '?'
    option defaultroute    '1'
    option nat        '1'
    option heartbeat    '1'

Is "/etc/config/6bridge" needed in a tunnel configuration?

config 6bridge
    option bridge    'bripv6'

/etc/config/6tunnel

config 6tunnel
    option tnlifname     'sixxs'
    option remoteip4     '66.55.128.25'
    option localip4      '192.168.2.1'
    option remoteip6     '2001:48xx:xxxx:xx::1'  #needed?
    option localip6      '2001:48xx:xxxx:xx::2'
    option prefix        '/64'

Do you have to add an "option ip6addr" to "/etc/config/network", or is it not needed?

Also, since I have a subnet, I'd like to statically assign my devices.  Is there an IPv6 method similar to "/etc/ethers"?  If so, do I need DHCPv6, or can radvd handle this?

I'd give this a go right now, but the server I'm on is currently down.

Once online I was thinking of using the example ip6tables script here:  http://www.sixxs.net/wiki/IPv6_Firewalling
I'm guessing I'll need to implement this on both OpenWrt and Ubuntu?

Cheers,
KillaB

Re: IPv6 Support Thread

I've been struggling with it too, and have the following howto to share. Done on kamikaze 8.09 r14511 with a static sixxs tunnel:

Step 1: install the following packages:

6scripts
kmod-ipv6
radvd

Step 2: configure 6tunnel (/etc/config/6tunnel) :

config 6tunnel
        option tnlifname     'sixxs'
        option remoteip4    '<insert sixxs pop ipv4 address>'
    option localip4        '<insert your public ipv4 address>'
    option localip6        '2001:x::2/64'
    option prefix        '2001:y::1/64'

Replace x with the correct entry for your ipv6 tunnel and local prefix (subnet as it is called by sixxs).

Step 3: add firewall rule (/etc/config/firewall):

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'sixxs'
    option 'src' 'wan'
    option 'proto' '41'

Now restart the firewall and enable + start /etc/init.d/6tunnel and the tunnel should come up.
There is a small bug in the 6tunnel startup script, it doesn't change the ttl and mtu for the sixxs interface, I'll try and post a diff for that tonight or tomorrow.

Re: IPv6 Support Thread

I've created a small change to the 6scripts package, please find it attached to this ticket:
https://dev.openwrt.org/ticket/4696

Re: IPv6 Support Thread

Thanks for the help vlabakje.

Since I'm on ADSL with a dynamic IPv4 address, I need to use a heartbeat tunnel.
I assume then that the 6tunnel script does not apply and I'll need to use the aiccu script exclusively?

Here's another thread I started over the on the SixXs forum if you're interested.
https://www.sixxs.net/forum/?msg=setup-955506

Re: IPv6 Support Thread

So I've had some luck getting the aiccu UCI script to work.  It sometimes fails after a reboot, but I can at least make it work.

After installing 6scripts you'll probably want to disable 6bridge and 6tunnel since we're focusing on just the heartbeat tunnel:

/etc/init.d/6bridge disable
/etc/init.d/6tunnel disable

Modify /etc/config/aiccu:

config aiccu
    option username        'handle-SIXXS'
    option password        'password'
    option protocol        'heartbeat'
    option server        'tic.sixxs.net'
    option interface    'sixxs'
    option tunnel_id    'T1XXXX'
    option requiretls    ''
    option defaultroute    '1'
    option nat        '1'
    option heartbeat    '1'

And /etc/config/radvd:

config interface
    option interface    'lan'
    option AdvSendAdvert    1
    option AdvManagedFlag    0
    option AdvOtherConfigFlag 0
    option ignore        0

config prefix
    option interface    'lan'
    # If not specified, a non-link-local prefix of the interface is used
    option prefix        '2001:db8::/64'
    option AdvOnLink    1
    option AdvAutonomous    1
    option AdvRouterAddr    0
    option ignore        0

config rdnss
    option interface    'lan'
    # If not specified, the link-local address of the interface is used
    option addr        ''
    option ignore        1

Add the following to /etc/config/firewall:

config rule
    option _name    ping
    option src    wan
    option proto    ICMP
    option target    ACCEPT

config rule
    option _name    sixxs
    option src    wan
    option proto    41
    option target    ACCEPT

After the above modifications I'm able to ping out via the OpenWrt router (after a reboot or two), but my Ubuntu client is not routing properly.  Not sure if I have to add any static routing? or what else I might have missed.

Anyone else testing with AICCU?

Re: IPv6 Support Thread

FYI....

AICCU was not updating my public IPv4 address and therefore the tunnel would not work 90% of the time.
I switched to Hurricane Electric and with the help of placebo and his hotplug scripts it's running great.

Re: IPv6 Support Thread

I use aiccu.  I had a problem where my router could send and receive ipv6 packets just fine, but for some reason, all the computers on my network couldn't.  I found out that aiccu wasn't adding an entry for my subnet.  I had to open /etc/init.d/aiccu and add the following line in the start() function:
ip -6 addr add 2001:blah:blah::1/64 dev br-lan

Of course, replace 2001:blah:blah::1/64 with whatever your subnet is.

I also had an interesting problem with radvd.  For some reason, the /etc/init.d/radvd script was failing and returning 1.  I couldn't figure out why.  I had to create my own script to read from an radvd.conf file before it would work.

10 (edited by KillaB 2009-03-19 16:09:27)

Re: IPv6 Support Thread

@Nalin, that could have been part of my problem, but I also couldn't get SixXs to update my v4 address.

Found the following ticket while troubleshooting my HE.net connection.
https://dev.openwrt.org/ticket/4248

Do you run ar7 hardware?

11

Re: IPv6 Support Thread

Just asking... is there any support in 6scripts for 6to4 or do I need to roll my own script?

Re: IPv6 Support Thread

ath wrote:

Just asking... is there any support in 6scripts for 6to4 or do I need to roll my own script?

Yes, the 6tunnel script is what you're looking for.  I however used a patch supplied by placebo which also takes care of updating the local ipv4 address on HE's end.
https://dev.openwrt.org/browser/package … ipts/files

Just don't confuse the 6tunnel script with the 6tunnel (tunnel proxy) package:
https://dev.openwrt.org/browser/package … l/Makefile

Re: IPv6 Support Thread

KillaB wrote:

Do you run ar7 hardware?

Is that to me?  If so, I run a Linksys WRT54G v4.

14

Re: IPv6 Support Thread

KillaB wrote:

Yes, the 6tunnel script is what you're looking for.

Thanks, I'll take a look...

15 (edited by godfather007 2009-04-21 10:46:46)

Re: IPv6 Support Thread

Hey KillaB,

nice documentation.

I've been using this howto to get my tunnel up.
Can ping6 some fqdn's like sixxs and ipv6.google.com

Not really familiar with the whole ipv6 yet.

For instance i've used the:

option ip6addr

wrongly. By mistake assigned the IP6:1 of my pop there. Should i count the next available IP there?:

IPV6:1 for POP
IPV6:2 for ROUTER
IPV6:3 LAN

I removed the line option ip6addr now and (hopefully) SIXXS will be going to ping6 me.


I've received a subnet already before so i can assign my inside machines their own address.


Does kamikaze contain any nice User Iinterface for ipv6? Subnetting / firewalling ... does it have some interface like UCI? (Which i don't really understand yet).


I'm willing to help writing some wiki whereever i can learn of it.


Martijn

Re: IPv6 Support Thread

@godfather007

Since it sounds like you already have your tunnel working and can ping6 from your router, you'll just need to set "option ip6addr" with the subnet address sixxs gave you and configure radvd for your clients.

/etc/config/network

config interface lan
        option type     bridge
        option ifname   eth0
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0
        option ip6addr  2001:xxx:x:xxx::1/64
        option nat      1

Re: IPv6 Support Thread

Yes! It's up and running,

all my internal ipv6's have a connection and are able to browse the internet.


BUT...

I found a website, http://www.tdoi.org where you can check your IPv6...


What i saw is that all my internals can be pinged from the outside world.


EEEK! Is there a simple way to manipulate the firewall settings?

Re: IPv6 Support Thread

Sorry, forgot to answer all of your questions.

As far as there being an IPv6 GUI in either LuCI or X-Wrt....I have no idea since I don't run either.

For firewalling, I don't have anything set up just yet.
Here's an example script on the SixXS Wiki:  https://www.sixxs.net/wiki/IPv6_Firewalling

Ubuntu has a pretty crazy IPv6 implementation in ufw.  It would be nice to model a script around that.

19 (edited by placebo 2009-04-22 21:07:02)

Re: IPv6 Support Thread

godfather007 wrote:

What i saw is that all my internals can be pinged from the outside world.

EEEK!

One of the aims of IPv6 is to restore end-to-end connectivity on the internet and do away with all the problems caused by NAT, so being able to ping your systems directly is actually a good thing.

Re: IPv6 Support Thread

Does anyone have this working with aiccu AYIYA connection?  I am about ready to kick the dog because this is so difficult.

I have installed a brand new downloaded today copy of kamizaze latest and install aiccu and radvd.  aiccu starts fine, radvd starts fine.  I follow all the various documentation here.  I can always connect via aiccu just fine.  I can ping ipv6 all day long.  My local pc's on network however can never reach anything.  I tried this on dd-wrt and exact same results using tunnel broker.  I switch to openwrt because I see it has aiccu.

If anyone can help me get this going I would gladly jump up and down and praise your name.  I can reflash and start from scratch easily.  I have never been so frustrated.  I have followed all these guides but they never work for me.  They only work from the router.  I am going crazy.

Re: IPv6 Support Thread

hmm, i just realized why the aiccu connection wasn't working.  I dont have a subnet and I am trying to route with my IP address prefix.

That also explains why my tunnelbroker connection wasn't routing too because I didn't realize there was any difference in the prefix for the routed 64 and client ipv6 addr (they look practically the same, except for a 1 was a 0).

So I am going to try this again with tunnelbroker because i dont have a sixxs subnet.

Re: IPv6 Support Thread

placebo wrote:
godfather007 wrote:

What i saw is that all my internals can be pinged from the outside world.

EEEK!

One of the aims of IPv6 is to restore end-to-end connectivity on the internet and do away with all the problems caused by NAT, so being able to ping your systems directly is actually a good thing.

I understand that it's a good thing to have native communication, no more portredirection and address translation.

But i would like to have a little grip on traffic entering my subnet.

For example i would like to allow:

ping external to internal for all machines.
voip external to internal for all machines.
www to selected machines.
ssl external to internal for all machines.
p2p external to internal for all machines.

and drop the rest.

I know there's FWbuilder and i've been reading and also tried to generate an FW script.

But then i was asking myself; where to place it as the firewall is triggered UCI way and does not contain UCI for IPV6.


Anyone has some info or thoughts about this?

Re: IPv6 Support Thread

try ipv6tables.

Re: IPv6 Support Thread

Hi guys,

where can i find a good howto to configure IPv6 for Openwrt?
I want to test the DS-Lite feature