Topic: Configure Backfire 10.03.1-rc4 for a static 6in4 IPv6 tunnel (SixXS)
Configuring OpenWrt Backfire 10.03.1-rc4 for a static 6in4 tunnel from SixXS to get IPv6 connectivity
I was looking for information about configuring my router (a Netgear WNDR3700) to support a static 6in4 tunnel from SixXS for IPv6 connectivity. The router is currently running OpenWrt Backfire 10.03.1-rc4, published in November 2010, the rc4 version of the forthcoming Backfire Interim Release 1.
The current OpenWrt Backfire 10.03.1-rc4 has an installable package for 6in4 tunnels, which should make the process relatively easy. However, finding exactly the correct configuration is not that easy. I found useful information on the internet, but it was scattered around and to some extent outdated or incomplete. I write this article to summarize my findings and to list my configuration as an example for others trying to do the same.
Additionally, the rc4 version does not allow some of the required steps to be configured through the Luci GUI, so some tasks have to be done by editing configuration files manually.
Background assumptions: you have a "Static" 6in4 tunnel with a fixed tunnel endpoint from SixXS. You also have a subnet, which is routed through that tunnel. You also have installed the OpenWrt to the router.
Main steps in the process:
Configuring the tunnel
Configuring iptables to make sure that the tunnel stays up
Configuring IPv6 address autoconfiguration inside local LAN by using RADVD
Configuring ipv6 firewall - ip6tables
1) Configuring the tunnel
The main steps are explained pretty well in http://wiki.openwrt.org/doc/howto/ipv6 , which is mostly up-to-date. However, it does not discuss SixXS specific issues.
First you need to make sure that the IPv6 support modules and the 6in4 tunnel module have been installed either by using Luci GUI or by running the following command:
opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables 6in4
The file '/etc/config/network' needs to be manually edited to include a new interface for the tunnel, which will be called 'sixxs':

config 'interface' 'sixxs'
    option 'proto' '6in4'
    option 'peeraddr' '18.104.22.168'
    option 'ip6addr' '2001:14b8:XXXX:XXXX::2/64'
    option 'ipaddr' '62.78.XXX.XXX'

(peeraddr is the IPv4 address of the remote PoP tunnel endpoint and is required; ip6addr is the IPv6 address of the tunnel endpoint at your end, the "::2" side of the tunnel /64 shown in the SixXS tunnel details; ipaddr is the router's own IPv4 WAN address. ipaddr can be left out, in which case the 6in4 script picks up the current address of the wan interface, but with the fixed endpoint that a static tunnel requires it does no harm to state it explicitly.)
Note: Make sure that there is no "option defaultroute 0" line in the 'sixxs' section. Luci may add that line automatically if you merely visit the interface's settings page, and with it the tunnel comes up but no IPv6 default route is installed through it. If you later experience IPv6 traffic problems, double check this first.
Additionally, the IPv6 address in the local subnet is added to the router's LAN interface either through Luci (Network/Interfaces/LAN) or by editing the file '/etc/config/network' :
config 'interface' 'lan'
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'ip6addr' '2001:14b8:YYYY:YYYY::1/64'
(ip6addr is the router's IPv6 address in the new local subnet.)
Third step is to add the new 'sixxs' interface to the 'wan' zone of the firewall. Either use Luci (Network/Firewall/Zones) or edit '/etc/config/firewall' :
config 'zone'
    option 'name' 'wan'
    option 'network' 'wan sixxs'
Fourth task is to make sure that the IPv6 forwarding line in '/etc/sysctl.conf' is uncommented (OpenWrt ships it commented out); without it the router accepts IPv6 itself but does not forward packets between the tunnel and the LAN:

net.ipv6.conf.all.forwarding=1

The setting is applied at boot. To turn forwarding on immediately without rebooting, run 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding'.
2) Making sure that the tunnel stays up - iptables
SixXS pings the static tunnel endpoint every 30 minutes (over IPv6, inside the tunnel) and the router needs to answer that ping, otherwise the tunnel gets disabled. With the default iptables configuration the router may have forgotten the tunnel in the kernel's connection tracking table: the IPv4 firewall sees the whole tunnel as one protocol-41 "connection", and when there has been no IPv6 traffic for a while its conntrack entry times out. The next encapsulated ping from the PoP then arrives as a new, unsolicited connection on the WAN side and is rejected like any other unsolicited WAN traffic. You have to make sure that the incoming pings from SixXS get accepted even then.
The entry suggested in the SixXS FAQ does not work properly in OpenWrt 10.03.1-rc4 ( https://www.sixxs.net/faq/connectivity/?faq=conntracking ).
Instead you need an iptables rule that makes the IPv4 firewall accept IPv6-in-IPv4 packets (IP protocol 41) from the PoP tunnel endpoint even if they are not related to an existing connection. Because the rule is limited to the PoP's source address, it does not open the router to protocol-41 packets from anywhere else. Good discussion e.g. here: https://www.sixxs.net/forum/?msg=setup-2860037
The following line needs to be added to file '/etc/firewall.user' :
iptables -I INPUT 1 -s <remote_ipv4_pop_endpoint_addr> -p 41 -j ACCEPT

In my case:

iptables -I INPUT 1 -s 22.214.171.124 -p 41 -j ACCEPT
Alternatively, you can add an accept rule through Luci (Network/Firewall/Traffic Control): add there a new advanced rule (you need to add the additional field for the source IPv4 address and set custom protocol as 41).
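As an added example (not code from the original article or from OpenWrt), the following POSIX shell script checks the step 1 and step 2 configuration for the pitfalls described above and derives the protocol-41 rule from the configured peeraddr, so the PoP address is typed only once. The config files it reads are constructed samples using documentation placeholder addresses (192.0.2.1, 2001:db8::/32); on the router you would point the functions at the real '/etc/config/network' and '/etc/config/firewall'. The uci_lookup helper is my own small parser of the UCI file syntax, not the uci command, so the script also runs on a workstation.

```shell
#!/bin/sh
# Added example, not part of the original article: check the step 1 and 2
# configuration for the pitfalls the article mentions and derive the
# protocol-41 iptables rule from /etc/config/network, so the PoP address
# is typed once.  POSIX sh + awk only (runs on the router's busybox too).
# The config files below are constructed for the demo; 192.0.2.1 and
# 2001:db8::/32 are documentation placeholders, not real SixXS addresses.

# uci_lookup FILE TYPE KEYOPT KEYVAL WANTOPT
# Print WANTOPT from the first section of TYPE whose KEYOPT equals KEYVAL.
# KEYOPT ".name" matches the section name (config interface 'sixxs').
# Handles quoted and unquoted UCI syntax and multi-word values ('wan sixxs').
uci_lookup() {
    awk -v typ="$2" -v ko="$3" -v kv="$4" -v wo="$5" -v q="'" '
        # strip one layer of single or double quotes
        function unq(s) { sub("^[" q "\"]", "", s); sub("[" q "\"]$", "", s); return s }
        function flush() {
            if (!found && cur == typ && opts[ko] == kv) { print opts[wo]; found = 1 }
        }
        $1 == "config" { flush(); cur = unq($2); split("", opts); opts[".name"] = unq($3) }
        $1 == "option" { v = $3; for (i = 4; i <= NF; i++) v = v " " $i; opts[unq($2)] = unq(v) }
        END { flush() }
    ' "$1"
}

# Step 1 check: Luci may add "option defaultroute 0" to the tunnel section
# after a visit to its settings page; that suppresses the IPv6 default route.
tunnel_defaultroute_ok() {  # NETWORK_FILE
    [ "$(uci_lookup "$1" interface .name sixxs defaultroute)" != "0" ]
}

# Step 1 check: the tunnel must be listed in the wan zone's network option.
tunnel_in_wan_zone() {  # FIREWALL_FILE
    case " $(uci_lookup "$1" zone name wan network) " in
        *" sixxs "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 2: emit the rule that lets the PoP's encapsulated (protocol 41) packets
# in even when conntrack has forgotten the tunnel.  Fails if peeraddr is unset.
proto41_rule() {  # NETWORK_FILE
    peer=$(uci_lookup "$1" interface .name sixxs peeraddr)
    [ -n "$peer" ] || { echo "interface sixxs has no peeraddr" >&2; return 1; }
    echo "iptables -I INPUT 1 -s $peer -p 41 -j ACCEPT"
}

# --- constructed sample configs --------------------------------------------
tmp=$(mktemp -d)
NET_OK="$tmp/network"; NET_BAD="$tmp/network.luci"; FW="$tmp/firewall"
cat > "$NET_OK" <<'EOF'
config 'interface' 'lan'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'ip6addr' '2001:db8:1::1/64'

config 'interface' 'sixxs'
    option 'proto' '6in4'
    option 'peeraddr' '192.0.2.1'
    option 'ip6addr' '2001:db8::2/64'
EOF
# the same file after Luci has "helped": defaultroute 0 lands in the tunnel section
{ cat "$NET_OK"; printf "    option 'defaultroute' '0'\n"; } > "$NET_BAD"
cat > "$FW" <<'EOF'
config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'

config 'zone'
    option 'name' 'wan'
    option 'network' 'wan sixxs'
    option 'masq' '1'
EOF

proto41_rule "$NET_OK"            # -> iptables -I INPUT 1 -s 192.0.2.1 -p 41 -j ACCEPT
tunnel_defaultroute_ok "$NET_OK"  && echo "network: tunnel defaultroute ok"
tunnel_defaultroute_ok "$NET_BAD" || echo "network.luci: remove 'option defaultroute 0' from sixxs"
tunnel_in_wan_zone "$FW"          && echo "firewall: sixxs is in the wan zone"
```

The emitted rule can be pasted into '/etc/firewall.user' as-is; keeping the check script around is mostly useful after a Luci session, since the defaultroute problem is otherwise only noticed when IPv6 silently stops working.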
3) Configuring IPv6 address autoconfiguration inside local LAN by using RADVD
As explained in http://wiki.openwrt.org/doc/howto/ipv6#radvd , the file ' /etc/config/radvd' is edited to contain the prefix for the local IPv6 subnet and to make sure that the ignore options are 0. Key fields there:
config interface
    option interface 'lan'
    option ignore 0

config prefix
    option interface 'lan'
    option prefix '2001:14b8:YYYY:YYYY::/64'
    option AdvOnLink 1
    option AdvAutonomous 1
    option AdvRouterAddr 0
    option ignore 0
To make sure that RADVD gets started after the next reboot of the router, enable its init script (and start it right away if you do not want to reboot yet):

/etc/init.d/radvd enable
/etc/init.d/radvd start

You can also check from Luci (Services/Initscripts) that all services like RADVD are enabled so that they are started automatically after reboots.
4) Configuring ipv6 firewall - ip6tables
Regarding the ip6tables rules in the router, the key is to understand that, unlike with IPv4 NAT, the clients in the LAN have global addresses of their own, so the main work is done by the FORWARD chain, which decides what may pass between the tunnel and the LAN clients. INPUT and OUTPUT only concern traffic to and from the router itself and remain mostly unused; in practice they handle little more than ICMPv6 (including the SixXS pings to the tunnel endpoint address) and whatever the router itself originates.
Note: although you named the tunnel interface just 'sixxs' in '/etc/config/network', the kernel device gets the prefix '6in4-', so the name to use in ip6tables -i/-o rules (and the one you see in 'ifconfig' and 'ip -6 route' output) is '6in4-sixxs'. A rule written with plain 'sixxs' is accepted by ip6tables but silently never matches.
Note: OpenWrt's firewall v2, in Backfire since February 2011 and in Kamikaze/trunk already earlier, generates equivalent ip6tables rules itself from '/etc/config/firewall', so it does not need the rules below, except for the part where you want to open a certain port (e.g. 49001) for forwarding to the LAN.
The possible additional rules get set in file '/etc/firewall.user' that is edited manually.
The FORWARD rules should allow all traffic belonging to existing connections, all new connections from inside (br-lan), and then only selected new connections from outside.
I simplified the FORWARD rule for new connections compared with the version presented in the wiki (see the commented-out line in the full file below). Additionally, my rules accept incoming packets to port 49001 so that they get forwarded to clients in the local LAN. Note that such a rule opens the port towards every host in the LAN prefix, not just one machine; add '-d <host address>' to it if only a single host should be reachable.

# Allow forwarding
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow packets to port 49001 to get forwarded to the LAN
ip6tables -A FORWARD -p tcp --dport 49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001 -j ACCEPT
(See the full '/etc/firewall.user' below.)
That is practically all the necessary steps to get a static 6in4 IPv6 tunnel from SixXS configured in OpenWrt Backfire 10.03.1-rc4.
Finally you need to reboot the router so that it reads the configuration in and brings the tunnel up. Test connectivity from the router's command prompt first: 'ip -6 route' should show a default route via 6in4-sixxs, and 'ping6 ipv6.google.com' (busybox's IPv6 ping applet) should get replies. Only then test from a client in the LAN, which should have picked up an address from the RADVD-announced prefix.
The full contents of the '/etc/firewall.user' file. (The rules are meant for OpenWrt's firewall v1, which was used in older releases and also in Backfire until February 2011; 'input_wan' in the first rule is a firewall v1 chain name, and the rule is equivalent to the 'iptables -I INPUT 1' form given in step 2.)

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Allow incoming SixXS IPv6-in-IPv4 traffic (protocol 41) from the PoP,
# even when conntrack has no entry for the tunnel
iptables -A input_wan -s 126.96.36.199 -p 41 -j ACCEPT

# First, delete all:
ip6tables -F

# Filter all packets that have RH0 (deprecated type 0 routing) headers.
# These drops have to come before any ACCEPT rule in the same chain,
# otherwise they are never reached.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow ICMPv6 everywhere (neighbour discovery, PMTU, the SixXS pings)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# Allow anything on the local loopback link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow replies to the router's own outgoing connections
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anything out on the internet (kernel device name, not the UCI name)
ip6tables -A OUTPUT -o 6in4-sixxs -j ACCEPT

# Allow the local net to access us:
ip6tables -A INPUT -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT

# Allow link-local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast (multicast groups are destinations, never sources)
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Allow forwarding
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-sixxs -s 2001:14b8:119:ABAD::/64 -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow packets to port 49001 to get forwarded to the LAN
ip6tables -A FORWARD -p tcp --dport 49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001 -j ACCEPT

# Log the activity that will get dropped (optional)
#ip6tables -A INPUT -j LOG
#ip6tables -A FORWARD -j LOG
#ip6tables -A OUTPUT -j LOG

# Set the default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
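As an added example (not code from the article or from OpenWrt), here is a small linter for the ip6tables rules in '/etc/firewall.user'. It flags the mistakes that are easy to make in such a file: the tunnel named 'sixxs' instead of the kernel device '6in4-sixxs'; RH0 drop rules appended after an ACCEPT in the same chain, or shadowed by an ACCEPT inserted with -I, which can never match; multicast matched with -s, although multicast groups are destinations only; and chains whose default policy is not DROP. The two rule files in the script are constructed samples, a 'before' version that reproduces those problems and a corrected one. It only reads the file and applies nothing to a live firewall.

```shell
#!/bin/sh
# Added example, not part of the original article: a static linter for the
# ip6tables rules in /etc/firewall.user.  It only reads the file; nothing is
# applied to a live firewall.  POSIX sh + awk (runs on the router's busybox
# as well).  The two rule files at the bottom are constructed for the demo.

# lint_ip6tables FILE  -> prints one line per finding, nothing when clean.
# Checks: -i/-o with the UCI name "sixxs" instead of the device 6in4-sixxs,
# -s ff00::/8 (multicast is never a source), a RH0 DROP that is appended
# behind an ACCEPT of the same chain (or behind one inserted with -I), and
# INPUT/FORWARD/OUTPUT default policies that are not DROP.
lint_ip6tables() {
    awk '
        $1 != "ip6tables" { next }          # skip comments, blanks, iptables
        {
            op = ""; chain = ""; tgt = ""; dev = ""; src = ""; rh0 = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-A" || $i == "-I") { op = $i; chain = $(i+1) }
                else if ($i == "-P") policy[$(i+1)] = $(i+2)
                else if ($i == "-j") tgt = $(i+1)
                else if ($i == "-i" || $i == "-o") dev = $(i+1)
                else if ($i == "-s") src = $(i+1)
                else if ($i == "--rt-type" && $(i+1) == "0") rh0 = 1
            }
            if (dev == "sixxs")
                print NR ": interface \"sixxs\" never matches; the kernel device is 6in4-sixxs"
            if (src == "ff00::/8")
                print NR ": -s ff00::/8 never matches; multicast is a destination, use -d ff00::/8"
            if (tgt == "ACCEPT" && op == "-I") insAcc[chain] = NR
            if (tgt == "ACCEPT" && op == "-A" && !(chain in firstAcc)) firstAcc[chain] = NR
            if (tgt == "DROP" && op == "-A" && rh0) rh0Drop[chain] = NR
        }
        END {
            for (c in rh0Drop) {
                if (c in insAcc)
                    print rh0Drop[c] ": RH0 DROP in " c " is shadowed by the ACCEPT inserted with -I at line " insAcc[c]
                else if ((c in firstAcc) && firstAcc[c] < rh0Drop[c])
                    print rh0Drop[c] ": RH0 DROP in " c " comes after the ACCEPT at line " firstAcc[c] "; move it up"
            }
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (i = 1; i <= n; i++)
                if (policy[chains[i]] != "DROP")
                    print "policy: " chains[i] " default policy is not DROP"
        }
    ' "$1"
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
RULES_BEFORE="$tmp/firewall.user.before"; RULES_AFTER="$tmp/firewall.user.after"
cat > "$RULES_BEFORE" <<'EOF'
ip6tables -F
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -o sixxs -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
EOF
cat > "$RULES_AFTER" <<'EOF'
ip6tables -F
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -o 6in4-sixxs -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
EOF

echo "== before =="; lint_ip6tables "$RULES_BEFORE"    # 5 findings
echo "== after ==";  lint_ip6tables "$RULES_AFTER"     # no output: clean
```

Run it as 'lint_ip6tables /etc/firewall.user' on the router before restarting the firewall; it models -I as landing in front of every appended rule, which is exactly why mixing -I and -A in one file makes the effective order hard to see.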