Topic: Native IPv6 with RA on Backfire

Hello,

I'm using Backfire (10.03.1-RC5, r27608) on a WNDR3700. I've a default setup, my OpenWRT Router is connected to a VDSL Modem. The OpenWRT router does PPPoE, does routing with NAT and has bridged LAN/WLAN on the inner side.

I installed IPv6 packages (kmod-ipv6, ip, kmod-ip6tables and ip6tables) and enabled IPv6 on my WAN, and I already get an IPv6 address:
http://img718.imageshack.us/img718/2429/ipv6wan.jpg

I noticed that when I do a reconnect, the first 64 bits change (dynamic IPv6 then..?)

Nice! Testing using ping6 from my router:

# ping6 ipv6.google.com
PING ipv6.google.com (2a00:1450:4001:c01::6a): 56 data bytes
64 bytes from 2a00:1450:4001:c01::6a: seq=0 ttl=57 time=28.818 ms
64 bytes from 2a00:1450:4001:c01::6a: seq=1 ttl=57 time=28.913 ms

Great.

Now I wanted to configure the internal hosts. I installed radvd. But since then I had no more IPv6 address on the WAN interface.

According to a post from jow, I have to set accept_ra to 2. I did this by using

sysctl -w net.ipv6.conf.pppoe-wan.accept_ra=2

But this didn't help. I assume it's because it's not persistent (it looks like the pppoe-wan interface is going to be deleted and recreated somehow when I reconnect with my ISP, after the reconnect accept_ra is back to 0).
Also it should be possible to set this option in /etc/config/network (option 'accept_ra' '1'), but this did not help for me: Although the accept_ra was set to 2 after reconnecting, I don't get any IPv6 address on my WAN interface. The only solution is removing radvd or disabling IPv6 forwarding manually...

My questions
1. I think my IPv6 from the provider comes via RA. How can I be sure?
2. How can I enable RA for my WAN permanently even with routing enabled?
3. When I have an IPv6 address and routing enabled, how can I make sure my internal hosts can connect to the network? As far as I understand that, I have to create a subnet, set the router's LAN address to an address out of that subnet and propagate that prefix using radvd. But how can I do that, especially when the address on the WAN interface is dynamic?

I called the provider, the supporter said: "IPv6 is implemented, but we can't sell it yet.." I asked which technical solutions they are using/planning to use, the supporter couldn't answer... It looks like their support isn't ready for IPv6, but their infrastructure is..

Thanks for any help

Cheers
Stefan

Re: Native IPv6 with RA on Backfire

I did some more investigation.

As soon as I enable Radvd on the LAN Interface, IPv6 forwarding is going to be enabled:

# cat /proc/sys/net/ipv6/conf/all/forwarding
1

By adding

 option 'send_rs' '1'

I also forced enabling Router Solicitations. But it seems not to help either.

I also tried wide-dhcpv6-client, I enabled it but didn't get an IPv6. The logs didn't help a lot, even with debugging on. It looks like there simply is no DHCP on my provider...

Any chance to get IPv6 for my LAN with the provided IPv6 over RA only?

Re: Native IPv6 with RA on Backfire

No. If your ISP indeed only gives you a /64 I see no way to use radvd or DHCPv6 server with that. There is proxy_ndp but that is quite hackish to use.

Re: Native IPv6 with RA on Backfire

Perhaps your ISP is also doing ipv6 prefix delegation? That would work with a /64 on your external interface. Unfortunately, I'm not sure how to set that up in OpenWRT. If you could get a packet capture between your router and your modem we could look at the ICMPv6 packets in there to see if your ISP is advertising any additional prefixes to you.
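
For the "how can I be sure?" question and the packet-capture suggestion above, an added Python example (not part of any post in this thread) that decodes an ICMPv6 Router Advertisement and reports its M/O flags and advertised prefixes. It expects the bytes starting at the ICMPv6 header; the sample RA and the function names are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861); checksum not verified."""
    if len(icmp6) < 16 or icmp6[0] != 134:              # type 134 = RA
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"managed": bool(flags & 0x80),                # M: addresses via DHCPv6
          "other": bool(flags & 0x40),                  # O: other config via DHCPv6
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length unit: 8 bytes
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")        # RFC 4861: discard the packet
        if opt_type == 3 and opt_len == 32:             # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", icmp6, off + 2)
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "on_link": bool(pflags & 0x80),         # L flag
                "autonomous": bool(pflags & 0x40),      # A flag: usable for SLAAC
                "valid": valid, "preferred": preferred})
        off += opt_len
    return ra

def wan_addressing(ra: dict) -> list:
    """How hosts on this link are told to obtain addresses."""
    methods = []
    if any(p["autonomous"] and p["prefix"].prefixlen == 64 for p in ra["prefixes"]):
        methods.append("slaac")
    if ra["managed"]:
        methods.append("dhcpv6")
    return methods

# Constructed sample (not from the thread): M=0, O=0, an MTU option and one /64
# prefix with L and A set, taken from the 2001:db8::/32 documentation range.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    + struct.pack("!BBHI", 5, 1, 0, 1492)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:1234:5678::").packed
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(wan_addressing(ra), [str(p["prefix"]) for p in ra["prefixes"]])
```

A prefix reported here is the on-link prefix of the WAN link itself; a separate routed prefix for the LAN would arrive through DHCPv6 prefix delegation (IA_PD), not in an RA.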

Re: Native IPv6 with RA on Backfire

As far as I know DHCP6 client (wide-dhcpv6-client) should be able to receive prefix delegations. I activated this module by configuring it through /etc/config/dhcp6c:

config 'dhcp6c' 'basic'
        option 'enabled' '1'
        option 'interface' 'wan'
        option 'dns' 'dnsmasq'
        option 'pd' '1'
...

"pd" should enable prefix delegation. But it seems nothing is answering the DHCP requests:

...
Sep 29 10:53:33 netgear daemon.debug dhcp6c[5630]: dhcp6_reset_timer: reset a timer on pppoe-wan, state=SOLICIT, timeo=5, retrans=37411
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: copy_option: set client ID (len 10)
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: copy_option: set rapid commit (len 0)
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: copy_option: set elapsed time (len 2)
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: copy_option: set option request (len 2)
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: copyout_option: set IA_PD
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: client6_send: send solicit to ff02::1:2
Sep 29 10:54:11 netgear daemon.debug dhcp6c[5630]: dhcp6_reset_timer: reset a timer on pppoe-wan, state=SOLICIT, timeo=6, retrans=77354
...

Re: Native IPv6 with RA on Backfire

I have done the following to enable native ipv6 on my LAN (OpenWRT trunk version, WNDR3700v1 but it should work on all devices)

With this there is no need of radvd or anything else and it's working flawlessly on both Linux and Windows systems. I have a 10/10 score here: http://test-ipv6.comcast.net/

/etc/init.d/network
Add this at the end of the "boot()" function to bridge eth1 and br-lan
ebtables -t broute -A BROUTING -i eth1 -p ! ipv6 -j DROP
brctl addif br-lan eth1

/etc/config/network
Add this on the "config interface lan" section
    option accept_ra    1
    option send_rs    1
Add this on the "config interface wan" section
  option accept_ra  0
  option send_rs  0

/etc/config/firewall
Add this to the "config defaults" section
  option disable_ipv6     1

/etc/sysctl.conf
Add this at the end to enable firewalling on ipv6 even for bridged interfaces
  net.bridge.bridge-nf-call-ip6tables=1
  net.bridge.bridge-nf-call-iptables=0

/etc/firewall.user
Add this to have some firewalling on ipv6 (I'm not a firewall expert so feel free to fix it :)
I don't remember why but I couldn't get OpenWRT default firewalling rules to work on ipv6...
---
# First, delete all:
ip6tables -F
ip6tables -X

# Allow anything on the loopback interface
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT -o eth1 -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

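# Allow multicast (a multicast address is only ever a destination, never a
# source, so it has to be matched with -d; with -s these rules never match)
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT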

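# Allow ICMPv6
# (the unconditional ICMPv6 ACCEPT on INPUT also matches echo-requests over the
# limit, so the 30/minute limit has no effect as written)
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
ip6tables -A INPUT  -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT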

ip6tables -A FORWARD -p icmpv6 -m physdev ! --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -m physdev --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -m physdev --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-solicitation -m physdev --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type neighbor-advertisement -m physdev --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type router-advertisement -m physdev --physdev-in eth1 -j ACCEPT

# Allow forwarding
ip6tables -A FORWARD -m state --state NEW -m physdev ! --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -p tcp --dport 22 -m physdev --physdev-in eth1 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -N LOG_DROP
ip6tables -A LOG_DROP -j LOG --log-prefix '[ip6tables DROP]:'
ip6tables -A LOG_DROP -j REJECT --reject-with icmp6-port-unreachable

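# Catch-all rules: log and reject everything not accepted above
# (these act as the default policy; the built-in chain policies are not changed)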
ip6tables -A INPUT -j LOG_DROP
ip6tables -A FORWARD -j LOG_DROP
ip6tables -A OUTPUT -j LOG_DROP
--
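
ip6tables evaluates a chain top to bottom and stops at the first terminating match, so rule order decides whether a rate limit in a hand-written ruleset like the one above actually applies. Added example, not part of the original post: a Python check that finds rate-limited ACCEPT rules undone by a later, broader ACCEPT in the same chain. `parse_rule` and `bypassed_limits` are hypothetical helper names, and the `REORDERED` sample is a constructed variant.

```python
import shlex

def parse_rule(line):
    """Parse one 'ip6tables -A CHAIN ...' line (single-valued options only)."""
    toks = shlex.split(line)[1:]                 # drop the 'ip6tables' word
    rule = {"chain": None, "target": None, "limited": False, "match": {}}
    neg, i = "", 0
    while i + 1 < len(toks):
        if toks[i] == "!":                       # negation applies to the next option
            neg, i = "!", i + 1
            continue
        opt, val = toks[i], toks[i + 1]
        i += 2
        if opt in ("-A", "-j"):
            rule["chain" if opt == "-A" else "target"] = val
        elif opt in ("-m", "--match"):
            rule["limited"] = rule["limited"] or val == "limit"
        elif opt != "--limit":                   # the rate itself is not a match key
            rule["match"][opt] = neg + val
        neg = ""
    return rule

def bypassed_limits(script):
    """Rate-limited ACCEPTs followed by a broader ACCEPT in the same chain."""
    rules = [parse_rule(l) for l in script.splitlines()
             if l.strip().startswith("ip6tables -A")]
    findings = []
    for n, a in enumerate(rules):
        if not (a["limited"] and a["target"] == "ACCEPT"):
            continue
        for b in rules[n + 1:]:
            # b sees a's over-limit packets if every condition of b is also in a
            broader = b["match"].items() <= a["match"].items()
            if b["chain"] != a["chain"] or b["limited"] or not broader:
                continue
            if b["target"] == "ACCEPT":
                findings.append((a["chain"], a["match"], b["match"]))
            if b["target"] in ("ACCEPT", "DROP", "REJECT"):
                break                            # first terminating match wins
    return findings

# Two INPUT rules in the shape posted above, then a constructed reordering.
AS_POSTED = """ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
ip6tables -A INPUT -p icmpv6 -j ACCEPT"""
REORDERED = """ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/minute -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT"""
```

`bypassed_limits(AS_POSTED)` reports the INPUT echo-request limit; `bypassed_limits(REORDERED)` reports nothing because the DROP catches the excess before the general ICMPv6 ACCEPT.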

Re: Native IPv6 with RA on Backfire

Hm, you basically bridge the WAN interface with the LAN interface to get the IPs from the provider directly? Good idea, never thought about that. Does IPv4 work with that bridge? Couldn't we create a new interface which only does IPv6, and bridge only that one?

Re: Native IPv6 with RA on Backfire

IPv4 works flawlessly; in fact all IPv4 traffic is excluded from the bridge with this command:
ebtables -t broute -A BROUTING -i eth1 -p ! ipv6 -j DROP
just before we add the external interface to the bridge

It may be possible to create a new interface only for ipv6 but it will be much harder to configure I think and most important, it's working great right now so "keep it simple" :)

Re: Native IPv6 with RA on Backfire

Note that the above needs bridge firewalling support which is not present in binary releases.

Re: Native IPv6 with RA on Backfire

You mean the 'physdev' module for ip6tables ?

Re: Native IPv6 with RA on Backfire

That and also the *-nf-call-iptables sysctls

12 (edited by risa2000 2012-02-19 19:01:56)

Re: Native IPv6 with RA on Backfire

I am currently trying to achieve something like this with French provider Free, which apparently gives one /64 subnet. I am using TL-WR1043ND with OpenWRT built from trunk (r30641). I started with config posted by diway, but it did not work right away. So I tried to do it step by step (except /etc/config/network and /etc/config/firewall parts, which I preconfigured) and it seems that as soon as I hit

brctl addif br-lan eth0.2

I lose the network. I could continue, but the configuration is probably screwed anyway and the only way to recover is a reboot.

I also had a look at this page http://blog.fabroce.info/post/2011/07/09/Free-ipv6-/-ebtables-/-Openwrt which describes my exact need, but this does not work either.

After it fails, neither logread nor dmesg show any issue, but I cannot reach the router, nor can I pass through it. I do not know how to debug it further. Any advice will be appreciated :)

EDIT: Just to add, I am executing manually the commands from serial console.

Re: Native IPv6 with RA on Backfire

Hi, I'm not sure I understand how these two lines of code work:

diway wrote:

/etc/init.d/network
Add this at the end of the "boot()" function to bridge eth1 and br-lan
ebtables -t broute -A BROUTING -i eth1 -p ! ipv6 -j DROP
brctl addif br-lan eth1
--

Where is the executable ebtables? I have searched for executable files, packages with ebtables in their name and came out empty.

Re: Native IPv6 with RA on Backfire

bogdanbiv wrote:

Where is the executable ebtables? I have searched for executable files, packages with ebtables in their name and came out empty.

ebtables is configurable through make menuconfig
in openwrt root. It is not in standalone packages.

15 (edited by strelok-ac 2012-11-25 13:44:43)

Re: Native IPv6 with RA on Backfire

I already added this instruction to the wiki.

I don't quite understand: does this method of forwarding IPv6 have an influence on torrent speed or seed/peer connectivity? Who has already tried it?

16 (edited by risa2000 2012-11-25 15:11:12)

Re: Native IPv6 with RA on Backfire

strelok-ac wrote:

I already added this instruction to the wiki.

I don't quite understand: does this method of forwarding IPv6 have an influence on torrent speed or seed/peer connectivity? Who has already tried it?

It is great that it is available now in the wiki, it was hard to dig out of the forums. One warning though. The ebtables setup does not work in some configurations - at least in mine (TL-WR1043ND). I think (but I cannot verify it, since I have tested it only on my setup) the problem lies with the RTL switching plane, which is configured using virtual LANs for both external WAN and internal LAN interfaces. As soon as I tried to load ebtables and made a bridge between the external and internal interface (which is already a bridge) my network stopped working.

Eventually I had to resort to npd6 (http://code.google.com/p/npd6/).

Re: Native IPv6 with RA on Backfire

risa2000 wrote:

Eventually I had to resort to npd6 (http://code.google.com/p/npd6/).

Need to merge it with trunk... I cannot find npd6 in my repository...

Re: Native IPv6 with RA on Backfire

There is an ndppd package already which does the same thing.

Re: Native IPv6 with RA on Backfire

jow wrote:

There is an ndppd package already which does the same thing.

This is interesting information. When I was looking for npd6 in openwrt repository, I did not find it, so I finally got stuck with local repository with build script for npd6.

ndppd also seems quite new, and at first sight it seems to be a "true" proxy, compared to npd6, which (by default) does not query the internal network. Right now, I am not sure which one is better though.

Re: Native IPv6 with RA on Backfire

This setup works perfectly for me. But as far as I understood the WAN gets no IPv6 address. So, the router cannot access IPv6 addresses. How can one assign the address to the interface?

Thx in advance.

Bye