OpenWrt Forum Archive

Topic: 6rd and ipv6-support

The content of this topic has been archived between 12 Jul 2015 and 30 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

I split this from here https://forum.openwrt.org/viewtopic.php?pid=184878#p184878:

Manani wrote:

Hello,
This is a very interesting development, big thank you for that.

CyrusFF wrote:

If you have a native IPv6 connection but the upstream router doesn't support prefix delegation, wan and lan are automatically put in relay mode (when not otherwise configured), meaning RD-, DHCPv6 and NDP are proxied so that both interfaces operate in the same /64.

I am in this case, with FREE TELECOM, a French ISP that offers 6rd.

Here is my network6:

config interface 'wan'
    option mode 'static'
    option request_prefix 'auto'
    option prefix_fallback 'relay'
    option peerdns '1'
    list static_prefix '2a01:e34:xxxx:xxxx::/64'
    option ula_prefix 'fdd9:a5a0:f1f0::/48'

config interface 'lan'
    option mode 'downstream'
    option advertise_prefix '64'
    option relay_master 'wan'

config interface '6in4'
    option mode 'static'
    list static_prefix '2a01:e34:xxxx:xxx::/64'

Here is my 6relayd:

config relay
    option network    'wan lan'
    option rd    'relay'
    option dhcpv6    'relay'
    option ndp    'relay'

I get IPv6 allocations perfectly on the LAN:

Adresse IPv6: 2a01:e34:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx(préféré)
Adresse IPv6 temporaire: 2a01:e34:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy(préféré)

Serveurs DNS: 2a01:e34:xxxx:xxxx::1
              192.168.1.1

But IPv6 tests still fail (http://test-ipv6.com/)

Do you find a mistake in my settings?

First of all, please don't both set up 6relayd manually and use network6. It will lead to confusion and probably won't work as expected. Also, if you are using a tunnel protocol like 6rd, please don't configure the static_prefix on wan.

I guess the best thing is we start from scratch, find a solution to your setup and then add details to the docs.

Ok to start:
I don't know much about 6rd yet, but I assume it works similar to 6in4 or 6to4.
Can you briefly explain how you did the setup before and why you think you need to do NDP-Proxying?

(Last edited by CyrusFF on 1 Dec 2012, 14:13)

It is kind of you to consider my request. Before, I was doing it with ebtables brouting. But the setting erases itself every time the router reboots.

ebtables -t broute -A BROUTING -p ! ipv6 -i eth1 -j DROP
ebtables -A FORWARD -p ! ipv6 -o eth1 -j DROP
brctl addif br-lan eth1
ebtables -A OUTPUT -p ! ipv6 -o eth1 -j DROP

CyrusFF wrote:

First of all, please don't both set up 6relayd manually and use network6. It will lead to confusion and probably won't work as expected. Also, if you are using a tunnel protocol like 6rd, please don't configure the static_prefix on wan.

I guess the best thing is we start from scratch, find a solution to your setup and then add details to the docs.

Ok to start:
I don't know much about 6rd yet, but I assume it works similar to 6in4 or 6to4.
Can you briefly explain how you did the setup before and why you think you need to do NDP-Proxying?

Ok
I disabled the 6relayd and I changed the network6.
Here is my new network6:

Edit: Please go directly to this post to see my best successful settings.

(Last edited by Manani on 11 Dec 2012, 15:15)

So you have a working public IPv6 address on WAN and want LAN to work as well?
Do you have any radvd or similar running anywhere or are the prefixes announced by your ISP?

Have you enabled the official 6rd support and have you added the 6rd interface to the /etc/config/network config? (And have you added that to the firewall WAN zone?) And is the name of the 6rd interface "6in4", like your /etc/config/network6 suggests?

Somehow your approach with ebtables seems to deviate from the 6rd approach suggested in wiki and developer discussion. Support for 6rd was added with r32431 ( https://dev.openwrt.org/changeset/32431/ ) and has been developed since: https://dev.openwrt.org/browser/trunk/package/network/ipv6/6rd

(Last edited by hnyman on 1 Dec 2012, 15:03)

CyrusFF wrote:

So you have a working public IPv6 address on WAN and want LAN to work as well?
Do you have any radvd or similar running anywhere or are the prefixes announced by your ISP?

radvd is disabled. IPv6 is announced by my ISP on wan.

I am trying to understand how I would setup a network6 configuration for my environment.

Currently I/we operate three servers providing email (smtps, imaps), web, WebDAV and DNS (possible futures are Funambol, cloud and DMS/CMS); these are in the DMZ and are all internet facing. The LAN has a variable number of machines (desktops, laptops, WiFi-connected tablets and smartphones), usually around ten machines.

Using the documentation in the Wiki and the “IPv6 oriented Openwrt build for WNDR3700”  thread in the forums I have been trying to work out what my network6 configuration would look like based upon my Current Network configuration.

Assumptions:
The LAN and the DMZ are on and will remain on separate vlans.
No LAN machine will ever be in the DMZ!
The DMZ will continue to be used for my internet facing servers. I assume that these still have to have fixed IPs in order to make them reachable?
Machines on the LAN are not reachable from the internet (outbound only + connected & established).

Other info
Currently running AA Rc1 with uPnP, HEnet and radvd.

.
.
config interface 'lan'
    option proto 'static'
    option ifname 'eth0.1'
    option type 'bridge'
    option ipaddr '192.168.30.1'
    option netmask '255.255.255.224'
    option ip6addr '2001:470:dead:30::1/64'

config interface 'dmz'
    option proto 'static'
    option ifname 'eth0.2'
    option netmask '255.255.255.240'
    option ipaddr '74.nnn.nnn.177'
    option ip6addr '2001:470:dead:10::1/64'

config interface 'wan'
    option ifname 'eth1'
    option _orig_ifname 'eth1'
    option _orig_bridge 'false'
    option proto 'pppoe'
    option username 'isp_user_name'
    option password 'password'

config interface 'HENet'
    option proto '6in4'
    option peeraddr 'nnn.nnn.nnn.nnn'
    option ip6addr '2001:470:de:ad::2/64'
    option tunnelid '123456'
    option username 'he_net_user'
    option password 'password'
.
.

My best "guess" is that it would look something like

config interface 'wan'
    option mode 'static'
    option request_prefix 'no'            
    option prefix_fallback 'relay'                                                      ** A
    option peerdns '0'                                                                  ** B
    option static_prefix '2001:470:dead::/48'
    
config interface 'lan'
    option mode 'downstream'
    option static_prefix '2001:470:dead:30::/64'
    option advertise_prefix '64'
    option relay_master 'wan'

config interface 'dmz'
    option mode 'static'                                                                ** C
    option static_prefix '2001:470:dead:10::/64'
    option relay_master 'wan'

config interface '6in4'
    option mode 'static'
    list static_prefix '2001:470:dead::/48'

A)  not sure what this does
B)  I operate my own DNS for my own domains (includes recursion for local users only).
C)  as none of the machines here use dynamic addresses?

(Last edited by zzz2002 on 1 Dec 2012, 15:28)

hnyman wrote:

Have you enabled the official 6rd support and have you added the 6rd interface to the /etc/config/network config? (And have you added that to the firewall WAN zone?) And is the name of the 6rd interface "6in4", like your /etc/config/network6 suggests?

I see there was a mistake.

Edit: Please go directly to this post to see my best successful settings.

(Last edited by Manani on 11 Dec 2012, 15:16)

Are you using radvd to advertise your lan prefix to the devices on the lan?

mikma wrote:

Are you using radvd to advertise your lan prefix to the devices on the lan?

This is done by the new package ipv6.

@zzz2002:
You don't want to use static_prefix as it automatically splits up your /48 + it doesn't work for downstream interfaces.
Don't set lan to static as otherwise the Router Advertisements are not sent.
Try the following network6 and leave the ip6addr in network as they are:

config interface lan
option mode downstream

config interface dmz
option mode downstream

and no other sections in the file. This will only announce the prefixes you have statically assigned so you don't need radvd anymore.

@Manani: can you try this please:
Leave /etc/config/network as it is if it is working.
Leave /etc/config/network6 completely empty (no interfaces at all)

and try the following /etc/config/6relayd

config relay
option network 'FreeIPv6 lan'
option rd       'relay'
option dhcpv6   'relay'
option ndp      'relay'

If your provider doesn't run a DHCPv6 server, you might want to set option dhcpv6 to 'server' instead. Just try how it works out best for you.

(Last edited by CyrusFF on 1 Dec 2012, 17:05)

There is no improvement with these changes. I continue to tweak and come back if I have something new.
@ +

It seems that this option should be added to the 6rd interface (FreeIPv6), but I do not know how.

ip -6 route add 2000::/3 via ::192.88.99.201

6rd is missing from the Network configuration space

Edit:
Another thing I must add: my ISP's modem (Freebox, a triple-play box) is configured in bridge. In this configuration the Freebox always keeps the router functions for IPv6 packets.

(Last edited by Manani on 2 Dec 2012, 15:42)

ISP: ER-Telecom, IPv6 afford dualstack
OpenWrt Attitude Adjustment 12.09-rc1
Install the required packages for IPv6,
/etc/config/network:

config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6adrr '2001:123:456:789::1/64'

config interface 'wan'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option username 'login'
        option password 'pass'
        option mtu '1492'
        option accept_ra '1'
        option send_rs '1'
        option ipv6 '1'

Connection properties:

IPv4 WAN Status   

Type: pppoe
Address: *.*.*.*
Netmask: 255.255.255.255
Gateway: *.*.*.*
DNS 1: 212.33.224.136
DNS 2: 212.33.225.212
Connected: 0h 2m 36s

IPv6 WAN Status   

Address: fe80::8029:e4e2:3a82:4d16/128
Gateway: FE80:0:0:0:225:BAFF:FE5B:C7D0
Connected: 0h 2m 36s

But the page does not open:(

I just committed a new version of the ipv6-support package including new logic for 6to4 and 6rd.
With this new package a 6relayd configuration is no longer needed, and any 6relayd configuration (referring to lan) needs to be removed in order for this to work.

There is some documentation on the wiki regarding the configuration: http://wiki.openwrt.org/doc/uci/network6#rd.configuration
Please follow it and make sure you insert the right values according to your ISP's setup.

I hope with this we can finally fix the issue.

(Last edited by CyrusFF on 6 Dec 2012, 22:29)

Hmm, I'm running out of ideas here. Could you maybe give me the output of "ip a l" so that I can see which interfaces got which addresses? And can you ping6 ipv6.google.com from the device itself?

Addresses assigned look good, so I guess either the firewall is blocking things (you could test by disabling it for a short time with: /etc/init.d/firewall stop), then try to ping6 and then re-enable it. Otherwise maybe check your 6rd settings with those of your ISP.

After several tests I can say that:

  1. The problem is not the firewall.

  2. 6relayd works better than Network6.

config relay
    option network    'wan lan'
    option rd    'relay'
    option dhcpv6    'relay'
    option ndp    'relay'

It seems that I do not need to create the 6rd interface.

ping6 ipv6.google.com from the device itself

PING ipv6.google.com (2a00:1450:4007:803::1011): 56 data bytes
64 bytes from 2a00:1450:4007:803::1011: seq=0 ttl=57 time=29.244 ms
64 bytes from 2a00:1450:4007:803::1011: seq=1 ttl=57 time=22.964 ms
64 bytes from 2a00:1450:4007:803::1011: seq=2 ttl=57 time=24.100 ms
64 bytes from 2a00:1450:4007:803::1011: seq=3 ttl=57 time=23.395 ms
64 bytes from 2a00:1450:4007:803::1011: seq=4 ttl=57 time=23.998 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 22.964/24.740/29.244 ms

traceroute ipv6.google.com from the device itself

traceroute to ipv6.google.com (2a00:1450:4007:803::1013), 30 hops max, 16 byte packets
 1  2a01:e3x:xxxx:xxxx::1  0.586 ms
 2  *
 3  2a01:e00:1:f::1  24.170 ms
 4  2a01:e00:1:10::2  22.153 ms
 5  2001:4860:1:1:0:3022::  98.617 ms
 6  2001:4860::1:0:9f2  82.287 ms
 7  2001:4860:0:1::225  23.060 ms
 8  2a00:1450:8000:e::a  74.927 ms

My feeling is that I just need to find a setting that provides an IPv6 gateway for my PC.

Manani wrote:

After several tests I can say that:
The problem is not the firewall.
...
It seems that I do not need to create the 6rd interface.
...
My feeling is that I just need to find a setting that provides a IPv6 gateway for my PC.

Two questions:

How have you defined the firewall zones in /etc/config/firewall? You are sure that FreeIPv6 has been added to the wan zone? Have you defined the tunnel interface at all for the firewall? If there is no tunnel interface in the firewall definition, you might be without a forwarding rule in firewall.
You might give the output of "ip6tables -L -v".

What is the output of "route -A inet6"? I am wondering if a default route gets generated, or if you are left without one.

(Last edited by hnyman on 9 Dec 2012, 14:09)
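
The two checks hnyman asks for above (is the tunnel interface in a firewall zone, and is there an IPv6 default route), as an added example that is not part of the original thread or of OpenWrt. The function names, the device name 6rd-FreeIPv6 and the sample firewall and route text are assumptions constructed for illustration; 2000::/3 counts as default-like because of the route Manani quoted earlier. On a router the inputs would come from /etc/config/firewall and "ip -6 route show".

```shell
#!/bin/sh
# Added example; FW_* and ROUTES are constructed sample data, not from a real router.

# Print the zone(s) whose network list contains logical interface $1.
# Reads UCI firewall text on stdin ("option network 'a b'" or "list network 'a'").
zone_of_iface() {
    awk -v want="$1" -v q="'" '
        function emit() { if (found) print name }
        { gsub("[" q "\"]", "") }                      # strip UCI quoting
        $1 == "config" { emit(); inzone = ($2 == "zone"); name = ""; found = 0; next }
        inzone && $2 == "name"    { name = $3 }
        inzone && $2 == "network" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { emit() }'
}

# Print the device of the first default-like route in "ip -6 route show" output (stdin).
# "unreachable default ..." lines are skipped: their first field is "unreachable".
v6_default_dev() {
    awk '($1 == "default" || $1 == "::/0" || $1 == "2000::/3") {
             for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# audit FIREWALL_TEXT ROUTE_TEXT IFACE: one-line verdict, non-zero status on a gap.
audit() {
    dev=$(printf '%s\n' "$2" | v6_default_dev)
    zone=$(printf '%s\n' "$1" | zone_of_iface "$3")
    [ -n "$dev" ]  || { echo "no IPv6 default route"; return 1; }
    [ -n "$zone" ] || { echo "default via $dev, but $3 is in no firewall zone"; return 1; }
    echo "default via $dev, $3 is in zone $zone"
}

FW_MISSING="config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'"
FW_FIXED="config zone
    option name 'wan'
    list network 'wan'
    list network 'FreeIPv6'
    option input 'REJECT'"
ROUTES="2001:db8:1234:5600::/64 dev br-lan proto kernel metric 256
unreachable default dev lo proto kernel metric 4294967295 error -101
default via ::192.0.2.1 dev 6rd-FreeIPv6 metric 1024"

audit "$FW_MISSING" "$ROUTES" FreeIPv6 || true
audit "$FW_FIXED" "$ROUTES" FreeIPv6
```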