IPv6 Support

[wpte]

UPDATE:
A simple how-to on how to set things up can be found here: http://code.google.com/p/wl500g/wiki...Pv6Tunnelhowto


Well my idea was to use http://tunnelbroker.net
since they have many different server locations:

Fremont, CA; New York, NY; Dallas, TX; Chicago, IL; London, UK; Frankfurt, Germany; Paris, France; Amsterdam, NL; Miami, FL; Ashburn, VA; Seattle, WA; Los Angeles, CA; Hong Kong; Toronto, ON

for me to Amsterdam it's only 24ms ping, so it's great

basicly it set's up a IPv6 tunnel over IPv4


I googled here and there but I can't find proper information how to get this working on asus routers

after you're logged into your free account you can create a "Regular Tunnel" or a "BGP Tunnel". Regular tunnel is the one we're after I guess, since with BGP tunnel you must own a IPv6 adress already like from your ISP.
http://www.tunnelbroker.net/forums/i...hp?topic=163.0

Anyway, when creating a regular tunnel you have to fill in a static ip adress (your outside internet ip adress) called the "IPv4 endpoint". this is usually the ip from "You are viewing from IP"

Now we have the tunnel... but how do we set this up?
on the tunnel site we have:

Server IPv4 address:
Server IPv6 address:
Client IPv4 address:
Client IPv6 address:
Anycasted IPv6 Caching Nameserver:

and on the webconfig we have:
LAN IPv6 settings

Static IPv6 address: no idea
Netsize (bits of hostpart): (64 I guess)
Enable router advertisements: put on "yes"

Tunnel IPv6 Setting

Enable IPv6-tunnel: put on "yes"
Remote endpoint: the Server IPv4 address?
Local IPv6 address: the Client IPv6 address?
Netsize (bits of hostpart): 64 (ip address says /64 in the end)
Remote IPv6 gateway: the Server IPv6 address
Tunnel MTU: 1280
Tunnel TTL: 64

now this doesn't seem to work
Does anyone know how to get this running?

[libc]

From tunnel site you have

Server IPv4 address:
Server IPv6 address:
Client IPv4 address:
Client IPv6 address:
Routed /48: Allocate
Routed /64:

webconfig:
LAN IPv6 settings

Static IPv6 address: *an address from Routed /64*
Netsize (bits of hostpart): 64
Enable router advertisements: yes

I'd recommend :1 address from Routed /64.
If you have 2001:db8:4242:4242::/64 as routed/64, you put 2001:db8:4242:4242::1 in Static IPv6 address

Tunnel IPv6 Setting

Enable IPv6-tunnel: yes
Remote endpoint: the Server IPv4 address
Local IPv6 address: the Client IPv6 address
Netsize (bits of hostpart): 64
Remote IPv6 gateway: the Server IPv6 address
Tunnel MTU: 1280
Tunnel TTL: 64

And this works for me.

Also note, that routed/64 is different from client and server ipv6 addresses (took me time to note 1a vs 1b in the third 16-bit group).

[wpte]

From tunnel site you have


webconfig:
LAN IPv6 settings


I'd recommend :1 address from Routed /64.
If you have 2001:db8:4242:4242::/64 as routed/64, you put 2001:db8:4242:4242::1 in Static IPv6 address

Tunnel IPv6 Setting


And this works for me.

Also note, that routed/64 is different from client and server ipv6 addresses (took me time to note 1a vs 1b in the third 16-bit group).

thanks for the instructions!
it seems to work after doing the portscan from the website...
I still don't get any ip's leased by my router to computer in the network..
so in the end I still can't use any ipv6
or should I add this manually?

[libc]

You could add them manually.

But it should just work. Make sure you entered the right LAN IPv6 settings. (static router address, 64 as netsize and enabled routing advertisment).

If you ssh to your router, config should be something like that:

Code:

$ cat /etc/radvd.conf 
interface br0 { AdvSendAdvert on; prefix 2001:db8:4242:4242::/64 { AdvOnLink on; AdvAutonomous on; }; };

Where prefix is Routed /64. Also radvd must be running.

[wpte]

no it's not running!

my config atm:

Static IPv6 address: 2001:470:1f15:31e::1
Netsize (bits of hostpart): 64
Enable router advertisements: yes

Enable IPv6-tunnel: yes
Remote endpoint: 216.66.84.46
Local IPv6 address: 2001:470:1f14:31e::2
Netsize (bits of hostpart): 64
Remote IPv6 gateway: 2001:470:1f14:31e::1

I use the wl500g.googlecode.com latest version of oleg...
the portscan doesn't respond to ping, but the portscan says one host is active

[libc]

Have you rebooted your router after changing this settings?

Your config looks reasonable to me. Is connection working on the router?
(try to ping ipv6.he.net or ripe.net from router's ssh)

Code:

$ ping6 ipv6.he.net
PING ipv6.he.net (2001:470:0:64::2): 56 data bytes
64 bytes from 2001:470:0:64::2: icmp6_seq=0 ttl=56 time=220.8 ms

I'm using 1.9.2.7-10 (2008-03-30) for wl500g premium.

[Alex89]

Good evening. I'm lucky to have native Ipv6 address provided on physical vlan1 interface by provider 2001.x.x.x/64 (while ipv4 goes through PPTP). I've set a static ipv6 address on vlan1 and set up default route, so from router i can reach ipv6 hosts w/o any problem. Also I've set another ipv6 address from /64 prefix on my br0 interface + set up radvd with /64 prefix (can't use /80, cause i gives an error). After that i flushed all ip6tables rules and made iptable -A INPUT -p ipv6 -i vlan1 -j accept (just in case). Now i have global addresses provided in my wireless network, and i can ping computers in a network and router with ping6. But still i can't traceroute6 from my local network to ipv6 hosts (only does 1 step to br0 ipv6 address i've assigned for router and then stops) and i also can't traceroute6 from my router to local network (strange, just doesn't jump at all). Would you please give me a hand setting this configuration. Thank you

[wpte]

since my wl-500w is back up running again I tried to use ipv6 in r1000

ping6 works properly on the router
but all the computers inside my network can't browse the internet however they do receive an ipv6 adress from the router.
I think the range from the local ip's are not set properly yet

I have the basic firewall now:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     all      fe80::/10            anywhere
ACCEPT     all      ff00::/8             anywhere
ACCEPT     tcp      anywhere             anywhere           tcp dpt:ftp
DROP       all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     all      fe80::/10            anywhere
ACCEPT     all      ff00::/8             anywhere
DROP       all      anywhere             anywhere
DROP       all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp      anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp      anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp      anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp     anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all      anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all      anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all      anywhere             anywhere

so I've used some tables from my old home made script

PHP Code:

# Get global, link and wan adresses
GLOBALSCOPE=`ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'`
LINKSCOPE=`ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'`
WANIF=`echo $GLOBALSCOPE | cut -f1 -d/`

#Allow local traffic
#includes loopback and local adresses
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
#link-local
ip6tables -A INPUT -s $LINKSCOPE -j ACCEPT
ip6tables -A OUTPUT -s $LINKSCOPE -j ACCEPT 


and now I'm able to browse ipv6 sites on my clients

The changes in the list: (-- is added)

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     all      fe80::/10            anywhere
ACCEPT     all      ff00::/8             anywhere
ACCEPT     tcp      anywhere             anywhere           tcp dpt:ftp
DROP       all      anywhere             anywhere
--ACCEPT     all      anywhere             anywhere
--ACCEPT     all      fe80::/64            anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     all      fe80::/10            anywhere
ACCEPT     all      ff00::/8             anywhere
DROP       all      anywhere             anywhere
DROP       all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
--ACCEPT     all      anywhere             anywhere
--ACCEPT     all      fe80::/64            anywhere

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp      anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp      anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp      anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp     anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all      anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all      anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all      anywhere             anywhere

so it added code to accept anything from anywhere... (not secure)
but it also added fe80::/64 considered unsafe according to kamil, but it was the final step to make ipv6 browsable again

in the end the current firewall is not complete imo

[theMIROn]

first of all, your ip6tables listings ain't correct, no extra options were copied and no interfaces are visible

Code:

[admin@router root]$ ip6tables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt  in  out source    destination
    0     0 DROP   all       any any anywhere  anywhere    rt type:0
    0     0 ACCEPT all       lo  any anywhere  anywhere
    9   672 ACCEPT all       br0 any anywhere  anywhere
   14  1232 ACCEPT ipv6-icmp any any anywhere  anywhere
    0     0 ACCEPT all       any any fe80::/10 anywhere
    0     0 ACCEPT all       any any ff00::/8  anywhere
    0     0 ACCEPT tcp       any any anywhere  anywhere    tcp dpt:ftp
   60  7158 ACCEPT tcp       any any anywhere  anywhere    tcp dpt:www

second, ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}' wil produce smth like "fe80::xxxx:xxxx/64 fe80::yyyy:yyyy/64", eg 2 ips, what leads to fe80::/64 range.
but there's fe80::/10 INPUT rule already specifies range fe80:0000:0000:0000:0000:0000:0000:0000 -
febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
so your INPUT LANSCOPE rule is useless

next, OUTPUT chain has ACCEPT policy and only ping-pong DROP rule
so, your OUTPUT rules are useless

about INPUT chain - it controls only incoming (eg. end-point is router itself) connections, and doesn't affect on your pc internet connectivity, which is pass over FORWARD chain.
moreover, INPUT's ACCEPT rule is dangerous, it makes your web interface accessable from wan, at least.

p.s IPv6-in-IPv4 tunnel needs some time to be established after router reset.
On connect, your local PCs will receive router advertisements 'bout IPv6 adresse prefix and everything will be fine.
Autoconfiguration requires radvd daemon should be running (Enable router advertisements: Yes) and correct LAN IPv6 address should be specified.

Just wait some time, not more than 1 min.

[wpte]

I reconfigured my router and now it seems to work.
kinda weird since the settings are the same

maybe some leftover from the broken psu
the weird thing is that ipv6 did work on the router, but not on any of the pc's

[theMIROn]

I reconfigured my router and now it seems to work.
kinda weird since the settings are the same

maybe some leftover from the broken psu
the weird thing is that ipv6 did work on the router, but not on any of the pc's

another suggestion is to move -p ipv6 -j ACCEPT right after - i br0 -j ACCEPT

Code:

Chain INPUT (policy DROP 3990 packets, 470K bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 DROP       all  --  *      *       0.0.0.0/0   0.0.0.0/0   state INVALID
48680 9967K ACCEPT     all  --  *      *       0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0   0.0.0.0/0   state NEW
 8332 2792K ACCEPT     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   state NEW
  673 69654 SECURITY   all  --  ppp0   *       0.0.0.0/0   0.0.0.0/0   state NEW
 4167  487K SECURITY   all  --  vlan1  *       0.0.0.0/0   0.0.0.0/0   state NEW
   16   940 ACCEPT     icmp --  *      *       0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT     41   --  *      *       0.0.0.0/0   0.0.0.0/0

Code:

Chain INPUT (policy DROP 3990 packets, 470K bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 DROP       all  --  *      *       0.0.0.0/0   0.0.0.0/0   state INVALID
48680 9967K ACCEPT     all  --  *      *       0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0   0.0.0.0/0   state NEW
 8332 2792K ACCEPT     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   state NEW
    0     0 ACCEPT     41   --  *      *       0.0.0.0/0   0.0.0.0/0
  673 69654 SECURITY   all  --  ppp0   *       0.0.0.0/0   0.0.0.0/0   state NEW
 4167  487K SECURITY   all  --  vlan1  *       0.0.0.0/0   0.0.0.0/0   state NEW
   16   940 ACCEPT     icmp --  *      *       0.0.0.0/0   0.0.0.0/0

[radub]

My ISP has started rolling IPv6 and offers native IPv6 dual-stacked with IPv4. The requirements are as follows: the router should support PPPoE Ipv6 and Prefix Delegation via DHCPv6. Also, I have to write "ipv6" in the Service Name box. I currently connect via PPPoE, using an Asus WL500gP v1 with DD-WRT, which apparently doesn't support the reqs. above.
I'd like to try Oleg's, but before I start flashing again, can anyone tell me if those 2 features are supported by Oleg's firmware?

• PPPoE Ipv6
• Prefix Delegation via DHCPv6

[vdorin]

Later edit:

Build 3655 from http://asus.vectormm.net/rtn/ has working pppoe v6 and dhpc6 pd!

Great work! Thank you!

My ISP has started rolling IPv6 and offers native IPv6 dual-stacked with IPv4. The requirements are as follows: the router should support PPPoE Ipv6 and Prefix Delegation via DHCPv6. Also, I have to write "ipv6" in the Service Name box. I currently connect via PPPoE, using an Asus WL500gP v1 with DD-WRT, which apparently doesn't support the reqs. above.
I'd like to try Oleg's, but before I start flashing again, can anyone tell me if those 2 features are supported by Oleg's firmware?

• PPPoE Ipv6
• Prefix Delegation via DHCPv6

Hi Radu (radub), your ISP is RDS?
DHCP6 PD works with oleg firmware?

Thank's

[radub]

Later edit:

Build 3655 from http://asus.vectormm.net/rtn/ has working pppoe v6 and dhpc6 pd!

Great work! Thank you!



Hi Radu (radub), your ISP is RDS?
DHCP6 PD works with oleg firmware?

Thank's

I actually switched to a custom build of TomatoUSB found here. It works perfectly with my ISP (yes it's indeed RDS), with dual-stack and all the other stuff (optware, firewall, etc).