
Thread: IPv6 Support

  1. #91
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    since my wl-500w is back up running again I tried to use ipv6 in r1000

    ping6 works properly on the router
    but all the computers inside my network can't browse the internet however they do receive an ipv6 address from the router.
    I think the range from the local ip's are not set properly yet

    I have the basic firewall now:
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    ACCEPT     all      anywhere             anywhere
    ACCEPT     all      anywhere             anywhere
    ACCEPT     ipv6-icmp    anywhere             anywhere
    ACCEPT     all      fe80::/10            anywhere
    ACCEPT     all      ff00::/8             anywhere
    ACCEPT     tcp      anywhere             anywhere           tcp dpt:ftp
    DROP       all      anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    ACCEPT     all      anywhere             anywhere
    ACCEPT     ipv6-icmp    anywhere             anywhere
    ACCEPT     all      fe80::/10            anywhere
    ACCEPT     all      ff00::/8             anywhere
    DROP       all      anywhere             anywhere
    DROP       all      anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    
    Chain SECURITY (0 references)
    target     prot opt source               destination
    RETURN     tcp      anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    RETURN     tcp      anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    RETURN     udp      anywhere             anywhere           limit: avg 5/sec burst 5
    RETURN     icmp     anywhere             anywhere           limit: avg 5/sec burst 5
    DROP       all      anywhere             anywhere
    
    Chain logaccept (0 references)
    target     prot opt source               destination
    LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT     all      anywhere             anywhere
    
    Chain logdrop (0 references)
    target     prot opt source               destination
    LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP       all      anywhere             anywhere
    so I've used some tables from my old home made script
    PHP Code:
    # Get global, link and wan addresses
    GLOBALSCOPE=`ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'`
    LINKSCOPE=`ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'`
    WANIF=`echo $GLOBALSCOPE | cut -f1 -d/`

    # Allow local traffic
    # includes loopback and local addresses
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    # link-local
    ip6tables -A INPUT -s $LINKSCOPE -j ACCEPT
    ip6tables -A OUTPUT -s $LINKSCOPE -j ACCEPT
    and now I'm able to browse ipv6 sites on my clients

    The changes in the list: (-- is added)
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    ACCEPT     all      anywhere             anywhere
    ACCEPT     all      anywhere             anywhere
    ACCEPT     ipv6-icmp    anywhere             anywhere
    ACCEPT     all      fe80::/10            anywhere
    ACCEPT     all      ff00::/8             anywhere
    ACCEPT     tcp      anywhere             anywhere           tcp dpt:ftp
    DROP       all      anywhere             anywhere
    --ACCEPT     all      anywhere             anywhere
    --ACCEPT     all      fe80::/64            anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    ACCEPT     all      anywhere             anywhere
    ACCEPT     ipv6-icmp    anywhere             anywhere
    ACCEPT     all      fe80::/10            anywhere
    ACCEPT     all      ff00::/8             anywhere
    DROP       all      anywhere             anywhere
    DROP       all      anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all      anywhere             anywhere           rt type:0
    --ACCEPT     all      anywhere             anywhere
    --ACCEPT     all      fe80::/64            anywhere
    
    Chain SECURITY (0 references)
    target     prot opt source               destination
    RETURN     tcp      anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    RETURN     tcp      anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    RETURN     udp      anywhere             anywhere           limit: avg 5/sec burst 5
    RETURN     icmp     anywhere             anywhere           limit: avg 5/sec burst 5
    DROP       all      anywhere             anywhere
    
    Chain logaccept (0 references)
    target     prot opt source               destination
    LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT     all      anywhere             anywhere
    
    Chain logdrop (0 references)
    target     prot opt source               destination
    LOG        all      anywhere             anywhere           LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP       all      anywhere             anywhere
    so it added code to accept anything from anywhere... (not secure)
    but it also added fe80::/64 considered unsafe according to kamil, but it was the final step to make ipv6 browsable again

    in the end the current firewall is not complete imo

  2. #92
    first of all, your ip6tables listings ain't correct, no extra options were copied and no interfaces are visible
    Code:
    [admin@router root]$ ip6tables -vL INPUT
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt  in  out source    destination
        0     0 DROP   all       any any anywhere  anywhere    rt type:0
        0     0 ACCEPT all       lo  any anywhere  anywhere
        9   672 ACCEPT all       br0 any anywhere  anywhere
       14  1232 ACCEPT ipv6-icmp any any anywhere  anywhere
        0     0 ACCEPT all       any any fe80::/10 anywhere
        0     0 ACCEPT all       any any ff00::/8  anywhere
        0     0 ACCEPT tcp       any any anywhere  anywhere    tcp dpt:ftp
       60  7158 ACCEPT tcp       any any anywhere  anywhere    tcp dpt:www
    second, ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}' will produce something like "fe80::xxxx:xxxx/64 fe80::yyyy:yyyy/64", i.e. 2 IPs, which leads to the fe80::/64 range.
    but the fe80::/10 INPUT rule already specifies the range fe80:0000:0000:0000:0000:0000:0000:0000 - febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
    so your INPUT LANSCOPE rule is useless

    next, OUTPUT chain has ACCEPT policy and only ping-pong DROP rule
    so, your OUTPUT rules are useless

    about INPUT chain - it controls only incoming (i.e. the end-point is the router itself) connections, and doesn't affect your PC's internet connectivity, which passes over the FORWARD chain.
    moreover, INPUT's ACCEPT rule is dangerous, it makes your web interface accessible from wan, at least.

    p.s IPv6-in-IPv4 tunnel needs some time to be established after router reset.
    On connect, your local PCs will receive router advertisements about the IPv6 address prefix and everything will be fine.
    Autoconfiguration requires that the radvd daemon be running (Enable router advertisements: Yes) and that a correct LAN IPv6 address be specified.

    Just wait some time, not more than 1 min.
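
Added example (not part of the original posts): a shell/awk check that reads a verbose `ip6tables -vL` listing, where the interface columns are visible, and flags an ACCEPT rule that matches all traffic on every interface (the dangerous rule from the post above) and any rule placed after such an unconditional rule, which can never match. The listing is constructed from the one in post #92 plus the two appended rules; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: flag risky rules in verbose ip6tables/iptables listings.
# sample_listing and audit_ip6tables are hypothetical names.

# Constructed listing modelled on the thread: the INPUT chain from post #92
# plus the two rules the home-made script appended.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt  in  out source    destination
    0     0 DROP   all       any any anywhere  anywhere    rt type:0
    0     0 ACCEPT all       lo  any anywhere  anywhere
    9   672 ACCEPT all       br0 any anywhere  anywhere
   14  1232 ACCEPT ipv6-icmp any any anywhere  anywhere
    0     0 ACCEPT all       any any fe80::/10 anywhere
    0     0 ACCEPT tcp       any any anywhere  anywhere    tcp dpt:ftp
    0     0 ACCEPT all       any any anywhere  anywhere
    0     0 ACCEPT all       any any fe80::/64 anywhere
EOF
}

# Read "ip6tables -vL" (or "iptables -vL") output on stdin and print one
# line per finding.
audit_ip6tables() {
    awk '
    function anyif(x)   { return x == "any" || x == "*" }
    function anyaddr(x) { return x == "anywhere" || x == "::/0" || x == "0.0.0.0/0" }
    $1 == "Chain" { chain = $2; n = 0; terminal = 0; next }
    NF == 0 || $1 == "pkts" { next }
    {
        n++
        i = ($5 == "--") ? 6 : 5        # ip6tables leaves the "opt" column empty
        extra = (NF > i + 3)            # trailing match options, e.g. "tcp dpt:ftp"
        wide = ($4 == "all" && anyif($i) && anyif($(i + 1)) &&
                anyaddr($(i + 2)) && anyaddr($(i + 3)) && !extra)
        if (terminal) {
            printf "%s rule %d: unreachable, follows unconditional rule %d\n", chain, n, terminal
            next
        }
        if (wide && $3 == "ACCEPT")
            printf "%s rule %d: ACCEPT for all traffic on every interface (WAN included)\n", chain, n
        if (wide && ($3 == "ACCEPT" || $3 == "DROP"))
            terminal = n
    }'
}

sample_listing | audit_ip6tables
```

On a router the same function can be fed live data with `ip6tables -vL | audit_ip6tables`; a non-verbose listing hides the interface columns, so it cannot be audited this way.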

  3. #93
    I reconfigured my router and now it seems to work.
    kinda weird since the settings are the same

    maybe some leftover from the broken psu
    the weird thing is that ipv6 did work on the router, but not on any of the pc's

  4. #94
    Quote Originally Posted by wpte View Post
    I reconfigured my router and now it seems to work.
    kinda weird since the settings are the same

    maybe some leftover from the broken psu
    the weird thing is that ipv6 did work on the router, but not on any of the pc's
    another suggestion is to move -p ipv6 -j ACCEPT right after -i br0 -j ACCEPT

    Code:
    Chain INPUT (policy DROP 3990 packets, 470K bytes)
     pkts bytes target     prot opt in     out     source      destination
        0     0 DROP       all  --  *      *       0.0.0.0/0   0.0.0.0/0   state INVALID
    48680 9967K ACCEPT     all  --  *      *       0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0   0.0.0.0/0   state NEW
     8332 2792K ACCEPT     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   state NEW
      673 69654 SECURITY   all  --  ppp0   *       0.0.0.0/0   0.0.0.0/0   state NEW
     4167  487K SECURITY   all  --  vlan1  *       0.0.0.0/0   0.0.0.0/0   state NEW
       16   940 ACCEPT     icmp --  *      *       0.0.0.0/0   0.0.0.0/0
        0     0 ACCEPT     41   --  *      *       0.0.0.0/0   0.0.0.0/0
    Code:
    Chain INPUT (policy DROP 3990 packets, 470K bytes)
     pkts bytes target     prot opt in     out     source      destination
        0     0 DROP       all  --  *      *       0.0.0.0/0   0.0.0.0/0   state INVALID
    48680 9967K ACCEPT     all  --  *      *       0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0   0.0.0.0/0   state NEW
     8332 2792K ACCEPT     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   state NEW
        0     0 ACCEPT     41   --  *      *       0.0.0.0/0   0.0.0.0/0
      673 69654 SECURITY   all  --  ppp0   *       0.0.0.0/0   0.0.0.0/0   state NEW
     4167  487K SECURITY   all  --  vlan1  *       0.0.0.0/0   0.0.0.0/0   state NEW
       16   940 ACCEPT     icmp --  *      *       0.0.0.0/0   0.0.0.0/0

  5. #95
    IPV6 6to4 how-to for static wan/ppp ipv6 address without any tunnel brokers

    step 1
    check if 192.88.99.1 address is reachable, if not - this manual isn't for you

    step 2
    suppose your static ipv4 address is 16.32.48.64

    convert decimal digits to hexadecimal - 10.20.30.40
    add 2002::/16 prefix to get your ipv6 address space - 2002:1020:3040::/48

    step 3
    configure router at IP Config/IPv6 page

    LAN IPv6 Setting
    Static IPv6 address: 2002:1020:3040:1::1
    Netsize (bits of hostpart): 64
    Enable router advertisements: Yes

    WAN IPv6 Setting
    Static IPv6 address:
    Netsize (bits of hostpart):
    Remote IPv6 gateway:

    Tunnel IPv6 Setting
    Enable IPv6-tunnel: Yes
    Remote endpoint: any
    Local IPv6 address: 2002:1020:3040:0::1
    Netsize (bits of hostpart): 64
    Remote IPv6 gateway: ::192.88.99.1
    Tunnel MTU: 1280
    Tunnel TTL: 64

    That's all.
    Last edited by theMIROn; 29-01-2010 at 15:02.
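
Added example (not part of the original how-to): step 2 as a POSIX shell function, which also prints the step 3 values. It additionally rejects malformed and non-public IPv4 addresses, because 6to4 needs a globally routable IPv4 address; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: derive the 6to4 addressing from a static WAN IPv4 address.
# sixtofour_prefix and sixtofour_settings are hypothetical names.

# Print the 6to4 /48 stem "2002:AABB:CCDD" for the dotted quad in $1.
# Returns 1 for malformed input and for addresses that are not public.
sixtofour_prefix() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                   # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    # 0/8, 10/8, loopback, multicast and reserved space
    if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then
        return 1
    fi
    # 172.16/12, 192.168/16 and 169.254/16
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
    if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi
    # Two octets per 16-bit group; %x drops leading zeros, which IPv6 allows
    printf '2002:%x:%x\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# Print the IP Config/IPv6 values from step 3 for the WAN address in $1:
# subnet 0 for the tunnel side, subnet 1 for the LAN.
sixtofour_settings() {
    stem=$(sixtofour_prefix "$1") || return 1
    printf 'prefix=%s::/48\n' "$stem"
    printf 'lan=%s:1::1/64\n' "$stem"
    printf 'tunnel=%s:0::1/64\n' "$stem"
    printf 'gateway=::192.88.99.1\n'
}

# The address used in the how-to
sixtofour_settings 16.32.48.64
```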

  6. #96
    Preview of new IPv6 web interface.
    Supported: Native IPv6, Tunnel 6in4, Tunnel 6to4
    Any suggestions?

  7. #97
    Looks good theMIROn!
    this interface makes a lot more sense than the old one

    btw, does ipv6 without tunnel brokers have advantages / disadvantages?

  8. #98
    http://www.google.com/intl/en/ipv6/

    seems like ipv6 is getting more useful now, since Google is opening youtube for ipv6 as well!

  9. #99
    Quote Originally Posted by wpte View Post
    Looks good theMIROn!
    this interface makes a lot more sense than the old one
    it was changed again in the trunk.

    Quote Originally Posted by wpte View Post
    Looks good theMIROn!
    btw, does ipv6 without tunnel brokers have advantages / disadvantages?
    yep, google for it, I've seen several articles over net

  10. #100
    Quote Originally Posted by theMIROn View Post
    it was changed again in the trunk.
    Some bug fixes you mean? http://code.google.com/p/wl500g/source/detail?r=1123

    yep, google for it, I've seen several articles over net
    short list I've found for other people:
    Advantages of 6to4:
    • No need to register anything, if you have an IPv4 address then you also have IPv6 6to4 addresses
    • Traffic between separate 6to4 sites takes the most direct route possible. This in turn can give you lower latency and may also permit you to take advantage of free traffic (if your ISP has free peering links).


    Disadvantages of 6to4:
    • If you only have a dynamic IPv4 address then your IPv6 6to4 addresses will also be dynamic.
    • There is currently no support for setting reverse DNS entries when using 6to4 addresses.
    • The tunneled IPv6 packets may arrive from any IPv4 addresses and therefore filtering becomes both more difficult and more important.


    So in short: it might be faster, especially if you're not close to a tunnel broker. But if you don't have a static ip address you need to reconfigure it now and then. Also you get extra security issues when you don't configure the firewall properly.


    OH AND MY 1000th POST

  11. #101
    Quote Originally Posted by wpte View Post
    Some bug fixes you mean? http://code.google.com/p/wl500g/source/detail?r=1123


    short list I've found for other people:
    Advantages of 6to4:
    • No need to register anything, if you have an IPv4 address then you also have IPv6 6to4 addresses
    • Traffic between separate 6to4 sites takes the most direct route possible. This in turn can give you lower latency and may also permit you to take advantage of free traffic (if your ISP has free peering links).


    Disadvantages of 6to4:
    • If you only have a dynamic IPv4 address then your IPv6 6to4 addresses will also be dynamic.
    • There is currently no support for setting reverse DNS entries when using 6to4 addresses.
    • The tunneled IPv6 packets may arrive from any IPv4 addresses and therefore filtering becomes both more difficult and more important.


    So in short: it might be faster, especially if you're not close to a tunnel broker. But if you don't have a static ip address you need to reconfigure it now and then. Also you get extra security issues when you don't configure the firewall properly.


    OH AND MY 1000th POST
    congratz, but no dynamic ipv4 addr is supported yet, only static.

  12. #102
    Hi everybody!

    I have:
    WL-500gp (firmware: WL500gp-1.9.2.7-d-r1445.trx);
    Router firewall is disabled.
    Static IP;
    WinXP SP3;
    IPv6-to-IPv4 Tunnel.

    Following the instructions:

    Quote Originally Posted by theMIROn View Post
    IPV6 6to4 how-to for static wan/ppp ipv6 address without any tunnel brokers

    step 1
    check if 192.88.99.1 address is reachable, if not - this manual isn't for you

    step 2
    suppose your static ipv4 address is 16.32.48.64

    convert decimal digits to hexadecimal - 10.20.30.40
    add 2002::/16 prefix to get your ipv6 address space - 2002:1020:3040::/48

    step 3
    configure router at IP Config/IPv6 page

    LAN IPv6 Setting
    Static IPv6 address: 2002:1020:3040:1::1
    Netsize (bits of hostpart): 64
    Enable router advertisements: Yes

    WAN IPv6 Setting
    Static IPv6 address:
    Netsize (bits of hostpart):
    Remote IPv6 gateway:

    Tunnel IPv6 Setting
    Enable IPv6-tunnel: Yes
    Remote endpoint: any
    Local IPv6 address: 2002:1020:3040:0::1
    Netsize (bits of hostpart): 64
    Remote IPv6 gateway: ::192.88.99.1
    Tunnel MTU: 1280
    Tunnel TTL: 64

    That's all.
    still get no luck in connect to IPv6 sites (ipv6.google.com) via router from LAN.

    If I connect to the Internet bypassing router it seems OK
    (I can open ipv6.google.com)

    Unfortunately I don't know Linux at all.

    But when I type "ping6 ipv6.google.com" in
    router WEB Interface - System Setup - System Command
    I get

    PING ipv6.google.com (2a00:1450:8004::93): 56 data bytes
    64 bytes from 2a00:1450:8004::93: seq=1 ttl=56 time=64.754 ms
    64 bytes from 2a00:1450:8004::93: seq=3 ttl=56 time=116.002 ms
    64 bytes from 2a00:1450:8004::93: seq=4 ttl=56 time=120.154 ms
    64 bytes from 2a00:1450:8004::93: seq=5 ttl=56 time=103.555 ms
    64 bytes from 2a00:1450:8004::93: seq=6 ttl=56 time=103.696 ms
    64 bytes from 2a00:1450:8004::93: seq=8 ttl=56 time=156.304 ms
    64 bytes from 2a00:1450:8004::93: seq=9 ttl=56 time=105.589 ms
    64 bytes from 2a00:1450:8004::67: seq=21 ttl=56 time=67.103 ms
    64 bytes from 2a00:1450:8004::67: seq=22 ttl=56 time=125.285 ms
    64 bytes from 2a00:1450:8004::67: seq=23 ttl=56 time=116.125 ms
    64 bytes from 2a00:1450:8004::67: seq=24 ttl=56 time=110.226 ms
    64 bytes from 2a00:1450:8004::67: seq=25 ttl=56 time=155.083 ms
    64 bytes from 2a00:1450:8004::67: seq=26 ttl=56 time=110.517 ms
    64 bytes from 2a00:1450:8004::67: seq=27 ttl=56 time=120.478 ms
    64 bytes from 2a00:1450:8004::67: seq=28 ttl=56 time=110.660 ms
    64 bytes from 2a00:1450:8004::67: seq=29 ttl=56 time=112.311 ms
    64 bytes from 2a00:1450:8004::93: seq=898 ttl=56 time=107.268 ms
    64 bytes from 2a00:1450:8004::93: seq=899 ttl=56 time=168.398 ms
    64 bytes from 2a00:1450:8004::93: seq=900 ttl=56 time=170.426 ms
    64 bytes from 2a00:1450:8004::93: seq=901 ttl=56 time=170.429 ms
    64 bytes from 2a00:1450:8004::93: seq=902 ttl=56 time=71.379 ms
    64 bytes from 2a00:1450:8004::93: seq=903 ttl=56 time=65.832 ms
    64 bytes from 2a00:1450:8004::93: seq=904 ttl=56 time=167.447 ms
    64 bytes from 2a00:1450:8004::93: seq=906 ttl=56 time=65.854 ms

    Any help?

    P.S. My settings in attachment.

  13. #103
    Quote Originally Posted by cap_tcha View Post
    still get no luck in connect to IPv6 sites (ipv6.google.com) via router from LAN.
    Any help?

    P.S. My settings in attachment.
    Since you're able to ping ipv6 hosts from router itself your tunnel is up and working.
    To get ipv6 connectivity on your lan hosts (pc/notebooks) they have to receive ipv6 RA messages from router. It's used for neighbor discovery and socialization, so, maybe your pc's firewall blocks them all.
    And, I'm sure, you didn't forget about installing ipv6 transport proto in winxp, and to wait some time to let your local ipv6 address be autoconfigured.
    Just check ipv6 ip and route table in winxp

  14. #104
    Quote Originally Posted by theMIROn View Post
    And, I sure, you didn't forget about installing ipv6 transport proto in winxp
    usually requires a restart before it actually works, especially in windows xp.

  15. #105
    I appreciate your prompt replies very much.

    Quote Originally Posted by wpte View Post
    usually requires a restart before it actually works, especially in windows xp.
    This is a useful and important remark.
    I followed this tip when I established the IPv6 tunnel without router (directly).
