IPv6 Support



wpte
11-09-2009, 17:26
UPDATE:
A simple how-to on how to set things up can be found here: http://code.google.com/p/wl500g/wiki/GUIIPconfigIPv6Tunnelhowto


Well, my idea was to use http://tunnelbroker.net
since they have many different server locations:

Fremont, CA; New York, NY; Dallas, TX; Chicago, IL; London, UK; Frankfurt, Germany; Paris, France; Amsterdam, NL; Miami, FL; Ashburn, VA; Seattle, WA; Los Angeles, CA; Hong Kong; Toronto, ON
For me it's only a 24ms ping to Amsterdam, so it's great:D

Basically it sets up an IPv6 tunnel over IPv4.


I googled here and there but I can't find proper information on how to get this working on Asus routers:(

After you're logged into your free account you can create a "Regular Tunnel" or a "BGP Tunnel". The regular tunnel is the one we're after I guess, since with a BGP tunnel you must already own an IPv6 address, e.g. from your ISP.
http://www.tunnelbroker.net/forums/index.php?topic=163.0

Anyway, when creating a regular tunnel you have to fill in a static IP address (your outside Internet IP address) called the "IPv4 endpoint". This is usually the IP from "You are viewing from IP":p

Now we have the tunnel... but how do we set this up?
On the tunnel site we have:

Server IPv4 address:
Server IPv6 address:
Client IPv4 address:
Client IPv6 address:
Anycasted IPv6 Caching Nameserver:


and on the webconfig we have:
LAN IPv6 settings

Static IPv6 address: no idea
Netsize (bits of hostpart): (64 I guess)
Enable router advertisements: put on "yes"
Tunnel IPv6 Setting

Enable IPv6-tunnel: put on "yes"
Remote endpoint: the Server IPv4 address?
Local IPv6 address: the Client IPv6 address?
Netsize (bits of hostpart): 64 (ip address says /64 in the end)
Remote IPv6 gateway: the Server IPv6 address
Tunnel MTU: 1280
Tunnel TTL: 64

Now this doesn't seem to work.
Does anyone know how to get this running?:confused:

libc
25-10-2009, 04:09
From the tunnel site you have

Server IPv4 address:
Server IPv6 address:
Client IPv4 address:
Client IPv6 address:
Routed /48: Allocate
Routed /64:


webconfig:
LAN IPv6 settings


Static IPv6 address: *an address from Routed /64*
Netsize (bits of hostpart): 64
Enable router advertisements: yes


I'd recommend the ::1 address from the Routed /64.
If you have 2001:db8:4242:4242::/64 as routed/64, you put 2001:db8:4242:4242::1 in Static IPv6 address

Tunnel IPv6 Setting

Enable IPv6-tunnel: yes
Remote endpoint: the Server IPv4 address
Local IPv6 address: the Client IPv6 address
Netsize (bits of hostpart): 64
Remote IPv6 gateway: the Server IPv6 address
Tunnel MTU: 1280
Tunnel TTL: 64

And this works for me.

Also note that the routed /64 is different from the client and server IPv6 addresses (it took me a while to notice 1a vs 1b in the third 16-bit group).

wpte
26-10-2009, 21:51
Thanks for the instructions!:)
It seems to work after doing the portscan from the website...
I still don't get any IPs leased by my router to the computers in the network..
So in the end I still can't use any IPv6:p
Or should I add this manually?

libc
26-10-2009, 22:00
You could add them manually.

But it should just work. Make sure you entered the right LAN IPv6 settings (static router address, 64 as netsize and router advertisements enabled).

If you ssh to your router, the config should be something like this:

$ cat /etc/radvd.conf
interface br0 {
    AdvSendAdvert on;
    prefix 2001:db8:4242:4242::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

Where prefix is the Routed /64. Also, radvd must be running.

wpte
26-10-2009, 22:21
No, it's not running!:eek:

My config atm:

Static IPv6 address: 2001:470:1f15:31e::1
Netsize (bits of hostpart): 64
Enable router advertisements: yes

Enable IPv6-tunnel: yes
Remote endpoint: 216.66.84.46
Local IPv6 address: 2001:470:1f14:31e::2
Netsize (bits of hostpart): 64
Remote IPv6 gateway: 2001:470:1f14:31e::1

I use the latest version of Oleg's firmware from wl500g.googlecode.com...:confused:
The portscan doesn't respond to ping, but the portscan says one host is active:confused:

libc
26-10-2009, 22:36
Have you rebooted your router after changing these settings?

Your config looks reasonable to me. Is the connection working on the router?
(try to ping ipv6.he.net or ripe.net from the router's ssh)

$ ping6 ipv6.he.net
PING ipv6.he.net (2001:470:0:64::2): 56 data bytes
64 bytes from 2001:470:0:64::2: icmp6_seq=0 ttl=56 time=220.8 ms


I'm using 1.9.2.7-10 (2008-03-30) for wl500g premium.

wpte
26-10-2009, 22:39
I rebooted twice actually...

The ping is resolved to an IPv4 address:(

PING ipv6.he.net (64.62.200.2): 56 data bytes
64 bytes from 64.62.200.2: seq=0 ttl=54 time=190.575 ms
64 bytes from 64.62.200.2: seq=1 ttl=54 time=192.574 ms
64 bytes from 64.62.200.2: seq=2 ttl=54 time=192.735 ms

libc
26-10-2009, 22:45
Use ping6, not ping.

Also make sure ip -f inet6 addr has

7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
inet6 2001:470:1f15:31e::1/64 scope global
inet6 fe80::..../10 scope link
8: sixtun@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
inet6 2001:470:1f14:31e::2/64 scope global
inet6 fe80::..../10 scope link


and ip -f inet6 route looks like this

2001:470:1f14:31e::/64 via :: dev sixtun proto kernel metric 256 mtu 1280 advmss 1220
2001:470:1f15:31e::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 dev eth0 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 dev vlan0 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 dev eth1 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 dev br0 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 dev vlan1 proto kernel metric 256 mtu 1500 advmss 1220
fe80::/10 via :: dev sixtun proto kernel metric 256 mtu 1280 advmss 1220
ff00::/8 dev eth0 proto kernel metric 256 mtu 1500 advmss 1220
ff00::/8 dev vlan0 proto kernel metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 proto kernel metric 256 mtu 1500 advmss 1220
ff00::/8 dev br0 proto kernel metric 256 mtu 1500 advmss 1220
ff00::/8 dev vlan1 proto kernel metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixtun proto kernel metric 256 mtu 1280 advmss 1220
default via 2001:470:1f14:31e::1 dev sixtun metric 1024 mtu 1280 advmss 1220

wpte
26-10-2009, 22:50
ping6 does not exist...

ip -f inet6 addr does not give anything back


and ip -f inet6 route gives:

192.168.1.1 dev eth1 scope link
192.168.3.2 dev tun0 proto kernel scope link src 192.168.3.1
192.168.3.0/24 via 192.168.3.2 dev tun0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth1

I guess they removed ipv6 support:(

libc
26-10-2009, 23:00
Yeah, looks like..

This is weird though. I'm running the last oleg firmware (1.9.2.7-10 (2008-03-30)) right now and it has ipv6 support.

wpte
26-10-2009, 23:11
Yeah well, the beta firmware had some kernel upgrades, and so the modules must be updated as well:p
Maybe lly is so kind as to put it back in place if possible... most likely he can, I guess, since the WL-500 series with 8MB flash are going to get kernel 2.6:D

libc
26-10-2009, 23:21
http://code.google.com/p/wl500g/wiki/NEWS: the first thing they did was turn off IPv6 (look at the bottom)

wpte
27-10-2009, 21:23
I recompiled it with IPv6 support:)

ping6 still does not exist...

ip -f inet6 addr

1: lo: <LOOPBACK,MULTICAST,UP>
inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
4: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
5: eth2: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
6: br0: <BROADCAST,MULTICAST,ALLMULTI,UP>
inet6 fe80::222:15ff:fe41:186/64 scope link

and ip -f inet6 route gives:

fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth2 metric 256 mtu 1500 advmss 1440
fe80::/64 dev br0 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth2 metric 256 mtu 1500 advmss 1440
ff00::/8 dev br0 metric 256 mtu 1500 advmss 1440
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440
default dev eth2 proto kernel metric 256 mtu 1500 advmss 1440
default dev br0 proto kernel metric 256 mtu 1500 advmss 1440
default dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
default dev eth1 proto kernel metric 256 mtu 1500 advmss 1440
unreachable default dev lo proto none metric -1 error -128

I see I still miss some parts in that output:(
And the clients don't receive any IPv6 yet.
It's a step closer tho:D

lly
28-10-2009, 17:32
> ping6 still does not exist...

Fixed in r728.

> I see I still miss some parts in that output:(
> and the clients don't receive any IPv6 yet

Check if dnsmasq is compiled with IPv6 support. Sorry, currently I don't have time to read the IPv6 RFCs & docs; you should dig into the problem mostly yourself.

wpte
28-10-2009, 22:30
Thanks lly:)

In the Makefile of dnsmasq it says:

ifeq ($(CONFIG_IPV6),y)
COPTS += -DUSE_IPV6
endif
export COPTS

-DUSE_IPV6 for gcc is what enables IPv6 mode, I guess:p

libc
29-10-2009, 00:44
Clients don't receive IPv6 because there is no globally reachable address on your interfaces. The ticket says the IPv6 GUI might be busted.

Try this (obtained from tunnelbroker, linux-route2):


ip tunnel add he-ipv6 mode sit remote 216.66.84.46 local YOUR_IP ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f14:31e::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip addr add 2001:470:1f15:31e::1/64 dev br0


then try to ping6 2001:470:0:64::2

If it works, create a radvd (router advertisement daemon) config and run it. I posted a config earlier.

wpte
01-11-2009, 01:37
Nah, those commands don't even work for my Windows XP/Vista/7 machine:p

Anyway, IPv6 works! yay:D

ping6 ipv6.he.net
PING ipv6.he.net (2001:470:0:64::2): 56 data bytes

--- ipv6.he.net ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss

radvd is not running atm.
It does exist:

radvd -h
usage: radvd [-vh] [-d level] [-C config_file] [-m log_method] [-l log_file]
[-f facility] [-p pid_file] [-u username] [-t chrootdir]

A manual start does not run:

radvd -u root -C /etc/radvd.conf -l /var/log/radvd.log -p /var/run/radvd.pid

Other results are the same as last time:(

libc
01-11-2009, 02:27
They're not for Windows, they're for Linux. You're supposed to run this on your router. I guess you did, or did the GUI start working?

If you can ping IPv6 on the router, then what you need is router advertisements. You should try to run radvd without any arguments.

You're trying to run radvd as root. But there's no root, there's admin instead. Also, you really don't need logs and a pid file.

wpte
01-11-2009, 14:45
No, I know they're for Linux, but the Windows versions on that site don't work for me either:D
On the router they fail to create a tunnel:p

I can ping, but no packet is returned. I'm still missing a few tunnels and routes, I think. radvd without any arguments doesn't work either:(

I'm root on my router, so there is a root;)

Not sure if my OpenVPN is in the way with a tun adapter... I couldn't see any difference when it was turned off tho:p

br0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe41:186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:195819 errors:0 dropped:0 overruns:0 frame:0
TX packets:179546 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:43953113 (41.9 MiB) TX bytes:174346099 (166.2 MiB)

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: fe80::222:15ff:fe41:186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:191381 errors:0 dropped:0 overruns:0 frame:0
TX packets:179034 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46734704 (44.5 MiB) TX bytes:174131401 (166.0 MiB)
Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe41:186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:356250 errors:0 dropped:0 overruns:0 frame:0
TX packets:327119 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:197539948 (188.3 MiB) TX bytes:82765266 (78.9 MiB)
Interrupt:5 Base address:0x2000

eth2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: fe80::222:15ff:fe41:186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3464 errors:0 dropped:0 overruns:0 frame:675805
TX packets:116038 errors:612 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:618047 (603.5 KiB) TX bytes:33953678 (32.3 MiB)
Interrupt:12 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:198866 errors:0 dropped:0 overruns:0 frame:0
TX packets:198866 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35100976 (33.4 MiB) TX bytes:35100976 (33.4 MiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.3.1 P-t-P:192.168.3.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3248 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:1167795 (1.1 MiB)

My guess is I need to get that dnsmasq working with IPv6..

kamil
02-11-2009, 20:26
Does anyone have the Oleg firmware WL500gp-1.9.2.7-d-r740.trx with working IPv6? Has anyone compiled this version with working IPv6 included?:)

Why is IPv6 turned off?:)

wpte
02-11-2009, 21:55
I have it partially working at the moment...
IPv6 is turned off because nobody could test it and there have been kernel updates etc.:p
When I can get it working, maybe lly and theMIROn will turn it on again, after sufficient testing I guess:p

kamil
03-11-2009, 08:59
I can perform tests if anybody puts a firmware marked "beta" on the web:)

lly
03-11-2009, 09:22
> I can perform tests if anybody puts a firmware marked "beta" on the web:)

This means that most of the tests are already done by someone else.

Currently, only qualified testers, like wpte, are needed. I wrote this in Issue 50.

libc
07-11-2009, 13:27
> my guess is I need to get that dnsmasq working with ipv6..

No. dnsmasq is a DNS forwarder and DHCP server. NDP (http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol) is preferred in IPv6 (it also acts as ARP) instead of DHCP. dnsmasq is not your problem. You don't have a tunnel (the sit thing).

wpte
09-11-2009, 00:44
I guess you mean this thing: http://www.linuxfoundation.org/en/Net:Tunneling#SIT_tunnels

These commands do something to the system:

ip tu ad sittun mode sit local 10.7.7.7 remote 10.8.8.8 ttl 64 dev eth0
ip ad ad dev sittun 2001:0DB8:1234::000e/127


since I end up with a new device:

sittun Link encap:IPv6-in-IPv4
inet6 addr: fe80::a07:707/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Further... the kernel seems to be compiled with IPv6, and dnsmasq has support for it as well.

NDP is not included in the firmware it seems; maybe I can build it in later this week, since I have a week off:D

libc
09-11-2009, 01:22
> I guess you mean this thing: http://www.linuxfoundation.org/en/Net:Tunneling#SIT_tunnels

Exactly.

> since I end up with a new device:
>
> sittun Link encap:IPv6-in-IPv4
> inet6 addr: fe80::a07:707/128 Scope:Link
> UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

You don't have an IPv6 address on this interface (only scope:link).

> ndp is not included in the firmware it seems, maybe I can build it in later this week, since I have a week off:D

radvd implements NDP. radvd is included.

You're supposed to run these commands to get your Hurricane Electric tunnel working:

ip tunnel add sit0 mode sit remote 216.66.84.46 local YOUR_IP ttl 255
ip link set sit0 up
ip addr add 2001:470:1f14:31e::2/64 dev sit0
ip route add ::/0 dev sit0
ip addr add 2001:470:1f15:31e::1/64 dev br0

wpte
09-11-2009, 03:15
and I have it working:D

ping6 ipv6.he.net
PING ipv6.he.net (2001:470:0:64::2): 56 data bytes
64 bytes from 2001:470:0:64::2: seq=0 ttl=57 time=171.998 ms
64 bytes from 2001:470:0:64::2: seq=1 ttl=57 time=210.141 ms
64 bytes from 2001:470:0:64::2: seq=2 ttl=57 time=171.205 ms
64 bytes from 2001:470:0:64::2: seq=3 ttl=57 time=171.645 ms
64 bytes from 2001:470:0:64::2: seq=4 ttl=57 time=172.449 ms
64 bytes from 2001:470:0:64::2: seq=5 ttl=57 time=170.802 ms
64 bytes from 2001:470:0:64::2: seq=6 ttl=57 time=172.148 ms
64 bytes from 2001:470:0:64::2: seq=7 ttl=57 time=170.720 ms
64 bytes from 2001:470:0:64::2: seq=8 ttl=57 time=170.783 ms
64 bytes from 2001:470:0:64::2: seq=9 ttl=57 time=171.692 ms
64 bytes from 2001:470:0:64::2: seq=10 ttl=57 time=170.938 ms
64 bytes from 2001:470:0:64::2: seq=11 ttl=57 time=171.824 ms
64 bytes from 2001:470:0:64::2: seq=12 ttl=57 time=173.344 ms
64 bytes from 2001:470:0:64::2: seq=13 ttl=57 time=174.109 ms
64 bytes from 2001:470:0:64::2: seq=14 ttl=57 time=171.020 ms
64 bytes from 2001:470:0:64::2: seq=15 ttl=57 time=170.626 ms
64 bytes from 2001:470:0:64::2: seq=16 ttl=57 time=170.944 ms
64 bytes from 2001:470:0:64::2: seq=17 ttl=57 time=171.877 ms

--- ipv6.he.net ping statistics ---
18 packets transmitted, 18 packets received, 0% packet loss
round-trip min/avg/max = 170.626/173.792/210.141 ms

IPv6 addresses are leased to computers in the network, but there is no IPv6 DNS server:p
I can ping IPv6 addresses on the computers in the network though!:D

More proof:

sixtun Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f14:31e::2/64 Scope:Global
inet6 addr: fe80::c0a8:201/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:315 errors:0 dropped:0 overruns:0 frame:0
TX packets:202 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:377536 (368.6 KiB) TX bytes:28747 (28.0 KiB)


1: lo: <LOOPBACK,MULTICAST,UP>
inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
4: eth1: <BROADCAST,MULTICAST,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
5: eth2: <BROADCAST,MULTICAST,PROMISC,UP> qlen 1000
inet6 fe80::222:15ff:fe41:186/64 scope link
6: br0: <BROADCAST,MULTICAST,UP>
inet6 2001:470:1f15:31e::1/64 scope global
inet6 fe80::222:15ff:fe41:186/64 scope link
7: sixtun: <POINTOPOINT,NOARP,UP>
inet6 2001:470:1f14:31e::2/64 scope global
inet6 fe80::c0a8:201/64 scope link



2001:470:1f14:31e::/64 via :: dev sixtun metric 256 mtu 1280 advmss 1220
2001:470:1f15:31e::/64 dev br0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth2 metric 256 mtu 1500 advmss 1220
fe80::/64 dev br0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
fe80::/64 via :: dev sixtun metric 256 mtu 1280 advmss 1220
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth2 metric 256 mtu 1500 advmss 1220
ff00::/8 dev br0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixtun metric 256 mtu 1280 advmss 1220
default via 2001:470:1f14:31e::1 dev sixtun metric 1024 mtu 1280 advmss 1220

As lly said, it was indeed dnsmasq...
Just comment out the ifeq in the dnsmasq Makefile located in /broadcom/src/gateway/dnsmasq


#ifeq ($(CONFIG_IPV6),y)
COPTS += -DUSE_IPV6
#endif
export COPTS
and done:)

I'll post up some compiled versions tomorrow:)

http://ipv6.he.net/certification/create_badge.php?pass_name=wpte&badge=1
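The steps that got the tunnel working above (libc's five ip commands, the radvd.conf posted earlier, and IPv6 forwarding) collected into one rc-style script, as an added example for this thread rather than anything from the firmware. The addresses are the ones posted in this thread; LOCAL_V4 (the router's own IPv4 endpoint) and the radvd interval values are assumptions. One check before running it: "local" must be the address the router's IPv4 packets actually leave from, and if another NAT box sits in front of the router (as the 192.168.1.10 WAN address in this thread suggests), that box has to pass IP protocol 41 to the router or the tunnel will never answer.

```shell
#!/bin/sh
# he6in4.sh: bring up a tunnelbroker.net 6in4 tunnel and advertise the routed
# /64 on the LAN. Added example for this thread, not part of the firmware.
# Values are the ones posted above; LOCAL_V4 (the router's own WAN IPv4
# address) is an assumption and must match the "IPv4 endpoint" registered
# at tunnelbroker.net.

SERVER_V4=216.66.84.46             # "Server IPv4 address"
LOCAL_V4=${LOCAL_V4:-192.168.1.10} # router WAN address (assumed)
CLIENT_V6=2001:470:1f14:31e::2     # "Client IPv6 address"
SERVER_V6=2001:470:1f14:31e::1     # "Server IPv6 address" = default gateway
ROUTED_64=2001:470:1f15:31e::/64   # "Routed /64": a different prefix from the tunnel /64
TUN=sixtun                         # not sit0: the kernel owns that fallback device
LAN=br0

# ::1 in the routed /64 becomes the LAN-side router address.
lan_addr() {
    echo "${ROUTED_64%::/64}::1"
}

# The ip(8) commands, in the order they must run.
tunnel_cmds() {
    cat <<EOF
ip tunnel add $TUN mode sit remote $SERVER_V4 local $LOCAL_V4 ttl 255
ip link set $TUN mtu 1280 up
ip addr add $CLIENT_V6/64 dev $TUN
ip route add ::/0 via $SERVER_V6 dev $TUN
ip addr add $(lan_addr)/64 dev $LAN
EOF
}

# radvd announces the routed /64 so LAN hosts autoconfigure (SLAAC);
# dnsmasq/DHCP plays no part in IPv6 addressing here.
radvd_conf() {
    cat <<EOF
interface $LAN {
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix $ROUTED_64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

apply() {
    # The router must forward IPv6; radvd checks this sysctl when it starts.
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    tunnel_cmds | sh -e
    radvd_conf > /etc/radvd.conf
    radvd -C /etc/radvd.conf
    # Quick check: the tunnel is up when this answers.
    ping6 -c 3 ipv6.he.net
}

case "$1" in
    apply) apply ;;
    *)     tunnel_cmds; echo; radvd_conf ;;   # dry run: print what would be done
esac
```

Run it without arguments to see what it would do, and with `apply` on the router. The tunnel gets its own interface name because sit0 already exists as soon as the sit module is loaded and cannot be added a second time; the 1280 MTU is what tunnelbroker.net expects and what the GUI field earlier in the thread uses.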

libc
09-11-2009, 03:24
My IPv4 DNS (not dnsmasq, good old PowerDNS) doesn't have problems with AAAA records.

> as lly said it was indeed the dnsmasq...

no way

wpte
09-11-2009, 03:39
PowerDNS? As a replacement for dnsmasq:p
It runs properly now, so I guess I'll stick with dnsmasq.

And in my enthusiasm I forgot to say thank you, libc, for your support;)

libc
09-11-2009, 03:41
I don't run it on the router :)

BTW, HE gives you DNS servers.

lly
09-11-2009, 09:10
> and I have it working:D

Can you write a summary of the manual actions that should be done automatically in rc?

> just comment out the ifeq in the dnsmasq makefile located in /broadcom/src/gateway/dnsmasq
>
> #ifeq ($(CONFIG_IPV6),y)
> COPTS += -DUSE_IPV6
> #endif
> export COPTS
> and done:)

Please provide the output of
grep "CONFIG_IPV6" /broadcom/src/gateway/.config

wpte
09-11-2009, 15:56
grep "CONFIG_IPV6" ./Bureaublad/broadcom/src/gateway/.config
CONFIG_IPV6=y

I didn't change anything apart from adding that line as described by you in Issue 50.

Of course I executed make koldconf.

Basically the only thing that needs to be set manually is the dnsmasq Makefile.
The lines:

ifeq ($(CONFIG_IPV6),y)
COPTS += -DUSE_IPV6
endif
export COPTS

It's testing if CONFIG_IPV6 is yes... but that value is not yes apparently:p
So I just commented the if out of it and now it works.
That's all I did.

Speeds are the same as with IPv4, so I think it works great...
I'm not sure if the firewall is activated on IPv6, since port scanning reveals every service that supports IPv6 is open:o
Nothing dangerous for me at the moment tho:)

lly
09-11-2009, 17:56
> Basically the only thing that needs to be set manually is the dnsmasq Makefile.

Fixed in r769.

> I'm not sure if the firewall is activated on IPv6, since port scanning reveals every service that supports IPv6 is open:o
> Nothing dangerous for me at the moment tho:)

This is a BIG problem, since netfilter in kernel 2.4 has limited IPv6 support. Can you perform some deeper investigation?

wpte
09-11-2009, 19:21
Yes, it's not very handy:p

I read some stuff on the Internet about iptables for IPv6 (http://linuxreviews.org/features/ipv6/iptables/).
So far I only did some plain tests, and it seems that the just-as-easy command ip6tables does have some effect!

Before I did

ip6tables -A INPUT -p tcp --dport 23 -j DROP

port 23 was open; afterwards the port was "filtered" according to the IPv6 portscan http://tunnelbroker.net/ipv6_portscan.php

I guess I just need to make an ip6tables chain after the iptables chain:)

wpte
09-11-2009, 20:43
I have it working bit by bit now...
The firewall is a bit difficult to configure, since you have to allow the computers on the inside.

IPv6 tables:

#!/bin/sh

# Flush all chains ("ip6tables -F" with no chain name already flushes every chain)
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -F

# Allow anything on loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow link-local sources (with /64 this matches all of fe80::/64, not just this host)
ip6tables -A INPUT -s fe80::c0a8:201/64 -j ACCEPT
ip6tables -A OUTPUT -s fe80::c0a8:201/64 -j ACCEPT

# Allow sources in the tunnel's own /64 (2001:470:1f14:31e::/64)
ip6tables -A INPUT -s 2001:470:1f14:31e::2/64 -j ACCEPT
ip6tables -A OUTPUT -s 2001:470:1f14:31e::2/64 -j ACCEPT

# Allow ICMPv6 (needed for neighbour discovery and path MTU discovery)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT

# Reject every port on the router except 80; the INPUT policy stays ACCEPT.
# Only INPUT is filtered here: FORWARD is untouched, so hosts on the LAN
# keep their global addresses reachable from the Internet.
ip6tables -A INPUT -p tcp --dport 1:79 -j REJECT
ip6tables -A INPUT -p udp --dport 1:79 -j REJECT
ip6tables -A INPUT -p tcp --dport 81:65535 -j REJECT
ip6tables -A INPUT -p udp --dport 81:65535 -j REJECT

It's not written very cleanly... but so far I managed to block every port except 80, and allow ICMP, multicast and the local PCs:)
As I said before, I'm not an iptables pro, so if anyone has good knowledge of it, he/she is welcome :p

Original script from https://www.sixxs.net/wiki/IPv6_Firewalling

lly
10-11-2009, 09:26
> I have it working bit by bit now...
> The firewall is a bit difficult to configure, since you have to allow the computers on the inside.

You are the first! Excellent job!

> It's not written very cleanly... but so far I managed to block every port except 80, and allow ICMP, multicast and the local PCs:)

If I understand you right, 2001:470:1f14:31e::2/64 is your WAN IPv6?

> As I said before, I'm not an iptables pro, so if anyone has good knowledge of it, he/she is welcome :p

At least you do tests! Where are the IPv6 gurus? :p

kamil
10-11-2009, 13:35
> At least you do tests! Where are the IPv6 gurus? :p

Here:

http://ipv6.he.net/certification/create_badge.php?pass_name=nospe&badge=1 (http://ipv6.he.net/certification/scoresheet.php?pass_name=nospe)


:P

wpte
10-11-2009, 16:12
Showoff;)
Only because I don't have any mail server installed I can't get any further with my score:D
Anyway, do you know anything about ip6tables?:p


> If I understand you right, 2001:470:1f14:31e::2/64 is your WAN IPv6?

Yes, that is my WAN IP + all the IPs that will exist in my LAN.
They can be found when doing an ifconfig:

sixtun Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f14:31e::2/64 Scope:Global
inet6 addr: fe80::c0a8:201/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:22222 errors:0 dropped:0 overruns:0 frame:0
TX packets:15203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:27342673 (26.0 MiB) TX bytes:4889045 (4.6 MiB)
These IP ranges are given by the tunnel broker. I guess you can get them out with "sed".

kamil
10-11-2009, 19:17
Yes:)

What is the problem?:)

wpte
10-11-2009, 23:16
We need a proper standard ip6tables script, basically:p

Like blocking all ports from the outside by default, but allowing traffic from the inside, and then just opening up ports by doing something like:

ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

The script in my earlier post does that already quite a bit, but is there a "cleaner" way to do it?:p
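A default-deny ruleset in the spirit of the script posted earlier in this thread, written as an added example for this thread (it is not the firmware's rc and not any poster's script). The interface names and the routed /64 are the ones posted above; OPEN_TCP and OPEN_TCP_LAN are assumed knobs. Two things it does that the earlier script does not: it filters FORWARD, because with a routed /64 every LAN host carries a globally reachable address and the router is no longer a NAT barrier, and it sets DROP policies so that a rule that fails to load fails closed. Since kernel 2.4's ip6tables has no connection tracking, "established" is approximated by letting in TCP segments without SYN; UDP replies to outbound IPv6 queries cannot be told apart from new flows, so they stay blocked. If you point a resolver at HE's IPv6 nameserver you would have to open UDP source port 53 from the tunnel, which any attacker can set, or move to a 2.6 kernel with ip6_conntrack.

```shell
#!/bin/sh
# ip6fw.sh: default-deny IPv6 firewall for the router and the LAN behind it.
# Added example for this thread, not the firmware's rc. Interface names and
# prefixes are the ones posted above; OPEN_TCP and OPEN_TCP_LAN are assumed
# settings. Kernel 2.4 ip6tables has no connection tracking, so "established"
# is approximated statelessly: TCP packets without SYN are let in, UDP replies
# cannot be told apart from new flows and are not opened at all.

WAN=sixtun                       # the 6in4 tunnel is the only IPv6 path from outside
LAN=br0
LAN_NET=2001:470:1f15:31e::/64   # routed /64 from tunnelbroker.net
OPEN_TCP="80"                    # router services reachable from the Internet
OPEN_TCP_LAN=""                  # LAN services as addr/port, e.g. "2001:470:1f15:31e::10/22"

# Print the ruleset; policies first, so a partial load leaves the box closed.
rules() {
    cat <<EOF
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Type 0 routing headers (deprecated by RFC 5095) allow packet ping-pong amplification
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# Anti-spoofing: nothing arriving over the tunnel may carry a LAN source address
ip6tables -A INPUT -i $WAN -s $LAN_NET -j DROP
ip6tables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# Loopback and link-local (NDP, router solicitations) are always allowed
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
# ICMPv6 is not optional in IPv6: NDP and path MTU discovery (tunnel MTU 1280) need it
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# The LAN may talk to the router and out through the tunnel
ip6tables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
ip6tables -A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
# Stateless "established": TCP segments from outside that do not open a connection
ip6tables -A INPUT -i $WAN -p tcp ! --syn -j ACCEPT
ip6tables -A FORWARD -i $WAN -o $LAN -d $LAN_NET -p tcp ! --syn -j ACCEPT
EOF
    for port in $OPEN_TCP; do
        echo "ip6tables -A INPUT -i $WAN -p tcp --dport $port -j ACCEPT"
    done
    for ap in $OPEN_TCP_LAN; do
        echo "ip6tables -A FORWARD -i $WAN -o $LAN -d ${ap%/*} -p tcp --dport ${ap#*/} -j ACCEPT"
    done
    # Everything else falls through to the DROP policies.
}

case "$1" in
    apply) rules | sh -e ;;
    *)     rules ;;    # dry run: print the rules
esac
```

Run without arguments to print the rules, with `apply` to load them on the router; opening a LAN service is a matter of adding an "address/port" pair to OPEN_TCP_LAN rather than editing rules.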

theMIROn
11-11-2009, 06:25
> we need a proper standard ip6tables script, basically:p

I suggest executing iptables-save to get the IPv4 rules, and making the corresponding IPv6 changes.

wpte
11-11-2009, 15:23
Hmm... yeah well, they don't seem to fit entirely:(
IPv6 works differently from IPv4, e.g. you don't have NAT anymore etc.
I can probably rip out a few lines tho:)

edit: got it:

ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'
ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'


Any chance you know how to get
"2001:470:1f14:31e::2/64" and "fe80::c0a8:201/64" out of

ifconfig sixtun
sixtun Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f14:31e::2/64 Scope:Global
inet6 addr: fe80::c0a8:201/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:58 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:28655 (27.9 KiB) TX bytes:15705 (15.3 KiB)

That way I can make the script unified:)

kamil
11-11-2009, 17:15
> we need a proper standard ip6tables script, basically:p
>
> like blocking all ports from the outside by default, but allowing traffic from the inside, and then just opening up ports by doing something like:
>
> the script in my earlier post does that already quite a bit, but is there a "cleaner" way to do it?:p

My example script ip6tables: http://pld.pastebin.com/m14831f76

lly
11-11-2009, 19:09
> My example script ip6tables:

Since you are an IPv6 guru, please explain a few things:

Why do you use /10 instead of /64 in the following rules?

ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

wpte
11-11-2009, 19:20
Yes indeed, the code is quite self-explanatory, but I don't get those IPs; where are they from?:p

ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

The script is quite nice, and maybe we can merge it with the iptables rules I'm converting at the moment from the standard firewall:)
Together they would cover pretty much anything, I guess:)

kamil
11-11-2009, 23:40
> Why do you use /10 instead of /64 in the following rules?
>
> ip6tables -A INPUT -s fe80::/10 -j ACCEPT
> ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

Simple explanation:



$ ip -f inet6 add
1: lo: <LOOPBACK,MULTICAST,UP> mtu 16436 qdisc noqueue
inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
5: vlan0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue
inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
6: vlan1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb
inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
inet6 2001:6a0:1a9:ffff::/64 scope global
inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
8: sixtun@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
inet6 2001:6a0:200:113::2/64 scope global
inet6 fe80::a05:2001/10 scope link
9: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
inet6 fe80::2ff:7fff:fe20:f7ba/10 scope link


why not /64? because fe80 is link-local - it is not routed in the world, only locally, and this is the standard... but you can use /64 - it's only my example script:)

wpte
12-11-2009, 00:11
simple explanation:

why not /64? because fe80 is link-local - it is not routed in the world, only locally, and this is the standard... but you can use /64 - it's only my example script:)

aha, I thought they got rid of private/local IP ranges in IPv6:p
are there any more private ranges? or is this just standard for everyone?

what about using the scope global and the scope link both to be accepted, is that safe?

sixtun@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
inet6 2001:6a0:200:113::2/64 scope global
inet6 fe80::a05:2001/10 scope link

lly
12-11-2009, 12:56
wpte
As the starting point, could you add following recommended rules to your script

# Disable processing of any RH0 packet
# Which could allow a ping-pong of packets
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

apply rules, issue
ip6tables-save >/tmp/filter6_rules
and send result to me?
I will inject this basic rules to rc, commit to svn trunk, and then you can test new version.

kamil
12-11-2009, 13:23
aha, I thought they got rid of private/local IP ranges in IPv6:p
are there any more private ranges? or is this just standard for everyone?

what about using the scope global and the scope link both to be accepted, is that safe?

Yes it's safe... if you are afraid of your tunnel broker/ISP, then block this INPUT/OUTPUT/FORWARD on your tunnel SIT/WAN link-local address :)

Private address class in IPv6:
fc00::/7

but... I don't use it... link-local addresses auto-configure the network... :)

example:

MAC: 00:50:56:C0:00:01

link-local: fe80::0250:56ff:fec0:0001

first 00 - local MAC address... not a public MAC address... so it is not included in the link-local address

http://www.faqs.org/rfcs/rfc2460.html :)
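
As an added example (not code from kamil's post or from anyone in this thread), the two calculations above in POSIX sh: the modified EUI-64 link-local address derived from a MAC, with kamil's MAC 00:50:56:C0:00:01 as sample input, and the membership test that explains why the rules earlier in the thread match fe80::/10 rather than /64: only the top 10 bits are fixed, so the first group can be anything from fe80 to febf. Function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: EUI-64 link-local derivation and an
# fe80::/10 membership test, in POSIX sh (function names are my own).

# mac_to_linklocal MAC -> fe80::<modified EUI-64>
# RFC 4291 Appendix A: flip the universal/local bit (0x02) in the first
# octet and insert ff:fe between the two halves of the MAC.
mac_to_linklocal() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "mac_to_linklocal: bad MAC: $*" >&2; return 1; }
    b1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    # %x drops leading zeros in each group, as ip/ifconfig print them.
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( 0x$b1$2 )) $(( 0x${3}ff )) $(( 0xfe$4 )) $(( 0x$5$6 ))
}

# is_link_local ADDR -> true when ADDR lies inside fe80::/10.
# Only the first 10 bits are fixed (1111 1110 10), so the first 16-bit
# group may be anything from fe80 to febf: that is the whole /10 range.
is_link_local() {
    first=${1%%:*}
    [ -n "$first" ] || first=0        # "::1"-style addresses
    [ $(( 0x$first & 0xffc0 )) -eq $(( 0xfe80 )) ]
}

# Demo on kamil's sample MAC and on addresses seen in the ip output above.
mac_to_linklocal 00:50:56:C0:00:01        # fe80::250:56ff:fec0:1
for a in fe80::21f:c6ff:fe27:e8a7 febf::1 fec0::1 2001:6a0:200:113::2; do
    if is_link_local "$a"; then echo "$a: link-local"; else echo "$a: not link-local"; fi
done
```

Feeding the router's own link-local address from the listing above (fe80::21f:c6ff:fe27:e8a7) back through mac_to_linklocal with MAC 00:1f:c6:27:e8:a7 reproduces it exactly, which is the quickest way to convince yourself the U/L-bit flip is right.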

wpte
12-11-2009, 17:30
wpte
As the starting point, could you add following recommended rules to your script
and send result to me?
I will inject this basic rules to rc, commit to svn trunk, and then you can test new version.

you're talking about the script I was thinking of merging, right?
it's not completely finished yet. First I'm going to eat and I'll send it to you later tonight?:)



Yes it's safe... if you are afraid of your tunnel broker/ISP, then block this INPUT/OUTPUT/FORWARD on your tunnel SIT/WAN link-local address

Private address class in IPv6:
fc00::/7

but... I don't use it... link-local addresses auto-configure the network...

example:

MAC: 00:50:56:C0:00:01

link-local: fe80::0250:56ff:fec0:0001

first 00 - local MAC address... not a public MAC address... so it is not included in the link-local address

http://www.faqs.org/rfcs/rfc2460.html
so basically, when you think your ISP is a hacker, you want to block it?:p

I'm not sure what you mean by the link-local addresses :confused:
they have parts of the non-public mac address in it...

wpte
12-11-2009, 20:00
ip6tables -A INPUT -i $WANIF6 -p tcp -m state --state INVALID -j DROP
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -i $WANIF6 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -i $ETHLAN -o $WANIF6 -s $GLOBALSCOPE -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
these don't work
error message:

ip6tables: No chain/target/match by that name
hmm...

kamil
12-11-2009, 20:27
ip6tables -A INPUT -i $WANIF6 -p tcp -m state --state INVALID -j DROP
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -i $WANIF6 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -i $ETHLAN -o $WANIF6 -s $GLOBALSCOPE -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
these don't work
error message:

ip6tables: No chain/target/match by that name
hmm...

I tested... it works... maybe your variables are empty or wrongly defined?

kamil
12-11-2009, 20:32
so basically, when you think your ISP is a hacker, you want to block it?:p
no, it's only an example :)


I'm not sure what you mean by the link-local addresses :confused:
they have parts of the non-public mac address in it...

maybe you should read the RFC?:)

IPv4 can't auto-configure; IPv6 auto-configures when you put the cable in the socket - this simple configuration makes the IP connection in the local network whether or not there is a DHCP server:)

wpte
12-11-2009, 20:38
I tested... it works... maybe your variables are empty or wrongly defined?

no, these tables are not quite suitable for kernel 2.4:p
we are running into the limitations I guess:(

I think we need to keep these ip6tables low-level only, meaning... block anything from the outside, allow everything on the inside and keep track of things like ping and ddos (something which seems to work for now)
going to rewrite my script, since it's not working:(

lly
13-11-2009, 08:09
no, these tables are not quite suitable for kernel 2.4:p
Fortunately, this match is just turned off. Set

CONFIG_IP6_NF_MATCH_RT=y
in kernel .config and rebuild FW. Will be fixed soon.

Could you send to me your /etc/radvd.conf via PM?


maybe you should read the RFC?:)
It's the best solution, but very time-hungry ;)

wpte
13-11-2009, 19:35
Fortunately, this match is just turned off. Set

CONFIG_IP6_NF_MATCH_RT=y
in kernel .config and rebuild FW. Will be fixed soon.

I've done that, but ipv6 is turned off again:p
in fact I can't seem to find any

ifeq ($(CONFIG_IPV6),y)
COPTS += -DUSE_IPV6
endif
export COPTS

in the dnsmasq makefile:D
I just added it myself, let's see what happens again:)

edit... nothing :(
ipv6 is dead again... hmm
the sixtun is gone again.

what I did was: clean everything out (kernel, wl500g-1.9.2.7-d and gateway)
update svn
cd /whatever-you-want/broadcom/src/wl500g-1.9.2.7-d
make kernel
make
edit the kernel .config file for the CONFIG_IP6_NF_MATCH_RT=y
Edit /whatever-you-want/broadcom/src/gateway/Makefile and set MODEL=wl500gp or whichever fits your expectations better.
add the ipv6 in the .config file
make koldconfig
cd /whatever-you-want/broadcom/src/gateway
make
make install

just the same as last time :s

lly
13-11-2009, 21:27
ipv6 is dead again... hmm

Very strange, moments ago I built r794:

$ ls /proc/sys/net
802 core ethernet ipv4 ipv6 unix
$ dnsmasq -v
Dnsmasq version 2.51 Copyright (C) 2000-2009 Simon Kelley
Compile time options IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
...
$ip6tables -A INPUT -m rt --rt-type 0 -j DROP
$ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0


I didn't perform any manual changes except src/gateway/.config. My build sequence (Sources prepared for compilation):

cd src/gateway
vi .config
make koldconf
make
make install

wpte
13-11-2009, 21:52
Very strange, moments ago I built r794:

I didn't perform any manual changes except src/gateway/.config. My build sequence (Sources prepared for compilation):

cd src/gateway
vi .config
make koldconf
make
make install


can you send me a build for the wl500w then?:p

theMIROn
13-11-2009, 22:07
btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
http://cvs.litech.org/viewcvs/radvd/CHANGES?view=markup
size comparison:
radvd-0.7.3 58Kb, ~20Kb inside FW
radvd-1.5 91Kb, ~28Kb inside FW
Is it worth it?

lly
13-11-2009, 22:16
btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
Personally, I can't rate these changes - are they urgent or just minor features? Maybe kamil can advise us?
Moreover, I'm really wary of the passages below from the Changelog:

Note: this could break deployments with some very old kernels, see more info at:
i.e. we should spend hours to find all such places due to our 2.4 kernel :(

theMIROn
13-11-2009, 22:23
Maybe kamil can advise us?
Hope so



Moreover, I'm really wary of the passages below from the Changelog:
Note: this could break deployments with some very old kernels, see more info at:
i.e. we should spend hours to find all such places due to our 2.4 kernel :(
Don't be afraid, we have a very fresh kernel. openwrt 2.4 uses it already, and there is a notice about it in the changelog.
moreover I had to make almost the same changes for traceroute6 recently

wpte
13-11-2009, 23:21
I tried your file lly, but there isn't any sixtun coming up:(
maybe I should try make menuconf...

lly
14-11-2009, 07:50
I tried your file lly, but there isn't any sixtun coming up:(

Updated: seems to be my mistake - too hard a week :( The right sequence to compile should be:

cd src/gateway
vi .config
make oldconfig
make
make install


Updated2 13:26: More problems discovered:

ip6tables-save/ip6tables-restore missing - fixed in r802
"state" match missing in kernel for ipv6 - I need extra time to fix this

I'm going to hardcode the following ipv6 firewall rules into rc:


# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP


ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT

ip6tables -A OUTPUT -o sixtun -j ACCEPT

ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

kamil - is it OK for the first step?

kamil
14-11-2009, 12:32
I'm going to hardcode the following ipv6 firewall rules into rc:


# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP


ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT

ip6tables -A OUTPUT -o sixtun -j ACCEPT

ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

kamil - is it OK for the first step?
yes, but I don't see a default policy:)

ps: I tested the scripts in VirtualBox with the rescuecd iso - http://rescuecd.pld-linux.org/download/2009-02-21/x86/RCDx86_297.iso :)

kamil
14-11-2009, 12:35
btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
http://cvs.litech.org/viewcvs/radvd/CHANGES?view=markup
size comparison:
radvd-0.7.3 58Kb, ~20Kb inside FW
radvd-1.5 91Kb, ~28Kb inside FW
Is it worth it?
radvd-0.7.x works great on my ASUS wl500g, but...
0.7.x - 2005
1.5.x - 2009
4 years:)

theMIROn
14-11-2009, 12:52
radvd-0.7.x works great on my ASUS wl500g, but...
0.7.x - 2005
1.5.x - 2009
4 years:)
I'm afraid that build date shouldn't be the main reason to update

lly
14-11-2009, 13:11
yes, but I don't see a default policy:)
default policy will be ACCEPT, for the test period at least. As I understand it, your sample firewall script is not from Oleg's 1.9.2.7-10 (which is based on the 2.4 kernel too), is it?

Bad news - kernel 2.4.X doesn't support ipv6 connection tracking (ip6_conntrack) at all. And nobody has done a backport from the 2.6 line :(

Also, I can't find an ipv6 TCPMSS module for 2.4 ...

About radvd - many software developers increase versions too rapidly, without real changes to core functionality, especially in commercial software. So, I don't want to fix new bugs in a new version due to incompatibility with our obsolete 2.4 kernel.

wpte
14-11-2009, 13:12
yes, but I don't see a default policy:)

default policy is always accept

or lly can add something like this into the beginning:

POLICY="DROP"
ip6tables -P OUTPUT $POLICY
ip6tables -P INPUT $POLICY
ip6tables -P FORWARD $POLICY

I'm not sure how drop will work out, I always had bad luck with it, meaning that the tunnel was blocked:p

wpte
14-11-2009, 13:17
Bad news - kernel 2.4.X doesn't support ipv6 connection tracking (ip6_conntrack) at all. And nobody has done a backport from the 2.6 line :(

http://www.linux-ipv6.org/ml/usagi-users/msg02587.html

But ip6_conntrack is highly independent, so I think it isn't difficult
to port it to Linux 2.4. Please try below.
maybe when there is more time we can give it a shot?:p

theMIROn
14-11-2009, 13:32
"state" match missing in kernel for ipv6 - I need extra time to fix this
the only way is to backport it from 2.6. btw, we could even merge the ipv4 and ipv6 modules/extensions to save space, like it was done in mainstream

lly
14-11-2009, 13:36
http://www.linux-ipv6.org/ml/usagi-users/msg02587.html
maybe when there is more time we can give it a shot?:p
I found this link. It is a real task, but since nobody has done it, it seems it is not so easy.
Unfortunately, I don't have enough time to do this backport. We will be happy if someone sends us patches against 2.4.3x.

What is your opinion about the significance of TCPMSS for ipv6?

theMIROn
14-11-2009, 16:36
Just set up an ipv6 tunnel via http://tunnelbroker.net, works fine
http://ipv6.he.net/certification/create_badge.php?pass_name=theMIROn&badge=3

btw, do we need the following (for the first approach without detailed interface names)?

iptables -I FORWARD -p ipv6 (-i/o sixtun/br0) -j ACCEPT
iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE

kamil
14-11-2009, 16:41
default policy will be ACCEPT, for tests period at least. As I can understand - your sample firewall script not from Oleg's 1.9.2.7-10 (which based on 2.4 kernel too), isn't it?
...


Oleg's 1.9.2.7-10 doesn't have ip6tables :)

My scripts were written on other routers where the base system is linux with kernel 2.6.x :)

Oleg's software has poor ipv6 support (no mtr6, traceroute6, ip6tables)... but it has basic support (ping6, firmware 1.9.2.7-10 compiled with ipv6)... - I can't create scripts where the base system doesn't fully support ipv6 (Oleg's firmware) :)

lly
14-11-2009, 18:45
btw, do we need the following (for the first approach without detailed interface names)?

iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
nat is absent for IPv6 :)


My scripts were written on other routers where the base system is linux with kernel 2.6.x :)
You are a happy man :)
One more question - have you ever used TCPMSS for IPv6?

theMIROn
14-11-2009, 18:50
nat is absent for IPv6 :)
yep, it's absolutely useless for that, in case of a routed ipv6 range

wpte
15-11-2009, 16:43
I have the new build and it works great:)

I'm proudly running:
1.9.2.7-d-r815

is it just me or is that portscanner from he.net quite slow?:p
maybe I'll make a c# ipv6 portscanner, do you need a mono version, theMIROn?

theMIROn
15-11-2009, 17:38
I have the new build and it works great:)
is it just me or is that portscanner from he.net quite slow?:p
maybe I'll make a c# ipv6 portscanner, do you need a mono version, theMIROn?

what for?
he.net uses nmap 5.00, you could use the same from optware.

btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)

theMIROn
15-11-2009, 17:48
Thoughts 'bout ip6tables defaults:
1. filter6_rules should be grouped by chain, not by match/target; the following changes should be applied to rc internally
2. OUTPUT chain should always have a default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type 0 -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too many to enumerate them all
3. the ipv6-icmp proto is used for ipv6 advertisements (radvd), autoconf, etc, so it shouldn't depend on the firewall coz it'll break overall connectivity
4. did I miss something?

lly
15-11-2009, 18:11
Thoughts 'bout ip6tables defaults:
1. filter6_rules should be grouped by chain, not by match/target; the following changes should be applied to rc internally
Sounds reasonable. No problem, we're still on the way :)

2. OUTPUT chain should always have a default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type 0 -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too many to enumerate them all

3. the ipv6-icmp proto is used for ipv6 advertisements (radvd), autoconf, etc, so it shouldn't depend on the firewall coz it'll break overall connectivity
Unfortunately, I don't know yet. Maybe kamil or someone else can help us and answer these questions?

wpte
15-11-2009, 20:50
what for?
he.net uses nmap 5.00, you could use the same from optware.

btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)
I know it's not accessible, though I opened up the port:p

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

after I added the line

-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
everything goes open:confused:
what do you use to open up ports then?

theMIROn
15-11-2009, 21:13
after I added the line

-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
everything goes open:confused:
what do you use to open up ports then?

you should open it with

ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
and don't forget about (in case of lighttpd)

server.use-ipv6 = "enable"

wpte
15-11-2009, 21:20
and don't forget about (in case of lighttpd)

server.use-ipv6 = "enable"

yes I enabled that:p
hmmm still odd with the mixed results from the he portscanner.. the only working online ipv6 portscanner as far as I can see:confused:

theMIROn
15-11-2009, 21:25
yes I enabled that:p
hmmm still odd with the mixed results from the he portscanner.. the only working online ipv6 portscanner as far as I can see:confused:

I'm able to ping you, and your http is working for now. test completed

wpte
15-11-2009, 21:32
I'm able to ping you, and your http is working for now. test completed
yes but the rest is open as well:p

theMIROn
16-11-2009, 07:02
r821 (http://code.google.com/p/wl500g/source/detail?r=821) introduced new ipv6 rules in a more flexible way.
Some of the rules are auto-generated depending on the connection type (in my case lanif=br0, manif=vlan1, wanif=ppp0) and the services enabled (ssh port, ftp port).
The SECURITY chain isn't used yet; the logaccept/logdrop chains will be used after turning packet logging on.



*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i <lanif> -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ssh port> -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ftp port> -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i <lanif> -o <lanif> -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o <wanif> -j DROP
-A FORWARD -i ! br0 -o <manif> -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

wpte
17-11-2009, 22:39
good stuff... compiling it now

I had about the same script as that, only it was half working:p

wpte
17-11-2009, 23:48
good stuff... compiling it now

I had about the same script as that, only it was half working:p

can't seem to open up port 80 anymore with both

ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT

ftp seems to be open tho...:p

# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*mangle
:PREROUTING ACCEPT [5823:1448054]
:INPUT ACCEPT [4022:326204]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [165:20009]
:POSTROUTING ACCEPT [1443:1008589]
COMMIT
# Completed on Wed Nov 18 00:09:58 2009
# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [154:19053]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o eth1 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Nov 18 00:09:58 2009

theMIROn
18-11-2009, 00:25
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

take a closer look at the ruleset.
everything in the input chain will be dropped, like it goes with the ipv4 filter table
the main reason - to implement the logdrop action, coz the chain policy doesn't support anything besides accept and drop.
so you need post-firewall stuff like the following


# set default input rule
iptables -P INPUT DROP
ip6tables -P INPUT DROP
# remove last default rule (i don't use logdrop)
iptables -D INPUT -j DROP
ip6tables -D INPUT -j DROP
# allow http access
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
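
An added example, not code from the thread or from the wl500g firmware: a small sh/awk audit of an ip6tables-save dump that reports INPUT rules appended after the terminal `-A INPUT -j DROP` (the trap behind the "everything goes open" confusion above, since such rules can never match) and builds the `ip6tables -I INPUT <n>` command that places a port-opening rule before that DROP, as an alternative to deleting the DROP rule. The dump is a constructed sample modelled on the one posted above, with the documentation address 2001:db8::2 standing in for the real tunnel address; function names are mine.

```sh
#!/bin/sh
# Added example, not from the thread: audit an ip6tables-save dump for
# unreachable INPUT rules and compute the insert position for a new one.
# Needs only sh and awk; it never calls ip6tables itself.

# Constructed sample modelled on the dump posted earlier in the thread.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:db8::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
COMMIT'

# input_drop_index DUMP -> 1-based position of the unconditional DROP in
# the INPUT chain, or 0 if the chain has no such rule.
input_drop_index() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" { n++ }
        $0 == "-A INPUT -j DROP"    { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# dead_input_rules DUMP -> number of INPUT rules that follow the DROP;
# anything above 0 means rules that can never be reached.
dead_input_rules() {
    printf '%s\n' "$1" | awk '
        $0 == "-A INPUT -j DROP"             { after = 1; next }
        after && $1 == "-A" && $2 == "INPUT" { n++ }
        END { print n + 0 }'
}

# open_tcp_port_cmd DUMP PORT -> the ip6tables command that places an
# ACCEPT for PORT just before the terminal DROP (or appends if none).
open_tcp_port_cmd() {
    idx=$(input_drop_index "$1")
    if [ "$idx" -gt 0 ]; then
        printf 'ip6tables -I INPUT %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$idx" "$2"
    else
        printf 'ip6tables -A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$2"
    fi
}

# Demo on the constructed dump; on a router, feed it "$(ip6tables-save)".
echo "terminal DROP is INPUT rule #$(input_drop_index "$SAMPLE_DUMP")"   # 8
echo "dead rules after it: $(dead_input_rules "$SAMPLE_DUMP")"           # 2
open_tcp_port_cmd "$SAMPLE_DUMP" 80
```

Run against a live box as `dead_input_rules "$(ip6tables-save)"`, a non-zero result is a quick post-firewall sanity check that someone appended an ACCEPT after the DROP again.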

wpte
18-11-2009, 22:40
that does kill your ipv6 tunnel you know...:rolleyes:

Alex89
24-11-2009, 20:17
Good evening. I'm lucky to have a native IPv6 address provided on the physical vlan1 interface by my provider, 2001.x.x.x/64 (while ipv4 goes through PPTP). I've set a static ipv6 address on vlan1 and set up the default route, so from the router I can reach ipv6 hosts w/o any problem. Also I've set another ipv6 address from the /64 prefix on my br0 interface + set up radvd with the /64 prefix (can't use /80, because it gives an error). After that I flushed all ip6tables rules and ran iptables -A INPUT -p ipv6 -i vlan1 -j ACCEPT (just in case). Now I have global addresses provided in my wireless network, and I can ping computers in the network and the router with ping6. But still I can't traceroute6 from my local network to ipv6 hosts (it only does 1 step to the br0 ipv6 address I've assigned to the router and then stops) and I also can't traceroute6 from my router to the local network (strange, it just doesn't jump at all). Would you please give me a hand setting up this configuration. Thank you

wpte
24-12-2009, 19:34
since my wl-500w is back up and running again I tried to use ipv6 in r1000

ping6 works properly on the router
but all the computers inside my network can't browse the internet; however, they do receive an ipv6 address from the router.
I think the range of the local IPs is not set properly yet

I have the basic firewall now:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
ACCEPT tcp anywhere anywhere tcp dpt:ftp
DROP all anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0

Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp anywhere anywhere limit: avg 5/sec burst 5
DROP all anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all anywhere anywhere


so I've used some tables from my old home-made script:)

# Get global, link and wan adresses
GLOBALSCOPE=`ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'`
LINKSCOPE=`ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'`
WANIF=`echo $GLOBALSCOPE | cut -f1 -d/`

#Allow local traffic
#includes loopback and local adresses
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
#link-local
ip6tables -A INPUT -s $LINKSCOPE -j ACCEPT
ip6tables -A OUTPUT -s $LINKSCOPE -j ACCEPT

and now I'm able to browse ipv6 sites on my clients:)

The changes in the list: (-- is added)

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
ACCEPT tcp anywhere anywhere tcp dpt:ftp
DROP all anywhere anywhere
--ACCEPT all anywhere anywhere
--ACCEPT all fe80::/64 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
--ACCEPT all anywhere anywhere
--ACCEPT all fe80::/64 anywhere

Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp anywhere anywhere limit: avg 5/sec burst 5
DROP all anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all anywhere anywhere


so it added code to accept anything from anywhere... (not secure)
but it also added fe80::/64, considered unsafe according to kamil, but it was the final step to make ipv6 browsable again:confused:

in the end the current firewall is not complete imo

theMIROn
27-12-2009, 16:13
first of all, your ip6tables listings aren't correct; no extra options were copied and no interfaces are visible


[admin@router root]$ ip6tables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all any any anywhere anywhere rt type:0
0 0 ACCEPT all lo any anywhere anywhere
9 672 ACCEPT all br0 any anywhere anywhere
14 1232 ACCEPT ipv6-icmp any any anywhere anywhere
0 0 ACCEPT all any any fe80::/10 anywhere
0 0 ACCEPT all any any ff00::/8 anywhere
0 0 ACCEPT tcp any any anywhere anywhere tcp dpt:ftp
60 7158 ACCEPT tcp any any anywhere anywhere tcp dpt:www


second, ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}' will produce something like "fe80::xxxx:xxxx/64 fe80::yyyy:yyyy/64", i.e. 2 IPs, which leads to the fe80::/64 range.
but the fe80::/10 INPUT rule already specifies the range fe80:0000:0000:0000:0000:0000:0000:0000 - febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
so your INPUT LINKSCOPE rule is useless

next, the OUTPUT chain has ACCEPT policy and only the ping-pong DROP rule
so, your OUTPUT rules are useless

about the INPUT chain - it controls only incoming (i.e. the end-point is the router itself) connections, and doesn't affect your pc's internet connectivity, which passes over the FORWARD chain.
moreover, INPUT's ACCEPT rule is dangerous, it makes your web interface accessible from wan, at least.

p.s. the IPv6-in-IPv4 tunnel needs some time to be established after a router reset.
On connect, your local PCs will receive router advertisements 'bout the IPv6 address prefix and everything will be fine.
Autoconfiguration requires that the radvd daemon is running (Enable router advertisements: Yes) and that a correct LAN IPv6 address is specified.

Just wait some time, not more than 1 min.

wpte
28-12-2009, 01:02
I reconfigured my router and now it seems to work.
kinda weird since the settings are the same:confused:

maybe some leftover from the broken psu:o
the weird thing is that ipv6 did work on the router, but not on any of the PCs:p

theMIROn
28-12-2009, 07:38
I reconfigured my router and now it seems to work.
kinda weird since the settings are the same:confused:

maybe some leftover from the broken psu:o
the weird thing is that ipv6 did work on the router, but not on any of the PCs:p

another suggestion is to move -p ipv6 -j ACCEPT right after -i br0 -j ACCEPT



Chain INPUT (policy DROP 3990 packets, 470K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
48680 9967K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
8332 2792K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
673 69654 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
4167 487K SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
16 940 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 41 -- * * 0.0.0.0/0 0.0.0.0/0




Chain INPUT (policy DROP 3990 packets, 470K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
48680 9967K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
8332 2792K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT 41 -- * * 0.0.0.0/0 0.0.0.0/0
673 69654 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
4167 487K SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
16 940 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

theMIROn
29-01-2010, 14:46
IPV6 6to4 how-to for static wan/ppp ipv6 address without any tunnel brokers

step 1
check if the 192.88.99.1 address is reachable; if not, this manual isn't for you :(

step 2
suppose your static ipv4 address is 16.32.48.64

convert decimal digits to hexadecimal - 10.20.30.40
add 2002::/16 prefix to get your ipv6 address space - 2002:1020:3040::/48

step 3
configure router at IP Config/IPv6 page

LAN IPv6 Setting
Static IPv6 address: 2002:1020:3040:1::1
Netsize (bits of hostpart): 64
Enable router advertisements: Yes

WAN IPv6 Setting
Static IPv6 address:
Netsize (bits of hostpart):
Remote IPv6 gateway:

Tunnel IPv6 Setting
Enable IPv6-tunnel: Yes
Remote endpoint: any
Local IPv6 address: 2002:1020:3040:0::1
Netsize (bits of hostpart): 64
Remote IPv6 gateway: ::192.88.99.1
Tunnel MTU: 1280
Tunnel TTL: 64

That's all.
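
The address arithmetic of step 2 and step 3, as an added example that is not code from the wl500g firmware or from this post: it derives the /48 site prefix, the LAN and tunnel /64s and the relay gateway for any public IPv4 address (the how-to's 16.32.48.64 is used as the sample value), using only the Python standard library.

```python
"""Derive the 6to4 values the how-to enters into the IP Config/IPv6 page.

Added example, not wl500g firmware code. It generalizes step 2 and step 3:
any public IPv4 address in, site prefix, LAN /64, tunnel /64 and relay out.
16.32.48.64 is the sample address from the post.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 relay, step 1
# Ranges that can never work as a 6to4 endpoint: the relay sends the return
# traffic to the address embedded in the prefix, and these are not routed.
NOT_6TO4_CAPABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Step 2: 16.32.48.64 -> 2002:1020:3040::/48.

    Each decimal octet becomes one hex byte; the four bytes fill the 32 bits
    directly after the 2002::/16 prefix (bits 80..111 counted from the LSB).
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NOT_6TO4_CAPABLE):
        raise ValueError(f"{v4} is not a public IPv4 address, 6to4 cannot work")
    return ipaddress.IPv6Network(
        (int(SIX_TO_FOUR.network_address) + (int(v4) << 80), 48))


def address_plan(ipv4: str, lan_subnet: int = 1, tunnel_subnet: int = 0) -> dict:
    """Step 3: values for the LAN and Tunnel sections of the web page.

    The how-to uses /64 number 1 of the /48 for the LAN and number 0 for the
    tunnel endpoint; any of the 65536 /64s can be chosen instead.
    """
    site = six_to_four_prefix(ipv4)

    def subnet(n: int) -> ipaddress.IPv6Network:
        if not 0 <= n < 1 << 16:
            raise ValueError("a /48 only has 2**16 /64 subnets")
        return ipaddress.IPv6Network((int(site.network_address) + (n << 64), 64))

    lan, tun = subnet(lan_subnet), subnet(tunnel_subnet)
    return {
        "site_prefix": str(site),
        # ::1 of each /64, as in the how-to. ipaddress compresses the zero
        # subnet, so 2002:1020:3040:0::1 prints as 2002:1020:3040::1.
        "lan_static_address": f"{lan.network_address + 1}/64",
        "tunnel_local_address": f"{tun.network_address + 1}/64",
        # The relay is entered as an IPv4-compatible IPv6 address.
        "tunnel_remote_gateway": f"::{RELAY_ANYCAST}",
        "tunnel_mtu": 1280,
        "tunnel_ttl": 64,
    }


def max_icmpv6_echo_payload(tunnel_mtu: int = 1280) -> int:
    """Largest ping6 payload that fits the tunnel MTU without fragmentation:
    40 bytes of IPv6 header and 8 bytes of ICMPv6 echo header come first."""
    return tunnel_mtu - 40 - 8


if __name__ == "__main__":
    for key, value in address_plan("16.32.48.64").items():
        print(f"{key:>22}: {value}")
    print("max ping6 payload with MTU 1280:", max_icmpv6_echo_payload())
```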

theMIROn
29-01-2010, 19:47
Preview of new IPv6 web interface.
Supported: Native IPv6, Tunnel 6in4, Tunnel 6to4
Any suggestions?

wpte
30-01-2010, 14:13
Looks good theMIROn!
this interface makes a lot more sense than the old one;)

btw, does ipv6 without tunnel brokers have advantages / disadvantages?

wpte
01-02-2010, 14:14
http://www.google.com/intl/en/ipv6/

seems like ipv6 is getting more useful now, since Google is opening youtube for ipv6 as well! :)

theMIROn
01-02-2010, 14:45
Looks good theMIROn!
this interface makes a lot more sense than the old one;)

it was changed again in the trunk.


Looks good theMIROn!
btw, does ipv6 without tunnel brokers have advantages / disadvantages?
yep, google for it, I've seen several articles over the net

wpte
01-02-2010, 20:37
it was changed again in the trunk.
Some bug fixes you mean? http://code.google.com/p/wl500g/source/detail?r=1123


yep, google for it, I've seen several articles over the net
short list I've found for other people:
Advantages of 6to4:

No need to register anything, if you have an IPv4 address then you also have IPv6 6to4 addresses
Traffic between separate 6to4 sites takes the most direct route possible. This in turn can give you lower latency and may also permit you to take advantage of free traffic (if your ISP has free peering links).

Disadvantages of 6to4:

If you only have a dynamic IPv4 address then your IPv6 6to4 addresses will also be dynamic.
There is currently no support for setting reverse DNS entries when using 6to4 addresses.
The tunneled IPv6 packets may arrive from any IPv4 addresses and therefore filtering becomes both more difficult and more important.


So in short: it might be faster, especially if you're not close to a tunnel broker. But if you don't have a static ip address you need to reconfigure it now and then. Also you get extra security issues when you don't configure the firewall properly.


OH AND MY 1000th POST :D
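
The last disadvantage in the list above (tunnelled packets may arrive from any IPv4 address) is what a 6to4 router's ingress filter has to deal with; as an added example that is not wl500g firmware code, the checks below model the source/destination consistency rules for a packet that has just been unwrapped from its proto-41 carrier. The router address 16.32.48.64 is the sample from the how-to earlier in the thread; all packets are constructed.

```python
"""Ingress checks for decapsulated 6to4 packets (added example, not firmware code).

Run after the IPv6 packet has been taken out of its proto-41 IPv4 carrier:
a 6to4 source must match the carrier's IPv4 source, a native source must
arrive through a trusted relay, and only our own /48 may be the destination.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# Prefixes that can never be a real 6to4 endpoint: an embedded or carrier
# address from one of these is spoofed, looped or misrouted.
NOT_6TO4_CAPABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def usable_endpoint(v4: ipaddress.IPv4Address) -> bool:
    return not any(v4 in net for net in NOT_6TO4_CAPABLE)


def site_prefix(v4: ipaddress.IPv4Address) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the IPv4 address W.X.Y.Z."""
    return ipaddress.IPv6Network(
        (int(SIX_TO_FOUR.network_address) + (int(v4) << 80), 48))


def embedded_ipv4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """The IPv4 address carried in the 32 bits after 2002::/16."""
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def check_6to4_ingress(outer_src: str, inner_src: str, inner_dst: str,
                       my_ipv4: str, trusted_relays=("192.88.99.1",)) -> list:
    """Return the reasons to drop a decapsulated packet; an empty list means accept.

    outer_src: IPv4 source of the proto-41 carrier packet
    inner_src/inner_dst: addresses of the IPv6 packet inside it
    my_ipv4: this router's public IPv4 address (defines its own 2002 prefix)
    trusted_relays: IPv4 relays allowed to deliver native (non-2002) sources
    """
    o_src = ipaddress.IPv4Address(outer_src)
    i_src = ipaddress.IPv6Address(inner_src)
    i_dst = ipaddress.IPv6Address(inner_dst)
    mine = site_prefix(ipaddress.IPv4Address(my_ipv4))
    relays = {ipaddress.IPv4Address(r) for r in trusted_relays}
    reasons = []

    # The carrier itself must come from somewhere a 6to4 host can live.
    if not usable_endpoint(o_src):
        reasons.append(f"carrier source {o_src} cannot be a 6to4 endpoint")

    # Only traffic for our own /48 belongs here; anything else is an attempt
    # to use this router as a relay for third parties.
    if i_dst not in mine:
        reasons.append(f"inner destination {i_dst} is not in our prefix {mine}")

    if (i_src.is_unspecified or i_src.is_loopback
            or i_src.is_link_local or i_src.is_multicast):
        reasons.append(f"inner source {i_src} is not a global unicast address")
    elif i_src in mine:
        # Nobody outside may claim one of our own LAN addresses.
        reasons.append(f"inner source {i_src} spoofs our own prefix")
    elif i_src in SIX_TO_FOUR:
        # 6to4-to-6to4: the embedded IPv4 must equal the carrier's source.
        emb = embedded_ipv4(i_src)
        if emb != o_src:
            reasons.append(f"6to4 source embeds {emb} but carrier came from {o_src}")
        if not usable_endpoint(emb):
            reasons.append(f"6to4 source embeds unroutable {emb}")
    else:
        # Native IPv6 source: it reached us through a relay. Return traffic
        # may come via any relay on the Internet, so this only enforces the
        # relays the operator chose to trust.
        if o_src not in relays:
            reasons.append(f"native source {i_src} delivered by untrusted relay {o_src}")
    return reasons


if __name__ == "__main__":
    MY_IPV4 = "16.32.48.64"  # router address from the how-to (sample value)
    samples = [  # constructed packets: (carrier src, inner src, inner dst)
        ("203.0.113.5", "2002:cb00:7105::10", "2002:1020:3040:1::1"),
        ("203.0.113.5", "2002:a00:1::1", "2002:1020:3040:1::1"),
        ("192.88.99.1", "2a00:1450:8004::93", "2002:1020:3040:1::5"),
        ("203.0.113.5", "2002:cb00:7105::10", "2001:db8::1"),
    ]
    for pkt in samples:
        print(pkt, "->", check_6to4_ingress(*pkt, MY_IPV4) or ["accept"])
```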

theMIROn
01-02-2010, 21:02
Some bug fixes you mean? http://code.google.com/p/wl500g/source/detail?r=1123


short list I've found for other people:
Advantages of 6to4:

No need to register anything, if you have an IPv4 address then you also have IPv6 6to4 addresses
Traffic between separate 6to4 sites takes the most direct route possible. This in turn can give you lower latency and may also permit you to take advantage of free traffic (if your ISP has free peering links).

Disadvantages of 6to4:

If you only have a dynamic IPv4 address then your IPv6 6to4 addresses will also be dynamic.
There is currently no support for setting reverse DNS entries when using 6to4 addresses.
The tunneled IPv6 packets may arrive from any IPv4 addresses and therefore filtering becomes both more difficult and more important.


So in short: it might be faster, especially if you're not close to a tunnel broker. But if you don't have a static ip address you need to reconfigure it now and then. Also you get extra security issues when you don't configure the firewall properly.


OH AND MY 1000th POST :D

congratz, but no dynamic ipv4 addr is supported yet, only static.

cap_tcha
22-05-2010, 15:44
Hi everybody!

I have:
WL-500gp (firmware: WL500gp-1.9.2.7-d-r1445.trx);
Router firewall is disabled.
Static IP;
WinXP SP3;
IPv6-to-IPv4 Tunnel.

Following the instructions:


IPV6 6to4 how-to for static wan/ppp ipv6 address without any tunnel brokers

step 1
check if the 192.88.99.1 address is reachable; if not, this manual isn't for you :(

step 2
suppose your static ipv4 address is 16.32.48.64

convert decimal digits to hexadecimal - 10.20.30.40
add 2002::/16 prefix to get your ipv6 address space - 2002:1020:3040::/48

step 3
configure router at IP Config/IPv6 page

LAN IPv6 Setting
Static IPv6 address: 2002:1020:3040:1::1
Netsize (bits of hostpart): 64
Enable router advertisements: Yes

WAN IPv6 Setting
Static IPv6 address:
Netsize (bits of hostpart):
Remote IPv6 gateway:

Tunnel IPv6 Setting
Enable IPv6-tunnel: Yes
Remote endpoint: any
Local IPv6 address: 2002:1020:3040:0::1
Netsize (bits of hostpart): 64
Remote IPv6 gateway: ::192.88.99.1
Tunnel MTU: 1280
Tunnel TTL: 64

That's all.

still no luck connecting to IPv6 sites (ipv6.google.com) via the router from the LAN.

If I connect to the Internet bypassing router it seems OK
(I can open ipv6.google.com)

Unfortunately I don't know Linux at all.

But when I type "ping6 ipv6.google.com" in
router WEB Interface - System Setup - System Command
I get

PING ipv6.google.com (2a00:1450:8004::93): 56 data bytes
64 bytes from 2a00:1450:8004::93: seq=1 ttl=56 time=64.754 ms
64 bytes from 2a00:1450:8004::93: seq=3 ttl=56 time=116.002 ms
64 bytes from 2a00:1450:8004::93: seq=4 ttl=56 time=120.154 ms
64 bytes from 2a00:1450:8004::93: seq=5 ttl=56 time=103.555 ms
64 bytes from 2a00:1450:8004::93: seq=6 ttl=56 time=103.696 ms
64 bytes from 2a00:1450:8004::93: seq=8 ttl=56 time=156.304 ms
64 bytes from 2a00:1450:8004::93: seq=9 ttl=56 time=105.589 ms
64 bytes from 2a00:1450:8004::67: seq=21 ttl=56 time=67.103 ms
64 bytes from 2a00:1450:8004::67: seq=22 ttl=56 time=125.285 ms
64 bytes from 2a00:1450:8004::67: seq=23 ttl=56 time=116.125 ms
64 bytes from 2a00:1450:8004::67: seq=24 ttl=56 time=110.226 ms
64 bytes from 2a00:1450:8004::67: seq=25 ttl=56 time=155.083 ms
64 bytes from 2a00:1450:8004::67: seq=26 ttl=56 time=110.517 ms
64 bytes from 2a00:1450:8004::67: seq=27 ttl=56 time=120.478 ms
64 bytes from 2a00:1450:8004::67: seq=28 ttl=56 time=110.660 ms
64 bytes from 2a00:1450:8004::67: seq=29 ttl=56 time=112.311 ms
64 bytes from 2a00:1450:8004::93: seq=898 ttl=56 time=107.268 ms
64 bytes from 2a00:1450:8004::93: seq=899 ttl=56 time=168.398 ms
64 bytes from 2a00:1450:8004::93: seq=900 ttl=56 time=170.426 ms
64 bytes from 2a00:1450:8004::93: seq=901 ttl=56 time=170.429 ms
64 bytes from 2a00:1450:8004::93: seq=902 ttl=56 time=71.379 ms
64 bytes from 2a00:1450:8004::93: seq=903 ttl=56 time=65.832 ms
64 bytes from 2a00:1450:8004::93: seq=904 ttl=56 time=167.447 ms
64 bytes from 2a00:1450:8004::93: seq=906 ttl=56 time=65.854 ms

Any help?

P.S. My settings in attachment.

theMIROn
23-05-2010, 11:04
still no luck connecting to IPv6 sites (ipv6.google.com) via the router from the LAN.
Any help?

P.S. My settings in attachment.

Since you're able to ping ipv6 hosts from router itself your tunnel is up and working.
To get ipv6 connectivity on your lan hosts (pc/notebooks) they have to receive ipv6 RA messages from the router. It's used for neighbor discovery and socialization, so maybe your pc's firewall blocks them all.
And, I'm sure, you didn't forget about installing the ipv6 transport proto in winxp, and to wait some time to let your local ipv6 address be autoconfigured.
Just check the ipv6 ip and route table in winxp

wpte
23-05-2010, 11:12
And, I sure, you didn't forget about installing ipv6 transport proto in winxp

usually requires a restart before it actually works, especially in windows xp.

cap_tcha
23-05-2010, 20:09
I appreciate your prompt replies very much.


usually requires a restart before it actually works, especially in windows xp.

This is a useful and important remark.
I followed this tip when I established the IPv6 tunnel without the router (directly).

cap_tcha
23-05-2010, 20:31
Thank you for giving me a hint.


Since you're able to ping ipv6 hosts from router itself your tunnel is up and working.
To get ipv6 connectivity on your lan hosts (pc/notebooks) they have to receive ipv6 RA messages from the router. It's used for neighbor discovery and socialization, so maybe your pc's firewall blocks them all.
And, I'm sure, you didn't forget about installing the ipv6 transport proto in winxp, and to wait some time to let your local ipv6 address be autoconfigured.
Just check the ipv6 ip and route table in winxp

When I connected to ipv6.google.com without router I checked firewall
settings (in my case BitDefender Total Security 2009) and added
all addresses (including IPv6) in BitDefender's "trusted zone".
And it works.

Now, when I connected via router I found some more addresses in
BitDefender's settings and added them all to the "trusted zone".
And it does not work.

After that I did some work around (still suspecting my firewall) and found
out BitDefender's "stealth mode" and turned it OFF.

And it works now.

taylor729
27-10-2010, 19:43
I've tried version 1.9.2.7.-d-r2295 from SVN and IPv6 (6in4 tunnel) is working OK. However, when I tried to use ipv6 conntrack, it seemed to be reasonably unstable.

CONFIG_IP6_NF_CONNTRACK=y causes random system restarts within a few hours, and CONFIG_IP6_NF_MATCH_STATE=m with the ip6t_state module loaded causes a total freeze within an hour after boot.

I know, these options are not enabled in default config, so I reverted back to original settings and use ! --syn option for incoming tcp and disable udp ports 1024:65535 instead.

It's a pity that backported ip6 conntrack doesn't work, but it will in the future, I hope ;-)

theMIROn
18-11-2010, 18:08
I've tried version 1.9.2.7.-d-r2295 from SVN and IPv6 (6in4 tunnel) is working OK. However, when I tried to use ipv6 conntrack, it seemed to be reasonably unstable.
yes, it's a known bug.


It's a pity that backported ip6 conntrack doesn't work, but it will in the future, I hope ;-)
1.9.2.7-rtn FW has fully working ipv6 conntrack.

BTW, since r2354/r2355 the ipv6 design was changed.
6to4 tunnels should work out-of-box with dynamic WAN, PPP connection type introduced, many bugs were fixed.
so, please, test
http://www.webpagescreenshot.info/img/275681-1118201080123PM

wpte
18-11-2010, 23:17
BTW, since r2354/r2355 the ipv6 design was changed.
6to4 tunnels should work out-of-box with dynamic WAN, PPP connection type introduced, many bugs were fixed.
so, please, test

that broke my ipv6 setup again :(
after flashing the ipv6 page had other ipv6 addresses listed (not mine), I guess that's the out of the box?:p

now, the part that always breaks here is sharing the tunnel with other computers. With both the out-of-box and mine configuration the router can ping ipv6 hostnames but the computers can't, yet they can resolve the hostnames:confused:

The only thing that fixed it for me so far was a complete reset of the nvram and a reconfiguration (manually) to make it work again. I always used the same values tho. So I guess something is going wrong with some logic codes?

theMIROn
18-11-2010, 23:31
with 6to4 type, whatever ipv6 you set, prefix will always be 2002:ip:v4, but other part has the meaning.

theMIROn
19-11-2010, 11:28
that broke my ipv6 setup again :(
check r2361/r2362, should work.


So I guess something is going wrong with some logic codes?
yep, was, I'm pretty sure :)

wpte
19-11-2010, 15:40
fixed it indeed:)

theMIROn
19-11-2010, 15:47
fixed it indeed:)

So, any new suggestion?
p.s. Tunnel local address is useless input box now

wpte
19-11-2010, 17:26
So, any new suggestion?
p.s. Tunnel local address is useless input box now

Not really actually, I mean it works quite nice right?:)

So tunnel local address is auto configured?

theMIROn
19-11-2010, 17:31
Not really actually, I mean it works quite nice right?:)
So tunnel local address is auto configured?

Yes, right from r2363/r2364 it should work quite well.
And the tunnel local address is auto configured with the wan ip address, no matter if it is static, automatic or ppp.

Dapper
14-01-2011, 04:24
Hi.

I've been playing around with an IPv6 tunnel from HE, and whilst it works, sort of, I have a few problems.

First, the settings for the router interface. Let's say, for example, I am issued the following:

Client IPv6 address: 2001:123:abcd:123::2
Server IPv6 address: 2001:123:abcd:123::1

In the router interface settings (WL500gpV2) we have:

LAN IPv6 Setting
Static IPv6 address: (Not sure what I should enter here)
Netsize (bits of hostpart): 64
Enable router advertisements: Yes

WAN IPv6 Setting
Static or local IPv6 address: 2001:123:abcd:123::2 (I assume?)
Netsize (bits of hostpart): 64
Remote IPv6 gateway: 2001:123:abcd:123::1 (I assume?)

WAN DNS IPv6 Setting
DNS Server: (Not sure what goes here there's only RDNS listed on the tunnel page at HE)

Having used the settings above, I can ping6 various sites from the router, however, I get request timed out when I try to ping -6 any ipv6 site from my PC.

Another problem, if I go to testmyipv6.net or any similar sites, they all report I'm using IPv4 and not IPv6, so something is obviously broken with my configuration.

Finally, once I get this working correctly, is there anything else that needs to be done. I did notice that running an iptables -L on the router only had entries for IPv4. Will I need to manually enter rules for IPv6?

Windows 7
Firmware: WL500gpv2-1.9.2.7-d-r2381

Thanks

Edit: made some changes and now a little closer:

In the router I changed the Static LAN address to 2001:470:1f0b:823::1
I used The DNS address 2001:470:0:70::2
I reset the IPv4 and IPv6 stack via netsh and rebooted

I was able to reach ipv6.he.net from the router but I got Destination host unreachable from the PC.

I manually added the address 2001:470:1f0b:823::3 to the IPv6 interface and added the DNS address also.

After a release and renew I was able to ping -6 ipv6.he.net from the PC and I was able to reach ipv6.google.com via the browser. I was not able to reach ipv6.he.net from the browser and when I checked whatsmyipv6.com it still showed only an IPv4 address. Clearly, I am still doing something wrong.

Here is the most recent ipconfig:



Windows IP Configuration

Host Name . . . . . . . . . . . . : ******
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-1D-7D-04-77-**
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:***:1f0b:823::3(Preferred)
IPv6 Address. . . . . . . . . . . : 2001:***:1f0b:823:972:322:9617:bc8d(Preferred)
Link-local IPv6 Address . . . . . : fe80::972:***:9617:bc8d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.143(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 15, 2011 12:32:23 AM
Lease Expires . . . . . . . . . . : Sunday, January 16, 2011 12:32:23 AM
Default Gateway . . . . . . . . . : 2001:470:1f0a:823::1
fe80::e2cb:4eff:fea8:6ef3%11
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 2001:470:0:70::2
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{3DEBEC41-0DB9-4781-8058-726218A5B202}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Windows\System32>ping -6 ipv6.he.net

Pinging ipv6.he.net [2001:470:0:64::2] with 32 bytes of data:
Reply from 2001:470:0:64::2: time=332ms
Reply from 2001:470:0:64::2: time=332ms
Reply from 2001:470:0:64::2: time=331ms
Reply from 2001:470:0:64::2: time=334ms

wpte
14-01-2011, 17:20
http://whatsmyipv6.com/ doesn't work for me either, but that's because no ipv6 dns record seems to be available:p
http://ipv6.he.net/ does show up an ipv6 address.

Also, sometimes windows doesn't like to enable ipv6 instantly after receiving an address, so you might need to reboot.

Settings should look like this when using ipv6-in-ipv4 tunnel:

Static IPv6 address: 2001:123:abcd:123::1 ("Server IPv6 address" without the /64)
Netsize (bits of hostpart): 64
Enable router advertisements: Yes

Static or local IPv6 address: 2001:123:abcd:123::2 ("Client IPv6 address" without the /64)
Netsize (bits of hostpart): 64
Remote IPv6 gateway: 2001:123:abcd:123::1 ("Server IPv6 address" without the /64)

DNS Server: 2001:470:20::2 ("Anycasted IPv6 Caching Nameserver" value)

6in4 IPv4 remote endpoint: 216.66.84.46 ("Server IPv4 address" value)
6to4 IPv4 anycast relay: (should be un-editable)
Tunnel MTU: 128
Tunnel TTL: 64

that should work:)

Dapper
15-01-2011, 00:50
Thanks for the reply wpte, unfortunately, I still cannot get this to work. My settings are as you described and whilst I can ping ipv6 sites from both the router and the PC, I cannot connect to any via the browser. This would suggest the tunnel is probably failing.

Here's my settings:



Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-1D-7D-04-77-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:470:1f0b:823:972:322:9617:bc8d(Preferred)
Link-local IPv6 Address . . . . . : fe80::972:322:9617:bc8d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.143(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 15, 2011 10:30:00 AM
Lease Expires . . . . . . . . . . : Sunday, January 16, 2011 10:30:00 AM
Default Gateway . . . . . . . . . : fe80::e2cb:4eff:fea8:6ef3%11
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 2001:470:20::2
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{3DEBEC41-0DB9-4781-8058-726218A5B202}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Windows\System32>ping -6 ipv6.he.net

Pinging ipv6.he.net [2001:470:0:64::2] with 32 bytes of data:
Reply from 2001:470:0:64::2: time=335ms
Reply from 2001:470:0:64::2: time=335ms
Reply from 2001:470:0:64::2: time=335ms
Reply from 2001:470:0:64::2: time=336ms

wpte
15-01-2011, 01:28
I also get a temporary ipv6 address, and that's the one I browse with:)

Just to be sure... you're using windows vista or higher (xp needs ipv6 patches)?
latest firmware?
default windows firewall (others tend to block ipv6)
restarted your nic or pc?

And obviously... compatible browser, which you should restart after you introduced ipv6 to the computer? Most browsers don't detect the change while running:)

Dapper
15-01-2011, 02:50
Unreal! It seems it's a conflict between ipv6.he.net and some browsers. After some testing, I can connect to ipv6.he.net with IE 8 (haven't tried 9 yet) but not with my default browser firefox (minefield nightly), Opera 11 or iron 8.0.555. I can, however, connect to other sites such as test-ipv6.com...

Thanks for your help wpte :)

Edit: One further question, if I may. What do I need to do regarding ip6tables rules, as there doesn't appear to be any default rules allocated. Also, HE requires the client end-point to be 'pingable' in order to establish a tunnel. Whilst I enabled pings from the WAN in the router interface, I feel this is less than ideal...

Edit 2: I spoke too soon. It would appear that I cannot connect to a whole host of ipv6 enabled sites, with any browser, when IPv6 is enabled. This is true, even though I received a perfect score on test-ipv6.com.

wpte
15-01-2011, 14:59
Also, HE requires the client end-point to be 'pingable' in order to establish a tunnel.

oh yes, forgot that one in the checklist:o


Edit 2: I spoke too soon. It would appear that I cannot connect to a whole host of ipv6 enabled sites, with any browser, when IPv6 is enabled. This is true, even though I received a perfect score on test-ipv6.com.
Sites like?
if that's the case you might need to contact HE about this for support

Dapper
16-01-2011, 01:52
Sites like?

A few of those I tried were Sixxes, sixy.ch and ipv6.internode.on.net as well as any of the HE sites. All failed with IPv6 enabled.



if that's the case you might need to contact HE about this for support


I've posted pretty much the same stuff in their forums as posted here. So far, there's not really any answers.

theMIROn
16-01-2011, 11:16
Just checked, all these sites are working and accessible via the he.net ipv6 tunnel from the router. I'm using Windows XP, Windows 7 and Debian as clients with radvd enabled.
And, btw, about ipv6 firewalling. It's here for ages. ip6tables --help

Dapper
17-01-2011, 06:14
Just checked, all these sites are working and accessible via the he.net ipv6 tunnel from the router. I'm using Windows XP, Windows 7 and Debian as clients with radvd enabled.
And, btw, about ipv6 firewalling. It's here for ages. ip6tables --help


Thanks for the reply. I don't doubt the sites work, they just won't work for me, with the configuration I'm currently using, even though test-ipv6 tells me everything is up and running. Clearly, I am doing something wrong and that's what I'm trying to sort out.

Hopefully, I'll get some more time tomorrow, so I'll set-up a tunnel without the router, just to see if it makes a difference. I also have an account with gogo6, so I'll create a tunnel with their client, too.

Thanks for the info on ip6tables, I'll take a look at that, once I have a correctly working tunnel.

wpte
17-01-2011, 13:52
Is your modem also pingable?
or does it send the ping to the router?
either way, HE tunnel needs that:p

I was thinking, because I have my router in DMZ by default, if the router is behind a firewall and accept pings it doesn't make any difference:)

maros
06-02-2011, 19:44
Hi,
I've set up the 6to4 tunnel - I'm able to ping ipv6 sites from the router.


$ traceroute6 www.abclinuxu.cz
traceroute to www.abclinuxu.cz (2a01:430:10:ab::3), 30 hops max, 16 byte packets
1 2002:c058:6301::1 (2002:c058:6301::1) 7.590 ms 6.985 ms 7.065 ms
2 2001:1488::1 (2001:1488::1) 7.506 ms 7.686 ms 7.186 ms
3 nix-ipv6.masterinter.net (2001:7f8:14::11:1) 8.761 ms 7.549 ms 7.369 ms
4 2a01:430:10:ab::3 (2a01:430:10:ab::3) 21.780 ms 11.335 ms 7.479 ms


But I'm not able to use IPv6 from clients. First, they didn't have an IPv6 address. I found I should use the radvd daemon. I used the following configuration:



$ cat /opt/etc/radvd.conf
interface br0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2002:bcaf:2821::/64 {
AdvOnLink off;
AdvAutonomous on;
AdvRouterAddr on;
Base6to4Interface vlan1;
AdvPreferredLifetime 20;
AdvValidLifetime 30;
};
};


Now the clients have an IPv6 address, but ping6 still does not work.



|20:34:25 marian@nb ~| $ tracepath6 www.abclinuxu.cz
1?: [LOCALHOST] 0.047ms pmtu 1500
1: no reply
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500


I'm using 1.9.2.7-d-r2381.

Do I need to set up something more?
Is starting of radvd somewhere in web interface?

EDIT: I did touch nothing, but now it works. So the only question is about radvd.

wpte
07-02-2011, 11:36
Do I need to set up something more?
Is starting of radvd somewhere in web interface?

EDIT: I did touch nothing, but now it works. So the only question is about radvd.

Yes, in the menu you can select to broadcast the ipv6 availability.
It's in the ipv6 menu.

For clients you might need to reboot, or reconfigure the interface:)

maros
07-02-2011, 20:38
Yes, in the menu you can select to broadcast the ipv6 availability.
It's in the ipv6 menu.

Do you mean "Enable router advertisements:"? I've set it to 'Yes'.


For clients you might need to reboot, or reconfigure the interface:)

I did a re-connect to wifi. On the NB it works now, but on my second computer it still does not work, even after a restart. Unfortunately, I've no time to investigate it deeply this week :-(

Dapper
13-02-2011, 07:11
Apologies for the delay in posting, I've been very busy.

I finally had some time to come back to this problem and I've established the cause of the problem to be the router.

In trouble shooting, I performed the following tasks:

1. Configured IPv6 in the router and updated the tunnel details with HE.
2. Verified connectivity by ping -6 (from the PC) to various IPv6 enabled sites (ipv6.he.net, ipv6.google.com etc.)
3. Tried browsing to various ipv6 enabled sites. Connectivity was available but it was incredibly slow and often timed out completely.
4. Placed the PC in the router DMZ and performed the steps above. No difference was discernible.
5. Turned off the firewall in the router and performed the steps above. No difference discernible.
6. Removed the router from the equation by connecting the PC directly to the Internet.
7. Updated the tunnel details and ran the netsh script from HE to configure the tunnel endpoint on the PC.
8. Everything worked as expected

Clearly the router configuration is incorrect but I don't know what I've done wrong. The configuration is as I outlined in my earlier posts and as I say, I can ping -6 various hosts from the PC and although it's horribly slow, I can connect via the browser.

So any clues as to what I may have done wrong or ideas about what I can do to rectify the problem, would be most welcome.

Thanks

wpte
13-02-2011, 18:11
So any clues as to what I may have done wrong or ideas about what I can do to rectify the problem, would be most welcome

Oh yes, the thing I always forget to mention actually:p
Is your router pingable from the internet, that's required by HE

theMIROn
13-02-2011, 18:38
Oh yes, the thing I always forget to mention actually:p
Is your router pingable from the internet, that's required by HE

Would it be useful to open icmp on the firewall automagically from the 6to4 tunnel server?

wpte
13-02-2011, 22:05
Would it be useful to open icmp on the firewall automagically from the 6to4 tunnel server?

would be a good idea, since many people have problems with that part

but it should also be mentioned then somewhere on the web-gui perhaps?

Dapper
14-02-2011, 07:33
Oh yes, the thing I always forget to mention actually:p
Is your router pingable from the internet, that's required by HE

It is 'pingable' if it wasn't I wouldn't have been able to configure it as the end-point for the tunnel. (For now, I have a dynamic address, which changes when the router is booted)

As I said, once the tunnel is established, I can ping ipv6 sites and I can, albeit painfully slowly, connect to ipv6 sites from within the browser.

If there were some issue with ICMP, would this cause the browser issues?



Would it be useful to open icmp on the firewall automagically from the 6to4 tunnel server?


I think this would be a good idea. As wpte mentioned, it's something easily overlooked.

Dapper
15-02-2011, 13:37
I could really use some help here, please. I feel like I'm banging my head against a wall.

After more testing today, I've found that when testing against http://www.test-ipv6.com

A. With the router connected the 'IPv6 large packet test' always fails with a timeout. All other tests pass.
B. With the router removed and a direct connection to the Internet from the PC, the test is always passed.

According to the site, if this test fails, it may be due to "PMTUD issues; possibly involving IP tunnels." If this is a possible reason for the problems I'm encountering, which settings in the router might be the cause

wpte
15-02-2011, 14:23
Sorry Dapper, I'm also not quite sure what the problem is.
but concerning the path MTU... are you sure the tunnel mtu and ttl are filled in?
for mtu I use 1280, and ttl 64.
perhaps you can try to make the MTU larger?:confused:

for me everything runs fine except "Test with IPv4 DNS record" because I use openDNS, which is a false positive :)

Dapper
16-02-2011, 08:48
Sorry Dapper, I'm also not quite sure what the problem is.
but concerning the path MTU... are you sure the tunnel mtu and ttl are filled in?
for mtu I use 1280, and ttl 64.
perhaps you can try to make the MTU larger?:confused:

for me everything runs fine except "Test with IPv4 DNS record" because I use openDNS, which is a false positive :)

Thanks for taking the time to reply. The details of my configuration can be seen in the screen shot on the previous page. The values for the settings you mentioned are the same.

When I did an ICMP buffer test, with the router in place, the mtu maximum was 1232, anything above that gave a destination unreachable. The problem is, I'm not sure what the ICMP overhead for IPv6 is. On IPv4 it's 28 bits.

There is obviously something wrong with the configuration of my router, but I have no idea what it may be or where to look. As I said in an earlier post, placing the PC in the DMZ and/or disabling the firewall has no effect on the problem, which is simply that with IPv6 enabled, sites sit continuously in the 'waiting for xxxxx site' If I disable IPv6 on the network adapter, I connect instantly. If I remove the router but leave IPv6 enabled and configured on the PC, I connect instantly.

I'm thinking now I might just reset the router to factory defaults and see what happens. I might also try some different firmware, perhaps Tomato or OpenWRT.

Final question, could this be an iptables issue, if so, what might it be?

Thanks

wpte
16-02-2011, 20:48
I'm thinking now I might just reset the router to factory defaults and see what happens. I might also try some different firmware, perhaps Tomato or OpenWRT.

Final question, could this be an iptables issue, if so, what might it be?

Reset to factory defaults might help. Back in the days IPv6 settings couldn't be saved correctly or something, so it might be a bug from older firmwares:)
I had some major trouble when restoring setting files actually.
obviously you have to manually enter all settings again;)

I heard a lot of good stories about tomato, but I'm not too fond of dd-wrt:p

ip-tables stopping you from browsing? it sounds very specific to be just an ip-tables issue imo:confused:

Dapper
17-02-2011, 08:30
Which version of the firmware are you using? I have 1.9.2.7-d-r2381 installed.

I wasn't that keen on dd-wrt either. Tomato looks interesting, I just need to find a distribution that supports IPv6 and L2TP tunnels. The latter is needed to connect to my ISP. Still, I'd rather not go down that path yet, as I'm mostly happy with the current firmware.

favour, if I may. If I post screen shots of my config, along with diagnostics, could you take a look and see if you can spot anything...

Thanks again

wpte
17-02-2011, 12:11
I'm at revision 2605 at the moment.
When you flash a newer version try resetting to factory defaults first.
It might help:)

maros
17-02-2011, 23:04
Hi,
I'm on 1.9.2.7-d-r2381 (wl500gP) and I have some problems with the 6to4 tunnel.

I'm able to ping ipv6.google.com from the router. But it does not work from clients. I've found this message in the log: "Dead loop on virtual device six0, fix it urgently!"

I had to ping the ip6 address of the br0 interface. Then I'm able to ping ipv6.google.com from client. I've also found the same error on http://wl500g.info/showthread.php?t=24357&page=4 - but it is unreadable for me :-(
[00:01:15 marian@gool ~]$ ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8007::69) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

[00:01:20 marian@gool ~]$ ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8007::69) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

[00:04:19 marian@gool ~]$ ping6 2002:bcaf:2821::1
PING 2002:bcaf:2821::1(2002:bcaf:2821::1) 56 data bytes
^C
--- 2002:bcaf:2821::1 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 14999ms

[00:04:38 marian@gool ~]$ ping6 2002:bcaf:2821::1
PING 2002:bcaf:2821::1(2002:bcaf:2821::1) 56 data bytes
64 bytes from 2002:bcaf:2821::1: icmp_seq=8 ttl=64 time=2.65 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=9 ttl=64 time=0.771 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=10 ttl=64 time=0.760 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=11 ttl=64 time=0.724 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=12 ttl=64 time=0.758 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=13 ttl=64 time=0.728 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=14 ttl=64 time=0.703 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=15 ttl=64 time=0.723 ms
64 bytes from 2002:bcaf:2821::1: icmp_seq=16 ttl=64 time=0.722 ms
^C
--- 2002:bcaf:2821::1 ping statistics ---
16 packets transmitted, 9 received, 43% packet loss, time 15002ms
rtt min/avg/max/mdev = 0.703/0.949/2.652/0.602 ms
[00:04:55 marian@gool ~]$ ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8007::69) 56 data bytes
64 bytes from 2a00:1450:8007::69: icmp_seq=1 ttl=57 time=23.8 ms
64 bytes from 2a00:1450:8007::69: icmp_seq=2 ttl=57 time=23.9 ms
64 bytes from 2a00:1450:8007::69: icmp_seq=3 ttl=57 time=23.6 ms
64 bytes from 2a00:1450:8007::69: icmp_seq=4 ttl=57 time=24.0 ms
64 bytes from 2a00:1450:8007::69: icmp_seq=5 ttl=57 time=23.9 ms
64 bytes from 2a00:1450:8007::69: icmp_seq=6 ttl=57 time=24.0 ms
^C
--- ipv6.google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5006ms
rtt min/avg/max/mdev = 23.671/23.929/24.089/0.188 ms
[00:05:09 marian@gool ~]$


Should I try the -ng firmware?

wpte
17-02-2011, 23:32
Hi,
I'm on 1.9.2.7-d-r2381 (wl500gP) and I have some problems with the 6to4 tunnel.

http://translate.google.com/translate?js=n&prev=_t&hl=nl&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http://wl500g.info/showthread.php%3Ft%3D24357%26page%3D4%26langid%3D3
you need to set the langid to 3 so russian characters are displayed correctly:)

Anyway, why don't you try out more recent firmware?
Many changes have been made for the ipv6 tunnel.
Also you might need to reconfigure the router manually for it to work (I had issues with that)

maros
17-02-2011, 23:38
http://translate.google.com/translate?js=n&prev=_t&hl=nl&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http://wl500g.info/showthread.php%3Ft%3D24357%26page%3D4%26langid%3D3
you need to set the langid to 3 so russian characters are displayed correctly:)

Anyway, why don't you try out more recent firmware?
Many changes have been made for the ipv6 tunnel.
Also you might need to reconfigure the router manually for it to work (I had issues with that)

Thanks, I probably do. I used the last available for download, but now I've found there is core.dumped.ru.

wpte
17-02-2011, 23:47
Thanks, I probably do. I used the last available for download, but now I've found there is core.dumped.ru.

and never mention the link in my signature of every post I make:o

maros
18-02-2011, 06:10
and never mention the link in my signature of every post I make:o

Ouuu. It must be my personal adblock :-(

Which fw do you recommend? The kernel 2.4 or 2.6 based?

maros
18-02-2011, 10:02
Ouuu. It must be my personal adblock :-(

Which fw do you recommend? The kernel 2.4 or 2.6 based?

So I flashed 1.9.2.7-d-r2609. Situation unchanged. Radvd is not started automatically, I had to do it manually. And clients are not able to ping ipv6.google.com :-(

theMIROn
18-02-2011, 10:45
Since no logs and settings are described, I'm sure you have IPv6 under-/misconfigured, so it's not a FW-related issue.

maros
18-02-2011, 12:05
Since no logs and settings are described, I'm sure you have IPv6 under-/misconfigured, so it's not a FW-related issue.

What logs you need?

I just found in log these rows:


Jan 1 01:00:09 radvd[78]: attempting to reread config file
Jan 1 01:00:09 radvd[78]: automatically selecting the prefix and Base6to4Interface are mutually exclusive
Jan 1 01:00:09 radvd[78]: error parsing or activating the config file: /etc/radvd.conf


And /etc/radvd.conf content (generated by the firmware on a single line, wrapped here for readability):

interface br0 {
IgnoreIfMissing on;
AdvSendAdvert on;
AdvLinkMTU 1280;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
Base6to4Interface vlan1;
};
};

Diagnostics log is attached. The strange thing is that I'm able to access ipv6 sites from clients after I connect from one to another client via ssh.

Edit: my initial post is there: http://wl500g.info/showpost.php?p=224199&postcount=126

theMIROn
18-02-2011, 14:01
I just found in log these rows:


Jan 1 01:00:09 radvd[78]: attempting to reread config file
Jan 1 01:00:09 radvd[78]: automatically selecting the prefix and Base6to4Interface are mutually exclusive
Jan 1 01:00:09 radvd[78]: error parsing or activating the config file: /etc/radvd.conf

And /etc/radvd.conf content (generated by the firmware on a single line, wrapped here for readability):

interface br0 {
IgnoreIfMissing on;
AdvSendAdvert on;
AdvLinkMTU 1280;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
Base6to4Interface vlan1;
};
};

currently the lan prefix should not be blank or equal to x:y:z:0::/64
the wan prefix should not be equal to the lan prefix.

wpte
18-02-2011, 23:10
I added documentation on how to configure a tunnel due to the amount of problems and questions:)
http://code.google.com/p/wl500g/wiki/GUIIPConfigIPv6HowTo6in4o
Obviously things still could go wrong, but this makes things easier;)

Also added the link in the first post of this thread

maros
19-02-2011, 06:37
currently the lan prefix should not be blank or equal to x:y:z:0::/64
the wan prefix should not be equal to the lan prefix.

But this config is automatically generated :-(

I'm using the 6to4 tunnel (not 6in4):

http://www.kyralovi.cz/tmp/6to4.png

My radvd config:

$ cat /opt/etc/radvd.conf
interface br0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2002:bcaf:2821::/64 {
AdvOnLink off;
AdvAutonomous on;
AdvRouterAddr on;
Base6to4Interface vlan1;
AdvPreferredLifetime 20;
AdvValidLifetime 30;
};
};

Dapper
19-02-2011, 07:25
I added documentation on how to configure a tunnel due to the amount of problems and questions:)
http://code.google.com/p/wl500g/wiki/GUIIPconfigIPv6Tunnelhowto
Obviously things still could go wrong, but this makes things easier;)

Also added the link in the first post of this thread

Thanks for the guide wpte. I haven't had a chance to upgrade the firmware yet, hopefully I'll get to that tomorrow. Just a couple of things to point out about the guide.

The IPv4 server endpoint address is not the same for everyone. In my case it's 216.66.80.30

There are three different /64s used in the connection. In my case:

The Client endpoint - 2001:470:***a:823::2/64 - I believe this should be the WAN Static or local IPv6 address:
The Server endpoint - 2001:470:***a:823::1/64 - I believe this should be the WAN Remote IPv6 gateway:

The Routed /64 for LAN address allocation - 2001:470:***b:823::/64 - I believe this should be the LAN Static IPv6 address:

wpte
19-02-2011, 12:40
I'm using the 6to4 tunnel (not 6in4)

that's meant for when you only have an IPv6 address and still like to access IPv4 addresses on the internet.
So I suggest the 6in4 tunnel;)

the rest looks all right:)
Is this also from HE?

wpte
19-02-2011, 12:53
There are three different /64s used in the connection. In my case:

The Client endpoint - 2001:470:***a:823::2/64 - I believe this should be the WAN Static or local IPv6 address:
The Server endpoint - 2001:470:***a:823::1/64 - I believe this should be the WAN Remote IPv6 gateway:

The Routed /64 for LAN address allocation - 2001:470:***b:823::/64 - I believe this should be the LAN Static IPv6 address:

Yes correct
But I believe the LAN Static IPv6 address should be just like the WAN Remote IPv6 gateway.:)

maros
20-02-2011, 08:13
that's meant for when you only have an IPv6 address and still like to access IPv4 addresses on the internet.
So I suggest the 6in4 tunnel;)

the rest looks all right:)
Is this also from HE?

No:


6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

wiki:6to4 (http://en.wikipedia.org/wiki/6to4)


The advantage is, that the relay server is in my country and it is quicker.

Dapper
20-02-2011, 13:56
Yes correct
But I believe the LAN Static IPv6 address should be just like the WAN Remote IPv6 gateway.:)

But that's the server address. The client endpoint is ::2

Dapper
21-02-2011, 03:16
Finally!

Reset the router to factory defaults
Installed r6214
Reapplied the IPv6 settings described in my post above

Works! :)

Am I correct in thinking ip6tables are now activated by default with IPv6?

Dapper
21-02-2011, 06:18
Following on from my previous post, if, as I suspect from reading this thread, ip6tables are active in the router, once IPv6 has been enabled, I'm a little curious about the results of the HE Ipv6 Port scanner.

When I run the test I get:

Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
5357/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown

I can get my system to filter these and report a clean slate by enabling the Windows 7 firewall.

In terms of what these represent:

135/tcp open msrpc - RPC service

445/tcp open microsoft-ds - SMB over TCP

5357/tcp open unknown - Network Discovery

49152/tcp open unknown - Wininit.exe (Core Windows service)

49153/tcp open unknown - A svchost instance
49154/tcp open unknown - A svchost instance
49155/tcp open unknown - A svchost instance
49156/tcp open unknown - A svchost instance

Each of the svchost containers relates to different services, some of which could be disabled but others not.

49158/tcp open unknown - lsass.exe (Local security authentication server)
This one really needs to be closed.

Because I can filter these using a software firewall, does it mean the ip6tables are opening holes to these services?

Edit: I found another scanner http://www.vikingscan.org/home which also shows ports 134 and 445 as open in the base test against the IPv6 addresses and stealthed against the IPv4 address. On the advanced test the higher number ports were also reported open against the IPv6 address.

wpte
21-02-2011, 10:58
Because I can filter these using a software firewall, does it mean the ip6tables are opening holes to these services?

it looks like you're scanning your client pc?
if so: ipv6 does not have NAT, but every ip6 address is unique and can be accessed without forwarding, which means your own computer needs proper protection from the outside:)
Windows firewall (by the looks you're using windows) should be able to filter IPv6 traffic;)

If you scan from a local machine, it might access the other computers via the local ipv6 address range starting with "fe80".

Anyway, good stuff you have it working.
Is it the way I said or did you simply use the range you mentioned?

theMIROn
21-02-2011, 11:24
firmware has ipv6 auto firewall already, check ip6tables -nvL

Dapper
21-02-2011, 11:43
it looks like you're scanning your client pc?
if so: ipv6 does not have NAT, but every ip6 address is unique and can be accessed without forwarding, which means your own computer needs proper protection from the outside:)
Windows firewall (by the looks you're using windows) should be able to filter IPv6 traffic;)

If you scan from a local machine, it might access the other computers via the local ipv6 address range starting with "fe80".


The scans were online scans and they were using the IPv6 address of the PC as opposed to the IPv6 tunnel endpoint address, on the router. If I scan the endpoint address, it just finds TCP port 21 (FTP) as closed.

I understand IPv6 goes straight through NAT but I thought the point of the rules in the ip6tables, would be to filter unwanted IPv6 traffic from reaching the LAN?

I am on Windows, XP, 7 and 2008R2 and it's easy enough to create firewall rules that block these ports, providing one uses a firewall that works correctly with IPv6. However, if I'm correct, this means I now have to firewall all my LAN clients to explicitly block IPv6 traffic that comes through the router?

Surely it's possible to filter this at the point of entry?



Anyway, good stuff you have it working.
Is it the way I said or did you simply use the range you mentioned?

I used the blocks I mentioned in my earlier post, with the routed block for LAN allocation.



firmware has ipv6 auto firewall already, check ip6tables -nvL


Thanks for that :)


I have a feeling I'm missing something fundamental here!

Dapper
22-02-2011, 08:23
Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables? If so, is this the reason why the implemented ip6tables, if I'm understanding correctly, simply forward all tcp packets?

Assuming the aforementioned is correct, what would be the solutions/work-arounds, to provide better inbound security for IPv6?

Thanks

theMIROn
22-02-2011, 08:46
Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables? If so, is this the reason why the implemented ip6tables, if I'm understanding correctly, simply forward all tcp packets?

Assuming the aforementioned is correct, what would be the solutions/work-arounds, to provide better inbound security for IPv6?

Thanks

Unfortunately, the linux 2.4 ipv6 stateful firewall isn't finished yet; there are things to be fixed before it gets usable.
linux 2.6-based firmware doesn't have this issue, and can be installed on wl500gp/gpv2/w/rt-n10/n12/n16 as well

lly
22-02-2011, 08:47
Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables?
Yes, you are right.

We did an experimental backport of IPv6 conntrack from the 2.6 kernel, but it is still incomplete. Unfortunately, the IPv6 stack in the 2.4 kernel is not fully compatible with netfilter either. So, ip6_conntrack for 2.4 has serious memory leaks for now.

Dapper
22-02-2011, 09:41
Thank you both for your replies :)

Dapper
16-03-2011, 03:07
Just curious, what impact, if any, do the latest changes to the firmware


backports from upstream (IPv6, bridge, mm, net, vfs, netfilter, scsi, netlink)

have on the issues we discussed above?

Thanks

lly
16-03-2011, 07:36
Just curious, what impact, if any, do the latest changes to the firmware

have on the issues we discussed above?

Please read the news carefully: the changes you mentioned relate to the 1.9.2.7-rtn branch, which is kernel 2.6.22 based.

Dapper
17-03-2011, 05:51
Please read the news carefully: the changes you mentioned relate to the 1.9.2.7-rtn branch, which is kernel 2.6.22 based.

My apologies, I stupidly missed the large bold characters at the top :o

May I ask, will there be much work relating to ipv6 on the 'd' builds?

Thanks.

lly
17-03-2011, 07:21
May I ask, will there be much work relating to ipv6 on the 'd' builds?

Not planned. Backporting the IPv6 stack & netfilter features is a really huge task and, since all modern devices support 2.6, has zero priority. Anyway, if someone contributes some patches, we will gladly accept them.

Dapper
18-03-2011, 02:54
Not planned. Backporting the IPv6 stack & netfilter features is a really huge task and, since all modern devices support 2.6, has zero priority. Anyway, if someone contributes some patches, we will gladly accept them.

Ok lly, thanks :) I guess it's time to try the rtn build...

Dapper
22-03-2011, 03:34
I can't believe this! :(

I've just upgraded to 1.9.2.7-rtn-r2775 and all the problems I was experiencing before have returned, can't connect to various ipv6 sites, score 1 out of 10 on test-ipv6 etc.

The tunnel is correctly configured and I can ping -6 all over the place. I can also connect to some ipv6 sites like ipv6.google.com. I've tried this from two different PCs and the results are the same.

Could these problems have anything to do with the way I connect to the Internet, it's Russian Dual Access, with an l2tp tunnel through the ISP LAN to the Internet gateway?

Edit: Out of curiosity, I put SUSE 11.4 on a box and it had the same problems, so whatever the issue is, it's platform independent

wpte
22-03-2011, 15:44
Dapper, that is possible yes.
When I upgraded my WL500W to the rt-n firmware I noticed some settings couldn't be found.
There is a good chance you might need to reconfigure your router for the rt-n firmware, or at least try to restore the settings;)

Dapper
23-03-2011, 09:12
I give up! :(

1. Fresh installation of Windows 7 (nothing else added)
2. Reset router to factory defaults
3. Configured router for IPv6
4. Enabled ping
5. Configured the tunnel
6. Confirmed connectivity with ping and tracert
7. Tried to browse to ipv6 enabled sites such as tunnelbroker.net - Failed
8. Tried test-ipv6 - 1 out of 10

There has to be something obvious I'm missing with the router, because if I remove it from the equation and end the tunnel at a PC, it works. Likewise, if I disable ipv6 on the adapter so I'm connecting with ipv4, it works.

Dapper
05-04-2011, 09:46
For what it's worth, the problem I'm having is the same as the one reported here: http://code.google.com/p/wl500g/issues/detail?id=198 As mentioned above, I too am using l2tp.

I have no idea what the OP did to 'fix' his problem, it would seem a custom compile...

I seem to have found a temporary solution by modifying the ipv6 MTU via netsh:

netsh interface ipv6 set subinterface "name of adapter" mtu=1280

Doing so gives me 10 out of 10 on test-ipv6 and sites load as quickly as they do with ipv4 alone.

However, I don't really understand why I should need to do this only when the router is terminating the tunnel. It seems to suggest PMTU is breaking down somewhere?

outlaw11
09-05-2011, 19:16
I added documentation on how to configure a tunnel due to the amount of problems and questions:)
http://code.google.com/p/wl500g/wiki/GUIIPconfigIPv6Tunnelhowto
Obviously things still could go wrong, but this makes things easier;)

Also added the link in the first post of this thread
Page "GUIIPconfigIPv6Tunnelhowto" Not Found

Can you repost pls?

wpte
09-05-2011, 20:38
Can you repost pls?

ah excuse me, the file name has changed, but it can still be found in the wiki menu:)
anyway, direct link: http://code.google.com/p/wl500g/wiki/GUIIPConfigIPv6HowTo6in4
And I'll edit my post;)

outlaw11
29-05-2011, 16:13
thank you

can you suggest some good or preferred iptables rules with ipv6 tunnel?

wpte
29-05-2011, 18:28
thank you

can you suggest some good or preferred iptables rules with ipv6 tunnel?

The main IPv6 firewall is active by default when the main firewall is turned on, so you shouldn't need extra configuration:)

but you should be able to add some extra things, like opening up port 80 for your router:


#Remove last drop
ip6tables -D INPUT -j DROP
#add extra rules
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
#add the final drop again
ip6tables -A INPUT -j DROP

theMIROn
29-05-2011, 18:46
this way is more secure and convenient, imho:


# set default input rule
iptables -P INPUT DROP
ip6tables -P INPUT DROP
# remove last default rule
iptables -D INPUT -j DROP
ip6tables -D INPUT -j DROP
# allow ...
iptables -A INPUT ... -j ACCEPT
ip6tables -A INPUT ... -j ACCEPT
# allow ...
iptables -A INPUT ... -j ACCEPT
ip6tables -A INPUT ... -j ACCEPT

wpte
30-05-2011, 17:09
True, if "ip6tables -A INPUT -j DROP" for some reason doesn't execute correctly:)
Or if you don't have a default firewall running:)

it works either way:D

radub
24-10-2011, 20:10
My ISP has started rolling IPv6 and offers native IPv6 dual-stacked with IPv4. The requirements are as follows: the router should support PPPoE Ipv6 and Prefix Delegation via DHCPv6. Also, I have to write "ipv6" in the Service Name box. I currently connect via PPPoE, using an Asus WL500gP v1 with DD-WRT, which apparently doesn't support the reqs. above.
I'd like to try Oleg's, but before I start flashing again, can anyone tell me if those 2 features are supported by Oleg's firmware?

PPPoE Ipv6
Prefix Delegation via DHCPv6

outlaw11
25-10-2011, 22:59
Recently my tunnel stopped working with the error message:
"IP is not ICMP pingable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow 66.220.2.74 through your firewall."

Can you suggest an IPTABLES rule to allow ICMP for given ip again?
Thanks

wpte
25-10-2011, 23:03
Recently my tunnel stopped working with error message.

Can you suggest an IPTABLES rule to allow ICMP for given ip again?
Thanks



iptables -I INPUT -p icmp --icmp-type 8 -s 0/0 -d 66.220.2.74 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -p icmp --icmp-type 0 -s 66.220.2.74 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm not sure if you need to have the output one as well... I have ping enabled in the firewall admin page:)

outlaw11
25-10-2011, 23:30
i was thinking of trying that, isn't that a security issue though?

no luck with iptables either :)
iptables v1.4.3.2: Couldn't load match `state':File not found

lly
26-10-2011, 08:12
wpte
Since r2972 "-m state --state" replaced with "-m conntrack --ctstate", see NEWS (http://code.google.com/p/wl500g/wiki/News)

wpte
26-10-2011, 11:19
i was thinking of trying that, isn't that a security issue though?
Well... it used to be, nowadays it's all patched up:p
I mean, people might send a ping to see if your host is alive, but if they want to scan for open ports they usually don't even bother to ping.


wpte
Since r2972 "-m state --state" replaced with "-m conntrack --ctstate", see NEWS (http://code.google.com/p/wl500g/wiki/News)
My bad:o
it was late:p

so it's:

iptables -I INPUT -p icmp --icmp-type 8 -s 0/0 -d 66.220.2.74 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -p icmp --icmp-type 0 -s 66.220.2.74 -d 0/0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
then:)
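Pulling the thread's firewall pieces together, as an added example that is not code from the thread or the wl500g firmware: a default-deny iptables/ip6tables script for a router terminating a 6in4 tunnel on a 2.6-kernel (rtn) build, using -m conntrack as lly noted, accepting protocol 41 only from the tunnel server, letting HE's checker ping the IPv4 endpoint, and keeping the ICMPv6 types that neighbour discovery and PMTUD need. The interface names (vlan1, six0, br0) and the addresses 216.66.80.30 and 66.220.2.74 are taken from the thread; the list of TCP ports the router exposes is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or the wl500g firmware.
# Default-deny firewall for a router terminating a 6in4 tunnel on a
# 2.6-kernel build, where IPv6 conntrack is available (it is not on 2.4).
# Assumed names (taken from the thread): WAN vlan1, tunnel device six0,
# LAN bridge br0, tunnel server 216.66.80.30, HE's ICMP checker 66.220.2.74.
IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}
WAN_IF=${WAN_IF:-vlan1}
TUN_IF=${TUN_IF:-six0}
LAN_IF=${LAN_IF:-br0}
TUN_SERVER_V4=${TUN_SERVER_V4:-216.66.80.30}
HE_PINGER=${HE_PINGER:-66.220.2.74}
# TCP ports the router itself exposes over the tunnel (placeholder: ssh only)
ROUTER_TCP_PORTS=${ROUTER_TCP_PORTS:-22}

# IPv4 side: the tunnel is IP protocol 41 from the server, plus HE's ping check.
ipv4_tunnel_rules() {
  $IPT -I INPUT -i "$WAN_IF" -p 41 -s "$TUN_SERVER_V4" -j ACCEPT
  # Since r2972 the firmware's iptables uses -m conntrack, not -m state
  $IPT -I INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
    -s "$HE_PINGER" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# IPv6 side: INPUT protects the router, FORWARD protects the LAN clients,
# which have globally reachable addresses and no NAT in front of them.
ipv6_firewall_rules() {
  # Policies first, so nothing is exposed while the chains are rebuilt
  $IP6T -P INPUT DROP
  $IP6T -P FORWARD DROP
  $IP6T -P OUTPUT ACCEPT
  $IP6T -F INPUT
  $IP6T -F FORWARD
  $IP6T -A INPUT -i lo -j ACCEPT
  # Return traffic for connections the router or the LAN opened
  $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # ICMPv6 errors are not optional: dropping packet-too-big breaks PMTUD,
  # which is the symptom seen above with a 1280-byte tunnel MTU
  for t in destination-unreachable packet-too-big time-exceeded \
           parameter-problem; do
    $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    $IP6T -A FORWARD -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  # Neighbour discovery and router advertisements on the attached links
  for t in neighbor-solicitation neighbor-advertisement \
           router-solicitation router-advertisement; do
    $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  # Rate-limited echo keeps the router diagnosable without being a ping sink
  $IP6T -A INPUT -p icmpv6 --icmpv6-type echo-request \
    -m limit --limit 5/s -j ACCEPT
  # LAN hosts may talk to the router and go out through the tunnel
  $IP6T -A INPUT -i "$LAN_IF" -j ACCEPT
  $IP6T -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
  # Services the router itself exposes to the IPv6 internet
  for p in $ROUTER_TCP_PORTS; do
    $IP6T -A INPUT -i "$TUN_IF" -p tcp --dport "$p" \
      -m conntrack --ctstate NEW -j ACCEPT
  done
  # Anything else from the tunnel, to the router or the LAN, hits the DROP policy
}

apply_all() {
  ipv4_tunnel_rules
  ipv6_firewall_rules
}
```

Run with `IPT=echo IP6T=echo` to print the rules instead of applying them, and compare the result against `ip6tables -nvL` as theMIROn suggested.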

vdorin
29-11-2011, 21:24
Later edit:

Build 3655 from http://asus.vectormm.net/rtn/ has working pppoe v6 and dhcp6 pd!

Great work! Thank you!


My ISP has started rolling IPv6 and offers native IPv6 dual-stacked with IPv4. The requirements are as follows: the router should support PPPoE Ipv6 and Prefix Delegation via DHCPv6. Also, I have to write "ipv6" in the Service Name box. I currently connect via PPPoE, using an Asus WL500gP v1 with DD-WRT, which apparently doesn't support the reqs. above.
I'd like to try Oleg's, but before I start flashing again, can anyone tell me if those 2 features are supported by Oleg's firmware?

PPPoE Ipv6
Prefix Delegation via DHCPv6


Hi Radu (radub), is your ISP RDS?
Does DHCP6 PD work with oleg firmware?

Thanks

radub
30-11-2011, 20:16
Later edit:

Build 3655 from http://asus.vectormm.net/rtn/ has working pppoe v6 and dhcp6 pd!

Great work! Thank you!



Hi Radu (radub), is your ISP RDS?
Does DHCP6 PD work with oleg firmware?

Thanks

I actually switched to a custom build of TomatoUSB found here (http://openlinksys.info/news.php). It works perfectly with my ISP (yes it's indeed RDS), with dual-stack and all the other stuff (optware, firewall, etc).