
Thread: IPv6 Support

  1. #46
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by lly View Post
    Since you are an IPv6 guru, please explain a few points:

    Why do you use /10 instead of /64 in the following rules?
    Code:
      ip6tables -A INPUT -s fe80::/10 -j ACCEPT
      ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
    Simple explanation:

    Code:
    $ ip -f inet6 add
    1: lo: <LOOPBACK,MULTICAST,UP> mtu 16436 qdisc noqueue
        inet6 ::1/128 scope host
    3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
    4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
    5: vlan0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue
        inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
    6: vlan1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb
        inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
    7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
        inet6 2001:6a0:1a9:ffff::/64 scope global
        inet6 fe80::21f:c6ff:fe27:e8a7/10 scope link
    8: sixtun@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
        inet6 2001:6a0:200:113::2/64 scope global
        inet6 fe80::a05:2001/10 scope link
    9: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        inet6 fe80::2ff:7fff:fe20:f7ba/10 scope link
    Why not /64? Because fe80 is link-local and is not routed in the world, only locally, and this is the standard... but you can use /64; it's only my example script.

  2. #47
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by kamil View Post
    Simple explanation:

    Why not /64? Because fe80 is link-local and is not routed in the world, only locally, and this is the standard... but you can use /64; it's only my example script.
    aha, I thought they got rid of private/local IP ranges in IPv6
    are there any more private ranges? or is this just standard for everyone?

    what about using the scope global and the scope link both to be accepted, is that safe?
    sixtun@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
    inet6 2001:6a0:200:113::2/64 scope global
    inet6 fe80::a05:2001/10 scope link
    Last edited by wpte; 12-11-2009 at 01:40.

  3. #48
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    wpte
    As a starting point, could you add the following recommended rules to your script
    Code:
    # Disable processing of any RH0 packet
    # Which could allow a ping-pong of packets
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    apply rules, issue
    Code:
    ip6tables-save >/tmp/filter6_rules
    and send result to me?
    I will inject these basic rules into rc, commit to svn trunk, and then you can test the new version.

  4. #49
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by wpte View Post
    aha, I thought they got rid of private/local IP ranges in IPv6
    are there any more private ranges? or is this just standard for everyone?

    what about using the scope global and the scope link both to be accepted, is that safe?
    Yes, it's safe... if you are afraid of your Tunnel Broker/ISP, then block this INPUT/OUTPUT/FORWARDING on your tunnel SIT/WAN link-local address

    IPv6 private address class:
    fc00::/7

    but... I'm not using it... link-local addresses auto-configure the network...

    example:

    MAC: 00:50:56:C0:00:01

    link-local: fe80::0250:56ff:fec0:0001

    first 00 - local MAC address... not public MAC address... then it is not included in the link-local address

    http://www.faqs.org/rfcs/rfc2460.html
    Last edited by kamil; 12-11-2009 at 18:02.
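
The MAC-to-link-local mapping in the example above is the modified EUI-64 construction (RFC 4291, Appendix A). The following is an added example, not code from the thread or the firmware: it derives the link-local address from a MAC and recovers the MAC that such an address exposes to every neighbour on the link. The function names are hypothetical; the sample values are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: modified EUI-64 link-local addresses, both directions.

# mac_to_linklocal MAC -> prints fe80::xxxx:xxff:fexx:xxxx (zero-padded groups)
mac_to_linklocal() {
    case $1 in ''|*[!0-9A-Fa-f:-]*) return 1 ;; esac
    old_ifs=$IFS; IFS=':-'
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for o in "$@"; do [ ${#o} -eq 2 ] || return 1; done
    # Insert ff:fe in the middle and flip the universal/local bit (0x02)
    # of the first octet: 00 becomes 02.
    printf 'fe80::%02x%02x:%02xff:fe%02x:%02x%02x\n' \
        $(( 0x$1 ^ 0x02 )) $(( 0x$2 )) $(( 0x$3 )) \
        $(( 0x$4 )) $(( 0x$5 )) $(( 0x$6 ))
}

# linklocal_to_mac ADDR -> prints the MAC embedded in the interface ID;
# returns 1 when the ID has no ff:fe marker (not derived from a MAC).
linklocal_to_mac() {
    iid=${1#fe80::}
    [ "$iid" != "$1" ] || return 1
    case $iid in ''|*[!0-9A-Fa-f:]*) return 1 ;; esac
    old_ifs=$IFS; IFS=':'
    set -- $iid
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for g in "$@"; do
        [ ${#g} -ge 1 ] && [ ${#g} -le 4 ] || return 1
    done
    a=$(( 0x$1 )); b=$(( 0x$2 )); c=$(( 0x$3 )); d=$(( 0x$4 ))
    [ $(( b & 0xff )) -eq 255 ] && [ $(( c >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (a >> 8) ^ 0x02 )) $(( a & 0xff )) $(( b >> 8 )) \
        $(( c & 0xff )) $(( d >> 8 )) $(( d & 0xff ))
}

# Values taken from the thread
mac_to_linklocal 00:50:56:C0:00:01
linklocal_to_mac fe80::21f:c6ff:fe27:e8a7
if ! linklocal_to_mac fe80::a05:2001; then
    echo "fe80::a05:2001: no MAC embedded"
fi
```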

  5. #50
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    wpte
    As a starting point, could you add the following recommended rules to your script
    and send result to me?
    I will inject these basic rules into rc, commit to svn trunk, and then you can test the new version.
    you're talking about the script I was thinking of merging right?
    it's not completely finished yet. First I'm going to eat and I'll send it to you later tonight?


    Yes, it's safe... if you are afraid of your Tunnel Broker/ISP, then block this INPUT/OUTPUT/FORWARDING on your tunnel SIT/WAN link-local address

    IPv6 private address class:
    fc00::/7

    but... I'm not using it... link-local addresses auto-configure the network...

    example:

    MAC: 00:50:56:C0:00:01

    link-local: fe80::0250:56ff:fec0:0001

    first 00 - local MAC address... not public MAC address... then it is not included in the link-local address

    http://www.faqs.org/rfcs/rfc2460.html
    so basically when you think your isp is a hacker you want to block it?

    I'm not sure what you mean by the link-local addresses
    they have parts of the non-public mac address in it...

  6. #51
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Code:
    ip6tables -A INPUT -i $WANIF6 -p tcp -m state --state INVALID -j DROP
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A INPUT -i $WANIF6 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -m state --state NEW -i $ETHLAN -o $WANIF6 -s $GLOBALSCOPE -j ACCEPT
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    these don't work
    error message:
    Code:
    ip6tables: No chain/target/match by that name
    hmm...
    Last edited by wpte; 12-11-2009 at 21:07.

  7. #52
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by wpte View Post
    Code:
    ip6tables -A INPUT -i $WANIF6 -p tcp -m state --state INVALID -j DROP
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A INPUT -i $WANIF6 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -m state --state NEW -i $ETHLAN -o $WANIF6 -s $GLOBALSCOPE -j ACCEPT
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    these don't work
    error message:
    Code:
    ip6tables: No chain/target/match by that name
    hmm...
    I tested... it works... maybe your variables are empty or wrongly defined?

  8. #53
    Join Date
    Nov 2009
    Location
    Poland - Trójmiasto
    Posts
    17
    Quote Originally Posted by wpte View Post
    so basically when you think your isp is a hacker you want to block it?
    no, it's only an example

    I'm not sure what you mean by the link-local addresses
    they have parts of the non-public mac address in it...
    maybe you read the RFC?

    IPv4 can't auto-configure; IPv6 auto-configures when you plug the cable into the socket. This simple configuration makes an IP protocol connection in a local network whether or not there is a DHCP server

  9. #54
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by kamil View Post
    I tested... it works... maybe your variables are empty or wrongly defined?
    no, these tables are not quite suitable for kernel 2.4
    we are walking into the limitations I guess

    I think we need to keep these ip6tables low level only meaning... block anything from the outside, allow everything on the inside and keep track of things like ping and ddos (something which seems to work for now)
    going to rewrite my script, since it's not working

  10. #55
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    no, these tables are not quite suitable for kernel 2.4
    Fortunately, this match is just turned off. Set
    Code:
    CONFIG_IP6_NF_MATCH_RT=y
    in kernel .config and rebuild FW. Will be fixed soon.

    Could you send me your /etc/radvd.conf via PM?

    Quote Originally Posted by kamil View Post
    maybe you read the RFC?
    It's the best solution, but very time hungry
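
The two causes raised in the thread for the "No chain/target/match by that name" error (empty rule variables, and the `rt` match not enabled in the kernel config) can be checked before any rule is loaded. This is an added example, not part of the firmware's scripts: the function names are hypothetical, while the variable names and `CONFIG_IP6_NF_MATCH_RT` are the ones from the posts above.

```shell
#!/bin/sh
# Added example: preflight for a script that loads the posted ip6tables rules.

# missing_vars NAME... -> prints the names that are unset or empty
missing_vars() {
    out=""
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || out="$out${out:+ }$name"
    done
    printf '%s\n' "$out"
}

# config_has FILE OPTION -> 0 if OPTION is built in (=y) or a module (=m)
config_has() {
    grep -Eq "^$2=(y|m)\$" "$1" 2>/dev/null
}

# preflight CONFIG -> prints one line per problem; returns 1 if any was found
preflight() {
    rc=0
    m=$(missing_vars WANIF6 ETHLAN GLOBALSCOPE)
    if [ -n "$m" ]; then
        echo "empty variables: $m"
        rc=1
    fi
    if ! config_has "$1" CONFIG_IP6_NF_MATCH_RT; then
        echo "CONFIG_IP6_NF_MATCH_RT not enabled: '-m rt' rules will fail"
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh /path/to/kernel/.config
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```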

  11. #56
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Fortunately, this match is just turned off. Set
    Code:
    CONFIG_IP6_NF_MATCH_RT=y
    in kernel .config and rebuild FW. Will be fixed soon.
    I've done that, but ipv6 is turned off again
    in fact I can't seem to find any
    Code:
    ifeq ($(CONFIG_IPV6),y)
     COPTS += -DUSE_IPV6
    endif
    export COPTS
    in the dnsmasq makefile
    I just added it myself, let's see what happens again

    edit... nothing
    ipv6 is dead again... hmm
    the sixtun is gone again.

    what I did was: clean everything out (kernel, wl500g-1.9.2.7-d and gateway)
    update svn
    cd /whatever-you-want/broadcom/src/wl500g-1.9.2.7-d
    make kernel
    make
    edit the kernel .config file for the CONFIG_IP6_NF_MATCH_RT=y
    Edit /whatever-you-want/broadcom/src/gateway/Makefile and set MODEL=wl500gp or whichever fits your expectance better.
    add the ipv6 in the .config file
    make koldconfig
    cd /whatever-you-want/broadcom/src/gateway
    make
    make install

    just the same as last time :s
    Last edited by wpte; 13-11-2009 at 21:00.

  12. #57
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    ipv6 is dead again... hmm
    Very strange, moments ago I built r794:
    $ ls /proc/sys/net
    802 core ethernet ipv4 ipv6 unix
    $ dnsmasq -v
    Dnsmasq version 2.51 Copyright (C) 2000-2009 Simon Kelley
    Compile time options IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
    ...
    $ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    $ip6tables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all anywhere anywhere rt type:0
    I didn't perform any manual changes except src/gateway/.config. My build sequence (Sources prepared for compilation):
    • cd src/gateway
    • vi .config
    • make koldconf
    • make
    • make install

  13. #58
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Very strange, moments ago I built r794:

    I didn't perform any manual changes except src/gateway/.config. My build sequence (Sources prepared for compilation):
    • cd src/gateway
    • vi .config
    • make koldconf
    • make
    • make install
    can you send me a build for the wl500w then?

  14. #59
    btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
    http://cvs.litech.org/viewcvs/radvd/CHANGES?view=markup
    size comparison:
    radvd-0.7.3 58Kb, ~20Kb inside FW
    radvd-1.5 91Kb, ~28Kb inside FW
    Is it worth it?

  15. #60
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by theMIROn View Post
    btw, shipped radvd is quite old - 0.7.3, here's the changelog up to the last 1.5
    Personally, I can't score these changes - are they urgent or just minor features? Maybe kamil can advise us?
    Moreover, I'm really wary of the points below from the Changelog:
    Note: this could break deployments with some very old kernels, see more info at:
    i.e. we should spend hours to find all such places due to our 2.4 kernel
