[TriLUG] Late night IPv6

Igor Partola igor at igorpartola.com
Mon Jun 10 12:16:30 EDT 2013


Bill,

Over the weekend I installed OpenWRT on my router, so I can see what is
going on here, and because OpenWRT seems pretty cool compared to DD-WRT.

So, first of all, it looks like OpenWRT has wrapped lots of
application-specific configuration into its own config file format that
lives in /etc/config/ and is often, but not always, controlled via the web
interface (LuCI). This is both good and bad. It's good because you now have
a standard unified interface for lots of different apps. Bad, because
instructions like the ones I provided do not work well here since there is
way more than meets the eye.

Having said that, I think I figured out a good way to do things. What I
ended up doing is loosely following instructions at
http://wiki.openwrt.org/doc/howto/ipv6 to set up the Hurricane Electric
tunnel and then the firewall. The tunnel setup is fairly straightforward:
install 6in4 and luci-proto-6x4 packages, create a new interface in
/etc/config/network:

config interface henet
        option proto 6in4
        option peeraddr  '209.51.161.14'
        option ip6addr   '2001:470:XXXX:XXXX::2/64'
        option tunnelid  '123456'
        option username  '764efa883dda1e11db47671c4a3bbd9e'
        option password  '91fc14ad02afd60985bb8165bda320a6'

(Note: username and password are md5sum() of your actual username and
password). You will also want to add an IPv6 address based out of your
"routed subnet" to your "lan" interface:

config interface 'lan'
        ...
        option ip6addr '2001:470:XXXX:XXXX::1/64'
        ...

Next, edit /etc/config/firewall, and add the new henet interface to your
"wan" zone:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan henet'

Next, edit /etc/config/firewall again, and add the following rules:

config rule
        option target 'ACCEPT'
        option name '6to4'
        option src 'wan'
        option proto '41'

config rule
        option name 'allow-ssh'
        option dest '*'
        option proto 'tcp'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        option src '*'

config rule
        option name 'my-workstation-that-has-own-firewall'
        option src '*'
        option family 'ipv6'
        option target 'ACCEPT'
        option dest '*'
        option dest_ip '2001:470:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX'

I am not certain that the first rule is necessary, but the docs say it will
explicitly allow IPv6-in-IPv4 (protocol 41) to pass through to the router.

You will also want to make sure radvd is installed (LuCI has a separate UI
module for that as well), so that your LAN devices will get their own IPv6
addresses, but that is well documented already and should be
straightforward. The biggest thing: make sure that you use the "routed
subnet" not the tunnel endpoint IP address.

The above configuration seems to work for me. If you look under the web GUI
for your router under Network -> Firewall -> Traffic Rules, you should see
these rules detailed there in a reasonably human-readable format. You can
definitely use `ip6tables -L -nv` to verify them too, but it seems to me
that because of how OpenWRT breaks all the rules into more tables than just
INPUT, OUTPUT, FORWARD, it may be easier to go with the flow and just use
their interfaces for this.

Hope this helps.

Igor
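The procedure above (tunnel interface, LAN address from the routed subnet, wan zone membership, protocol-41 and SSH rules) as one script, added here as an example rather than code from the original message or from the OpenWrt project. It emits `uci batch` commands instead of hand-editing the files under /etc/config/, hashes the credentials with md5sum as the message describes, and refuses to continue when the LAN address falls inside the tunnel endpoint /64 (the "routed subnet" caveat). The function names are my own, the 2001:db8::/32 prefixes in the usage are constructed documentation values, and the script assumes the default firewall layout in which the wan zone is the second zone section (@zone[1]); check that with `uci show firewall` before piping anything into `uci batch`. The protocol-41 rule is restricted to `family 'ipv4'`, since 6in4 encapsulation only ever arrives over IPv4.

```shell
#!/bin/sh
# Added example, not from the original message: generate `uci batch` input
# for a HE.net 6in4 tunnel on OpenWrt. Function names are hypothetical;
# prefixes used in the usage at the bottom are constructed 2001:db8::/32 values.

# Hash a credential the way the message describes (md5sum of the value).
he_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | awk '{print $1}'
    else
        printf '%s' "$1" | openssl dgst -md5 | awk '{print $NF}'
    fi
}

# Strip prefix length and host part: 2001:db8:1:2::1/64 -> 2001:db8:1:2
prefix_of() {
    printf '%s' "$1" | sed 's#/.*##; s#::.*##'
}

# The caveat from the message: the LAN address must come from the routed
# subnet, not from the tunnel endpoint /64. Succeeds only when the /64s differ.
check_routed_subnet() {
    [ "$(prefix_of "$1")" != "$(prefix_of "$2")" ]
}

# Emit uci batch commands on stdout. Arguments:
#   user pass tunnel_id peer_ipv4 endpoint_ipv6/64 lan_ipv6/64
# Assumption: wan is the second firewall zone section (@zone[1]), as in the
# default config; verify with `uci show firewall` before applying.
uci_batch_6in4() {
    user=$1; pass=$2; tunnel_id=$3; peer=$4; endpoint=$5; lan6=$6
    if ! check_routed_subnet "$endpoint" "$lan6"; then
        echo "error: $lan6 is in the tunnel /64; use the routed subnet for lan" >&2
        return 1
    fi
    cat <<EOF
set network.henet=interface
set network.henet.proto='6in4'
set network.henet.peeraddr='$peer'
set network.henet.ip6addr='$endpoint'
set network.henet.tunnelid='$tunnel_id'
set network.henet.username='$(he_md5 "$user")'
set network.henet.password='$(he_md5 "$pass")'
set network.lan.ip6addr='$lan6'
set firewall.@zone[1].network='wan henet'
add firewall rule
set firewall.@rule[-1].name='6in4-proto41'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='41'
set firewall.@rule[-1].family='ipv4'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='allow-ssh'
set firewall.@rule[-1].src='*'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='22'
set firewall.@rule[-1].family='ipv6'
set firewall.@rule[-1].target='ACCEPT'
commit network
commit firewall
EOF
}

# Usage on the router (constructed values), then restart network and firewall:
# uci_batch_6in4 'he_user' 'he_pass' '123456' '209.51.161.14' \
#     '2001:db8:1:1::2/64' '2001:db8:2:1::1/64' | uci batch
```

Run it once with the output going to a file and read it before applying; after `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `ip6tables -L -nv` should show the two accept rules and `ip -6 addr show br-lan` the routed-subnet ::1 address.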

