[TriLUG] Late night IPv6
Igor Partola
igor at igorpartola.com
Mon Jun 10 12:18:05 EDT 2013
Forgot to mention, of course you'll have to restart various services if you
edit the config files directly. After you are done editing things, simply
run:
$ /etc/init.d/network restart
$ /etc/init.d/firewall restart
or reboot the router.
Igor
On Mon, Jun 10, 2013 at 12:16 PM, Igor Partola <igor at igorpartola.com> wrote:
> Bill,
>
> Over the weekend I installed OpenWRT on my router, so I can see what is
> going on here, and because OpenWRT seems pretty cool compared to DD-WRT.
>
> So, first of all, it looks like OpenWRT has wrapped lots of
> application-specific configuration into its own config file format that
> lives in /etc/config/ and is often, but not always, controlled via the web
> interface (LuCI). This is both good and bad. It's good because you now have
> a standard unified interface for lots of different apps. Bad, because
> instructions like the ones I provided do not work well here, since there is
> way more than meets the eye.
>
> Having said that, I think I figured out a good way to do things. What I
> ended up doing is loosely following instructions at
> http://wiki.openwrt.org/doc/howto/ipv6 to set up the Hurricane Electric
> tunnel and then the firewall. The tunnel setup is fairly straightforward:
> install 6in4 and luci-proto-6x4 packages, create a new interface in
> /etc/config/network:
>
> config interface henet
>     option proto 6in4
>     option peeraddr '209.51.161.14'
>     option ip6addr '2001:470:XXXX:XXXX::2/64'
>     option tunnelid '123456'
>     option username '764efa883dda1e11db47671c4a3bbd9e'
>     option password '91fc14ad02afd60985bb8165bda320a6'
>
> (Note: username and password are md5sum() of your actual username and
> password). You will also want to add an IPv6 address based out of your
> "routed subnet" to your "lan" interface:
>
> config interface 'lan'
>     ...
>     option ip6addr '2001:470:XXXX:XXXX::1/64'
>     ...
>
> Next, edit /etc/config/firewall, and add the new henet interface to your
> "wan" zone:
>
> config zone
>     option name 'wan'
>     option input 'REJECT'
>     option output 'ACCEPT'
>     option forward 'REJECT'
>     option masq '1'
>     option mtu_fix '1'
>     option network 'wan henet'
>
> Next, edit /etc/config/firewall again, and add the following rules:
>
> config rule
>     option target 'ACCEPT'
>     option name '6to4'
>     option src 'wan'
>     option proto '41'
>
> config rule
>     option name 'allow-ssh'
>     option dest '*'
>     option proto 'tcp'
>     option dest_port '22'
>     option family 'ipv6'
>     option target 'ACCEPT'
>     option src '*'
>
> config rule
>     option name 'my-workstation-that-has-own-firewall'
>     option src '*'
>     option family 'ipv6'
>     option target 'ACCEPT'
>     option dest '*'
>     option dest_ip '2001:470:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX'
>
> I am not certain that the first rule is necessary, but the docs say it
> will explicitly allow IPv6-in-IPv4 (protocol 41) to pass through to the
> router.
>
> You will also want to make sure radvd is installed (LuCI has a separate UI
> module for that as well), so that your LAN devices will get their own IPv6
> addresses, but that is well documented already and should be
> straightforward. The biggest thing: make sure that you use the "routed
> subnet" not the tunnel endpoint IP address.
>
> The above configuration seems to work for me. If you look under the web
> GUI for your router under Network -> Firewall -> Traffic Rules, you should
> see these rules detailed there in a reasonably human-readable format. You
> can definitely use `ip6tables -L -nv` to verify them too, but it seems to
> me that because of how OpenWRT breaks all the rules into more tables than
> just INPUT, OUTPUT, FORWARD, it may be easier to go with the flow and just
> use their interfaces for this.
>
> Hope this helps.
>
> Igor
>
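As an added example (not code from the post or from OpenWRT): a small Python checker that parses the UCI rule format shown above and reports, for each ACCEPT rule, whether it is open on source, destination or port, so rules like allow-ssh (src '*') can be reviewed before they go live. The three rules from the post are embedded as a constructed sample with the placeholder address kept; src_ip, dest_ip and dest_port are existing UCI firewall rule options.

```python
import re
SAMPLE_FIREWALL = """config rule
    option target 'ACCEPT'
    option name '6to4'
    option src 'wan'
    option proto '41'
config rule
    option name 'allow-ssh'
    option dest '*'
    option proto 'tcp'
    option dest_port '22'
    option family 'ipv6'
    option target 'ACCEPT'
    option src '*'
config rule
    option name 'my-workstation-that-has-own-firewall'
    option src '*'
    option family 'ipv6'
    option target 'ACCEPT'
    option dest '*'
    option dest_ip '2001:470:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX'
"""  # constructed sample: the post's three rules; XXXX marks a placeholder address

def parse_uci(text):
    """Parse UCI 'config'/'option' lines into [{'type', 'name', 'options'}]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"^\s*(config|option)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue  # blank lines, comments and 'list' entries are not needed here
        kind, key, value = m.group(1), m.group(2), m.group(3).strip().strip("'\"")
        if kind == "config":
            sections.append({"type": key, "name": value or None, "options": {}})
        elif sections:
            sections[-1]["options"][key] = value
    return sections

def audit_rules(sections):
    """Map each ACCEPT rule's name to the ways it is broader than a host-pinned rule."""
    findings = {}
    for s in sections:
        o = s["options"]
        if s["type"] != "rule" or o.get("target") != "ACCEPT":
            continue
        checks = [  # (finding, condition); src_ip/dest_ip/dest_port are UCI rule options
            ("unrestricted source", o.get("src") in ("*", "wan") and "src_ip" not in o),
            ("any destination", o.get("dest") == "*" and "dest_ip" not in o),
            ("all protocols and ports", "proto" not in o and "dest_port" not in o),
        ]
        findings[o.get("name") or s["name"] or "?"] = [n for n, bad in checks if bad]
    return findings
```

Run `audit_rules(parse_uci(open("/etc/config/firewall").read()))` on the router to review the live file; the 6to4 rule, for instance, could be narrowed with a src_ip matching the tunnel peer.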