[TriLUG] OpenWRT, IPv6 and Firewall

Igor Partola igor at igorpartola.com
Sun Feb 2 20:10:13 EST 2014


Brian,

I was thinking of luci-proto-6x4. You would also need the following: `6in4
ip6tables kmod-ip6tables kmod-ipv6`.

The firewall rules I have (all defined in the GUI, but as listed in
/etc/config/firewall) are:

# Allow pinging over IPv6 of any host on the LAN
config rule
        option target 'ACCEPT'
        option src '*'
        option dest '*'
        option name 'Allow-Ping6'
        option family 'ipv6'
        option proto 'icmp'
        list icmp_type 'echo-request'

# Allow SSH to any host on the LAN over IPv6

config rule
        option target 'ACCEPT'
        option dest_port '22'
        option dest '*'
        option src 'wan'
        option proto 'tcp'
        option family 'ipv6'
        option name 'ssh-ipv6'

I believe the docs suggest allowing IPv4 protocol 41, but I didn't find
that necessary as I don't think it's restricted.

As for the networking setup in /etc/config/network, here's what I had:

# Added this at the end of `config interface 'lan'`:

        # first address in the routed subnet from Tunnel Broker
        option ip6addr '2001:470:xxxx:xxxx::1/64'

# Added this at the end (once again defined via the web GUI):

config interface 'henet'
        option proto '6in4'
        option peeraddr '209.51.161.14'
        option ip6addr '2001:470:xxxx:xxxx::2'
        option tunnelid 'SECRET'
        option username 'SECRET'
        option password 'BIG SECRET'
        option ttl '64'
        option mtu '1480'

My radvd config in /etc/config/radvd looks like this:

config interface
    option interface 'lan'
    option AdvSendAdvert '1'
    list client ''
    option ignore '0'
    option IgnoreIfMissing '1'
    option AdvSourceLLAddress '1'
    option AdvDefaultPreference 'medium'
    option MinRtrAdvInterval '30'
    option MaxRtrAdvInterval '600'

config prefix
    option interface 'lan'
    list prefix '2001:470:xxxx:xxxx::/64'
    option AdvOnLink '1'
    option AdvAutonomous '1'
    option AdvRouterAddr '0'
    option ignore '0'

config route
    option interface 'lan'
    list prefix ''
    option ignore '1'

config rdnss
    option interface 'lan'
    list addr '2001:470:xxxx:xxxx::2'
    option ignore '0'

config dnssl
    option interface 'lan'
    list suffix ''
    option ignore '1'

Hope that helps. I really should either figure out how to update the
OpenWRT Wiki or just write a blog post about this since questions about
OpenWRT + TunnelBroker keep coming up.

Let us know how you make out.

Igor
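
Added example, not part of the original message: a small auditor for /etc/config/firewall that lists ACCEPT rules forwarding IPv6 to every zone with no dest_ip, which on a routed /64 without NAT means every LAN host is reachable for that protocol and port. The sample text is constructed to mirror the two rules above; the function names and the treatment of a missing `family` as 'any' are assumptions of this example.

```python
import shlex

# Constructed sample in /etc/config/firewall syntax, mirroring the two rules in the post.
SAMPLE = """\
config rule
        option target 'ACCEPT'
        option src '*'
        option dest '*'
        option name 'Allow-Ping6'
        option family 'ipv6'
        option proto 'icmp'

config rule
        option target 'ACCEPT'
        option dest_port '22'
        option dest '*'
        option src 'wan'
        option proto 'tcp'
        option family 'ipv6'
        option name 'ssh-ipv6'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if tokens[:1] == ["config"] and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[:1] in (["option"], ["list"]) and len(tokens) >= 3 and sections:
            opts = sections[-1][1]
            if tokens[0] == "list":
                opts.setdefault(tokens[1], []).append(tokens[2])
            else:
                opts[tokens[1]] = tokens[2]
    return sections

def wide_open_ipv6_rules(text):
    """Return (name, proto, port) for ACCEPT rules forwarding IPv6 to all zones with no dest_ip."""
    findings = []
    for stype, o in parse_uci(text):
        # Assumption: a rule without 'family' applies to both IPv4 and IPv6.
        ipv6 = o.get("family", "any") in ("ipv6", "any")
        broad = o.get("src") in ("wan", "*") and o.get("dest") == "*" and "dest_ip" not in o
        if stype == "rule" and o.get("target") == "ACCEPT" and ipv6 and broad:
            findings.append((o.get("name", "(unnamed)"), o.get("proto", "any"), o.get("dest_port", "any")))
    return findings

if __name__ == "__main__":
    print(wide_open_ipv6_rules(SAMPLE))
```

A rule that carries a dest_ip for one specific host is not reported, so pinning the SSH rule to a single address clears its finding.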

