Ipv6: 6to4 on OpenWRT behind NAT


1. Step 1) Flashing router with OpenWRT
2. Step 2) Installing packages
3. Step 3) Calculate your IPv6 prefix and numbers
4. Step 4) Set addresses and routes
5. Step 5) Announce to LAN via radvd
6. Step 6) Verify from client side

Summary

In this little guide, we demonstrate how to activate IPv6 on low cost wireless routers, offering a chance to try out IPv6 even while most ISPs and larger organizations are not yet offering it.

You will be able to use IPv6 on your local LAN, as well as connect to IPv6 resources out on the net.

Remember that this is not the real thing! It is not true IPv6 – it is a transition technique to get us familiar with IPv6. It should not keep us from going all the way (request your IPv6 address space today! :) )

We will be using OpenWRT on a WRT54GL router - but any other device that can run OpenWRT (e.g. Ubiquiti) is fine.

This guide owes a lot to the following guides and their authors (thank you!):

1. http://cagnazzo.name/drupal/6to4 - Carlos Martinez
2. http://olekvi.livejournal.com/866.html - Ole Bendik Kvisberg

also:

• http://www.757.org/~joat/wiki/index.php/IPv6_on_the_WRT54G_via_OpenWRT
• http://www.exit2shell.com/~skreuzer/openwrt-ipv6.html

What we are doing here is different from guide 1 in that we put a 6to4 gateway directly on to the wireless router, not on a PC behind it, and from guide 2 in that we are using a 6to4 gateway rather than a designated tunnel. A tunnel depends on your IPv4 being public and pingable, whereas our approach also works for devices behind NAT and firewalls prohibiting ping / ICMP.

This guide does not explain the background and concepts behind IPv6, addressing, tunneling or the tools we are using - you might want to read up on these to fully understand what you are doing. Wikipedia is a good starting point: http://en.wikipedia.org/wiki/Ipv6

Step 1) Flashing router with OpenWRT

Flash your router with the appropriate version of OpenWRT http://openwrt.org/ - in our case, for a Linksys WRT54GL, this: http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-wrt54g-squashfs.bin or for Ubiquiti devices, look here: http://downloads.openwrt.org/kamikaze/8.09.2/atheros/

Step 2) Installing packages

ssh into the router and edit /etc/opkg.conf to point at a valid repository, e.g. http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/packages/

Add the packages needed for IPv6:

# opkg update

# opkg install kmod-ipv6 kmod-tun kmod-ip6tables ip ip6tables radvd

Step 3) Calculate your IPv6 prefix and numbers

Find out your router's publicly visible IPv4 number, e.g. by going to http://www.whatismyip.com/ or doing a

ifconfig

or

ip -4 addr show

From here on we will assume as an example an IPv4 number of 130.226.141.57 – of course you should use your own public IP here!

My Ipv4 number in decimals: ......

You can use the command sipcalc to express this in hexadecimals (hex):

82E2:8D39

My IPv4 number in hexadecimals: ......

My IPv6 for use in a 6to4 gateway becomes

2002:<IPv4 in hex>::1

so in our case

2002:82E2:8D39::1

My IPv6 number for 6to4: ......

Note that you now have a /48 net, which we complete to make a 64-bit prefix by adding an arbitrary 4th quartet, for use as the prefix for our LAN. We will announce this via radvd later, e.g. 2002:82E2:8D39:ffff::1

My Ipv6 prefix for my LAN: ......
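
The Step 3 calculation as a script, added here as an example and not part of the original guide: it derives the values used in Step 4 from the IPv4 address and refuses private or otherwise non-routable addresses, since a router behind NAT shows such an address on its WAN interface while 6to4 needs the public one. The function names are invented for this example, and hex is printed in lowercase.

```shell
#!/bin/sh
# Added example (not from the original guide): derive the 6to4 values of
# Step 3 from an IPv4 address. Function names are chosen for this example.

# Succeeds only for addresses usable as a 6to4 base, i.e. globally routable.
is_public_ipv4() {
    if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then return 1; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi   # RFC 1918
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi                    # RFC 1918
    if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi                    # link-local
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi  # carrier-grade NAT
    return 0
}

# sixto4_plan IPV4 [SUBNET]: prints ipv6_tunnel, ipv6_prefix and ipv6_LAN.
# SUBNET is the arbitrary 4th quartet (1-4 hex digits, default ffff).
sixto4_plan() {
    ip=$1
    subnet=${2:-ffff}
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid IPv4 address: $ip" >&2; return 1 ;;
    esac
    case "$subnet" in
        ''|*[!0-9a-fA-F]*|?????*) echo "invalid subnet id: $subnet" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # split into octets $1..$4
    if [ $# -ne 4 ]; then echo "invalid IPv4 address: $ip" >&2; return 1; fi
    for o in "$@"; do
        # reject leading zeros (printf would read them as octal) and values > 255
        case "$o" in 0?*|????*) echo "invalid octet: $o" >&2; return 1 ;; esac
        if [ "$o" -gt 255 ]; then echo "invalid octet: $o" >&2; return 1; fi
    done
    if ! is_public_ipv4 "$1" "$2"; then
        echo "$ip is not a public address; 6to4 needs the public IPv4" >&2
        return 1
    fi
    base=$(printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4")
    echo "ipv6_tunnel=$base::1/48"
    echo "ipv6_prefix=$base:$subnet::/64"
    echo "ipv6_LAN=$base:$subnet::1/64"
}

# Sample input: the example address used in this guide.
sixto4_plan 130.226.141.57
```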

Step 4) Set addresses and routes

So we will need the following addresses and prefixes - remember that the values here are just examples - you need to adjust them based on your public IPv4 number!

Example values (note your own numbers next to them):

our public IPv4: ipv4_public = 130.226.141.57

our global ipv6 for the tunnel: ipv6_tunnel = 2002:82E2:8D39::1

our ipv6 prefix for the LAN: ipv6_prefix = 2002:82E2:8D39:ffff::/64

ipv6 address for our LAN interface: ipv6_LAN = 2002:82E2:8D39:ffff::1/64

then we do:

# create and bring up tunnel
ip tunnel add tun6to4 mode sit remote any local <ipv4_public>
ip link set dev tun6to4 up
# assign ipv6 addr to tunnel
ip -6 addr add <ipv6_tunnel>/48 dev tun6to4
# assign ipv6 addr to LAN (ipv6_LAN as listed above already carries the /64)
ip -6 addr add <ipv6_LAN> dev br-lan
# add a default route via 6to4 magic
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1

Replace the <...> placeholders with your own values from the list above. ::192.88.99.1 is the "magic" anycast address of the 6to4 protocol.

After this, you should be able to verify by pinging any existing ipv6 resource, e.g. ipv6.google.com

root@OpenWrt:/etc/config# ping6 2a00:1450:8001::68
PING 2a00:1450:8001::68 (2a00:1450:8001::68): 56 data bytes
64 bytes from 2a00:1450:8001::68: seq=0 ttl=56 time=36.657 ms
64 bytes from 2a00:1450:8001::68: seq=1 ttl=56 time=35.738 ms
64 bytes from 2a00:1450:8001::68: seq=2 ttl=56 time=43.656 ms

Step 5) Announce to LAN via radvd

We will be using radvd, the router advertisement daemon, to tell LAN clients about the routes available to them. This replaces DHCP as we know it from IPv4. Clients will learn about the IPv6 prefix and then self-configure the rest of their address.

Here's an example for an /etc/radvd.conf

# announce our net on the interface bridging LAN and WAN
interface br-lan
{
    IgnoreIfMissing on;
    AdvSendAdvert on;
    # Advertise at least every 30 seconds
    MaxRtrAdvInterval 30;
    # announce the prefix - it leaves the first 3 quartets free for the existing 2002: prefix
    prefix 0:0:0:ffff::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        # for 6to4, need to announce the 6to4 interface - check out which one that is!
        Base6to4Interface eth0.1;
        # Very short lifetimes for dynamic addresses - bit TOO short here :) for testing purposes
        AdvValidLifetime 60;
        AdvPreferredLifetime 10;
    };
};

Once you have configured this, you can test it by doing

radvd -C /etc/radvd.conf -d 4 -m stderr

Watch the output for problems!

Step 6) Verify from client side

At this point, your clients should receive the radvd adverts, and you can check this by doing

radvdump

example output:

root@sbut:/home/sebastian# radvdump
#
# radvd configuration generated by radvdump 1.2
# based on Router Advertisement from fe80::200:ff:fe00:0
# received by interface eth0
#
interface eth0
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 0;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;

    prefix 2002:82e2:8d39:ffff::/64
    {
        AdvValidLifetime 600;
        AdvPreferredLifetime 300;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition

}; # End of interface definition

and

ip -6 addr show

to check whether the ipv6 addresses autoconfigured properly. Example output:

2: eth0: mtu 1500 qlen 100
    inet6 2002:82e2:8d39:ffff:21f:16ff:fe2e:4801/64 scope global dynamic
       valid_lft 587sec preferred_lft 287sec
    inet6 fe80::21f:16ff:fe2e:4801/64 scope link
       valid_lft forever preferred_lft forever

Also,

ip -6 neigh show

should show you the neighbouring routers, like so, example output:

root@sbut:/home/sebastian# ip -6 neigh show
fe80::200:ff:fe00:0 dev eth0 lladdr 00:25:9c:3c:12:98 router REACHABLE

All your LAN clients should be able to fully use IPv6 at this point - but note: we have not configured any IPv6 firewalls or ip6tables so far. We have not prepared any security tools for IPv6.

So there's still work to be done .... and also, don't forget to get your real IPv6 address space :)