IPv6: 6to4 on OpenWRT router behind NAT
Summary
In this little guide, we demonstrate how to activate IPv6 on low cost wireless routers, offering a chance to try out IPv6 even while most ISPs and larger organizations are not yet offering it.
You will be able to use IPv6 on your local LAN, as well as connect to IPv6 resources out on the net.
Remember that this is not the real thing! It is not true IPv6 – it is a transition technique to get us familiar with IPv6. It should not keep us from going all the way (request your IPv6 address space today! :) )
We will be using OpenWRT on a Linksys WRT54GL router - but any other device that can run OpenWRT (e.g. Ubiquiti) is fine.
This guide owes a lot to the following guides and their authors (thank you!):
1. http://cagnazzo.name/drupal/6to4 - Carlos Martinez
2. http://olekvi.livejournal.com/866.html - Ole Bendik Kvisberg
also:
• http://www.757.org/~joat/wiki/index.php/IPv6_on_the_WRT54G_via_OpenWRT
• http://www.exit2shell.com/~skreuzer/openwrt-ipv6.html
What we are doing here is different from guide 1 in that we put a 6to4 gateway directly on to the wireless router, not on a PC behind it, and from guide 2 in that we are using a 6to4 gateway rather than a designated tunnel. A tunnel depends on your IPv4 being public and pingable, whereas our approach also works for devices behind NAT and firewalls prohibiting ping / ICMP.
This guide does not explain the background and concepts behind IPv6, addressing, tunneling or the tools we are using - you might want to read up on these to fully understand what you are doing. Wikipedia is a good starting point: http://en.wikipedia.org/wiki/Ipv6
Step 1) Flashing router with OpenWRT
Flash your router with the appropriate version of OpenWRT (http://openwrt.org/). In our case, for a Linksys WRT54GL, this is:
http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-wrt54g-squashfs.bin
or for Ubiquiti devices, look here:
http://downloads.openwrt.org/kamikaze/8.09.2/atheros/
Step 2) Installing packages
ssh into the router and edit
/etc/opkg.conf to point at a valid repository, e.g. http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/packages/
Add the packages needed for IPv6:
# opkg update
# opkg install kmod-ipv6 kmod-tun kmod-ip6tables ip ip6tables radvd
Step 3) Calculate your IPv6 prefix and numbers
Find out your router's publicly visible IPv4 number, e.g. by going to
http://www.whatismyip.com/ or doing a
ifconfig or
ip -4 addr show
From here on we will assume as an example an IPv4 number of 130.226.141.57 – of course you should use your own public IP here!
My IPv4 number in decimals: ......
You can use the command
sipcalc to express this in hexadecimals (hex):
82E2:8D39
My IPv4 number in hexadecimals: ......
My IPv6 for use in a 6to4 gateway becomes
2002:
2002:82E2:8D39::1
My IPv6 number for 6to4: ......
Note that you now have a /48 net, which we complete to make a 64-bit prefix by adding an arbitrary 4th quartet, for use as the prefix for our LAN. We will announce this via radvd later.
e.g. 2002:82E2:8D39:ffff::1
My IPv6 prefix for my LAN: ......
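The calculation in step 3, as an added example that is not part of the original guide: a POSIX shell function that derives the 6to4 prefix from the IPv4 address and prints the four values step 4 works with. The function names sixto4_prefix and sixto4_plan are made up here, and the rejection of private and other non-public addresses goes beyond what the guide states.

```shell
#!/bin/sh
# Added example: derive the 6to4 values of steps 3 and 4 from an IPv4 address.
# POSIX sh, so it also runs in the BusyBox shell on the router.

# sixto4_prefix A.B.C.D -> prints "2002:xxxx:xxxx" (the /48); returns 1 if
# the input is malformed or not a globally routable unicast address.
sixto4_prefix() {
    orig=$1
    old_ifs=$IFS; IFS=.
    set -- $orig                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$orig" ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|????*|0?*) return 1 ;;   # digits only, no leading zero
        esac
        [ "$o" -le 255 ] || return 1
    done
    # A private, loopback, link-local, CGN or multicast address (for example
    # the WAN address ifconfig shows on a router behind NAT) gives a prefix
    # that nothing on the internet can route back to.
    case $1.$2 in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
    if [ "$1" -ge 224 ]; then return 1; fi
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# sixto4_plan A.B.C.D [SUBNET] -> the four values step 4 works with.
# SUBNET is the arbitrary 4th quartet (1-4 hex digits), default ffff.
sixto4_plan() {
    p=$(sixto4_prefix "$1") || return 1
    subnet=${2:-ffff}
    case $subnet in
        ''|*[!0-9a-fA-F]*|?????*) return 1 ;;
    esac
    echo "ipv4_public=$1"
    echo "ipv6_tunnel=${p}::1"
    echo "ipv6_prefix=${p}:${subnet}::/64"
    echo "ipv6_LAN=${p}:${subnet}::1/64"
}
```

Run it as sixto4_plan 130.226.141.57 to reproduce the example numbers of this guide in lowercase hex.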
Step 4) Set addresses and routes
So we will need the following addresses and prefixes - remember that the values here are just examples - you need to adjust them based on your public IPv4 number!
Example values (note your own numbers next to them):
our public IPv4: ipv4_public = 130.226.141.57
our global IPv6 for the tunnel: ipv6_tunnel = 2002:82E2:8D39::1
our IPv6 prefix for the LAN: ipv6_prefix = 2002:82E2:8D39:ffff::/64
IPv6 address for our LAN interface: ipv6_LAN = 2002:82E2:8D39:ffff::1/64
then we do:
# create and bring up tunnel
ip tunnel add tun6to4 mode sit remote any local
After this, you should be able to verify by pinging any existing IPv6 resource, e.g. ipv6.google.com
root@OpenWrt:/etc/config# ping6 2a00:1450:8001::68
PING 2a00:1450:8001::68 (2a00:1450:8001::68): 56 data bytes
64 bytes from 2a00:1450:8001::68: seq=0 ttl=56 time=36.657 ms
64 bytes from 2a00:1450:8001::68: seq=1 ttl=56 time=35.738 ms
64 bytes from 2a00:1450:8001::68: seq=2 ttl=56 time=43.656 ms
Step 5) Announce to LAN via radvd
We will be using radvd, the router advertisement daemon, to tell LAN clients about the routes available to them. This replaces DHCP as we know it from IPv4. Clients will learn about the IPv6 prefix and then self-configure the rest of their address.
Here's an example /etc/radvd.conf:
# announce our net on the interface bridging LAN and WAN/internet
interface br-lan {
    IgnoreIfMissing on;
    AdvSendAdvert on;
    # Advertise at least every 30 seconds
    MaxRtrAdvInterval 30;
    # announce the prefix it leaves the first 3 quartets free for the existing 2002:
Once you have configured this, you can test it by doing
radvd -C /etc/radvd.conf -d 4 -m stderr
Watch the output for problems!
Step 6) Verify from client side
At this point, your clients should receive the radvd adverts, and you can check this by doing
radvdump
example output:
root@sbut:/home/sebastian# radvdump
#
# radvd configuration generated by radvdump 1.2
# based on Router Advertisement from fe80::200:ff:fe00:0
# received by interface eth0
#
interface eth0
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 0;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;
    prefix 2002:82e2:8d39:ffff::/64
    {
        AdvValidLifetime 600;
        AdvPreferredLifetime 300;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
}; # End of interface definition
and
ip -6 addr show
example output:
2: eth0:
ip -6 neigh show
should show you the neighbouring routers, like so (example output):
root@sbut:/home/sebastian# ip -6 neigh show
fe80::200:ff:fe00:0 dev eth0 lladdr 00:25:9c:3c:12:98 router REACHABLE
All your LAN clients should be able to fully use IPv6 at this point - but note: we have not configured any IPv6 firewalls or ip6tables so far. We have not prepared any security tools for IPv6.
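The missing firewall step, as an added example that is not part of the original guide: a default-deny ip6tables baseline for the router, since every LAN client now holds a globally reachable address. The interface names tun6to4 and br-lan and the LAN prefix are this guide's example values; the IP6T dry-run variable and the function name fw6_baseline are made up here, and the state match assumes a kernel with IPv6 connection tracking.

```shell
#!/bin/sh
# Added example: default-deny IPv6 baseline for the 6to4 router.
# IP6T is a hypothetical helper variable: set IP6T="echo ip6tables" to
# print the rules for review instead of applying them.
IP6T=${IP6T:-ip6tables}

# fw6_baseline TUNNEL_IF LAN_IF LAN_PREFIX
fw6_baseline() {
    tun=$1; lan=$2; prefix=$3
    [ -n "$tun" ] && [ -n "$lan" ] && [ -n "$prefix" ] || return 1

    $IP6T -F INPUT
    $IP6T -F FORWARD

    # Router itself: loopback, the LAN side, replies, and ICMPv6
    # (neighbour discovery and path MTU discovery depend on it).
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$lan" -j ACCEPT
    $IP6T -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT -p ipv6-icmp -j ACCEPT

    # Anti-spoofing: our own LAN prefix must never arrive from the tunnel.
    $IP6T -A FORWARD -i "$tun" -s "$prefix" -j DROP

    # LAN clients may open connections outwards; only replies come back.
    $IP6T -A FORWARD -i "$lan" -o "$tun" -j ACCEPT
    $IP6T -A FORWARD -i "$tun" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Keep path MTU discovery working for LAN clients behind the tunnel.
    $IP6T -A FORWARD -i "$tun" -o "$lan" -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT

    # Everything not accepted above is dropped. Policies go last so a
    # half-applied rule set never locks out an open session.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT
}

# Usage on the router (values from this guide):
#   fw6_baseline tun6to4 br-lan 2002:82e2:8d39:ffff::/64
```

Review the printed rules with IP6T="echo ip6tables" first, then verify the applied set with ip6tables -L -v -n.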
So there's still work to be done .... and also, don't forget to get your real IPv6 address space :)