Difference between revisions of "OpenWRT: IPv6"

From OnnoWiki
Line 1: Line 1:
==Native IPv6 access==
+
Sumber: http://wiki.openwrt.org/doc/uci/network6
  
For this, you need to obtain an IPv6 address from your ISP. Technically this could be a /128 prefix (exactly one IPv6 address), but according to rfc6177 this should be a /64 prefix. You may also get bigger range, like /56 or /48. Within this range you may use all the IPv6 addresses to your liking without any NAT-induced headaches.
 
  
Some of the ISPs currently known to support IPv6 to the customer are listed here: ipv6.isp.
+
OpenWrt native IPv6-stack
 +
This page applies to Barrier Breaker, Attitude Adjustment release 12.09.1 and later OpenWrt versions only. It is not valid for Backfire 10.03 or Attitude Adjustment 12.09. See Old IPv6 HowTo for these versions.
 +
Obtaining IPv6 support
 +
Barrier Breaker and later
  
In the following example, the assigned prefix is 2001:123:456::/48. Within this prefix, I choose to affect the network 2001:123:456:789::/64 to the internal LAN. The router has the fixed IP 2001:123:456:789::1
+
    Native IPv6-support with DHCPv6, an RA & DHCPv6-Server and an IPv6-firewall are installed and configured by default.
 +
    Transitioning technologies like 6in4, 6rd, 6to4 or ds-lite can be installed using the packages with the same names.
 +
    For WebUI-support install the package luci-proto-ipv6.
  
/etc/config/network:
+
Implementation
 +
Features
  
config interface lan option ifname eth1 option type bridge option proto static option ipaddr 192.168.1.1 option netmask 255.255.255.0 option ip6addr '2001:123:456:789::1/64'
+
    Prefix Handling
 +
        Management of prefixes, addresses and routes from upstream connections and local ULA-prefixes
 +
        Management of prefix unreachable-routes, prefix deprecation (RFC 7084) and prefix classes
 +
        Distribution of prefixes onto downstream interfaces (including size, ID and class hints)
 +
        Source-based policy routing to correctly handle multiple uplink interfaces, ingress policy filtering (RFC 7084)
  
When using PPPoEv6, enable ipv6. You may also further reduce the MTU from 1492 to 1452: Experience shows that it prevents many problems. You can try to increase this size, not bigger than 1492.
+
    Native IPv6 configuration
config interface wan option ifname eth0 option proto pppoe option username '<username>' option password '<password>' option keepalive 5 option defaultroute 1 option peerdns 1 option ipv6 1 option mtu 1452
+
        Automatic bootstrap from SLAAC, stateless DHCPv6, stateful DHCPv6, DHCPv6-PD and any combination
 +
        Handling of preferred and valid address and prefix lifetimes
 +
        Duplicate address and Link-MTU detection
 +
        DHCPv6 Extensions: Reconfigure, Information-Refresh, SOL_MAX_RT=3600
 +
        DHCPv6 Extensions: RDNSS, DNS Search Domain, NTP, SIP, ds-lite, prefix exclusion (experimental)
  
==6in4 tunneling==
+
    IPv6 transitioning technologies
 +
        Setup and management of IPv6-in-IPv4 tunnels (6rd, 6to4, 6in4)
 +
        Setup and management of IPv4-in-IPv6 tunnels (ds-lite, lw4o6, map-e)
 +
        Setup and management of IPv4-to-IPv6 translation (map-t, 464xlat CLAT) [since Chaos Calmer]
 +
        Automatic setup of tunnels from DHCP and DHCPv6 [since Chaos Calmer]
  
6in4 is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.
+
    Downstream IPv6 configuration
 +
        Server support for Router Advertisement, DHCPv6 (stateless and stateful) and DHCPv6-PD
 +
        Automatic detection of announced prefixes, delegated prefixes, default routes and MTU
 +
        Change detection for prefixes and routes triggering resending of RAs and DHCPv6-Reconfigure
 +
        Detection of client hostnames and export as augmented hosts-file
 +
        Support for RA & DHCPv6-relaying and NDP-proxying to e.g. support uplinks without prefix delegation
  
A very excellent forum topic on the topic of a static 6in4 tunnels is at https://forum.openwrt.org/viewtopic.php?pid=126285
+
Compliance
  
Both resources assume a static prefix, and thus a manual configuration.
+
Our aim is to follow RFC 7084 where possible. Nevertheless compliance has not been verified yet. Please notify us if you find any standard violations.
  
The ISP known to use this are:
+
The following requirements of RFC 7084 are currently known not to be met.
  
     Free.fr (France)
+
     RFC 7084 WAA-5 (SHOULD-requirement): The NTP-Server is requested and received but currently not processed or used.
  
==Requirements==
+
Upstream configuration for WAN-Interfaces
  
The package 6in4 must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.
+
The following sections describe the configuration of IPv6 connections to your ISP or an upstream router. Please note that most tunneling mechanisms like 6in4, 6rd and 6to4 may not work behind a NAT-router.
 +
Native IPv6 connection
  
opkg update && opkg install 6in4
+
For an uplink with native IPv6-connectivity you can use the following example configuration. It will work both for uplinks supporting DHCPv6 with Prefix Delegation and those that don't support DHCPv6-PD or DHCPv6 at all (SLAAC-only).
  
Notes:
+
/etc/config/network
  
* Examples of 6in4 tunneling are also on the config/network page.
+
config interface wan
* For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
+
        option ipv6 1 # only required for PPP-based protocols
 +
        ...
 +
 +
config interface wan6
 +
        option ifname  eth1 # use same ifname as in wan-section or "@wan"
 +
        option proto    dhcpv6
 +
 +
config interface lan
 +
        option proto    static
 +
        option ip6assign 60
 +
        ...
  
==Static 6in4 tunneling==
+
:!: The package odhcp6c must be installed to use dhcpv6. See protocol.dhcpv6 for advanced configuration options.
 +
Static IPv6 connection
  
/etc/config/network for static tunneling:
+
Static configuration of the IPv6 uplink is supported as well. The following example demonstrates this.
  
config interface henet
+
/etc/config/network
        option proto 6in4
 
        option ipaddr '178.24.115.19'
 
        option peeraddr '216.66.80.30'
 
        option ip6addr '2001:0db8:1f0a:1359::2/64'
 
  
Note: you may want to check that your public IP is matching the IP address on your WAN interface. Details in Static IPv6-in-IPv4 tunnel behind one-to-one NAT.
+
config interface wan
 +
        option ifname  eth1
 +
        option proto    static
 +
        option ip6addr  2001:db80::2/64  # Own address
 +
        option ip6gw    2001:db80::1      # Gateway address
 +
        option ip6prefix 2001:db80:1::/48 # Prefix addresses for distribution to downstream interfaces
 +
        option dns      2001:db80::1      # DNS server
 +
 +
config interface lan
 +
        option proto    static
 +
        option ip6assign 60
 +
        ...
  
==Dynamic 6in4 tunneling==
+
For advanced configuration options see protocol.static
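Review bot: the added static-uplink example (ip6addr 2001:db80::2/64, ip6gw 2001:db80::1, ip6prefix 2001:db80:1::/48) uses 2001:db80::, which lies outside the documentation prefix 2001:db8::/32 reserved by RFC 3849 and is therefore ordinary global unicast space. Suggest writing these as 2001:db8:... so that a configuration copied from the page can never point at a real network; the same applies to the ds-lite peeraddr, the prefix-delegation example and the ifstatus output added further down.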
  
The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
+
6in4 tunnel (HEnet tunnelbroker, sixxs static tunnel, ...)
  
/etc/config/network for dynamic tunneling:
+
6in4 tunnels are usually provided by external tunnel providers like HE.net or Sixxs. You can use the following example configuration as a basis.
  
config interface henet
+
/etc/config/network:
        option proto 6in4
 
        option peeraddr '216.66.80.30'
 
        option ip6addr '2001:0db8:1f0a:1359::2/64'
 
        option tunnelid '12345'
 
        option username '14c4b06b824ec593239362517f538b29'
 
        option password '5f4dcc3b5aa765d61d8327deb882cf99'
 
  
In this example configuration:
+
config 'interface' 'wan6'
 +
        option 'proto' '6in4'
 +
        option 'mtu' '1424'                          # the IPv6 tunnel MTU (optional)
 +
        option 'peeraddr' '62.12.34.56'              # the IPv4 tunnel endpoint
 +
        option 'ip6addr' '2001:DB8:2222:EFGH::2/64'  # the IPv6 tunnel
 +
        option 'ip6prefix' '2001:DB8:1234:ABCD::/64' # Your routed prefix (required!)
 +
        # configuration options below are only valid for HEnet tunnels. ignore them for other tunnel providers.
 +
        option tunnelid '123456' # HE.net tunnel id
 +
        option username 'username' # HE.net username, which you use to login into tunnelbroker, not the User ID shows after you have login in.
 +
        option password 'password' # HE.net password if there is no updatekey for tunnel
 +
        option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels
  
    178.24.115.10 is the local IPv4 address (assigned by ISP)
+
config 'interface' 'lan'
    216.66.80.30 is the remote IPv4 address (the other side of the tunnel)
+
        option 'proto' 'static'
    2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account).
+
        option ip6assign 60
    tunnelid, username, and password are provided by the tunnel broker.
+
...
  
    :!: For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see https://ipv4.tunnelbroker.net/ipv4_end.php
+
:!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
  
With Attitude Adjustment, once you have added the above interface definition you have to run /etc/init.d/network restart in order to have it effected.
+
:!: The package 6in4 must be installed to use 6in4-tunnels. See protocol.6in4.ipv6-in-ipv4.tunnel for advanved configuration options.
  
:!: Note that Hurricane Electric has changed their dynamic negotiation protocol, and the 6in4 package is not yet (August 2011) updated accordingly. See discussion in ticket 10019. Based on the discussion HE users need to install the wget package to get HTTPS support in wget and possibly also modify the URL in 6in4 script.
+
:!: Note that HE.net assigns an "updatekey" by default for new tunnels since February 2014. If updatekey exists (visible in tunnel's advanced info page at the he.net site), it needs to be used instead of the password. Support for that option has been introduced in Openwrt trunk by r39646. Old tunnels without updatekey will continue to work with password.
 +
6rd tunnel (ISP-provided IPv6 transition)
  
This tunnel, like a VPN, creates a third network interface, called henet in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully.
+
6rd is a tunnelmechanism based on 6to4. Unlike other tunneling mechanisms 6rd is usually provided by the ISP itself. The values for the tunnel are usually obtained with the DHCPv4 request for the WAN interface.
Firewalling
 
  
:!: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:
+
:!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough.
config 'zone' option 'name' 'wan' option 'network' 'wan henet' option 'input' 'REJECT' option 'forward' 'REJECT' option 'output' 'ACCEPT' option 'masq' '1'
 
  
:!: To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:
+
/etc/config/network:
config rule option src wan option proto 41 option target ACCEPT
 
  
You will need the ip6tables package for these firewall rules to work. You can run the following command to install this package:
+
config interface 'wan'
 +
        option ifname 'eth0.2'
 +
        option proto 'dhcp'
 +
       
 +
        # The following two lines are only needed in Barrier Breaker
 +
        option iface6rd wan_6rd
 +
        option zone6rd wan
  
opkg update && opkg install ip6tables kmod-ip6tables
+
To debug 6rd via DHCP, first check if the parameters are sent. Create a /etc/udhcpc.user with the following content:
  
==Routing==
+
#!/bin/sh
 +
env >> /tmp/udhcpc.log
  
===Routed Addresses==
+
Reboot the router and check the log file for the following line:
  
To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface.
+
ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2
  
:!: For Hurricane Electric tunnels, the prefix for the routed subnet is specified in tunnel details page on tunnelbroker.net in the Routed IPv6 Prefixes section, and is formed by incrementing the last digit of the third quad in the tunneling prefix. For example, if the IP address 2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint, the local interface would be assigned an address in 2001:0db8:1f0b:1359::/64 subnet, typically 2001:0db8:1f0b:1359::1/64
+
If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6RD tunnel. Remove or comment out the iface6rd line in the wan section.
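Review bot: the added 6rd debug step leaves /etc/udhcpc.user in place, and because the script uses "env >> /tmp/udhcpc.log" it appends the whole environment to the log every time it runs. Suggest adding a final step that removes /etc/udhcpc.user and /tmp/udhcpc.log once the ip6rd line has been read, and saying so next to "Reboot the router and check the log file".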
config interface lan option ifname eth0 option type bridge option proto static option ipaddr 192.168.1.1 option netmask 255.255.255.0 option ip6addr '2001:0db8:1f0b:1359::1/64'
 
  
Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know this routed prefix. To broadcast the prefix to clients on the local network, use radvd.
+
/etc/config/network:
Packet Forwarding
 
  
The router must be configured forward packets between the remote and local interfaces. See the Enable Routing section. The forwarding is enabled by default in trunk, but must be manually enabled in Backfire.
+
config interface 'wan6'
Enable Routing in Backfire
+
        option proto '6rd'
 +
        option peeraddr '77.174.0.2'
 +
        option ip6prefix '2001:838:ad00::'
 +
        option ip6prefixlen '40'
 +
        option ip4prefixlen '16'
  
To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf
+
:!: In Chaos Calmer the default /etc/config/network works after installing the 6rd package. The mentioned dhcpv6 is ignored if it doesn't succeed. The above configuration for Barrier Breaker works also in later variants and may be less confusing.
  
And uncomment the following line in /etc/sysctl.conf:
+
:!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
  
# net.ipv6.conf.all.forwarding=1
+
:!: The package 6rd must be installed to use 6rd-tunnels. See protocol_6rd_ipv6_rapid_deployment for advanved configuration options.
 +
6pe, L2TP tunnel, softwire (ISP-provided IPv6 transition)
  
The line should look like this:
+
This is another transitional mechanism for IPv6, used by some ISPs. It relies on a L2TPv2 tunnel.
  
net.ipv6.conf.all.forwarding=1
+
Detailed configuration: ipv6.softwire
 +
6to4 tunnel
  
Now restart sysctl to apply the new setting.
+
6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways.
  
/etc/init.d/sysctl restart
+
/etc/config/network:
  
To verify the setting has been applied, issue the following command:
+
config 'interface' 'wan6'
 +
        option 'proto' '6to4'
 +
 +
config 'interface' 'lan'
 +
        option 'proto' 'static'
 +
        option ip6assign 60
 +
...
  
cat /proc/sys/net/ipv6/conf/all/forwarding
+
:!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
  
should return 1
+
:!: The package 6to4 must be installed to use 6to4-tunnels. See protocol.6to4.ipv6-in-ipv4.tunnel for advanved configuration options.
 +
Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6)
  
Troubleshooting
+
ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection.
  
    Enable firewall logging
+
:!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and rebooting) is usually enough.
    On the router, ping ipv6.google.com
 
    On a local host, ping the public IP address of the router's local interface (2001:0db8:1f0b:1359::1 in the example configuration).
 
    On a local host, ping ipv6.google.com
 
  
==6to4, 6rd==
+
/etc/config/network:
  
6to4 is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.
+
config 'interface' 'wan6'
 +
        option 'ifname' 'eth1'
 +
        option 'proto' 'dhcpv6'
 +
 +
config 'interface' 'wan'
 +
        option 'proto' 'dslite'
 +
        option 'peeraddr' '2001:db80::1' # Your ISP's DS-Lite AFTR
  
6rd (rapid deployment) is similar to 6to4 with some restrictions for large ISP routing. However it is only supported in kernel superior or equal to 2.6.33 due to specific routing scheme.
+
:!: If you choose a name for your tunnel-interface that is different from 'wan' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
  
In order for 6to4 to work, you need to install the package 6to4 and kmod-sit available from 10.03.1-rc4.
+
:!: The package ds-lite must be installed to use ds-lite-tunnels. See protocol.dslite.dual-stack.lite for advanved configuration options.
 +
Downstream configuration for LAN-Interfaces
  
opkg install 6to4 kmod-sit
+
OpenWrt includes a flexible local prefix delegation mechanism. It can be tuned for each downstream-interface individually with 3 parameters which are all optional:
  
If, like me, you are working with 10.03, you can still install by downloading the package from the newer source.
+
    ip6assign: Prefix size used for assigned prefix to the interface (e.g. 64 will assign /64-prefixes)
 +
    ip6hint: Subprefix ID to be used if available (e.g. 1234 with an ip6assign of 64 will assign prefixes of the form …:1234::/64)
 +
    ip6class: Filter for prefix classes to accept on this interface (e.g. wan6 will only assign prefixes with class "wan6" but not e.g. "local")
  
opkg install http://downloads.openwrt.org/backfire/10.03.1-rc4/brcm47xx/packages/6to4_2-1_all.ipk
+
ip6assign and / or ip6hint-settings might be ignored if the desired subprefix cannot be assigned. In this case OpenWrt will first try to assign a prefix with the same length but different subprefix-ID. If this fails as well the prefix length is reduced until the assignment can be satisfied. If ip6hint is not set an arbitrary ID will be chosen. Setting the ip6assign-parameter to a value < 64 will allow the DHCPv6-server to hand out all but the first /64 via DHCPv6-Prefix Delegation to downstream routers on the interface. If the ip6hint is not suitable for the given ip6assign it will be rounded down to the nearest possible value.
  
:!: Replace brcm47xx with the architecture you are working with.
+
If ip6class is not set then all prefix classes are accepted on this interface. The default class for a prefix is the interface-name (e.g. "wan6") or "local" for the ULA-prefix. This can be used to select upstream interfaces from which subprefixes are assigned. For prefixes received from dynamic-configuration methods like DHCPv6 it is possible that the prefix-class is not equal to the source-interface but e.g. augmented with an ISP-provided numeric prefix class-value.
  
For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
+
Example (/etc/config/network):
  
An example of /etc/config/network for the ISP "Qfast.nl", or any ISP for that matter, may be:
+
config globals globals
config interface 6rd option proto 6to4 option adv_subnet 1 # Selects the advertised /64 prefix, default 1 if not specified option adv_interface lan
+
        option ula_prefix fd00:db80::/48 
 +
 +
config interface wan6
 +
        option proto static
 +
        option ip6prefix 2001:db80::/56
 +
        ...
 +
 +
config interface lan
 +
        option proto static
 +
        option ip6assign 60
 +
        option ip6hint 10
 +
        ...
 +
 +
config interface guest
 +
        option proto static
 +
        option ip6assign 64
 +
        option ip6hint abcd
 +
        list ip6class wan6
 +
        ...
  
Although there are many more options, most of those (like ipaddress and the advertising interface) are configured automatically by default. Just check out /etc/config/network and search for the paragraph 6to4.
+
The results of that configuration would be:
  
Even radvd and your lan interface is configured automatically by default by taking the lan interface and a /64 prefix of the external IP-range to be routed on. All you need to do is change the ignore 1 on the interface to ignore 0. Also remember to enable radvd (/etc/init.d/radvd enable) before doing ifup on the 6to4 interface. Otherwise the auto configuration of radvd will fail.
+
    The lan interface will be assigned the prefixes 2001:db80:0:10::/60 and fd00:db80:0:10::/60.
 +
    The DHCPv6-server can offer both prefixes except 2001:db80:0:10::/64 and fd00:db80:0:10::/64 to downstream routers on lan via DHCPv6-PD.
 +
    The guest interface will only get assinged the prefix 2001:db80:0:abcd::/64 due to the class filter.
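Review bot: the stated result for guest, 2001:db80:0:abcd::/64, is not inside the wan6 prefix 2001:db80::/56 from the example, which only spans 2001:db80:0:0::/64 through 2001:db80:0:ff::/64, so by the page's own description of ip6hint handling the hint abcd could not be honoured as written. Suggest either widening the example ip6prefix (a /48 would contain both the lan and guest results) or choosing an ip6hint that fits in the 8 subnet bits a /56 leaves for a /64; "assinged" in the same line should read "assigned".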
  
My /etc/config/radvd looks as follows:
+
Router Advertisement & DHCPv6
  
config interface
+
OpenWrt features a versatile RA & DHCPv6 server and relay. Per default SLAAC, stateless and stateful DHCPv6 are enabled on an interface. If there are prefix of size /64 or greater present then addresses will be handed out from each prefix. If all prefixes on an interface have a size greater /64 then DHCPv6-Prefix Delegation is enabled for downstream-routers. If a default route is present the router advertises itself as default router on the interface.
  option interface 'lan'
 
  option AdvSendAdvert 1
 
  option AdvManagedFlag 0
 
  option AdvOtherConfigFlag 0
 
  option ignore 0
 
  config prefix
 
  
option interface 'lan'
+
OpenWrt is also able to detect when there is no prefix available from an upstream interface and can switch into relaying mode automatically to extend the upstream interface configuration onto its downstream interfaces. This is useful for putting an OpenWrt behind another IPv6-router which doesn't offer prefixes via DHCPv6-PD.
  # If not specified, a non-link-local prefix of the interface is used option prefix \'\'
 
  #These are supposed to be 2 single-quotes
 
  option AdvOnLink 1
 
  option AdvAutonomous 1
 
  option AdvRouterAddr 0
 
  option ignore 1
 
  
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:
+
Example configuration section for SLAAC + DHCPv6 server mode (/etc/config/dhcp)
  
  config zone
+
  config dhcp lan
  option name 'wan'
+
    option dhcpv6 server
  option network 'wan 6rd'
+
    option ra server
  option input REJECT
 
  option forward REJECT
 
  option output ACCEPT
 
  option masq 1
 
  
Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets:
+
Example configuration section for SLAAC alone (/etc/config/dhcp)
config 'rule' option 'target' 'ACCEPT' option 'name' '6to4' option 'src' 'wan' option 'proto' '41'
 
  
This can also be done via the LuCI webinterface.
+
config dhcp lan
 +
    option dhcpv6 disabled
 +
    option ra server
  
(note: option 'target' 'DROP' stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration)
+
Example configuration section for relaying (/etc/config/dhcp)
  
==TSP Tunneling==
+
config dhcp wan6
 +
    option dhcpv6 relay
 +
    option ra relay
 +
    option ndp relay
 +
    option master 1
 +
 +
config dhcp lan
 +
    option dhcpv6 relay
 +
    option ra relay
 +
    option ndp relay
  
The Tunnel Setup Protocol is used by some tunnel brokers. Gogo6 (ex Freenet6) is one of the most popular and offers free service for individuals.
+
:!: The package odhcpd must be installed to provide these services.
 +
Routing Mangement
  
:!: The packages gw6c and kmod-sit must be installed to use this protocol (e.g.: opkg update && opkg install gw6c kmod-sit).
+
OpenWrt uses a source-address and source-interface based policy-routing system. This is required to correctly handle different uplink interfaces. Each delegated prefix is added with an unreachable route to avoid IPv6-routing loops.
  
gw6c is configured through a specific config file: /etc/config/gw6c.
+
To determine the current status of routes you can consult the information provided by ifstatus.
  
First create a free account on freenet6 here then procede to fill gw6c configuration file on your router.
+
Example (ifstatus wan6):
  
The example below assumes the user have an account, required to redistribute a prefix on a LAN. The userid/passwd fields must be filled with the above registration credentials.
+
...
 +
        "ipv6-address": [
 +
                {
 +
                        "address": "2001:db80::a00:27ff:fe67:cd9c",
 +
                        "mask": 64,
 +
                        "preferred": 1681,
 +
                        "valid": 7081
 +
                }
 +
        ],
 +
        "ipv6-prefix": [
 +
                {
 +
                        "address": "2001:db80:0:100::",
 +
                        "mask": 56,
 +
                        "preferred": 86282,
 +
                        "valid": 86282,
 +
                        "class": "wan6",
 +
                        "assigned": {
 +
                                "lan": {
 +
                                        "address": "2001:db80:0:110::",
 +
                                        "mask": 60
 +
                                }
 +
                        }
 +
                }
 +
        ],
 +
        "route": [
 +
                {
 +
                        "target": "2001:db80::",
 +
                        "mask": 48,
 +
                        "nexthop": "fe80::800:27ff:fe00:0",
 +
                        "metric": 1024,
 +
                        "valid": 7081
 +
                  },
 +
                {
 +
                        "target": "::",
 +
                        "mask": 0,
 +
                        "nexthop": "fe80::800:27ff:fe00:0",
 +
                        "metric": 1024,
 +
                        "valid": 7081
 +
                }
 +
        ],
 +
...
  
config gw6c basic
+
Interpretation:
  #Comment out next line to enable gw6c
 
  option disabled 0
 
  #Leave empty if connecting anonymously
 
  option userid <YOURFREENET6USERID> option passwd <YOURFREENET6PASSWD>
 
  #For anonymous use anon.frenet6.net and
 
  #account holders should use broker.freenet6.net
 
  option server authenticated.freenet6.net
 
  #auth_method <anonymous|any|passds-3des-1|digest-md5|plain>
 
  #Use anonymous with anonymous access and
 
  #any if you are account holder
 
  option auth_method any
 
  
config gw6c routing
+
    On the interface 2 routes are provided: 2001:db80::/48 and a default-route via the router fe80::800:27ff:fe00:0.
  #host_type <host|router>
+
    These routes can only be used by locally generated traffic and traffic with a suitable source-address, that is either one of the local addresses or an address out of the delegated prefix.
  option host_type router
 
  option prefixlen 64
 
  option ifprefix br-lan
 
  
:!: prefixlen 64 did not work for me; prefixlen 56 works ! #DNS server list to which the reverse prefix #will be delegated. Separate servers with : option dns_server config gw6c advanced #Location where to store configuration file option gw6c_conf /tmp/gw6c.conf option gw6c_dir /usr/share/gw6c option auto_retry yes option retry_delay 30 option keepalive yes #keepalive interval option interval 30 #tunnel_mode <v6v4|v6udpv4|v6anyv4|v4v6> option if_tunnel_mode v6anyv4 option if_v6v4 sit1 option if_v6udpv4 tun option if_v4v6 sit0 option client_v4 auto option client_v6 auto option template openwrt option proxy_client no config gw6c broker option broker_list /etc/config/gw6c-broker-list.txt option last_server /etc/config/gw6c-last-server.txt # Always use last known working server? <yes|no> option always_same_serv no config gw6c logging option log_console 0 option log_stderr 1 option log_file 1 #optional, good for debugging option log_syslog 0 option log_filename /var/log/gw6c.log option log_rotation yes #Max size when using log file rotation #possible values: 16|32|128|1024 option log_maxsize 32 #<USER|LOCAL[0-7]> option syslog_facility USER
+
:!: OpenWrt adds IPv6-routes (like default routes) to specific routing-tables and not the main-table thus they may not be seen by default. You can use the command ip -6 rule to list all current routing policies.
 +
Migration from Attitude Adjustment 12.09 and earlier
 +
IPv6 Forwarding
  
:!: When installed the program gw6c takes care of a lot of details itself, including radvd configuration : In this case, manual radvd configuration is not requiered: The /etc/config/radvd must be kept disabled.
+
To ensure that IPv6 forwarding is working correctly, please check that your /etc/sysctl.conf contains the following entries:
  
Start Gateway6 client with the following command: /etc/init.d/gw6c start
+
net.ipv6.conf.default.forwarding=1
Auto-start after Openwrt booted up: /etc/init.d/gw6c enable
+
net.ipv6.conf.all.forwarding=1
Use /etc/init.d/gw6c with reload or restart to load the latest config file.
 
 
 
:!: Untested - Please correct as needed
 
 
 
:!: In newest ATTITUDE ADJUSTMENT dependencies might be broken. You might have to check manually if the Packet kmod-sit gets instaleld. If it is missing radvd startscript will fail: INTERFACE_SETUP_FAILED.
 
NAT64 tunneling
 
 
 
The NAT64 is one technique to provide to the user a routable ipv6 while using a NAT technique to keep access top IPv4 websites (The client may NOT have a routable IPv4 anymore).
 
 
 
Some ISP are experimenting this: AAISP (UK)
 
 
 
:!: to be completed - please help ?
 
Propagate IPv6 subnet to LAN
 
 
 
Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the later, two options described below exist. Note that when using static WAN connection, you need to add lines
 
 
 
option accept_ra 1
 
option send_rs 0
 
 
 
to config interface wan section of your /etc/config/network.
 
 
 
==RADVD==
 
 
 
The router advertisement daemon (radvd) is fully supported by OpenWRT. Please consult the radvd UCI page, for a full complement of configuration options.
 
 
 
To begin with, install RADVD with:
 
 
 
opkg update && opkg install radvd
 
 
 
The simplest case is static IPv6 affectation:
 
 
 
/etc/config/radvd:
 
config interface option interface 'lan' option AdvSendAdvert 1 option AdvLinkMTU 1452 # Optional - only provide if it is also provided in /etc/config/network option ignore 0 # Or delete the line altogether config prefix option interface 'lan' # Optional: only necessary if the lan interface has multiple # global IP addresses assigned to it; or the subnet is larger than /64 option prefix '2001:123:456:789::/64' # Optional option ignore 0 # Or delete the line altogether config 'rdnss' option 'interface' 'lan'
 
 
 
This configuration is sufficient to enable radvd on the router, and broadcast auto-configuration announces (default routes and dns servers) to the clients on LAN.
 
 
 
The MTU specified MUST be identical to the one set in the /etc/config/network section, if provided. If you're connecting through a tunnel, ensure that your MTU matches that of your tunnel. Otherwise, do not provide it.
 
 
 
Don't forget to enable radvd at boot. You can do this in the LuCI web interface at Administration → Services → Initscripts. Look for radvd and check whether it is enabled. To enable radvd at boot and to start radvd right now without rebooting, do
 
 
 
/etc/init.d/radvd enable
 
/etc/init.d/radvd start
 
 
 
use logread to check for start up messages
 
wide-dhcpv6-server
 
 
 
This shows you how to set up DHCPv6 so that LAN clients have their IPv6 addresses from a pool, instead of concatenating random numbers, or some function of their MAC address, with your prefix.
 
  
First, you need to install a DHCPv6 server
+
Downstream configuration for LAN-Interfaces
  
opkg update && opkg install wide-dhcpv6-server
+
It is discouraged to use ip6addr to set addresses / prefixes on downstream interfaces (e.g. lan) because it can easily lead to conflicts with the local address delegation. Also it might lead to unexpected result or brokenness due to the source-based policy-routing used in the IPv6-stack.
  
Now enable the server in /etc/config/dhcp6s
+
Please use the new options ip6assign and ip6hint instead.
config 'dhcp6s' 'basic' option 'enabled' '1' option 'interface' 'br-lan' option 'config_file' '/etc/dhcp6s.conf'
 
  
Then create a config file /etc/dhcp6s.conf with something like:
+
Example: If your delegated prefix is 2001:db80:1234::/48 and you want your lan interface to have the subprefix 2001:db80:1234:5678::/64 you could use the following configuration:
interface br-lan { address-pool pool1 86400; }; pool pool1 { range 2001:123:456:789::1000 to 2001:123:456:789::2000 ; };
 
  
This allocates addresses from a pool of 4096 with a lease time of 24 hours.
+
config 'interface' 'lan'
 +
        option 'proto' 'static'
 +
        option 'ip6assign' '64'
 +
        option 'ip6hint' '5678'
 +
        ...
  
If you will need static IPv6 (::3000) assigned to host you can specify this with something like:
+
If the router can ping6 the internet, but lan machines get "Destination unreachable: Unknown code 5" or "Source address failed ingress/egress policy" then the ip6assign option is missing on your lan interface.
host somehostname { duid 00:01:02:03:04:05:06:07:08:09:10:11:12:13; address 2001:123:456:789::3000 infinity; };
+
Router Advertisement & DHCPv6
  
Where duid is DHCPv6 Client DUID (can be found in Windows at "ipconfig /all" for example).
+
The use of radvd is now unnecessary. The service 6relayd is used for Router Advertisement and DHCPv6 and picks up addresses from interfaces automatically. To configure the 6relayd service see 6relayd.
 +
Upstream Configuration for WAN-Interfaces
 +
Generic Changes
  
Finally, you need to change some radvd settings so that it tells clients to use DHCPv6 to get the rest of their settings:
+
Router Advertisements are not accepted by default anymore and thus OpenWrt will not configure itself with default routes and / or addresses. Also the interface-options accept_ra and send_rs have been removed. You should add an interface with proto dhcpv6 - also for receiving RAs only - as described in Native IPv6 Connection.
config interface option interface 'lan' option AdvSendAdvert 1 option AdvManagedFlag 1 option AdvOtherConfigFlag 1 option ignore 0
+
6in4 tunnel and Static IPv6 connection
  
Then restart the services and you're away (hopefully!)
+
It is now necessary to add your routed-prefix (e.g. routed /48 of your tunnel) as option ip6prefix to the tunnel/static-interface in /etc/config/network. If you omit this option your lan-clients will not be able to reach the internet.
troubleshooting
 
  
If ps does not show dhcp6s running then you can run it interactively:
+
Example:
dhcp6s -s /etc/dhcp6s.conf -d -f -D br-lan
 
  
(where br-lan is your local lan interface). Things to check include:
+
config 'interface' 'wan6'
 +
        option 'proto' '6in4'
 +
        option 'peeraddr' '62.12.34.56
 +
        option 'ip6addr' '2001:DB8:2222:EFGH::2/64'
 +
        option 'ip6prefix' '2001:DB8:1234:ABCD::/64' # <- Your routed prefix
 +
        ...
  
    the network interface (br-lan in the above) does not match
+
6rd and 6to4 tunnel
    typos in /etc/dhcp6s.conf
 
  
dnsmasq-dhcpv6
+
Your public address prefix is now automatically calculated and sent to the network subsystem (netifd). You should follow the advice for lan-interface configuration.
This feature is new and not yet supported by UCI. You will need Attitude Adjustment to make this work.
 
  
We can use DHCPv6 enabled version of dnsmasq for:
 
  
    Router advertisement
 
    Configuration of clients
 
        SLAAC
 
        DHCPv6
 
  
With dnsmasq-dhcpv6 you will replace dnsmasq, radvd or wide-dhcpv6-server, depending on your current configuration.
 
  
opkg remove dnsmasq
 
opkg update && opkg install dnsmasq-dhcpv6
 
  
Once we have dnsmasq-dhcpv6 installed we need to enable router advertisement and choose in what mode we want to configure clients. For details on modes, see dnsmasq man page. The modes are:
 
  
    ra-only
 
    slaac
 
    ra-names
 
    ra-stateless
 
  
Since there is not UCI support yet, we have to add the configuration manually to /etc/dnsmasq.conf file. Configuration in this file is merged with the UCI generated config.
 
  
dhcp-range=2001:0db8:1f0b:1359::,ra-names
 
enable-ra
 
  
The dhcp-range option defines IPv6 prefix used by clients and configuration mode, here ra-names (SLAAC). Last line enables router advertisement.
 
Troubleshooting
 
  
    Your client's global unique IPv6 address has to be generated in SLAAC mode using modified EUI-64 method. Correct address look like this:
 
  
        2001:0db8:1f0b:1359:021d:baff:fe06:3764
 
  
        in case your client's MAC address is 00:1D:BA:06:37:64.
 
        If your address isn't EUI-64 based, you should disable privacy extensions for your global unique IPv6 address.
 
    The global unique IPv6 address has to be pingable from your router. SSH into your router and run:
 
  
        ping 2001:0db8:1f0b:1359:021d:baff:fe06:3764
 
  
        In case you can't ping it, its probably your client's firewall blocking ICMPv6 Echo Requests from 2001:0db8:1f0b:1359::/64 network. You need to make accept rule in the firewall. Note that despite you have no problem to ping fe80::021d:baff:fe06:3764%br-lan, you still have to create the accept rule for the mentioned network.
 
  
To see if it works, follow these steps:
 
  
    Add log-dhcp entry to /etc/dnsmasq.conf config file.
 
    Restart dnsmasq with /etc/init.d/dnsmasq restart.
 
    See if dnsmasq obtained the ping confirmation, and thus was able to add AAAA record to its DNS cache.
 
  
        logread | grep "SLAAC-CONFIRM"
 
  
        This may return something like this if everything is working fine:
 
 
        Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc
 
 
Directly forward ISP's NDP proxy address to LAN
 
 
It can help you, if your ISP give you /64 IPv6 address and radvd,dhcpv6 useless for you. Original idea by user (diway) from openwrt forum This method idea is: bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP).
 
 
    Remove (radvd,dhcpv6,dnsmasqv6)or others that you install early when tryed methods above. And remove that options that you do at configuration files /etc/config/network or otherone (repair "before ipv6 state" of your deivce).
 
    Install ipv6 support and ebtables(if you haven't it at your repository, try beta or svn):
 
 
opkg update && opkg install kmod-ipv6 ebtables
 
 
1. At first determine your WAN interface device name, and correct comands below(change eth0.1 to your WAN device name). Edit /etc/init.d/network, at end of start() section add thoose lines:
 
ebtables -t broute -A BROUTING -i eth0.1 -p ! ipv6 -j DROP brctl addif br-lan eth0.1
 
 
2. At /etc/config/network, make thoose:
 
 
Add this on the "config interface lan" section
 
option accept_ra 1 option send_rs 1
 
 
Add this on the "config interface wan" section
 
option accept_ra 0 option send_rs 0
 
 
3. At /etc/config/firewall, make thoose:
 
 
Add this to the "config defaults" section
 
option disable_ipv6 0
 
 
4. At /etc/sysctl.conf, make thoose:
 
 
Add this at the end to enable firewalling on ipv6 even for bridged interfaces
 
net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=0
 
 
5. If you need IPv6 firewalling ONLY! First install:
 
opkg update && opkg install kmod-ip6tables ip6tables
 
 
Then correct comands below(change eth0.1 to your WAN device name). At /etc/firewall.user, add thoose lines:
 
# First, delete all: ip6tables -F ip6tables -X # Allow anything on the local link ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT # Allow anything out on the internet ip6tables -A OUTPUT -o eth0.1 -j ACCEPT # Allow Link-Local addresses ip6tables -A INPUT -s fe80::/10 -j ACCEPT ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT # Allow multicast ip6tables -A INPUT -s ff00::/8 -j ACCEPT ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT # Allow ICMPv6 ip6tables -A INPUT -p icmpv6 –icmpv6-type echo-request -j ACCEPT –match limit –limit 30/minute ip6tables -A INPUT -p icmpv6 -j ACCEPT ip6tables -A OUTPUT -p icmpv6 -j ACCEPT ip6tables -A FORWARD -p icmpv6 -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-request -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-reply -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-solicitation -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type router-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT # Allow forwarding ip6tables -A FORWARD -m state –state NEW -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state NEW -p tcp –dport 22 -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT ip6tables -N DROP ip6tables -A DROP -j REJECT –reject-with icmp6-port-unreachable # Set the default policy ip6tables -A INPUT -j DROP ip6tables -A FORWARD -j DROP ip6tables -A OUTPUT -j DROP
 
 
That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address.
 
DNS check and configuration
 
 
If you can do a succesful ping6 ipv6.google.com from the router, then obviously your DNSmasq succesfully queries the IPv6 address, and you have IPv6 connectivity.
 
 
Congratulations!!!
 
 
Though, if you can't do the ping6 above, though you can do a ping6 [2a00:1450:8002::93], then your DNSmasq (or the server from which it queries) does not succesfully query the IPv6 addresses, and you need to fix this problem.
 
 
(TBD)
 
IPv6 only access
 
 
:!: (Using an intermediate machine to contact IPv4-only servers)
 
 
(TBD)
 
NAT64
 
 
TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel.
 
 
First, install tayga:
 
 
opkg update && opkg install tayga
 
 
Now, create NAT64 interface:
 
config interface nat64 option proto tayga option ipv4_addr 192.0.2.1 option ipv6_addr 2001:db8:1::7f00:1 option prefix 64:ff9b::/96 option dynamic_pool 192.0.2.0/24 option accept_ra 0 option send_rs 0
 
 
where 192.0.2.0/24 is your dynamic pool, 64:ff9b::/96 is "unused /96 prefix" and 2001:db8:1::/64 is your IPv6 prefix used in LAN.
 
 
Don't forget to add this interface to LAN firewall zone.
 
 
ifup tayga && ping6 64:ff9b::8.8.8.8
 
 
DNS64
 
 
DNS64 is a special mechanism, that returns AAAA records for hosts that only have A records. ATTENTION! This breaks DNSSEC!
 
 
ISC bind supports DNS64 since version 9.8.0.
 
 
opkg update && opkg install bind-server bind-host
 
 
Modify default configuration (/etc/bind/named.conf):
 
acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; options { directory "/tmp"; auth-nxdomain no; # conform to RFC1035 allow-query { localnets; localhost; }; listen-on { any; }; listen-on-v6 { any; }; dns64 64:ff9b::/96 { clients { any; }; mapped { !rfc1918; any; }; exclude { 64:ff9b::/96; ::ffff:0000:0000/96; }; suffix ::; }; edns-udp-size 512; max-udp-size 512; };
 
 
# /etc/init.d/bind restart
 
 
Point your resolver to 127.0.0.1 (or ::1) and try it:
 
# host www.ru www.ru has address 194.87.0.50 www.ru has IPv6 address 64:ff9b::c257:32 www.ru mail is handled by 5 hq.demos.ru. # host www.kame.net www.kame.net is an alias for orange.kame.net. orange.kame.net has address 203.178.141.194 orange.kame.net has IPv6 address 2001:200:dff:fff1:216:3eff:feb1:44d7
 
 
Normal AAAA records are returned for hosts that have it and translated ones for those who don't.
 
NAT-PT
 
DSTM
 
Privacy Extensions
 
Microsoft Windows
 
 
Privacy extensions are enabled by default. Correct working of some services sometimes require disabling part or all privacy extensions.
 
Disabling privacy extensions for global IPv6 addresses
 
 
With this settings the Windows client will obtain modified EUI-64 global unique address, while it will also generate global temporary IPv6 address. This is recommended setup, because you only make public your MAC address, but your privacy is retained (you won't be easily traceable by your IP).
 
 
    One time settings (reseted with reboot):
 
 
        netsh interface ipv6 set global randomizeidentifiers=disabled store=active
 
 
    Permanent settings:
 
 
        netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
 
 
    Current settings can be viewed with:
 
 
        netsh interface ipv6 show global store=active
 
        netsh interface ipv6 show global store=persistent
 
 
Disabling privacy extensions for all IPv6 addresses
 
 
This settings disables all privacy extensions. Your global unique IPv6 address will be generated using modified EUI-64 method and your global temporary IPv6 address will be disabled. Your MAC address is made public and :!: you will be easily traceable.
 
 
    One time settings (reseted with reboot):
 
 
        netsh interface ipv6 set privacy state=disabled store=active
 
 
    Permanent settings:
 
 
        netsh interface ipv6 set privacy state=disabled store=persistent
 
 
    Current settings can be viewed with:
 
 
        netsh interface ipv6 show privacy store=active
 
        netsh interface ipv6 show privacy store=persistent
 
 
Notes
 
 
    http://www.heise.de/netze/artikel/OpenWRT-wuerfelt-IPv6-Praefixe-1445607.html
 
    http://andatche.com/blog/2012/02/disabling-rfc4941-ipv6-privacy-extensions-in-windows/
 
 
Packet filter
 
 
    → to configure the UCI config file /etc/config/firewall see there. IPv6 rules can be set up with this alone.
 
    → to set up a firewall without UCI please read netfilter, especially ip6tables and ipv6
 
 
Warning No1: There is no NAT in IPv6. While NAT was never intended as a security feature, it did nonetheless serve as one, because unless you specified portforwardings the ports were unavailable. However, the same level of security can be achieved by setting the policies to DROP and inserting -j ACCEPT -m conntrack –ctstate ESTABLISHED,RELATED at the beginning of the chains.
 
Warning No2: IPv6 specs demand, that Path MTU Discovery is working correctly because a packet fragmentation is not being performed! So if you configure your packet filter like an imbecile and drop all ICMPv6 packets without distinguishing, you will break this functionality and funny things will occur! Cf. → RFC4890 – ICMPv6 Filtering Recommendations
 
Note: firewall v1 (e.g. still in Backfire 10.03.1-rc4 and up to r25353) has no default rules at all and ip6tables configuration needs to be done from scratch. Insert the rules below to make the packet filter function properly.
 
 
ip6tables -A FORWARD -i br-lan -j ACCEPT
 
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
ip6tables -A FORWARD -j REJECT
 
  
  
 
==Referensi==
 
==Referensi==
  
* http://wiki.openwrt.org/doc/howto/ipv6
+
* http://wiki.openwrt.org/doc/uci/network6
 
 
==Pranala Menarik==
 
 
 
* [[OpenWRT]]
 
* [[OpenWRT: Download Firmware yang sudah jadi]]
 
* [[OpenWRT: Source Repository Download]]
 
* [[OpenWRT: Melihat Daftar Package]]
 
 
 
===Build Firmware===
 
 
 
* [[OpenWRT: Build Firmware]]
 
* [[OpenWRT: Build Firmware Download Source Pendukung]]
 
* [[OpenWRT: Build Firmware Buffalo WZRHPG450H]]
 
* [[OpenWRT: Build Firmware Buffalo WZRHPG300N]]
 
* [[OpenWRT: Build Firmware Buffalo WZRHPG300NH2]]
 
* [[Buffalo]]
 
* [[Buffalo: WZRHPG450H Cara Recovery]]
 
* [[Buffalo: WZRHPG450H OpenWRT mengaktifkan setelah di flash]]
 
* '''[[Buffalo: WZRHPG450H Membuat Firmware OpenWRT Sendiri]]''' '''COOL'''
 
* [[Buffalo: WZRHPG450H OpenWRT instalasi aplikasi Pendukung OLSRD]]
 
* [[OpenWRT: Build Firmware Ubiquiti NanoStation2]]
 
* [[OpenWRT: Build Firmware Mikrotik RB433]]
 
* [[OpenWRT: Build Firmware Linksys WRT160NL]]
 
* [[OpenWRT: Build Firmware Linksys WRT54GL]]
 
 
 
===IPv6===
 
 
 
* [[OpenWRT: IPv6]]
 
* [[OpenWRT IPv6: Build Firmware Linksys WRT160NL]]
 
* [[OpenWRT IPv6: Build Firmware Linksys WRT160NL Tanpa WebGUI]]
 
* [[OpenWRT IPv6: Build Firmware Buffalo WZRHPG450H]]
 
* [[OpenWRT IPv6: Build Firmware Buffalo WZRHPG300NH2]]
 
* [[OpenWRT IPv6: Setup tunnel ke tunnelbroker]]
 
* [[OpenWRT IPv6: Konfigurasi]]
 
* [[OpenWRT IPv6: Konfigurasi WAN6 dengan radvd]]
 
 
 
===Flash Firmware===
 
 
 
* [[OpenWRT: Flash Linksys WRT54GL]]
 
* [[OpenWRT: Flash Linksys WRT160NL]]
 
* [[OpenWRT: Flash Buffalo WZRHP450H]]
 
* [[OpenWRT: Flash Buffalo WZRHP300N]]
 
* [[OpenWRT: Flash UBNT NanoStation2]]
 
* [[OpenWRT: Flash UBNT NanoStation M2]]
 
* [[OpenWRT: Flash UBNT NanoStation Loco M2]]
 
 
 
===Misc===
 
 
 
* [[OpenWRT: Setup WiFi]]
 
* [[OpenWRT: Setup PPTP VPN Server]]
 
* [[OpenWRT: Setup OLSR di UBNT via CLI]]
 
* [[OpenWRT: Mikrotik RB433]]
 
* [[OpenWRT: Setup OLSR Sederhana]]
 
* [[OLSR - di OpenWRT]]
 
* [[OpenWRT: 3G modem]]
 
* [[OpenWRT: Build Firmware dengan 3G Modem Support]]
 
* [[OpenWRT: Setup Firewall]]
 
* [[OpenWRT: Konfigurasi UBNT NanoStation2 tanpa WebGUI]]
 
 
 
===UBNT===
 
 
 
* [[UBNT]]
 
* [[UBNT: Teknik Recovery]]
 
* [[UBNT: Upload Firmware]]
 
* [[UBNT: Rebuild Firmware]]
 
* [[UBNT: firmware dengan OLSR]]
 
* [[UBNT: openwrt]]
 
* [[UBNT: olsr dengan openwrt]]
 
* [[UBNT: olsr dengan kamikaze openwrt]]
 
* [[UBNT: olsr dengan backfire openwrt]] '''RECOMMENDED'''
 
* [[UBNT: UniFi]]
 
* [[UBNT: UniFi Konfigurasi Awal]]
 
* [[UBNT: UniFi Manajemen HotSpot]]
 
* [[UBNT: OLSR Pembuatan Firmware]]
 
* [[UBNT: OLSR Konfigurasi]]
 
* [[OLSR - di UBNT]]
 
* [[OLSR - di Ubuntu]]
 
* [[OpenWRT]]
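Review bot: in the added 6in4 example under "6in4 tunnel and Static IPv6 connection", the line `option 'peeraddr' '62.12.34.56` is missing its closing quote, so the value is unterminated if the block is copied into /etc/config/network; close it as `'62.12.34.56'`. In the same example the `EFGH` group in the ip6addr value is not valid hexadecimal, so it should be marked as a placeholder to be replaced with the tunnel's real address.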
 

Revision as of 07:15, 11 July 2015

Source: http://wiki.openwrt.org/doc/uci/network6


OpenWrt native IPv6-stack

This page applies to Barrier Breaker, Attitude Adjustment release 12.09.1 and later OpenWrt versions only. It is not valid for Backfire 10.03 or Attitude Adjustment 12.09. See Old IPv6 HowTo for these versions.

Obtaining IPv6 support

Barrier Breaker and later

   Native IPv6-support with DHCPv6, an RA & DHCPv6-Server and an IPv6-firewall are installed and configured by default.
   Transitioning technologies like 6in4, 6rd, 6to4 or ds-lite can be installed using the packages with the same names.
   For WebUI-support install the package luci-proto-ipv6.

Implementation

Features

   Prefix Handling
       Management of prefixes, addresses and routes from upstream connections and local ULA-prefixes
       Management of prefix unreachable-routes, prefix deprecation (RFC 7084) and prefix classes
       Distribution of prefixes onto downstream interfaces (including size, ID and class hints)
       Source-based policy routing to correctly handle multiple uplink interfaces, ingress policy filtering (RFC 7084)
   Native IPv6 configuration
       Automatic bootstrap from SLAAC, stateless DHCPv6, stateful DHCPv6, DHCPv6-PD and any combination
       Handling of preferred and valid address and prefix lifetimes
       Duplicate address and Link-MTU detection
       DHCPv6 Extensions: Reconfigure, Information-Refresh, SOL_MAX_RT=3600
       DHCPv6 Extensions: RDNSS, DNS Search Domain, NTP, SIP, ds-lite, prefix exclusion (experimental)
   IPv6 transitioning technologies
       Setup and management of IPv6-in-IPv4 tunnels (6rd, 6to4, 6in4)
       Setup and management of IPv4-in-IPv6 tunnels (ds-lite, lw4o6, map-e)
       Setup and management of IPv4-to-IPv6 translation (map-t, 464xlat CLAT) [since Chaos Calmer]
       Automatic setup of tunnels from DHCP and DHCPv6 [since Chaos Calmer]
   Downstream IPv6 configuration
       Server support for Router Advertisement, DHCPv6 (stateless and stateful) and DHCPv6-PD
       Automatic detection of announced prefixes, delegated prefixes, default routes and MTU
       Change detection for prefixes and routes triggering resending of RAs and DHCPv6-Reconfigure
       Detection of client hostnames and export as augmented hosts-file
       Support for RA & DHCPv6-relaying and NDP-proxying to e.g. support uplinks without prefix delegation

Compliance

Our aim is to follow RFC 7084 where possible. Nevertheless compliance has not been verified yet. Please notify us if you find any standard violations.

The following requirements of RFC 7084 are currently known not to be met.

   RFC 7084 WAA-5 (SHOULD-requirement): The NTP-Server is requested and received but currently not processed or used.

Upstream configuration for WAN-Interfaces

The following sections describe the configuration of IPv6 connections to your ISP or an upstream router. Please note that most tunneling mechanisms like 6in4, 6rd and 6to4 may not work behind a NAT-router.

Native IPv6 connection

For an uplink with native IPv6-connectivity you can use the following example configuration. It will work both for uplinks supporting DHCPv6 with Prefix Delegation and those that don't support DHCPv6-PD or DHCPv6 at all (SLAAC-only).

/etc/config/network

config interface wan
        option ipv6 1 # only required for PPP-based protocols
        ...

config interface wan6
        option ifname   eth1 # use same ifname as in wan-section or "@wan"
        option proto    dhcpv6 

config interface lan
        option proto    static
        option ip6assign 60
        ...
!: The package odhcp6c must be installed to use dhcpv6. See protocol.dhcpv6 for advanced configuration options.

Static IPv6 connection

Static configuration of the IPv6 uplink is supported as well. The following example demonstrates this.

/etc/config/network

config interface wan
        option ifname   eth1
        option proto    static
        option ip6addr  2001:db80::2/64   # Own address
        option ip6gw    2001:db80::1      # Gateway address
        option ip6prefix 2001:db80:1::/48 # Prefix addresses for distribution to downstream interfaces
        option dns      2001:db80::1      # DNS server

config interface lan
        option proto    static
        option ip6assign 60
        ...

For advanced configuration options see protocol.static

6in4 tunnel (HEnet tunnelbroker, sixxs static tunnel, ...)

6in4 tunnels are usually provided by external tunnel providers like HE.net or Sixxs. You can use the following example configuration as a basis.

/etc/config/network:

config 'interface' 'wan6'
        option 'proto' '6in4'
        option 'mtu' '1424'                          # the IPv6 tunnel MTU (optional)
        option 'peeraddr' '62.12.34.56'              # the IPv4 tunnel endpoint
        option 'ip6addr' '2001:DB8:2222:EFGH::2/64'  # the IPv6 tunnel 
        option 'ip6prefix' '2001:DB8:1234:ABCD::/64' # Your routed prefix (required!)
        # configuration options below are only valid for HEnet tunnels. ignore them for other tunnel providers.
        option tunnelid '123456' # HE.net tunnel id
        option username 'username' # HE.net username that you use to log in to tunnelbroker, not the User ID shown after you have logged in.
        option password 'password' # HE.net password if there is no updatekey for tunnel
        option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels
config 'interface' 'lan'
        option 'proto' 'static'
        option ip6assign 60
...
!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
!: The package 6in4 must be installed to use 6in4-tunnels. See protocol.6in4.ipv6-in-ipv4.tunnel for advanced configuration options.
!: Note that HE.net assigns an "updatekey" by default for new tunnels since February 2014. If updatekey exists (visible in tunnel's advanced info page at the he.net site), it needs to be used instead of the password. Support for that option has been introduced in Openwrt trunk by r39646. Old tunnels without updatekey will continue to work with password.

6rd tunnel (ISP-provided IPv6 transition)

6rd is a tunnel mechanism based on 6to4. Unlike other tunneling mechanisms 6rd is usually provided by the ISP itself. The values for the tunnel are usually obtained with the DHCPv4 request for the WAN interface.

!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough.

/etc/config/network:

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        
        # The following two lines are only needed in Barrier Breaker
        option iface6rd wan_6rd
        option zone6rd wan

To debug 6rd via DHCP, first check if the parameters are sent. Create a /etc/udhcpc.user with the following content:

#!/bin/sh
env >> /tmp/udhcpc.log

Reboot the router and check the log file for the following line:

ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2

If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6RD tunnel. Remove or comment out the iface6rd line in the wan section.

/etc/config/network:

config interface 'wan6'
        option proto '6rd'
        option peeraddr '77.174.0.2'
        option ip6prefix '2001:838:ad00::'
        option ip6prefixlen '40'
        option ip4prefixlen '16'
!: In Chaos Calmer the default /etc/config/network works after installing the 6rd package. The mentioned dhcpv6 is ignored if it doesn't succeed. The above configuration for Barrier Breaker works also in later variants and may be less confusing.
!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
!: The package 6rd must be installed to use 6rd-tunnels. See protocol_6rd_ipv6_rapid_deployment for advanced configuration options.
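
The step from the logged ip6rd line to the hard-coded wan6 section, as an added example (not from the OpenWrt documentation): the field order is taken from the mapping shown above, and the delegated-prefix calculation follows RFC 5969 and goes beyond what this page describes. The function names and the WAN address 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress

# The ip6rd line shown above, as env writes it to /tmp/udhcpc.log.
SAMPLE_LINE = "ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2"


def parse_ip6rd(line):
    """Split an ip6rd line into the four values the 6rd section needs."""
    key, _, value = line.strip().partition("=")
    fields = value.split()
    if key != "ip6rd" or len(fields) < 4:
        raise ValueError("expected ip6rd=<ip4len> <ip6len> <ip6prefix> <peeraddr>")
    ip4len, ip6len = int(fields[0]), int(fields[1])
    if not 0 <= ip4len <= 32:
        raise ValueError("ip4prefixlen out of range: %d" % ip4len)
    # strict=True rejects a prefix that has bits set beyond ip6prefixlen,
    # and an out-of-range ip6prefixlen raises ValueError as well.
    prefix = ipaddress.IPv6Network((fields[2], ip6len), strict=True)
    peer = ipaddress.IPv4Address(fields[3])
    return {
        "peeraddr": str(peer),
        "ip6prefix": str(prefix.network_address),
        "ip6prefixlen": ip6len,
        "ip4prefixlen": ip4len,
    }


def delegated_prefix(params, wan_ipv4):
    """RFC 5969: append the WAN IPv4 bits that follow the common
    ip4prefixlen bits to the 6rd prefix."""
    suffix_bits = 32 - params["ip4prefixlen"]
    length = params["ip6prefixlen"] + suffix_bits
    if length > 64:
        # A prefix longer than /64 leaves no /64 for a LAN interface.
        raise ValueError("delegated prefix would be /%d" % length)
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << suffix_bits) - 1)
    base = int(ipaddress.IPv6Address(params["ip6prefix"]))
    return ipaddress.IPv6Network((base | (suffix << (128 - length)), length))


def render_uci(params, name="wan6"):
    """Format the values as a section for /etc/config/network."""
    lines = ["config interface '%s'" % name, "        option proto '6rd'"]
    for key in ("peeraddr", "ip6prefix", "ip6prefixlen", "ip4prefixlen"):
        lines.append("        option %s '%s'" % (key, params[key]))
    return "\n".join(lines)


if __name__ == "__main__":
    values = parse_ip6rd(SAMPLE_LINE)
    print(render_uci(values))
    # 198.51.100.7 is a constructed WAN address from a documentation range.
    print("delegated prefix:", delegated_prefix(values, "198.51.100.7"))
```
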

6pe, L2TP tunnel, softwire (ISP-provided IPv6 transition)

This is another transitional mechanism for IPv6, used by some ISPs. It relies on a L2TPv2 tunnel.

Detailed configuration: ipv6.softwire

6to4 tunnel

6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways.

/etc/config/network:

config 'interface' 'wan6'
        option 'proto' '6to4'

config 'interface' 'lan'
        option 'proto' 'static'
        option ip6assign 60
...
!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
!: The package 6to4 must be installed to use 6to4-tunnels. See protocol.6to4.ipv6-in-ipv4.tunnel for advanced configuration options.

Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6)

ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection.

!: In Chaos Calmer and later the configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and rebooting) is usually enough.

/etc/config/network:

config 'interface' 'wan6'
        option 'ifname' 'eth1'
        option 'proto' 'dhcpv6'

config 'interface' 'wan'
        option 'proto' 'dslite'
        option 'peeraddr' '2001:db80::1' # Your ISP's DS-Lite AFTR
!: If you choose a name for your tunnel-interface that is different from 'wan' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
!: The package ds-lite must be installed to use ds-lite-tunnels. See protocol.dslite.dual-stack.lite for advanced configuration options.

Downstream configuration for LAN-Interfaces

OpenWrt includes a flexible local prefix delegation mechanism. It can be tuned for each downstream-interface individually with 3 parameters which are all optional:

   ip6assign: Prefix size used for assigned prefix to the interface (e.g. 64 will assign /64-prefixes)
   ip6hint: Subprefix ID to be used if available (e.g. 1234 with an ip6assign of 64 will assign prefixes of the form …:1234::/64)
   ip6class: Filter for prefix classes to accept on this interface (e.g. wan6 will only assign prefixes with class "wan6" but not e.g. "local")

ip6assign and / or ip6hint-settings might be ignored if the desired subprefix cannot be assigned. In this case OpenWrt will first try to assign a prefix with the same length but different subprefix-ID. If this fails as well the prefix length is reduced until the assignment can be satisfied. If ip6hint is not set an arbitrary ID will be chosen. Setting the ip6assign-parameter to a value < 64 will allow the DHCPv6-server to hand out all but the first /64 via DHCPv6-Prefix Delegation to downstream routers on the interface. If the ip6hint is not suitable for the given ip6assign it will be rounded down to the nearest possible value.

If ip6class is not set then all prefix classes are accepted on this interface. The default class for a prefix is the interface-name (e.g. "wan6") or "local" for the ULA-prefix. This can be used to select upstream interfaces from which subprefixes are assigned. For prefixes received from dynamic-configuration methods like DHCPv6 it is possible that the prefix-class is not equal to the source-interface but e.g. augmented with an ISP-provided numeric prefix class-value.

Example (/etc/config/network):

config globals globals
        option ula_prefix fd00:db80::/48  

config interface wan6
        option proto static
        option ip6prefix 2001:db80::/56
        ...

config interface lan
        option proto static
        option ip6assign 60
        option ip6hint 10
        ...

config interface guest
        option proto static
        option ip6assign 64
        option ip6hint abcd
        list ip6class wan6
        ...

The results of that configuration would be:

   The lan interface will be assigned the prefixes 2001:db80:0:10::/60 and fd00:db80:0:10::/60.
   The DHCPv6-server can offer both prefixes except 2001:db80:0:10::/64 and fd00:db80:0:10::/64 to downstream routers on lan via DHCPv6-PD.
   The guest interface will only get assigned the prefix 2001:db80:0:abcd::/64 due to the class filter.
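
The arithmetic behind ip6assign, ip6hint and ip6class, as an added example rather than netifd's own code: it models only the rules stated above (the hint is a hexadecimal subprefix ID counted in /64 units and rounded down to fit the assignment size) and does not implement the fallback to another ID or a shorter prefix. The function names and the sample interface plan are assumptions.

```python
import ipaddress


def assign_subprefix(delegated, ip6assign, ip6hint):
    """Return the subprefix selected by ip6assign/ip6hint, or None if the
    hinted subprefix does not fit inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if not net.prefixlen <= ip6assign <= 64:
        return None
    hint = int(ip6hint, 16)
    # Round the hint down to a multiple of the assignment size in /64 units.
    hint -= hint % (1 << (64 - ip6assign))
    # The ID has to fit into the bits between the delegated length and /64.
    if hint >= 1 << (64 - net.prefixlen):
        return None
    base = int(net.network_address) | (hint << 64)
    return ipaddress.IPv6Network((base, ip6assign))


def pd_pool(assigned):
    """/64s left for DHCPv6-PD: everything but the first /64."""
    if assigned.prefixlen >= 64:
        return []
    return list(assigned.subnets(new_prefix=64))[1:]


def plan(upstream, interfaces):
    """upstream: {prefix class: prefix}
    interfaces: {name: (ip6assign, ip6hint, accepted classes or None)}
    Returns {name: [assigned prefixes]}, skipping filtered classes and
    hinted subprefixes that overlap an earlier assignment."""
    taken = {cls: [] for cls in upstream}
    result = {}
    for name, (size, hint, classes) in interfaces.items():
        result[name] = []
        for cls, prefix in upstream.items():
            if classes is not None and cls not in classes:
                continue
            cand = assign_subprefix(prefix, size, hint)
            if cand is None or any(cand.overlaps(t) for t in taken[cls]):
                continue
            taken[cls].append(cand)
            result[name].append(str(cand))
    return result


if __name__ == "__main__":
    # Constructed plan: a routed /48 (class "wan6") plus the ULA prefix.
    upstream = {"wan6": "2001:db80:1234::/48", "local": "fd00:db80::/48"}
    interfaces = {
        "lan": (60, "10", None),          # accepts every prefix class
        "guest": (64, "abcd", ["wan6"]),  # class filter: wan6 only
    }
    for name, prefixes in plan(upstream, interfaces).items():
        print(name, prefixes)
    lan = assign_subprefix("2001:db80::/56", 60, "10")
    print("PD pool on lan:", [str(n) for n in pd_pool(lan)])
```
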

Router Advertisement & DHCPv6

OpenWrt features a versatile RA & DHCPv6 server and relay. By default SLAAC, stateless and stateful DHCPv6 are enabled on an interface. If prefixes of size /64 or greater are present, addresses will be handed out from each prefix. If all prefixes on an interface have a size greater than /64, DHCPv6-Prefix Delegation is enabled for downstream routers. If a default route is present, the router advertises itself as default router on the interface.

OpenWrt is also able to detect when there is no prefix available from an upstream interface and can switch into relaying mode automatically to extend the upstream interface configuration onto its downstream interfaces. This is useful for putting an OpenWrt behind another IPv6-router which doesn't offer prefixes via DHCPv6-PD.

Example configuration section for SLAAC + DHCPv6 server mode (/etc/config/dhcp)

config dhcp lan
    option dhcpv6 server
    option ra server

Example configuration section for SLAAC alone (/etc/config/dhcp)

config dhcp lan
    option dhcpv6 disabled
    option ra server

Example configuration section for relaying (/etc/config/dhcp)

config dhcp wan6
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1

config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay

!: The package odhcpd must be installed to provide these services.

Routing Management

OpenWrt uses a source-address and source-interface based policy-routing system. This is required to correctly handle different uplink interfaces. Each delegated prefix is added with an unreachable route to avoid IPv6-routing loops.

To determine the current status of routes you can consult the information provided by ifstatus.

Example (ifstatus wan6):

...
        "ipv6-address": [
                {
                        "address": "2001:db80::a00:27ff:fe67:cd9c",
                        "mask": 64,
                        "preferred": 1681,
                        "valid": 7081
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2001:db80:0:100::",
                        "mask": 56,
                        "preferred": 86282,
                        "valid": 86282,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2001:db80:0:110::",
                                        "mask": 60
                                }
                        }
                }
        ],
        "route": [
                {
                        "target": "2001:db80::",
                        "mask": 48,
                        "nexthop": "fe80::800:27ff:fe00:0",
                        "metric": 1024,
                        "valid": 7081
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::800:27ff:fe00:0",
                        "metric": 1024,
                        "valid": 7081
                }
        ],
...

Interpretation:

   On the interface 2 routes are provided: 2001:db80::/48 and a default-route via the router fe80::800:27ff:fe00:0.
   These routes can only be used by locally generated traffic and traffic with a suitable source-address, that is either one of the local addresses or an address out of the delegated prefix.
!: OpenWrt adds IPv6-routes (like default routes) to specific routing-tables and not the main-table thus they may not be seen by default. You can use the command ip -6 rule to list all current routing policies.
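
The interpretation above can be turned into a small decision model for a packet that the router is asked to forward. This is an added example, not OpenWrt code: STATUS is the ifstatus excerpt from this page reduced to the fields used, the function names and verdict strings are hypothetical, and on-link delivery on wan6 itself is not modelled.

```python
import ipaddress

# The "ifstatus wan6" excerpt from this page, reduced to the fields used below.
STATUS = {
    "ipv6-address": [{"address": "2001:db80::a00:27ff:fe67:cd9c", "mask": 64}],
    "ipv6-prefix": [{
        "address": "2001:db80:0:100::", "mask": 56, "class": "wan6",
        "assigned": {"lan": {"address": "2001:db80:0:110::", "mask": 60}},
    }],
    "route": [
        {"target": "2001:db80::", "mask": 48, "nexthop": "fe80::800:27ff:fe00:0"},
        {"target": "::", "mask": 0, "nexthop": "fe80::800:27ff:fe00:0"},
    ],
}

def _net(entry):
    """Build a network from an ifstatus entry ("address" or "target" plus "mask")."""
    base = entry.get("address", entry.get("target"))
    return ipaddress.ip_network(f"{base}/{entry['mask']}")

def allowed_sources(status):
    """Sources that may use this uplink: its own addresses and the delegated prefixes."""
    own = [ipaddress.ip_network(a["address"]) for a in status["ipv6-address"]]
    return own + [_net(p) for p in status["ipv6-prefix"]]

def route_decision(status, src, dst):
    """Return (verdict, detail) for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prefix in status["ipv6-prefix"]:
        if dst in _net(prefix):
            for ifname, sub in prefix.get("assigned", {}).items():
                if dst in _net(sub):
                    return ("deliver", ifname)
            # Unassigned part of the delegation: the unreachable route stops
            # the packet from bouncing back to the upstream router.
            return ("unreachable", None)
    if not any(src in net for net in allowed_sources(status)):
        # What a LAN host sees as "Source address failed ingress/egress policy".
        return ("policy-reject", None)
    matches = [r for r in status["route"] if dst in _net(r)]
    if not matches:
        return ("unreachable", None)
    best = max(matches, key=lambda r: r["mask"])  # longest prefix wins
    return ("forward", best["nexthop"])
```

A source outside the delegated prefix, such as a ULA or a statically set ip6addr, ends in policy-reject even though a default route exists, which is why the routes do not show up as usable from the main table.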

Migration from Attitude Adjustment 12.09 and earlier

IPv6 Forwarding

To ensure that IPv6 forwarding is working correctly, please check that your /etc/sysctl.conf contains the following entries:

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

Downstream configuration for LAN-Interfaces

Using ip6addr to set addresses / prefixes on downstream interfaces (e.g. lan) is discouraged because it can easily lead to conflicts with the local address delegation. It might also lead to unexpected results or breakage due to the source-based policy-routing used in the IPv6-stack.

Please use the new options ip6assign and ip6hint instead.

Example: If your delegated prefix is 2001:db80:1234::/48 and you want your lan interface to have the subprefix 2001:db80:1234:5678::/64 you could use the following configuration:

config 'interface' 'lan'
       option 'proto' 'static'
       option 'ip6assign' '64'
       option 'ip6hint' '5678'
       ...

If the router can ping6 the internet, but lan machines get "Destination unreachable: Unknown code 5" or "Source address failed ingress/egress policy" then the ip6assign option is missing on your lan interface.

Router Advertisement & DHCPv6

The use of radvd is now unnecessary. The service 6relayd is used for Router Advertisement and DHCPv6 and picks up addresses from interfaces automatically. To configure the 6relayd service see 6relayd.

Upstream Configuration for WAN-Interfaces

Generic Changes

Router Advertisements are not accepted by default anymore and thus OpenWrt will not configure itself with default routes and / or addresses. Also the interface-options accept_ra and send_rs have been removed. You should add an interface with proto dhcpv6 - also for receiving RAs only - as described in Native IPv6 Connection.

6in4 tunnel and Static IPv6 connection

It is now necessary to add your routed-prefix (e.g. routed /48 of your tunnel) as option ip6prefix to the tunnel/static-interface in /etc/config/network. If you omit this option your lan-clients will not be able to reach the internet.

Example:

config 'interface' 'wan6'
        option 'proto' '6in4'
        option 'peeraddr' '62.12.34.56'
        option 'ip6addr' '2001:DB8:2222:EFGH::2/64'
        option 'ip6prefix' '2001:DB8:1234:ABCD::/64' # <- Your routed prefix
        ...

6rd and 6to4 tunnel

Your public address prefix is now automatically calculated and sent to the network subsystem (netifd). You should follow the advice for lan-interface configuration.

References