OpenWRT: IPv6
Native IPv6 access
For this, you need to obtain an IPv6 address from your ISP. Technically this could be a /128 prefix (exactly one IPv6 address), but according to rfc6177 this should be a /64 prefix. You may also get bigger range, like /56 or /48. Within this range you may use all the IPv6 addresses to your liking without any NAT-induced headaches.
Some of the ISPs currently known to support IPv6 to the customer are listed here: ipv6.isp.
In the following example, the assigned prefix is 2001:123:456::/48. Within this prefix, I choose to affect the network 2001:123:456:789::/64 to the internal LAN. The router has the fixed IP 2001:123:456:789::1
/etc/config/network: config interface lan option ifname eth1 option type bridge option proto static option ipaddr 192.168.1.1 option netmask 255.255.255.0 option ip6addr '2001:123:456:789::1/64'
When using PPPoEv6, enable ipv6. You may also further reduce the MTU from 1492 to 1452: Experience shows that it prevents many problems. You can try to increase this size, not bigger than 1492. config interface wan option ifname eth0 option proto pppoe option username '<username>' option password '<password>' option keepalive 5 option defaultroute 1 option peerdns 1 option ipv6 1 option mtu 1452 6in4 tunneling
6in4 is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.
A very excellent forum topic on the topic of a static 6in4 tunnels is at https://forum.openwrt.org/viewtopic.php?pid=126285
Both resources assume a static prefix, and thus a manual configuration.
The ISP known to use this are:
Free.fr (France)
Requirements
The package 6in4 must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.
opkg update && opkg install 6in4
Notes:
Examples of 6in4 tunneling are also on the config/network page. For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
Static 6in4 tunneling
/etc/config/network for static tunneling: config interface henet option proto 6in4 option ipaddr '178.24.115.19' option peeraddr '216.66.80.30' option ip6addr '2001:0db8:1f0a:1359::2/64'
Note: you may want to check that your public IP is matching the IP address on your WAN interface. Details in Static IPv6-in-IPv4 tunnel behind one-to-one NAT. Dynamic 6in4 tunneling
The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
/etc/config/network for dynamic tunneling: config interface henet option proto 6in4 option peeraddr '216.66.80.30' option ip6addr '2001:0db8:1f0a:1359::2/64' option tunnelid '12345' option username '14c4b06b824ec593239362517f538b29' option password '5f4dcc3b5aa765d61d8327deb882cf99'
In this example configuration:
178.24.115.10 is the local IPv4 address (assigned by ISP) 216.66.80.30 is the remote IPv4 address (the other side of the tunnel) 2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account). tunnelid, username, and password are provided by the tunnel broker.
:!: For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see https://ipv4.tunnelbroker.net/ipv4_end.php
With Attitude Adjustment, once you have added the above interface definition you have to run /etc/init.d/network restart in order to have it effected.
- !: Note that Hurricane Electric has changed their dynamic negotiation protocol, and the 6in4 package is not yet (August 2011) updated accordingly. See discussion in ticket 10019. Based on the discussion HE users need to install the wget package to get HTTPS support in wget and possibly also modify the URL in 6in4 script.
This tunnel, like a VPN, creates a third network interface, called henet in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully. Firewalling
- !: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:
config 'zone' option 'name' 'wan' option 'network' 'wan henet' option 'input' 'REJECT' option 'forward' 'REJECT' option 'output' 'ACCEPT' option 'masq' '1'
- !: To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:
config rule option src wan option proto 41 option target ACCEPT
You will need the ip6tables package for these firewall rules to work. You can run the following command to install this package:
opkg update && opkg install ip6tables kmod-ip6tables
Routing Routed Addresses
To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface.
- !: For Hurricane Electric tunnels, the prefix for the routed subnet is specified in tunnel details page on tunnelbroker.net in the Routed IPv6 Prefixes section, and is formed by incrementing the last digit of the third quad in the tunneling prefix. For example, if the IP address 2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint, the local interface would be assigned an address in 2001:0db8:1f0b:1359::/64 subnet, typically 2001:0db8:1f0b:1359::1/64
config interface lan option ifname eth0 option type bridge option proto static option ipaddr 192.168.1.1 option netmask 255.255.255.0 option ip6addr '2001:0db8:1f0b:1359::1/64'
Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know this routed prefix. To broadcast the prefix to clients on the local network, use radvd. Packet Forwarding
The router must be configured forward packets between the remote and local interfaces. See the Enable Routing section. The forwarding is enabled by default in trunk, but must be manually enabled in Backfire. Enable Routing in Backfire
To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf
And uncomment the following line in /etc/sysctl.conf:
- net.ipv6.conf.all.forwarding=1
The line should look like this:
net.ipv6.conf.all.forwarding=1
Now restart sysctl to apply the new setting.
/etc/init.d/sysctl restart
To verify the setting has been applied, issue the following command:
cat /proc/sys/net/ipv6/conf/all/forwarding
should return 1
Troubleshooting
Enable firewall logging On the router, ping ipv6.google.com On a local host, ping the public IP address of the router's local interface (2001:0db8:1f0b:1359::1 in the example configuration). On a local host, ping ipv6.google.com
6to4, 6rd
6to4 is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.
6rd (rapid deployment) is similar to 6to4 with some restrictions for large ISP routing. However it is only supported in kernel superior or equal to 2.6.33 due to specific routing scheme.
In order for 6to4 to work, you need to install the package 6to4 and kmod-sit available from 10.03.1-rc4.
opkg install 6to4 kmod-sit
If, like me, you are working with 10.03, you can still install by downloading the package from the newer source.
opkg install http://downloads.openwrt.org/backfire/10.03.1-rc4/brcm47xx/packages/6to4_2-1_all.ipk
- !: Replace brcm47xx with the architecture you are working with.
For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
An example of /etc/config/network for the ISP "Qfast.nl", or any ISP for that matter, may be: config interface 6rd option proto 6to4 option adv_subnet 1 # Selects the advertised /64 prefix, default 1 if not specified option adv_interface lan
Although there are many more options, most of those (like ipaddress and the advertising interface) are configured automatically by default. Just check out /etc/config/network and search for the paragraph 6to4.
Even radvd and your lan interface is configured automatically by default by taking the lan interface and a /64 prefix of the external IP-range to be routed on. All you need to do is change the ignore 1 on the interface to ignore 0. Also remember to enable radvd (/etc/init.d/radvd enable) before doing ifup on the 6to4 interface. Otherwise the auto configuration of radvd will fail.
My /etc/config/radvd looks as follows: config interface option interface 'lan' option AdvSendAdvert 1 option AdvManagedFlag 0 option AdvOtherConfigFlag 0 option ignore 0 config prefix option interface 'lan' # If not specified, a non-link-local prefix of the interface is used option prefix \'\' #These are supposed to be 2 single-quotes option AdvOnLink 1 option AdvAutonomous 1 option AdvRouterAddr 0 option ignore 1
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall: config zone option name 'wan' option network 'wan 6rd' option input REJECT option forward REJECT option output ACCEPT option masq 1
Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets: config 'rule' option 'target' 'ACCEPT' option 'name' '6to4' option 'src' 'wan' option 'proto' '41'
This can also be done via the LuCI webinterface.
(note: option 'target' 'DROP' stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration) TSP Tunneling
The Tunnel Setup Protocol is used by some tunnel brokers. Gogo6 (ex Freenet6) is one of the most popular and offers free service for individuals.
- !: The packages gw6c and kmod-sit must be installed to use this protocol (e.g.: opkg update && opkg install gw6c kmod-sit).
gw6c is configured through a specific config file: /etc/config/gw6c.
First create a free account on freenet6 here then procede to fill gw6c configuration file on your router.
The example below assumes the user have an account, required to redistribute a prefix on a LAN. The userid/passwd fields must be filled with the above registration credentials. config gw6c basic #Comment out next line to enable gw6c option disabled 0 #Leave empty if connecting anonymously option userid <YOURFREENET6USERID> option passwd <YOURFREENET6PASSWD> #For anonymous use anon.frenet6.net and #account holders should use broker.freenet6.net option server authenticated.freenet6.net #auth_method <anonymous|any|passds-3des-1|digest-md5|plain> #Use anonymous with anonymous access and #any if you are account holder option auth_method any config gw6c routing #host_type <host|router> option host_type router option prefixlen 64 option ifprefix br-lan :!: prefixlen 64 did not work for me; prefixlen 56 works ! #DNS server list to which the reverse prefix #will be delegated. Separate servers with : option dns_server config gw6c advanced #Location where to store configuration file option gw6c_conf /tmp/gw6c.conf option gw6c_dir /usr/share/gw6c option auto_retry yes option retry_delay 30 option keepalive yes #keepalive interval option interval 30 #tunnel_mode <v6v4|v6udpv4|v6anyv4|v4v6> option if_tunnel_mode v6anyv4 option if_v6v4 sit1 option if_v6udpv4 tun option if_v4v6 sit0 option client_v4 auto option client_v6 auto option template openwrt option proxy_client no config gw6c broker option broker_list /etc/config/gw6c-broker-list.txt option last_server /etc/config/gw6c-last-server.txt # Always use last known working server? <yes|no> option always_same_serv no config gw6c logging option log_console 0 option log_stderr 1 option log_file 1 #optional, good for debugging option log_syslog 0 option log_filename /var/log/gw6c.log option log_rotation yes #Max size when using log file rotation #possible values: 16|32|128|1024 option log_maxsize 32 #<USER|LOCAL[0-7]> option syslog_facility USER
- !: When installed the program gw6c takes care of a lot of details itself, including radvd configuration : In this case, manual radvd configuration is not requiered: The /etc/config/radvd must be kept disabled.
Start Gateway6 client with the following command: /etc/init.d/gw6c start Auto-start after Openwrt booted up: /etc/init.d/gw6c enable Use /etc/init.d/gw6c with reload or restart to load the latest config file.
- !: Untested - Please correct as needed
- !: In newest ATTITUDE ADJUSTMENT dependencies might be broken. You might have to check manually if the Packet kmod-sit gets instaleld. If it is missing radvd startscript will fail: INTERFACE_SETUP_FAILED.
NAT64 tunneling
The NAT64 is one technique to provide to the user a routable ipv6 while using a NAT technique to keep access top IPv4 websites (The client may NOT have a routable IPv4 anymore).
Some ISP are experimenting this: AAISP (UK)
- !: to be completed - please help ?
Propagate IPv6 subnet to LAN
Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the later, two options described below exist. Note that when using static WAN connection, you need to add lines
option accept_ra 1 option send_rs 0
to config interface wan section of your /etc/config/network. RADVD
The router advertisement daemon (radvd) is fully supported by OpenWRT. Please consult the radvd UCI page, for a full complement of configuration options.
To begin with, install RADVD with:
opkg update && opkg install radvd
The simplest case is static IPv6 affectation:
/etc/config/radvd: config interface option interface 'lan' option AdvSendAdvert 1 option AdvLinkMTU 1452 # Optional - only provide if it is also provided in /etc/config/network option ignore 0 # Or delete the line altogether config prefix option interface 'lan' # Optional: only necessary if the lan interface has multiple # global IP addresses assigned to it; or the subnet is larger than /64 option prefix '2001:123:456:789::/64' # Optional option ignore 0 # Or delete the line altogether config 'rdnss' option 'interface' 'lan'
This configuration is sufficient to enable radvd on the router, and broadcast auto-configuration announces (default routes and dns servers) to the clients on LAN.
The MTU specified MUST be identical to the one set in the /etc/config/network section, if provided. If you're connecting through a tunnel, ensure that your MTU matches that of your tunnel. Otherwise, do not provide it.
Don't forget to enable radvd at boot. You can do this in the LuCI web interface at Administration → Services → Initscripts. Look for radvd and check whether it is enabled. To enable radvd at boot and to start radvd right now without rebooting, do
/etc/init.d/radvd enable /etc/init.d/radvd start
use logread to check for start up messages wide-dhcpv6-server
This shows you how to set up DHCPv6 so that LAN clients have their IPv6 addresses from a pool, instead of concatenating random numbers, or some function of their MAC address, with your prefix.
First, you need to install a DHCPv6 server
opkg update && opkg install wide-dhcpv6-server
Now enable the server in /etc/config/dhcp6s config 'dhcp6s' 'basic' option 'enabled' '1' option 'interface' 'br-lan' option 'config_file' '/etc/dhcp6s.conf'
Then create a config file /etc/dhcp6s.conf with something like: interface br-lan { address-pool pool1 86400; }; pool pool1 { range 2001:123:456:789::1000 to 2001:123:456:789::2000 ; };
This allocates addresses from a pool of 4096 with a lease time of 24 hours.
If you will need static IPv6 (::3000) assigned to host you can specify this with something like: host somehostname { duid 00:01:02:03:04:05:06:07:08:09:10:11:12:13; address 2001:123:456:789::3000 infinity; };
Where duid is DHCPv6 Client DUID (can be found in Windows at "ipconfig /all" for example).
Finally, you need to change some radvd settings so that it tells clients to use DHCPv6 to get the rest of their settings: config interface option interface 'lan' option AdvSendAdvert 1 option AdvManagedFlag 1 option AdvOtherConfigFlag 1 option ignore 0
Then restart the services and you're away (hopefully!) troubleshooting
If ps does not show dhcp6s running then you can run it interactively: dhcp6s -s /etc/dhcp6s.conf -d -f -D br-lan
(where br-lan is your local lan interface). Things to check include:
the network interface (br-lan in the above) does not match typos in /etc/dhcp6s.conf
dnsmasq-dhcpv6 This feature is new and not yet supported by UCI. You will need Attitude Adjustment to make this work.
We can use DHCPv6 enabled version of dnsmasq for:
Router advertisement
Configuration of clients
SLAAC
DHCPv6
With dnsmasq-dhcpv6 you will replace dnsmasq, radvd or wide-dhcpv6-server, depending on your current configuration.
opkg remove dnsmasq opkg update && opkg install dnsmasq-dhcpv6
Once we have dnsmasq-dhcpv6 installed we need to enable router advertisement and choose in what mode we want to configure clients. For details on modes, see dnsmasq man page. The modes are:
ra-only slaac ra-names ra-stateless
Since there is not UCI support yet, we have to add the configuration manually to /etc/dnsmasq.conf file. Configuration in this file is merged with the UCI generated config.
dhcp-range=2001:0db8:1f0b:1359::,ra-names enable-ra
The dhcp-range option defines IPv6 prefix used by clients and configuration mode, here ra-names (SLAAC). Last line enables router advertisement. Troubleshooting
Your client's global unique IPv6 address has to be generated in SLAAC mode using modified EUI-64 method. Correct address look like this:
2001:0db8:1f0b:1359:021d:baff:fe06:3764
in case your client's MAC address is 00:1D:BA:06:37:64.
If your address isn't EUI-64 based, you should disable privacy extensions for your global unique IPv6 address.
The global unique IPv6 address has to be pingable from your router. SSH into your router and run:
ping 2001:0db8:1f0b:1359:021d:baff:fe06:3764
In case you can't ping it, its probably your client's firewall blocking ICMPv6 Echo Requests from 2001:0db8:1f0b:1359::/64 network. You need to make accept rule in the firewall. Note that despite you have no problem to ping fe80::021d:baff:fe06:3764%br-lan, you still have to create the accept rule for the mentioned network.
To see if it works, follow these steps:
Add log-dhcp entry to /etc/dnsmasq.conf config file. Restart dnsmasq with /etc/init.d/dnsmasq restart. See if dnsmasq obtained the ping confirmation, and thus was able to add AAAA record to its DNS cache.
logread | grep "SLAAC-CONFIRM"
This may return something like this if everything is working fine:
Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp[1957]: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc
Directly forward ISP's NDP proxy address to LAN
It can help you, if your ISP give you /64 IPv6 address and radvd,dhcpv6 useless for you. Original idea by user (diway) from openwrt forum This method idea is: bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP).
Remove (radvd,dhcpv6,dnsmasqv6)or others that you install early when tryed methods above. And remove that options that you do at configuration files /etc/config/network or otherone (repair "before ipv6 state" of your deivce). Install ipv6 support and ebtables(if you haven't it at your repository, try beta or svn):
opkg update && opkg install kmod-ipv6 ebtables
1. At first determine your WAN interface device name, and correct comands below(change eth0.1 to your WAN device name). Edit /etc/init.d/network, at end of start() section add thoose lines: ebtables -t broute -A BROUTING -i eth0.1 -p ! ipv6 -j DROP brctl addif br-lan eth0.1
2. At /etc/config/network, make thoose:
Add this on the "config interface lan" section option accept_ra 1 option send_rs 1
Add this on the "config interface wan" section option accept_ra 0 option send_rs 0
3. At /etc/config/firewall, make thoose:
Add this to the "config defaults" section option disable_ipv6 0
4. At /etc/sysctl.conf, make thoose:
Add this at the end to enable firewalling on ipv6 even for bridged interfaces net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=0
5. If you need IPv6 firewalling ONLY! First install: opkg update && opkg install kmod-ip6tables ip6tables
Then correct comands below(change eth0.1 to your WAN device name). At /etc/firewall.user, add thoose lines:
- First, delete all: ip6tables -F ip6tables -X # Allow anything on the local link ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT # Allow anything out on the internet ip6tables -A OUTPUT -o eth0.1 -j ACCEPT # Allow Link-Local addresses ip6tables -A INPUT -s fe80::/10 -j ACCEPT ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT # Allow multicast ip6tables -A INPUT -s ff00::/8 -j ACCEPT ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT # Allow ICMPv6 ip6tables -A INPUT -p icmpv6 –icmpv6-type echo-request -j ACCEPT –match limit –limit 30/minute ip6tables -A INPUT -p icmpv6 -j ACCEPT ip6tables -A OUTPUT -p icmpv6 -j ACCEPT ip6tables -A FORWARD -p icmpv6 -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-request -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-reply -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-solicitation -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type router-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT # Allow forwarding ip6tables -A FORWARD -m state –state NEW -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state NEW -p tcp –dport 22 -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT ip6tables -N DROP ip6tables -A DROP -j REJECT –reject-with icmp6-port-unreachable # Set the default policy ip6tables -A INPUT -j DROP ip6tables -A FORWARD -j DROP ip6tables -A OUTPUT -j DROP
That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address. DNS check and configuration
If you can do a succesful ping6 ipv6.google.com from the router, then obviously your DNSmasq succesfully queries the IPv6 address, and you have IPv6 connectivity.
Congratulations!!!
Though, if you can't do the ping6 above, though you can do a ping6 [2a00:1450:8002::93], then your DNSmasq (or the server from which it queries) does not succesfully query the IPv6 addresses, and you need to fix this problem.
(TBD) IPv6 only access
- !: (Using an intermediate machine to contact IPv4-only servers)
(TBD) NAT64
TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel.
First, install tayga:
opkg update && opkg install tayga
Now, create NAT64 interface: config interface nat64 option proto tayga option ipv4_addr 192.0.2.1 option ipv6_addr 2001:db8:1::7f00:1 option prefix 64:ff9b::/96 option dynamic_pool 192.0.2.0/24 option accept_ra 0 option send_rs 0
where 192.0.2.0/24 is your dynamic pool, 64:ff9b::/96 is "unused /96 prefix" and 2001:db8:1::/64 is your IPv6 prefix used in LAN.
Don't forget to add this interface to LAN firewall zone.
ifup tayga && ping6 64:ff9b::8.8.8.8
DNS64
DNS64 is a special mechanism, that returns AAAA records for hosts that only have A records. ATTENTION! This breaks DNSSEC!
ISC bind supports DNS64 since version 9.8.0.
opkg update && opkg install bind-server bind-host
Modify default configuration (/etc/bind/named.conf): acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; options { directory "/tmp"; auth-nxdomain no; # conform to RFC1035 allow-query { localnets; localhost; }; listen-on { any; }; listen-on-v6 { any; }; dns64 64:ff9b::/96 { clients { any; }; mapped { !rfc1918; any; }; exclude { 64:ff9b::/96; ::ffff:0000:0000/96; }; suffix ::; }; edns-udp-size 512; max-udp-size 512; };
- /etc/init.d/bind restart
Point your resolver to 127.0.0.1 (or ::1) and try it:
- host www.ru www.ru has address 194.87.0.50 www.ru has IPv6 address 64:ff9b::c257:32 www.ru mail is handled by 5 hq.demos.ru. # host www.kame.net www.kame.net is an alias for orange.kame.net. orange.kame.net has address 203.178.141.194 orange.kame.net has IPv6 address 2001:200:dff:fff1:216:3eff:feb1:44d7
Normal AAAA records are returned for hosts that have it and translated ones for those who don't. NAT-PT DSTM Privacy Extensions Microsoft Windows
Privacy extensions are enabled by default. Correct working of some services sometimes require disabling part or all privacy extensions. Disabling privacy extensions for global IPv6 addresses
With this settings the Windows client will obtain modified EUI-64 global unique address, while it will also generate global temporary IPv6 address. This is recommended setup, because you only make public your MAC address, but your privacy is retained (you won't be easily traceable by your IP).
One time settings (reseted with reboot):
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
Permanent settings:
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
Current settings can be viewed with:
netsh interface ipv6 show global store=active
netsh interface ipv6 show global store=persistent
Disabling privacy extensions for all IPv6 addresses
This settings disables all privacy extensions. Your global unique IPv6 address will be generated using modified EUI-64 method and your global temporary IPv6 address will be disabled. Your MAC address is made public and :!: you will be easily traceable.
One time settings (reseted with reboot):
netsh interface ipv6 set privacy state=disabled store=active
Permanent settings:
netsh interface ipv6 set privacy state=disabled store=persistent
Current settings can be viewed with:
netsh interface ipv6 show privacy store=active
netsh interface ipv6 show privacy store=persistent
Notes
http://www.heise.de/netze/artikel/OpenWRT-wuerfelt-IPv6-Praefixe-1445607.html http://andatche.com/blog/2012/02/disabling-rfc4941-ipv6-privacy-extensions-in-windows/
Packet filter
→ to configure the UCI config file /etc/config/firewall see there. IPv6 rules can be set up with this alone. → to set up a firewall without UCI please read netfilter, especially ip6tables and ipv6
Warning No1: There is no NAT in IPv6. While NAT was never intended as a security feature, it did nonetheless serve as one, because unless you specified portforwardings the ports were unavailable. However, the same level of security can be achieved by setting the policies to DROP and inserting -j ACCEPT -m conntrack –ctstate ESTABLISHED,RELATED at the beginning of the chains. Warning No2: IPv6 specs demand, that Path MTU Discovery is working correctly because a packet fragmentation is not being performed! So if you configure your packet filter like an imbecile and drop all ICMPv6 packets without distinguishing, you will break this functionality and funny things will occur! Cf. → RFC4890 – ICMPv6 Filtering Recommendations Note: firewall v1 (e.g. still in Backfire 10.03.1-rc4 and up to r25353) has no default rules at all and ip6tables configuration needs to be done from scratch. Insert the rules below to make the packet filter function properly.
ip6tables -A FORWARD -i br-lan -j ACCEPT ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ip6tables -A FORWARD -j REJECT