Securifi Community Forum
Securifi Products => Almond+ => Topic started by: jake on August 15, 2014, 04:58:53 pm
-
I have been meaning to play with IPv6 for a while, and the arrival of my Almond+ gave me an excuse.
Since Verizon FIOS still doesn't support native IPv6 (apparently) I went with a Hurricane Electric tunnel. (https://tunnelbroker.net)
First, it should be noted that I'm far from an expert on this IPv6 stuff. You could easily configure things in a way that exposes your internal devices directly to the internet. Proceed at your own risk. I'd value it if more experienced IPv6 users would comment and help me (and others) learn. Also, you're modifying config files out from under the web and LCD interfaces, so you could theoretically break or brick your router.
Step 1. In order to create the tunnel with HE, your router needs to respond to ICMP pings. Add the following segment to your /etc/config/firewall file:
config 'rule'
option src wan
option proto icmp
option icmp_type echo-request
option target ACCEPT
option src_ip xx.yy.zz.aa
The IP address in the last option (src_ip) was provided by HE as the address they ping from, so I think this rule will only open pings to Hurricane and not every IP. I'm not sure if they use different IP addresses, so fill in the IP address they give you in the error message when you try to create the tunnel for the first time. Also, I'm not sure if I wrote the rule correctly; it works, but it might not be fully secure. You can reboot after this change and retry making the tunnel at tunnelbroker.net.
Step 2. You need to set up the IPv6 interface. Add the following to your /etc/config/network file:
config interface henet
option proto 6in4
option peeraddr 'xx.yy.zz.aa'
option ip6addr 'aa:bb:cccc:ddd::e/64'
option ip6prefix 'aa:bb:cccc:ddd::/64'
option tunnelid '123456'
option username 'userID'
option updatekey 'updatekey'
Fill in the proper items from your tunnel details page provided by tunnelbroker.net
- peeraddr = the IPv4 address of the tunnel server
- ip6addr = the IPv6 address of the client
- ip6prefix = the routed /64 prefix
- tunnelid = the HE provided tunnel ID number
- username = your HE tunnelbroker username
- updatekey = available on the "advanced" tab of the tunnel details page
Step 3. Under the config 'interface' 'lan' section, add the following option in /etc/config/network, filling in your routed /64 prefix:
config 'interface' 'lan'
...
option ip6addr 'aa:bb:cccc:ddd::/64'
...
NOTE: This line is probably not the right way to do this. According to the OpenWRT documentation:
It is discouraged to use ip6addr to set addresses / prefixes on downstream interfaces (e.g. lan) because it can easily lead to conflicts with the local address delegation. Also it might lead to unexpected result or brokenness due to the source-based policy-routing used in the IPv6-stack. Please use the new options ip6assign and ip6hint instead.
I couldn't get ip6hint and ip6assign to work right though. Maybe someone can figure it out and let me know what I'm doing wrong.
Step 4. You need to add the henet interface to the 'zone' in /etc/config/firewall. In the "config 'zone'" section, update the "option 'network'" line, adding henet after the wan interface:
config 'zone'
...
option 'network' 'wan henet'
...
After a reboot, you should be able to ping from the router:
ping -6 ipv6.google.com
Step 5. You need to set up radvd to assign IP addresses to the devices on the inside of your network. I used the OpenWRT web pages to do this, enabling the "Interfaces" and "Prefixes" sections.
(http://forum.securifi.com/index.php?action=dlattach;topic=1431.0;attach=285)
After all of this was done, I was able to ping6 from my computers and access ipv6.google.com from a web browser.
One note, the tunnelbroker is sensitive to WAN IPv4 address changes, and there are options for setting up dyndns to inform HE when an IP address changes. I haven't explored this.
I'm not leaving the tunnel active for now, since I don't have a real need for ipv6 and I'm not sure if I'm fully protected firewall-wise. When I want to play with v6, I'll enable it.
This was assembled from various tutorials, how-to's and reference pages. Thanks to those people, but there were too many sources and too much trial and error to keep track and acknowledge the sources here.
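Added example (not from jake's post or from the Almond+/OpenWRT firmware): a small POSIX shell script that emits the /etc/config/network stanzas for an HE 6in4 tunnel using the ip6assign delegation that the OpenWRT note in Step 3 recommends instead of a hard-coded ip6addr on lan, and that refuses a host address (something ending in ::e/64) where the routed /64 prefix belongs. Option names follow the post and the OpenWRT 6in4 documentation; the 192.0.2.x / 2001:db8:: values are constructed placeholders, and whether the Almond+ firmware honours ip6assign is an assumption to test on your unit.

```shell
#!/bin/sh
# Added example, not code from the forum post. Emits the UCI stanzas for an
# HE 6in4 tunnel with prefix delegation to lan (ip6assign) instead of a
# fixed ip6addr on lan. Values used below are constructed placeholders.

# Return 0 if $1 is a bare /64 prefix with an all-zero host part (the form HE
# lists as "Routed /64"), 1 otherwise. A host address such as
# 2001:db8:1:2::e/64 is rejected: ip6prefix expects a prefix, and ip6assign
# would otherwise hand lan a range that collides with the tunnel address.
he_routed_prefix_ok() {
  case "$1" in
    *::/64) ;;          # must end in "::/64"
    *) return 1 ;;
  esac
  # One to four hex groups before the "::" (at most 64 network bits).
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4}::/64$'
}

# Print the henet stanza plus the single option to merge into the existing
# lan stanza. Arguments: peer IPv4, client IPv6 (tunnel side, with /64),
# routed /64 prefix, tunnel id, username, update key.
gen_he_network() {
  peer=$1; client6=$2; routed=$3; tid=$4; user=$5; key=$6
  he_routed_prefix_ok "$routed" || { echo "bad routed prefix: $routed" >&2; return 1; }
  cat <<EOF
config interface 'henet'
    option proto '6in4'
    option peeraddr '$peer'
    option ip6addr '$client6'
    option ip6prefix '$routed'
    option tunnelid '$tid'
    option username '$user'
    option updatekey '$key'

config interface 'lan'
    option ip6assign '64'
EOF
}
# The 'lan' block above shows only the option to add; keep the rest of the
# existing lan section (ifname, proto, ipaddr, ...) as it is.

# Demo with constructed placeholder values:
gen_he_network 192.0.2.1 '2001:db8:1:1::2/64' '2001:db8:1:2::/64' 123456 userID updatekey
```

Run it on the router or on any box with a POSIX sh; paste the henet stanza into /etc/config/network, add the ip6assign line to the existing lan section, and remove the ip6addr line from lan so the two mechanisms do not fight over the prefix.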
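Added example (not from the post): since the post is unsure whether the Step 1 rule and the Step 4 zone change leave the LAN protected once devices have global IPv6 addresses, this POSIX shell script audits an /etc/config/firewall for the three properties that matter here: any ACCEPT rule for ICMP from wan is pinned to a src_ip rather than open to every host, henet sits in the wan zone so tunnel traffic inherits that zone's policies, and the wan zone's input and forward policies are not ACCEPT. The two sample configs embedded below are constructed for the demo (192.0.2.10 is a placeholder for the HE ping source), and the option names follow the snippets in the post and stock OpenWRT.

```shell
#!/bin/sh
# Added example, not code from the forum post. Audits an OpenWrt-style
# /etc/config/firewall for the properties the HE tunnel setup relies on.

# Shared awk fragment: parses UCI stanzas into `type` and the o[] map and
# calls check() once per stanza; each audit below appends its own check()
# and verdict(). sq holds a single quote so quoted values can be stripped.
UCI_PARSE='
  function unquote(s) { gsub(sq, "", s); gsub(/"/, "", s); return s }
  function value(   v) { v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", v); return unquote(v) }
  function flush(   k) { if (type != "") check(); for (k in o) delete o[k]; type = "" }
  /^[ \t]*config[ \t]/ { flush(); type = unquote($2) }
  /^[ \t]*option[ \t]/ { o[unquote($2)] = value() }
  /^[ \t]*list[ \t]/   { o[unquote($2)] = o[unquote($2)] " " value() }
  END { flush(); exit verdict() }
'

# 0 if every rule that ACCEPTs ICMP from wan carries a src_ip, else 1.
icmp_rules_scoped() {
  awk -v sq="'" "$UCI_PARSE"'
  function check() {
    if (type == "rule" && o["src"] == "wan" && o["proto"] == "icmp" &&
        o["target"] == "ACCEPT" && o["src_ip"] == "") bad = 1
  }
  function verdict() { return bad ? 1 : 0 }'
}

# 0 if zone $1 lists network $2 (so $2 inherits that zone policy), else 1.
zone_has_network() {
  awk -v sq="'" -v zone="$1" -v net="$2" "$UCI_PARSE"'
  function check(   n, i, p) {
    if (type == "zone" && o["name"] == zone) {
      n = split(o["network"], p, /[ \t]+/)
      for (i = 1; i <= n; i++) if (p[i] == net) found = 1
    }
  }
  function verdict() { return found ? 0 : 1 }'
}

# 0 if zone $1 exists and neither its input nor forward policy is ACCEPT.
zone_policy_closed() {
  awk -v sq="'" -v zone="$1" "$UCI_PARSE"'
  function check() {
    if (type == "zone" && o["name"] == zone) {
      seen = 1
      if (o["input"] == "ACCEPT" || o["forward"] == "ACCEPT") bad = 1
    }
  }
  function verdict() { return (seen && !bad) ? 0 : 1 }'
}

# Run all three checks against the firewall file in $1; returns 1 on findings.
audit_firewall() {
  rc=0
  icmp_rules_scoped < "$1" || { echo "WARN: ICMP ACCEPT rule from wan has no src_ip (answers every host)"; rc=1; }
  zone_has_network wan henet < "$1" || { echo "WARN: henet is not in the wan zone, so it gets no wan input/forward policy"; rc=1; }
  zone_policy_closed wan < "$1" || { echo "WARN: wan zone missing or its input/forward policy is ACCEPT"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $1"
  return $rc
}

# Constructed sample: the post's setup done carefully.
GOOD_FW="config defaults
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option network 'wan henet'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'
    option src_ip '192.0.2.10'"

# Constructed sample: src_ip dropped, henet left out of the zone, forward open.
WEAK_FW="config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option forward 'ACCEPT'

config rule
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'"

# Demo: audit both samples from temp files.
good=$(mktemp); weak=$(mktemp)
printf '%s\n' "$GOOD_FW" > "$good"; printf '%s\n' "$WEAK_FW" > "$weak"
for f in "$good" "$weak"; do audit_firewall "$f" || true; done
rm -f "$good" "$weak"
```

On the router, run audit_firewall /etc/config/firewall after the Step 1 and Step 4 edits; the zone check is the one that matters most, because a henet interface that is in no zone falls outside the wan REJECT defaults entirely.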
-
Nice find. I too use he.net for ipv6. The '65' firmware removed ipv6 configuration according to Lars (at least from NutOS), so I'll have to give this a shot later.
btw, you can do the firewall stuff in the NUTS firewall GUI.
-
It would be great if we could get an RFE to have this put in the GUI. Using IPv6 makes Youtube and Netflix much more watchable on most ISPs because HE has better peering than the ISP.
-
One note, the tunnelbroker is sensitive to WAN IPv4 address changes, and there are options for setting up dyndns to inform HE when an IP address changes. I haven't explored this.
Coincidentally, I got my A+ to update my tunnelbroker IPv4 endpoint using the OpenWRT -> Services -> Dynamic DNS option. See my post here (http://forum.securifi.com/index.php?topic=1199.msg4924#msg4924)