Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Wednesday, 01 December 2010 21:18:32
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel from SixXS to get IPv6 connectivity
I was looking for information about configuring my router (originally Netgear WNDR3700) to support a static 6in4 tunnel from SixXS for IPv6 connectivity. The router is currently running OpenWrt Backfire 10.03.1-rc4, published in November 2010, the rc4 version of the forthcoming Backfire Interim Release 1.
The current OpenWrt Backfire 10.03.1-rc4 has an installable package for supporting 6in4 tunnels, which should make the process relatively easy. However, finding the exactly right configuration is not that easy. I found useful information on the internet, but it was scattered around and to some extent also outdated or incomplete. I am writing this article to summarize my findings and to list my configuration as an example for others trying to do the same.
Additionally, the rc4 version does not allow some of the required steps to be configured through the Luci GUI, so some tasks have to be done by editing configuration files manually.
Background assumptions: you have a "Static" 6in4 tunnel with a fixed tunnel endpoint from SixXS. You also have a subnet which is routed through that tunnel. You have also installed OpenWrt on the router.
Main steps in the process:
Configuring the tunnel
Configuring iptables to make sure that the tunnel stays up
Configuring IPv6 address autoconfiguration inside local LAN by using RADVD
Configuring ipv6 firewall - ip6tables
1) Configuring the tunnel
The main steps are explained pretty well in http://wiki.openwrt.org/doc/howto/ipv6 , which is mostly up-to-date. However, it does not discuss SixXS specific issues.
First you need to make sure that the IPv6 support modules and the 6in4 tunnel module have been installed either by using Luci GUI or by running the following command:
opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables 6in4
The file '/etc/config/network' needs to be manually edited to include a new interface for the tunnel that will be called 'sixxs':
config 'interface' 'sixxs'
option 'proto' '6in4'
option 'peeraddr' '62.78.96.38'
option 'ip6addr' '2001:14b8:XXXX:XXXX::2/64'
option 'ipaddr' '62.78.XXX.XXX'
(peeraddr is the remote PoP tunnel endpoint IPv4 address, ip6addr is the IPv6 tunnel endpoint address at your end, ipaddr is the router's IPv4 WAN address.)
Additionally, the IPv6 address in the local subnet is added to the router's LAN interface either through Luci (Network/Interfaces/LAN) or by editing the file '/etc/config/network' :
config 'interface' 'lan'
option 'ifname' 'eth0'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'defaultroute' '0'
option 'peerdns' '0'
option 'ip6addr' '2001:14b8:YYYY:YYYY::1/64'
(ip6addr is the router's IPv6 address in the new local subnet.)
The third step is to add the new 'sixxs' interface to the 'wan' zone of the firewall. Either use Luci (Network/Firewall/Zones) or edit '/etc/config/network' :
config 'zone'
option 'name' 'wan'
option 'network' 'wan sixxs'
The fourth task is to make sure that the following line in '/etc/sysctl.conf' is uncommented:
net.ipv6.conf.all.forwarding=1
2) Making sure that the tunnel stays up - iptables
SixXS pings the static tunnel every 30 minutes and the router needs to respond to that ping, otherwise the tunnel gets turned off. With the default iptables configuration, the router may forget the tunnel connection in the NAT table if there is no IPv6 traffic for a while. You have to make sure that the incoming IPv6 pings from SixXS get accepted even then.
The suggested entry in the SixXS FAQ does not work properly in the OpenWRT 10.03.1-rc4 ( https://www.sixxs.net/faq/connectivity/?faq=conntracking ).
Instead you need an iptables rule that makes the IPv4 firewall accept IPv6 traffic (protocol 41) from the PoP tunnel endpoint even if it is not related to existing connections. Good discussion e.g. here: https://www.sixxs.net/forum/?msg=setup-2860037
The following line needs to be added to file '/etc/firewall.user' :
iptables -I INPUT 1 -s <remote_ipv4_pop_endpoint_addr> -p 41 -j ACCEPT
In my case: iptables -I INPUT 1 -s 62.78.96.38 -p 41 -j ACCEPT
Alternatively, you can add an accept rule through Luci (Network/Firewall/Traffic Control): add there a new advanced rule (you need to add the additional field for the source IPv4 address and set custom protocol as 41).
3) Configuring IPv6 address autoconfiguration inside local LAN by using RADVD
As explained in http://wiki.openwrt.org/doc/howto/ipv6#radvd , the file '/etc/config/radvd' is edited to contain the prefix for the local IPv6 subnet. Key fields there:
config interface
option interface 'lan'
option ignore 0
config prefix
option interface 'lan'
option prefix '2001:14b8:YYYY:YYYY::/64'
option AdvOnLink 1
option AdvAutonomous 1
option AdvRouterAddr 0
option ignore 0
See also: https://www.sixxs.net/wiki/Aiccu/Installing_on_OpenWRT#Kamikaze_2
To make sure that RADVD gets started after the next reboot of the router, run the command:
/etc/init.d/radvd enable
You can also check from Luci (Services/Initscripts) that all services like RADVD are enabled, so that they are started automatically after reboots.
4) Configuring ipv6 firewall - ip6tables
Good overview in: https://www.sixxs.net/wiki/IPv6_Firewalling#Example_IPv6_firewall_script_.28with_state.29
Regarding ip6tables rules in the router, the key is to understand that the main configuration is related to the FORWARD chain that handles connectivity to clients in LAN, while INPUT and OUTPUT concern direct traffic to the router itself and remain mostly unused. INPUT and OUTPUT practically handle only the ICMPv6 traffic (at least the SixXS pings).
Note: although you named the tunnel interface as just 'sixxs', it got automatically prefixed with '6in4-', so the name to be used in ip6tables rules is '6in4-sixxs'.
The rules get set in file '/etc/firewall.user' that is edited manually.
The FORWARD rules should allow all traffic with existing connections, new connections from inside and then selected connections from outside.
I simplified the FORWARD rule regarding new connections from the version presented in Wiki (see below). Additionally my rules allow incoming packets to port 49001 to get accepted for forwarding to clients in local LAN.
Key part:
# Allow forwarding
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-sixxs -s 2001:14b8:YYYY:YYYY::/64 -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow MLDHT packets
ip6tables -A FORWARD -p tcp --dport 49001:49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001:49001 -j ACCEPT
(See the full '/etc/firewall.user' below.)
That is practically all the necessary steps to get a static 6in4 IPv6 tunnel from SixXS configured in OpenWrt Backfire 10.03.1-rc4.
Finally you need to reboot the router to get it to read the configuration in and to start the tunnel. You might first test connectivity from router's command prompt, e.g. just ping ipv6.google.com from there.
-------------------------
The full contents of '/etc/firewall.user' file:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
#allow incoming SixXS IPv6 traffic
iptables -A input_wan -s 62.78.96.38 -p 41 -j ACCEPT
# First, delete all:
ip6tables -F
# Allow ICMPv6 everywhere
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT
# Allow anything on the local loopback link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow anything out on the internet
ip6tables -A OUTPUT -o 6in4-sixxs -j ACCEPT
# Allow the localnet access us:
ip6tables -A INPUT -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT
# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
# Allow forwarding
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-sixxs -s 2001:14b8:119:ABAD::/64 -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow MLDHT packets
ip6tables -A FORWARD -p tcp --dport 49001:49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001:49001 -j ACCEPT
#drop privileged ports
ip6tables -A INPUT -p tcp --dport 1:1024 -j DROP
ip6tables -A INPUT -p udp --dport 1:1024 -j DROP
#log the activity that will get dropped (optional)
#ip6tables -A INPUT -j LOG
#ip6tables -A FORWARD -j LOG
#ip6tables -A OUTPUT -j LOG
# Set the default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
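As an added example (my own shell script, not part of the post above or of OpenWrt), here is a small audit that reads iptables-save / ip6tables-save output and checks the properties the firewall.user above is meant to establish: the protocol 41 accept from the PoP in the IPv4 filter, RH0 dropped in all three chains, DROP default policies, ICMPv6 accepted into the router, no blanket accept of inbound flows from the tunnel, and no rule written against the bare section name 'sixxs' instead of the real device '6in4-sixxs' that the note on interface naming warns about. The two dumps in the script are constructed from the file above in iptables-save syntax, not captured from a router, and one rule in the IPv6 dump deliberately uses the bare name so the interface check has something to flag. The PoP address is the one used throughout the post.

```shell
#!/bin/sh
# Added example (not from the post above): audit iptables-save/ip6tables-save
# output for the properties the post's firewall.user is meant to establish.
# Both dumps below are CONSTRUCTED from that file in iptables-save syntax,
# not captured from a router; V6_DUMP deliberately keeps a rule on the bare
# section name 'sixxs' so the interface-name check has something to flag.

POP_V4="62.78.96.38"      # PoP tunnel endpoint from the post
TUN_IF="6in4-sixxs"       # kernel device name of the 'sixxs' 6in4 section

V4_DUMP='*filter
:INPUT ACCEPT [0:0]
:input_wan - [0:0]
-A INPUT -i eth1 -j input_wan
-A input_wan -s 62.78.96.38/32 -p ipv6 -j ACCEPT
COMMIT'

V6_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -p tcp -m tcp --dport 1:1024 -j DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br-lan -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o sixxs -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
COMMIT'

# count REGEX DUMP: number of dump lines matching an extended regex.
count() { printf '%s\n' "$2" | grep -cE -e "$1" || true; }

# Protocol 41 from the PoP must be accepted without depending on conntrack,
# or the half-hourly PoP ping fails once the NAT entry has aged out.
# iptables-save writes '-p 41' as '-p ipv6'; accept either spelling.
check_proto41() {
  _pop=$(printf '%s' "$POP_V4" | sed 's/\./\\./g')
  [ "$(count "^-A (INPUT|input_wan) -s $_pop(/32)? -p (41|ipv6) -j ACCEPT" "$V4_DUMP")" -ge 1 ]
}

# Type-0 routing headers must be dropped in INPUT, FORWARD and OUTPUT.
check_rh0() {
  [ "$(count '^-A (INPUT|FORWARD|OUTPUT) -m rt --rt-type 0 -j DROP' "$V6_DUMP")" -eq 3 ]
}

# Default policy DROP on all three built-in chains.
check_policies() {
  [ "$(count '^:(INPUT|FORWARD|OUTPUT) DROP ' "$V6_DUMP")" -eq 3 ]
}

# ICMPv6 into the router (PoP echo requests, neighbour discovery).
check_icmpv6() {
  [ "$(count '^-A INPUT -p (icmpv6|ipv6-icmp) -j ACCEPT' "$V6_DUMP")" -ge 1 ]
}

# The tunnel device is '6in4-sixxs'; a rule on the bare name 'sixxs' matches
# nothing and silently leaves that traffic to the default policy.
check_ifnames() {
  [ "$(count '(-i|-o) sixxs( |$)' "$V6_DUMP")" -eq 0 ]
}

# No blanket accept of inbound flows from the tunnel into the LAN.
check_wide_forward() {
  [ "$(count "^-A FORWARD -i $TUN_IF -j ACCEPT" "$V6_DUMP")" -eq 0 ]
}

# Run every check, print one line per result, return the failure count.
audit() {
  _fails=0
  for _c in check_proto41 check_rh0 check_policies check_icmpv6 \
            check_ifnames check_wide_forward; do
    if $_c; then echo "ok   $_c"; else echo "FAIL $_c"; _fails=$((_fails + 1)); fi
  done
  return $_fails
}

audit || echo "tunnel audit: $? check(s) failed"
```

On the router itself, replace the constructed dumps with live output, e.g. `V4_DUMP=$(iptables-save -t filter)` and `V6_DUMP=$(ip6tables-save -t filter)`, and run the script after every firewall restart; the constructed IPv6 dump above fails exactly one check, check_ifnames, because of the '-o sixxs' rule.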
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Wednesday, 12 January 2011 15:43:38
Thank you very much for this awesome howto.
Worked perfectly fine.
just one question, why did uncomment:
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-sixxs -s 2001:14b8:119:ABAD::/64 -j ACCEPT
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Thursday, 13 January 2011 00:19:00
Because it is encompassed by the more general rule in the following line.
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Thursday, 13 January 2011 00:21:56
#drop privileged ports
ip6tables -A INPUT -p tcp --dport 1:1024 -j DROP
ip6tables -A INPUT -p udp --dport 1:1024 -j DROP
^^^^^
I think it should read 'OUTPUT' in the second rule
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Thursday, 13 January 2011 00:23:13
Sorry, just forget the OP
Configuring OpenWrt Backfire 10.03.1-rc4 for a static tunnel
Shadow Hawkins on Tuesday, 08 February 2011 21:33:33
Backfire got switched to the dual-stack firewall v2 with SVN r25353, and that firewall seems to have decent ip6tables rules in place already in the default config. The need for additional rules has decreased quite a lot. Practically the only rules needed in /etc/firewall.user are the ones keeping the tunnel up and those allowing selected ports to get forwarded. (This firewall has already been in Kamikaze/trunk for some time, but now the Backfire branch got it too.)
Example rules for current dual-stack Firewall v2, where the correct place to put own rules allowing forwarding seems to be the sub-chain 'forwarding_rule', part of the FORWARD structure:
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
## Allow incoming SixXS IPv6 traffic from tunnel PoP in IPv4 firewall
iptables -A input_wan -s 62.78.96.38 -p 41 -j ACCEPT
# Filter all packets that have RH0 headers: (recommended rule)
ip6tables -I INPUT 2 -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD 2 -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT 2 -m rt --rt-type 0 -j DROP
## Example: allow packets to port 113 to get forwarded
ip6tables -A forwarding_rule -p tcp --dport 113:113 -j ACCEPT
ip6tables -A forwarding_rule -p udp --dport 113:113 -j ACCEPT