I don't mean to hijack this thread, but I see there are a lot of IPv6 concepts here that I didn't find anywhere on this forum or the wiki.
I'm very new to the whole IPv6 world and I'm trying to set up mine.
What I know so far is that if I plug my modem directly into my computer I get IPv6 and IPv4, but I don't know the prefix length, so my first question is:
1- How do I discover the prefix length?
I'm running build "BS 30880 big" on my RT-N16. If I select "DHCPv6 with Prefix Delegation" in "Setup->IPv6" I do get an IPv6 address like this one: 2804:7f1:2080:4536:200:ff:fe00:0, but on ipv6-test.com I get "Not supported".
I'm using PPPoE.
2- I would like to leave my LAN on IPv4. Do I need IPv6 on the LAN to make IPv6 work on the tests?
Let me know if I can provide any other useful information, thanks!
Issues I had:
1) Modem provided by TWC didn't support IPv6
2) TWC DNS doesn't support IPv6
3) TWC Tech Support gave conflicting info
Working now without my router after swapping the modem and using Google DNS 2001:4860:4860::8888, 2001:4860:4860::8844
Switched the IPv4 also to 8.8.8.8, 8.8.4.4
Now I'll put the router back in the loop.
You need both running (at least initially) to pass the IPv6 test without a warning about not having IPv4. I think the custom thing "Halfbit" is doing might have the intent of keeping the channels separate?
Google has a NAT64 gateway thing that I believe is intended for IPv6-only users.
The prefix is still somewhat unclear, although one of the TWC techs finally read something about 56 or 64 working, so...
If you're referring to my configuration and the references to br0 and br1, that is to separate networks. Bridge br0 is my network, br1 is my guest network. Both have SSIDs on the 2.4G and 5G bands, and the router's switch is still tied to br0, which is the default.
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
Where to start... My ISP & VPN providers don't support IPv6 as of yet and I haven't run into any limitation with IPv4 either. But IPv6 is the future and I wanted to get access to it. The past couple of weeks were a steep learning curve with a lot of reading and trial and error to get IPv6 working on my network the way I wanted it, and it works great. Many thanks to JAMESMTL and many others for posting examples, but the information was all over the place and I just want to post my working configuration that may help others. This configuration is for FOUR bridges br0, br1, br2 & br3 with assigned interfaces; modify it to your liking. I don't understand all of it but it works.
I selected HE Tunnel Broker for my IPv6 services.
I didn't want to experiment with my working two-R7000 configuration and set up a dedicated R7000 (now an E2000) to experiment with IPv6.
This configuration will give 4 networks access to IPv6, and the build used on the R7000 is Kong's 31870.
You need a registered account with HE Tunnel Broker at https://tunnelbroker.net/ Once you are registered you are automatically given a /64 prefix, which is good for one interface, but in your account tunnel details you can assign yourself a /48 prefix to give many interfaces IPv6 access.
1) In the Assigned / Routed Prefix in the DD-WRT IPv6 GUI it assigns your br0 IPv6 address space so use 2001:470:CCCC:1:: and leave the Prefix Length at 64.
2) Disable the Radvd, I will be using DNSMasq in this configuration.
Now, in the "Additional DNSMasq Options", configure the IPv6 settings. I remarked out quiet-dhcp6 to see the messages in the syslog...
The firewall script I used; just change it to use your assigned /48 prefix ...
Code:
# HE-IPv6 Firewall Script
#
# IPv6 GUI only sets up br0, Load missing brX routes
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:CCCC:3::/64 dev br2
ip addr add 2001:470:CCCC:4::/64 dev br3
#
# Use OpenDNS IPv6 DNS Servers
echo "nameserver 2620:0:ccc::2" > /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE Tunnel Server PING
iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 Configuration
ip6tables -I INPUT 5 -i br3 -j ACCEPT
ip6tables -I INPUT 5 -i br2 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
Having a dedicated R7000 for only IPv6 services was not CPU intensive at all. So I switched it for a Linksys E2000 with build K3.X BS 31899 with the same configuration. The dedicated E2000 is working fine to service IPv6 for all 4 networks.
UPDATE...
I was doing some IPv6 tunnel speed tests and the E2000 was very limited; even overclocked to 400 MHz it would max out at 26 Mbit/s. I reinstated the 3rd R7000 in the network for IPv6 tunnel services, and it maxes out my 150 Mbit/s ISP with only about 50% CPU usage.
UPDATE...
Changes JAMESMTL recommended, tested and working. TIA!!
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sat May 27, 2017 3:41 Post subject:
@mac913
The configuration of dhcp6c for a 6in4 tunnel is irrelevant and honestly dhcp6c options in the GUI should be disabled when 6in4 is selected.
dhcp6c is a dhcpv6 / dhcpv6-pd client whose sole purpose is to obtain an ipv6 address and / or prefixes from an upstream dhcpv6(-pd) server and assign addresses to local interfaces.
As you don't have any upstream dhcpv6 providers, running dhcp6c will needlessly send solicits which will never be replied to.
On a side note, pushing external ipv6 dns servers, e.g. dhcp-option=br1,option6:dns-server,[2620:0:ccc::2],[2620:0:ccd::2], defeats running a caching dns forwarder on those interfaces. Ideally dnsmasq would forward all ipv4 / ipv6 dns upstream and cache the results locally for best performance.
Is there a firewall rule that will direct all IPv6 DNS inquiries to the router and its nameservers, so users don't use their preferred IPv6 DNS servers on my network?
Posted: Wed May 31, 2017 19:43 Post subject:
You could use the same logic as ipv4 and use -j DNAT or REDIRECT depending on your desired outcome. On my linux boxes I use the following, which redirects only if the origin prefix is part of a predefined ipset:
ip6tables -t nat -A PREROUTING -p udp --dport 53 -m set --match-set DNS-LOCAL-V6 src -j REDIRECT --to-port 53
The problem you're going to run into with ddwrt is that I doubt the required modules are loaded or even included in the distro. They may be available via kong's repo.
Looking quickly at my setup, I believe the required modules are ip6table_nat + nf_nat_ipv6.
Unfortunately I don't have access to any of my ddwrt routers to look into it at the moment, nor will I have the time for a while to even play around with it, but at least you have a starting point for your research.
Kernel version of ip6tables is v1.3.7
OPKG version of /opt/usr/sbin/ip6tables is v1.4.21
I tried running these commands without any luck.
root@HE-IPv6:~# ip6tables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --destination ::1
ip6tables v1.3.7: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
root@HE-IPv6:~# /opt/usr/sbin/ip6tables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to-destination ::1
ip6tables v1.4.21: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Posted: Thu Jun 01, 2017 5:43 Post subject:
Hmmm, not sure what was installed from ip6tables-mod-nat, but I only see ip6table_filter & ip6table_mangle, so only those chains are available. If you browse through /opt, is there a log or something that shows ip6tables-mod-nat actually installed?
Best bet would be for kong to add it directly to the distro, as nf_nat_ipv6 is already included in the base distro.
***edit: sent Kong a PM, let's see what he says about adding it to the base distro
Since Kong's Build 31870M (K4.4.61) can't do NAT with IP6TABLES, I took a different approach...
I enabled Encrypt DNS with resolver Cisco OpenDNS over IPv6, which uses port 30.
I added without quotes "server=::1#30" to the DNSMasq Options and the following ip6tables rules in the firewall...
# Drop all IPv6 DNS Requests on port 53
ip6tables -I FORWARD -p tcp --dport 53 -j DROP
ip6tables -I FORWARD -p udp --dport 53 -j DROP
On 2 OSes (Windows & Ubuntu) I manually set up the IPv6 DNS to 2001:4860:4860::8888 and 2001:4860:4860::8844 in the network adapters.
Checked a website that is blocked on OpenDNS but not on Google and I received an OpenDNS webpage saying that the site was blocked.
UPDATE (in Bold): I added 2 lines of code to view the DNS cache via the CLI command...
cat /tmp/DNSCache.log
Viewing the DNSMasq cache showed me there wasn't any cached DNS. Changing the DNSv6 server for all BRs from [::1] to [::] caused the DNS caching to work.
Updated Scripts....
# -- HE IPv6 DNSMasq --
#
# Log the results of DNS queries with EXTRAs
log-queries=extra
# Best to store DNS Cache in file for viewing
log-facility=/tmp/DNSCache.log
# IPv6 DNS Crypt Resolver
server=::1#30
# Reject & Log addresses from upstream nameservers which are in the private IP ranges
stop-dns-rebind
# Increase local DNS queries
cache-size=5000
# IPv6 and RA configuration
enable-ra
# Listen to br0 with follow services
interface=br0
ra-param=br0,60,1800
dhcp-range=br0,::1000,::FFFF,constructor:br0,ra-stateless,ra-names,4h
dhcp-option=br0,option6:dns-server,[::]
dhcp-option=br0,option6:ntp-server,[2001:470:0:50::2]
# Listen to br1 with follow services
interface=br1
ra-param=br1,60,1800
dhcp-range=br1,::1000,::FFFF,constructor:br1,ra-stateless,ra-names,4h
dhcp-option=br1,option6:dns-server,[::]
dhcp-option=br1,option6:ntp-server,[2001:470:0:50::2]
# Listen to br2 with follow services
interface=br2
ra-param=br2,60,1800
dhcp-range=br2,::1000,::FFFF,constructor:br2,ra-stateless,ra-names,4h
dhcp-option=br2,option6:dns-server,[::]
dhcp-option=br2,option6:ntp-server,[2001:470:0:50::2]
# Listen to br3 with follow services
interface=br3
ra-param=br3,60,1800
dhcp-range=br3,::1000,::FFFF,constructor:br3,ra-stateless,ra-names,4h
dhcp-option=br3,option6:dns-server,[::]
dhcp-option=br3,option6:ntp-server,[2001:470:0:50::2]
# Don't fill syslog
quiet-ra
quiet-dhcp
#quiet-dhcp6
# HE-IPv6 Firewall Script
#
# IPv6 GUI only sets up br0, Load missing brX routes
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:CCCC:3::/64 dev br2
ip addr add 2001:470:CCCC:4::/64 dev br3
#
# Use OpenDNS IPv6 DNS Servers
echo "nameserver 2620:0:ccc::2" > /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE Tunnel Server PING
iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 Configuration
ip6tables -I INPUT 5 -i br3 -j ACCEPT
ip6tables -I INPUT 5 -i br2 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
#
# Force users to use encrypted DNS by blocking port 53
ip6tables -I FORWARD -p tcp --dport 53 -j DROP
ip6tables -I FORWARD -p udp --dport 53 -j DROP
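As an added example (not code from the thread, DD-WRT or dnsmasq), a small Python checker that cross-reads the "Additional DNSMasq Options" and the firewall script mac913 posted above. It assumes the routed /48 is 2001:470:CCCC::/48 as in his script and that br0 is handled by the IPv6 GUI; the two inputs are constructed copies carrying the faults the thread ran into (a [::1] dns-server, a bridge address outside the /48, a missing INPUT accept and a missing tcp/53 drop).

```python
# Added example (not from the thread): cross-check the "Additional DNSMasq
# Options" against the firewall script. Inputs are constructed, with faults.
import ipaddress
import re
ROUTED_48 = "2001:470:CCCC::/48"  # assumed: the routed /48 from tunnelbroker.net

DNSMASQ_CONF = """\
enable-ra
interface=br0
dhcp-option=br0,option6:dns-server,[::]
interface=br1
dhcp-option=br1,option6:dns-server,[::1]
interface=br2
dhcp-option=br2,option6:dns-server,[::]
"""
FIREWALL_SH = """\
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:DDDD:3::/64 dev br2
ip6tables -I INPUT 5 -i br1 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
ip6tables -I FORWARD -p udp --dport 53 -j DROP
"""

def check_config(conf, script, routed_48, gui_bridge="br0"):
    """Return sorted findings; an empty list means the two files agree."""
    findings = []
    routed = ipaddress.IPv6Network(routed_48)
    bridges = re.findall(r"^interface=(\S+)", conf, re.M)
    addrs = {dev: net for net, dev in
             re.findall(r"^ip addr add (\S+) dev (\S+)", script, re.M)}
    accepted = set(re.findall(r"^ip6tables -I INPUT \d+ -i (\S+) -j ACCEPT", script, re.M))
    dropped = set(re.findall(r"^ip6tables -I FORWARD -p (tcp|udp) --dport 53 -j DROP", script, re.M))
    for br in bridges:
        if br != gui_bridge:  # the IPv6 GUI only sets up br0; the script must cover the rest
            if br not in addrs:
                findings.append(f"{br}: no 'ip addr add' line for this bridge")
            else:
                net = ipaddress.IPv6Network(addrs[br], strict=False)
                if net.prefixlen != 64 or not net.subnet_of(routed):
                    findings.append(f"{br}: {addrs[br]} is not a /64 inside {routed}")
            if br not in accepted and "br+" not in accepted:
                findings.append(f"{br}: no ip6tables INPUT ACCEPT for this bridge")
        dns = re.search(rf"^dhcp-option={br},option6:dns-server,\[([^\]]*)\]", conf, re.M)
        value = f"[{dns.group(1)}]" if dns else "missing"
        if value != "[::]":  # dnsmasq swaps [::] for the router's own address on that bridge
            findings.append(f"{br}: option6:dns-server is {value}, should be [::]")
    for proto in ("tcp", "udp"):
        if proto not in dropped:
            findings.append(f"FORWARD: no DROP for {proto}/53, clients can bypass the local resolver")
    return sorted(findings)
```

Run it against your own two files after each edit; a clean config returns an empty list.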