R7000 and IPv6

garyd9
DD-WRT Novice


Joined: 10 Aug 2014
Posts: 28

Posted: Tue Aug 12, 2014 0:16
JAMESMTL wrote:
Try custom dhcp6c...
Okay, this worked (I think.) At least ifconfig is showing a /60 global scope address on the br0 device.

Now, I just need to figure out what to do with it. I should probably also spend a few days with my friend Google and get up to speed on dhcp6c, dhcp6s and radvd.

(Aren't radvd and dhcp6s mutually exclusive?)

So much research to do... so little free time to do it in.

One quick question: On the dd-wrt web interface, on the ipv6 page, when "DHCPv6 with PD" is selected as the type, there's an edit box for the "prefix length." Where or what is the value entered used for?

Take care and thank you
Gary
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Aug 12, 2014 6:18
garyd9 wrote:
JAMESMTL wrote:
Try custom dhcp6c...
Okay, this worked (I think.) At least ifconfig is showing a /60 global scope address on the br0 device.

Now, I just need to figure out what to do with it. I should probably also spend a few days with my friend Google and get up to speed on dhcp6c, dhcp6s and radvd.

(Aren't radvd and dhcp6s mutually exclusive?)

So much research to do... so little free time to do it in.

One quick question: On the dd-wrt web interface, on the ipv6 page, when "DHCPv6 with PD" is selected as the type, there's an edit box for the "prefix length." Where or what is the value entered used for?

Take care and thank you
Gary


Actually if you used the custom config I posted as is you should have a /64 on br0 and another on wl0.1 and not a /60. Normally you would only use a /64 on br0, not a /60.

No, radvd and dhcp6s (dhcpv6 server) are not exclusive. radvd is required to advertise the default path to the clients on the network. In addition it tells those clients:

A) if there is a dhcpv6 server providing other information such as dns servers, ntp, etc
B) if there is a dhcpv6 server managing the address space (address reservation and non-reserved addresses) - Stateful addresses. Meaning they come from the server
C) if the clients are to use SLAAC - stateless. Meaning they come from the client
D) which recursive dns servers the clients are to use. (Works for Apple products but not supported by Windows)

Radvd is generally required for proper ipv6 operation

Dhcp6s provides as mentioned above stateful address along with dns servers etc.

If you had ipv6 servers or devices for which you wanted fixed address reservation you would need to use dhcp6s to manage them. Dhcp6s is only generally required if you want or need those additional services.

I believe the intent of the prefix box in the webif is to request prefix sizes greater than 64. As ipv6 is a work in progress not everything is fully functional at this time.

nitrus has been testing dhcp6c with comcast and could probably give you a better idea of exactly what is presently working with comcast via dhcp-pd. I only test dhcp-pd in a closed environment and have not put the latest version through its paces. I use 6rd and 6in4.
garyd9
DD-WRT Novice


Joined: 10 Aug 2014
Posts: 28

Posted: Tue Aug 12, 2014 16:46
JAMESMTL wrote:
Actually if you used the custom config I posted as is you should have a /64 on br0 and another on wl0.1 and not a /60. Normally you would only use a /64 on br0, not a /60.
I didn't use it quite as-is. I just took the default dhcp6c config from /tmp and inserted the prefix suggestion, and that worked to get comcast to assign a /60. I'm still not entirely sure what I'm doing, so I'm basically just trying things here and there to better understand stuff.

JAMESMTL wrote:
No radvd and dhcp6s (dhcpv6 server) are not exclusive.
I'm starting to figure this all out. Not getting it all working the way I want, but I'm learning... radvd is a router announcement daemon. dhcp6s is a full DHCPv6 server.

JAMESMTL wrote:
I believe the intent of the prefix box in the webif is to request prefix sizes greater than 64. As ipv6 is a work in progress not everything is fully functional at this time.
okay, so eventually that will probably be used to do exactly what I used a custom config for. That's good to know.

Thank you again for your help.

Gary
rolfl
DD-WRT Novice


Joined: 01 Aug 2010
Posts: 47

Posted: Tue Aug 12, 2014 17:57
Is it possible to have hostnames with global-IPv6 addresses added to dnsmasq server?
Using either radvd and/or dhcp6s?
NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Tue Aug 12, 2014 18:03
garyd9 wrote:
JAMESMTL wrote:
Actually if you used the custom config I posted as is you should have a /64 on br0 and another on wl0.1 and not a /60. Normally you would only use a /64 on br0, not a /60.
I didn't use it quite as-is. I just took the default dhcp6c config from /tmp and inserted the prefix suggestion, and that worked to get comcast to assign a /60. I'm still not entirely sure what I'm doing, so I'm basically just trying things here and there to better understand stuff.

JAMESMTL wrote:
No radvd and dhcp6s (dhcpv6 server) are not exclusive.
I'm starting to figure this all out. Not getting it all working the way I want, but I'm learning... radvd is a router announcement daemon. dhcp6s is a full DHCPv6 server.

JAMESMTL wrote:
I believe the intent of the prefix box in the webif is to request prefix sizes greater than 64. As ipv6 is a work in progress not everything is fully functional at this time.
okay, so eventually that will probably be used to do exactly what I used a custom config for. That's good to know.

Thank you again for your help.

Gary


Gary, I have dhcp6-pd working with 2 guest networks (br0/wl0.1/wl1.1)... PM me if you have any questions.

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134

garyd9
DD-WRT Novice


Joined: 10 Aug 2014
Posts: 28

Posted: Tue Aug 12, 2014 18:13
NiTrus wrote:
Gary, I have dhcp6-pd working with 2 guest networks (br0/wl0.1/wl1.1)... PM me if you have any questions.
I appreciate the offer. I don't suppose you have a Windows AD in the mix, do you?

I happen to have a windows small business server 2011 machine in my home, and I've decided that Windows DHCP Server doesn't work well with dynamically allocated IP addresses. It wasn't much of an issue with IPv4, as the "internal" network always uses dummy IP's. (192.168.x.x)

With IPv6 and global addressing, it's a very different story. Unless I can convince comcast to give a "home user" a static prefix, I guess I need to keep using stateless for the global addressing.

Sadly, dynamic addresses made perfectly good sense with the limited IPv4 pool. With IPv6, Comcast could give every person (including newborn babies) in the entire US their own private 60 bit prefix and still not even scratch the surface of their pool.

On the other hand, I'm currently having a blast playing with DD-WRT in general. I just managed to get RADIUS running on my AD server, and now have a couple of virtual adapters authenticating against it. I still haven't managed to get the PPTP server to auth against the AD radius, but I'm working on it. Oh, and just to keep this paragraph on-topic: the PPTP server doesn't assign IPv6 addresses.

Take care
Gary
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Aug 12, 2014 21:30
rolfl wrote:
Is it possible to have hostnames with global-IPv6 addresses added to dnsmasq server?
Using either radvd and/or dhcp6s?


As radvd is an RA it has absolutely no idea of client addresses since each client creates their own address. dhcp6s is a dhcpv6 server and can be used to assign specific addresses to devices but does not respond to dns queries.

You can add ipv6 global addresses to dns queries via dnsmasq by adding the following commands to the dnsmasq options box in webif or appending them to /tmp/dnsmasq.conf and restarting the service via scripting. One line per address:

address=/device name/deviceaddress

Ex : address=/iphone/2001:DB8::1000

Now this will only be useful if you have static prefixes and use either static device configuration or ipv6 address reservations via dhcp6s. If your ipv6 is either dhcp-pd or 6rd the prefix is dynamic so adding these dns lookups to dnsmasq would become useless on every prefix change.

Kong has not yet implemented dynamic prefix ipv6 reservations in dhcp6s via webif.

Creating dynamic dhcpv6 reservations and appending that information to dnsmasq can be achieved via script. See attached sample script. Note to use this script you will need to create a config file containing the duids for each device reservation. This test version of the script does not support sequential ipv6 addresses.

On a side note it looks like Kong has recently implemented the ipv6 version of dnsmasq:

dnsmasq -v
Dnsmasq version 2.45 Copyright (C) 2000-2008 Simon Kelley
Compile time options IPv6 GNU-getopt no-RTC no-ISC-leasefile no-DBus no-I18N no-TFTP

The ipv6 version can be used as both an RA and dhcpv6 server replacing both radvd and dhcp6s. I haven't had a chance to play with its ipv6 functionality but will do so soon.



Attachment: dhcp6s-br0-server.ipup.txt (3.1 KB)

kiwiis
DD-WRT Novice


Joined: 09 Aug 2014
Posts: 11

Posted: Tue Aug 12, 2014 23:48
2.45 is unfortunately still a really old version of dnsmasq and missing things such as DNSSEC validation/caching:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Aug 12, 2014 23:58
kiwiis wrote:
2.45 is unfortunately still a really old version of dnsmasq and missing things such as DNSSEC validation/caching:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html


The current version is available via repo
kiwiis
DD-WRT Novice


Joined: 09 Aug 2014
Posts: 11

Posted: Wed Aug 13, 2014 5:40
JAMESMTL wrote:
kiwiis wrote:
2.45 is unfortunately still a really old version of dnsmasq and missing things such as DNSSEC validation/caching:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html


The current version is available via repo


Does it overwrite/replace the one used by the webif? Or do you basically get two separate installations and have to disable the webif dnsmasq?
DaveTheNerd
DD-WRT User


Joined: 15 Jul 2008
Posts: 317

Posted: Wed Aug 13, 2014 7:13    Post subject: Firewall vs. Port Forwarding with IPv6
As we migrate to IPv6 there will still be a need for external access to services (media server, maybe file sharing, etc). With IPv4 we do this with static internal addresses (or assignments) and port forwarding. And as much as we hate that we have to do port forwarding, this works... for the most part.

With IPv6 and every device having its own 'real' IP address we don't need port forwarding, of course, but we do need to be able to open up those specific ports on the firewall to let people in to use those services on specific devices... And we also need/want to be able to have some consistency in the addresses we use.

Obviously Kong/DD-WRT-in-general hasn't built any of this "open port [x] for IP [y]" into the webif yet, but I'm sure we can do it with ip6tables (and eventually the webif). But what I'm more concerned about is the changing prefix I hear about. If the prefix is constantly changing via DHCPv6-PD, then that makes things like this very difficult. Even if we were to use a dynamic IP provider for our IPv6 machines, wouldn't the firewall still have to be reconfigured each time the prefix changes? Or am I misunderstanding everything?
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed Aug 13, 2014 7:27
kiwiis wrote:
JAMESMTL wrote:
kiwiis wrote:
2.45 is unfortunately still a really old version of dnsmasq and missing things such as DNSSEC validation/caching:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html


The current version is available via repo


Does it overwrite/replace the one used by the webif? Or do you basically get two separate installations and have to disable the webif dnsmasq?


You get two separate versions of dnsmasq.

What I did in limited testing was to copy the files /tmp/dnsmasq.conf and /tmp/resolv.dnsmasq to my /jffs/etc/config dir. I then edited dnsmasq.conf to point to the new resolv file.

Once that was done I created a script to start dnsmasq via
/opt/usr/sbin/dnsmasq --conf-file=/jffs/etc/config/dnsmasq.conf

Then I disabled anything related to dnsmasq on the setup and services pages. This is very important as there is a keep alive function which will kill the repo version and start the included version.

Everything seems to work fine for my uses, which are basically ipv6 testing; I can't guarantee it will for yours.

Here are the compile options for the ipv6 version I installed. I have no idea what the regular version compile options are.

dnsmasq -v
Dnsmasq version 2.71 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC


JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed Aug 13, 2014 8:02
DaveTheNerd wrote:
As we migrate to IPv6 there will still be a need for external access to services (media server, maybe file sharing, etc). With IPv4 we do this with static internal addresses (or assignments) and port forwarding. And as much as we hate that we have to do port forwarding, this works... for the most part.

With IPv6 and every device having its own 'real' IP address we don't need port forwarding, of course, but we do need to be able to open up those specific ports on the firewall to let people in to use those services on specific devices... And we also need/want to be able to have some consistency in the addresses we use.

Obviously Kong/DD-WRT-in-general hasn't built any of this "open port [x] for IP [y]" into the webif yet, but I'm sure we can do it with ip6tables (and eventually the webif). But what I'm more concerned about is the changing prefix I hear about. If the prefix is constantly changing via DHCPv6-PD, then that makes things like this very difficult. Even if we were to use a dynamic IP provider for our IPv6 machines, wouldn't the firewall still have to be reconfigured each time the prefix changes? Or am I misunderstanding everything?


It's not that complicated an issue. As far as opening the ports it's a simple ip6tables command along the lines of

ip6tables -A FORWARD -d 2001:DB8::1000 -p tcp --dport 80 -j ACCEPT

Now to make it work with dynamic prefixes I use a script which parses a config file which then creates the appropriate dhcp6s.conf where the hosts and their reserved addresses are appended to the prefix found on br0. This way webserver X will always be assigned an address of AAAA:AAAA::1000 where AAAA:AAAA is the current prefix.

I use a slightly different ipv6 hosts file than the one in my dhcp6s script found earlier in this thread. This version includes an extra field for the open port number. I then have a firewall script parse the same file and dynamically create the ip6tables rule set.

Last of all that config file is parsed a third time to do per host ddns entries. www.myhost.com will always point to AAAA:AAAA::1000 and the firewall will permit that traffic.

Kong has implemented dhcp6s in the webif and there is a section for reserved hosts. At this time it will only work with static prefixes but he is aware of the issue and I believe it will be addressed at some point in the future. Honestly I feel 6rd, 6to4, etc support is more important at this time so that all client types are available but he's the dev and will do what is best for ddwrt at large. Not to mention there are plenty of other issues other than ipv6.

Kong has recently adjusted the startup order to ensure that the firewall commands run after ipv6 is assigned via webif, so there is nothing stopping anyone from using a script to address the firewall rules for dynamic prefixes or to do ipv6 ddns.

So basically all the tools needed to do what you mention are available now. Some webif support will follow. To what degree only kong knows for sure.

For dhcp-pd if your ISP respects the infinity prefix lifetime argument, then the assigned prefix should not change. Nitrus has had the same prefix with comcast since /60 has been supported.
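The workflow JAMESMTL describes in this post and in his earlier dnsmasq reply (one hosts file, parsed once for dhcp6s reservations, once for dnsmasq address= records and once for ip6tables rules, all re-stamped with whatever /64 is currently on br0) as an added example; this is my own sketch, not his attached script. The config format, the sample DUIDs and suffixes, the dhcp6s.conf host stanza syntax and the ifconfig parsing in the final comment are assumptions.

```shell
#!/bin/sh
# Added example (not JAMESMTL's script): derive the /64 prefix currently on
# br0 and stamp it onto fixed per-host suffixes read from one config file,
# emitting (1) dhcp6s host reservations, (2) dnsmasq address= records and
# (3) ip6tables FORWARD rules. Output is only printed here so it can be
# reviewed; on the router it would be written to dhcp6s.conf/dnsmasq.conf
# and applied with ip6tables each time the delegated prefix changes.

# Assumed config format, one host per line:
#   name|DUID|address suffix|comma-separated TCP ports to open (may be empty)
# Constructed sample entries; DUIDs and suffixes are placeholders.
HOSTS_CFG='webserver|00:01:00:01:1a:2b:3c:4d:00:11:22:33:44:55|::1000|80,443
iphone|00:01:00:01:5e:6f:70:81:66:77:88:99:aa:bb|::2000|'

# "2601:444:1234:5670:1234:56ff:fe78:9abc/64" -> "2601:444:1234:5670".
# Pads with zeros when "::" swallows part of the first four groups,
# e.g. "2001:db8::1/64" -> "2001:db8:0:0".
prefix_from_addr() {
    printf '%s\n' "${1%%/*}" | awk -F'::' '{
        n = split($1, g, ":")
        for (i = n + 1; i <= 4; i++) g[i] = "0"
        printf "%s:%s:%s:%s\n", g[1], g[2], g[3], g[4]
    }'
}

# Iterate over HOSTS_CFG, calling "$1 name duid address ports" per host.
each_host() {
    cb=$1; pfx=$2
    printf '%s\n' "$HOSTS_CFG" | while IFS='|' read -r name duid suffix ports; do
        [ -n "$name" ] || continue
        "$cb" "$name" "$duid" "$pfx$suffix" "$ports"
    done
}

# (1) dhcp6s.conf host stanza (WIDE-DHCPv6 syntax as I understand it; assumed).
dhcp6s_stanza() {
    printf 'host %s {\n\tduid %s;\n\taddress %s infinity;\n};\n' "$1" "$2" "$3"
}
# (2) dnsmasq record, same form as the address=/iphone/... line in the thread.
dnsmasq_record() { printf 'address=/%s/%s\n' "$1" "$3"; }
# (3) one ip6tables FORWARD accept per listed port, same shape as the rule above.
ip6tables_rules() {
    [ -n "$4" ] || return 0
    printf '%s\n' "$4" | tr ',' '\n' | while read -r port; do
        printf 'ip6tables -A FORWARD -d %s -p tcp --dport %s -j ACCEPT\n' "$3" "$port"
    done
}

gen_dhcp6s()    { each_host dhcp6s_stanza "$1"; }
gen_dnsmasq()   { each_host dnsmasq_record "$1"; }
gen_ip6tables() { each_host ip6tables_rules "$1"; }

# Demo with a constructed br0 address. On DD-WRT the live value would come from
# something like: ifconfig br0 | awk '/inet6 addr:.*Scope:Global/ {print $3; exit}'
PREFIX=$(prefix_from_addr "2601:444:1234:5670:1234:56ff:fe78:9abc/64")
gen_dhcp6s "$PREFIX"
gen_dnsmasq "$PREFIX"
gen_ip6tables "$PREFIX"
```

Because every rule and record is regenerated from the suffix plus the live prefix, a prefix change only requires re-running the script from the firewall/ipup hook rather than editing anything by hand.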
garyd9
DD-WRT Novice


Joined: 10 Aug 2014
Posts: 28

Posted: Wed Aug 13, 2014 13:16    Post subject: Re: Firewall vs. Port Forwarding with IPv6
DaveTheNerd wrote:
But what I'm more concerned about is the changing prefix I hear about. If the prefix is constantly changing via DHCPv6-PD, then that makes things like this very difficult. Even if we were to use a dynamic IP provider for our IPv6 machines, wouldn't the firewall still have to be reconfigured each time the prefix changes? Or am I misunderstanding everything?
From the outside looking in (from global to router and internal LAN), getting dynamic prefixes would be little different than a dynamic IPv4 address. You have to use some type of provider that updates it.

For the more internal issue (firewall), it shouldn't be too difficult once we get over the hurdles. In fact, the problems to be solved are probably easier than the ones long ago solved with single dynamic IPv4 using IP Masquerading (NAT) and port forwarding.

The most brute force approach would be to force the IPv6 system into a more IPv4/NAT system: The router would block all access to internal IP's, and forward specific ports on its own global IPv6 to internal-only ULA's (the IPv6 equivalent to 192.168.x.x type addresses.) The router would have to assign those ULA's via DHCPv6.

A prettier approach would be for the router to use hostnames (or MAC addresses?) to identify hosts that should have ports forwarded. The hostnames would be resolved at runtime allowing IPv6 mechanisms to resolve them. That might be via DNS, or via Neighbor Discovery Protocol (which allows a machine to discover the link local address of a peer.) (disclaimer: I'm not sure if NDP is the proper mechanism for discovering a peer hostname ipv6 link local address... there is a mechanism, but I don't remember it off the top of my head.)

The point is that anything can be done, and there's actually quite a bit more flexibility to doing it with ipv6. We only need to remove the mental constraints of IPv4 to do it well.

Take care
Gary
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

Posted: Wed Aug 13, 2014 13:55
JAMESMTL wrote:
kiwiis wrote:
JAMESMTL wrote:
kiwiis wrote:
2.45 is unfortunately still a really old version of dnsmasq and missing things such as DNSSEC validation/caching:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html


The current version is available via repo


Does it overwrite/replace the one used by the webif? Or do you basically get two separate installations and have to disable the webif dnsmasq?


You get two separate versions of dnsmasq.

What I did in limited testing was to copy the files /tmp/dnsmasq.conf and /tmp/resolv.dnsmasq to my /jffs/etc/config dir. I then edited dnsmasq.conf to point to the new resolv file.

Once that was done I created a script to start dnsmasq via
/opt/usr/sbin/dnsmasq --conf-file=/jffs/etc/config/dnsmasq.conf

Then I disabled anything related to dnsmasq on the setup and services pages. This is very important as there is a keep alive function which will kill the repo version and start the included version.

Everything seems to work fine for my uses, which are basically ipv6 testing; I can't guarantee it will for yours.

Here are the compile options for the ipv6 version I installed. I have no idea what the regular version compile options are.

dnsmasq -v
Dnsmasq version 2.71 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC


By the way, I have the latest dnsmasq version in my ddwrt trunk, as I'm using it at work. Just have to enable inclusion in public builds:-)

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Page 19 of 37. All times are GMT.