R7000 and IPv6

NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Sat Apr 05, 2014 19:02
JAMESMTL wrote:
NiTrus wrote:

i used ipkg install package


Did you notice during the install if there were dependencies?

Here's what I did to get basic ip6tables working on my 6rd install

Added the following lines to my startup script

insmod nf_defrag_ipv6
insmod ip6_tables
insmod nf_conntrack_ipv6
insmod ip6table_filter

Copied the following lines to the command box on administration->commands. Then Save firewall

ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o tun6rd -j ACCEPT
ip6tables -A FORWARD -j DROP

I basically cut and pasted this from Bascom's post.
I removed the line permitting ping from WAN.

Note I suspect tun6rd would be vlan2 for native ipv6

These rules worked ok with my ipad but blocked my pc from getting out so I created unblock.wanup script containing

---- Start
#!/bin/sh

pdprefix=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'::' '{print $1}')
prefixsize=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'/' '{print $2}')

ip6tables -I INPUT 3 -s $pdprefix::/$prefixsize -j ACCEPT
---- End

This script inserts a rule permitting my subnet to get out


yes, around 7-8 dependent files needed for ip6tables..i downloaded those manually also..kind of a pain, but necessary to install..

i pasted in bascom's script, but ip6tables blocked my testip6.com...0/10..

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 05, 2014 19:16
NiTrus wrote:
JAMESMTL wrote:
NiTrus wrote:

i used ipkg install package


Did you notice during the install if there were dependencies?

Here's what I did to get basic ip6tables working on my 6rd install

Added the following lines to my startup script

insmod nf_defrag_ipv6
insmod ip6_tables
insmod nf_conntrack_ipv6
insmod ip6table_filter

Copied the following lines to the command box on administration->commands. Then Save firewall

ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o tun6rd -j ACCEPT
ip6tables -A FORWARD -j DROP

I basically cut and pasted this from Bascom's post.
I removed the line permitting ping from WAN.

Note I suspect tun6rd would be vlan2 for native ipv6

These rules worked ok with my ipad but blocked my pc from getting out so I created unblock.wanup script containing

---- Start
#!/bin/sh

pdprefix=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'::' '{print $1}')
prefixsize=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'/' '{print $2}')

ip6tables -I INPUT 3 -s $pdprefix::/$prefixsize -j ACCEPT
---- End

This script inserts a rule permitting my subnet to get out


yes, around 7-8 dependent files needed for ip6tables..i downloaded those manually also..kind of a pain, but necessary to install..

i pasted in bascom's script, but ip6tables blocked my testip6.com...0/10..


ip -6 route show should give you a better idea why

Fairly sure the ppp0 needs to be changed to vlan2. Like I said in my previous post, I had the same issue and needed to add a line to iptables allowing the subnet as source

ip6tables -vnL
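
One way to build the LAN-subnet rule from the unblock.wanup script quoted above without assuming the address contains `::` (an added example, not code from any poster in this thread). It passes each global address on br0 to ip6tables with its prefix length, validates the fields first, and adds `-i br0` so the rule matches on the LAN interface rather than on source address alone. The sample ifconfig output, the 2001:db8:: addresses, the MIN_PLEN floor and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes BusyBox-style ifconfig lines:
#   inet6 addr: <address>/<len> Scope:Global

# Constructed sample of `ifconfig br0` output (documentation prefix 2001:db8::/32).
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          inet6 addr: 2001:db8:12:3400::1/56 Scope:Global
          inet6 addr: 2001:db8:12:3400:211:22ff:fe33:4455/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Assumed floor for the prefix length: a shorter mask would accept far more
# than the LAN.
MIN_PLEN=${MIN_PLEN:-32}

# stdin: ifconfig output. stdout: one validated address/len per global address.
# Anything that is not hex digits and colons plus a sane length is skipped,
# so nothing unexpected reaches the ip6tables command line.
global_prefixes() {
    awk -v min="$MIN_PLEN" '/Scope:Global/ {
        if (split($3, p, "/") != 2) next
        if (p[1] !~ /^[0-9A-Fa-f:]+$/ || p[1] !~ /:/) next
        if (p[2] !~ /^[0-9]+$/ || p[2] + 0 < min + 0 || p[2] + 0 > 128) next
        print p[1] "/" p[2]
    }'
}

# stdin: ifconfig output. stdout: one rule per prefix. Returns 1 and prints
# nothing when br0 has no usable global address yet (e.g. wanup fired before
# the delegated prefix arrived), instead of emitting a broken "-s ::/" rule.
# ip6tables masks the host bits itself, so the full address is passed as is.
unblock_rules() {
    out=$(global_prefixes | while read -r pfx; do
        echo "ip6tables -I INPUT 3 -i br0 -s $pfx -j ACCEPT"
    done)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Offline demonstration; on the router: ifconfig br0 | unblock_rules
printf '%s\n' "$SAMPLE_IFCONFIG" | unblock_rules
```
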
NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Sat Apr 05, 2014 19:32
JAMESMTL wrote:
NiTrus wrote:
JAMESMTL wrote:
NiTrus wrote:

i used ipkg install package


Did you notice during the install if there were dependencies?

Here's what I did to get basic ip6tables working on my 6rd install

Added the following lines to my startup script

insmod nf_defrag_ipv6
insmod ip6_tables
insmod nf_conntrack_ipv6
insmod ip6table_filter

Copied the following lines to the command box on administration->commands. Then Save firewall

ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o tun6rd -j ACCEPT
ip6tables -A FORWARD -j DROP

I basically cut and pasted this from Bascom's post.
I removed the line permitting ping from WAN.

Note I suspect tun6rd would be vlan2 for native ipv6

These rules worked ok with my ipad but blocked my pc from getting out so I created unblock.wanup script containing

---- Start
#!/bin/sh

pdprefix=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'::' '{print $1}')
prefixsize=$(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F'/' '{print $2}')

ip6tables -I INPUT 3 -s $pdprefix::/$prefixsize -j ACCEPT
---- End

This script inserts a rule permitting my subnet to get out


yes, around 7-8 dependent files needed for ip6tables..i downloaded those manually also..kind of a pain, but necessary to install..

i pasted in bascom's script, but ip6tables blocked my testip6.com...0/10..


ip -6 route show should give you a better idea why

Fairly sure the ppp0 needs to be changed to vlan2. Like I said in my previous post, I had the same issue and needed to add a line to iptables allowing the subnet as source

ip6tables -vnL


i had pm'd Bas..he said to just remove the pppoe part.. it works now...thx Bascom!!!

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134

BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

Posted: Sat Apr 05, 2014 19:46
don't forget about all this: access restrictions on websites won't work if you reach them via ipv6

example: blocking facebook through "www.facebook.com" does only work on ipv4 connectivity. just my two cents.

would be nice if ipv6 restrictions would be added by devs

_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Mon Apr 07, 2014 15:38
BasCom wrote:
don't forget about all this: access restrictions on websites won't work if you reach them via ipv6

example: blocking facebook through "www.facebook.com" does only work on ipv4 connectivity. just my two cents.

would be nice if ipv6 restrictions would be added by devs


Bas, just curious..do u run rdisc6 with your wide-dhcpv6 install? Just wondering if its needed?

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134

BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

Posted: Tue Apr 08, 2014 9:59
no. rdisc won't work for me
_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Fri Apr 11, 2014 12:32
Comcast Native-IPv6 *** Updated on pg-4 ***

1-install wide-dhcpv6-client & rdisc6 from Kong's Repo (built into KongAC firmware): *** UPDATED ***

ipkg update
ipkg -force-depends install opkg
opkg update

opkg install wide-dhcpv6-client
opkg install rdisc6

2-go here and follow steps 7-14:
http://fibredsum.wordpress.com/2012/08/10/adding-dhcpv6-pd-support-to-dd-wrt/

3-install ip6tables:
opkg install ip6tables

4-create a script called load-ipv6.sh with code below..thx to Bascom
put it in /jffs/etc/config

Code:
#!/bin/sh

insmod nf_defrag_ipv6
insmod ip6_tables.ko
insmod nf_conntrack_ipv6.ko
insmod ip6table_filter.ko
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o vlan2 -j ACCEPT
ip6tables -A FORWARD -j DROP

5-make sure to add these to router startup scripts:
/jffs/etc/config/dhcp6c.wanup
/jffs/etc/config/rdisc6.wanup
/jffs/etc/config/load-ipv6.sh

6-reboot

7-test ipv6 connection
http://test-ipv6.com
http://ipv6-test.com

hopefully 10/10 on ipv6 test!!

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134



Last edited by NiTrus on Sat May 10, 2014 22:03; edited 34 times in total
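
A post-boot check for the load-ipv6.sh procedure above, added here as an example (not code from the thread or from DD-WRT). It reads `ip6tables -S` output and confirms that INPUT and FORWARD end in a default deny with a stateful accept, since the script has no error handling and a failed insmod or ip6tables call leaves the ACCEPT policies in place; it also lists INPUT accepts that carry no interface match. Both rule dumps and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On the router: RULES=$(ip6tables -S)
# Constructed dump: what load-ipv6.sh leaves behind when every call succeeds.
GOOD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/64 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o vlan2 -j ACCEPT
-A FORWARD -j DROP'

# Constructed dump: chains flushed but none of the -A calls took effect.
FLUSHED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# True when the chain policy is DROP or its last rule is an unconditional
# DROP/REJECT. load-ipv6.sh never sets a policy, so it relies on the latter.
chain_default_deny() {  # $1 = rules text, $2 = chain name
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-P" && $2 == c { policy = $3 }
        $1 == "-A" && $2 == c { last = $0 }
        END {
            if (policy == "DROP") exit 0
            if (last ~ ("^-A " c " -j (DROP|REJECT)( |$)")) exit 0
            exit 1
        }'
}

# True when return traffic is admitted by a conntrack/state rule.
has_stateful_accept() {  # $1 = rules text, $2 = chain name
    printf '%s\n' "$1" |
        grep -Eq -- "^-A $2 .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT"
}

# Lists ACCEPT rules with no interface match: they apply on the WAN side too.
unscoped_accepts() {  # $1 = rules text, $2 = chain name
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c && / -j ACCEPT$/ &&
        !/ -i / && !/ -o / && !/state / { print }'
}

# Prints findings; return value is the number of failed checks.
audit() {  # $1 = rules text
    fails=0
    for chain in INPUT FORWARD; do
        chain_default_deny "$1" "$chain" || { echo "FAIL $chain: no default deny"; fails=$((fails + 1)); }
        has_stateful_accept "$1" "$chain" || { echo "FAIL $chain: no stateful accept"; fails=$((fails + 1)); }
    done
    unscoped_accepts "$1" INPUT | sed 's/^/NOTE every interface: /'
    return "$fails"
}

audit "$GOOD_RULES" && echo "good dump: firewall loaded"
audit "$FLUSHED_RULES" || echo "flushed dump: $? checks failed"
```
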
pules
DD-WRT Novice


Joined: 16 Apr 2014
Posts: 3

Posted: Wed Apr 16, 2014 18:51
NiTrus wrote:
Comcast Native-IPv6

1-install wide-dhcpv6-client & rdisc6 from Kong's Repo (built into KongAC firmware): *** UPDATED ***

ipkg update
ipkg -force-depends install opkg
opkg update

opkg install wide-dhcpv6-client
opkg install rdisc6

2-go here and follow steps 7-14:
http://fibredsum.wordpress.com/2012/08/10/adding-dhcpv6-pd-support-to-dd-wrt/

3-install ip6tables:
opkg install ip6tables

4-create a script called load-ipv6.sh with code below..thx to Bascom
put it in /jffs/etc/config

Code:
#!/bin/sh

insmod nf_defrag_ipv6
insmod ip6_tables.ko
insmod nf_conntrack_ipv6.ko
insmod ip6table_filter.ko
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o vlan2 -j ACCEPT
ip6tables -A FORWARD -j DROP

5-make sure to add these to router startup scripts:
/jffs/etc/config/dhcp6c.wanup
/jffs/etc/config/rdisc6.wanup
/jffs/etc/config/load-ipv6.sh


6-reboot

7-test ipv6 connection
http://test-ipv6.com
http://ipv6-test.com

hopefully 10/10 on ipv6 test!!



what am I doing wrong here?

Code:
root@fw1:~# ipkg update
Downloading http://www.desipro.de/bcm53xx/packages/Packages ...
Connecting to www.desipro.de (82.165.77.220:80)
Packages             100% |******************************************************|   222k  0:00:00 ETA
Done.
Updated list of available packages in /jffs/usr/lib/ipkg/lists/kongarm
root@fw1:~# ipkg -force-depends install opkg

Downloading http://www.desipro.de/bcm53xx/packages/libgcc_4.6-linaro-1_bcm53xx.ipk ...
Connecting to www.desipro.de (82.165.77.220:80)
libgcc_4.6-linaro-1_ 100% |******************************************************| 20387   0:00:00 ETA
Done.
Unpacking libgcc...Done.
Configuring libgcc...Done.

Downloading http://www.desipro.de/bcm53xx/packages/libc_0.9.33.2-1_bcm53xx.ipk ...
Connecting to www.desipro.de (82.165.77.220:80)
libc_0.9.33.2-1_bcm5 100% |******************************************************|   236k  0:00:00 ETA
Done.
ipkg_install_file: Warning: libc depends on the following uninstalled programs:  libgcc
Unpacking libc...Done.
Configuring libc...Done.

Downloading http://www.desipro.de/bcm53xx/packages/opkg_9c97d5ecd795709c8584e972bfdf3aee3a5b846d-6_bcm53xx.ipk ...
Connecting to www.desipro.de (82.165.77.220:80)
opkg_9c97d5ecd795709 100% |******************************************************| 56002   0:00:00 ETA
Done.
ipkg_install_file: Warning: opkg depends on the following uninstalled programs:  libc libgcc
Unpacking opkg...Done.
Configuring opkg...Done.
root@fw1:~# opkg install wide-dhcpv6-client
Installing wide-dhcpv6-client (20080615-11) to root...
Downloading http://www.desipro.de/bcm53xx/packages/wide-dhcpv6-client_20080615-11_bcm53xx.ipk.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for wide-dhcpv6-client:
 *    kernel (= 3.10.24-1-88195fd7c4e81d344be404da9a6ba099) *
 * opkg_install_cmd: Cannot install package wide-dhcpv6-client.


I'm running:
DD-WRT v24-sp2 kongac (c) 2014 NewMedia-NET GmbH
Release: 04/08/14 (SVN revision: 23884M)

Thanks for any help
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed Apr 16, 2014 18:57
opkg install wide-dhcpv6-client --nodeps
pules
DD-WRT Novice


Joined: 16 Apr 2014
Posts: 3

Posted: Wed Apr 16, 2014 19:00
JAMESMTL wrote:
opkg install wide-dhcpv6-client --nodeps


THANK YOU!!! got past error...now to next steps!
pules
DD-WRT Novice


Joined: 16 Apr 2014
Posts: 3

Posted: Wed Apr 16, 2014 22:25
Thank you NiTrus for the great write up and thank you JAMESMTL for your input

http://test-ipv6.com/ = 10/10
http://ipv6-test.com/ = 19 / 20
*

* How can you improve your score ?

1. Get a reverse DNS record
There is no reverse DNS record to associate your IPv6 address with a host name. Reverse DNS records are required by some Internet protocols and are usually managed at the ISP level.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

Posted: Wed May 07, 2014 8:26
Okay, I've followed Nitrus's instructions above. However, I have some questions.

1. All okay up to manually trying the four insmod's:

root@DD-WRT:/jffs# insmod nf_defrag_ipv6
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_defrag_ipv6.ko': unknown symbol in module
root@DD-WRT:/jffs# insmod ip6_tables.ko
root@DD-WRT:/jffs# insmod nf_conntrack_ipv6.ko
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko': unknown symbol in module
root@DD-WRT:/jffs# insmod ip6table_filter.ko
root@DD-WRT:/jffs#


As you can see, I got a couple of errors above. I'm wondering if this is an ordering problem...wondering what the order should be to make this work? Or what I can do to make the 2 non-working insmod's work correctly?

2. For this step, step 5:

5-make sure to add these to router startup scripts:
/jffs/etc/config/dhcp6c.wanup
/jffs/etc/config/rdisc6.wanup
/jffs/etc/config/load-ipv6.sh

what router startup scripts do I add them to, and where are those scripts? Do I create them, or are they already there? Where do I put them if I create them...seems like they'd have to be in /jffs if I'm to create them, since this is about the only writeable file system I have?

Kind of a newbie at doing this in dd-wrt, as you can see, and could really use some help with this.

Thanks very much!
NiTrus
DD-WRT User


Joined: 25 Dec 2010
Posts: 295
Location: Twin Cities, MN

Posted: Wed May 07, 2014 12:07
MrDoh wrote:
Okay, I've followed Nitrus's instructions above. However, I have some questions.

1. All okay up to manually trying the four insmod's:

root@DD-WRT:/jffs# insmod nf_defrag_ipv6
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_defrag_ipv6.ko': unknown symbol in module
root@DD-WRT:/jffs# insmod ip6_tables.ko
root@DD-WRT:/jffs# insmod nf_conntrack_ipv6.ko
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko': unknown symbol in module
root@DD-WRT:/jffs# insmod ip6table_filter.ko
root@DD-WRT:/jffs#


As you can see, I got a couple of errors above. I'm wondering if this is an ordering problem...wondering what the order should be to make this work? Or what I can do to make the 2 non-working insmod's work correctly?

2. For this step, step 5:

5-make sure to add these to router startup scripts:
/jffs/etc/config/dhcp6c.wanup
/jffs/etc/config/rdisc6.wanup
/jffs/etc/config/load-ipv6.sh

what router startup scripts do I add them to, and where are those scripts? Do I create them, or are they already there? Where do I put them if I create them...seems like they'd have to be in /jffs if I'm to create them, since this is about the only writeable file system I have?

Kind of a newbie at doing this in dd-wrt, as you can see, and could really use some help with this.

Thanks very much!


1-those commands are saved in load-ipv6.sh script in step 4 of instructions..
2-you should have created those scripts, and put them in the directories noted in instructions...then you can copy/paste step 5 to your router..
router-login/administration/commands/save startup

pm me if u get stuck...i will see if i can help..

_________________
NETGEAR R9000 | RT | 40134
NETGEAR R7800 | AP | 40134

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed May 07, 2014 16:35
Did you enable ipv6 prior to running those commands?

Personally, when I do a fresh install I enable ipv6 and radvd, then reboot the router. I then run lsmod to make sure ipv6 has been loaded. I then turn off radvd from the webif and have it started by my scripts on future reboots.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

Posted: Wed May 07, 2014 16:47
NiTrus wrote:

1-those commands are saved in load-ipv6.sh script in step 4 of instructions..
2-you should have created those scripts, and put them in the directories noted in instructions...then you can copy/paste step 5 to your router..
router-login/administration/commands/save startup

pm me if u get stuck...i will see if i can help..


1-Well, seems to me that I should be able to run those insmod commands outside of the script. Another poster brought up the detail about whether IPv6 was enabled at the time, I don't remember that detail. I did enable IPv6 so that I could put radvd contents in the linked document into the radvd.conf file, but I'm not sure if that was before or after enabling IPv6 via "Apply", I may only have saved it at that time.

Anyways, it's the same kernel that the modules are being linked with, and the same set of other linked modules, so it seems to me that the insmod's should work anytime, if they're going to work at boot time.

2-Thanks, I'd forgotten about the ability to save startup commands in the web interface...the last router that I did this with didn't have that, you had to create the startup files under /jffs/scripts. However, dd-wrt does have that nice facility for saving startup commands, so I'll use it for this.

Got my fingers crossed that having IPv6 enabled when I do the insmod's is the problem.

Thanks.