Did you enable ipv6 prior to running those commands?
Personally when I do a fresh install I enable ipv6 and radvd then reboot the router. I then run lsmod to make sure ipv6 has been loaded. I then turn off radvd from the webif and have it started by my scripts on future reboots.
Good point, I'll give this a try and see if it causes those other symbols to be included in the kernel.
Thanks for this.
Okay, I've tried everything that I can think of, but the ipv6 modules are not in the kernel after enabling IPv6 and radvd, and rebooting. The ipv6 modules are there after enabling IPv6, but once I reboot and the router fully comes back up, they've been removed.
When I reboot after enabling IPv6, the router has to make at least two tries at it, I see it reboot, and fail to connect to the internet, then reboot again, and connect. And the ipv6 modules are apparently dropped (my theory) after the first failure to connect in the reboot process.
I don't know if this is characteristic of the 23900M build, or what, but I cannot get IPv6 going at this point since I can't get the kernel set up in the right state with the needed ipv6 modules loaded.
Thanks for everyone's help, at this point I don't know what the problem is. Likely me *smile*.
Edit: just got back from a walk, and have decided that I'm going to do all the prep work up to the end, then enable IPv6 and reboot, and hope that it all works. I have a good feeling about doing that *smile*.
Okay, I did the above, and things look much better, but not quite there. I have all the ipv6 modules in my kernel after rebooting now, but radvd is not running. I did put the configuration for radvd in the web interface, so I'm not quite sure why this is.
This raises yet another question. If I want to run radvd out of my scripts instead of relying on the web interface to run it (which is apparently not working), how would I do that? Would I put the invocation of radvd in a startup script, and use a parameter that gives the path to my radvd.conf?
Anyways, getting closer here!
Edit: Darn it, I still see that nf_defrag_ipv6 and nf_conntrack_ipv6 still didn't make it:
root@DD-WRT:~# insmod nf_defrag_ipv6
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_defrag_ipv6.ko': unknown symbol in module
root@DD-WRT:~# insmod nf_conntrack_ipv6.ko
insmod: cannot insert '/lib/modules/3.10.33/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko': unknown symbol in module
root@DD-WRT:~#
So there's still something funky about what I've done, something missing.
Oh well. I'm going to stop spending time on this, not really getting anywhere.
Last edited by MrDoh on Wed May 07, 2014 22:15; edited 2 times in total
Maybe I'm missing something in the thread, but I just got IPv6 working on a fresh flash of DD-WRT on the R7000. All I did for getting ip6tables going was to add this to startup:
No issues with missing symbols, modules show as loaded with lsmod on reboot, and I'm able to plug in all my rules fine without any errors. I'm also completely stealth on http://ipv6.chappell-family.com/ipv6tcptest/. Let me know if there's any notes you'd like to compare. I'm using Tunnelbroker.
Posted: Thu May 08, 2014 4:24 Post subject:
twalls wrote:
Maybe I'm missing something in the thread, but I just got IPv6 working on a fresh flash of DD-WRT on the R7000. All I did for getting ip6tables going was to add this to startup:
No issues with missing symbols, modules show as loaded with lsmod on reboot, and I'm able to plug in all my rules fine without any errors. I'm also completely stealth on http://ipv6.chappell-family.com/ipv6tcptest/. Let me know if there's any notes you'd like to compare. I'm using Tunnelbroker.
I'm feelin stealthy myself!!
Last edited by NiTrus on Sat May 10, 2014 21:57; edited 1 time in total
Can I ask how you're doing your firewall script? I'm getting mixed results here. I'm working on a newly factory reset firmware. The only things I've done is change admin and Wi-Fi passwords, enable IPv6 and Radvd, type in Radvd config, type in startup script which handles the IPv6 tunnel and modules for ip6tables, and type in a firewall script. All of that works great, but here's the rub. I reboot, and everything is great except for the firewall. Running ip6tables -L shows no rules loaded. I just parsed through nvram show, and the rules are all there for rc_firewall. I can save the firewall script, and they apply again. They show up in .rc_firewall under /tmp, but they aren't loading on reboot. I thought that was the point...
I'm using DD-WRT v24-sp2 (04/08/14) kongac - build 23884M on R7000.
Posted: Thu May 08, 2014 5:30 Post subject:
twalls wrote:
Can I ask how you're doing your firewall script? I'm getting mixed results here. I'm working on a newly factory reset firmware. The only things I've done is change admin and Wi-Fi passwords, enable IPv6 and Radvd, type in Radvd config, type in startup script which handles the IPv6 tunnel and modules for ip6tables, and type in a firewall script. All of that works great, but here's the rub. I reboot, and everything is great except for the firewall. Running ip6tables -L shows no rules loaded. I just parsed through nvram show, and the rules are all there for rc_firewall. I can save the firewall script, and they apply again. They show up in .rc_firewall under /tmp, but they aren't loading on reboot. I thought that was the point...
I'm using DD-WRT v24-sp2 (04/08/14) kongac - build 23884M on R7000.
Travis
check out my post on pg3 of this thread: it loads this script on boot..
4-create a script called load-ipv6.sh with code below..thx to Bascom
put it in /jffs/etc/config
Code:
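#!/bin/sh
# Load the IPv6 netfilter modules before touching any ip6tables rules
insmod nf_defrag_ipv6
insmod ip6_tables.ko
insmod nf_conntrack_ipv6.ko
insmod ip6table_filter.ko
# Start from empty chains
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
# Traffic to the router itself: replies to existing connections, ICMPv6 and
# link-local sources are accepted, everything else is dropped
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
# Forwarded traffic: replies to existing connections and anything leaving
# via vlan2 are accepted, everything else is dropped
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -o vlan2 -j ACCEPT
ip6tables -A FORWARD -j DROP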
Posted: Thu May 08, 2014 5:46 Post subject:
Fwiw I am using similar rules, however I handle icmpv6 as per the recommendations found in RFC 4890. At the end of the RFC you will find their ip6tables script. In addition to those rules, I allow my prefix to access the router; this way I can ssh into the R7000 via IPv6.
I guess that's why I'm confused. I'm reading tons of forum posts where people say they saved the firewall rules to their firewall script, and it works for them. Even this page on the DD-WRT wiki, http://www.dd-wrt.com/wiki/index.php/Iptables_command, says:
Quote:
To get your rules to survive a reboot of the router, save them in a Firewall script
Sure, I could put it in the startup script, but, for example, what happens when my Internet connection happens to go down and back up, which I've read results in a restart of the firewall. My understanding is that the firewall would reload during a WAN down/up scenario, and it would use the contents of the firewall script (NOT the startup script) to handle what rules to load when starting back up. Basically, it is starting to look like I need to establish the firewall script, but still call that firewall script up manually in the startup script by running something like /tmp/.rc_firewall. The only problem I have with doing that is everything I'm reading seems to indicate that saving the firewall script is sufficient. That, or no one ever reboots their routers to see what happens afterwards!
So save your firewall in a self-made script instead of the firewall script. On reboot, the DD-WRT firewall may be built BEFORE your ip6 modules have been inserted.
However, you can save your firewall in the firewall script, too (for several WAN disconnects), but I'm unsure if that can work for reboots (see above).
There are several ways in DD-WRT to realize what you want.
My way was using self-made scripts and executing them on router startup and WAN down/up.
Thanks, Bas. I ended up throwing /tmp/.rc_firewall in the startup script after the ip6tables modules load. So I pretty much have the same setup that you describe, separate firewall script that gets called on boot as well. This is working great so far.
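The ordering problem discussed in the posts above (firewall script applied before the ip6tables modules are inserted, leaving no IPv6 rules after a reboot) can be guarded against in the startup script. This is an added example, not code from the thread: the function names and the idea of checking a `/proc/modules`-format list and an `ip6tables -S`-format rule dump are assumptions; the module names and `/tmp/.rc_firewall` come from the posts.

```shell
#!/bin/sh
# Added example (not from the thread). Module names are those in load-ipv6.sh.
REQUIRED_MODULES="nf_defrag_ipv6 ip6_tables nf_conntrack_ipv6 ip6table_filter"

# Print every required module that is absent from a /proc/modules-format
# file ($1). Each line of that file starts with "<module name> ".
missing_modules() {
    for m in $REQUIRED_MODULES; do
        grep -q "^$m " "$1" || printf '%s\n' "$m"
    done
}

# Succeed only if the last rule of chain $2 in an `ip6tables -S`-format dump
# ($1) is the catch-all DROP. A chain with no rules at all (the state seen
# after the reboot described above) fails this check.
chain_ends_in_drop() {
    [ "$(grep "^-A $2 " "$1" | tail -n 1)" = "-A $2 -j DROP" ]
}

# Run the saved firewall script only once every module is loaded; otherwise
# report what is missing and return non-zero so the caller can retry or log.
# $1: module list (default /proc/modules), $2: script (default /tmp/.rc_firewall)
apply_ipv6_firewall() {
    modfile=${1:-/proc/modules}
    fwscript=${2:-/tmp/.rc_firewall}
    missing=$(missing_modules "$modfile")
    if [ -n "$missing" ]; then
        echo "ip6tables modules not loaded:" $missing >&2
        return 1
    fi
    sh "$fwscript"
}

# Typical use at the end of the startup script, after the insmod lines:
#   apply_ipv6_firewall || echo "IPv6 firewall NOT applied" >&2
#   ip6tables -S > /tmp/ip6rules && chain_ends_in_drop /tmp/ip6rules INPUT
```

If `apply_ipv6_firewall` returns non-zero, the router is forwarding IPv6 with whatever rules happen to be loaded, so treat that as a failure worth logging rather than a warning.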
Posted: Wed May 14, 2014 7:11 Post subject:
Here is my firewall wanup script. If you decide to use this script, ensure that it loads after all prefixes are assigned to the interfaces.
# IPv6 firewall rules based on Bascom's basic ip6tables rules found in DD-WRT forum post
# http://www.dd-wrt.com/phpBB2/viewtopic.php?p=879022#879022 and includes RFC 4890 - ICMPv6
# Filtering Recommendations. Sample code found in appendix B of the RFC at
# http://www.ietf.org/rfc/rfc4890.txt
#
# This script has modified the above to allow all prefixes on br0 to access the router via IPv6,
# removed duplicate icmpv6-type bad-header (Type 4 Code 0) rules for multiple prefixes, and corrected
# an error for time exceeded code 0 messages on existing sessions as per errata.
#
# By default all hosts permit echo requests (see sections 4.3.1 and 3.2 of RFC) however this can be
# disabled by setting the variable PINGABLE_HOSTS="" or can be limited using the -m limit parameter.
#
# Replace vlan2 from the last forward rule in the basic firewall rule section if running a
# tunnel (Ex. ip6tables -A FORWARD -o he-ipv6 -j ACCEPT). Add additional rules for multiple tunnels.
#
# Add special rules for accessing hosts remotely and modify the local prefix size where needed