Enabling LAN IPv6

PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Fri Jan 27, 2023 14:37    Post subject: Reply with quote
These are the previous threads I posted on Comcast and IPv6 (which did work, but currently don't):

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333042&highlight=

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330904&highlight=
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri Jan 27, 2023 15:39    Post subject: Reply with quote
The IPv6 firewall has been overhauled recently, so you should not need any firewall rules any more (but you never know, IPv6 is new for us all)

Normally just enabling IPv6 with PD and using a prefix of /48 , /56 or /64 (try all of those) should get you an IPv6 address

For the record these rules I had in my firewall but are now not necessary any more:
Quote:
# Allow ICMP might make it more restrictive only allowing the necessary ICMP messages
#ip6tables -D INPUT -p ipv6-icmp -j ACCEPT -m limit --limit 30/minute
#ip6tables -I INPUT -p ipv6-icmp -j ACCEPT -m limit --limit 30/minute
# Allow link local
#ip6tables -D INPUT -s fe80::/10 -j ACCEPT
#ip6tables -I INPUT -s fe80::/10 -j ACCEPT
#ip6tables -D OUTPUT -s fe80::/10 -j ACCEPT
#ip6tables -I OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
#ip6tables -D INPUT -d ff00::/8 -j ACCEPT
#ip6tables -I INPUT -d ff00::/8 -j ACCEPT
#ip6tables -D OUTPUT -d ff00::/8 -j ACCEPT
#ip6tables -I OUTPUT -d ff00::/8 -j ACCEPT

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Fri Jan 27, 2023 16:34; edited 1 time in total
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Fri Jan 27, 2023 16:32    Post subject: Reply with quote
It appears the IPv6 changes to DD-WRT disabled compatibility with Comcast IPv6. EGC, I tried your firewall commands but it did not enable WAN IPv6. The following commands did get me a WAN IPv6 address:

Fix (added this to startup Firewall Commands):
ip6tables -F
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A INPUT -j DROP

But no LAN IPv6 address. I did try all the previous solutions to get a LAN IPv6 address, but they do not work.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri Jan 27, 2023 18:30    Post subject: Reply with quote
PaulGo wrote:
It appears the IPv6 changes to DD-WRT disabled compatibility with Comcast IPv6. EGC, I tried your firewall commands but it did not enable WAN IPv6. The following commands did get me a WAN IPv6 address:

Fix (added this to startup Firewall Commands):
ip6tables -F
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A INPUT -j DROP

But no LAN IPv6 address. I did try all the previous solutions to get a LAN IPv6 address, but they do not work.


As far as I can see all those rules are already present, besides it looks like your rules are appended so probably are not hit at all, you can view it with : ip6tables -vnL

You are using a recent build?

Check with ifconfig if br0 has got an IPv6 address

PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Fri Jan 27, 2023 19:29    Post subject: Reply with quote
I am using the latest DD-WRT build for my R7000P router with a script which works with Verizon FiOS IPv6.
Johnnyh12
DD-WRT Novice


Joined: 07 Jul 2014
Posts: 35

PostPosted: Fri Jan 27, 2023 22:23    Post subject: Reply with quote
egc wrote:
PaulGo wrote:
It appears the IPv6 changes to DD-WRT disabled compatibility with Comcast IPv6. EGC, I tried your firewall commands but it did not enable WAN IPv6. The following commands did get me a WAN IPv6 address:

Fix (added this to startup Firewall Commands):
ip6tables -F
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A INPUT -j DROP

But no LAN IPv6 address. I did try all the previous solutions to get a LAN IPv6 address, but they do not work.


As far as I can see all those rules are already present, besides it looks like your rules are appended so probably are not hit at all, you can view it with : ip6tables -vnL

You are using a recent build?

Check with ifconfig if br0 has got an IPv6 address


This is what I get using the above firewall commands:



[Attachment: Untitled-1.jpg]


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Sat Jan 28, 2023 7:31    Post subject: Reply with quote
My question was also about the script you are using.
Code:
ip6tables -vnL
will show all rules already present and it looks like most and possibly all rules are already present, at least in the most recent builds

so can you show (from Command line interface, ssh/telnet/putty):
Code:
ip6tables -vnL
preferably before you executed your script and after you executed your script?
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Sat Jan 28, 2023 10:07    Post subject: Reply with quote
on the first page Per Ingve Berg already told him to post output of ifconfig but I suppose he misunderstood him and posted output from windows client machine (ipconfig /all)...
@PaulGo
you need to post output of ifconfig from router itself... If you cannot ssh you can use GUI

http://192.168.1.1/Diagnostics.asp and in the Commands field type ifconfig and hit green "Run commands" button at the bottom... and post output so we can see if you get Global unicast address... it could be routing problem... then post ip6tables -S and ip6tables -vnL

we will help you but please do this first...
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Sat Jan 28, 2023 10:11    Post subject: Reply with quote
and output of route -nA inet6 please
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Sat Jan 28, 2023 19:16    Post subject: Reply with quote
Mile-Lile wrote:
on the first page Per Ingve Berg already told him to post output of ifconfig but I suppose he misunderstood him and posted output from windows client machine (ipconfig /all)...
@PaulGo
you need to post output of ifconfig from router itself... If you cannot ssh you can use GUI

http://192.168.1.1/Diagnostics.asp and in the Commands field type ifconfig and hit green "Run commands" button at the bottom... and post output so we can see if you get Global unicast address... it could be routing problem... then post ip6tables -S and ip6tables -vnL

we will help you but please do this first...


As you can see, I am not familiar with how to use these commands. I did try what you suggested with the DD-WRT GUI with the Verizon FiOS which works with IPv6, and after I entered ifconfig and did run commands I did not get any response or error message.
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Sun Jan 29, 2023 17:35    Post subject: Reply with quote
After some research for putty I found the username is now "root" and I needed to use telnet (I changed the username in the GUI). What appears obvious to someone familiar with this is not unfortunately obvious to me. Anyway, here is the output of ifconfig connected to Comcast getting a WAN but no LAN using the script shown above:

root@DD-WRT:~# ifconfig
aux0 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EA
inet6 addr: fe80::120c:6bff:fe5d:b3ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:838 (838.0 B)
Interrupt:179 Base address:0x4000

br0 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EA
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::120c:6bff:fe5d:b3ea/64 Scope:Link
inet6 addr: 2601:152:4b01:3966:120c:6bff:fe5d:b3ea/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10847 errors:0 dropped:60 overruns:0 frame:0
TX packets:8547 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1614175 (1.5 MiB) TX bytes:5412293 (5.1 MiB)

eth0 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EA
inet6 addr: fe80::120c:6bff:fe5d:b3ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14590 errors:0 dropped:0 overruns:0 frame:0
TX packets:12242 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4412934 (4.2 MiB) TX bytes:4842081 (4.6 MiB)
Interrupt:181 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EC
inet6 addr: fe80::120c:6bff:fe5d:b3ec/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:30 overruns:0 frame:3956
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:163

eth2 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:FD
inet6 addr: fe80::120c:6bff:fe5d:b3fd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2695 errors:0 dropped:36 overruns:0 frame:0
TX packets:4391 errors:0 dropped:6 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:496375 (484.7 KiB) TX bytes:2127238 (2.0 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:61 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:9047 (8.8 KiB) TX bytes:9047 (8.8 KiB)

vlan1 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EA
inet6 addr: fe80::120c:6bff:fe5d:b3ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7415 errors:0 dropped:0 overruns:0 frame:0
TX packets:6997 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1013133 (989.3 KiB) TX bytes:3921902 (3.7 MiB)

vlan2 Link encap:Ethernet HWaddr 10:0C:6B:5D:B3:EB
inet addr:69.251.161.63 Bcast:69.251.161.255 Mask:255.255.254.0
inet6 addr: fe80::120c:6bff:fe5d:b3eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7175 errors:0 dropped:0 overruns:0 frame:0
TX packets:5236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000


Last edited by PaulGo on Sun Jan 29, 2023 18:37; edited 1 time in total
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

PostPosted: Sun Jan 29, 2023 17:48    Post subject: Reply with quote
egc wrote:
My question was also about the script you are using.
Code:
ip6tables -vnL
will show all rules already present and it looks like most and possibly all rules are already present, at least in the most recent builds

so can you show (from Command line interface, ssh/telnet/putty):
Code:
ip6tables -vnL
preferably before you executed your script and after you executed your script?


After firewall script:

# ip6tables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7 1143 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
945 60832 ACCEPT icmpv6 * * ::/0 ::/0
5 417 ACCEPT all * * fe80::/64 ::/0
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:546
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT all br0 * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0

Chain FORWARD (policy DROP 182 packets, 14040 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 41 packets, 4071 bytes)
pkts bytes target prot opt in out source destination

Before script - No IPv6:

ip6tables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 DROP all * * ::/0 ::/0 ctstate INVALID
0 0 ACCEPT all lo * ::/0 ::/0
0 0 DROP all !lo * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
1 161 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546 ctstate NEW
16 1653 ACCEPT all br0 * ::/0 ::/0
33 2120 ACCEPT all * * fe80::/10 ::/0
0 0 ACCEPT all * * ::/0 ff00::/8
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 limit: avg 30/min burst 5
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
5 825 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 DROP all * * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all br0 * ::/0 ::/0 ctstate NEW
0 0 TCPMSS tcp * * ::/0 ::/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT 26 packets, 3279 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
root@DD-WRT:~#
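
An added example, not part of any poster's message and not DD-WRT code: a small audit of `ip6tables -vnL` output that flags three conditions shown or discussed in this thread, namely a chain left with policy DROP and no rules (FORWARD in the "After firewall script" listing), an ICMPv6 ACCEPT with no type or rate limit, and rules appended behind a catch-all DROP/REJECT. The function name, finding labels and the second sample are assumptions made for illustration.

```shell
# Audit `ip6tables -vnL` output on stdin. Assumes the column layout posted in
# this thread (blank "opt" column); a literal "--" there is tolerated too.
audit_ip6tables() {
  awk '
    function end_chain() {
      # Policy DROP, no rules at all, and packets already hitting the policy.
      if (chain != "" && policy == "DROP" && rules == 0 && hits > 0)
        print "EMPTY_DROP " chain " " hits
    }
    /^Chain / {
      end_chain()
      chain = $2; policy = $4; hits = $5 + 0; rules = 0; closed = 0
      next
    }
    $1 !~ /^[0-9]+[KMG]?$/ { next }   # skip headers, prompts, blank lines
    {
      rules++
      o = ($5 == "--") ? 1 : 0        # offset when the opt column is printed
      target = $3; prot = $4
      any = ($(5+o) == "*" && $(6+o) == "*" && $(7+o) == "::/0" && $(8+o) == "::/0")
      extra = (NF > 8 + o) ? $(9+o) : ""
      if (closed) print "SHADOWED " chain " rule " rules " (" target " " prot ")"
      if (target == "ACCEPT" && prot == "icmpv6" && any && extra == "")
        print "OPEN_ICMPV6 " chain " rule " rules
      if ((target == "DROP" || target == "REJECT") && prot == "all" && any &&
          (extra == "" || extra == "reject-with"))
        closed = 1                    # nothing after a catch-all can match
    }
    END { end_chain() }
  '
}

# Sample 1: abridged from the "After firewall script" listing posted above.
sample_after_script() {
  cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7 1143 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
945 60832 ACCEPT icmpv6 * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 182 packets, 14040 bytes)
pkts bytes target prot opt in out source destination
EOF
}
# Sample 2 (constructed): a rule appended with -A behind a catch-all REJECT.
sample_appended() {
  cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 161 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
5 825 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:546
EOF
}

sample_after_script | audit_ip6tables; sample_appended | audit_ip6tables
```

On the router itself the live listing can be piped in with `ip6tables -vnL | audit_ip6tables`.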
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon Jan 30, 2023 6:42    Post subject: Reply with quote
the only odd thing I noticed is that your vlan2 (WAN interface) has /64 prefix length...
usually ISPs give /56 or even better /48...

and working firewall config has these 2 lines:


Code:
7 1143 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
945 60832 ACCEPT icmpv6 * * ::/0 ::/0


looks to me like icmpv6 flood from internet...
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon Jan 30, 2023 6:46    Post subject: Reply with quote
try just to accept all icmpv6 with:

Code:
ip6tables -A INPUT -p icmpv6 -j ACCEPT


and on ipv6 page of ddwrt GUI don't touch prefix length... leave it to default (/64) and see if that helps...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Mon Jan 30, 2023 7:21    Post subject: Reply with quote
It looks like VLAN2 (which is the WAN) does not get a Global IPv6 at all.

So it could be a setup error.

Try to set it up as shown in the attachment



[Attachment: Naamloos.jpg]


