ipv6 recipe for asuswrt-merlin via hurricane electric

donbowman

Occasional Visitor
It took me a bit to get this going, so I thought I would share. When you are done you will have IPv6 in your home for all your devices.

High level instructions
1. Sign up for a (free!) tunnel account @ http://tunnelbroker.net/
2. Change your DDNS settings in asuswrt to reset your v4 IP if it changes
3. Set up an IPv6 6in4 tunnel
4. Put an ip6tables firewall script in place
5. Run the test @ http://test-ipv6.com/ and enjoy!

OK, some details.
I assume you can all do #1 without trouble.

For #2, On your asuswrt interface, go to WAN/DDNS. Select the 'www.tunnelbroker.net' provider. In the 'Host Name' put the tunnel ID your tunnel has. This is a ~5 digit number, and appears on your 'Tunnel Details' page on the tunnelbroker.net website after you have logged in. In the "User Name or Email Address" put your user-id which is a really long alphanumeric string for User ID that you will see if you click on "Main Page" (just above account info) on the tunnelbroker.net site. Then enter your password. Once this is done, the DDNS client on the router will update HE each time your IP changes.

For #3, select 'IPV6' on the asuswrt interface. Select 'Tunnel 6in4' for connection type. Enter the Server IPv4 Address from your HE tunnel details page. Enter the Client IPv6 address (without the mask... this should end in ::2). Select 64 for ipv6 prefix len. Select 1480 for Tunnel MTU. Select 255 for Tunnel TTL. In the IPv6 lan settings, take the value from the 'Routed /64' on your tunnel details page, and enter it as LAN ipv6 prefix. Do not put the mask, but end in :: (e.g. X:X:X:X::). Enter 64 for the prefix len. In the IPv6 DNS resolvers, put 2001:470:20::2, 2001:4860:4860::8888, and 2001:4860:4860::8844. Now select 'Enable Router Advertisement'.

At this stage you should have IPv6 connectivity. You can check that here: http://test-ipv6.com/, or run 'ifconfig' on your Linux machine, or ipconfig on your Windows machine. These should have gotten an IPv6 address from the router via router advertisement. If not, debug until you do.

For #4, you are going to want to do some firewalling I think (if you are happy with all your interior machines open on the internet, skip). Go to the Administration/System tab, enable JFFS. Now create a file called /jffs/scripts/firewall-start [I did this via SSH] based on the attachment to this thread. You need to change the top 3 lines to match your tunnel IP interfaces.

This will allow any machine inside your house to do what it wants, but disallows incoming connectivity.

At this stage, re-run the ipv6 test http://test-ipv6.com/, and you should be good to go.

You may wish to remove the bottom 3 lines of the script (the LOG ones); they are for debugging, but cost a lot of perf.
 

Attachments

  • firewall-start.txt
Thanks for the guide!

One question, though:

How do I access my router from WAN using HE DDNS?

What would be the address line, e.g. 'Host-ID'.he.net or smth. else?
 
Well, you've got a few options...

Ultimately it's running this script on their end: http://ipv4.tunnelbroker.net/ipv4_end.php

1. You've got IPv6 now, and those IPs are all public and don't change, so why bother w/ DDNS? :)
2. Run a second DDNS either on the router (entware, optware), or on a pc of yours.
3. Don't use that part of the recipe, if your IP changes rarely, just update in the tunnelbroker interface manually.
4. Figure out how to add a custom DDNS script, and have it do both in one go

Me? I'm using #2.
 
You can also use my modified script from my website. Saves you from having to monopolize the DDNS client just for updating the tunnel.

This howto is quite outdated tho, I wrote it before I implemented user scripts, so the tunnel update script documented there can now be put in the wan-start script.
 
Hmm... strange. I've run RMerlin's update script on the router and now

I'm looking at http://tunnelbroker.net/tunnel_detail.php?tid=<MyTunnelID>
and it shows no signs of http://ipv4.tunnelbroker.net/ipv4_end.php script activity:

Last Status: N/A @ N/A
Hostname: <empty>
API Key: <empty>

How do I know if my IPv4 address has registered with the HE DDNS server?

Also, http://test-ipv6.com test results are not good :(
I'm running Win8, and my Ethernet adapter indicates that the router has delegated an IPv6 address and DNS to the adapter (ipconfig /all follows):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 70-5A-B6-__-__-__
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:470:1f0b:a92:613b:c6a8:____:_____(Preferred)
Temporary IPv6 Address. . . . . . : 2001:470:1f0b:a92:99bc:aa79:___:____(Preferred)
Link-local IPv6 Address . . . . . : fe80::613b:c6a8:e63a:_____%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.110(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 2 января 2013 г. 3:08:42
Lease Expires . . . . . . . . . . : 3 января 2013 г. 3:08:41
Default Gateway . . . . . . . . . : fe80::ca60:ff:fee8:____%12
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 259021494
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-7A-6C-AD-70-5A-B6-__-__-__

DNS Servers . . . . . . . . . . . : 2001:470:20::2
2001:4860:4860::8888
2001:4860:4860::8844

However, http://test-ipv6.com complains that IPv6 sites will appear as 'broken'...
Any clue?
 
if you look on the tunnelbroker.net website after you login, you can click on the link for your tunnel.

http://tunnelbroker.net/tunnel_detail.php?tid=????

This will show the current IPv4 address registered. If that is not correct, try until it is :) or you can manually set it.
 
OK, success!:)
In RMerlin's script, I've just uncommented the part that allowed HE VERIFY SERVER to ping through my FW, and now it's all good:
http://test-ipv6.com gives me 9/10 score;)

You are likely failing the AAAA record test. If you put in 8.8.8.8 for your IPv4 DNS server, you'll get 10/10 I think.
But it does mean you have connectivity. Congrats.
 
I have a few questions about this tutorial because this network stuff is all new to me:

"In the IPv6 DNS resolvers, put 2001:470:20::2, 2001:4860:4860::8888, and 2001:4860:4860::8844"
In another tutorial I read to enter the "Anycasted IPv6 Caching Nameserver" address. So, what are those IPs and what should I use?

"Select 1480 for Tunnel MTU."
What's this about? I used "0" and it also worked.

The firewall script:
I've downloaded the txt file and changed the first 3 lines.

Then I deleted the suffix (.txt) and uploaded it to cloudapp because I didn't get access to my router via the Cyberduck SFTP client (with scp). (I'm on Mac OS X)

Then I used these commands in the terminal:

Code:
wget -c -O /jffs/scripts/firewall-start http://cl.ly/myfile
chmod a+rx /jffs/scripts/firewall-start

(found these commands on another thread)
and then: #!/bin/sh

Is this correct?

How do I know if the firewall script is working?


Sorry for my bad English :eek:
 
"In the IPv6 DNS resolvers, put 2001:470:20::2, 2001:4860:4860::8888, and 2001:4860:4860::8844"

In another tutorial I read to enter the "Anycasted IPv6 Caching Nameserver" address. So, what are those IPs and what should I use?

These are the IPv6 nameservers of Hurricane Electric (first one) and Google (2nd two). You can use any public IPv6 nameserver.

"Select 1480 for Tunnel MTU."
What's this about? I used "0" and it also worked.
MTU is 'maximum transmission unit'; it's the size of the largest packet allowable on a link.
Ethernet is normally 1500. Because there is overhead on the tunnel, I lowered it. I'm not sure if '0' makes it automatically detect; perhaps it does.

How do I know if the firewall script is working?


sorry for my bad english :eek:

You can tell if the firewall is working by doing an 'iptables -vL' and looking for IPv6 lines. The counters in the first two columns indicate the number of packets hitting the rule.

For example, in mine, I see:

Code:
pkts bytes target prot opt in out source destination
...
17 1224 ACCEPT ipv6 -- any any anywhere anywhere
...

which means that I've had some packets hit my IPv6 accept rule.
 
Sorry, I have 2 more questions:

Is it possible that tunneling only works if I enable "respond to ping" on my N66U? Isn't that very insecure?

best regards
 
If I remember, this is a requirement that Hurricane Electric specifies on their website. They probably need it to check that your IP is online.

This has very limited security implications. All it means is that someone pinging your IP will know there is someone online at that IP. If you have any forwarded port, they would be able to find it as well just through port scanning anyway.
 
Works a treat thanks.
The only thing that I changed was that I use dns-o-matic in my DDNS setting and set up tunnelbroker from there, as this means I get to keep my homeip.net address and the IPv6 tunnel also works.
 
I too used http://www.lostrealm.ca/tower/node/81
Built-in IP updater and firewall-start jffs script

Code:
#!/bin/sh

touch /tmp/000firewall6start

#############
# IPV6 Firewalling
# chmod a+rx /jffs/scripts/*
# Unix mode!
#############
# Appended after the firmware's own INPUT rules: anything they did not already accept is dropped
ip6tables -A INPUT -j DROP

# Replies belonging to tracked connections may be forwarded in either direction
ip6tables -I FORWARD 2 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allowed inbound rules here, such as this one:
#ip6tables -I FORWARD 2 -p tcp -m state --state NEW -i v6in4 -d 2001:123:44:555:6666:7777:8888:9999 --dport 3389 -j ACCEPT
# New traffic arriving from the tunnel towards the LAN is dropped
ip6tables -A FORWARD -i v6in4 -o br0 -p all -j DROP
# LAN hosts may go anywhere. The original rules said "-o any" / "-i any", but "any" is only how
# "ip6tables -L" displays an unrestricted interface; as a match it would only ever fit an
# interface literally named "any", so the interface match is simply left out here.
ip6tables -A FORWARD -i br0 -p all -j ACCEPT
ip6tables -A FORWARD -i br0 -o v6in4 -p all -j ACCEPT
ip6tables -A FORWARD -o br0 -p all -j ACCEPT
ip6tables -A FORWARD -j DROP
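A fuller firewall-start in the same spirit, added here as an example (it is not the thread's attachment, RMerlin's script, or the script just above): it keeps the tunnel-to-LAN default deny, but also lets through the ICMPv6 messages that neighbour discovery, path MTU discovery over the 1480-byte tunnel (Packet Too Big) and HE's ping check depend on, and rate-limits the LOG rule so it does not cost performance. It assumes the interface names v6in4 and br0 used above, and that the router's ip6tables has the state, limit and icmpv6 matches.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start: IPv6 rules for an HE 6in4 tunnel on asuswrt-merlin.
# Added example for this thread; it is not the attachment from the original post.
# Assumptions: the tunnel interface is v6in4 and the LAN bridge is br0 (the names the
# script above uses), and the router's ip6tables has the state, limit and icmpv6 matches.
TUN="${TUN:-v6in4}"
LAN="${LAN:-br0}"
IP6T="${IP6T:-ip6tables}"

apply_ipv6_rules() {
    # --- traffic addressed to the router itself ---
    $IP6T -A INPUT -m state --state INVALID -j DROP
    $IP6T -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$LAN" -j ACCEPT
    # ICMPv6 errors (1-4) and neighbour discovery (133-136) must pass or IPv6 breaks
    for t in 1 2 3 4 133 134 135 136; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT
    done
    # HE checks the endpoint with ping: answer echo requests, but rate-limit them
    $IP6T -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
    $IP6T -A INPUT -j DROP

    # --- traffic forwarded between the tunnel and the LAN ---
    $IP6T -A FORWARD -m state --state INVALID -j DROP
    $IP6T -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IP6T -A FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
    # Packet Too Big (type 2) must reach LAN hosts for path MTU discovery over the 1480-byte tunnel
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -p icmpv6 --icmpv6-type 2 -j ACCEPT
    # Per-host inbound exceptions go here, for example (kept commented out):
    # $IP6T -A FORWARD -i "$TUN" -o "$LAN" -d 2001:db8::10 -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # A rate-limited LOG is cheap, unlike an unlimited one; then drop the rest from the tunnel
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "ip6 drop: "
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -j DROP
}

# Print the rules instead of loading them (to review on a PC before copying to the router)
dry_run_rules() {
    ( IP6T=echo; apply_ipv6_rules )
}

if [ -n "${DRY_RUN:-}" ]; then
    dry_run_rules
elif command -v "$IP6T" >/dev/null 2>&1; then
    apply_ipv6_rules
fi
```

Run it with DRY_RUN=1 on a PC to see the rules it would load; on the router, 'ip6tables -vL FORWARD' afterwards shows the packet counters per rule, which is the check asked for later in the thread.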
 
ok, I had rejoiced too soon.

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   56  2824 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 7908 1999K logaccept  all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   11  3071 ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW 
 1793  200K ACCEPT     all  --  br0    any     anywhere             anywhere            state NEW 
   29 10819 logaccept  udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc 
    0     0 logaccept  icmp --  any    any     anywhere             anywhere            
    0     0 logaccept  tcp  --  eth0   any     anywhere             anywhere            tcp dpt:1723 
    0     0 logaccept  gre  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     ipv6 --  any    any     anywhere             anywhere            
   48  6334 DROP       all  --  any    any     anywhere             anywhere


IPv6: no accepted packets. What did I do wrong?
(And what is the first line, which ends with: INVALID?)
Could someone help me please?
 
Are you looking at the IPv4 tables or the IPv6 tables? They are totally separate.

Code:
ip6tables -L -v
 
I used this command: iptables -vL

because donbowman said:

"You can tell if the firewall is working by doing an 'iptables -vL' and look for ipv6 lines. The counters in the first two indicate the number of packets hitting the rule.

For example, in mine, i see:

pkts bytes target prot opt in out source destination
...
17 1224 ACCEPT ipv6 -- any any anywhere anywhere
...

which means that i've had some packets hit my ipv6 accept rule"



Besides, why does the first line say state INVALID? Is there something wrong?
(I don't understand all the stuff in this table):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
56 2824 DROP all -- any any anywhere anywhere state INVALID


Thank you in advance for your answer.
 
That means if a packet has a state that is invalid, then it should be dropped. This is just a basic firewall security rule.

iptables -L will show the content of the IPv4 tables. ip6tables -L will show the content of the IPv6 tables.
 