OK, got some more time to test this IPv6...
My wg11.conf includes an IPv6 address, although I have no IPv6 WAN, tunnel or anything else... wg11 is up and running as an IPv4 internet client, so I decided to elaborate on how far I could take this IPv6 connection. My conf file gives me this ULA: fdab:xxxx:xxxx:69::214/64. I have made 3 conf files in total, and they all give different subnets (another: fdab:xxxx:xxxx:93::103/64).
Apparently this cannot be done without enabling IPv6 on the router (see this post), so I flipped the dreaded IPv6 switch, set it to native and did not touch anything for the moment.
Code:
ip link set down dev wg11
ip -6 address add dev wg11 fdab:xxxx:xxxx:69::214/64
ip link set up dev wg11
Looking at my interface:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg11
wg11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.69.214 P-t-P:10.0.69.214 Mask:255.255.255.0
inet6 addr: fdab:xxxx:xxxx:69::214/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1412 Metric:1
RX packets:15403 errors:0 dropped:0 overruns:0 frame:0
TX packets:14313 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14173304 (13.5 MiB) TX bytes:4693064 (4.4 MiB)
OK, looking good, but the main routing table still lacks a default route, so I'm adding one to this interface:
Code:
ip -6 route add ::/1 dev wg11
ip -6 route add 8000::/1 dev wg11
Testing by pinging something:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping 2600:: -c 3
PING 2600:: (2600::): 56 data bytes
64 bytes from 2600::: seq=0 ttl=50 time=144.946 ms
64 bytes from 2600::: seq=1 ttl=50 time=142.667 ms
64 bytes from 2600::: seq=2 ttl=50 time=144.360 ms
--- 2600:: ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 142.667/143.991/144.946 ms
YAY!!!!
Went into unbound and enabled IPv6 using vx.
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping ipv6.google.com -c 3
PING ipv6.google.com (2a00:1450:400f:802::200e): 56 data bytes
64 bytes from 2a00:1450:400f:802::200e: seq=0 ttl=118 time=16.757 ms
64 bytes from 2a00:1450:400f:802::200e: seq=1 ttl=118 time=14.432 ms
64 bytes from 2a00:1450:400f:802::200e: seq=2 ttl=118 time=16.692 ms
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.432/15.960/16.757 ms
Hurray!!!!
So... now what? The GUI in the router still shows nothing obtained via DHCPv6... so I set DHCP-PD to disabled and populated:
LAN IPv6 Address: fdab:xxxx:xxxx:69::1
LAN Prefix Length: 64
So now my br0 gets an IP in the same subnet:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping ipv6.google.com -c 3 -I br0
PING ipv6.google.com (2a00:1450:400f:802::200e): 56 data bytes
ping: sendto: Network is unreachable
Now, I don't get it... it appears as if something is still fishy... maybe having wg11 and br0 on the same subnet messes things up, routing-wise... and since we cannot masquerade/NAT I don't know what to do... perhaps try another subnet, but I'm quite sure any replies won't find their way back to me....
Oh, when executing:
Code:
ip link set down dev wg11
ip -6 address add dev wg11 fdab:xxxx:xxxx:69::214/64
ip link set up dev wg11
it messes up the IPv4 routing table (wg11 is removed), so in order to make this stick, I put this in wg11-route-up.sh; then wgm sets up the routing tables after this.
I also added this in wg11-up.sh:
Code:
ip -6 route add ::/1 dev wg11
ip -6 route add 8000::/1 dev wg11
ip6tables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'client'"
ip6tables -t filter -I FORWARD -i br0 -o wg11 -j ACCEPT
And here are my filter rules:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5 472 ACCEPT all br0 wg11 ::/0 ::/0
2 0 0 ACCEPT all eth0 * ::/0 ff00::/8
3 0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT all br0 eth0 ::/0 ::/0
5 0 0 ACCEPT all br0 br0 ::/0 ::/0
6 0 0 logdrop all * * ::/0 ::/0 state INVALID
7 0 0 ACCEPT 59 * * ::/0 ::/0 length 40
8 0 0 ICMP_V6 icmpv6 * * ::/0 ::/0
9 2 152 logdrop all * * ::/0 ::/0
(The byte movement on the br0 rule appears when I do an IPv6 ping from a router client (my Android phone), but the ping fails.)
Anyone know how to make the jump from br0 to wg11???
PS. Still keeping a wary eye out through the wooden planks I nailed up on the windows for any zombies...
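An added example, not code from the original post, from wgm or from Asuswrt-Merlin: the manual steps above (tunnel address, ::/1 and 8000::/1 routes, MSS clamp, fwmark and FORWARD accept) consolidated into one script that is safe to call repeatedly from wg11-up.sh. It adds the address to the live interface instead of bouncing the link (downing wg11 is what flushes its IPv4 routes), uses `ip -6 route replace` and `ip6tables -C` so a second run changes nothing, turns on IPv6 forwarding, and refuses to run if br0 and wg11 would carry the same /64, since the kernel would then hold two on-link routes for one prefix. The interface names, fwmark and rule set are the post's; the two ULA prefixes are constructed placeholders standing in for the redacted fdab:xxxx:xxxx:69::/64 and fdab:xxxx:xxxx:93::/64, and the forwarding sysctl and overlap check are this example's assumptions about what the setup needs, not something the post verified.

```sh
#!/bin/sh
# Added example (not from the original post or wgm): idempotent IPv6 bring-up
# for a WireGuard client interface on an Asuswrt-Merlin router.
#   sh wg6.sh plan    print the commands that would run
#   sh wg6.sh apply   run them (intended to be called from wg11-up.sh)
WG_IF="${WG_IF:-wg11}"
LAN_IF="${LAN_IF:-br0}"
WG_ADDR="${WG_ADDR:-fd00:db8:0:69::214/64}"   # constructed sample tunnel address from wg11.conf
LAN_ADDR="${LAN_ADDR:-fd00:db8:0:93::1/64}"   # constructed sample LAN address; a different /64
MARK="0x01/0x7"                                # same fwmark the post's rules set

# prefix64 ADDR[/LEN]: print the first four hextets, i.e. the /64 network part.
# Assumes the address is written like the post's, with "::" after the fourth
# hextet; anything else is rejected rather than guessed. Runs in a subshell so
# the IFS change and the positional parameters do not leak to the caller.
prefix64() (
  IFS=:
  set -- ${1%%/*}
  [ $# -ge 4 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] || exit 1
  printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$4"
)

# same_prefix A B: true when both addresses fall in the same /64.
same_prefix() {
  a="$(prefix64 "$1")" || return 2
  b="$(prefix64 "$2")" || return 2
  [ "$a" = "$b" ]
}

# wg6_commands: print every command, one per line, executing nothing.
# "route replace" instead of "route add" so a re-run does not fail with EEXIST.
# The address goes onto the live interface: no link down/up, because downing
# wg11 flushes the IPv4 routes wgm has already installed on it.
wg6_commands() {
  cat <<EOF
sysctl -w net.ipv6.conf.all.forwarding=1
ip -6 address add $WG_ADDR dev $WG_IF
ip -6 route replace ::/1 dev $WG_IF
ip -6 route replace 8000::/1 dev $WG_IF
ip6tables -t mangle -I FORWARD -o $WG_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -I FORWARD -i $WG_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -I FORWARD -o $WG_IF -j MARK --set-xmark $MARK
ip6tables -t mangle -I PREROUTING -i $WG_IF -j MARK --set-xmark $MARK
ip6tables -t filter -I FORWARD -i $LAN_IF -o $WG_IF -j ACCEPT
EOF
}

# wg6_apply: refuse overlapping /64s, then run each command only when needed.
wg6_apply() {
  if same_prefix "$WG_ADDR" "$LAN_ADDR"; then
    echo "refusing: $LAN_IF and $WG_IF would both carry $(prefix64 "$WG_ADDR")::/64," \
         "giving the kernel two on-link routes for the same prefix" >&2
    return 1
  fi
  wg6_commands | while IFS= read -r cmd; do
    case "$cmd" in
      "ip -6 address add "*)
        # skip if the address is already on the interface (avoids EEXIST)
        ip -6 address show dev "$WG_IF" 2>/dev/null | grep -qF "${WG_ADDR%/*}" && continue ;;
      ip6tables*)
        # ip6tables -C succeeds when an identical rule already exists
        ${cmd% -I *} -C ${cmd#* -I } 2>/dev/null && continue ;;
    esac
    $cmd || echo "failed: $cmd" >&2
  done
}

case "${1:-}" in
  plan)  wg6_commands ;;
  apply) wg6_apply ;;
esac
```

`plan` mode prints the exact command list for review before anything touches the router. Note what this does not do: it makes br0 traffic leave via wg11 and be marked like wgm's own IPv4 rules, but whether replies come back still depends on the far end accepting the LAN prefix in its AllowedIPs and translating the ULA, which is outside what the post shows.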