Troubleshooting IPv6 + Aiccu (SiXXS) - Setup partially working

WillyTP

Regular Contributor
Hello everybody.
I've been able to set up IPv6 through the tunnel broker SiXXS on AsusWRT Merlin 378.56_beta2.
I installed Aiccu through Optware-NG, and set up IPv6 on my router's IPv6 configuration page.
My setup is the following:

Connection Type: Tunnel 6in4
Server IPv4 Address: my chosen POP IPv4
Client IPv6 Address: my SiXXS given IPv6 (ending in ::2)
IPv6 prefix length: 64
IPv6 server address: my chosen POP IPv6 (ending in ::1)
MTU tunnel: 1280
TTL tunnel: 255
LAN IPv6 Setting:

LAN Prefix Length: my SiXXS subnet prefix (in my case 48)
LAN IPv6 Prefix: my SiXXS subnet (ending in ::)

DNS IPv6 Settings:
Server DNS IPv6 1: 2001:4860:4860::8888
Server DNS IPv6 2: 2001:4860:4860::8844
(Please note: these are Google IPv6 DNS Addresses)

Router advertisement: Enabled

Aiccu.conf configuration:
Code:
# AICCU Configuration

# Login information (defaults: none)
username MySiXXSUserName
password MySiXXSPassword

# Protocol and server to use for setting up the tunnel (defaults: none)
protocol tic
server tic.sixxs.net

# Interface names to use (default: aiccu)
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
ipv6_interface v6in4

# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id TXXXX

# Be verbose? (default: false)
verbose true

# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
#
# WARNING: never run AICCU from DaemonTools or a similar automated
# 'restart' tool/script. When AICCU does not start, it has a reason
# not to start which it gives on either the stdout or in the (sys)log
# file. The TIC server *will* automatically disable accounts which
# are detected to run in this mode.
#
daemonize true

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false

# PID File
#pidfile /var/run/aiccu.pid

# Add a default route (default: true)
#defaultroute true

# Script to run after setting up the interfaces (default: none)
#setupscript /usr/local/etc/aiccu-subnets.sh

# Make heartbeats (default true)
# In general you don't want to turn this off
# Of course only applies to AYIYA and heartbeat tunnels not to static ones
#makebeats true

# Don't configure anything (default: false)
#noconfigure true

# Behind NAT (default: false)
# Notify the user that a NAT-kind network is detected
#behindnat true

# Local IPv4 Override (default: none)
# Overrides the IPv4 parameter received from TIC
# This allows one to configure a NAT into "DMZ" mode and then
# forwarding the proto-41 packets to an internal host.
#
# This is only needed for static proto-41 tunnels!
# AYIYA and heartbeat tunnels don't require this.
#local_ipv4_override

In particular, please note "ipv6_interface v6in4" setting.

Once my AC-68U is started, if I manually start AICCU, and then enable IPv6 under the router settings, everything seems to work perfectly.
AICCU, in order to work, needs time to be synched properly.

I noticed two different problems, which arise in the following situations.
1) When there is an IP change, AICCU seems not to detect it, and hence the tunnel stops working;

2) When I reboot the router, a script that starts AICCU from the wan-start script doesn't work.
The reason (I suppose) is the following:
a) IPv6 settings are already given within the router IPv6 setup page, but without Aiccu started the tunnel doesn't work;
b) due to the IPv6 settings given, the NTP service tries to connect to pool.ntp.org in IPv6 mode, but it fails and doesn't adjust the clock;
c) Aiccu, since the clock is not synched, doesn't work.
And hence, here we have a loop.

Any suggestions?
I'd like to fix all of these and finally publish a working Aiccu IPv6 guide on the Wiki :)

Temporary solution (yet to be tested enough)
Change NTP server address from pool.ntp.org to some IPv4 server;
Use the following wan-start script:
Code:
#!/bin/sh
aiccu start

Please note that I'm not a developer, just a power user... everything and the proper working of the IPv6 firewall should be checked by someone with some more knowledge.

Thanks to all!
 
I have been working on making this work today, too. Thanks for some pointers, especially the name of the sixxs tunnel is a useful suggestion. First I tried putting IPv6 on native in the web interface and having the aiccu tunnel configured on the command line. However, that basically disables the IPv6 firewall because it then assumes that IPv6 traffic is coming in directly through the WAN-interface rather than through the 6in4 tunnel. Your suggestion to put it on 6in4 tunnel in the web interface and make sure the name of the tunnel corresponds with aiccu fixes this.

Additionally, a good suggestion is to use heartbeat rather than AYIYA when possible, as the overhead is lower and thus the latency and available bandwidth.

I have no issues with NTP, aiccu is started using wan-start. However, I did encounter another problem: name resolution. In your approach, you mention 2 IPv6 DNS servers configured in the web interface. However, if you do this, this will mean that DNSMASQ is configured to use these IPv6 DNS servers, too, and for some reason it seems to prefer these over the IPv4 DNS servers from my ISP. Since aiccu cannot be started before name resolution works, there is no name resolution possible because the IPv6 DNS servers are not reachable.

To circumvent this issue, I had to remove the IPv6 DNS servers completely. I manually added an IPv6 DNS server to /jffs/configs/dnsmasq.conf.add to make sure clients do get an IPv6 DNS server. After this, name resolution works before aiccu is running.

To make sure this is actually the case, I created a wrapper script around aiccu that checks if it can resolve the hostname of the tic server, tic.sixxs.net, and as long as it does not, it will sleep a second and try again. Once tic.sixxs.net resolves, aiccu is actually started. There's got to be a cleaner way to accomplish this, but it works.

A wiki page dedicated to configuring a sixxs tunnel using aiccu would have been a great help; there are many, many, many topics discussing this situation but none give all the information you need to make it work.
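
A wrapper of the kind described in the post above, written here as an added example (it is not the poster's script). It also waits for the clock, which the first post says AICCU needs, and it gives up after a bounded number of tries so it starts AICCU at most once, in line with the aiccu.conf warning about automated restart loops. Assumptions: busybox `nslookup` returns non-zero on failure, an unsynced clock reports a year below `MIN_YEAR`, and the `MAX_TRIES`, `MIN_YEAR` and `SLEEP_CMD` names are hypothetical.

```shell
#!/bin/sh
# Added example: start aiccu once, only after its preconditions hold.
TIC_HOST="${TIC_HOST:-tic.sixxs.net}"  # TIC server named in aiccu.conf above
MAX_TRIES="${MAX_TRIES:-120}"          # assumption: give up after about 2 minutes
MIN_YEAR="${MIN_YEAR:-2015}"           # assumption: an earlier year means NTP has not run
SLEEP_CMD="${SLEEP_CMD:-sleep}"        # hypothetical hook so the delay can be replaced

# True when the name resolves through the router's resolver (dnsmasq).
resolves() { nslookup "$1" >/dev/null 2>&1; }

# True when the clock has plausibly been set.
clock_sane() { [ "$(date +%Y)" -ge "$MIN_YEAR" ]; }

# wait_until <max_tries> <command...>
# Retry the command once per second; fail after max_tries attempts.
wait_until() {
    tries=$1; shift
    n=0
    while [ "$n" -lt "$tries" ]; do
        "$@" && return 0
        n=$((n + 1))
        $SLEEP_CMD 1
    done
    return 1
}

# Returns 1 if the clock never became sane, 2 if the TIC host never
# resolved, otherwise the exit status of "aiccu start".
start_tunnel() {
    wait_until "$MAX_TRIES" clock_sane || {
        logger -t aiccu-wait "clock not set, not starting aiccu"; return 1; }
    wait_until "$MAX_TRIES" resolves "$TIC_HOST" || {
        logger -t aiccu-wait "$TIC_HOST does not resolve, not starting aiccu"; return 2; }
    aiccu start
}

# Called from wan-start as: /jffs/scripts/aiccu-wait.sh start  (path is an assumption)
if [ "${1:-}" = "start" ]; then
    start_tunnel
fi
```

On failure the reason is written to syslog and the script exits without retrying further.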
 
