Using an OpenWRT router for 2degrees (Snap) IPv6

2degrees Broadband (previously Snap) offer IPv6 to all their residential customers. The preferred method is to use one of their CPEs, the Fritzbox 7340 or the Fritzbox 7390. These devices come with a price premium, so I decided to look for a cheaper alternative with what I already have. I have a Draytek Vigor 120 and a TP-Link TL-WR1043ND with OpenWRT installed. I use the Vigor 120 in bridged mode to allow my WR1043ND to hold up the connection using PPPoE. This should work on their ADSL2+ and UFB connections (you can VLAN tag the WAN port as VLAN10, which I believe is required for UFB, but I won’t go into how to do this). I am unsure if it will work with VDSL2, however.

I am unsure whether this method will work with a non-bridged modem (unless of course it’s capable of doing IPv6 itself, in which case you probably don’t want this tutorial), but I suspect it won’t, as your PPP session needs to be assigned a link-local IPv6 address.

This assumes you are already using PPPoE to connect via an OpenWRT box. If you’re not, I advise setting this up first. The OpenWRT website provides excellent instructions on how to do this.

The first step needed is to install the required packages into OpenWRT. I am using Attitude Adjustment, but have previously used Backfire so these settings should still work.

ppp-mod-pppoe for pppoe connectivity
kmod-ipv6
wide-dhcpv6-client
radvd

The next step is to enable IPv6 negotiation on your PPP link. This can be done through luci under Network > Interfaces > WAN > Advanced Settings by selecting Enable IPv6 negotiation on the PPP link. Alternatively, if you prefer to edit the configuration files, you can add option ipv6 '1' to your /etc/config/network file under config interface 'wan'.

Snap use DHCPv6 to allocate you a dynamic IPv6 prefix (they don’t provide static IPv6 prefixes yet, they really should but I understand this is a work in progress). Therefore you need to use a DHCPv6 client to get it.

The /etc/config/dhcp6c file should already exist. Edit it and change the enabled, interface and pd options and the config interface 'lan' section to match the listing below. Do not configure a prefix on the WAN interface; I find it causes IPv6 to not work. If the file doesn’t exist, create it and copy the following into it.

config 'dhcp6c' 'basic'
        option 'enabled' '1'                            # 1 = enabled; 0 = disabled
        option 'interface' 'wan'                        # This is the interface the DHCPv6 client will run on
        option 'dns' 'dnsmasq'                          # Which DNS server you run (only dnsmasq currently supported)
        option 'debug' '0'                              # 1 = enable debugging; 0 = disable debugging

        # Send options (1 = send; 0 = do not send)
        option 'pd' '1'                                 # Prefix Delegation
        option 'na' '0'                                 # Non-Temporary Address
        option 'rapid_commit' '1'                       # Rapid Commit

        # Request options (1 = request; 0 = do not request)
        option 'domain_name_servers' '0'
        option 'domain_name' '0'
        option 'ntp_servers' '0'
        option 'sip_server_address' '0'
        option 'sip_server_domain_name' '0'
        option 'nis_server_address' '0'
        option 'nis_domain_name' '0'
        option 'nisp_server_address' '0'
        option 'nisp_domain_name' '0'
        option 'bcmcs_server_address' '0'
        option 'bcmcs_server_domain_name' '0'

        # Override the used DUID, by default it is derived from the interface MAC
        # The given value must be uppercase and globally unique!
        #option 'duid' '00:03:00:06:D8:5D:4C:A5:03:F2'

        # Script to run when a reply is received
        option 'script' '/usr/bin/dhcp6c-state'

# Define one or more interfaces on which prefixes should be assigned
config 'interface' 'loopback'
        option 'enabled' '1'                            # 1 = enabled; 0 = disabled
        option 'sla_id' '0'                             # Site level aggregator identifier specified in decimal (subnet)
        option 'sla_len' '16'                           # Site level aggregator length: 64 minus the delegated prefix size (for Snap, 64 - 48 = 16)

config 'interface' 'lan'
        option 'enabled' '1'
        option 'sla_id' '1'
        option 'sla_len' '16'

Now if you restart your router you should get an IPv6 prefix assigned to your LAN interface. Great! That’s what we wanted, but it’s not much use if we can’t tell the machines on our network what our IPv6 prefix is.

That is where radvd comes in. It’s a router advertisement daemon that can be used to distribute our prefix to our clients. To configure radvd, edit the /etc/config/radvd file and update the settings to match below. You must NOT put a prefix in the list prefix option, because we are assigned a dynamic prefix and we need radvd to work out what prefix to advertise to our connected devices.

config interface
        option interface        'lan'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 1
        list client             ''
        option ignore           0

config prefix
        option interface        'lan'
        # If not specified, a non-link-local prefix of the interface is used
        list prefix             ''
        option AdvOnLink        1
        option AdvAutonomous    1
        option AdvRouterAddr    0
        option ignore           0
        option AdvValidLifetime 3600
        option AdvPreferredLifetime 600

config route
        option interface        'lan'
        list prefix             ''
        option ignore           1

If you prefer, change AdvValidLifetime and AdvPreferredLifetime to something higher. I set them this low because I often restart my router and am given a new prefix, and my machines will prefer and use the old one until expiry, meaning I can’t establish IPv6 connections. My recommendation is to use something like 3600 for both if you have a stable connection that rarely gets rebooted.

Save that file and restart your router. Everything should work and you should have IPv6 connectivity on your machines. Be aware that your machines will not get an IPv6 DNS server, so all the DNS queries will still be executed over IPv4. This generally isn’t a problem, as DNS servers should still return IPv6 records to you regardless of the version used to access them.

As all your devices that support IPv6 now have a globally routable address, I recommend having firewalls turned on on everything. However, sometimes we have phones etc. that don’t have firewalls, and perhaps you want to only allow incoming traffic to that device if there has been outgoing traffic first. OpenWRT can handle this in iptables. Installing the following packages and rebooting should do the trick. I say should as I can’t exactly remember whether I had to do more, but if it doesn’t work leave a comment and I’ll investigate my configuration.

ip6tables
kmod-ip6tables
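
One way to write that policy out by hand and to check that a router really enforces it, as an added example rather than the author's configuration: the script prints an ip6tables-restore ruleset that forwards inbound traffic only for connections a LAN host opened, keeps the DHCPv6 replies needed for the delegated prefix reachable, and audits a saved ruleset for the same property. The interface names pppoe-wan and br-lan and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's configuration. Interface names are assumed
# (OpenWRT usually calls them pppoe-wan and br-lan); function names are made up.

# Print an ip6tables-restore ruleset: LAN hosts may open connections outwards,
# the WAN side may only answer them.
gen_rules() {
    wan=$1 lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 replies answer a multicast solicit, so they never match ESTABLISHED
-A INPUT -i $wan -s fe80::/10 -p udp --dport 546 -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Read `ip6tables-save` output on stdin. Succeeds only if FORWARD drops by
# default, accepts established flows, and has no stateless ACCEPT that
# packets arriving on the WAN interface ($1) could match.
audit_forward() {
    awk -v wan="$1" '
    $1 == ":FORWARD" { policy = $2 }
    $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
        stateful = ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/)
        from_wan = ($0 ~ ("-i " wan "( |$)")) || ($0 !~ / -i /)
        if (stateful) est = 1
        else if (from_wan) hole = 1
    }
    END { exit !(policy == "DROP" && est && !hole) }'
}

# Self-check that needs no root: the generated ruleset must pass the audit.
gen_rules pppoe-wan br-lan | audit_forward pppoe-wan && echo "ruleset ok"
# To apply:        gen_rules pppoe-wan br-lan | ip6tables-restore
# To audit a box:  ip6tables-save | audit_forward pppoe-wan
```

The audit is deliberately strict: any deliberate port opening towards the LAN is reported as a failure too, so review those by hand.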

Enabling IPv6 on a home network

IPv6 is the next generation internet protocol. Currently few ISPs provide it to their customers, and therefore uptake is slow. However, if you wish to have access to the IPv6 world now then there are options. If you only have a single machine then a tunnel is fine, but if you wish to add it to an entire network then you need something more. If you have a spare old machine lying around, or a machine running Linux that is always on, then you can configure that as a router and use it to provide IPv6 to your LAN.

I have IPv6 connectivity to all the machines that are connected to my network. To achieve this, I use an Ubuntu Linux box as a router, which has a tunnel configured. This allows all the computers to connect onto the IPv6 internet transparently. This is a guide on how I did it.

I use sixxs.net as my IPv6 tunnel provider. They provide the aiccu client, which configures and sets up the tunnel automatically. It creates an interface called sixxs, which is one end of the tunnel. First things first, you need to register an account at sixxs.net. After your account is approved you are able to create an IPv6 tunnel. This will only allow you to connect one machine, but it is essential before you will be able to enable access to other machines. This will take a while to get approved, but once approved you can install the aiccu client. On Ubuntu you can install it using:

sudo apt-get install aiccu

During setup it will ask you to enter information regarding your tunnel, most likely your sixxs.net login information. Once entered it should authenticate and complete the installation. If it hasn’t started automatically, you need to start it.

sudo service aiccu start

Or on older versions of Ubuntu try:

sudo /etc/init.d/aiccu start

Then it will configure the tunnel and you should be able to connect to IPv6 sites. You can try this by typing traceroute6 ipv6.google.com. The next thing to do is to provide IPv6 addresses to your network. To do this, you must apply for a subnet from sixxs. You will receive a /48 subnet, from which you assign /64s to your network. To distribute your prefix announcement onto your network you need something like radvd installed. Again on Ubuntu it is as simple as typing:

sudo apt-get install radvd

Now once radvd is installed, you need to edit the configuration file. This is usually stored in /etc/radvd.conf. So open it up and you want to enter the following:

interface eth0
{
  AdvSendAdvert on;
  AdvManagedFlag on;
  prefix 2001:4232:532::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr on;
  };
};

The prefix is from the subnet that sixxs has assigned you. In this case I was assigned 2001:4232:532::/48, so I chose to use the first /64 of this for a simple setup.

Now of course the interface that is connected to your IPv4 LAN, which is the interface on your router not connected to the IPv6 web, should have a static IP assigned to it. This makes it easier to remember and use. So I just assigned 2001:4232:523::1 to eth0. I won’t cover how to do this, as it is relatively simple if you have done any networking in Linux before.

You now need to tell the linux kernel that you want it to forward traffic for IPv6. To enable IPv6 forwarding you need to edit /etc/sysctl.conf and add the following lines:

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

Now save this file and reboot. When the machine comes back up, check that aiccu and radvd have started (I find I always have to start aiccu manually). If this is the case then your other machines should have global IPv6 addresses assigned to them using the prefix you gave radvd. However, I found this was not enough to allow my other machines to connect to the internet. After specifying the default route on the router as the IP at the sixxs end of the tunnel, all traffic from eth0 was then routed out over my tunnel, and all the other machines appeared to have native IPv6 connectivity and were globally addressable.

You therefore need to ensure that your machines have firewalls installed and, if you like, set up IPv6 iptables on the router. This is what I have done to filter traffic that is not wanted in the network. Also, as your IPv6 address will be based on your MAC address, you can be easily tracked based on it. Windows by default enables privacy extensions, but Linux does not. To enable this on your Linux clients edit /etc/sysctl.conf and add these lines:

net.ipv6.conf.wlan0.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

If you have eth0 then replace wlan0 with eth0 or add an extra line for each different interface. all and default should cover all of them, but I like to specify them individually as well just to be safe. I will write another article regarding IPv6 tables at a later date.
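
To see which addresses on a client still expose its MAC after the change, the following added example (not from the original post) reads `ip -6 addr show` output, lists every global address with a MAC-derived (EUI-64) interface identifier together with the MAC it reveals, and says whether the interface also holds a temporary address. The function name and the sample output, which uses the 2001:db8::/32 documentation prefix, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function name and sample data
# are constructed for illustration.
eui64_report() {
    awk '
    /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
    $1 == "inet6" && / scope global/ {
        if (/ temporary/) { temp[iface] = 1; next }
        addr = tolower($2); sub(/\/.*/, "", addr)
        n = split(addr, g, ":")
        if (n < 5) next
        for (i = n - 3; i <= n; i++) {
            if (g[i] == "") next              # "::" inside the identifier
            g[i] = substr("0000" g[i], length(g[i]) + 1)
        }
        # EUI-64 puts ff:fe between the two halves of the MAC
        if (substr(g[n-2], 3) != "ff" || substr(g[n-1], 1, 2) != "fe") next
        # ...and flips the universal/local bit (0x02) of the first byte
        p = index("0123456789abcdef", substr(g[n-3], 2, 1))
        mac = substr(g[n-3], 1, 1) substr("23016745ab89efcd", p, 1) ":" substr(g[n-3], 3)
        mac = mac ":" substr(g[n-2], 1, 2) ":" substr(g[n-1], 3)
        mac = mac ":" substr(g[n], 1, 2) ":" substr(g[n], 3)
        hit[++k] = iface " " addr " " mac; owner[k] = iface
    }
    END {
        for (i = 1; i <= k; i++)
            print hit[i], (temp[owner[i]] ? "tempaddr=yes" : "tempaddr=no")
    }'
}

# Constructed sample: eth0 has no privacy address, wlan0 has one.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:1:211:22ff:fe33:4455/64 scope global dynamic
    inet6 fe80::211:22ff:fe33:4455/64 scope link
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:1:5c3a:91d0:1e02:77aa/64 scope global temporary dynamic
    inet6 2001:db8:1:1:aabb:ccff:fedd:eeff/64 scope global dynamic
    inet6 fe80::aabb:ccff:fedd:eeff/64 scope link'
printf '%s\n' "$SAMPLE" | eui64_report
# On a live host:  ip -6 addr show | eui64_report
```

With use_tempaddr=2 the MAC-derived address stays assigned and reachable, but outgoing connections prefer the temporary one, so tempaddr=yes is the result to look for.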

World IPv6 Day

World IPv6 Day is on June 8, 2011. World IPv6 Day is a day where several large organisations, such as Google, Facebook, Yahoo, Akamai etc., will offer their content over IPv6 for a day. I’m ready for it, and so on June 8, I will be browsing these sites in IPv6 for the day!

Here is what I get when I traceroute from my machine to ipv6.google.com

Tracing route to ipv6.l.google.com [2404:6800:8004::68]
over a maximum of 30 hops:

1 1 ms <1 ms 2001:4428:450::1
2 28 ms 26 ms 27 ms gw-113.wlg-01.nz.sixxs.net [2001:4428:200:70::1]
3 29 ms 26 ms 27 ms ge0-1-6.v6wlg0.acsdata.co.nz [2001:4428:0:6::1]
4 39 ms 50 ms 38 ms ge0-0-2321.v6akl1.acsdata.co.nz [2001:4428:0:911::4]
5 38 ms 39 ms 38 ms ten-0-0-0-134.bdr01.akl02.akl.VOCUS.net.au [2402:7800:110:511::d]
6 43 ms 38 ms 38 ms ten-0-2-0-400.bdr01.akl01.akl.VOCUS.net.au [2402:7800:110:1::1a]
7 62 ms 65 ms 62 ms 2402:7800:0:1::ca
8 62 ms 63 ms 94 ms 2402:7800:0:2::92
9 64 ms 63 ms 64 ms 2001:4860::1:0:9f7
10 67 ms 73 ms 70 ms 2001:4860:0:1::d7
11 63 ms 142 ms 65 ms 2404:6800:8004::68

Trace complete.