Networking – How to enable IPv6 in OpenWRT 15.05

ipv6networkingopenwrtrouter

My university provides native IPv6 support in campus network, and I want to let devices (running Linux) in my TL-WR720N router's LAN have IPv6 access.

After many trials, I can make LAN devices able to get Global IPv6 addresses. But when I ping6 some websites, it always says "Network is unreachable", whereas these websites all responded normally when I ping6 them on the router.

Here are my config files:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:3a9f:1840::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6hint '1234'
        option ip6assign '48'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra_management '2'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

root@OpenWrt:~#

I have relatively poor knowledge about IPv6 network and not familiar with some stuff such as Router Advertisement, NDP, IPv6 assignment length/hint, etc. It's really appreciated if someone can help.

Best Answer

You need to request an IPv6 prefix from your upstream provider for the machines on the LAN side of your router to use; this is called DHCPv6 prefix delegation.

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix '56'

Of course, this will work if and only if the upstream provider actually provides routed prefixes. In a campus dorm, this may or may not be the case. Contact your university's IT services and ask about this if you don't get a routed prefix after doing this.

Related Solutions

Networking – OpenWrt: how to give wlan clients @ 10.x Internet access via gateway @ 192.168.1.254

Had the exact situation like you, except for the gateway (Cisco RV042G). However, my solution probably won't work on E4200 due to missing features. If it is possible by using other methods, then it is beyond my knowledge. I'm adding the answer for others that may be looking for a solution like this.

Let's assume that 10.0.0.0/24 is your main network with the gateway address 10.0.0.1 and 10.0.1.0/24 is the guest network. Steps for reproducing my solution:

Create a different subnet for the guests on the gateway. The gateway must support this feature as it creates multiple NAT tables for routing the Internet traffic to the appropriate subnet.
Add a firewall rule for blocking all traffic from 10.0.1.0/24 to 10.0.0.0/24 on the gateway.
Use an OpenWrt build with kernel 2.6+. brcm-2.4 builds won't due to lack of ebtables support. I used a 12.06 build with a config based onto the default brcm47xx config. With the default image opkg fails to work while I didn't try 10.03. I do recommend a Debian 7 i386 for buildroot as it wasted enough hours of my life with amd64 and various random compile errors. You may use the ImageBuilder, I think, but I didn't try it. For ebtables you need the following packages: ebtables, ebtables-utils, kmod-ebtables-ipv4. The kernel module isn't automatically added as dependency, so be careful.
These ebtables rules from below in /etc/firewall.user for blocking the DHCP broadcast from the gateway, if gateway doesn't support multiple DHCP pools. RV042G doesn't. Found them on the OpenWrt forums, adapted them for 12.06 which uses eth0.0 as interface name for the lan VLAN.

ebtables -F

ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Optional: Configure the lan interface for the secondary subnet. You need to change the address if both the gateway and the OpenWrt AP use the defaults (192.168.1.1).

config interface lan

option type bridge

option ifname "eth0.0"

option proto static

option ipaddr 10.0.1.2

option netmask 255.255.255.0

option gateway 10.0.1.1

option dns "8.8.8.8 8.8.4.4"

Tell the DHCP server which gateway to broadcast as it would normally use the ipaddr from the lan interface config:

config dhcp lan

option interface lan

option start 100

option limit 100

option leasetime 1h

list 'dhcp_option' '3,10.0.1.1'

Configure the wireless as a regular access point. Optional: encryption (recommended), client isolation (also recommended).

I found only one issue with this setup: a guest can still enter your main network if the subnet for that network is "guessed" and the network configuration is done manually for the wireless interface. Given the fact that the guests still see the arp broadcasts from the main network, it isn't that difficult for people that understand the previous statement. I think it can be fixed with some firewall rules onto the OpenWrt AP, but I have to research that part.

Networking – OpenWRT: basic network configuration

It seems that you are doing all configurations in command line.

I have tried OpenWRT before and I have installed the WebGUI to help, you may refer to LuCI Essentials for setting up Web User Interface by LuCI. Access through web browser to configure your router such as turning on SSH and set some other configurations will be easier through Web UI.

Edit 1.

So you have 3 questions, I separate them and try to pin point the solution one by one for easy understanding. One things have to declare that, since my Router is turned from OpenWRT to DDWRT and then turned into Tomato. So I used VM(Virtual Machine) for screen capturing and solutions writings. Please forgive if there is 1 or 2 slight points difference. I think it is same most of the case, since I used VM to try OpenWRT before I flash to my router.

Preparations: (in case you haven't done so), the LuCi will be accessed later when your router is configured to be accessible by local area network machines. Extracted from LuCI Essentials

Install LuCi by following commands

opkg update
opkg install luci # without https OR
opkg install luci-ssl # with https support
/etc/init.d/uhttpd start # Start the web server (uHTTPd) manually
/etc/init.d/uhttpd enable # if you wish to start automatically on reboot

1. My external address (lan/eth0) provided by the ISP modem (so I can't simple block port 68 in this interface) I suppose you mean to get the external address, right? Actually, when you setup the router to get the DHCP from your ISP(modem) then your external address will be appeared in LuCi later.

This setting should do the work:

vim /etc/config/network # edit network settings
save

#add the following lines to config
config 'interface' 'wan' # config the interface wan
        option 'proto' 'dhcp' # use protocol DHCP
        option 'ifname' 'eth1' # Physical interface name to assign to, this should be the network port connected to the your ISP modem, may vary eth1 or eth0 or whatever in your case

>>>command
ifup wan # bring WAN interface up

Up to this point, when you open your client computer such as Windows 7, open a browser, type in 192.168.100.1 (your case), then you should see the OpenWRT interface in browser. Password is nothing by default.

Something like this screen:

enter image description here

2. DHCP provided by this router to my internal devices, with resolving of device names (DNS)

When you can connect to your router through client computer browser, you can go to Network -> Hostnames to manually assign hostname to specific devices if those device does not have hostname or does not resolve automatically. (in my case, default have no problem)

3. Properly configure my interfaces so I can allow ssh only on internal (wan/radio0) interface

according to Secure Access document in OpenWRT

"by letting the SSH server dropbear and the web-Server uhttpd not listen on the external/WAN port"

Here is how to do it:

vim /etc/config/dropbear
save

# add the following line to your dropbear
option Interface 'lan' # only listen to lan

>>>command
/etc/init.d/dropbear restart # or reboot if it doesn't work

I think this should illustrate the solution picture to your questions.

Edit 2. Since it is a long time post, I just added the reference link for future audience.

Best Answer

Related Solutions

Networking – OpenWrt: how to give wlan clients @ 10.x Internet access via gateway @ 192.168.1.254

Networking – OpenWRT: basic network configuration

Related Question