Although the big builds of dd-wrt contain IPv6 support, they don't ship ip6tables. Hence, I chose to use the mini build (which gives me the most free space) and add the missing parts myself. I shamelessly used OpenWRT modules to save myself the trouble of figuring out how to compile each library. (Unfortunately, my router isn't supported by OpenWRT, so I need to stay with dd-wrt for the base system.)
Kernel support
Unfortunately, I couldn't use the OpenWRT kamikaze 8.09.2 kernel modules, since they're built for a different kernel. My previous post explains how I compiled the modules myself. I stripped and installed:
- ipv6.ko : the main IPv6 module
- sit.ko : IPv6-in-IPv4 tunneling, for Sixxs support
- ip6_tables.ko : IPv6 firewalling, main module
- ip6table_filter.ko : IPv6 firewalling, filtering module
- nf_conntrack_ipv6.ko : Connection tracking for IPv6
- ip6t_REJECT.ko : Reject target for ip6tables
- Additional matching modules: ip6t_frag.ko, ip6t_hbh.ko, ip6t_hl.ko, ip6t_ipv6header.ko, ip6t_rt.ko
Radvd
radvd is responsible for announcing the presence of a router. Hosts can automatically configure an IPv6 address in the correct prefix and learn which gateway to use for the rest of the world. I simply used the radvd binary that shipped with the big build of dd-wrt and dropped it into /jffs/sbin/.
The configuration file looks like this: /jffs/etc/radvd.conf
    interface br0
    {
        AdvSendAdvert on;
        MaxRtrAdvInterval 600;
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        prefix 2001:db8:0:0::/64
        {
            AdvAutonomous on;
            AdvValidLifetime 604800;
            AdvPreferredLifetime 86400;
        };
    };
    interface br1
    {
        AdvSendAdvert on;
        MaxRtrAdvInterval 600;
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        prefix 2001:db8:0:1::/64
        {
            AdvAutonomous on;
            AdvValidLifetime 604800;
            AdvPreferredLifetime 86400;
        };
    };
Obviously, put your own prefixes in there!
Ip6tables
Since I like to keep my setup as lean as possible, I chose not to use ipkg and only copied the files that dd-wrt actually uses; ipkg would also install the scripts that OpenWRT uses. Hence, I needed to keep track of the dependencies manually. To get ip6tables working, I installed:
- ip6tables binary from the ip6tables-utils package
- all libip6t_* libraries from the ip6tables-utils package
- the libxt_* libraries from the iptables package
- libxt_state.so from the iptables-mod-conntrack package
Debugging tools
I also installed ping6 (from iputils-ping6) and traceroute6 (from traceroute6) to aid in debugging IPv6 connectivity.
Aiccu
To get a working SixXS tunnel I used AICCU, the small tool SixXS provides for this: it configures the tunnel automatically and keeps it alive. I just used the aiccu binary from the aiccu package.
I use a fairly basic configuration file: aiccu.conf
    username/Txxxxx
    password
    protocol tsp
    tunnel_id Txxxxx
    server tic.sixxs.net
    ipv6_interface sit_sixxs
    daemonize true
    automatic true
    requiretls false
I use a standard IPv6-in-IPv4 (SIT) tunnel, so I added a corresponding hole in my IPv4 firewall. Protocol 41 is IPv6 encapsulated in IPv4; the rule below accepts it from anywhere, and adding -s with the IPv4 address of the SixXS PoP would restrict it to the one peer that should be sending it:
    iptables -A INPUT -p 41 -j ACCEPT
Setup
To get this all up and running, I added a few scripts in /jffs/etc/config. ipv6.startup (run at bootup):
    insmod /jffs/kmods/ipv6.ko
    insmod /jffs/kmods/sit.ko
    insmod /jffs/kmods/ip6_tables.ko
    insmod /jffs/kmods/ip6table_filter.ko
    insmod /jffs/kmods/nf_conntrack_ipv6.ko
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    ip -6 addr add 2001:db8:0:0:0011:22ff:fe33:4455/64 dev br0
    ip -6 addr add 2001:db8:0:1:0011:22ff:fe33:4456/64 dev br1
    /jffs/sbin/radvd -C /jffs/etc/radvd.conf
and ipv6.wanup (run after the WAN and firewall are up):
    # aiccu requires a correct clock, so make sure our clock is set
    ntpclient europe.pool.ntp.org
    /jffs/sbin/aiccu start /jffs/etc/aiccu.conf
As a finishing touch, I added my IPv6 address in DNS.
Firewall
With IPv6 every internal host has a globally routable address, so there is no NAT in the way to stop unsolicited inbound connections the way it does (as a side effect) for IPv4; an IPv6 firewall is therefore a must. Here is my very basic script, which I put in firewall.wanup:
    ip6tables -F INPUT
    ip6tables -F FORWARD
    ip6tables -X
    ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
    ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
    ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    ip6tables -A INPUT -i br0 -j ACCEPT
    ip6tables -A INPUT -i br1 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    ip6tables -A FORWARD -i br0 -j ACCEPT
    ip6tables -A FORWARD -i br1 -o sit_sixxs -j ACCEPT
    ip6tables -P FORWARD DROP
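The script above flushes the chains first and only sets the DROP policies at the end, so on the first run the router is wide open for the few hundred milliseconds it takes to add the rules, and it accepts only the two NDP types plus echo while relying on conntrack for everything else. The following is an added example, not the firewall.wanup from this post: the same policy rewritten so the default-deny is in place before the rules are rebuilt, with the ICMPv6 types a router must let through per RFC 4890 (errors, echo, and NDP restricted to hop limit 255 so it can only come from on-link hosts), the guest network kept away from the LAN, and the one published service this setup exists for (the comments mention delivering mail straight to an internal server on TCP/25). The interface names are the ones from the post; MAIL_SERVER is an assumed address, and IP6T is my own variable so the script can be previewed with IP6T=echo. It uses only matches and targets whose modules appear in the post's list (state, hl, the built-in icmpv6 match, REJECT); echo-request rate limiting is left out because xt_limit is not among them.

```shell
#!/bin/sh
# IPv6 filter for the dd-wrt router described above. Added example, not the
# original firewall.wanup. Run as "sh ip6fw.sh apply"; "IP6T=echo sh ip6fw.sh apply"
# prints the rules instead of loading them.
set -eu

IP6T=${IP6T:-ip6tables}
LAN=br0                 # trusted LAN (from the post)
GUEST=br1               # guest LAN (from the post)
TUN=sit_sixxs           # IPv6 side of the SixXS tunnel (from the post)
MAIL_SERVER=2001:db8::25   # assumed address of the internal mail server

rule() { $IP6T "$@"; }

ip6fw_apply() {
    # 1. Default-deny *before* flushing, so there is never a window with ACCEPT policies.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F INPUT
    rule -F FORWARD
    rule -X

    # 2. Stateful shortcut. nf_conntrack_ipv6 classifies ICMPv6 errors that belong
    #    to a tracked flow as RELATED, so replies and errors for our own traffic pass here.
    for chain in INPUT FORWARD; do
        rule -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        rule -A $chain -m state --state INVALID -j DROP
    done

    # 3. ICMPv6 the router itself must accept (RFC 4890 section 4.4): error messages,
    #    echo-request, and NDP. NDP is always sent with hop limit 255, so demanding
    #    --hl-eq 255 rejects NDP that was routed in from elsewhere.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem echo-request; do
        rule -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT
    done
    for t in router-solicitation neighbor-solicitation neighbor-advertisement; do
        rule -A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT
    done

    # 4. Management of the router from the trusted LAN only; the guest LAN and the
    #    tunnel get nothing beyond what steps 2 and 3 allow.
    rule -A INPUT -i $LAN -j ACCEPT

    # 5. Forwarding: ICMPv6 errors and echo through, LAN may go anywhere, guest only
    #    out through the tunnel, and from the tunnel only SMTP to the mail server.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem echo-request; do
        rule -A FORWARD -p icmpv6 --icmpv6-type $t -j ACCEPT
    done
    rule -A FORWARD -i $LAN -j ACCEPT
    rule -A FORWARD -i $GUEST -o $TUN -j ACCEPT
    rule -A FORWARD -i $TUN -o $LAN -d $MAIL_SERVER -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # Guest -> LAN would hit the DROP policy anyway; an explicit REJECT gives guests
    # an immediate error instead of a timeout.
    rule -A FORWARD -i $GUEST -o $LAN -j REJECT --reject-with icmp6-adm-prohibited
}

if [ "${1:-}" = "apply" ]; then
    ip6fw_apply
fi
```

Because the policies are set first, a failure halfway through (a typo, a missing extension library) leaves the router closed rather than open, which is the failure mode you want on a box that is reachable from the whole IPv6 Internet. Anything that should also be reachable from outside gets its own rule in step 5, like the SMTP one; the policy itself never has to be touched.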
bv says:
I’m just curious, what are you using ipv6 for?
2010-12-09, 1:44
Niobos says:
To reach my internal machines without NAT-struggle. For example to deliver mail straight to my internal mail server; my ISP blocks incoming TCP/25 connections.
2010-12-09, 11:12
IPv6 on DD-WRT « Eric’s Rommelhoek says:
[…] finally managed to get ip6tables working on DD-WRT after all. I wouldn't have managed it without this site. In case people are interested, the binaries and scripts are here: […]
2011-04-28, 8:14
Ali says:
Dear
Please tell me how you installed these packages:
ip6tables binary from the ip6tables-utils package
all libip6t_* libraries from the ip6tables-utils package
the libxt_* libraries from the iptables package
libxt_state.so from the iptables-mod-conntrack package
I could not find the procedure for this mentioned above.
Do i need to copy these modules to my dd-wrt router?
Any help will be appreciated.
2011-07-26, 9:50
Niobos says:
Hi Ali,
The ipk files are actually just gzipped tar files; just extract them with “tar zxf” to see what's inside. One of the extracted files should be data.tar.gz; extract that one as well. You'll find the mentioned binaries and libraries in the extracted directories.
And yes, you need to copy these to your dd-wrt router.
Niobos
2011-07-26, 10:32
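The Ip6tables section above says the dependencies had to be tracked by hand because ipkg was skipped, and the reply to Ali explains the unpacking by hand (tar, then data.tar.gz). The script below, an added example and not code from this post or from OpenWRT, does both at once: it unpacks an old-style .ipk (the gzipped tar format the kamikaze-era packages use; newer opkg packages are ar archives instead, which it does not handle), prints the Depends: field from the control file so you know which other packages to fetch, and lists the payload paths that have to be copied to the router. The package it unpacks is a small constructed stand-in that mimics the layout of ip6tables-utils; the file names and the Depends: line in it are made up for the demonstration.

```shell
#!/bin/sh
# Unpack an old-style OpenWRT .ipk (a gzipped tar holding control.tar.gz and
# data.tar.gz) without ipkg, list the files it would install and the packages
# it declares as dependencies. Added example; not code from the original post.
set -eu

# ipk_extract <pkg.ipk> <destdir>: metadata ends up in destdir/meta, the
# payload (the files you copy to the router) in destdir/root.
ipk_extract() {
    mkdir -p "$2/meta" "$2/root"
    tar -xzf "$1" -C "$2/meta"
    tar -xzf "$2/meta/control.tar.gz" -C "$2/meta"
    tar -xzf "$2/meta/data.tar.gz" -C "$2/root"
}

# ipk_depends <destdir>: one dependency per line, from the Depends: field of
# the control file. This is what ipkg would have resolved for you.
ipk_depends() {
    sed -n 's/^Depends: *//p' "$1/meta/control" | tr ',' '\n' |
        sed 's/^ *//; s/ *$//; /^$/d'
}

# ipk_files <destdir> <glob>: payload paths as they will appear on the router,
# restricted to file names matching the glob, e.g. 'libip6t_*'.
ipk_files() {
    find "$1/root" -type f -name "$2" | sed "s|^$1/root||" | sort
}

# make_sample_ipk <out.ipk>: build a constructed package with the layout of
# ip6tables-utils. Test data only; the contents are not the real package.
make_sample_ipk() {
    w=$(mktemp -d)
    mkdir -p "$w/ctrl" "$w/root/usr/sbin" "$w/root/usr/lib/iptables"
    printf 'Package: ip6tables-utils\nVersion: 1.4.0-1\nDepends: libc, iptables, kmod-ip6tables\nArchitecture: mipsel\n' > "$w/ctrl/control"
    : > "$w/root/usr/sbin/ip6tables"
    : > "$w/root/usr/lib/iptables/libip6t_REJECT.so"
    : > "$w/root/usr/lib/iptables/libip6t_frag.so"
    : > "$w/root/usr/lib/iptables/libip6t_icmp6.so"
    echo 2.0 > "$w/debian-binary"
    tar -czf "$w/control.tar.gz" -C "$w/ctrl" .
    tar -czf "$w/data.tar.gz" -C "$w/root" .
    tar -czf "$1" -C "$w" ./debian-binary ./control.tar.gz ./data.tar.gz
    rm -rf "$w"
}

# Demo: unpack the constructed package and report what a manual install needs.
demo() {
    d=$(mktemp -d)
    make_sample_ipk "$d/ip6tables-utils.ipk"
    ipk_extract "$d/ip6tables-utils.ipk" "$d/x"
    echo "Depends on:";       ipk_depends "$d/x" | sed 's/^/  /'
    echo "ip6tables binary:"; ipk_files "$d/x" 'ip6tables' | sed 's/^/  /'
    echo "match libraries:";  ipk_files "$d/x" 'libip6t_*' | sed 's/^/  /'
    rm -rf "$d"
}

demo
```

Point ipk_extract at a real ip6tables-utils package (use an absolute path for the .ipk) and the Depends: output tells you which further packages to unpack the same way; the libxt_state.so that the post pulls from iptables-mod-conntrack is exactly the kind of indirect dependency this surfaces. Check each extracted shared object against the router's libc before copying, since a package built for a different OpenWRT release can load but fail at run time.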