Although the big builds of dd-wrt contain IPv6 support, it doesn’t support ip6tables. Hence, I choose to use the mini build (which gives me the most free space) and add the missing parts myself. I shamelessly used OpenWRT modules to save me the trouble of figuring out how to compile each library. (Unfortunately, my router isn’t supported by OpenWRT, so I need to stay with dd-wrt for the base system).

Kernel support

Unfortunately, I couldn’t use the OpenWRT kamikaze 8.09.2 kernel modules, since they’re build for a different kernel. My previous post explains how I compiled the modules myself. I stripped and installed:

  • ipv6.ko : the main IPv6 module
  • sit.ko : IPv6-in-IPv4 tunneling, for Sixxs support
  • ip6_tables.ko : IPv6 firewalling, main module
  • ip6table_filter.ko : IPv6 firewalling, filtering module
  • nf_conntrack_ipv6.ko : Connection tracking for IPv6
  • ip6t_REJECT.ko : Reject target for ip6tables
  • Additional matching modules: ip6t_frag.ko, ip6t_hbh.ko, ip6t_hl.ko, ip6t_ipv6header.ko, ip6t_rt.ko

Radvd

radvd is responsible for communicating the presence of a router. Hosts can automatically configure an IPv6 address in the correct range and know what gateway to use to the rest of the world. I simply used the radvd binary that shipped with the big build of dd-wrt and dropped that in to /jffs/sbin/.

The configuration file looks like this: /jffs/etc/radvd.conf

interface br0 {
    AdvSendAdvert on;
    MaxRtrAdvInterval 600;
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    prefix 2001:db8:0:0::/64 {
        AdvAutonomous on;
        AdvValidLifetime 604800;
        AdvPreferredLifetime 86400;
    };
};
interface br1 {
    AdvSendAdvert on;
    MaxRtrAdvInterval 600;
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    prefix 2001:db8:0:1::/64 {
        AdvAutonomous on;
        AdvValidLifetime 604800;
        AdvPreferredLifetime 86400;
    };
};

Obviously, put your own prefixes in there!

Ip6tables

Since I like to keep my setup as lean as possible, I choose not to use ipkg and only copy the files that are actually used by dd-wrt; ipkg also installs the scripts that OpenWRT uses. Hence, I needed to manually keep track of the dependencies. To get ip6tables working, I installed:

  • ip6tables binary from the ip6tables-utils package
  • all libip6t_* libraries from the ip6tables-utils package
  • the libxt_* libraries from the iptables package
  • libxt_state.so from the iptables-mod-conntrack package

Debugging tools

I also installed ping6 (from iputils-ping6) and traceroute6 (from traceroute6) to aid in debugging IPv6 connectivity.

Aiccu

To get a working Sixxs tunnel, they provide a small tool called AICCU. This tool automatically configures the tunnel and keeps it alive. I just used the aiccu binary from the aiccu package.

I use a fairly basic configuration file: aiccu.conf

username <your nichandle/username>/Txxxxx
password <your password>
protocol tsp
tunnel_id Txxxxx
server tic.sixxs.net
ipv6_interface sit_sixxs
daemonize true
automatic true
requiretls false

I use a standard IPv6-in-IPv4 (SIT) tunnel, so I added a corresponding hole in my firewall:

iptables -A INPUT -p 41 -j ACCEPT

Setup

To get this all up and running, I added a few script in /jffs/etc/config: ipv6.startup (run at bootup):

insmod /jffs/kmods/ipv6.ko
insmod /jffs/kmods/sit.ko
insmod /jffs/kmods/ip6_tables.ko
insmod /jffs/kmods/ip6table_filter.ko
insmod /jffs/kmods/nf_conntrack_ipv6.ko

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

ip -6 addr add 2001:db8:0:0:0011:22ff:fe33:4455/64 dev br0
ip -6 addr add 2001:db8:0:1:0011:22ff:fe33:4456/64 dev br1

/jffs/sbin/radvd -C /jffs/etc/radvd.conf

and ipv6.wanup (run after the WAN and firewall are up):

ntpclient europe.pool.ntp.org   # aiccu requires a correct clock, so make sure our clock is set
/jffs/sbin/aiccu start /jffs/etc/aiccu.conf

As a finishing touch, I added my IPv6 address in DNS.

Firewall

Since IPv6 does not offer the automatic traffic blocking that NAT does, an IPv6 firewall is a must. Here is my very basic script, which I put in firewall.wanup

ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -X

ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A INPUT -i br1 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -P INPUT DROP

ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -i br0 -j ACCEPT
ip6tables -A FORWARD -i br1 -o sit_sixxs -j ACCEPT
ip6tables -P FORWARD DROP

5 Comments

  1. bv says:

    I’m just curious, what are you using ipv6 for?

  2. Niobos says:

    To reach my internal machines without NAT-struggle. For example to deliver mail straight to my internal mail server; my ISP blocks incoming TCP/25 connections.

  3. IPv6 op DD-WRT « Eric’s Rommelhoek says:

    […] dan toch gelukt om ip6tables aan de praat te krijgen op DD-WRT. Het was me niet gelukt zonder deze site. Mochten mensen intresse hebben, hier staan de binaries en scripts: […]

  4. Ali says:

    Dear

    Please tell me how do you install these packages

    ip6tables binary from the ip6tables-utils package
    all libip6t_* libraries from the ip6tables-utils package
    the libxt_* libraries from the iptables package
    libxt_state.so from the iptables-mod-conntrack package
    I could not procedure, for this, mentioned above.

    Do i need to copy these modules to my dd-wrt router?

    Any help will be appreciated.

  5. Niobos says:

    Hi Ali,

    The ipk files are actually just gzip-ed tar files; just extract them with “tar zxf ” to see what’s inside. One of the extracted files should be data.tar.gz; extract that one as well. You’ll find the mentioned binaries and libraries in the extracted directories.

    And yes, you need to copy these to your dd-wrt router.

    Niobos

Leave a Reply

Anti-Spam Quiz: