| docs:guide-user:network:ipv6_ipv4_transitioning [2019/03/19 10:07] – [6in4 tunnel (HE.net tunnel broker ...)] Merged 6in4 from docs:guide-user:network:tunneling_interface_protocols vgaetera | docs:guide-user:network:ipv6_ipv4_transitioning [2023/01/28 12:12] – [IPv4/IPv6 transition technologies] vgaetera |
|---|---|
| ====== IPv4/IPv6 Transition Technologies ====== | ====== IPv4/IPv6 transition technologies ====== |
| Transitioning technologies can be installed using the packages with the same names.\\ | See also: [[docs:guide-user:network:ipv6:nat64|NAT64 for IPv6-only networks]] |
| Setup and management of IPv6-in-IPv4 tunnels: ''6rd'', ''6to4'', ''6in4''.\\ | |
| Setup and management of IPv4-in-IPv6 tunnels: ''ds-lite''\\ | |
| |
| ===== 6in4 tunnel (HE.net tunnel broker) ===== | Transition technologies can be installed using the following packages: |
| 6in4 tunnels are usually provided by external tunnel providers like HE.net. | * IPv6-in-IPv4 tunnels: [[packages:pkgdata:6rd]], [[packages:pkgdata:6to4]], [[packages:pkgdata:6in4]]. |
| | * IPv4-in-IPv6 tunnels: [[packages:pkgdata:ds-lite]]. |
| |
| * Read [[/docs/guide-user/network/ipv6/ipv6tunnel-luci|Setting up an IPv6 Tunnel with LuCI]] for a walkthrough using the web GUI | ===== 6in4 Tunnel / HE.net Tunnel Broker ===== |
| * Use the following example configuration as a basis from the command line | See also: |
| | [[docs:guide-user:network:ipv6:ipv6tunnel-luci|Setting up an IPv6 Tunnel with LuCI]], |
| | [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 with Hurricane Electric]] |
| |
| :!: The package ''6in4'' must be installed to use 6in4-tunnels. | 6in4 tunnels are usually provided by external tunnel providers like HE.net. |
| |
| ==== Static IPv6-in-IPv4 tunnel ==== | :!: The package [[packages:pkgdata:6in4]] must be installed to use this protocol. |
| The example below illustrates a static tunnel configuration in ''/etc/config/network'' file for the Hurricane Electric (he.net) broker. | |
| Option ''ipaddr'' specifies the local IPv4 address, ''peeraddr'' is the broker IPv4 address and ''ip6addr'' the local IPv6 address routed via the tunnel. | |
| |
| <code bash> | :!: 6in4 requires you to have a public IPv4 address, clients behind CGNAT are [[https://forums.he.net/index.php?topic=488.0|not supported]]. |
| config 'interface' 'henet' | |
| option 'proto' '6in4' | |
| option 'ipaddr' '178.24.115.19' | |
| option 'peeraddr' '216.66.80.30' | |
| option 'ip6addr' '2001:0DB8:1f0a:1359::2/64' | |
| </code> | |
| |
| :!: You should also add an address from your routed IPv6 network to the "lan" interface. | ==== Static IPv6-in-IPv4 Tunnel ==== |
| | The example below illustrates a static tunnel configuration for the Hurricane Electric (he.net) broker. |
| | option ''ipaddr'' specifies the local IPv4 address, ''peeraddr'' is the broker IPv4 address and ''ip6addr'' the local IPv6 address routed via the tunnel. |
| |
| :!: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in ''/etc/config/firewall'': | <code bash> |
| | # /etc/config/network |
| <code> | config interface 'wan6' |
| config 'zone' | option proto '6in4' |
| option 'name' 'wan' | option ipaddr '178.24.115.19' |
| option 'network' 'wan henet' # Important | option peeraddr '216.66.80.30' |
| option 'input' 'REJECT' | option ip6addr '2001:0DB8:1f0a:1359::2/64' |
| option 'forward' 'REJECT' | |
| option 'output' 'ACCEPT' | |
| option 'masq' '1' | |
| </code> | </code> |
| |
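Review bot: the static example on the new side (''config interface 'wan6''' with ''proto'', ''ipaddr'', ''peeraddr'', ''ip6addr'') drops the firewall stanza the old side kept (''option 'network' 'wan henet''') together with the note that IPv6 firewall rules only apply once the tunnel interface is in the ''wan'' zone, while the 6rd and 6to4 sections still carry the reminder to add a tunnel interface not named ''wan6'' to the ''wan'' firewall-zone; the same one-line reminder belongs here. The example also sets no ''ip6prefix'', yet the protocol note later on the page says ''sourcefilter'' is enabled by default and prevents forwarding unless ''ip6prefix'' is specified, so a reader copying this stanza as-is gets a tunnel that will not forward LAN traffic; add an ''option ip6prefix'' line with the routed prefix from the broker.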
| :!: If you define a new, dedicated [[docs:guide-user:firewall:fw3_network|zone]] just for the tunnel interface, | ==== Dynamic IPv6-in-IPv4 Tunnel (HE.net only) ==== |
| make sure to set ''option conntrack 1'' in order to [[docs:guide-user:firewall:firewall_configuration#note.on.connection.tracking.notrack|force enabling connection tracking]], | |
| otherwise [[inbox:firewall:fw3_configurations:fw3_config|unidirectional forwarding rules]] will not work. | |
| | |
| :!: Don't forget to set up [[docs:guide-user:firewall:fw3_configurations:fw3_ipv6_examples#Forwarding_IPv6_tunnel_traffic|forwarding rules]] between the LAN and the tunnel if you want to route IPv6 traffic between them. | |
| | |
| === Setup behind one-to-one NAT === | |
| If [[http://checkip.dyndns.org/|your public IP]], e.g. ''178.24.115.19'', is not matching the IP address on your WAN interface, your ISP is probably using [[http://shorewall.net/NAT.htm#One-to-one|one-to-one NAT]] (aka [[http://en.wikipedia.org/wiki/Network_address_translation#Methods_of_Port_translation|full-cone NAT]]) and you won't be able to establish static [[docs:guide-user:network:ipv6_ipv4_transitioning#6in4.tunnel|IPv6-in-IPv4 tunnel]]. IP address of your WAN interface can be obtained with the following command: | |
| | |
| <code>. /lib/functions/network.sh; network_get_ipaddr ip wan; echo $ip</code> | |
| | |
| If this is your case you should fill the WAN IP address into ''ipaddr'' option instead of your actual public IP that might have been provided to [[http://he.net/|Hurricane Electric]] during tunnel creation.((You should always use your public IP while creating Hurricane Electric tunnel, so don't change it just because you are behind one-to-one NAT.)) Or you may completely omit the [[docs:guide-user:network:ipv6_ipv4_transitioning#6in4.tunnel|optional]] ''ipaddr'' option and the current WAN IPv4 address IP will be used automatically.\\ | |
| That would be preferred solution if your WAN IP is dynamic (i.e. obtained via DHCP) or you are not sure.\\ | |
| | |
| Example of ''/etc/config/network'' entry: | |
| | |
| <code> | |
| config 'interface' 'henet' | |
| option 'proto' '6in4' | |
| option 'peeraddr' '216.66.80.30' | |
| option 'ip6addr' '2001:0DB8:1f0a:1359::2/64' | |
| </code> | |
| | |
| ==== Dynamic IPv6-in-IPv4 tunnel (HE.net only) ==== | |
| The example below illustrates a dynamic tunnel configuration for the Hurricane Electric (he.net) broker with enabled IP update. | The example below illustrates a dynamic tunnel configuration for the Hurricane Electric (he.net) broker with enabled IP update. |
| The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update. | The local IPv4 address is determined automatically. |
| | The options ''tunnelid'', ''username'' and ''updatekey'' are provided for IP update. |
| |
| <code> | <code bash> |
| # /etc/config/network | # /etc/config/network |
| | config interface 'wan6' |
| | option proto '6in4' |
| | option mtu '1424' # the IPv6 tunnel MTU (optional) |
| | option peeraddr '216.66.80.30' # the IPv4 tunnel endpoint at the tunnel provider |
| | option ip6addr '2001:0db8:1f0a:1359::2/64' # the IPv6 tunnel address |
| | option ip6prefix '2001:db8:1234::/48' # Your routed prefix (required) |
| | # configuration options below are only valid for HE.net tunnels, ignore them for other tunnel providers. |
| | option tunnelid '12345' # HE.net tunnel id |
| | option username 'username' # HE.net username used to login into tunnelbroker, not the User ID shown after login in. |
| | option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels |
| | </code> |
| |
| config 'interface' 'henet' | See below for advanced configuration options. |
| option 'proto' '6in4' | |
| option 'mtu' '1424' # the IPv6 tunnel MTU (optional) | |
| option 'peeraddr' '216.66.80.30' # the IPv4 tunnel endpoint at the tunnel provider | |
| option 'ip6addr' '2001:0DB8:1f0a:1359::2/64' # the IPv6 tunnel address | |
| option 'ip6prefix' '2001:DB8:1234::/48' # Your routed prefix (required!) | |
| # configuration options below are only valid for HE.net tunnels. ignore them for other tunnel providers. | |
| option 'tunnelid' '12345' # HE.net tunnel id | |
| option 'username' 'username' # HE.net username used to login into tunnelbroker, not the User ID shown after login in. | |
| option 'password' 'password' # HE.net password if there is no updatekey for tunnel | |
| option 'updatekey' 'updatekey' # HE.net updatekey instead of password, default for new tunnels | |
| | |
| # /etc/config/firewall | |
| | |
| config zone 'wan' | |
| list network 'henet' | |
| </code> | |
| |
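Review bot: the values ''option username 'username''' and ''option updatekey 'updatekey''' read as literal settings rather than placeholders, and the option table lower on the page states that both are stored in plaintext; the example should say that these are to be replaced with the account values and that ''/etc/config/network'' then holds the live HE.net credential in clear, so the file should not be pasted into support threads or backups unredacted. The removal of ''option 'password'' from the example is consistent with the table marking ''password'' obsolete.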
| In a typical tunnel configuration (e.g. HE.net) you get two different ipv6 addresses/prefixes from the tunnel provider: | In a typical tunnel configuration (e.g. HE.net) you get two different ipv6 addresses/prefixes from the tunnel provider: |
| * **ip6addr**: The tunnel endpoint address is like '2001:DB8:2222:EFGH::2/64'. This ...::2 address is only used for the tunnel interface endpoint. It is not a routable address and it can't be used for anything else than connecting to the other end of the tunnel, typically ...::1 . | * **ip6addr**: The tunnel endpoint address is like '2001:DB8:2222:EFGH::2/64'. This ...::2 address is only used for the tunnel interface endpoint. It is not a routable address and it can't be used for anything else than connecting to the other end of the tunnel, typically ...::1 . |
| * **ip6prefix**: The tunnel provider gives you also a routable prefix, typically either /48 or /64, for example '2001:DB8:1112::/48' or '2001:DB8:1234:ABCD::/64'. Your LAN clients will get addresses from that prefix. | * **ip6prefix**: The tunnel provider gives you also a routable prefix, typically either /48 or /64, for example '2001:DB8:1112::/48' or '2001:DB8:1234:ABCD::/64'. Your LAN clients will get addresses from that prefix. Using a wider prefix helps delegate IPv6 to several downstream networks. |
| |
| :!: You should also add an address from your routed IPv6 network to the "lan" interface. | === Firewall === |
| | Some users may require to add extra firewall rules to allow 6in4 traffic to always reach their tunnel endpoint. |
| :!: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" firewall zone, see example above for details. | The package [[packages:pkgdata:iptables-mod-ipopt]] must be installed for length matching. |
| | |
| :!: The password entered above should be the md5sum of the password you use to log in to tunnelbroker.net. | |
| | |
| :!: If your tunnel provider gives you a routable /48, /56 or /60 prefix, use that (instead of the /64), as a wider prefix will allow you to properly pass routable /64 prefixes to several networks (lan, guest, …). | |
| | |
| :!: Note that HE.net assigns an "updatekey" by default for new tunnels since February 2014. If updatekey exists (visible in tunnel's advanced info page at the HE.net site), it needs to be used instead of the password. Old tunnels without updatekey will continue to work with password. | |
| | |
| :!: To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza: | |
| |
| <code bash> | <code bash> |
| | # /etc/config/firewall |
| config rule | config rule |
| option name 'Allow-protocol 41' | option name 'Allow-protocol-41' |
| option src wan | option src 'wan' |
| option proto 41 | option proto '41' |
| option target ACCEPT | option target 'ACCEPT' |
| | |
| | config rule |
| | option name 'Allow-protocol-59' |
| | option src 'wan' |
| | option proto '59' |
| | option target 'ACCEPT' |
| | option extra '-m length --length 40' |
| </code> | </code> |
| |
| HE.net users also report use of protocol 59, which should be allowed but limited to length of 40 bytes: | === Default route === |
| | Provide default route to override ''sourcefilter''. |
| |
| <code bash> | <code bash> |
| config rule | # /etc/config/network |
| option name 'Allow-protocol 59' | config route6 |
| option src 'wan' | option interface 'wan6' |
| option proto '59' | option target '::/0' |
| option target 'ACCEPT' | |
| option extra '-m length --length 40' # package 'iptables-mod-ipopt' must be installed for length matching | |
| </code> | </code> |
| |
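Review bot: the new "Firewall" subsection no longer says what the two rules are for. The old text stated that protocol 41 is the 6in4 traffic itself and that protocol 59 should be allowed only when limited to a length of 40 bytes; keep that sentence next to ''option extra '-m length --length 40''' so readers understand why the length match is there and do not widen the rule to all protocol 59 traffic. The "Default route" subsection is also unclear: "Provide default route to override ''sourcefilter''" does not say when the extra ''config route6'' with ''option target '::/0''' is needed, given that the option table says ''defaultroute'' defaults to ''1'' and already creates an IPv6 default route over the tunnel.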
| See below for advanced configuration options. | |
| |
| ===== Protocol 6in4 (IPv6-in-IPv4 Tunnel) ===== | ===== Protocol 6in4 (IPv6-in-IPv4 Tunnel) ===== |
| :!: The package ''6in4'' must be installed to use this protocol. | |
| |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''ipaddr'' | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address | | | ''ipaddr'' | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address | |
| | ''ip6addr'' | IPv6 address (CIDR) | yes | //(none)// | Local IPv6 address delegated to the tunnel endpoint | | | ''ip6addr'' | IPv6 address (CIDR) | yes | //(none)// | Local IPv6 address delegated to the tunnel endpoint | |
| | ''ip6prefix'' | IPv6 prefix | no | //(none)// | Routed IPv6 prefix for downstream interfaces (Barrier Breaker and later only) | | | ''ip6prefix'' | IPv6 prefix | no | //(none)// | Routed IPv6 prefix for downstream interfaces (Barrier Breaker and later only) | |
| | ''sourcerouting'' | boolean | no | ''1'' | Whether to route only packets from delegated prefixes (Barrier Breaker and later only) | | | ''tunlink'' | Logical Interface | no | //(none)// | Tunnel base interface. Define which Interface, for example WAN, should be used for outgoing IPv4 traffic to the Remote IPv4 Address | |
| | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route over the tunnel | | | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route over the tunnel | |
| | ''ttl'' | integer | no | ''64'' | TTL used for the tunnel interface | | | ''ttl'' | integer | no | ''64'' | TTL used for the tunnel interface | |
| | ''tos'' | string | no | //(none)// | Type Of Service : either "inherit" (the outer header inherits the value of the inner header) or an hexadecimal value. Also known as DSCP. (Chaos Calmer and later only) | | | ''tos'' | string | no | //(none)// | Type Of Service : either "inherit" (the outer header inherits the value of the inner header) or an hexadecimal value. Also known as DSCP. | |
| | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | | | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | |
| | ''tunnelid'' | integer | no | //(none)// | HE.net global tunnel ID (used for endpoint update) | | | ''tunnelid'' | integer | no | //(none)// | HE.net global tunnel ID, used for endpoint update | |
| | ''username'' | string | no | //(none)// | HE.net username which you use to login into tunnelbroker, not the User ID shows after you have login int (used for endpoint update) | | | ''username'' | string | no | //(none)// | HE.net username which you use to login into tunnelbroker, not the User ID shown after you have login in, plaintext, used for endpoint update | |
| | ''password'' | string | no | //(none)// | <del>md5sum of</del> HE.net password (used for endpoint update) | | | ''password'' | string | no | //(none)// | HE.net password, plaintext, obsolete, used for endpoint update | |
| | ''updatekey'' | string | no | //(none)// | HE.net updatekey, overrides password (used for endpoint update) | | | ''updatekey'' | string | no | //(none)// | HE.net updatekey, plaintext, overrides password since 2014-02, used for endpoint update | |
| | ''metric'' | integer | no | ''0'' | Specifies the default route metric to use | | | ''metric'' | integer | no | ''0'' | Specifies the default route metric to use | |
| |
| :!: This protocol type does not need an ''ifname'' option set in the interface section. The interface name is derived from the section name, e.g. ''config interface sixbone'' would result in an interface named ''6in4-sixbone''. | :!: This protocol type does not need the ''device'' option set in the interface section. |
| | The interface name is derived from the section name, e.g. ''config interface sixbone'' would result in an interface named ''6in4-sixbone''. |
| |
| :!: HE.net has introduced updatekey as default for new tunnels in February 2014. | :!: Although ''ip6prefix'' isn't required, ''sourcefilter'' is enabled by default and prevents forwarding of packets unless ''ip6prefix'' is specified. |
| |
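Review bot: the 6in4 option table on the new side replaces the ''sourcerouting'' row with ''tunlink'' but adds no ''sourcefilter'' row, although the note directly below the table and the "Default route" subsection both refer to ''sourcefilter'' as enabled by default; add a row for it (type, default and what it filters). In the same table ''ip6prefix'' is marked "Required: no", which the ''sourcefilter'' note contradicts in practice; say there that it is required for forwarding.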
| :!: **username**, **password** and **updatekey** are all plaintext entries. | ===== 6rd Tunnel (ISP-Provided IPv6 Transition) ===== |
| | 6rd is a tunnel mechanism based on 6to4. |
| | Unlike other tunneling mechanisms, 6rd is usually provided by the ISP itself. |
| |
| :!: One of the ustream SSL Library variants (package ''libustream-*'') should be installed for HE.net endpoint update to be performed over **https**. (optional for https: install packages ''ca-certificates'' and ''ca-bundle'' for server certificate validation.) Otherwise endpoint update will be performed over **http**. | :!: The package [[packages:pkgdata:6rd]] must be installed to use this protocol. |
| |
| :!: although ip6prefix isn't required, sourcerouting, enabled by default, will prevent forwarding of packets unless ip6prefix is specified. | :!: The configuration of 6rd is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough. |
| |
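Review bot: the old side's note that the HE.net endpoint update is performed over https only when a ''libustream-*'' variant is installed (with ''ca-certificates'' and ''ca-bundle'' needed for server certificate validation) and otherwise falls back to http was dropped on the new side without replacement. Since that update carries the plaintext ''username'' and ''updatekey'' the table describes, the note is the one piece of guidance telling users how to keep the credential off the wire in clear; keep it, or a shortened form of it, next to the ''updatekey'' row.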
| ===== 6rd tunnel (ISP-provided IPv6 transition) ===== | :!: To automatically configure 6rd from dhcp you need to create an interface with ''option auto 0'' and put its name as the 'iface6rd' parameter. |
| 6rd is a tunnel mechanism based on 6to4. Unlike other tunneling mechanisms, 6rd is usually provided by the ISP itself. | In addition you also need to add its name to a suitable firewall zone in ''/etc/config/firewall''. |
| |
| :!: The package ''6rd'' must be installed to use this protocol. | <code bash> |
| | # /etc/config/network |
| | config interface 'wan6' |
| | option proto '6rd' |
| | option peeraddr '77.174.0.2' |
| | option ip6prefix '2001:838:ad00::' |
| | option ip6prefixlen '40' |
| | option ip4prefixlen '16' |
| | </code> |
| |
| :!: The configuration of 6rd is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough. | To debug 6rd via DHCP, first check if the parameters are sent. |
| | Create a ''/etc/udhcpc.user'' file with the following content: |
| |
| :!: To automatically configure 6rd from dhcp you need to create an interface with ''option auto 0'' and put its name as the 'iface6rd' parameter. In addition you also need to add its name to a suitable firewall zone in /etc/config/firewall. | <code bash> |
| | #!/bin/sh |
| | env >> /tmp/udhcpc.log |
| | </code> |
| | |
| | Reboot the router and check the log file ''/tmp/udhcpc.log'' for the following line: |
| | |
| | <code bash> |
| | ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2 |
| | </code> |
| | |
| | If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. |
| | The above ip6rd or the obtained values can be used to hardcode the 6rd tunnel. |
| | Remove or comment out the iface6rd line in the wan section. |
| | |
| | :!: If you choose a name for your tunnel-interface different from ''wan6'', be sure to add that network to the ''wan'' firewall-zone. |
| |
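Review bot: the debugging hook ''/etc/udhcpc.user'' with ''env >> /tmp/udhcpc.log'' keeps appending the full udhcpc environment to ''/tmp/udhcpc.log'' on every lease event, not just on the reboot the text asks for; the procedure should end with a step to delete the hook (and the log) once the ''ip6rd='' line has been checked. It would also help to state explicitly that ''ip6rd=16 40 2001:0838:ad00:... 77.174.0.2'' maps, in order, to ''ip4prefixlen'', ''ip6prefixlen'', ''ip6prefix'' and ''peeraddr'', since the reader is told to hardcode those values from it.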
| ===== 6rd options ===== | |
| Below configuration options are only needed for hardcoding the 6rd tunnel. | Below configuration options are only needed for hardcoding the 6rd tunnel. |
| |
| | ===== Protocol 6rd ===== |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''peeraddr'' | IPv4 address | yes | no | 6rd - Gateway | | | ''peeraddr'' | IPv4 address | yes | no | 6rd - Gateway | |
| | ''ipaddr'' | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address | | | ''ipaddr'' | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address | |
| | ''ip6prefix'' | IPv6 prefix (without length) | yes | no | 6rd-IPv6 Prefix | | | ''ip6prefix'' | IPv6 prefix (without length) | yes | no | 6rd-IPv6 Prefix | |
| | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route over the tunnel | | | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route over the tunnel | |
| | ''ttl'' | integer | no | ''64'' | TTL used for the tunnel interface | | | ''ttl'' | integer | no | ''64'' | TTL used for the tunnel interface | |
| | ''tos'' | string | no | //(none)// | Type Of Service : either "inherit" (the outer header inherits the value of the inner header) or an hexadecimal value (Chaos Calmer and later only) | | | ''tos'' | string | no | //(none)// | Type Of Service: either "inherit" (the outer header inherits the value of the inner header) or an hexadecimal value | |
| | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | | | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | |
| | ''iface6rd'' | logical interface | no | //(none)// | Logical interface template for auto-configuration of 6rd | | | ''iface6rd'' | logical interface | no | //(none)// | Logical interface template for auto-configuration of 6rd | |
| | ''zone6rd'' | firewall zone | no | //system default// | Firewall zone to which the 6rd interface should be added | | | ''zone6rd'' | firewall zone | no | //system default// | Firewall zone to which the 6rd interface should be added | |
| |
| | :!: This protocol type does not need the ''device'' option set in the interface section. |
| | The interface name is derived from the section name, e.g. ''config interface wan6'' would result in an interface named ''6rd-wan6''. |
| |
| :!: This protocol type does not need an ''ifname'' option set in the interface section. The interface name is derived from the section name, e.g. ''config interface wan6'' would result in an interface named ''6rd-wan6''. | :!: Some ISP's give you the number of bytes you should use from your WAN IP to calculate your IPv6 address. |
| | ''ip4prefixlen'' expects the //prefix// bytes of your WAN IP to calculate the IPv6 address. |
| | So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14). |
| |
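Review bot: the 6rd option table has no rows for ''ip6prefixlen'' and ''ip4prefixlen'', although the hardcoded example above uses both and the note directly below the table explains how ''ip4prefixlen'' is derived (enter 18 when the ISP says 14 bytes); add both rows, marking them required for a hardcoded tunnel, so the table matches the text that says these are the values to obtain from the ISP.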
| :!: Some ISP's give you the number of bytes you should use from your WAN IP to calculate your IPv6 address. ip4prefixlen expects the //prefix// bytes of your WAN IP to calculate the IPv6 address. So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14). | ===== 6pe, L2TP Tunnel (ISP-provided IPv6 Transition) ===== |
| | This is another transitional mechanism for IPv6 used by some ISPs, it relies on a L2TPv2 tunnel. |
| |
| To debug 6rd via DHCP, first check if the parameters are sent. Create a ''/etc/udhcpc.user'' file with the following content: | :!: The package [[packages:pkgdata:xl2tpd]] must be installed to use this protocol. |
| | It will handle the L2TP tunnel and PPP session. |
| <code> | |
| #!/bin/sh | |
| env >> /tmp/udhcpc.log | |
| </code> | |
| | |
| Reboot the router and check the log file ''/tmp/udhcpc.log'' for the following line: | |
| | |
| <code> | |
| ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2 | |
| </code> | |
| | |
| If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6RD tunnel. Remove or comment out the iface6rd line in the wan section. | |
| | |
| ''/etc/config/network'' | |
| <code> | |
| config interface 'wan6' | |
| option proto '6rd' | |
| option peeraddr '77.174.0.2' | |
| option ip6prefix '2001:838:ad00::' | |
| option ip6prefixlen '40' | |
| option ip4prefixlen '16' | |
| </code> | |
| | |
| :!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall. | |
| | |
| | |
| ===== 6pe, L2TP tunnel(ISP-provided IPv6 transition) ===== | |
| This is another transitional mechanism for IPv6 used by some ISPs, it relies on a L2TPv2 tunnel. | |
| | |
| :!: The package ''xl2tpd'' must be installed to use this protocol. | |
| |
| The high-level description of the tunneling is the following: | The high-level description of the tunneling is the following: |
| | - An L2TP tunnel is created, encapsulated in UDP packets over IPv4. |
| | - A PPP session is established inside the tunnel. |
| | - IPv6CP (see [[http://tools.ietf.org/html/rfc5072|RFC 5072]]) is used to negotiate link-local IPv6 addresses. |
| | - An IPv6 prefix is obtained thanks to DHCPv6. |
| |
| - a L2TP tunnel is created, encapsulated in UDP packets over IPv4 | This howto is derived from an experience with SFR, in France (FTTH residential access). |
| - a PPP session is established inside the tunnel | It might apply to other ISPs as well. |
| - IPv6CP (see [[http://tools.ietf.org/html/rfc5072|RFC 5072]]) is used to negotiate link-local IPv6 addresses | In the case of SFR, steps 1 and 2 require an authentication. |
| - an IPv6 prefix is obtained thanks to DHCPv6 | Fortunately, the L2TP password is hardcoded. |
| | The PPP password is not, but it's sent as cleartext, so a simple sniffing is enough to recover it. |
| |
| This howto is derived from an experience with SFR, in France (FTTH residential access). It might apply to other ISPs as well.\\ | <code bash> |
| In the case of SFR, steps 1 and 2 require an authentication. Fortunately, the L2TP password is hardcoded. The PPP password is not, but it's sent as cleartext, so a simple sniffing is enough to recover it. | # /etc/config/network |
| | |
| ==== Setup ==== | |
| You need to install ''xl2tpd'', which will handle the L2TP tunnel and PPP session. | |
| | |
| ==== Configuration ==== | |
| ''/etc/config/network'' | |
| <code> | |
| config interface 6pe | config interface 6pe |
| option proto l2tpv2 | option proto l2tpv2 |
| |
| config interface 'wan6' | config interface 'wan6' |
| option ifname '@6pe' | option device '@6pe' |
| option proto 'dhcpv6' | option proto 'dhcpv6' |
| </code> | </code> |
| |
| If you need authentication at the L2TP level (before PPP), configure it in ''/etc/xl2tpd/xl2tp-secrets'': | If you need authentication at the L2TP level (before PPP): |
| <code> | |
| | <code bash> |
| | # /etc/xl2tpd/xl2tp-secrets |
| * * my_l2tp_password | * * my_l2tp_password |
| </code> | </code> |
| |
| At this point, running "/etc/init.d/network reload" or simply running ''ifup wan6'' should give you a fully working IPv6 setup.\\ | At this point, running ''/etc/init.d/network reload'' or simply running ''ifup wan6'' should give you a fully working IPv6 setup. |
| To debug, look at the logs (''logread'') and the interfaces status (''ifstatus 6pe'' and ''ifstatus wan6''). | To debug, look at the logs (''logread'') and the interfaces status (''ifstatus 6pe'' and ''ifstatus wan6''). |
| |
| |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''server'' | string | yes | //(none)// | L2TP server to connect to. Acceptable datatypes are hostname or IP address, with optional port separated by colon '':''. Note that specifying port is only supported recently and should appear in DD release | | | ''server'' | string | yes | //(none)// | L2TP server to connect to. Acceptable datatypes are hostname or IP address, with optional port separated by colon '':''. Note that specifying port is only supported recently and should appear in DD release | |
| | ''username'' | string | no | //(none)// | Username for PAP/CHAP authentication | | | ''username'' | string | no | //(none)// | Username for PAP/CHAP authentication | |
| | ''password'' | string | yes if ''username'' is provided | //(none)// | Password for PAP/CHAP authentication | | | ''password'' | string | yes if ''username'' is provided | //(none)// | Password for PAP/CHAP authentication | |
| | ''mtu'' | int | no | ''pppd'' default | Maximum Transmit/Receive Unit, in bytes | | | ''mtu'' | int | no | ''pppd'' default | Maximum Transmit/Receive Unit, in bytes | |
| | ''keepalive'' | string | no | //(none)// | Number of unanswered echo requests before considering the peer dead. The interval between echo requests is 5 seconds. | | | ''keepalive'' | string | no | //(none)// | Number of unanswered echo requests before considering the peer dead. The interval between echo requests is 5 seconds. | |
| | ''checkup_interval'' | int | no | //(none)// | Number of seconds to pass before checking if the interface is not up since the last setup attempt and retry the connection otherwise. Set it to a value sufficient for a successful L2TP connection for you. It's mainly for the case that netifd sent the connect request yet xl2tpd failed to complete it without the notice of netifd | | | ''checkup_interval'' | int | no | //(none)// | Number of seconds to pass before checking if the interface is not up since the last setup attempt and retry the connection otherwise. Set it to a value sufficient for a successful L2TP connection for you. It's mainly for the case that netifd sent the connect request yet xl2tpd failed to complete it without the notice of netifd | |
| | ''pppd_options'' | string | no | //(none)// | Additional options to pass to ''pppd'' | | | ''pppd_options'' | string | no | //(none)// | Additional options to pass to ''pppd'' | |
| |
| The name of the physical interface will be "l2tp-<logical interface name>". | The name of the physical interface will be "l2tp-<logical interface name>". |
| |
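Review bot: the ''config interface 6pe'' example sets only ''option proto l2tpv2'', while the option table marks ''server'' as required and the text says that with SFR the L2TP and PPP steps require authentication; as written the example cannot establish the tunnel. Add ''option server'' and ''option username''/''option password'' lines with clearly marked placeholder values, and note that ''password'' becomes mandatory once ''username'' is set, as the table states.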
| ===== 6to4 tunnel ===== | ===== 6to4 Tunnel ===== |
| 6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways. | 6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways. |
| |
| :!: The package ''6to4'' must be installed to use 6to4 tunnels. | :!: The package [[packages:pkgdata:6to4]] must be installed to use this protocol. |
| |
| ''/etc/config/network'' | <code bash> |
| <code> | # /etc/config/network |
| config 'interface' 'wan6' | config interface 'wan6' |
| option 'proto' '6to4' | option proto '6to4' |
| |
| config 'interface' 'lan' | # /etc/config/firewall |
| option 'proto' 'static' | config rule |
| option ip6assign 60 | option target 'ACCEPT' |
| ... | option name '6to4' |
| | option src 'wan' |
| | option proto '41' |
| </code> | </code> |
| |
| :!: If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall. | :!: If you choose a name for your tunnel-interface different from ''wan6'', be sure to add that network to the ''wan'' firewall-zone. |
| |
| See below for advanved configuration options. | See below for advanced configuration options. |
| |
| ===== Protocol 6to4 (IPv6-in-IPv4 Tunnel) ===== | ===== Protocol 6to4 (IPv6-in-IPv4 Tunnel) ===== |
| | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | | | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | |
| | ''metric'' | integer | no | ''0'' | Specifies the default route metric to use | | | ''metric'' | integer | no | ''0'' | Specifies the default route metric to use | |
| | <del>''adv_interface''</del> | <del>string</del> | <del>no</del> | <del>''lan''</del> | **deprecated** <del>The //logical interface name// of the network the subnet should be advertised on. Multiple interface names can be given.</del> | | |
| | <del>''adv_subnet''</del> | <del>hex number</del> | <del>no</del> | <del>''1''</del> | **deprecated** <del>A subnet ID between ''1'' and ''FFFF'' which selects the advertised /64 prefix from the mapped 6to4 space. The subnet ID is incremented by 1 for every interface specified in ''adv_interface''.</del> | | |
| | <del>''adv_valid_lifetime''</del> |<del> integer</del> | <del>no</del> | <del>''300''</del> | **deprecated** <del>Overrides the advertised valid prefix lifetime, in seconds (used with radvd)</del> | | |
| | <del>''adv_preferred_lifetime''</del> | <del>integer</del> | <del>no</del> | <del>''120''</del> | **deprecated** <del>Overrides the advertised preferred prefix lifetime, in seconds (used with radvd)</del> | | |
| |
| :!: This protocol type does not need an ''ifname'' option set in the interface section. The interface name is derived from the section name, e.g. ''config interface wan6'' would result in an interface named ''6to4-wan6''. \\ | :!: This protocol type does not need the ''device'' option set in the interface section. |
| | The interface name is derived from the section name, e.g. ''config interface wan6'' would result in an interface named ''6to4-wan6''. |
| :!: <del>If radvd is installed and enabled, the 6to4 scripts will add a temporary prefix and interface declaration to the //radvd// uci configuration and perform a daemon restart if required. </del> (**deprecated**) | |
| |
| ===== Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6) ===== | ===== Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6) ===== |
| ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection. | ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection. |
| |
| :!: The package ''ds-lite'' must be installed to use this protocol. | :!: The package [[packages:pkgdata:ds-lite]] must be installed to use this protocol. |
| |
| :!: The configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and restarting the network interfaces like when changing the configuration) is usually enough. | :!: The configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and restarting the network interfaces like when changing the configuration) is usually enough. |
| |
| ''/etc/config/network'' | <code bash> |
| <code>config 'interface' 'wan6' | # /etc/config/network |
| option 'ifname' 'eth1' | config interface 'wan6' |
| option 'proto' 'dhcpv6' | option device 'eth1' |
| | option proto 'dhcpv6' |
| |
| config 'interface' 'wan' | config interface 'wan' |
| option 'proto' 'dslite' | option proto 'dslite' |
| option 'peeraddr' '2001:db80::1' # Your ISP's DS-Lite AFTR | option peeraddr '2001:db80::1' # Your ISP's DS-Lite AFTR |
| </code> | </code> |
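Review bot: the placeholder AFTR address `2001:db80::1` on the `peeraddr` line is not inside the RFC 3849 documentation prefix `2001:db8::/32` (that prefix covers the hextet `0db8`, while `db80` is a different hextet), so a configuration copied verbatim would point at a real address; `2001:db8::1` is the safe placeholder. As a style point, the `# Your ISP's DS-Lite AFTR` comment is better placed on its own line above the option, since the block is meant to be pasted into `/etc/config/network` as-is.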
| |
| :!: If you choose a name for your tunnel-interface that is different from 'wan' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall. | :!: If you choose a name for your tunnel-interface different from ''wan'', be sure to add that network to the ''wan'' firewall-zone. |
| | |
| :!: The package ''ds-lite'' must be installed to use ds-lite-tunnels. | |
| |
| See below for advanced configuration options. | See below for advanced configuration options. |
| |
| ===== Protocol dslite (Dual-Stack Lite) ===== | ===== Protocol dslite (Dual-Stack Lite) ===== |
| |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''peeraddr'' | IPv6 address | yes | no | DS-Lite AFTR address | | | ''peeraddr'' | IPv6 address | yes | no | DS-Lite AFTR address | |
| | ''ip6addr'' | IPv6 address | no | Current WAN IPv6 address | Local IPv6 endpoint address | | | ''ip6addr'' | IPv6 address | no | Current WAN IPv6 address | Local IPv6 endpoint address | |
| | ''tunlink'' | Logical Interface | no | Current WAN interface | Tunnel base interface | | | ''tunlink'' | Logical Interface | no | Current WAN interface | Tunnel base interface | |
| | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | | | ''mtu'' | integer | no | ''1280'' | MTU used for the tunnel interface | |
| |
| :!: ds-lite operation requires that IPv4 NAT is disabled. You should adjust your settings in /etc/config/firewall accordingly. | :!: ds-lite operation requires that IPv4 NAT is disabled. |
| | You should adjust your settings in /etc/config/firewall accordingly. |
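Review bot: the note that ds-lite requires IPv4 NAT to be disabled does not say which setting is meant; it would help to name it, i.e. turn off masquerading on the `wan` zone in `/etc/config/firewall` (`option masq '0'`), and to add the reason: the ISP's AFTR performs the carrier-grade NAT, so private LAN addresses are carried through the tunnel unmodified and a second NAT on the router would break that model.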
| |
| :!: This protocol type does not need an ''ifname'' option set in the interface section. The interface name is derived from the section name, e.g. ''config interface wan'' would result in an interface named ''dslite-wan''. | :!: This protocol type does not need the ''device'' option set in the interface section. |
| | The interface name is derived from the section name, e.g. ''config interface wan'' would result in an interface named ''dslite-wan''. |
| |