IPv4/IPv6 transitioning technologies
See also: NAT64 for IPv6-only networks, NAT66 and IPv6 masquerading, IPv6 NAT and NPT
Transitioning technologies can be installed with the following packages:
- IPv4-in-IPv6 tunnel: ds-lite.
6in4 tunnel / HE.net tunnel broker
See also: Setting up an IPv6 Tunnel with LuCI, IPv6 with Hurricane Electric
6in4 tunnels are usually provided by external tunnel providers such as HE.net.
The package 6in4 must be installed to use this protocol.
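6in4 requires you to have a public IPv4 address; clients behind ISP NAT are not supported.
Static IPv6-in-IPv4 tunnel
The following example demonstrates a static tunnel configuration for the Hurricane Electric (he.net) broker. The option ipaddr specifies the local IPv4 address, peeraddr is the broker IPv4 address and ip6addr is the local IPv6 address routed via the tunnel.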
```
# /etc/config/network
config interface 'wan6'
    option proto '6in4'
    option ipaddr '178.24.115.19'
    option peeraddr '216.66.80.30'
    option ip6addr '2001:0DB8:1f0a:1359::2/64'
```
Dynamic IPv6-in-IPv4 tunnel (HE.net only)
The following example demonstrates a dynamic tunnel configuration for the Hurricane Electric (he.net) broker with IP update enabled. The local IPv4 address is determined automatically. The options tunnelid, username and updatekey are used for the IP update.
```
# /etc/config/network
config interface 'wan6'
    option proto '6in4'
    option mtu '1424'                           # IPv6 tunnel MTU (optional)
    option peeraddr '216.66.80.30'              # IPv4 tunnel endpoint at the tunnel provider
    option ip6addr '2001:0db8:1f0a:1359::2/64'  # IPv6 tunnel address
    option ip6prefix '2001:db8:1234::/48'       # Your routed prefix (required)
    # The configuration options below are only valid for HE.net tunnels; ignore them for other tunnel providers.
    option tunnelid '12345'                     # HE.net tunnel ID
    option username 'username'                  # HE.net username used to log in to tunnelbroker, not the User ID shown after logging in
    option updatekey 'updatekey'                # HE.net updatekey instead of password, default for new tunnels
```
See below for advanced configuration options.
In a typical tunnel configuration (e.g. HE.net) you get two different IPv6 addresses/prefixes from the tunnel provider:
- ip6addr: The tunnel endpoint address is like '2001:DB8:2222:EFGH::2/64'. This ...::2 address is only used for the tunnel interface endpoint. It is not a routable address and it can't be used for anything other than connecting to the other end of the tunnel, typically ...::1 .
- ip6prefix: The tunnel provider also gives you a routable prefix, typically either /48 or /64, for example '2001:DB8:1112::/48' or '2001:DB8:1234:ABCD::/64'. Your LAN clients will get addresses from that prefix. Using a wider prefix helps delegate IPv6 to several downstream networks.
Firewall
Some users may need to add extra firewall rules to allow 6in4 traffic to always reach their tunnel endpoint. The package iptables-mod-ipopt must be installed for length matching.
```
# /etc/config/firewall
config rule
    option name 'Allow-protocol-41'
    option src 'wan'
    option proto '41'
    option target 'ACCEPT'

config rule
    option name 'Allow-protocol-59'
    option src 'wan'
    option proto '59'
    option target 'ACCEPT'
    option extra '-m length --length 40'
```
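An added example, not part of the original page or of OpenWrt: the Allow-protocol-41 rule above matches protocol 41 from any WAN host, while a 6in4 tunnel has exactly one legitimate sender, the peeraddr. The script parses the two UCI files and flags ACCEPT rules for protocol 41 that are not limited to a configured peer with the firewall's src_ip option; the sample configs and the rule name Allow-6in4-from-peer are constructed.

```python
import shlex

# Constructed sample input, modelled on the configuration shown on this page.
NETWORK = """
config interface 'wan6'
    option proto '6in4'
    option peeraddr '216.66.80.30'   # tunnel broker endpoint
    option ip6addr '2001:0db8:1f0a:1359::2/64'
"""
FIREWALL = """
config rule
    option name 'Allow-protocol-41'
    option src 'wan'
    option proto '41'
    option target 'ACCEPT'
config rule
    option name 'Allow-6in4-from-peer'   # hypothetical narrowed rule
    option src 'wan'
    option src_ip '216.66.80.30'
    option proto '41'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def audit_proto41(network_text, firewall_text):
    """Flag ACCEPT rules that admit protocol 41 from hosts other than a 6in4 peer."""
    peers = {o["peeraddr"] for t, o in parse_uci(network_text)
             if t == "interface" and o.get("proto") == "6in4" and "peeraddr" in o}
    findings = []
    for t, o in parse_uci(firewall_text):
        # Protocol 41 is listed as 'ipv6' in /etc/protocols.
        if t != "rule" or o.get("target") != "ACCEPT" or o.get("proto") not in ("41", "ipv6"):
            continue
        name, src = o.get("name", "(unnamed)"), o.get("src_ip")
        if src is None:
            findings.append(f"{name}: protocol 41 accepted from any source")
        elif src not in peers:
            findings.append(f"{name}: src_ip {src} is not a configured peeraddr")
    return findings
```

On a router, pass the contents of /etc/config/network and /etc/config/firewall to audit_proto41 instead of the sample strings.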
Default route
Provide a default route to override sourcefilter.
```
# /etc/config/network
config route6
    option interface 'wan6'
    option target '::/0'
```
Protocol "6in4" (IPv6-in-IPv4 tunnel)
Name | Type | Required | Default | Description |
---|---|---|---|---|
ipaddr | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address |
peeraddr | IPv4 address | yes | (none) | Remote IPv4 endpoint address |
ip6addr | IPv6 address (CIDR) | yes | (none) | Local IPv6 address delegated to the tunnel endpoint |
ip6prefix | IPv6 prefix | no | (none) | Routed IPv6 prefix for downstream interfaces (Barrier Breaker and later only) |
tunlink | Logical Interface | no | (none) | Tunnel base interface. Define which Interface, for example WAN, should be used for outgoing IPv4 traffic to the Remote IPv4 Address |
defaultroute | boolean | no | 1 | Whether to create an IPv6 default route over the tunnel |
ttl | integer | no | 64 | TTL used for the tunnel interface |
tos | string | no | (none) | Type Of Service: either “inherit” (the outer header inherits the value of the inner header) or a hexadecimal value. Also known as DSCP. |
mtu | integer | no | 1280 | MTU used for the tunnel interface |
tunnelid | integer | no | (none) | HE.net global tunnel ID, used for endpoint update |
username | string | no | (none) | HE.net username which you use to log in to tunnelbroker, not the User ID shown after you have logged in; plaintext, used for endpoint update |
password | string | no | (none) | HE.net password, plaintext, obsolete, used for endpoint update |
updatekey | string | no | (none) | HE.net updatekey, plaintext, overrides password since 2014-02, used for endpoint update |
metric | integer | no | 0 | Specifies the default route metric to use |
This protocol type does not need the device option set in the interface section.
The interface name is derived from the section name, e.g. config interface sixbone would result in an interface named 6in4-sixbone.
Although ip6prefix isn't required, sourcefilter is enabled by default and prevents forwarding of packets unless ip6prefix is specified.
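6rd tunnel (ISP-provided IPv6 transition)
6rd is a tunneling mechanism based on 6to4. Unlike other tunneling mechanisms, 6rd is usually provided by the ISP itself.
The package 6rd must be installed to use this protocol.
6rd configuration is usually auto-detected and does not need manual configuration; just installing the 6rd package (and rebooting) is usually enough.
To automatically configure 6rd from DHCP you need to create an interface with option auto 0 and put its name as the 'iface6rd' parameter. In addition you also need to add its name to a suitable firewall zone in /etc/config/firewall.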
```
# /etc/config/network
config interface 'wan6'
    option proto '6rd'
    option peeraddr '77.174.0.2'
    option ip6prefix '2001:838:ad00::'
    option ip6prefixlen '40'
    option ip4prefixlen '16'
```
To debug 6rd via DHCP, enable DHCP client logging, reboot the router, and check the logs:
```
# logread -e ip6rd
ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2
```
If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6rd tunnel. Remove or comment out the iface6rd line in the wan section.
If you choose a name for your tunnel-interface different from wan6, be sure to add that network to the wan firewall-zone.
The configuration options below are only needed for hardcoding the 6rd tunnel.
Protocol "6rd"
Name | Type | Required | Default | Description |
---|---|---|---|---|
peeraddr | IPv4 address | yes | no | 6rd gateway |
ipaddr | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address |
ip6prefix | IPv6 prefix (without length) | yes | no | 6rd IPv6 prefix |
ip6prefixlen | IPv6 prefix length | yes | no | 6rd IPv6 prefix length |
ip4prefixlen | IPv6 prefix length | no | 0 | IPv4 common prefix |
defaultroute | boolean | no | 1 | Whether to create an IPv6 default route over the tunnel |
ttl | integer | no | 64 | TTL used for the tunnel interface |
tos | string | no | (none) | Type Of Service: either “inherit” (the outer header inherits the value of the inner header) or a hexadecimal value (Chaos Calmer and later only) |
mtu | integer | no | 1280 | MTU used for the tunnel interface |
iface6rd | logical interface | no | (none) | Logical interface template for auto-configuration of 6rd |
mtu6rd | integer | no | system default | MTU of the 6rd interface |
zone6rd | firewall zone | no | system default | Firewall zone to which the 6rd interface should be added |
This protocol type does not need the device option set in the interface section.
The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6rd-wan6.
Some ISPs give you the number of bytes you should use from your WAN IP to calculate your IPv6 address.
ip4prefixlen expects the prefix bytes of your WAN IP to calculate the IPv6 address.
So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14).
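An added example, not from the original page: how the values in the ip6rd log line shown earlier map onto the 6rd options, and how they combine with the WAN address into the delegated prefix, following the RFC 5969 address mapping. The function names are hypothetical and the WAN address 77.174.12.34 is a constructed sample.

```python
import ipaddress
import re

# Log line as shown on this page (output of `logread -e ip6rd`).
SAMPLE_LOG = "ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2"

def parse_ip6rd(log_line):
    """Map the ip6rd log values onto the 6rd options of /etc/config/network."""
    m = re.search(r"ip6rd=(\d+) (\d+) (\S+) (\S+)", log_line)
    if not m:
        raise ValueError("no ip6rd values found")
    return {
        "ip4prefixlen": int(m.group(1)),
        "ip6prefixlen": int(m.group(2)),
        "ip6prefix": str(ipaddress.IPv6Address(m.group(3))),
        "peeraddr": str(ipaddress.IPv4Address(m.group(4))),
    }

def delegated_prefix(cfg, wan_ip):
    """Return the 6rd delegated prefix for wan_ip (RFC 5969 address mapping)."""
    v4_bits = 32 - cfg["ip4prefixlen"]       # WAN address bits copied into the prefix
    plen = cfg["ip6prefixlen"] + v4_bits
    if not 0 <= v4_bits <= 32 or plen > 64:
        # A delegated prefix longer than /64 leaves no /64 for a LAN.
        raise ValueError(f"unusable 6rd parameters: delegated prefix would be /{plen}")
    shift = 128 - cfg["ip6prefixlen"]
    # Keep only the first ip6prefixlen bits of the 6rd prefix.
    base = (int(ipaddress.IPv6Address(cfg["ip6prefix"])) >> shift) << shift
    # Low-order WAN address bits that follow the 6rd prefix.
    v4_low = int(ipaddress.IPv4Address(wan_ip)) & ((1 << v4_bits) - 1)
    return ipaddress.IPv6Network((base | (v4_low << (128 - plen)), plen))

if __name__ == "__main__":
    cfg = parse_ip6rd(SAMPLE_LOG)
    print(cfg)
    print(delegated_prefix(cfg, "77.174.12.34"))  # constructed WAN address
```

Comparing the result with the prefix actually assigned to the LAN is a quick way to confirm that hardcoded ip6prefixlen and ip4prefixlen values are the ones the ISP intended.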
6pe, L2TP tunnel (ISP-provided IPv6 transition)
This is another transitional mechanism for IPv6 used by some ISPs; it relies on an L2TPv2 tunnel.
The package xl2tpd must be installed to use this protocol. It will handle the L2TP tunnel and PPP session.
The high-level description of the tunneling is the following:
1. An L2TP tunnel is created, encapsulated in UDP packets over IPv4.
2. A PPP session is established inside the tunnel.
3. IPv6CP (see RFC 5072) is used to negotiate link-local IPv6 addresses.
4. An IPv6 prefix is obtained thanks to DHCPv6.
This howto is derived from an experience with SFR, in France (FTTH residential access). It might apply to other ISPs as well. In the case of SFR, steps 1 and 2 require authentication. Fortunately, the L2TP password is hardcoded. The PPP password is not, but it's sent as cleartext, so simple sniffing is enough to recover it.
```
# /etc/config/network
config interface 6pe
    option proto l2tpv2
    option server <LNS address>
    option username '<PPP username>'
    option password '<PPP password>'
    option keepalive '6'
    option ipv6 '1'

config interface 'wan6'
    option device '@6pe'
    option proto 'dhcpv6'
```
If you need authentication at the L2TP level (before PPP):
```
# /etc/xl2tpd/xl2tp-secrets
* * my_l2tp_password
```
At this point, running service network reload or simply running ifup wan6 should give you a fully working IPv6 setup.
To debug, look at the logs (logread) and the interfaces status (ifstatus 6pe and ifstatus wan6).
See below for advanced configuration options.
Protocol "l2tp" (PPP over L2TP tunnel)
Most options are similar to protocol “ppp”.
Name | Type | Required | Default | Description |
---|---|---|---|---|
server | string | yes | (none) | L2TP server to connect to. Acceptable datatypes are hostname or IP address, with optional port separated by colon : . Note that specifying port is only supported recently and should appear in DD release |
username | string | no | (none) | Username for PAP/CHAP authentication |
password | string | yes if username is provided | (none) | Password for PAP/CHAP authentication |
ipv6 | bool | no | 0 | Enable IPv6 on the PPP link (IPv6CP) |
mtu | int | no | pppd default | Maximum Transmit/Receive Unit, in bytes |
keepalive | string | no | (none) | Number of unanswered echo requests before considering the peer dead. The interval between echo requests is 5 seconds. |
checkup_interval | int | no | (none) | Number of seconds to pass before checking if the interface is not up since the last setup attempt and retry the connection otherwise. Set it to a value sufficient for a successful L2TP connection for you. It's mainly for the case that netifd sent the connect request yet xl2tpd failed to complete it without the notice of netifd |
pppd_options | string | no | (none) | Additional options to pass to pppd |
The name of the physical interface will be “l2tp-<logical interface name>”.
6to4 tunnel
6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways.
The package 6to4 must be installed to use this protocol.
```
# /etc/config/network
config interface 'wan6'
    option proto '6to4'

# /etc/config/firewall
config rule
    option target 'ACCEPT'
    option name '6to4'
    option src 'wan'
    option proto '41'
```
If you choose a name for your tunnel-interface different from wan6, be sure to add that network to the wan firewall-zone.
See below for advanced configuration options.
Protocol "6to4" (IPv6-in-IPv4 tunnel)
Name | Type | Required | Default | Description |
---|---|---|---|---|
ipaddr | IPv4 address | no | Current WAN IPv4 address | Local IPv4 endpoint address |
defaultroute | boolean | no | 1 | Whether to create an IPv6 default route over the tunnel |
ttl | integer | no | 64 | TTL used for the tunnel interface |
tos | string | no | (none) | Type Of Service: either “inherit” (the outer header inherits the value of the inner header) or a hexadecimal value |
mtu | integer | no | 1280 | MTU used for the tunnel interface |
metric | integer | no | 0 | Specifies the default route metric to use |
This protocol type does not need the device option set in the interface section.
The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6to4-wan6.
Dual-Stack Lite tunnel (ds-lite IPv4 in IPv6)
ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection.
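The package ds-lite must be installed to use this protocol.
The configuration is usually auto-detected and does not need manual configuration; just installing the ds-lite package (and restarting the network interface, as you would when changing the configuration) is usually enough.
```
# /etc/config/network
config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config interface 'wan'
    option proto 'dslite'
    option peeraddr '2001:db80::1'  # Your ISP's DS-Lite AFTR
```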
If you choose a name for your tunnel-interface that is different from 'wan' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.
See below for advanced configuration options.
Protocol "dslite" (Dual-Stack Lite)
Name | Type | Required | Default | Description |
---|---|---|---|---|
peeraddr | IPv6 address | yes | no | DS-Lite AFTR address |
ip6addr | IPv6 address | no | Current WAN IPv6 address | Local IPv6 endpoint address |
tunlink | Logical Interface | no | Current WAN interface | Tunnel base interface |
defaultroute | boolean | no | 1 | Whether to create an IPv6 default route over the tunnel |
ttl | integer | no | 64 | TTL used for the tunnel interface |
mtu | integer | no | 1280 | MTU used for the tunnel interface |
ds-lite operation requires that IPv4 NAT is disabled. You should adjust your settings in /etc/config/firewall accordingly.
This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan would result in an interface named dslite-wan.