IPv4/IPv6 过渡技术

可以使用具有相同名称的包来安装转换技术.
IPv6-in-IPv4隧道的设置和管理: 6rd, 6to4, 6in4.
IPv4-in-IPv6隧道的设置和管理: ds-lite

6in4隧道通常由像HE.net这样的外部隧道提供商提供.

6in4要求您具有公网IPv4-地址, 不支持ISP NAT背后的客户端.

必须安装 6in4 才能使用此协议.

• 阅读使用WebUI为演练设置 LuCI的IPv6隧道.
• 使用下面的示例配置作为命令行的基础.

下面的示例演示了Hurricane Electric (he.net)代理服务商的静态隧道配置. 设定 ipaddr 指定本地IPv4地址, peeraddr 是代理IPv4地址和 ip6addr 是通过隧道路由的本地IPv6地址.

# /etc/config/network
config interface 'wan6'
        option proto     '6in4'
        option tunlink   'wan'
        option ipaddr    '178.24.115.19'
        option peeraddr  '216.66.80.30'
        option ip6addr   '2001:0DB8:1f0a:1359::2/64'

为本地系统提供有效的默认 IPv6-route.

# /etc/config/network
config route6
        option interface 'wan6'
        option source    '::'
        option target    '::/0'

下面的示例演示了启用IP更新的 Hurricane Electric (he.net) 代理的动态隧道配置. 本地IPv4地址自动确定, 并为IP更新提供隧道盖、用户名和密码.

# /etc/config/network
config interface 'wan6'
        option proto     '6in4'
        option tunlink   'wan'
        option mtu       '1424'                      # the IPv6 tunnel MTU (optional)
        option peeraddr  '216.66.80.30'              # the IPv4 tunnel endpoint at the tunnel provider
        option ip6addr   '2001:0DB8:1f0a:1359::2/64' # the IPv6 tunnel address
        option ip6prefix '2001:DB8:1234::/48'        # Your routed prefix (required)
        # configuration options below are only valid for HE.net tunnels, ignore them for other tunnel providers.
        option tunnelid  '12345'                     # HE.net tunnel id
        option username  'username'                  # HE.net username used to login into tunnelbroker, not the User ID shown after login in.
        option password  'password'                  # HE.net password if there is no updatekey for tunnel
        option updatekey 'updatekey'                 # HE.net updatekey instead of password, default for new tunnels

In a typical tunnel configuration (e.g. HE.net) you get two different ipv6 addresses/prefixes from the tunnel provider:

• ip6addr: The tunnel endpoint address is like '2001:DB8:2222:EFGH::2/64'. This ...::2 address is only used for the tunnel interface endpoint. It is not a routable address and it can't be used for anything else than connecting to the other end of the tunnel, typically ...::1 .
• ip6prefix: The tunnel provider gives you also a routable prefix, typically either /48 or /64, for example '2001:DB8:1112::/48' or '2001:DB8:1234:ABCD::/64'. Your LAN clients will get addresses from that prefix.

You should also add an address from your routed IPv6 network to the “lan” interface.

To apply IPv6 firewall rules to the tunnel interface, add it to the “wan” firewall zone, see example above for details.

The password entered above should be the md5sum of the password you use to log in to tunnelbroker.net.

If your tunnel provider gives you a routable /48, /56 or /60 prefix, use that (instead of the /64), as a wider prefix will allow you to properly pass routable /64 prefixes to several networks (lan, guest, …).

Note that HE.net assigns an “updatekey” by default for new tunnels since February 2014. If updatekey exists (visible in tunnel's advanced info page at the HE.net site), it needs to be used instead of the password. Old tunnels without updatekey will continue to work with password.

To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:

# /etc/config/firewall
config rule
        option name     'Allow-protocol-41'
        option src      'wan'
        option proto    '41'
        option target   'ACCEPT'

HE.net users also report use of protocol 59, which should be allowed but limited to length of 40 bytes:

# /etc/config/firewall
config rule
    option name         'Allow-protocol-59'
    option src          'wan'
    option proto        '59'
    option target       'ACCEPT'
    option extra        '-m length --length 40' # package 'iptables-mod-ipopt' must be installed for length matching

See below for advanced configuration options.

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface sixbone would result in an interface named 6in4-sixbone.

HE.net has introduced updatekey as default for new tunnels in February 2014.

username, password and updatekey are all plaintext entries.

One of the ustream SSL Library variants (package libustream-*) should be installed for HE.net endpoint update to be performed over https. (optional for https: install packages ca-certificates and ca-bundle for server certificate validation.) Otherwise endpoint update will be performed over http.

Although ip6prefix isn't required, sourcefilter is enabled by default and prevents forwarding of packets unless ip6prefix is specified.

6rd is a tunnel mechanism based on 6to4. Unlike other tunneling mechanisms, 6rd is usually provided by the ISP itself.

The package 6rd must be installed to use this protocol.

The configuration of 6rd is usually auto-detected and manual configuration is not needed, simply installing the 6rd package (and rebooting) is usually enough.

To automatically configure 6rd from dhcp you need to create an interface with option auto 0 and put its name as the 'iface6rd' parameter. In addition you also need to add its name to a suitable firewall zone in /etc/config/firewall.

# /etc/config/network
config interface 'wan6'
        option proto '6rd'
        option peeraddr '77.174.0.2'
        option ip6prefix '2001:838:ad00::'
        option ip6prefixlen '40'
        option ip4prefixlen '16'

To debug 6rd via DHCP, first check if the parameters are sent. Create a /etc/udhcpc.user file with the following content:

#!/bin/sh
env >> /tmp/udhcpc.log

Reboot the router and check the log file /tmp/udhcpc.log for the following line:

ip6rd=16 40 2001:0838:ad00:0000:0000:0000:0000:0000 77.174.0.2

If this line isn't present, you need to obtain the correct values for peeraddr, ip6prefix, ip6prefixlen and ip4prefixlen from your ISP. The above ip6rd or the obtained values can be used to hardcode the 6RD tunnel. Remove or comment out the iface6rd line in the wan section.

If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.

Below configuration options are only needed for hardcoding the 6rd tunnel.

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6rd-wan6.

Some ISP's give you the number of bytes you should use from your WAN IP to calculate your IPv6 address. ip4prefixlen expects the prefix bytes of your WAN IP to calculate the IPv6 address. So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14).

This is another transitional mechanism for IPv6 used by some ISPs, it relies on a L2TPv2 tunnel.

The package xl2tpd must be installed to use this protocol. It will handle the L2TP tunnel and PPP session.

The high-level description of the tunneling is the following:

1. a L2TP tunnel is created, encapsulated in UDP packets over IPv4
2. a PPP session is established inside the tunnel
3. IPv6CP (see RFC 5072) is used to negotiate link-local IPv6 addresses
4. an IPv6 prefix is obtained thanks to DHCPv6

This howto is derived from an experience with SFR, in France (FTTH residential access). It might apply to other ISPs as well.
In the case of SFR, steps 1 and 2 require an authentication. Fortunately, the L2TP password is hardcoded. The PPP password is not, but it's sent as cleartext, so a simple sniffing is enough to recover it.

# /etc/config/network
config interface 6pe
        option proto l2tpv2
        option server <LNS address>
        option username '<PPP username>'
        option password '<PPP password>'
        option keepalive '6'
        option ipv6 '1'
 
config interface 'wan6'
        option ifname '@6pe'
        option proto 'dhcpv6'

If you need authentication at the L2TP level (before PPP):

# /etc/xl2tpd/xl2tp-secrets
* * my_l2tp_password

At this point, running /etc/init.d/network reload or simply running ifup wan6 should give you a fully working IPv6 setup.
To debug, look at the logs (logread) and the interfaces status (ifstatus 6pe and ifstatus wan6).

Advanced options for this protocol are below.

Most options are similar to protocol “ppp”.

The name of the physical interface will be “l2tp-<logical interface name>”.

6to4 is the simplest IPv6 tunneling mechanism and relies on publicly available gateways.

The package 6to4 must be installed to use this protocol.

# /etc/config/network
config interface 'wan6'
        option proto '6to4'

If you choose a name for your tunnel-interface that is different from 'wan6' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.

See below for advanced configuration options.

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6to4-wan6.

ds-lite is a transitioning-mechanism which is used by ISPs to support legacy IPv4-connectivity over a native IPv6 connection.

The package ds-lite must be installed to use this protocol.

The configuration is usually auto-detected and manual configuration is not needed, simply installing the ds-lite package (and restarting the network interfaces like when changing the configuration) is usually enough.

# /etc/config/network
config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
 
config interface 'wan'
        option proto 'dslite'
        option peeraddr '2001:db80::1' # Your ISP's DS-Lite AFTR

If you choose a name for your tunnel-interface that is different from 'wan' make sure to add that name to the network-option of the firewall-zone 'wan' in /etc/config/firewall.

See below for advanced configuration options.

ds-lite operation requires that IPv4 NAT is disabled. You should adjust your settings in /etc/config/firewall accordingly.

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan would result in an interface named dslite-wan.