A week later and my account had enough credits to request the subnet. I got a /48 network, or in otherwords, I have a network with 80 bits which I can use! This are more address then the whole IPv4 address space has! 😎
When you have the approval for the subnet SixXS did allready a lot of work for you: They sent you the actual address, and they make sure that this subnet is routed to your router address. So you only need to assign the addresses to your devices.
First of all we have to create some firewall rules. Create an UCI interface for the sixxs interface in /etc/config/network to use the OpenWRT built in firewall capabilities:
config 'interface' 'sixxs' option 'proto' 'none' option 'ifname' 'sixxs' option 'send_rs' '0'
Create a zone for that interface and some rules to /etc/config/firewall. To allow pings to my hosts on the inside network I have to allow forwarding globally (this listing contains only the relevant parts):
config 'defaults' ... option 'forward' 'ACCEPT' config 'rule' option '_name' 'IPv6' option 'family' 'ipv6' option 'src' 'wan6' option 'target' 'ACCEPT' option 'proto' 'icmp' option 'dest' 'lan' option 'icmp_type' 'echo-request' config 'zone' option 'name' 'wan6' option 'output' 'ACCEPT' option 'network' 'sixxs' option 'family' 'ipv6' option 'forward' 'REJECT' option 'input' 'REJECT' config 'forwarding' option 'dest' 'wan6' option 'src' 'lan'
Then you have to set the IPv6 for your router’s LAN interface by editing /etc/config/network (it’s also possible to do this using the web interface)
config 'interface' 'lan' ... option 'ip6addr' '2001:xxxx:xxx::1/64'
Restart the network and firewall
/etc/init.d/network restart /etc/init.d/firewall restart
Although I’ve a /48 subnet I’m using a /64 subnet here. IPv6 has an autoconfiguration mechanism to set the IP addresses. The clients are able to create an IPv6 address using a prefix and their unique EUI-64 (extended unique identifier, which is a 64-bit backward compatible MAC address, or in other words, it’s the 48-bit mac address with some zero’s preceding). The router has to announce its presence and provide a prefix to the clients. This prefix has to be 64-bit, the client then simply combines that prefix with its EUI-64 address to create a unique IPv6 address. Using another prefix length ends in an error message:
netgear daemon.warn radvd[15361]: prefix length should be 64 for br-lan
This prefix announcements are called Router Advertisement (or for short, RA) and are sent periodically. On the other side, the clients can send Router Solicitiations (RS). The router normally answers them with an RA immediately. On Linux systems the daemon radvd can be used doing this:
opkg update opkg install radvd
Enable the configuration in the file /etc/config/radvd and start the daemon
config 'interface' option 'interface' 'lan' option 'AdvSendAdvert' '1' option 'IgnoreIfMissing' '1' option 'AdvSourceLLAddress' '1' option 'AdvDefaultPreference' 'medium' option 'ignore' '0' config 'prefix' option 'interface' 'lan' option 'AdvOnLink' '1' option 'AdvAutonomous' '1' option 'ignore' '0'
/etc/init.d/radvd enable /etc/init.d/radvd start
By default, the daemon uses the prefix of the IPv6 address from the interface it is using. We configured that already, so no need to configure a prefix here.
By this time, your clients should get an IPv6 and be able to connect over IPv6!
Some useful IPv6 links:
- Something to test (only reachable through IPv6): http://ipv6.google.com/
- Dual-Stack test: http://ipv6-test.com/
- Portscanner: http://ipv6.chappell-family.com/cgi-bin6/ipscan-js.cgi
config 'rule' option 'target' 'ACCEPT' option '_name' 'IPv6' option 'src' 'wan6' option 'proto' 'icmp' option 'family' 'ipv6' option 'icmp_type' 'echo-request'
0 Comments.