Monday, July 29, 2013

IPv6 on OpenWRT

A short digression to set up IPv6 on OpenWRT 



Linksys WRT54GL running OpenWRT "Backfire"
BusyBox v1.15.3 (2010-04-06 04:08:20 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03, r20728) --------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:/etc/config# uname -a
Linux OpenWrt 2.6.32.10 #20 Tue Apr 6 15:53:48 CEST 2010 mips GNU/Linux

WAN interface is configured for dual-stack PPPoE.
root@OpenWrt:/etc/config# cat network

config 'switch' 'eth0'
        option 'enable' '1'

config 'switch_vlan' 'eth0_0'
        option 'device' 'eth0'
        option 'vlan' '0'
        option 'ports' '0 1 2 3 5'

config 'switch_vlan' 'eth0_1'
        option 'device' 'eth0'
        option 'vlan' '1'
        option 'ports' '4 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.2.1'
        option 'defaultroute' '0'
        option 'peerdns' '0'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'pppoe'
        option 'username' 'test1@ipv6.eircom.net'
        option 'password' 'test1'
        option 'defaultroute' '1'
        option 'peerdns' '1'
        option 'ipv6' '1'

DHCP6c is the DHCPv6 client used to obtain an IPv6 prefix from the WAN
root@OpenWrt:/etc/config# cat dhcp6c

config 'dhcp6c' 'basic'
        option 'enabled' '1'      # 1 = enabled
        option 'interface' 'wan'  # Interface the DHCPv6 client will run on
        option 'debug' '1'        # 1 = enabled

# Send options (1 = send; 0 = do not send)
        option 'pd' '1'           # Prefix Delegation
        option 'na' '0'           # Non-Temporary Address
        option 'rapid_commit' '0' # Rapid Commit

# Request options (1 = request; 0 = do not request)
        option 'domain_name_servers' '1'
        option 'domain_name' '0'
        option 'ntp_servers' '0'
        option 'sip_server_address' '0'
        option 'sip_domain_name' '0'
        option 'nis_server_address' '0'
        option 'nis_domain_name' '0'
        option 'nisp_server_address' '0'
        option 'nisp_domain_name' '0'
        option 'bcmcs_server_address' '0'
        option 'bcmcs_domain_name' '0'

# Define interfaces on which prefixes should be assigned

config 'interface' 'loopback'
        option 'enabled' '1'      # 1 = enabled
        option 'sla_id' '0'       # Subnet ID
        option 'sla_len' '8'      # Subnet length (64 – 56 = 8)

config 'interface' 'lan'
        option 'enabled' '1'
        option 'sla_id' '1'
        option 'sla_len' '8'

RADVD is the Router Advertisement Daemon used to assign IPv6 addresses to hosts on the LAN
root@OpenWrt:/etc/config# cat radvd
config 'interface'
        option 'interface'      'lan'
        option 'AdvSendAdvert'  '1'
        option 'AdvManagedFlag' '0'
        option 'AdvOtherConfigFlag' '1'
        option 'MaxRtrAdvInterval' '60'
        option 'AdvDefaultLifetime' '60'
        option 'ignore'         '0'

config 'prefix'
        option 'interface'      'lan'
        option 'AdvOnLink'      '1'
        option 'AdvAutonomous'  '1'
        option 'AdvRouterAddr'  '1'

Saturday, July 20, 2013

DHCP

The utility dnsmasq handles both DNS and DHCP. Settings are contained in /etc/dnsmasq.conf
root@voyage:/etc# more dnsmasq.conf

#Use this range for dynamic address assignments
dhcp-range=192.168.11.128,192.168.11.192,12h

#Reserve this range for static assignments
# NOTE(review): dnsmasq documents the field order as <start>[,<end>|static][,<netmask>]...;
# confirm that it accepts the netmask *before* the 'static' keyword as written
# here (look for a "bad dhcp-range" message in syslog after the restart).
dhcp-range=192.168.11.0,255.255.255.128,static

#Give this machine a particular IP address with an infinite lease
# The first field here appears to be a hostname rather than a MAC address;
# hostnames are supplied by the client itself, so this reservation is a
# convenience, not something to build access rules on.
dhcp-host=Lorcan-PC,192.168.11.112,infinite

Saturday, June 1, 2013

OpenDNS web filtering

I don't have any immediate need for website filtering but I was curious about the OpenDNS solution, so I set up an account and configured the router to use the OpenDNS nameservers. DNS (and DHCP) is handled by dnsmasq. ddclient is used to pass the IP address of the router to OpenDNS so that they can match it with my account in order to block certain domains and provide stats. To stop users getting around the OpenDNS restrictions by configuring a different nameserver on the PC, the iptables firewall is configured not to forward DNS requests (only to proxy them).

Configure ddclient address updater
root@voyage:~# vi /etc/ddclient.conf
# check every 600 seconds
daemon=600
# log update msgs to syslog
syslog=yes
# Mail failed updates to user
mail-failure=lorcan@horrorthon.com
# record PID in file.
pid=/var/run/ddclient.pid

## DynDNS
use=web, web=checkip.dyndns.com, web-skip='IP Address'
protocol=dyndns2
server=members.dyndns.org
login=xxxxx
password=xxxxxx
xxxxx.dyndns-remote.com

## OpenDNS
use=web, web=myip.dnsomatic.com
protocol=dyndns2
ssl=yes
server=updates.opendns.com
login=xxxxx@xxxxx.com
password=xxxxx
opendns_network_label

Restart ddclient in debug mode
root@voyage:~# ddclient stop 
root@voyage:~# ddclient -daemon=0 -debug -verbose -noquiet -force

Tell dnsmasq to get nameservers from a file (not from the ISP)
root@voyage:~# vi /etc/dnsmasq.conf
resolv-file=/etc/resolv.conf.opendns

Add OpenDNS nameservers to this file
root@voyage:~# vi /etc/resolv.conf.opendns
# Upstream resolvers handed to dnsmasq through resolv-file= in /etc/dnsmasq.conf.
nameserver 127.0.0.1
# NOTE(review): 206.67.222.222 is not in the 208.67.x.x range used by the next
# entry (the published OpenDNS resolvers are 208.67.222.222 and 208.67.220.220);
# this looks like a typo for 208.67.222.222 - confirm before relying on it, since
# a wrong resolver sends queries to an unrelated host or silently fails over.
nameserver 206.67.222.222
nameserver 208.67.220.220

Restart dnsmasq
root@voyage:~# /etc/init.d/dnsmasq restart

Add firewall rules to the interface startup script
root@voyage:~# vi /etc/network/if-up.d/firewall
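# DNS filtering policy: dnsmasq on the router is the only resolver LAN hosts
# may use.  The router itself must accept DNS queries (INPUT) and reach its
# upstream resolvers (OUTPUT); queries that would pass THROUGH the router to
# some other resolver (FORWARD) are dropped.  DNS runs over TCP as well as
# UDP (large responses, retry after truncation), so both are covered -
# a UDP-only rule leaves a trivial bypass.
#
# NOTE(review): -A appends.  If an earlier part of this script already adds a
# blanket ACCEPT to FORWARD, these DROP rules land after it and never match;
# in that case insert them at the top with `iptables -I FORWARD 1 ...` instead.
iptables -A INPUT   -p udp --dport 53 -j ACCEPT   #  allow inbound DNS (to dnsmasq)
iptables -A INPUT   -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT  -p udp --dport 53 -j ACCEPT   #  allow outbound DNS (dnsmasq to upstream)
iptables -A OUTPUT  -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j DROP     #  do not forward DNS: LAN hosts must use the router
iptables -A FORWARD -p tcp --dport 53 -j DROP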


root@voyage:/var/run/resolvconf# vi /etc/default/dnsmasq
# This file has five functions:
# 1) to completely disable starting dnsmasq,
# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
# 3) to select an alternative config file
#    by setting DNSMASQ_OPTS to --conf-file=<file>
# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
#    more configuration variables.
# 5) to stop the resolvconf package from controlling dnsmasq's
#    idea of which upstream nameservers to use.
# For upgraders from very old versions, all the shell variables set
# here in previous versions are still honored by the init script
# so if you just keep your old version of this file nothing will break.

#DOMAIN_SUFFIX=`dnsdomainname`
#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"

# Whether or not to run the dnsmasq daemon; set to 0 to disable.
ENABLED=1

# By default search this drop directory for configuration options.
# Libvirt leaves a file here to make the system dnsmasq play nice.
# Comment out this line if you don't want this. The dpkg-* are file
# endings which cause dnsmasq to skip that file. This avoids pulling
# in backups made by dpkg.
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

# If the resolvconf package is installed, dnsmasq will use its output
# rather than the contents of /etc/resolv.conf to find upstream
# nameservers. Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=<filename>" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.

# Set here so that the resolv-file=/etc/resolv.conf.opendns line in
# /etc/dnsmasq.conf is honoured instead of resolvconf's upstream list;
# without this the ISP's nameservers would still be used and the OpenDNS
# filtering would be silently bypassed.
IGNORE_RESOLVCONF=yes

Monday, May 6, 2013

More PPTP routes

The PPTP script is updated to add routes to Piratebay (blocked by eircom) and to 4OD. Channel 4's original content is fine but some US shows like Big Bang Theory are blocked outside the UK. I just ran Wireshark and noted the destination address of the HTTP GET message that is sent when clicking play on UK-only content. Messages to that address are then routed via the PPTP tunnel so they appear to originate in the UK. I found a few subnets that are used for this service and there may be more (4OD seem to use Amazon Web Services, so potentially all AWS subnets may need to be added).

root@voyage:/etc/ppp/ip-up.d# vi MPN-UK
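#!/bin/sh
# /etc/ppp/ip-up.d/MPN-UK
#
# pppd runs every script in /etc/ppp/ip-up.d once a PPP link is up, with the
# link's name in PPP_IPPARAM and its interface (e.g. ppp0) in IFNAME.  For the
# "MPN-UK" PPTP tunnel this script routes a set of destination subnets via the
# tunnel and masquerades them so they leave with the tunnel's address.
#
# Notes:
#  * Each prefix below is routed in full, so ALL traffic to those ranges - not
#    only the intended web sites - leaves through the tunnel provider.  Several
#    of them (54.216.0.0/15, 46.x, 79.x, 68.x) are cloud-hosting blocks shared
#    by many unrelated services; keep the list as narrow as possible.
#  * ip-up runs on every (re)connect.  iptables rules are only added when not
#    already present, so they do not accumulate across reconnects.

echo "Running /etc/ppp/ip-up.d/MPN-UK..."

# add_tunnel_route PREFIX
#   Route PREFIX via the tunnel interface and allow output to it.
#   A route failure (e.g. the prefix is already routed) is reported but is not
#   fatal, so the remaining prefixes are still processed.
add_tunnel_route() {
  /sbin/route add -net "$1" dev "${IFNAME}" \
    || echo "MPN-UK: warning: could not add route to $1 via ${IFNAME}" >&2
  # -C (check) exists in iptables >= 1.4.11; if it is missing the check fails
  # and the rule is inserted unconditionally, which is the old behaviour.
  iptables -C OUTPUT -d "$1" -o "${IFNAME}" -j ACCEPT 2>/dev/null \
    || iptables -I OUTPUT 1 -d "$1" -o "${IFNAME}" -j ACCEPT
}

if [ "${PPP_IPPARAM}" = "MPN-UK" ]; then

  echo "Add route to bbc.co.uk"
  # NOTE(review): 212.0.0.0/8 is the entire 212.x.x.x block, far more than the
  # BBC.  The previous iptables rule used 212.58.240.0/8, which with a /8 mask
  # is the same network; route and rule are made consistent here.  Narrow it
  # to the real BBC prefix once confirmed.
  add_tunnel_route 212.0.0.0/8

  echo "Add route to piratebay"
  add_tunnel_route 194.71.107.0/24

  echo "Add route to 4od"
  for net in 79.125.0.0/17 68.232.0.0/16 46.51.128.0/18 \
             46.137.0.0/17 86.98.16.0/20 54.216.0.0/15; do
    add_tunnel_route "$net"
  done

  echo "NAT"
  # Masquerade everything leaving via the tunnel so replies come back to it.
  iptables -t nat -C POSTROUTING -o "${IFNAME}" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -o "${IFNAME}" -j MASQUERADE

fi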