Eine knappe Anleitung, wie man auf alix2-Boards von PC Engines natives IPv6 (also nicht getunnelt) über PPPoE zum Laufen bringt:
- Squashfs-Image unter Ubuntu erstellen
$ sudo apt-get install svn libncurses5-dev zlib1g-dev bison flex autoconf
$ mkdir kamikaze
$ cd kamikaze/
$ svn co https://svn.openwrt.org/openwrt/trunk/
$ make menuconfig
Target System: x86 / Target Profile: PCEngines Alix / Kernel partition size: 12 / Filesystem part size: <z.B. 224MB bei einer 256MB-Karte>
Base package: qos-scripts, wireless-tools / Network: hostapd-mini, hostapd-utils, ip, iw, wpa-supplicant, wpa-cli
IPv6: ip6tables / Wireless driver: kmod-madwifi
$ ./scripts/feeds update -a
$ make package/symlinks
$ make menuconfig
Administration - webif: webif, webif-lang-de, webif-theme-xwrt
$ make
- Image auf CF schreiben. Achtung: Device darf nicht gemountet sein!
$ sudo dd if=bin/openwrt-x86-squashfs.image of=/dev/<Device der CF-Karte> bs=16k
- Karte in alix2c0 einstecken, Serielles Kabel anschliessen, minicom mit 38400 Baud starten und alix2c0 booten
- Passwort setzen mit passwd
- PPPoE fuer IPv6 konfigurieren
# vi /etc/ppp/options+ipv6
#debug
logfile /var/log/ppp.log
- IPv6 Autoconf abstellen
# vi /etc/init.d/network
boot() {
echo "0" >/proc/sys/net/ipv6/conf/all/autoconf
echo "0" >/proc/sys/net/ipv6/conf/default/autoconf
echo "0" >/proc/sys/net/ipv6/conf/all/accept_ra
- Netzwerk konfigurieren
# vi /etc/config/network
config interface wan
option ifname eth1
option proto pppoe
option username '<user>'
option password '<pass>'
option ppp_redial 'persist'
config interface lan
option ip6addr <IPv6-Adresse/Netzmaske>
- IPv6-Forwarding aktivieren
# echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
# vi /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1
- Netzwerk neu starten
# /etc/init.d/network restart
# /etc/init.d/firewall restart
- radvd installieren und konfigurieren (IPv6-Adresse des Gateways im LAN announcen)
# opkg update
# opkg install radvd
# vi /etc/config/radvd
config interface
#option ignore 1
config prefix
option prefix '<IPv6-Netz>'
#option ignore 1
radvd aktivieren
# /etc/init.d/radvd enable
IPv6-Firewall-Script erstellen
# vi /etc/init.d/firewall6
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall6.user
START=45
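start() {
  # Install the IPv6 packet filter: default-deny on INPUT and FORWARD, then
  # allow LAN-originated traffic, return traffic, and the services configured
  # in /etc/firewall6.user.
  # Globals read: UPLINK, TCPSERVICES, UDPSERVICES (set by /etc/firewall6.user)
  # Returns: non-zero if UPLINK is empty; the chains are then left at DROP.
  echo "Starting firewall (IPv6)..."

  # Start from empty chains so that running start twice does not stack
  # duplicate rules. The TCPMSS rule is removed by exact match instead of
  # flushing the mangle table, which other scripts may also use.
  ip6tables -F INPUT
  ip6tables -F FORWARD
  while ip6tables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null; do
    :
  done

  [ -f /etc/firewall6.user ] && . /etc/firewall6.user

  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP

  # Without UPLINK the "not the uplink" rules below cannot be built. Fail
  # closed (policies stay DROP) rather than installing a partial rule set.
  if [ -z "${UPLINK}" ]; then
    echo "firewall6: UPLINK is not set (see /etc/firewall6.user); IPv6 INPUT/FORWARD stay at policy DROP" >&2
    return 1
  fi

  # --> Firewall (traffic addressed to the router itself)
  # "! -i IFACE" replaces the deprecated "-i ! IFACE" spelling.
  ip6tables -A INPUT ! -i "${UPLINK}" -j ACCEPT
  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # All ICMPv6 types are accepted, on every interface.
  ip6tables -A INPUT -p icmpv6 -j ACCEPT
  # These two rules expose the router's own web UI (port 80, plain HTTP) and
  # SSH to the uplink. Remove them if the router is only administered from
  # the LAN.
  ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
  ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
  ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable

  # --> LAN (forwarded traffic)
  ip6tables -A FORWARD ! -i "${UPLINK}" -j ACCEPT
  ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # NOTE(review): the original repeated "-A INPUT -p icmpv6 -j ACCEPT" here.
  # It could never match after the identical INPUT rule above, so it is
  # dropped. If FORWARD was intended, accept only the ICMPv6 types that are
  # needed rather than the whole protocol. Confirm with the author.

  # The port lists are split on whitespace on purpose. The rules match the
  # destination port only, so each port is opened towards every LAN host.
  for x in ${TCPSERVICES}; do
    ip6tables -A FORWARD -p tcp --dport "${x}" -j ACCEPT
  done
  for x in ${UDPSERVICES}; do
    ip6tables -A FORWARD -p udp --dport "${x}" -j ACCEPT
  done
  ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
  ip6tables -A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable

  # explicitly disable ECN
  # NOTE(review): on Linux the TCP ECN switch is net.ipv4.tcp_ecn, so this
  # path probably never exists and the block is a no-op. Confirm.
  if [ -e /proc/sys/net/ipv6/tcp_ecn ]; then
    echo 0 > /proc/sys/net/ipv6/tcp_ecn
  fi
}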
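stop() {
  # Remove the IPv6 filter rules and reset both chains to policy ACCEPT.
  # With IPv6 forwarding enabled, every LAN host that has a global address
  # is then reachable from the uplink without any filtering until start()
  # runs again.
  echo "Stopping firewall (IPv6)..."
  ip6tables -F INPUT
  ip6tables -P INPUT ACCEPT
  ip6tables -F FORWARD
  ip6tables -P FORWARD ACCEPT
  # start() also appends a TCPMSS clamp rule to the mangle table. Without
  # this cleanup every stop/start cycle leaves one more copy behind. Only
  # that exact rule is deleted, so other mangle rules stay untouched.
  while ip6tables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null; do
    :
  done
}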
IPv6-Firewall konfigurieren
# vi /etc/firewall6.user
# Interface facing the provider. /etc/init.d/firewall6 treats every other
# interface as trusted.
UPLINK='ppp0'
# Destination ports accepted from the uplink towards the LAN. The FORWARD
# rules in /etc/init.d/firewall6 match the port only, not the destination
# address, so each port listed here is reachable on every LAN host.
TCPSERVICES='22 80'
UDPSERVICES=''
- Firewall aktivieren
# /etc/init.d/firewall6 enable