A brief guide to getting native (i.e. not tunneled) IPv6 running over PPPoE on PC Engines alix2 boards:


  • Build the squashfs image on Ubuntu
$ sudo apt-get install subversion libncurses5-dev zlib1g-dev bison flex autoconf
$ mkdir kamikaze
$ cd kamikaze/
$ svn co https://svn.openwrt.org/openwrt/trunk/
$ cd trunk/
$ make menuconfig

Target System: x86 / Target Profile: PCEngines Alix / Kernel partition size: 12 / Filesystem part size: <e.g. 224MB for a 256MB card>
Base package: qos-scripts, wireless-tools / Network: hostapd-mini, hostapd-utils, ip, iw, wpa-supplicant, wpa-cli
IPv6: ip6tables / Wireless driver: kmod-madwifi

$ ./scripts/feeds update -a
$ make package/symlinks
$ make menuconfig

Administration - webif: webif, webif-lang-de, webif-theme-xwrt

$ make
  • Write the image to the CF card. Caution: the device must not be mounted!
$ sudo dd if=bin/openwrt-x86-squashfs.image of=/dev/<device of the CF card> bs=16k
  • Insert the card into the alix2c0, connect the serial cable, start minicom at 38400 baud and boot the alix2c0
  • Set a password with passwd
  • Configure PPPoE for IPv6
# vi /etc/ppp/options

+ipv6
#debug
logfile /var/log/ppp.log

  • Disable IPv6 autoconfiguration
# vi /etc/init.d/network
boot() {
        echo "0" >/proc/sys/net/ipv6/conf/all/autoconf
        echo "0" >/proc/sys/net/ipv6/conf/default/autoconf
        echo "0" >/proc/sys/net/ipv6/conf/all/accept_ra
  • Configure the network
# vi /etc/config/network
config interface wan
option ifname eth1
option proto pppoe
option username '<user>'
option password '<pass>'
option ppp_redial 'persist'
config  interface lan
option ip6addr <IPv6 address/netmask>
  • Enable IPv6 forwarding
# echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
# vi /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1
  • Restart the network
# /etc/init.d/network restart
# /etc/init.d/firewall restart
  • Install and configure radvd (announce the gateway's IPv6 address on the LAN)
# opkg update
# opkg install radvd

# vi /etc/config/radvd
config interface
#option ignore 1
config prefix
option prefix '<IPv6 network>'
#option ignore 1
  • Enable radvd
# /etc/init.d/radvd enable
  • Create the IPv6 firewall script

# vi /etc/init.d/firewall6
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

## Please make changes in /etc/firewall6.user
START=45

start() {
echo "Starting firewall (IPv6)..."
[ -f /etc/firewall6.user ] && . /etc/firewall6.user

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# --> Firewall
ip6tables -A INPUT -i ! ${UPLINK} -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable

# --> LAN
ip6tables -A FORWARD -i ! ${UPLINK} -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Note: same rule as in the INPUT section above (the chain here is INPUT, not FORWARD)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
for x in ${TCPSERVICES}; do
ip6tables -A FORWARD -p tcp --dport ${x} -j ACCEPT
done
for x in ${UDPSERVICES};do
ip6tables -A FORWARD -p udp --dport ${x} -j ACCEPT
done
ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable

#explicitly disable ECN
if [ -e /proc/sys/net/ipv6/tcp_ecn ]; then
echo 0 > /proc/sys/net/ipv6/tcp_ecn
fi
}

stop() {
echo "Stopping firewall (IPv6)..."
ip6tables -F INPUT
ip6tables -P INPUT ACCEPT
ip6tables -F FORWARD
ip6tables -P FORWARD ACCEPT
}
  • Configure the IPv6 firewall

# vi /etc/firewall6.user
#wan interface
UPLINK="ppp0"

#allowed services from wan to lan
TCPSERVICES="22 80"
UDPSERVICES=""
  • Enable the firewall
# /etc/init.d/firewall6 enable
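
To check what the IPv6 firewall above actually exposes on the uplink, the loaded rules can be dumped with ip6tables -S and audited. The following is an added example, not part of the original guide: the function name audit_fw6 and the sample dump are constructed, and the dump assumes the normalised form that ip6tables -S prints (for example "! -i ppp0" and "-p tcp -m tcp --dport N").

```shell
# Constructed sample, shaped like `ip6tables -S` output for the rules above.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT ! -i ppp0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD ! -i ppp0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset'

# audit_fw6 UPLINK: reads rules on stdin, prints one finding per line.
# Exit status is 1 unless both INPUT and FORWARD default to DROP.
audit_fw6() {
    awk -v up="$1" '
    $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") {
        print "policy " $2 " " $3
        if ($3 != "DROP") bad = 1
        seen[$2] = 1
        next
    }
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") && $NF == "ACCEPT" {
        proto = ""; port = ""; lanonly = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-i") {
                # negated uplink or a different inbound interface:
                # the rule cannot match traffic arriving on the uplink
                neg = ($(i - 1) == "!")
                if ((neg && $(i + 1) == up) || (!neg && $(i + 1) != up)) lanonly = 1
            }
        }
        # report only port-specific ACCEPT rules reachable from the uplink
        if (!lanonly && port != "") print "wan-open " $2 " " proto "/" port
    }
    END { if (bad || !seen["INPUT"] || !seen["FORWARD"]) exit 1 }
    '
}
```

On the router itself: ip6tables -S | audit_fw6 ppp0. The "wan-open" lines should list exactly the ports in TCPSERVICES and UDPSERVICES for FORWARD, plus 22 and 80 for INPUT.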
