Enabling IPv6 via 6to4 on a DD-WRT Router

This is based on the official DD-WRT documentation. My DD-WRT version is DD-WRT v24-sp2 (06/08/12) mega (SVN revision 19342), and the router is an ASUS RT-N16.

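Requirements:

  • jffs is enabled on the DD-WRT router.
  • You have a public IP address. This article uses PPPoE dial-up as the example.
  • Your ISP routes the 6to4 tunnel.

Once configured, all devices on the LAN automatically obtain an IPv6 address from the router, and sites such as Google and YouTube are reached over IPv6 automatically, although they are blocked by the GFW. The setup below does not conflict with OpenVPN; you can run OpenVPN-based global firewall circumvention and IPv6 on the DD-WRT router at the same time.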

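Download the IPv6 kernel modules

Check the DD-WRT kernel version with `uname -r` and download the matching IPv6 kernel modules. The kernel version of current DD-WRT K26 builds is 2.6.24.111; the IPv6 modules for this version can be downloaded from here. After downloading, put the three files nf_conntrack_ipv6.ko, ip6_tables.ko and ip6table_filter.ko in the router's jffs space.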

IPv6 configuration

In the DD-WRT web interface, under Administration – IPv6 Support, enable IPv6 and Radvd, then enter the following in "Radvd config":

interface br0 {
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1472;
    AdvSendAdvert on;
    prefix 0:0:0:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 86400;
        AdvPreferredLifetime 86400;
        Base6to4Interface ppp0;
        AdvRouterAddr on;
    };
};

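If you do not connect via PPP dial-up, change ppp0 to the name of your WAN interface (you can check it with ifconfig).

Create the startup script

Under /jffs/etc/config/, create a *.startup file (any name). It loads the IPv6 kernel modules automatically when DD-WRT boots.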

#!/bin/sh
MODPATH=/jffs/sagan/lib/modules/`uname -r`
KMODS='ip6_tables.ko ip6table_filter.ko nf_conntrack_ipv6.ko'
for x in $KMODS; do
  insmod $MODPATH/$x
done
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv6/ipv6.ko
#Enable IPv6 forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

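Change MODPATH to the path where you stored the downloaded IPv6 kernel modules.

Create the IPUP and IPDOWN scripts

Under /jffs/etc/config/, create a *.ipup file (any name). It brings up IPv6 automatically when the network connection is established.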

#!/bin/sh

WANIP=`ifconfig ppp0 | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f1`
if [ -n "$WANIP" ]
then
	V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
	ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP
	ip link set tun6to4 mtu 1472
	ip link set tun6to4 up
	ip addr add $V6PREFIX:0::1/16 dev tun6to4
	ip addr add $V6PREFIX:1::1/64 dev br0
	ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
	
	# Not working in dd wrt, I do not know why
	#kill -HUP $(cat /var/run/radvd.pid)
fi

# Start radvd (the IPv6 router advertisement daemon). It will run in the background
killall radvd
radvd -C /tmp/radvd.conf start
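
The ipup script above builds V6PREFIX from whatever address ifconfig reports on ppp0, so a private or carrier-NAT address (which fails the public-IP requirement) would still produce a prefix that can never route. The following is an added example, not part of the original post: a POSIX sh check that could guard that step. The function names `is_public_ipv4` and `six_to_four_prefix` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# is_public_ipv4 ADDR: succeed only for a well-formed, publicly routable IPv4.
is_public_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, or empty octet
    esac
    set -- $(echo "$1" | tr . ' ')             # split into octets (same idiom as the ipup script)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ????*|0?*) return 1 ;;             # too long, or leading zero (printf would read it as octal)
        esac
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;   # this-net, RFC 1918, loopback, link-local
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi   # 172.16.0.0/12
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi  # CGNAT 100.64.0.0/10
    if [ "$1" -ge 224 ]; then return 1; fi     # multicast and reserved space
    return 0
}

# six_to_four_prefix ADDR: print the 2002:WWXX:YYZZ (/48) prefix, or fail
# without output when ADDR cannot be used for 6to4.
six_to_four_prefix() {
    is_public_ipv4 "$1" || return 1
    # Unquoted on purpose: the four octets must reach printf as four arguments.
    printf '2002:%02x%02x:%02x%02x\n' $(echo "$1" | tr . ' ')
}
```

In the ipup script, `V6PREFIX=$(six_to_four_prefix "$WANIP") || exit 0` would skip tunnel setup instead of advertising an unusable prefix to the LAN.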

Likewise, create a *.ipdown file with the following content:

#!/bin/sh

killall radvd
ip tunnel del tun6to4

Create the iptables rules

In the DD-WRT web interface, go to Administration – Commands, edit the firewall script and add the following lines (create a new firewall script if there is none):

# ipv6
# IMPORTANT!!!

#clear and reset default
ip6tables -F

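# set default policy
# Note: with INPUT set to ACCEPT, the INPUT rules below do not restrict anything;
# IPv6 services on the router itself stay reachable through tun6to4.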
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6to4 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packet types, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs

OpenVPN

If you also run OpenVPN on DD-WRT, add the following line to the OpenVPN configuration file:

# 6to4 ipv6 tunnel
route 192.88.99.1 255.255.255.255 net_gateway 5

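Done. Reboot the router, then restart networking in the Windows network settings (for Wi-Fi, disconnect and reconnect; for a wired NIC, disable and then re-enable the network adapter). You should now see the IPv6 address your machine has obtained.

You can test by visiting http://ipv6.google.com/.

PS. 192.88.99.1 is the generic 6to4 unicast address allocated by ICANN; which node you actually connect to depends on your ISP. Here (Jiangsu), China Telecom routes 192.88.99.1 to he.net's IPv6 network in the US, and the speed is acceptable.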
