Monthly Archive for September, 2012

Enabling IPv6 on a DD-WRT router with a 6to4 tunnel

This follows the official DD-WRT documentation. I am using DD-WRT v24-sp2 (06/08/12) mega (SVN revision 19342) on an ASUS RT-N16.

Prerequisites:

  • jffs is enabled on the DD-WRT router.
  • The WAN side has a public IPv4 address (6to4 embeds that address in the IPv6 prefix, so it does not work behind NAT). PPPoE dial-up is used as the example in this post.
  • Your ISP routes 6to4 traffic, i.e. it has a route to the 6to4 relay anycast address 192.88.99.1.

Once configured, every device on the LAN obtains an IPv6 address from the router automatically, and sites such as Google and YouTube are reached over IPv6 automatically, though they are still blocked by the GFW. The setup below does not conflict with OpenVPN: you can run an OpenVPN full tunnel for getting past the firewall and IPv6 on the same DD-WRT router at the same time.

Download the IPv6 kernel modules

Run `uname -r` to find DD-WRT's kernel version and download the matching IPv6 kernel modules. The current DD-WRT K26 builds use kernel 2.6.24.111; the IPv6 modules for that version can be downloaded from here. After downloading, copy the three files nf_conntrack_ipv6.ko, ip6_tables.ko and ip6table_filter.ko into the router's jffs space. (The modules must match the running kernel exactly; insmod refuses a module built for a different version.)

IPv6 configuration

In the DD-WRT web UI, go to Administration – IPv6 Support, enable IPv6 and Radvd, and put the following into "Radvd config":

interface br0 {
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # 1500 - 20 (outer IPv4 header) - 8 (PPPoE) = 1472, the tunnel MTU;
    # advertising it keeps LAN hosts from sending packets the tunnel cannot carry
    AdvLinkMTU 1472;
    AdvSendAdvert on;
    # Subnet 1 of the 6to4 /48: radvd prepends 2002:WWXX:YYZZ, derived from the
    # IPv4 address W.X.Y.Z of the Base6to4Interface, giving 2002:WWXX:YYZZ:1::/64
    prefix 0:0:0:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 86400;
        AdvPreferredLifetime 86400;
        Base6to4Interface ppp0;
        AdvRouterAddr on;
    };
};

If you do not connect via PPP dial-up, replace ppp0 with the name of your WAN interface (check it with ifconfig).

Create the startup script

Create a *.startup file (any base name) under /jffs/etc/config/. DD-WRT runs it at boot, and it loads the IPv6 kernel modules:

#!/bin/sh
# Load the IPv6 core first, then the 6to4 (sit) tunnel driver that depends
# on it. If the web UI has already loaded ipv6.ko, insmod just reports
# "File exists", which is harmless.
insmod /lib/modules/`uname -r`/kernel/net/ipv6/ipv6.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
# Netfilter modules downloaded into jffs. Order matters: ip6table_filter
# needs ip6_tables, and nf_conntrack_ipv6 is what makes "-m state" work in
# the ip6tables rules further down.
MODPATH=/jffs/sagan/lib/modules/`uname -r`
KMODS='ip6_tables.ko ip6table_filter.ko nf_conntrack_ipv6.ko'
for x in $KMODS; do
  insmod $MODPATH/$x
done
# Enable IPv6 forwarding so the router routes between br0 and the tunnel
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Change MODPATH to the directory where you put the downloaded IPv6 kernel modules.

Create the ipup and ipdown scripts

Create a *.ipup file (any base name) under /jffs/etc/config/. DD-WRT runs it whenever the WAN connection comes up, and it brings up the 6to4 tunnel:

#!/bin/sh

# IPv4 address of the WAN side (ppp0 for PPPoE); the 6to4 prefix is derived from it
WANIP=`ifconfig ppp0 | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f1`
if [ -n "$WANIP" ]
then
	# 2002:WWXX:YYZZ is the 6to4 prefix for the IPv4 address W.X.Y.Z
	V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
	# Remove a tunnel left over from a previous connection (the WAN IP may have changed)
	ip tunnel del tun6to4 2>/dev/null
	ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP
	# 1492 (PPPoE) - 20 (outer IPv4 header) = 1472; the same value as AdvLinkMTU in radvd.conf
	ip link set tun6to4 mtu 1472
	ip link set tun6to4 up
	# All of 2002::/16 is on-link through the tunnel (other 6to4 sites are reached directly)
	ip addr add $V6PREFIX:0::1/16 dev tun6to4
	# LAN subnet 2002:WWXX:YYZZ:1::/64, the prefix radvd advertises (prefix 0:0:0:1::/64)
	ip addr add $V6PREFIX:1::1/64 dev br0
	# Everything else goes via the nearest 6to4 relay (anycast 192.88.99.1)
	ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

	# Not working in dd wrt, I do not know why
	#kill -HUP $(cat /var/run/radvd.pid)
fi

# (Re)start radvd, the router advertisement daemon that announces the prefix to
# the LAN (SLAAC, not DHCP). DD-WRT writes the "Radvd config" text box to
# /tmp/radvd.conf. radvd runs in the background.
killall radvd
radvd -C /tmp/radvd.conf start

Likewise create a *.ipdown file, which DD-WRT runs when the WAN connection goes down, with the following content:

#!/bin/sh

killall radvd
ip tunnel del tun6to4
# Also drop the 6to4 prefix from the LAN bridge: a reconnect usually brings a
# new WAN address, and the next ipup run would otherwise add a second prefix
# next to the stale one
ip -6 addr flush dev br0 scope global
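
The address arithmetic in the ipup script, together with the check that the prerequisites imply, is worth seeing on its own. The following is an added example, not code from the original post or from DD-WRT: a POSIX sh script that derives the 6to4 prefix from an IPv4 address the way the printf line above (and radvd's Base6to4Interface) does, refuses addresses 6to4 cannot work from (RFC 1918, carrier-grade NAT 100.64.0.0/10, loopback, link-local, multicast), and then prints, or with a second argument of "run" executes, the same ip commands as the ipup script. The interface names tun6to4 and br0 come from the post; the WAN address 192.0.2.1 used in the dry run is constructed from documentation address space.

```shell
#!/bin/sh
# Added example, not part of the original post: the 6to4 address derivation
# that the .ipup script and radvd's Base6to4Interface both perform, plus the
# public-address check the prerequisites imply. Runs under busybox sh, dash
# or bash. No interface is touched unless sixto4_up is given "run".

# Print the 6to4 prefix 2002:WWXX:YYZZ for the IPv4 address W.X.Y.Z.
# Fails (prints nothing) for anything that is not a dotted quad.
to_6to4_prefix() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# 6to4 only works from a globally routable IPv4 address: the relay decapsulates
# replies for 2002:WWXX:YYZZ::/48 and sends them to W.X.Y.Z. Behind a second
# NAT or carrier-grade NAT (100.64.0.0/10) those replies never arrive.
is_public_ipv4() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1
    [ "$1" -ge 224 ] && return 1      # multicast and reserved
    return 0
}

# Print (default) or run ($2 = "run") the tunnel setup for a WAN address.
# Mirrors the post's ipup script: 2002:WWXX:YYZZ::1/16 on the tunnel,
# 2002:WWXX:YYZZ:1::1/64 on br0 (the prefix radvd advertises), and the
# default route through the 6to4 relay anycast address 192.88.99.1.
sixto4_up() {
    wanip=$1
    if [ "$2" = run ]; then runner=; else runner=echo; fi
    prefix=$(to_6to4_prefix "$wanip") || { echo "bad IPv4 address: $wanip" >&2; return 1; }
    is_public_ipv4 "$wanip" || { echo "not a public IPv4 address, 6to4 cannot work: $wanip" >&2; return 1; }
    $runner ip tunnel add tun6to4 mode sit ttl 255 remote any local "$wanip"
    $runner ip link set tun6to4 mtu 1472
    $runner ip link set tun6to4 up
    $runner ip addr add "$prefix:0::1/16" dev tun6to4
    $runner ip addr add "$prefix:1::1/64" dev br0
    $runner ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
}

# Dry run for a constructed public address (192.0.2.1 is documentation space):
sixto4_up 192.0.2.1
# Refused: an RFC 1918 address, as seen on a router behind a second NAT
sixto4_up 192.168.1.2 || echo "(refused as expected)"
```

On the router you would call `sixto4_up "$WANIP" run` from the ipup script instead of the bare ip commands; the refusal is the case the prerequisites warn about, a WAN address that is not actually public, which otherwise silently yields a tunnel that never receives a reply.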

Create the ip6tables rules

In the DD-WRT web UI under Administration – Commands, edit the firewall script and add the following lines (create a firewall script if there is none yet):

# ipv6
# IMPORTANT!!!

# clear and reset: -F flushes the rules, -X deletes the user-defined
# AllowICMPs chain left from the previous run (without it "-N" below fails
# and every run appends a second copy of the ICMPv6 rules)
ip6tables -F
ip6tables -X

# set default policy. INPUT and FORWARD are DROP: with ACCEPT the
# per-interface rules below would restrict nothing and the router's
# 2002: addresses would be open to the entire IPv6 internet. Management
# from the LAN keeps working because br0 is accepted below.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6 tunnel; only replies come back in
# ("-m state" on ip6tables needs nf_conntrack_ipv6 from the startup script)
ip6tables -A OUTPUT -o tun6to4 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world); inbound from the
# tunnel only for connections the LAN opened
ip6tables -A FORWARD -i br0 -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packet types, in an extra chain because it is
# needed in both INPUT and FORWARD. Types 1-4 are the error messages TCP
# relies on; Packet Too Big (2) in particular is what makes Path MTU
# Discovery work across the 1472-byte tunnel.
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (rate limited to protect against floods)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in OUTPUT we allow everything anyway).
# ICMPv6 types not listed fall through to the chain policy and are dropped.
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
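
Whether a rule set like this actually protects the router is easy to get wrong, since ip6tables happily accepts a policy of ACCEPT next to rules that only make sense with DROP. The following is an added example, not code from the original post or from DD-WRT: a small sh audit that reads an `ip6tables-save` dump on stdin and checks the three properties a 6to4 rule set depends on: INPUT and FORWARD policies of DROP, an accepted ICMPv6 Packet Too Big that both chains can reach (PMTU discovery across the 1472-byte tunnel), and no blanket ACCEPT of traffic arriving on tun6to4. The two dumps at the bottom are constructed for the example; the first is the rule set above with INPUT policy DROP, the second a permissive variant that the audit flags three times, including INPUT policy ACCEPT. The usage line `ip6tables-save | sh audit.sh` on the router is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ip6tables-save dump for
# the properties the 6to4 rule set depends on. Reads the dump on stdin, prints
# one line per finding and returns the number of findings (0 = clean).
# Assumed usage on the router: ip6tables-save | sh audit.sh

audit_ip6tables() {
    dump=$(cat)
    findings=0

    # 1. INPUT and FORWARD need a DROP policy. With ACCEPT, the per-interface
    #    "-i br0" / "-i tun6to4 ... ESTABLISHED" rules restrict nothing and the
    #    router's 2002: addresses are open to the whole IPv6 internet.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "policy: $chain is not DROP"
            findings=$((findings + 1))
        fi
    done

    # 2. The tunnel runs at MTU 1472, so Path MTU Discovery must keep working:
    #    ICMPv6 Packet Too Big (type 2) has to be accepted, and both INPUT and
    #    FORWARD must reach the rule that accepts it (directly or via a jump).
    ptb_chain=$(printf '%s\n' "$dump" \
        | sed -n 's/^-A \([^ ]*\) .*--icmpv6-type 2 .*-j ACCEPT$/\1/p' | head -n 1)
    if [ -z "$ptb_chain" ]; then
        echo "icmp: nothing accepts ICMPv6 Packet Too Big (type 2)"
        findings=$((findings + 1))
    else
        for chain in INPUT FORWARD; do
            [ "$chain" = "$ptb_chain" ] && continue
            if ! printf '%s\n' "$dump" | grep -q "^-A $chain .*-j $ptb_chain\$"; then
                echo "icmp: $chain never reaches the Packet Too Big rule in $ptb_chain"
                findings=$((findings + 1))
            fi
        done
    fi

    # 3. Nothing may accept unsolicited traffic from the tunnel side; only
    #    RELATED,ESTABLISHED (which needs nf_conntrack_ipv6 loaded) and the
    #    ICMPv6 chain should let tunnel traffic in.
    if printf '%s\n' "$dump" | grep -qE '^-A (INPUT|FORWARD) -i tun6to4 -j ACCEPT$'; then
        echo "tunnel: blanket ACCEPT of traffic arriving on tun6to4"
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed dump: the post's rule set as ip6tables-save renders it, INPUT DROP
hardened_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:AllowICMPs - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j AllowICMPs
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j AllowICMPs
-A OUTPUT -o lo -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: a "just make it work" variant with INPUT ACCEPT, no
# Packet Too Big rule and everything from the tunnel forwarded
permissive_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i tun6to4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
COMMIT
EOF
}

echo "== hardened rule set"
hardened_dump | audit_ip6tables && echo "clean"
echo "== permissive rule set"
permissive_dump | audit_ip6tables || echo "$? finding(s)"
```

The check is deliberately textual: ip6tables-save output is stable enough that a few patterns catch the mistakes that matter here, and the script runs on the router's busybox sh without any extra tools.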

OpenVPN

If you also run OpenVPN on the DD-WRT router, add the following line to the OpenVPN config. It pins the route to the 6to4 relay to the physical WAN gateway, so the encapsulated IPv4 packets (protocol 41) keep leaving through the PPPoE link instead of being pulled into the VPN full tunnel:

# 6to4 ipv6 tunnel: reach the relay anycast address via the real gateway, not the VPN
route 192.88.99.1 255.255.255.255 net_gateway 5

That's it. Reboot the router, then restart networking on the Windows client (for Wi-Fi, disconnect and reconnect; for a wired card, disable and re-enable the network adapter). You should now see that the machine has obtained an IPv6 address.

You can test at http://ipv6.google.com/.

PS. 192.88.99.1 is the 6to4 relay anycast address (RFC 3068); which relay you actually reach depends on your ISP's routing. (The anycast prefix was deprecated in 2015 by RFC 7526, so public relays have since become scarce.) Here (Jiangsu) China Telecom routes 192.88.99.1 to he.net's IPv6 network in the US, and the speed is acceptable.