AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Saturday, 19 November 2011 08:38:57 
This is tested and working for my SIXXS AICCU tunnel. 
I'm using a DIR-600 on trunk (bleeding edge, r28963). 
The idea was to get rid of the additional firewall script to launch IPv6 rules and do a full uci configuration.
(See my posting on OpenWRT as well; I solved it last night.)
Initially I had some issues with ping response and lost my loss & latency statistics. It is working with the configuration shown below. 
 
Firewall rules are OK, I've tested it with Chappels famous IPv6 firewall tester. 
### Solved (Latest Update 19.11.2011 / 08:36 GMT+1) 
The tunnel ping issue is solved, the tunnel endpoint is pingable from outside. So the loss & latency statistics are working again.  
My actual configuration: 
You need an additional dummy interface which doesn't come up automatically, see configuration below.  
/etc/config/firewall 
```
#
# v1.0 OK (SIXXS loss & latency issue solved, respond to tunnel ping)
#
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'drop_invalid' '1'

config 'zone'
        option 'name' 'lan'
        option 'network' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        #option 'conntrack' '1'

config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'input' 'DROP'
        option 'output' 'ACCEPT'
        option 'forward' 'DROP'
        option 'masq' '1'
        option 'mtu_fix' '1'
        #option 'family' 'ipv4'

# IPv6 zone bound to the dummy interface IP_Sixxs (the AICCU tunnel)
config 'zone'
        option 'name' 'wan6'
        option 'network' 'IP_Sixxs'
        option 'input' 'DROP'
        option 'output' 'ACCEPT'
        option 'forward' 'DROP'
        option 'conntrack' '1'
        option 'mtu_fix' '1'
        option 'family' 'ipv6'

# DHCP replies to the router's IPv4 DHCP client on wan
config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

# Reject IPv4 ping from wan
config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'family' 'ipv4'
        option 'target' 'REJECT'

# Answer IPv6 ping on the tunnel endpoint (needed for the loss & latency statistics)
config 'rule'
        option 'src' 'wan6'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

# IP protocol 41 (IPv6 encapsulated in IPv4) from wan
config 'rule'
        option 'src' 'wan'
        option 'proto' '41'
        option 'target' 'ACCEPT'

# DHCPv6 replies between link-local addresses
config 'rule'
        option 'src' 'wan6'
        option 'proto' 'udp'
        option 'src_ip' 'fe80::/10'
        option 'src_port' '547'
        option 'dest_ip' 'fe80::/10'
        option 'dest_port' '546'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

# ICMPv6 addressed to the router itself, rate limited
config 'rule'
        option 'src' 'wan6'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

# ICMPv6 forwarded to any zone, rate limited
config 'rule'
        option 'src' 'wan6'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'lan'

config 'forwarding'
        option 'dest' 'wan6'
        option 'src' 'lan'
```

Don't forget to add a dummy interface IP_Sixxs to /etc/config/interface.

```
config 'interface' 'IP_Sixxs'
        option 'proto' 'static'
        option 'ifname' 'sixxs'
        option 'auto' '0'
        option 'ip6addr' '2001:myipsixx:1234::2'
        option 'send_rs' '0'
```

Next challenge is to build and put OpenWRT (trunk) on an ASUS RT-16N, because it's a great and performant device! 
cu 
Tom 
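
An added example, not part of the post above: a shell check for the dependency this configuration relies on, namely that the `wan6` zone's `network` (`IP_Sixxs`) exists as an interface section and that every zone named by a rule or forwarding is defined. The function names and the trimmed sample file are constructed for illustration.

```shell
# Added example: cross-check a UCI firewall file against the interface definitions.
# $1 = firewall config, $2 = config file holding the 'interface' sections.
uci_zone_check() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    function flush(   i, n, a) {          # close the section read so far
        if (sect == "zone") {
            zone[zname] = 1
            n = split(znets, a, " ")
            for (i = 1; i <= n; i++)
                if (!(a[i] in iface))
                    print "zone " zname ": interface " a[i] " not defined"
        }
        zname = ""; znets = ""
    }
    /^[ \t]*#/ { next }                   # skip comment lines in both files
    pass == 1 && $1 == "config" && unq($2) == "interface" { iface[unq($3)] = 1 }
    pass == 1 { next }
    $1 == "config" { flush(); sect = unq($2); next }
    { key = unq($2); val = unq($3) }
    sect == "zone" && key == "name" { zname = val }
    sect == "zone" && key == "network" { for (i = 3; i <= NF; i++) znets = znets " " unq($i) }
    (sect == "rule" || sect == "forwarding") && (key == "src" || key == "dest") && val != "*" { ref[val] = sect }
    END {
        flush()
        for (z in ref)
            if (!(z in zone)) print ref[z] ": zone " z " not defined"
    }' pass=1 "$2" pass=2 "$1"
}

# Constructed sample: a trimmed firewall file using the thread's zone names.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
config 'zone'
    option 'name' 'wan6'
    option 'network' 'IP_Sixxs'
config 'forwarding'
    option 'dest' 'wan6'
    option 'src' 'lan'
config 'rule'
    option 'src' 'wan'
EOF
}
```

Call it with the router's firewall file as the first argument and the file containing the `config 'interface'` sections as the second; no output means every zone and interface reference resolves.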
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Saturday, 26 November 2011 17:11:28 
I'm sorry to say that the configuration is not stable yet. 
The zone wan6 isn't added automatically after a reboot of the device. 
Tom
 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[br]](/s/countries/br.gif) Carmen Sandiego on Friday, 13 January 2012 17:49:32 
Hi,
I am working on a similar setup, using OpenWRT 10.03.1 final and the same firewall settings. I have noticed the same behavior you mentioned. After a reboot, the tunnel is established but routing does not work. Did you find a solution for this?
Thanks,
--
Fernando
 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Sunday, 15 January 2012 16:54:58 
Hi Fernando, 
change startup priority 
 50 radvd
51 aiccu
But I'm still testing. 
Regards
Thomas 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[br]](/s/countries/br.gif) Carmen Sandiego on Monday, 16 January 2012 17:08:39 
Hi Thomas,
The priority you suggested,
 50 radvd
51 aiccu
is already the default for Backfire 10.03.1 final, but it does not seem to solve the routing problem. While I try to understand what exactly is happening, I applied the set of ip6tables rules you mentioned in another thread, applying them right after aiccu starts.
Regards,
--
Fernando 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Tuesday, 17 January 2012 20:47:27 
Hi Fernando, 
just working on it. May take some time, I'll update the Wiki soon.
Regards 
Thomas
 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Thursday, 19 January 2012 23:07:11 
Hi Fernando, 
it looks like I solved it. I'll now update the WIKI with my new configuration: link. 
Feel free to test it and give me feedback.
Regards 
Thomas
 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[de]](/s/countries/de.gif) Shadow Hawkins on Thursday, 19 January 2012 23:07:28 
Hi Fernando, 
WIKI is updated, hope that is working for you, too. 
link
Thomas
 
AICCU & OpenWRT firewallv2 -> /etc/config/firewall ![[br]](/s/countries/br.gif) Carmen Sandiego on Tuesday, 24 January 2012 03:06:13 
Hi Thomas,
I finally had some time to test it, and it is working fine now. By the way, if you don't mind, I think I could update the wiki page, adding some observations about the similarities and differences between kamikaze, backfire 10.03 and 10.03.1.
Thanks for your help,
--
Fernando
 