This is meant as a guide to setup IPv6 using tunnelbroker.net, D-Link DIR-655 router and Windows XP. Probably this is not done the most efficient / correct way, so I hope anyone with better ideas will reply. Update: Read the update in the bottom first.
Here's my information from tunnelbroker.net:
(http://lindhart.com/uploads/MortenSpecial/ExternalUsage/heConfig.jpg)
And here's how I used that information on my router:
(http://lindhart.com/uploads/MortenSpecial/ExternalUsage/routerIpv6Config.jpg)
The internal IP address is just the first in the range I'm given by tunnelbroker.net. The DNS servers are googles.
Configuring your computer
Now, you'd think that this would make your Windows XP or at least your Windows 2003 able to get an IPv6 address within your scope (in my example 2001:470:28:a6c) - think again. Neither operating systems reacted on the router. I tried different commands that should renew or reset the IPv6 address, but all in vain. Notice that using statefull (DHCPv6) doesn't work either - as far as I know it's not supported by Windows XP nor Windows 2003.
If you just have an Windows XP and you just want it to work, you can specify the address and the route manually using either the "ipv6" command (only in Windows XP - think it is obsolete in Vista and Windows 7) or using "netsh"
Guides
Guide for using "ipv6" command for routing can be found here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_pro_rt_add.mspx?mfr=true (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_pro_rt_add.mspx?mfr=true)
With a general ipv6 guide here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_add_utils.mspx?mfr=true
Guide for using "netsh":
http://technet.microsoft.com/en-us/library/cc740203(WS.10).aspx#BKMK_6 (http://technet.microsoft.com/en-us/library/cc740203(WS.10).aspx#BKMK_6)
What I did
Using "ipv6" to specify route with my configuration I had to type:
ipv6 rtu ::/0 4/2001:470:28:a6c::1
Where "::/0" means that every destination can use this route, "2001:470:28:a6c::1" is my routers inside IP (see above), and 4 is my "Local Area Connection" cards interface number, which can be found using the command:
ipv6 if
Using netsh, I believe I should have typed:
netsh interface ipv6 add route ::/0 "Local Area Connection" 2001:470:28:a6c::1
To add an IPv6 address you can use the same command tools, here's an example using "netsh":
netsh interface ipv6 add address "Local Area Connection" 2001:470:28:a6c::42
The address 2001:470:28:a6c::42 is just a random in the address space given by tunnelbroker.net
If you have a server at hand and want to avoid manually configuring clients
If you want you can use Windows Router Advertisement Server (http://sourceforge.net/projects/wradvs/ (http://sourceforge.net/projects/wradvs/)). This tool will route IPv6 messages though your server (which I would like to avoid), but will actually work stateless with Windows XP (automaticly assign IPv6 and routes to clients, hooray). If anyone finds a way to make Windows XP work statelessly and route directly through the router, let me know.
Great - but I still don't get an IPv6 DNS server configured statelessly
Neither do I. Either configure it manually or just use your IPv4 DNS server - they'll normally work fine for translation to IPv6 (at least googles does).
UPDATE
It seems that the problems I had where all fixed in a later firmware upgrade. While writing the above I had firmware version 2.00. Since I'm an Danish (European) customer later firmwares where not directly available. However at least one later firmware can be downloaded from d-link German ftp site. I found it here:
ftp://ftp.dlink.de/dir/dir-655/driver_software/ (http://ftp://ftp.dlink.de/dir/dir-655/driver_software/)
It should be possible to use the American firmwares as well as the European(according to some forum I went by - no, I don't remember which), but they are named diffidently.
After using firmware 2.01 IPv6 works with stateless autoconfiguration in windows XP as well (without a routing server in between).
FYI this is much easier in Vista and Win7...it just works
I didn't know Google was providing DNS over IPv6...where did you find those addresses?
Fair warning about the Google NS, they aren't white-listed for their own IPv6 services.
Quote from: cholzhauer on October 26, 2011, 11:51:19 AM
FYI this is much easier in Vista and Win7...it just works
I didn't know Google was providing DNS over IPv6...where did you find those addresses?
Are you sure that it "just works" in Vista and Win7 when using this specific router? Because when I used the server application Windows XP worked like a charm (I just had to install IPv6 then the rest worked automatically).
I believe Google announced them recently, they can be found here:
http://code.google.com/intl/da-DK/speed/public-dns/docs/using.html (http://code.google.com/intl/da-DK/speed/public-dns/docs/using.html)
Yep...I have that router at home and didn't have to change a thing in Win7/Vista
Quote from: cholzhauer on October 28, 2011, 11:39:14 AM
Yep...I have that router at home and didn't have to change a thing in Win7/Vista
Damn - hope I didn't do anything wrong in configuring it. Well that just makes me a bit happier about my router :)
Thanks cholzhauer.
Your comments made me look into later firmwares, and that solved my problems. I've updated the original post.
Cool, I guess mine must have come with the later firmware then. I checked the other day and there wasn't an upgrade for mine yet...I assume there probably wont be either
Quote from: cholzhauer on November 04, 2011, 06:58:53 PM
Cool, I guess mine must have come with the later firmware then. I checked the other day and there wasn't an upgrade for mine yet...I assume there probably wont be either
Well, there might be an upgrade for yours. When I went to D-link homepage and used my correct location, there was no new firmware - and when I tried the "Check online Now for Latest Firmware.." button on the routers web configuration tools page it didn't find any updates either. It wasn't until I found a forum where it was mentioned that it was available from the German site.
If you want to know which firmware you have you can check it on the routers web configuration page - it's displayed in the top right. The latest firmware is 2.03 for US users. For European users the latest I could find was 2.01.
Non-obvious to me was that I had to add 1 to the Routed/64 value for the Lan IPV6 Value
(https://www.evernote.com/shard/s31/sh/ff414295-f083-4278-8628-778090db471f/9b8fbc6a9825ebddfeb1783b3180563f/res/7674228f-a345-4b58-820e-4b8465679881/skitch.png)
@dougransom
Yeah - that's true. I'm not really sure if it uses that address at all - I think it only uses the prefix. So I believe that's non-obvious to us all.
Quote from: dougransom on April 01, 2013, 05:11:21 PM
Non-obvious to me was that I had to add 1 to the Routed/64 value for the Lan IPV6 Value
I suspect you can actually use any address you like from your routed /64 .
Have any luck getting ddns to work? Specifically, I'm working with a dir657, but nothing seems to work. Hasn't been an issue so far since my ip rarely changes, but I can see it eventually being an issue (and if I'm away from home...).
Also, I'm curious if this massive security vulnerability affects other dlink routers. It seems that the remote management setting only applies to the ipv4 wan address. The ipv6 firewall does nothing for the ipv6 local or ipv6 lan addresses. As a result, the router's web server is accessible publicly over ipv6. I've already sent dlink a few emails, but it looks like they aren't even interested in humoring me with a canned response.
Quote from: ziddey on April 11, 2013, 07:09:22 PMAs a result, the router's web server is accessible publicly over ipv6.
As long as it requires login with a password, and doesn't have any vulnerabilities, which can be exploited without being logged in, that is not a security problem. But of course being able to restrict it to only LAN addresses, would provide an extra layer of defence.
Can you bind the server to an unpredictable IP address? That would mean any attacker would first have to guess a 64 bit value before they can access the webserver.
Yes I can set the router's lan ipv6 but the local ipv6 is fixed for the tunnel.
Quote from: ziddey on April 12, 2013, 03:40:45 AMthe local ipv6 is fixed for the tunnel.
Actually you can change that. But there are two caveats. HE could think your tunnel is not used because there are no responses when pinging that IP address. You can't really hide that IP address anyway, as it is going to show up in traceroutes from outside.
So ideally you would want the webserver to not listen on that IPv6 address. If it was only listening on the LAN IPv6 address, then you could hide that IPv6 address from outsiders. The WAN IPv6 address would still show up in traceroute output, but shouldn't respond to HTTP requests.
But if there is no way to configure which addresses the webserver is listening on, then the only options you have left may be to either use a strong password or put a bridging firewall in front of the router.
Quote from: ziddey on April 11, 2013, 07:09:22 PM
Have any luck getting ddns to work? ...
... The ipv6 firewall does nothing for the ipv6 local or ipv6 lan addresses. As a result, the router's web server is accessible publicly over ipv6. I've already sent dlink a few emails, but it looks like they aren't even interested in humoring me with a canned response.
Haven't used ddns at all, so I'm unable to even try to provide any advice there.
Regarding the ipv6 firewall, I've so far been unable to access my router's web server remotely (publicly), even when I try to make a rule allowing it in the firewall. But I've only found one tool to test it with (http://www.ipv6proxy.net/ (http://www.ipv6proxy.net/)). You are welcome to try to access it - the information is above.
Btw. I'm running firmware 2.06B2
Ahh, damn. So it looks like that part of the firmware is different for the DIR-657. I'm on the latest firmware released.
What are your ipv6 firewall rules?
I just double checked and indeed both my wan and lan ipv6 addresses have ports 80 and 443 accessible.
What a shame. It's a terrible router otherwise too, but at least the tunnel is able to keep up with my internet speed (was using a raspberry pi before and it seemed to max around 30-40mbps).
Thanks for testing
Yeah, I believe the 655 is way more updated - I had a quick look at the changelist last time I updated and as far as I remember quite some of the changes are related to ipv6.
I've attached a screen dump of my ipv6 firewall settings - hope it's useful.