• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Asus RT-N66U - TunnelBroker support built-in

Started by kbmyipv6, October 18, 2012, 04:57:25 AM

Previous topic - Next topic

kbmyipv6

Just thought I post a success story, as I don't see any mention of Asus routers here.

Looked around for a bit trying to set up a tunnel through my conventional single-dynamic-IPv4 domestic ISP.

Didn't have any luck with SixXS - I couldn't get the aiccu keepalive utility to run on my PC, and that was awkward anyway, as I really wanted my router to be doing everything self-contained.

After an upgrade to the latest firmware (3.0.0.4.220), it turns out that the Asus RT-N66U router is dead easy to set up for the HE Tunnel Broker - it has specific knowledge built in to the UI.

Under "IPv6", fill in with the values shown on your HE tunnel info page:


Asus settingTunnelbroker details
Connection type"Tunnel 6in4"
Server IPv4 AddressServer IPv4 Address
Client IPv6 AddressClient IPv6 Address (address part only)
IPv6 Prefix Length"64"
Tunnel MTU"0", or MTU from Advanced tab
Tunnel TTL"255"
LAN IPv6 PrefixRouted /64 (address part only), or a /64 prefix within your Routed /48
LAN Prefix Length"64"
LAN IPv6 AddressWill be fixed as ::1 on the Prefix specified
IPv6 DNS Server 1Anycasted IPv6 Caching Nameserver

And then, to cope with you having a dynamic IPv4 address from your ISP, the router helpfully already knows about the https://ipv4.tunnelbroker.net/ipv4_end.php script. Go into WAN/DDNS, and fill it in thus:

Asus settingTunnelbroker details
Enable the DDNS Client"Yes"
Server"WWW.TUNNELBROKER.NET" from the menu
Host NameTunnel ID (6-digit decimal number)
User Name or E-mail AddressUser ID (long hex value on Main Page, not Username)
PasswordPassword

Then everything just works.

Only major flaw in this setup is that I don't believe the standard router firewall GUI settings affect IPv6 traffic. You'd have to muck around under the surface.

valkenbw

Before I had a Linksys E4200v2 and was easily able to set up a 6rd tunnel with "my" Huricane details.
Now I have a RT-N66U and followed above guidelines...without success. The settings are accepted, and a laptop with IPv6 enabled gets an IPv6 address but has no IPv6 connectivity to the Internet.
I see the guideline was written for firmware 220, my router has the latest 260 build. Probably first good to hear if someone had succes with that build too.
Any other hints?
Can I check IPv6 connectivity on the router it self, like on the E4200v2 which has a build in Ping utility?
Or does the RT-N66U show a IPv6 tunnel "Connected" status, like the E400v2?
Do I need to reboot the RT-N66U after all IPv6 settings are applied?
Maybe a screen print of the IPv6 page of a working RT-N66U router (with some details blurred)?

valkenbw

#2
After a good night or what sleep I have tried setup of a IPv6 tunnel with a RT-N66U (f/w 3.0.0.4.260) again, now with success.
Fill in the details, hit Apply, wait for the page to appear again and done.
The System log does tell you something about the IPv6 setup, but not very clear.
I am still curious to a way to test IPv6 on the router level (I assume you need to open a console through Telnet).
Here is the screen dump as reference with some details blurred:

valkenbw

To test the IPv6 connection from your router you can ping a known IPv6 address from a Telnet session:
Enable Telnet in: Administration>System.
Open a Telnet session from your computer to the router.
Perform the following command: ping -c 3 ipv6.google.com
When the Tunnel and IPv6 works ok for the router, you should get 3 successful replies.

thetorpedodog

I just got my Asus RT-N66U.  Now I'm trying to set it up for IPv6 tunnelling, and it actually seems to be working.  If I telnet to the router and ping an IPv6 site, it works.

Unfortunately, my personal Thinkpad (Ubuntu Qsomething) doesn't seem to have gotten the memo.

syslog says things like:

Jan 19 03:31:57 lambert kernel: [583063.503152] wlan2: no IPv6 routers present
Jan 19 03:32:06 lambert NetworkManager[974]: <info> (wlan2): IP6 addrconf timed out or failed.
Jan 19 03:32:06 lambert NetworkManager[974]: <info> Activation (wlan2) Stage 4 of 5 (IPv6 Configure Timeout) scheduled...
Jan 19 03:32:06 lambert NetworkManager[974]: <info> Activation (wlan2) Stage 4 of 5 (IPv6 Configure Timeout) started...
Jan 19 03:32:06 lambert NetworkManager[974]: <info> Activation (wlan2) Stage 4 of 5 (IPv6 Configure Timeout) complete.


If I force IPv6 connectivity in NetworkManager, it just gets to this state and loops, disconnecting and reconnecting forever. "Advertise router" is enabled on my router.

Is this what happened to others here?

thetorpedodog

#5
It turns out the router isn't running radvd on account of an error somewhere:

Jan 19 09:27:41 radvd[1211]: version 1.9.1 started
Jan 19 09:27:41 radvd[1211]: Exiting, permissions on conf_file invalid.


wubangle@RT-N66U:/tmp/etc# ls -l radvd.conf
-r--------    1 wubangle root           325 Jan 19 09:27 radvd.conf
wubangle@RT-N66U:/tmp/etc# chmod a-r radvd.conf
wubangle@RT-N66U:/tmp/etc# radvd
[Jan 19 09:38:53] radvd: Exiting, permissions on conf_file invalid.

There appears to be no pleasing radvd.

EDIT: Yes, there is. This problem occurs if you set your username to anything but "admin". So reset your username to "admin" and the problem will solve itself, and IPv6 will work for you!

valkenbw

Thats a nice one :-)
What is the firmware version in your router and is it Asus or Merlin build?

promaster99

Im running version 3.0.0.4.270 and tunnel 6in4 and it works, but ther is no firewall protection on the ipv6 clients, anyone have solution on this problem ?

kr1zmo

I have tried all these steps with no result. I setup the tunnel with the exact settings. As soon as I switch my connection on my macbook (wifi) over to ipv6, it grabs a ip address but I cannot access anything, I cannot ping anything.

Am I doing this right?

kasperd

Quote from: kr1zmo on May 28, 2013, 09:29:31 AMAs soon as I switch my connection on my macbook (wifi) over to ipv6, it grabs a ip address but I cannot access anything, I cannot ping anything.

Am I doing this right?
That question is easy to answer. The answer is no, you are not doing it right. But since you haven't told us what you did, it is not easy for us to tell you, what you did wrong. Here is what a traceroute to your IP looks like from my endtraceroute to 2001:470:7:6e0::2 (2001:470:7:6e0::2), 30 hops max, 80 byte packets
1  2001:470:28:940:5d75:c1f4:e0a0:f8ec  0.571 ms  1.267 ms  1.972 ms
2  2001:470:27:940::1  73.299 ms  78.426 ms  84.542 ms
3  2001:470:0:11e::1  90.700 ms  23.553 ms  28.255 ms
4  2001:470:0:22f::1  67.662 ms  68.337 ms  62.153 ms
5  2001:470:0:3f::1  78.001 ms  73.546 ms  79.839 ms
6  2001:470:0:128::1  140.811 ms  141.530 ms  138.308 ms
7  2001:470:0:299::1  188.932 ms  142.235 ms  160.012 ms
8  2001:470:0:90::2  161.104 ms  167.111 ms  167.223 ms
9  2002:422a:d452::  192.673 ms  182.012 ms  183.677 ms
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
The 2002:422a:d452:: showing up in there makes me think you might have configured your router to do 6to4 instead of 6in4. You should post a screenshot of the configuration.

shoneycutt

#10
Just wanted to post and extend my appreciation, to all those who've posted here on the forum; posting their problems and/or solutions, to TunnelBroker for the service (free as in beer mind you) and to my proud new papa of a working IPV6 tunnel address; the Asus RT-N16!

Being of the semi-technically challenged persuasion, my router and I are no longer beating our heads together.

Also, shouldn't leave out all the people who develop for the DD-WRT and Tomato Firmware either. Being unable to make either of those work, I reverted back to version 3.0.0.4.260 from Asus. Asus makes no bones about it, they too mention the others who work on the FOSS firmwares.

Other than radvd complaining about an error I made (leaving off the trailing "::" at the end of the LAN IPV6 prefix, it finally all came together!

So, to recap for other technically challenged folks like myself, The LAN IPV6 prefix requires not only the first 64 bits, but, the trailing "::" too. xxxx:xxxx:xxxx:xxxx::

I'm as happy as a young pup whose owners just brought home a shiny new kitten to play with... ;)


GEOPS

For all poor souls out there that have the tunnel running on rt-n66u but do not have v6 firewall I have found a simple solution (although it has to be applied at each router restart). You have to telnet into the router and add some rules to ip6tables on the router like this:

ip6tables -A FORWARD -j DROP
ip6tables -I FORWARD -m state --state NEW -i br0 -o 6rd -j ACCEPT
ip6tables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This will allow all outgoing connections and block all ipv6 incoming connections. I am running firmware version 3.0.0.4.270. my lan/wifi interface on the router is bridged at br0 and my tunnel is 6rd. If you have something different you'll need to replace the interface names in the rules. Now after you've tested this and it works you can open ports to services you run behind the firewall. For example I want to allow port 22 (ssh) to all hosts behind the firewall. I can do that with the following line:

ip6tables -I FORWARD -i 6rd -p tcp --dport 22 -j ACCEPT

You can do the same for different ports and also add specific destinations if needed. Enjoy!

kasperd

Quote from: GEOPS on July 27, 2013, 05:23:25 PMFor all poor souls out there that have the tunnel running on rt-n66u but do not have v6 firewall I have found a simple solution (although it has to be applied at each router restart).
You need to keep in mind that if you do not pay a lot of attention to what you block, you may end up blocking legitimate packets, which may result in flaky connectivity to some services. Here are things to watch out for.

ICMPv6 packets are required in order for IPv6 to operate correctly. Most of them do not need to be forwarded across routers, but too big error message do need to get forwarded. Inappropriate filtering of those is often causing problems.

Certain tunnelling protocols utilize ICMPv6 echo request packets as well as no next header. If you block those, you may not be able to communicate with peers utilizing such tunnelling protocols.

Stateful inspection is generally less reliable because state can time out or get lost in case stateful equipment is restarted. TCP can be firewalled statelessly, which will give a better user experience in those cases. Doing the firewalling statelessly means you block the SYN packets, which would be used to establish a new connection and let other packets through. In that case packets can come in without being part of a connection, but they are going to be rejected by the TCP stack on the destination, so they will never reach any service, which may be listening on that port.

Using a DROP rule will make debugging network problems harder, it will also make it easier for others to spoof your IP address. Instead I recommend using proper REJECT rules (I use three different reject rules such that TCP can be rejected with TCP RST packets, UDP is rejected with port unreachable, and everything else is rejected with a generic ICMP error).

While you are configuring ip6tables, you can also make your connectivity a bit more reliable by utilizing the tcpmss module. By reducing MSS to 1220 on all SYN packets, which had a higher MSS, you can avoid most PMTU discovery problems.

GEOPS

Thanks for all the info kasperd. Currently I have no connectivity problems since the router already had all v6 icmp types allowed. I just added what was needed to block the rest. This is all a big experiment since it's all at home and running on a home wifi router. Your suggestions were great for production environment but I'm not sure I need that much at home. I was also expecting to have some problems since I'm keeping the tunnel mtu at 1480 but the path mtu discovery seems to work ok and I don't seem to have connectivity isues for the moment. After all I just posted a test setup that people can use to bring up the most basic firewall on the n66u router since being all open can be a big problem, especially if you run an open network at home with no local machine firewalls like me. Thanks again.

valkenbw

FYI,

There is a customized version of AsusWRT Firmware version 3.0.0.4.372.32 Beta 3, made by RMerlin, that incorporates a configurable IPv6 Firewall:
http://www.lostrealm.ca/tower/node/79
http://www.lostrealm.ca/asuswrt-merlin/changelog.txt