Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

A Most Complex Routing Puzzle for You! (DD-WRT)

Started by phipac, July 21, 2010, 03:17:26 PM


phipac

Alright, here is one for you to chew on.  I won't go into the specifics of why my network is set the way it is (unless you ask of course).  Running a WRT54G v5 with DD-WRT micro v24sp2.  I have an IPv6 tunnel of course, and in the simpler days, this was all I needed in my configuration:

iptables -t nat -I PREROUTING -i vlan1 -p 41 -j DNAT --to 10.0.0.2
iptables -I FORWARD -s 66.220.18.42 -i vlan1 -j ACCEPT
iptables -t nat -I POSTROUTING --proto ! 41 -o vlan1 -j MASQUERADE

Works like a charm, as 10.0.0.2 is a Centos server that handled the radvd and the routing.  Well, I had a need to separate the LAN ports behind this router, and the main reason was to isolate this Centos box that was handling the IPv6 routing.  Well, now the rest of the router is on a 192.168.11.0/24 subnet and is of course blocked from seeing the Centos box on the 10.0.0.0/24 subnet.  This was accomplished with the following:

ifconfig vlan2 10.0.0.1 netmask 255.0.0.0
ip addr add 11.22.33.44/29 dev vlan1
iptables -t nat -I POSTROUTING 1 -p all -o vlan1 -s 10.0.0.0/24 -j SNAT --to 11.22.33.44
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop

Question:  Can I open a route between the two vlans for only IPv6, or say only protocol 41 traffic?  That way, the Centos box on the 10.0.0.0/24 subnet can still act as the tunnel endpoint and serve the addresses and IPv6 routing for BOTH the 10.0.0.0/24 and 192.168.11.0/24 subnets?  See?  I told you this would be fun!  Thanks for your help.

;D
Phil

jimb

You should be able to.  You'll need a routed /48 so you can have two /64s, one for each vlan.  Then you just need to get the proto-41 traffic to and from the Centos box.  Then you just need a static route on the centos box pointing to the router which has the 2nd /64.

phipac

Quote from: jimb on July 21, 2010, 03:42:30 PM
You should be able to.  You'll need a routed /48 so you can have two /64s, one for each vlan.  Then you just need to get the proto-41 traffic to and from the Centos box.  Then you just need a static route on the centos box pointing to the router which has the 2nd /64.

Thanks - actually, that would be quite easily accomplished.  However, I'm trying to avoid using a 2nd router on the other vlan.  I would like to establish a bridge between the two vlans, but only for protocol 41 traffic.  I *think* this will work for what I am trying to do.  I just can't find the right combination of iptables commands to get it set.

-Phil

jimb

In that case you just establish a 6in4 tunnel between the router and host where you want the additional space, then you can route anything across the tunnel (or use the tunnel IPv6s alone).  The 2nd host basically becomes a router itself.  The tunnels are set up the same way you set it up with HE, except you're setting up both sides.

The iptables commands would have to let IP protocol 41 through.  It'd look something like (on both hosts):

iptables -I INPUT --proto 41 --jump ACCEPT

And a similar rule in the OUTPUT chain if you restrict output.  You also have to make sure ip6tables is allowing the traffic, and that the IP forwarding flags are turned on in the kernel, etc.

phipac

I'll try a couple of block diagrams to see if it helps.  It sure helps me to visualize it.  Note that the two networks cannot see each other in either direction, and the CentOS server is part of the 10.0.0.1/24 network.  The IPv6 tunnel endpoint is to the CentOS server, and thus can serve connections on the "10.0.0.1/24" network.  I'm trying to open just IPv6 between the CentOS server (tunnel endpoint), back through the WRT54G, and over to the "192.168.1.1/24" network, using a different /64 from my routed /48.  First is my current block:



And here is what I am trying to accomplish:



Sorry for the large images.  Thanks for your consideration!

patrickdk

Why is this thread stuck on protocol 41? IPv6 doesn't use protocol 41 for anything.

protocol 41 is ONLY used for ipv6 INSIDE of ipv4 tunnels.

You don't tunnel between your two networks, you just firewall them.

You need to use ip6tables to adjust the firewall to allow the two networks to talk. iptables will do nothing for you (it can only block ipv6 to HE's servers, nothing else, cause that is on ipv4 in a tunnel (protocol 41))

phipac

Quote from: patrickdk on August 18, 2010, 05:12:22 PM
Why is this thread stuck on protocol 41? IPv6 doesn't use protocol 41 for anything.

protocol 41 is ONLY used for ipv6 INSIDE of ipv4 tunnels.

You don't tunnel between your two networks, you just firewall them.

You need to use ip6tables to adjust the firewall to allow the two networks to talk. iptables will do nothing for you (it can only block ipv6 to HE's servers, nothing else, cause that is on ipv4 in a tunnel (protocol 41))


The reason is, I'm having to run DD-WRT micro, and it doesn't support ip6tables.  Maybe I am thinking about the wrong piece of the puzzle - are you saying I need to setup ip6tables on the Centos box (tunnel endpoint) to route to the different networks?

patrickdk

Ya, I re-read it and it makes more sense now :)

you need to use ip6tables to have both of your networks talk to each other, and to talk to the internet over ipv6.

You need to use iptables with protocol 41 on the centos and router to talk to he.

So the only thing needed on the router would be a dnat of port 41 to centos, or dmz to centos.

Configure your tunnel on centos and make sure it works.

Then you need to assign two /64 ranges out of the /48 onto each of your local lans (optionally configure radvd and stuff).

Turn on ipv6 forwarding on the centos box. Have all machines on your network use centos for ipv6 default gw (ipv4 default gw would be optional, it could still be the linksys router).

If centos works over ipv6, but other systems won't, it would be an ip6tables (centos), ipv6 forwarding (centos), or default gw (workstation, or radvd on centos) issue.

phipac

OK currently, radvd works and feeds IPv6 addresses to the 10.0.0.0/24 network.  I have full IPv6 connectivity on that side, using a /64 carved from my /48.  I didn't have to do anything fancy with ip6tables on the Centos machine to get that to work - probably because the tunnel endpoint is already there.  See, the DD-WRT is doing a great job of isolating the two sides of the network (note: I really do need them isolated from each other on IPv4 - long story as to why).  I think the reason that more tunneling was suggested is because I need to cross over this wall between the two networks but only with IPv6.  I don't see how I can force anything to go to the 192.168 network from the Centos box itself, unless we need to be thinking static routes instead of tunnels.

Thanks!

patrickdk

There are no tunnels needed; they are directly attached.

You just need to setup an ip6 block for the other network, the 192.168.1.x on the centos box.

Configure radvd to hand out the network prefix and default gateway as itself.

Then the centos box will route between the two without anything else needed. Both are directly connected, so it will create its own static routes to handle it. Forwarding must already be on, or your 10.x.x.x ipv6 hosts wouldn't have internet over ipv6.

Both networks would be wide open to each other and the internet though, on ipv6, unless you add some ip6tables rules in there somewhere on the centos box.

phipac

Thanks for your continued help!  This makes sense, but remember that even if I add a 192.168 address to the Centos box, it cannot see any of the 192.168 network on the other side of the router.  The ports are separated into different vlans on the router to keep the networks completely separated.  Knowing this, is there any way to make it work?

Another option might be to forget about separate vlans on the router, and just create the two separate IPv4 networks and use iptables to keep them separate except for IPv6 routing.  In my mind earlier, I think that's why I was thinking about protocol 41, using that as the only opening between the two networks.  What a pain.  It might be worth spending another $40 on another router that will let me install the full version of DD-WRT with IPv6 and radvd!

patrickdk

That is a fault of your switch config then, you should be passing both networks as vlans to the centos box.

You can do that using two ports on the switch, and two network cards on the centos box.
OR
You can use one port and set both vlans as tagged on that single port.

I used to do it both ways on many wrt54g, gs, gl units.
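The CentOS-side procedure patrickdk lays out above (tunnel on the CentOS box, one /64 per LAN, forwarding on, radvd, ip6tables so the two LANs are not wide open to each other) combined with his single-tagged-port option, as an added example that is not from this thread or from any poster. It assumes a routed /48 of 2001:db8:1234::/48, a tunnel client address of 2001:db8:abcd::2/64, and VLAN IDs 10 and 20 on eth0; only 66.220.18.42 and 10.0.0.2 come from the thread. It prints the commands by default and only executes them with APPLY=1.

```shell
# Added example (not from the thread): CentOS-side setup for one HE tunnel serving two
# VLAN-tagged LANs. All addresses are constructed placeholders except the HE server
# 66.220.18.42 and the CentOS address 10.0.0.2 quoted in the thread.
HE_SERVER_V4=66.220.18.42               # HE tunnel server, from the thread's iptables rule
LOCAL_V4=10.0.0.2                       # CentOS box: the router DNATs proto 41 here
TUNNEL_V6=2001:db8:abcd::2/64           # assumed client side of the tunnel /64
PREFIX48=2001:db8:1234                  # assumed routed /48
LAN_A_IF=eth0.10; LAN_A_PFX=$PREFIX48:1::   # tagged VLAN carrying the 10.0.0.0/24 side
LAN_B_IF=eth0.20; LAN_B_PFX=$PREFIX48:2::   # tagged VLAN carrying the 192.168.1.0/24 side

# Dry run by default: print each command. APPLY=1 executes them (root required).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# 6in4 tunnel terminated on the CentOS box; the router only has to pass proto 41 to it
setup_tunnel() {
    run ip tunnel add he-ipv6 mode sit remote "$HE_SERVER_V4" local "$LOCAL_V4" ttl 255
    run ip link set he-ipv6 up
    run ip addr add "$TUNNEL_V6" dev he-ipv6
    run ip route add ::/0 dev he-ipv6
}

# Both VLANs tagged on one NIC (the single-port option), one /64 per VLAN out of the /48.
# The kernel installs the connected routes itself, so no static routes are needed.
setup_lans() {
    run ip link add link eth0 name "$LAN_A_IF" type vlan id 10
    run ip link add link eth0 name "$LAN_B_IF" type vlan id 20
    run ip addr add "${LAN_A_PFX}1/64" dev "$LAN_A_IF"
    run ip addr add "${LAN_B_PFX}1/64" dev "$LAN_B_IF"
    run sysctl -w net.ipv6.conf.all.forwarding=1
}

# radvd.conf stanza for one LAN: advertise its /64 and this box as the default gateway
radvd_stanza() {
    printf 'interface %s {\n    AdvSendAdvert on;\n    prefix %s/64 { AdvOnLink on; AdvAutonomous on; };\n};\n' "$1" "$2"
}

# ip6tables FORWARD policy: each LAN reaches the tunnel, neither LAN reaches the other
# (the state match needs IPv6 conntrack in the kernel; drop that one rule if it is absent)
isolation_rules() {
    run ip6tables -P FORWARD DROP
    run ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -i "$LAN_A_IF" -o "$LAN_B_IF" -j DROP
    run ip6tables -A FORWARD -i "$LAN_B_IF" -o "$LAN_A_IF" -j DROP
    run ip6tables -A FORWARD -i "$LAN_A_IF" -o he-ipv6 -j ACCEPT
    run ip6tables -A FORWARD -i "$LAN_B_IF" -o he-ipv6 -j ACCEPT
}

main() { setup_tunnel; setup_lans; isolation_rules; radvd_stanza "$LAN_A_IF" "$LAN_A_PFX"; radvd_stanza "$LAN_B_IF" "$LAN_B_PFX"; }
main
```

Review the printed commands first; IPv4 on the router stays exactly as the thread has it, since only protocol 41 ever needs to reach 10.0.0.2.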