Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

How to create a tunnel through a NAT gateway?

Started by jilingshu, March 02, 2012, 02:34:38 AM


jilingshu

hi there,
Here's my network topology:

WAN <----------(Dynamic IP address)> DD-WRT Box <(10.0.0.254/24)----------(10.0.0.201/24)> OpenWRT Box <(10.1.2.254/24)----------(10.1.2.0/24)> Clients

All clients behind the DD-WRT box can access the WAN via NAT.
Now I want to configure an IPv6 tunnel on the OpenWRT box. So can anyone tell me how to configure my DD-WRT box to allow the 6in4 tunnel? Should I forward some special ports?
And my IP address is a dynamic one; is there any way for me to update the tunnel endpoint and my OpenWRT configuration automatically?
Thanks.

cholzhauer

You need to pass protocol 41 (remember, port != protocol).

You can dynamically update the HE side to tell it that your IP address changed...there are a bunch of ideas on the forums if you search around.

As far as updating your side: you won't have to. If you're hosting it on your OpenWRT box, you'll have a NAT address that will never change, and the commands you use to create the tunnel will reference that never-changing address.

kasperd

Quote from: jilingshu on March 02, 2012, 02:34:38 AM
Should I forward some special ports?
No port forwarding needed. You need protocol 41 forwarded to the tunnel endpoint. How to get that working depends on the NAT.

On some NATs you can just send protocol 41 packets out through the NAT, and it will automatically send packets back to the same IP on the LAN. This however does require you to have a ping command running that will ping the tunnel server once per minute or so to keep the connection through the NAT alive.

Some NATs will allow you to forward a specific protocol to a specific IP on the LAN.

Some NATs require that you use a so-called DMZ feature to forward all traffic to a specific IP on the LAN, if it doesn't match anything else.

Quote from: jilingshu on March 02, 2012, 02:34:38 AM
And my IP address is a dynamic one; is there any way for me to update the tunnel endpoint and my OpenWRT configuration automatically?
Here is a script that I have been using in the past:

#!/bin/bash
# Look up the current public IPv4 address and keep only a line that is a
# dotted quad, so an HTML error page from the lookup service never ends up
# in $IP. (The match covers any octet value; the earlier pattern rejected
# valid addresses with a 0 in the third or fourth octet.)
IP="$(curl -s http://myip.dnsomatic.com/ |
        grep '^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}$' |
        tail -1)"
if [ "$IP" != "" ]
then
        # Only tell HE about the address when it actually changed.
        if [ "$IP" != "$(cat /var/local/he-ipv4 2>/dev/null)" ]
        then
                # The MD5 of the tunnelbroker password travels in this
                # request, so the server certificate is verified (no -k).
                curl "https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IP&pass=$(
                        cat /etc/he-md5-pass.txt
                )&user_id=<insert-your-user-id-here>&tunnel_id=<insert-your-tunnel-id-here>"
                echo "$IP" >/var/local/he-ipv4
        fi
        echo "Setting up tunnel"

        # sit0 is the kernel's catch-all 6in4 device; the "tunnel" command
        # creates sit1, which carries the HE endpoint and the default route.
        ifconfig sit0 up
        ifconfig sit0 inet6 tunnel ::<your-tunnel-server-ipv4-address-here>
        ifconfig sit1 up
        ifconfig sit1 inet6 add <your-ipv6-address-here>/64
        route -A inet6 add ::/0 dev sit1
        ping6 -c2 <your-tunnel-server-ipv6-address-here>
fi
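A current version of the same job, added here as an example and not kasperd's script or anything from HE or OpenWRT: it validates the looked-up address as a dotted quad before using it, reports to HE only when the address really changed (and caches it only when HE accepted it), builds the sit tunnel with ip(8) bound to the LAN address the NAT gateway forwards protocol 41 to, and carries the once-a-minute keepalive ping for NATs that only pass protocol 41 via outbound state. Assumptions: 192.0.2.1, 2001:db8::1 and 2001:db8::2 are RFC 5737/3849 documentation placeholders for the addresses on your tunnel page; the nic/update URL is HE's DynDNS-style update endpoint as shown on the tunnel details page (confirm it there); the lookup service is the one the script above uses; 10.0.0.201 is the OpenWRT box's address from the original topology.

```shell
#!/bin/sh
# Added example, not the original poster's script. Keeps the OpenWRT box's
# HE tunnel endpoint current from behind a NAT gateway.
#   sh he-tunnel.sh apply       # hourly cron job or ifup hook (root)
#   sh he-tunnel.sh keepalive   # once-a-minute cron job if the NAT only
#                               # passes protocol 41 via outbound state

STATE=${STATE:-/var/local/he-ipv4}          # last address reported to HE
LAN_IP=${LAN_IP:-10.0.0.201}                # OpenWRT box, from the topology
HE_SERVER_V4=${HE_SERVER_V4:-192.0.2.1}     # placeholder: server IPv4
HE_SERVER_V6=${HE_SERVER_V6:-2001:db8::1}   # placeholder: server IPv6
CLIENT_V6=${CLIENT_V6:-2001:db8::2/64}      # placeholder: client IPv6
HE_USER=${HE_USER:-username}                # placeholder
HE_UPDATE_KEY=${HE_UPDATE_KEY:-updatekey}   # placeholder: per-tunnel update key
HE_TUNNEL_ID=${HE_TUNNEL_ID:-000000}        # placeholder: tunnel id

# True only for four dotted-decimal octets in 0..255, so an HTML error page
# or captive-portal reply can never be reported to HE as "our address".
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# True (0) when $1 differs from the address cached in file $2, or no cache yet.
ip_changed() {
    [ "$1" != "$(cat "$2" 2>/dev/null)" ]
}

fetch_public_ipv4() {
    curl -fsS -m 10 http://myip.dnsomatic.com/ | tail -1
}

# Report the new endpoint to HE. No -k: the update key is in this request,
# so the certificate must be verified. -f turns a 4xx/5xx into a failure,
# which keeps main from caching an address HE never accepted.
update_he() {
    curl -fsS -m 10 -u "$HE_USER:$HE_UPDATE_KEY" \
        "https://ipv4.tunnelbroker.net/nic/update?hostname=$HE_TUNNEL_ID"
}

# ip(8) form of the sit0/sit1 steps. "local" is the private LAN address:
# the NAT gateway DNATs inbound protocol 41 to it. A sit tunnel with an
# explicit "remote" only decapsulates packets whose outer source is HE.
setup_tunnel() {
    ip tunnel del he-ipv6 2>/dev/null || true
    ip tunnel add he-ipv6 mode sit remote "$HE_SERVER_V4" local "$LAN_IP" ttl 255
    ip link set he-ipv6 up
    ip -6 addr add "$CLIENT_V6" dev he-ipv6
    ip -6 route replace default dev he-ipv6
}

keepalive() {
    ping6 -c 1 "$HE_SERVER_V6" >/dev/null 2>&1
}

main() {
    ip=$(fetch_public_ipv4)
    if ! valid_ipv4 "$ip"; then
        echo "lookup returned '$ip', not an IPv4 address; leaving tunnel alone" >&2
        return 1
    fi
    if ip_changed "$ip" "$STATE"; then
        update_he && printf '%s\n' "$ip" >"$STATE" || return 1
    fi
    setup_tunnel
}

case "${1:-}" in
    apply)     main ;;
    keepalive) keepalive ;;
esac
```

Busybox `wget -qO-` can replace curl for the lookup, but the authenticated HTTPS update wants a real curl (opkg install curl) so that the certificate check is not silently skipped.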

jilingshu

Quote from: kasperd on March 02, 2012, 08:50:38 AM
Here is a script that I have been using in the past
Your script is quite useful, thank you! :-)

I searched and found a thread (http://www.tunnelbroker.net/forums/index.php?topic=816.0) that said
Quote
All you need is a NAT rule for proto 41 traffic (iptables --append PREROUTING --table nat --destination <outside IP>  --proto 41 --jump DNAT --to-destination <inside IP>), and a rule in the FORWARD chain allowing the traffic to the NATed IP (as you had in your OP).
I haven't tested this command yet and will try it later, but it seems that this command requires me to specify my DD-WRT box's WAN IP, which is dynamic.
Can anyone tell me how to deal with this? Thanks in advance.

kasperd

Quote from: jilingshu on March 02, 2012, 04:54:40 PM
Quote
All you need is a NAT rule for proto 41 traffic (iptables --append PREROUTING --table nat --destination <outside IP>  --proto 41 --jump DNAT --to-destination <inside IP>), and a rule in the FORWARD chain allowing the traffic to the NATed IP (as you had in your OP).
I haven't tested this command yet and will try it later, but it seems that this command requires me to specify my DD-WRT box's WAN IP, which is dynamic.
The point of that criterion is to ensure it is only applied to incoming traffic. It should work just fine if you match it by interface instead of matching it by IP. So instead of --destination <outside IP> you could do -i <outside interface>. You also need a rule to handle traffic leaving your network, but chances are it already has a MASQUERADE rule, which covers that.
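Putting kasperd's reply together as an added example (not DD-WRT's, HE's or the thread's own code): an iptables script for the DD-WRT box that matches inbound 6in4 by WAN interface rather than by the dynamic WAN address, passes it through FORWARD narrowly (protocol 41, from HE's server, to the tunnel box) instead of the all-traffic DMZ option, and covers the outbound direction plus MASQUERADE. The interface name vlan2 (check `nvram get wan_ifname` on your build) and the server address 192.0.2.1 are placeholders; 10.0.0.201 is the OpenWRT box's address from the original topology.

```shell
#!/bin/sh
# Added example for the DD-WRT (NAT) box, not code from the thread.
# Usage (root, e.g. from the DD-WRT firewall script): sh nat-proto41.sh apply
# Dry run, printing the rules instead of loading them:  IPT=echo sh nat-proto41.sh apply

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-vlan2}                  # placeholder: nvram get wan_ifname
TUNNEL_BOX=${TUNNEL_BOX:-10.0.0.201}     # OpenWRT box, from the topology
HE_SERVER_V4=${HE_SERVER_V4:-192.0.2.1}  # placeholder: tunnel server IPv4

# Idempotent append: delete one existing copy (ignored if absent), then add,
# so rerunning after a WAN bounce never stacks duplicate rules.
# $1 is the table, the rest is the chain plus match spec.
ensure() {
    table=$1; shift
    $IPT -t "$table" -D "$@" 2>/dev/null
    $IPT -t "$table" -A "$@"
}

apply_proto41_rules() {
    # 1. Inbound 6in4 on the WAN interface is DNATed to the tunnel box.
    #    -i "$WAN_IF" replaces --destination <WAN IP>, so a DHCP change
    #    needs no rule update. Only HE's server is a legitimate source.
    ensure nat PREROUTING -i "$WAN_IF" -p 41 -s "$HE_SERVER_V4" \
        -j DNAT --to-destination "$TUNNEL_BOX"
    # 2. The DNATed packet still has to pass FORWARD. Accept exactly that
    #    flow and nothing wider; a DMZ host would receive every protocol.
    ensure filter FORWARD -i "$WAN_IF" -p 41 -s "$HE_SERVER_V4" \
        -d "$TUNNEL_BOX" -j ACCEPT
    # 3. Outbound 6in4 from the tunnel box to HE.
    ensure filter FORWARD -o "$WAN_IF" -p 41 -s "$TUNNEL_BOX" \
        -d "$HE_SERVER_V4" -j ACCEPT
    # 4. Source NAT for everything leaving. DD-WRT normally has this already
    #    and a second copy is harmless, but the tunnel does not work without it.
    ensure nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# What the DMZ option amounts to, for comparison: every inbound packet that
# nothing else claimed goes to the tunnel box, which then needs its own
# firewall for all protocols, not just 41.
dmz_rule() {
    ensure nat PREROUTING -i "$WAN_IF" -j DNAT --to-destination "$TUNNEL_BOX"
}

# Confirm the rules are hit: the packet counters on these lines climb after a
# ping6 from the LAN, and "tcpdump -ni $WAN_IF proto 41" shows both directions.
show_rules() {
    $IPT -t nat -L PREROUTING -nv
    $IPT -L FORWARD -nv
}

case "${1:-}" in
    apply) apply_proto41_rules ;;
    show)  show_rules ;;
esac
```

Restricting to -s HE's server matters more than it looks: without it, anything on the Internet that can reach your WAN address can hand the OpenWRT box 6in4 packets to decapsulate. The price is that the rule has to be edited if HE ever moves the tunnel to a different server address.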