Saturday, May 25, 2013

IPv6 with Charter Communications

This post describes how I enabled IPv6 on my home network.  After completing the six steps below:
  • All computers on my network now have a public IPv6 address (though a firewall limits external access to only some of them, see step 6).
  • My locally hosted websites are now accessible over IPv6.
  • My web browser can now reach IPv6-only web sites.
  • My web browser now scores 10 out of 10 on IPv6 connectivity tests.
As I write this IPv6 usage is around 1.5% but the supply of IPv4 address is almost exhausted.  The North American Regional Internet Register will distribute its last address blocks in about 10 months.  Why not help with the transition by converting your small corner of the net, and learning about IPv6 in the process.

Step 1: Install OpenWrt

Charter doesn't yet offer native IPv6. They do however offer a free IPv6 border relay: Charter IPv6 6rd Page. Through the relay you get your own /64 of publicly routeable IPv6 addresses-- that's 2^64 = 18 quintillion IP address, an old internet squared, just for you.

My router is a Netgear wndr3700v1.  The default firmware does not support 6rd.  I replaced my router firmware with OpenWrt.   I installed the latest version,  "Attitude Adjustment Release 12.09".  OpenWrt builds do not include a web interface by default (only command line), but it is easy to add one.  After installing OpenWrt, I logged into my router (ssh -l root and installed the LuCI web interface.  Five easy LuCI installation commands here. There are also images with LuCI pre-installed.

At this point you should have a functional IPv4 network again, provided by OpenWrt.  Take time to configure the root password on your router, configure the wireless network SSID, security, etc-- all the normal stuff you do with a new router.

Note: I first tried using dd-wrt, which is another popular open source router firmware alternative.  Although I was able to get the 6rd tunnel working with dd-wrt, there hasn't been a new build in two years, consequently the underlying Linux kernel is much older. I had trouble getting ip6tables to work.  OpenWrt development seems much more active, the latest release was last month.

Step 2: Install OpenWrt packages for IPv6 and 6rd

To utilize 6rd from OpenWrt one must install a few additional packages.  Package installation in OpenWrt is very easy.  Secure shell into the router as root and use the opkg command.

opkg install <package-name>
opkg install <package-url>

For some of the below packages/commands I used

Where "ar71xx" is the architecture of my router.  The correct value for any router can be found in OpenWrt's table of hardware.

# Install 6rd packages
opkg install 6rd

# Install radvd
opkg install radvd

# Enable configuration of 6rd interfaces via luci
opkg install ${REPO_URL}/luci-proto-6x4_0.11.1-1_ar71xx.ipk

# Install luci interface for radvd
opkg install ${REPO_URL}/luci-app-radvd_0.11.1-1_ar71xx.ipk

# Install packages for ip6tables
opkg install ${REPO_URL}/kmod-ip6tables_3.3.8-1_ar71xx.ipk
opkg install ${REPO_URL}/libip6tc_1.4.10-4_ar71xx.ipk
opkg install ${REPO_URL}/ip6tables_1.4.10-4_ar71xx.ipk

The indented names above are package dependencies that are automatically installed.  Use: opkg list-installed to list installed packages. After installing the above packages enable radvd at boot /etc/init.d/radvd enable them reboot your router.

Step 3: Configure Radvd

Setup radvd so that your router will distribute IPv6 addresses to attached devices. Edit /etc/config/radvd.  Here is my version of that file:

config interface
option interface 'lan'
option AdvSendAdvert '1'
list client ''
option ignore '0'
option IgnoreIfMissing '1'
option AdvSourceLLAddress '1'
option AdvDefaultPreference 'medium'
option AdvManagedFlag '1'
option AdvLinkMTU '1280'

config prefix

option interface 'lan'
option AdvOnLink '1'
option AdvAutonomous '1'
option ignore '0'
list prefix '2602:100:18cf:84ef::/64'

config rdnss

option interface 'lan'
option ignore '0'
list addr '2607:f428:1::5353:1'
list addr '2607:f428:2::5353:1'

config dnssl

option interface 'lan'
list suffix ''
option ignore '1'

The two addresses in the rdnss section are the primary and secondary DNS addresses, they come directly from Charter's IPv6 page.  The single address in the prefix section is your IPv6 /64 prefix.  It is derived as follows from Chater's 6rd prefix, plus your current WAN IP (google "what is my IP").  Here is a bash script you can use to generate the combined value:

V6_PREFIX=$(printf ' 2602:100:%02x%02x:%02x%02x' $(echo $WAN_IP | tr . ' '));
printf "RESULT: $V6_PREFIX \n";

If you installed the package luci-app-radvd there is a web-UI tab available for configuring radvd. The UI even contains an option indicating that the IPv6 prefix should be automatically derived from the IPv4 address of the interface you specify (wan).  I couldn't get radvd to work via the UI-- so I just edited the above file directly.

Step 4: Create an interface for the 6rd tunnel

In LuCI navigate to Network -> Iterfaces and select "Add new interface..."
  • Name of the new interface: WAN6
  • Select "IPv6-over-IPv4 (6rd)" as the protocol.
  • Enter value's from chater's IPv6 page for the remaining fields:
    • Remote IPv4 address:
    • IPv6 prefix: 2602:100::
    • IPv6 prefix length: 32
    • On the "Firewall" tab select "wan" to place this new interface in the same zone as wan.

Step 5: Enable IPv6 on your existing LAN inteface

  • Network -> Iterfaces -> LAN -> "Accept router advertisements".  Check this.
  • Reboot your router.

This is what should now see in LuCI, on the Network->Interface page:

At this point all capable IPv6 devices on your network should have an IPv6 address and should be able to access the IPv6 net.

Step 6: IPv6 Firewall

In LuCI navigate to Status -> Firewall.  You should see that there are now two tabs; one for an IPv4 firewall and one for an IPv6 firewall.  The IPv6 firewall should have rules allowing all outbound traffic, and blocking all inbound (except for ICMP, pings).

Here is an example rule allowing inbound IPv6 requests to one machine on your network.  Add the following to /etc/config/firewall:

config rule
option target 'ACCEPT'
option name 'IPv6-HTTP-to-dev-server'
option family 'ipv6'
option proto 'tcp'
option src 'wan'
option dest 'lan'
option dest_ip '2602:100:18cf:84ef:beae:c5ff:fee1:3c77'
option dest_port '80'

The 'name' is just a name for this rule, and can be anything you like.  The 'dest_ip' and 'dest_port' fields are of course the IPv6 address of your, in this example, web server.

Relevant links

Let me know

Let me know if this guide was helpful.  Similarly if you find an omission or error let me know, and I'll make updates for the benefit of everyone. 

1 comment:

  1. Thanks for the info. Any word on if Charter has native IPv6 service yet?