Łukasz Stelmach
2011-02-01 18:51:06 UTC
Hello.
I've got a situation I would like to solve as neatly as possible
and contribute to OpenWRT. This is the picture.
I've got a:
1. DSL line at home with a dynamic IPv4 address.
2. TL-WR1043ND router running OpenWRT (pppoe).
3. tunnel to SiXXS.
I'd like to:
1. set up 6to4 tunnel for better communication with other 6to4 users.
Condition:
1. SiXXS seem to block packets with 6to4 address comming to their
POP thtough a tunnel.
The simple option is to set up a 6to4 tunnel but not advertise it with
radvd. Inbound packets from 2002::/16 come through sixxs device outgoing
take the shorter route through 6to4 tunnel. 6to4 users should accept
them according to "Security considerations" in
http://www.faqs.org/rfcs/rfc3056.html
It is more efficient, however, to advertise 6to4 prefix throughout the
LAN and comunicate with others more directly to avoid possibly
misconfigured 6to4 GWs along the way.
Let's consider four possible cases of incoming connections (there are
only two for outgoing once, since local host is supposed to choose a
source address wisely) where remote and local addresses can be either
native or 6to4 ones. (iif/oif on a router)
| remote -> | 6to4 | native |
|-----------+-----------+-------------|
| local | | |
| 6to4 | stf/stf | stf/stf* |
| native | sixxs/stf | sixxs/sixxs |
As for default settings there is a problem with the "*" case as packets
with a 6to4 source address and a native destination one won't pass
through sixxs tunnel. A routing table like this won't work.
2002::/16 dev 6to4-stf proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 0
default via 2001:db8:2::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 0
The solution.
I've solved the problem by adding an additional routing table
(sixtofour) with a single entry
2000::/3 via ::192.88.99.1 dev 6to4-stf metric 1029 mtu 1280 advmss 1220 hoplimit 0
and a rule
from 2002:c000:2e8::/48 lookup sixtofour
(2002:c000:2e8:: is my 6to4 prefix)
which makes all packets with a 6to4 source address from my LAN be routed
through the 6to4-stf interface.
It looks like there should be a separate routing table for each 6to4
interface/prefix which hints there shouldn't be more than one 6to4
tunnel.
The Questions.
I'd like to put everything (the above setup) together in the right
places so the question is what are they? (Would you accept a patch for
/etc/iproute2/rt_tables?)
Can I assume openwrt supports multiple routing tables?
I suppose I shoud not make any assumptions about the number role of
IPv4/IPv6/6to4 interfaces.
How can I tell (from within a script) there are other/better tunnels and
the above solution should be applied?
Any other suggestions?
--
Było mi bardzo miło. Czwarta pospolita klęska, [...]
I've got a situation I would like to solve as neatly as possible
and contribute to OpenWRT. This is the picture.
I've got a:
1. DSL line at home with a dynamic IPv4 address.
2. TL-WR1043ND router running OpenWRT (pppoe).
3. tunnel to SiXXS.
I'd like to:
1. set up 6to4 tunnel for better communication with other 6to4 users.
Condition:
1. SiXXS seem to block packets with 6to4 address comming to their
POP thtough a tunnel.
The simple option is to set up a 6to4 tunnel but not advertise it with
radvd. Inbound packets from 2002::/16 come through sixxs device outgoing
take the shorter route through 6to4 tunnel. 6to4 users should accept
them according to "Security considerations" in
http://www.faqs.org/rfcs/rfc3056.html
It is more efficient, however, to advertise 6to4 prefix throughout the
LAN and comunicate with others more directly to avoid possibly
misconfigured 6to4 GWs along the way.
Let's consider four possible cases of incoming connections (there are
only two for outgoing once, since local host is supposed to choose a
source address wisely) where remote and local addresses can be either
native or 6to4 ones. (iif/oif on a router)
| remote -> | 6to4 | native |
|-----------+-----------+-------------|
| local | | |
| 6to4 | stf/stf | stf/stf* |
| native | sixxs/stf | sixxs/sixxs |
As for default settings there is a problem with the "*" case as packets
with a 6to4 source address and a native destination one won't pass
through sixxs tunnel. A routing table like this won't work.
2002::/16 dev 6to4-stf proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 0
default via 2001:db8:2::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 0
The solution.
I've solved the problem by adding an additional routing table
(sixtofour) with a single entry
2000::/3 via ::192.88.99.1 dev 6to4-stf metric 1029 mtu 1280 advmss 1220 hoplimit 0
and a rule
from 2002:c000:2e8::/48 lookup sixtofour
(2002:c000:2e8:: is my 6to4 prefix)
which makes all packets with a 6to4 source address from my LAN be routed
through the 6to4-stf interface.
It looks like there should be a separate routing table for each 6to4
interface/prefix which hints there shouldn't be more than one 6to4
tunnel.
The Questions.
I'd like to put everything (the above setup) together in the right
places so the question is what are they? (Would you accept a patch for
/etc/iproute2/rt_tables?)
Can I assume openwrt supports multiple routing tables?
I suppose I shoud not make any assumptions about the number role of
IPv4/IPv6/6to4 interfaces.
How can I tell (from within a script) there are other/better tunnels and
the above solution should be applied?
Any other suggestions?
--
Było mi bardzo miło. Czwarta pospolita klęska, [...]
Łukasz< Już nie katolicka lecz złodziejska. (c)PP