Hi All.

I have a Asus RT-N16 router, I've had it for years running with DD-WRT.

Lately I updated the firmware to the latest AsusWRT-Merlin because it has support for dual-wan and ipv6 firewall. WAN1 is ADSL and WAN2 is 4G.

No IPv6 support from the ISP's so I've set up a he.net tunnel in it and the router now has ipv6.

Yesterday I installed entware and privoxy via opkg. Now I can use the proxy in the router for outgoing traffic from my os/2 ipv4-only computer. :)

The next task is to forward incoming ipv6 traffic to ipv4. I don't know much about linux, so please help me to tell the box how to forward ipv6 port 24554 to 192.168.1.2.

Thanks! :)

'Tommi

---
* Origin: 2001:470:27:a::2 (2:221/1.1)

Hello Tommi!

Sep 26 12:01 2015, Tommi Koivula wrote to All:

The next task is to forward incoming ipv6 traffic to ipv4. I don't
know much about linux, so please help me to tell the box how to
forward ipv6 port 24554 to 192.168.1.2.

http://www.haproxy.org/

Regards,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Hello Tommi!

Sep 26 11:53 2015, Markus Reschke wrote to Tommi Koivula:

http://www.haproxy.org/

Example: http://www.koopman.me/2011/02/haproxy-for-ipv6-translation-to-ipv4-only-websit e/

The important thing is to set the mode to TCP and to change the required ports. haproxy will work as proxy for any TCP based protocol.

Regards,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

26 Sep 15 11:53, you wrote to me:

The next task is to forward incoming ipv6 traffic to ipv4. I
don't know much about linux, so please help me to tell the box
how to forward ipv6 port 24554 to 192.168.1.2.

http://www.haproxy.org/

Thanks!

Haproxy installed and running. :)

Now I have a problem with the IPv6 firewall. It always blocks the inbound traffic from the tunnel even if I allowed port 24554 from the GUI of AsusWRT. From the router the forwarding works, (telnet 2001:470:27:a::2 24554) .

'Tommi

---
* Origin: ====================================== (2:221/1.1)

Hi Tommi!

Sep 26 15:51 2015, Tommi Koivula wrote to Markus Reschke:

Now I have a problem with the IPv6 firewall. It always blocks the
inbound traffic from the tunnel even if I allowed port 24554 from the
GUI of AsusWRT. From the router the forwarding works, (telnet 2001:470:27:a::2 24554) .

If possible, please enable firewall logging and check the log entries for IPv6 binkp. When you find drop/reject messages for binkp, then the next step is to evaluate the firewall rules. If you're lucky the log entries include the chain's name. That's based on how the rule sets are designed.

Regards,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

26 Sep 15 15:57, you wrote to me:

Now I have a problem with the IPv6 firewall. It always blocks the
inbound traffic from the tunnel even if I allowed port 24554 from
the GUI of AsusWRT. From the router the forwarding works, (telnet
2001:470:27:a::2 24554) .

If possible, please enable firewall logging and check the log entries
for IPv6 binkp. When you find drop/reject messages for binkp, then the next step is to evaluate the firewall rules. If you're lucky the log entries include the chain's name. That's based on how the rule sets
are designed.

One log line of dropped inbound binkp:

Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= MAC=00:e6:ba:a0:11:11:00:03:fa:56:9b:ac:08:00:45:00:00:5c:cf:d4:40:00:fa:29:c9:6 0:d8:42:50:5a:5b:9b:63:0b:60:00:00:00 TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)

91.155.99.11 is my routers ipv4 address,
216.66.80.90 is the endpoint of the HE tunnel. 2001:0470:1f15:0cb0:0000:0000:0000:0004 is where from I tried to access binkd at 2001:0470:0027:000a:0000:0000:0000:0002

Here's the output of ip6tables-save:

=== Cut ===
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*mangle
:PREROUTING ACCEPT [13580:2593451]
:INPUT ACCEPT [10638:2352811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14587:1570620]
:POSTROUTING ACCEPT [14587:1570620]
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A FORWARD -m state --state NEW -j SKIPLOG
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12616:1430065]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -d 2001:470:27:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
-A FORWARD -d 2001:470:28:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
-A FORWARD -i v6in4 -o br0 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -m rt --rt-type 0 -j logdrop
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
=== Cut ===

'Tommi

---
* Origin: ====================================== (2:221/1.1)

Hello Tommi!

Sep 26 18:33 2015, Tommi Koivula wrote to Markus Reschke:

One log line of dropped inbound binkp:

Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT=

6 0:d8:42:50:5a:5b:9b:63:0b:60:00:00:00
TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0
HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)

91.155.99.11 is my routers ipv4 address,
216.66.80.90 is the endpoint of the HE tunnel. 2001:0470:1f15:0cb0:0000:0000:0000:0004 is where from I tried to
access binkd at 2001:0470:0027:000a:0000:0000:0000:0002

I assume that the router is your end of the 6in4 HE.net tunnel and haproxy is runing on that router too. Is that right?

In this case you would need to insert an INPUT rule before the logdrop:
ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j ACCEPT

Regards,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

On 26.9.2015 19:12, Markus Reschke - Tommi Koivula wrote:

I assume that the router is your end of the 6in4 HE.net tunnel and
haproxy is runing on that router too. Is that right?

Yes.

In this case you would need to insert an INPUT rule before the logdrop:
ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j ACCEPT

I'll try to find a way to do it. ;)

'Tommi

--- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.
* Origin: *** JamNNTPd @ nntp://fidonews.mine.nu *** Finland *** (2:221/6)

Hello Markus!

26 Sep 2015 12:08, Markus Reschke wrote to Tommi Koivula:

Hello Tommi!

Sep 26 11:53 2015, Markus Reschke wrote to Tommi Koivula:

http://www.haproxy.org/

Example: http://www.koopman.me/2011/02/haproxy-for-ipv6-translation-to-ipv4-onl y-websit e/

The important thing is to set the mode to TCP and to change the
required ports. haproxy will work as proxy for any TCP based protocol.

or install xinetd on openWRT, in a service use REDIRECT (incomming only trafik, not outgoing)

----- xinetd.manpage begins -----

redirect Allows a tcp service to be redirected to another host. When xinetd receives a tcp connection on this port it spawns a process
that establishes a connection to the host and port number specified, and forwards all data between the two hosts. This option is
useful when your internal machines are not visible to the outside world. Syntax is: redirect = (ip address) (port). You can
also use a hostname instead of the IP address in this field. The hostname lookup is performed only once, when xinetd is started,
and the first IP address returned is the one that is used until xinetd is restarted. The "server" attribute is not required when
this option is specified. If the "server" attribute is specified, this attribute takes priority.

----- xinetd.manpage ends -----

only downside is that if redirected host changes ips one need to reload xinetd :(

Regards Benny

... there can only be one way of life, and it works :)

--- Msged/LNX 6.2.0 (Linux/4.2.0-gentoo-r1 (i686))
* Origin: openvpn on its way here (1:261/38.20)

26 Sep 15 19:47, I wrote to Markus Reschke:

ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j
ACCEPT

I'll try to find a way to do it. ;)

Done!

BinkD/2 (2:221/0) should now answer at 2001:470:27:a::2 .

Finally I need to make sure my settings remain after reboot. ;)

Thanks Markus!

'Tommi

---
* Origin: ====================================== (2:221/1.1)

Hi Tommi!

Sep 26 20:22 2015, Tommi Koivula wrote to Markus Reschke:

BinkD/2 (2:221/0) should now answer at 2001:470:27:a::2 .

$ telnet 2001:470:27:a::2 24554
Trying 2001:470:27:a::2...
Connected to 2001:470:27:a::2.
Escape character is '^]'.
.OPT CRAM-MD5-1264e9f89dec8088e16d9c4dc38e28ee
SYS RBB/2ZYZ Tommi KoivulaLOC Lake Ylo, Finland
NDL IBN,CM%TIME Sat, 26 Sep 2015 20:38:25 +0300 VER binkd/1.1a-73/OS2 binkp/1.1

Looks fine!

Finally I need to make sure my settings remain after reboot. ;)

A very good idea ;)

Thanks Markus!

You're welcome!

Regards,
Markus

---
* Origin: *** theca tabellaria *** (2:240/1661)

Hello Tommi!

26 Sep 2015 19:47, Tommi Koivula wrote to Markus Reschke:

I'll try to find a way to do it. ;)

shorewall.net ask for a OpenWRT port

even my own AnTMiner have a openWRT router (bitcoins)

if you want to bridge Wireless IN to EtherNET outgoing i got that reverse to work, it was not designed for that stuppidness but it worked :=)

so all lefts was for me just to tell that eth0 should have a dhcp SERVER not a dhcp CLIENT

put a switch on the AnTMiner and you have a router that have wireless UPLINK and Ethernet lan


Regards Benny

... there can only be one way of life, and it works :)

--- Msged/LNX 6.2.0 (Linux/4.2.0-gentoo-r1 (i686))
* Origin: openvpn on its way here (1:261/38.20)

On Sat, 26 Sep 2015 20:51:04 +0300, Tommi Koivula wrote:

Now I have a problem with the IPv6 firewall. It always blocks the
inbound traffic from the tunnel even if I allowed port 24554 from the
GUI of AsusWRT. From the router the forwarding works, (telnet 2001:470:27:a::2 24554) .

You're tunnelled traffic is likely a GRE tunnel (ip protocol 41). If
you permit all traffic to or from the tunnel address for protocol 41
it should resolve your issues.

---
* Origin: The Byte Museum - news: news.bytemuseum.org (1:19/10)