Hi Holger,

First of all sorry for the delay. We were on holidays. I will try to answer inline.


On 04/08/16 15:22, Holger Zuleger wrote:
Hi list,

I am trying to set up an xTR using oor on an openwrt router to get IPv6
access on an ipv4-only ppp link.
I installed the binary image from the openoverlay.org website and
configured the oor package.

It is the first time I'm using oor and openwrt as well. So probably my
problems are not related to oor but more on the network or firewall
configuration of openwrt.

However, it would be nice if someone could take a look at my config and
shed a light on what's wrong with it.

The first thing I configured is the upstream connection which is a pppoe
connection. So I did something like this in the network config:
config interface 'lan'
         option ifname 'eth0.1'
         option force_link '1'
         option type 'bridge'
         option proto 'static'
         option ipaddr '192.168.1.1'
         option netmask '255.255.255.0'
         option ip6hint '01'
         option ip6assign '64'

config interface 'wan'
         option ifname 'eth1'
         option proto 'pppoe'
         option username 'userxxxx'
         option password 'xxxxx'

The pppoe-wan interface is coming up, and I configured this in
/etc/config/oor as rloc interface, as well as the usual config
parameters for an xTR:
package 'oor'

config 'daemon'
         option  'debug'                 '1'
         option  'log_file'              '/tmp/oor.log'
         option  'map_request_retries'   '2'
         option  'operating_mode'        'xTR'
         option  'nat_traversal_support' 'off'

config 'rloc-probing'
         option  'rloc_probe_interval'           '30'
         option  'rloc_probe_retries'            '2'
         option  'rloc_probe_retries_interval'   '5'

config 'map-resolver'
         list  'address'               '109.235.46.40'

config 'map-server'
         option   'address'              '109.235.46.40'
         option   'key_type'             '1'
         option   'key'                  'xxxxxx'
         option   'proxy_reply'          'on'

config 'database-mapping'
         option   'eid_prefix'           '2a03:3e00:ff01::/48'
         option   'iid'                  '0'
         option   'rloc_set'             'hknrlocset'

config 'proxy-itr'
         list   'address'              '109.235.46.40'

config 'proxy-etr'
         option   'address'              '109.235.46.40'
         option   'priority'             '1'
         option   'weight'               '100'

config 'rloc-set'
         option   'name'             'hknrlocset'
         list     'rloc_name'        'pppwan'

config 'rloc-iface'
         option   'name'                 'pppwan'
         option   'interface'            'pppoe-wan'
         option   'ip_version'           '4'
         option   'priority'             '1'
         option   'weight'               '5'

The first problem with this config was, that the oor process didn't
startup, because the pppoe-wan interface wasn't up at the oor startup
time. I changed the startup script to wait for the pppoe-wan interface
to come up before starting oor.
Good
The next question was how to configure the IPv6 prefix.
I tried out a config global section like the ula prefix, but this won't
work.
So I configured the lisp ipv6 prefix as static on the wan6 interface:
  config interface 'wan6'
         option ifname 'eth1'
         option ip6prefix '2a03:3e00:ff01::/48'
         option proto 'static'

Now the registration at the map-server worked well, the lispTun0
interface is up, and the lan config looks good as well:

root@OpenWrt:/etc/config# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:1D:73:B1:92:97
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           inet6 addr: 2a03:3e00:ff01:1::1/64 Scope:Global
           inet6 addr: fe80::21d:73ff:feb1:9297/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:2559 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2132 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:192132 (187.6 KiB)  TX bytes:576824 (563.3 KiB)

root@OpenWrt:/etc/config# ifconfig pppoe-wan
pppoe-wan Link encap:Point-to-Point Protocol
           inet addr:185.122.6.208  P-t-P:185.122.4.4  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1480  Metric:1
           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
           TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:3
           RX bytes:913 (913.0 B)  TX bytes:1318 (1.2 KiB)

root@OpenWrt:/etc/config# ifconfig lispTun0
lispTun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           UP POINTOPOINT RUNNING  MTU:1440  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:0 (0.0 B)  TX bytes:520 (520.0 B)

The routing table on the oor router shows me a default route pointing to
the lispTun0 Interface, but ip -6 route does not:

root@OpenWrt:/etc/config# ip -6 route show
2a03:3e00:ff01:1::/64 dev br-lan  proto static  metric 1024
unreachable 2a03:3e00:ff01::/48 dev lo  proto static  metric 2147483647 error -128
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev eth1  proto kernel  metric 256

root@OpenWrt:/etc/config# route -Ainet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
2a01:4f8:130:1261::2/128                    ::                                      UC    0      8        0 lispTun0
::/0                                        ::                                      U     100    0        1 lispTun0
2a03:3e00:ff01:1:2d5f:1607:e6a4:6348/128    ::                                      UC    0      6        0 br-lan
2a03:3e00:ff01:1::/64                       ::                                      U     1024   0        1 br-lan
  ...
OOR routing uses rules to redirect traffic to lisptun0.
For instance:
#ip -6 rule
   0:    from all lookup local
   99:    from all to 2a03:3e00:ff01:1::1/64 lookup main
   100:    from 2a03:3e00:ff01:1::1/64 lookup 100
   32766:    from all lookup main

#ip -6 route show table 100
  default dev lispTun0  proto static  metric 100

However, if I ping6 a remote side from a host sitting on the lan side, I
will see an entry in the route table (see above) but will get a
destination unreachable error from the oor router:

$ ping6 2a01:478:130:1261::2
PING 2a01:478:130:1261::2(2a01:478:130:1261::2) 56 data bytes
 From 2a03:3e00:ff01:1::1 icmp_seq=1 Destination unreachable: Port unreachable
 From 2a03:3e00:ff01:1::1 icmp_seq=2 Destination unreachable: Port unreachable
^C
--- 2a01:478:130:1261::2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1009ms


My guess is, that it has something to do with the (wrong) firewall
setting, which is a bit of a mystery for me.
Yes, this could be the reason. We also do not have much experience with the firewall of OpenWRT.
What I changed in the firewall config is more or less the definition of
the wan zone like this:
## Firewall config (part)
config zone
         option name             lan
         list   network          'lan'
         option input            ACCEPT
         option output           ACCEPT
         option forward          ACCEPT

config zone
         option name             wan
         list   network          'wan'
         list   network          'wan6'
         list   network          'pppoe-wan'
         option input            REJECT
         option output           ACCEPT
         option forward          REJECT
         option masq             1
         option mtu_fix          1

config forwarding
         option src              lan
         option dest             wan
We add these changes to the basic configuration of the firewall to make it work:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '4341:4342'
        option name 'LISP'
        option src 'wan'

We are not experts in openWrt so it is possible that a more restrictive firewall configuration exists
which allows OOR to work.

Best regards

Albert


Has anyone here an idea what's wrong with my config, or any suggestion
what I can check next?

Thanks for any help in advance
Best regards
  Holger
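
An added example (not part of the original thread, and not OOR or OpenWrt code): a small Python check that parses firewall sections like the ones posted above and reports which `defaults` or wan-zone policies are set to ACCEPT, and whether UDP 4341-4342 (LISP data and control) is accepted from wan. The function names and the embedded sample text are assumptions made for illustration.

```python
import re, shlex

# Sample input transcribed from the firewall sections in this thread (embedded to run offline).
REPLY_FW = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '4341:4342'
    option src 'wan'
"""
WAN_ZONE_FW = "config zone\n option name wan\n option input REJECT\n option forward REJECT\n"

def parse_uci(text):
    """Return [(section_type, {option: value})] from UCI text; 'list' lines are ignored."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def permissive_policies(text):
    """Flag ACCEPT input/forward policies in 'defaults' and in the zone named 'wan'."""
    hits = []
    for stype, opts in parse_uci(text):
        exposed = stype == "defaults" or (stype == "zone" and opts.get("name") == "wan")
        for chain in ("input", "forward"):
            if exposed and opts.get(chain, "").upper() == "ACCEPT":
                hits.append(f"{stype}.{chain}")
    return hits

def lisp_ports_allowed(text):
    """True if an enabled rule accepts UDP ports 4341 and 4342 coming from wan."""
    for stype, opts in parse_uci(text):
        if stype != "rule" or opts.get("enabled", "1") != "1":
            continue
        m = re.fullmatch(r"(\d+)(?:[:-](\d+))?", opts.get("dest_port", ""))
        if (m and opts.get("target") == "ACCEPT" and opts.get("src") == "wan"
                and "udp" in opts.get("proto", "").split()
                and int(m[1]) <= 4341 and int(m[2] or m[1]) >= 4342):
            return True
    return False

if __name__ == "__main__":
    print(permissive_policies(REPLY_FW), lisp_ports_allowed(REPLY_FW))
```
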




_______________________________________________
Users mailing list
[email protected]
http://mail.openoverlayrouter.org/cgi-bin/mailman/listinfo/users

