
Topic: RADVD and fixed ip addresses (for internal servers)


I am experimenting with OpenWrt and IPv6 (HE.net 6in4 tunnel). I have an IPv6 /48 allocation which I am currently splitting into three /64 subnets: dmz, guest and lan.
The WAN connection is IPv4 over DSL (PPPoE), with a fixed IPv4 /28 address block routed to me over that DSL connection.

Guest and lan use only dynamic addresses (IPv4 via DHCP, IPv6 via radvd/SLAAC) - everything seems to be working very nicely there.

Systems attached to the DMZ are all assigned fixed addresses, both IPv4 and IPv6. I have tried removing the DMZ from radvd, but when I do I can no longer connect inbound to the systems on the DMZ, although they can still connect outbound without any apparent problem.

Do I need RADVD for the DMZ, if so why?
What other problems might I have if I were to remove the DMZ from RADVD?
If I do not need RADVD for the DMZ, what do I need to do in order to be able to connect to the systems on the DMZ?
Am I right in thinking this is a routing problem?


configuration is:
Network

# /etc/config/network as posted: loopback, three local segments (dmz, guest,
# lan), a PPPoE WAN and an HE.net 6in4 tunnel, plus the rtl8366s switch/VLAN
# layout that maps the segments onto physical ports.
config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

# DMZ on VLAN 2 (eth0.2): a public IPv4 /28 (redacted) and a static /64
# carved from the HE.net /48. Hosts here carry fixed addresses; the router
# is ::1 on the prefix. Because this segment holds public IPv4 and global
# IPv6 addresses, everything the firewall forwards from wan lands directly
# on these hosts.
config 'interface' 'dmz'
    option 'proto' 'static'
    option 'ifname' 'eth0.2'
    option 'ipaddr' '74.nn.nn.nn'
    option 'netmask' '255.255.255.240'
    option 'ip6addr' '2001:470:dead:100::1/64'

# Guest segment. No 'ifname' is given, so nothing in this file binds it to a
# port or VLAN; presumably it is attached elsewhere (e.g. a wireless network
# in /etc/config/wireless, not shown) - confirm.
config 'interface' 'guest'
    option 'proto' 'static'
    option 'ipaddr' '192.168.2.1'
    option 'netmask' '255.255.255.240'
    option 'ip6addr' '2001:470:dead:200::1/64'

# LAN bridge on VLAN 1 (eth0.1), private IPv4 plus its own /64.
config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.224'
    option 'ip6addr' '2001:470:dead:300::1/64'

# WAN: PPPoE on eth1.
# NOTE(review): the ISP username and password below were posted verbatim in
# a public thread. Treat them as compromised - rotate them with the ISP -
# and redact credentials before sharing a config (the 6in4 section further
# down shows how: placeholders instead of real values).
config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'pppoe'
    option 'username' 'ja3@electronicbox.net'
    option 'password' 'al4v7ab1'

# HE.net 6in4 tunnel. 'peeraddr' is the remote tunnel endpoint; the
# tunnel-side /64 (2001:470:aa:bbb::/64) is distinct from the routed /48 used
# on the local segments. tunnelid/username/password are placeholders here.
config 'interface' 'henet'
    option 'proto' '6in4'
    option 'peeraddr' '216.66.38.58'
    option 'ip6addr' '2001:470:aa:bbb::2/64'
    option 'tunnelid' '111111'
    option 'username' 'a-username-here'
    option 'password' 'password'

# Switch layout: VLAN 2 = ports 2,3 plus CPU port 5 tagged -> eth0.2 (dmz);
# VLAN 1 = ports 0,1 plus 5 tagged -> eth0.1 (lan). Port 4 appears in no
# VLAN, so it is presumably unused (or left in the default VLAN) - confirm.
config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '2 3 5t'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 5t'

config 'switch'
    option 'name' 'rtl8366s'
    option 'reset' '1'
    option 'enable_vlan' '1'
    option 'blinkrate' '2'
    option 'enable_vlan4k' '1'
    option 'max_length' '3'

# Per-port LED assignments only; no effect on traffic.
config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '1'
    option 'led' '6'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '2'
    option 'led' '9'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '5'
    option 'led' '2'

RADVD

# /etc/config/radvd as posted. Each segment has an 'interface' section (RA
# flags) plus 'prefix', 'route', 'rdnss' and 'dnssl' sections.
# None of the 'prefix' sections carries an explicit 'prefix' option, so the
# advertised prefix presumably comes from the segment's ip6addr in
# /etc/config/network - confirm against the generated radvd.conf.

# lan. AdvManagedFlag/AdvOtherConfigFlag=1 tell hosts to obtain addresses
# and other configuration via DHCPv6; no DHCPv6 server is shown in this
# thread, so confirm one exists or clear these flags.
# AdvHomeAgentFlag/AdvHomeAgentInfo/AdvMobRtrSupportFlag=1 advertise this
# router as a Mobile IPv6 home agent, which is unusual for a plain LAN and
# probably unintended (the dmz section below does not set them).
config 'interface'
    option 'interface' 'lan'
    option 'AdvSendAdvert' '1'
    option 'ignore' '0'
    option 'IgnoreIfMissing' '1'
    option 'AdvSourceLLAddress' '1'
    option 'AdvDefaultPreference' 'medium'
    option 'AdvHomeAgentFlag' '1'
    option 'AdvIntervalOpt' '1'
    option 'AdvHomeAgentInfo' '1'
    option 'AdvMobRtrSupportFlag' '1'
    option 'AdvManagedFlag' '1'
    option 'AdvOtherConfigFlag' '1'

# On-link, autonomous prefix: lan hosts SLAAC an address from the lan /64.
config 'prefix'
    option 'interface' 'lan'
    option 'AdvOnLink' '1'
    option 'AdvAutonomous' '1'
    option 'ignore' '0'

# Empty 'prefix' list: presumably no additional routes are advertised from
# this section.
config 'route'
    option 'interface' 'lan'
    list 'prefix' ''
    option 'ignore' '0'

# Empty 'addr' list: presumably no RDNSS option is sent, so hosts learn no
# DNS server from RAs and depend on DHCPv6 (see flags above).
config 'rdnss'
    option 'interface' 'lan'
    list 'addr' ''
    option 'ignore' '0'

config 'dnssl'
    option 'interface' 'lan'
    list 'suffix' 'klam.ca'
    option 'ignore' '0'

# dmz - the section the original poster tried removing. While it is present:
#  * AdvOnLink=1 tells DMZ hosts the /64 is directly reachable and the RA
#    itself offers this router as a default router;
#  * AdvAutonomous=1 means every DMZ host also autoconfigures a SECOND
#    global address beside its fixed one. Firewall rules, DNS records or
#    ACLs that key on the fixed address will not cover that extra address -
#    if the DMZ is meant to be static-only, set AdvAutonomous to 0 rather
#    than dropping the whole section.
# What a host still knows after the section is removed depends entirely on
# its own static gateway/prefix configuration, which is not shown here.
config 'interface'
    option 'ignore' '0'
    option 'interface' 'dmz'
    option 'IgnoreIfMissing' '1'
    option 'AdvSendAdvert' '1'
    option 'AdvManagedFlag' '1'
    option 'AdvOtherConfigFlag' '1'
    option 'AdvSourceLLAddress' '1'
    option 'AdvDefaultPreference' 'medium'

config 'prefix'
    option 'interface' 'dmz'
    option 'AdvOnLink' '1'
    option 'AdvAutonomous' '1'
    option 'ignore' '0'

config 'route'
    option 'interface' 'dmz'
    option 'AdvRoutePreference' 'medium'
    option 'ignore' '0'

# No 'addr' given: presumably no RDNSS is advertised on the dmz.
config 'rdnss'
    option 'ignore' '0'
    option 'interface' 'dmz'

config 'dnssl'
    option 'ignore' '0'
    option 'interface' 'dmz'
    list 'suffix' 'klam.ca'
    list 'suffix' 'klam.com'
    list 'suffix' 'klam.biz'

# guest: same DHCPv6 and Mobile IPv6 home-agent flags as lan (see the lan
# note above); the IgnoreIfMissing=1 here matters because the guest
# interface has no ifname in /etc/config/network.
config 'interface'
    option 'ignore' '0'
    option 'interface' 'guest'
    option 'IgnoreIfMissing' '1'
    option 'AdvSendAdvert' '1'
    option 'AdvManagedFlag' '1'
    option 'AdvOtherConfigFlag' '1'
    option 'AdvSourceLLAddress' '1'
    option 'AdvDefaultPreference' 'medium'
    option 'AdvHomeAgentFlag' '1'
    option 'AdvIntervalOpt' '1'
    option 'AdvHomeAgentInfo' '1'
    option 'AdvMobRtrSupportFlag' '1'

config 'prefix'
    option 'ignore' '0'
    option 'interface' 'guest'
    option 'AdvOnLink' '1'
    option 'AdvAutonomous' '1'

config 'route'
    option 'ignore' '0'
    option 'interface' 'guest'
    option 'AdvRoutePreference' 'medium'

config 'rdnss'
    option 'ignore' '0'
    option 'interface' 'guest'

Firewall

# /etc/config/firewall as posted.
# Defaults: INPUT and OUTPUT accept, FORWARD drop. Because the default
# input policy is ACCEPT, any interface that is not a member of a zone
# would be fully reachable; all four networks below are zoned, with wan
# overriding input to REJECT.
config 'defaults'
    option 'syn_flood' '1'
    option 'drop_invalid' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'DROP'

# dmz zone: input ACCEPT lets any DMZ host reach every service on the router
# (including management). Since the DMZ is internet-exposed (wan -> dmz
# forwarding below), a compromised DMZ host gets the same access to the
# router as a LAN host. Consider input REJECT plus explicit rules for what
# DMZ hosts actually need from the router.
config 'zone'
    option 'name' 'dmz'
    option 'network' 'dmz'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'input' 'ACCEPT'

# guest zone: same router access as lan; see the forwarding entries for
# what guest may reach.
config 'zone'
    option 'name' 'guest'
    option 'network' 'guest'
    option 'forward' 'REJECT'
    option 'conntrack' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    
config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# wan zone covers both the PPPoE link and the henet 6in4 tunnel, so every
# wan rule and forwarding below applies to IPv6 arriving over the tunnel.
# 'masq' is set on a zone that also contains the tunnel; whether this
# release's firewall script masquerades IPv6 on henet is not stated - if it
# does, the routed /64s would be NATed on egress, so confirm.
config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'network' 'henet wan'
    option 'conntrack' '1'

# wan -> dmz: forwards ALL traffic from the internet (IPv4 on the public /28
# and IPv6 on the dmz /64) into the DMZ with no port or protocol
# restriction. Every DMZ host, including any SLAAC address it picked up from
# radvd, is fully exposed. The usual pattern is to drop this forwarding and
# add per-service 'rule' entries (src wan, dest dmz, dest_ip, dest_port,
# target ACCEPT) instead.
config 'forwarding'
    option 'src' 'wan'
    option 'dest' 'dmz'
# dmz -> wan: outbound from the DMZ.
config 'forwarding'
    option 'src' 'dmz'
    option 'dest' 'wan'

# guest and lan may initiate to wan and to the dmz. Nothing may initiate
# into lan or guest, and guest cannot reach lan.
config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'
config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'dmz'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'dmz'

# Stock OpenWrt input exceptions for wan: DHCP renew (IPv4), ping, DHCPv6
# from link-local only, and the ICMPv6 types needed for NDP, PMTUD and
# error reporting (rate-limited).
config 'rule'
    option 'name' 'Allow-DHCP-Renew'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'
    option 'dest_port' '67 68'

config 'rule'
    option 'name' 'Allow-Ping'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'family' 'ipv4'
    option 'target' 'ACCEPT'

config 'rule'
    option 'name' 'Allow-DHCPv6'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'src_ip' 'fe80::/10'
    option 'src_port' '547'
    option 'dest_ip' 'fe80::/10'
    option 'dest_port' '546'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

config 'rule'
    option 'name' 'Allow-ICMPv6-Input'
    option 'src' 'wan'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    list 'icmp_type' 'router-solicitation'
    list 'icmp_type' 'neighbour-solicitation'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

# Forwarded ICMPv6 from wan to every zone: keeps PMTUD and error reporting
# working for hosts behind the router even where no other forwarding exists.
config 'rule'
    option 'name' 'Allow-ICMPv6-Forward'
    option 'src' 'wan'
    option 'dest' '*'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

# DNS rule: src '*' matches every zone, including wan and the henet tunnel,
# so TCP/UDP 53 on the router itself is reachable from the internet over
# both IPv4 and IPv6. If whatever listens on 53 (dnsmasq presumably; not
# shown) answers recursively, this is an open resolver usable for
# amplification. Unless serving DNS externally is intended, restrict 'src'
# to the internal zones (one rule each for lan, guest and dmz).
config 'rule'
    option 'target' 'ACCEPT'
    option 'proto' 'tcp udp'
    option 'dest_port' '53'
    option 'name' 'DNS'
    option 'src' '*'

# /etc/firewall.user is not shown; anything in it can widen or narrow the
# rules above.
config 'include'
    option 'path' '/etc/firewall.user'


It is possible that radvd just toggles some required sysctls on your dmz interface. I suggest comparing the output of "sysctl -a | grep eth0.2" both when radvd manages the interface and when you have taken it out of the radvd configuration.

I tried your suggestion.
I saved the output of "sysctl -a" both with and without the dmz in the radvd setup, then compared the two files in WinMerge; the two outputs were identical.
So that is not it.

