I am experimenting with OpenWRT and IPV6 (HE Net 6in4 tunnel). I have a ipv6 /48 allocation which I am currently splitting into 3 sub-nets: dmz, guest and lan.
The wan connection is IPV4 via DSL with an IPV4 /28 fixed address block routed over the DSL connection.
Guest and lan only use dynamic addresses ipv4 -dhcp and ipv6 radvd - everything seems to be working very nicely here.
Systems attached to the DMZ are all assigned fixed addresses, both ipv4 and IPV6. I have tried to remove DMZ from RADVD, but if I do this I am unable to connect to the systems on the DMZ, although they can connect outbound without any apparent problems.
Do I need RADVD for the DMZ, if so why?
What other problems might I have if I were to remove the DMZ from RADVD?
If I do not need RADVD for the DMZ, what do I need to do in order to be able to connect to the systems on the DMZ?
Am I right in think this is a routing problem?
configuration is:
Network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'dmz'
option 'proto' 'static'
option 'ifname' 'eth0.2'
option 'ipaddr' '74.nn.nn.nn'
option 'netmask' '255.255.255.240'
option 'ip6addr' '2001:470:dead:100::1/64'
config 'interface' 'guest'
option 'proto' 'static'
option 'ipaddr' '192.168.2.1'
option 'netmask' '255.255.255.240'
option 'ip6addr' '2001:470:dead:200::1/64'
config 'interface' 'lan'
option 'ifname' 'eth0.1'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.224'
option 'ip6addr' '2001:470:dead:300::1/64'
config 'interface' 'wan'
option 'ifname' 'eth1'
option 'proto' 'pppoe'
option 'username' 'ja3@electronicbox.net'
option 'password' 'al4v7ab1'
config 'interface' 'henet'
option 'proto' '6in4'
option 'peeraddr' '216.66.38.58'
option 'ip6addr' '2001:470:aa:bbb::2/64'
option 'tunnelid' '111111'
option 'username' 'a-username-here'
option 'password' 'password'
config 'switch_vlan'
option 'device' 'rtl8366s'
option 'vlan' '2'
option 'ports' '2 3 5t'
config 'switch_vlan'
option 'device' 'rtl8366s'
option 'vlan' '1'
option 'ports' '0 1 5t'
config 'switch'
option 'name' 'rtl8366s'
option 'reset' '1'
option 'enable_vlan' '1'
option 'blinkrate' '2'
option 'enable_vlan4k' '1'
option 'max_length' '3'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '1'
option 'led' '6'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '2'
option 'led' '9'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '5'
option 'led' '2'RADVD
config 'interface'
option 'interface' 'lan'
option 'AdvSendAdvert' '1'
option 'ignore' '0'
option 'IgnoreIfMissing' '1'
option 'AdvSourceLLAddress' '1'
option 'AdvDefaultPreference' 'medium'
option 'AdvHomeAgentFlag' '1'
option 'AdvIntervalOpt' '1'
option 'AdvHomeAgentInfo' '1'
option 'AdvMobRtrSupportFlag' '1'
option 'AdvManagedFlag' '1'
option 'AdvOtherConfigFlag' '1'
config 'prefix'
option 'interface' 'lan'
option 'AdvOnLink' '1'
option 'AdvAutonomous' '1'
option 'ignore' '0'
config 'route'
option 'interface' 'lan'
list 'prefix' ''
option 'ignore' '0'
config 'rdnss'
option 'interface' 'lan'
list 'addr' ''
option 'ignore' '0'
config 'dnssl'
option 'interface' 'lan'
list 'suffix' 'klam.ca'
option 'ignore' '0'
config 'interface'
option 'ignore' '0'
option 'interface' 'dmz'
option 'IgnoreIfMissing' '1'
option 'AdvSendAdvert' '1'
option 'AdvManagedFlag' '1'
option 'AdvOtherConfigFlag' '1'
option 'AdvSourceLLAddress' '1'
option 'AdvDefaultPreference' 'medium'
config 'prefix'
option 'interface' 'dmz'
option 'AdvOnLink' '1'
option 'AdvAutonomous' '1'
option 'ignore' '0'
config 'route'
option 'interface' 'dmz'
option 'AdvRoutePreference' 'medium'
option 'ignore' '0'
config 'rdnss'
option 'ignore' '0'
option 'interface' 'dmz'
config 'dnssl'
option 'ignore' '0'
option 'interface' 'dmz'
list 'suffix' 'klam.ca'
list 'suffix' 'klam.com'
list 'suffix' 'klam.biz'
config 'interface'
option 'ignore' '0'
option 'interface' 'guest'
option 'IgnoreIfMissing' '1'
option 'AdvSendAdvert' '1'
option 'AdvManagedFlag' '1'
option 'AdvOtherConfigFlag' '1'
option 'AdvSourceLLAddress' '1'
option 'AdvDefaultPreference' 'medium'
option 'AdvHomeAgentFlag' '1'
option 'AdvIntervalOpt' '1'
option 'AdvHomeAgentInfo' '1'
option 'AdvMobRtrSupportFlag' '1'
config 'prefix'
option 'ignore' '0'
option 'interface' 'guest'
option 'AdvOnLink' '1'
option 'AdvAutonomous' '1'
config 'route'
option 'ignore' '0'
option 'interface' 'guest'
option 'AdvRoutePreference' 'medium'
config 'rdnss'
option 'ignore' '0'
option 'interface' 'guest'Firewall
config 'defaults'
option 'syn_flood' '1'
option 'drop_invalid' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'DROP'
config 'zone'
option 'name' 'dmz'
option 'network' 'dmz'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'input' 'ACCEPT'
config 'zone'
option 'name' 'guest'
option 'network' 'guest'
option 'forward' 'REJECT'
option 'conntrack' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
config 'zone'
option 'name' 'lan'
option 'network' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'network' 'henet wan'
option 'conntrack' '1'
config 'forwarding'
option 'src' 'wan'
option 'dest' 'dmz'
config 'forwarding'
option 'src' 'dmz'
option 'dest' 'wan'
config 'forwarding'
option 'src' 'guest'
option 'dest' 'wan'
config 'forwarding'
option 'src' 'guest'
option 'dest' 'dmz'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'dmz'
config 'rule'
option 'name' 'Allow-DHCP-Renew'
option 'src' 'wan'
option 'proto' 'udp'
option 'target' 'ACCEPT'
option 'family' 'ipv4'
option 'dest_port' '67 68'
config 'rule'
option 'name' 'Allow-Ping'
option 'src' 'wan'
option 'proto' 'icmp'
option 'icmp_type' 'echo-request'
option 'family' 'ipv4'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-DHCPv6'
option 'src' 'wan'
option 'proto' 'udp'
option 'src_ip' 'fe80::/10'
option 'src_port' '547'
option 'dest_ip' 'fe80::/10'
option 'dest_port' '546'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Input'
option 'src' 'wan'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
list 'icmp_type' 'router-solicitation'
list 'icmp_type' 'neighbour-solicitation'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Forward'
option 'src' 'wan'
option 'dest' '*'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'target' 'ACCEPT'
option 'proto' 'tcp udp'
option 'dest_port' '53'
option 'name' 'DNS'
option 'src' '*'
config 'include'
option 'path' '/etc/firewall.user'(Last edited by zzz2002 on 3 Jan 2012, 01:42)