[OOR-Users] Problems configuring oor on a openwrt router
Albert López
alopez at ac.upc.edu
Thu Aug 25 16:03:19 CEST 2016
Hi Holger,
First of all sorry for the delay. We were on holidays. I will try to
answer inline.
On 04/08/16 15:22, Holger Zuleger wrote:
> Hi list,
>
> I am trying to set up an xTR using oor on an openwrt router to get IPv6
> access on an ipv4-only ppp link.
> I installed the binary image from the openoverlay.org website and
> configured the oor package.
>
> It is the first time I'm using oor and openwrt as well. So probably my
> problems are not related to oor but more on the network or firewall
> configuration of openwrt.
>
> However, it would be nice if someone could take a look at my config and
> shed a light on what's wrong with it.
>
> The first thing I configured is the upstream connection which is a pppoe
> connection. So I did something like this in the network config:
> config interface 'lan'
> option ifname 'eth0.1'
> option force_link '1'
> option type 'bridge'
> option proto 'static'
> option ipaddr '192.168.1.1'
> option netmask '255.255.255.0'
> option ip6hint '01'
> option ip6assign '64'
>
> config interface 'wan'
> option ifname 'eth1'
> option proto 'pppoe'
> option username 'userxxxx'
> option password 'xxxxx'
>
> The pppoe-wan interface is coming up, and I configured this in
> /etc/config/oor as rloc interface, as well as the usual config
> parameters for an xTR:
> package 'oor'
>
> config 'daemon'
> option 'debug' '1'
> option 'log_file' '/tmp/oor.log'
> option 'map_request_retries' '2'
> option 'operating_mode' 'xTR'
> option 'nat_traversal_support' 'off'
>
> config 'rloc-probing'
> option 'rloc_probe_interval' '30'
> option 'rloc_probe_retries' '2'
> option 'rloc_probe_retries_interval' '5'
>
> config 'map-resolver'
> list 'address' '109.235.46.40'
>
> config 'map-server'
> option 'address' '109.235.46.40'
> option 'key_type' '1'
> option 'key' 'xxxxxx'
> option 'proxy_reply' 'on'
>
> config 'database-mapping'
> option 'eid_prefix' '2a03:3e00:ff01::/48'
> option 'iid' '0'
> option 'rloc_set' 'hknrlocset'
>
> config 'proxy-itr'
> list 'address' '109.235.46.40'
>
> config 'proxy-etr'
> option 'address' '109.235.46.40'
> option 'priority' '1'
> option 'weight' '100'
>
> config 'rloc-set'
> option 'name' 'hknrlocset'
> list 'rloc_name' 'pppwan'
>
> config 'rloc-iface'
> option 'name' 'pppwan'
> option 'interface' 'pppoe-wan'
> option 'ip_version' '4'
> option 'priority' '1'
> option 'weight' '5'
>
> The first problem with this config was that the oor process didn't
> start up, because the pppoe-wan interface wasn't up at the oor startup
> time. I changed the startup script to wait for the pppoe-wan interface
> to come up before starting oor.
Good
> The next question was how to configure the IPv6 prefix.
> I tried out a config global section like the ula prefix, but this won't
> work.
> So I configured the lisp ipv6 prefix as static on the wan6 interface:
> config interface 'wan6'
> option ifname 'eth1'
> option ip6prefix '2a03:3e00:ff01::/48'
> option proto 'static'
>
> Now the registration at the map-server worked well, the lispTun0
> interface is up, and the lan config looks good as well:
>
> root@OpenWrt:/etc/config# ifconfig br-lan
> br-lan Link encap:Ethernet HWaddr 00:1D:73:B1:92:97
> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: 2a03:3e00:ff01:1::1/64 Scope:Global
> inet6 addr: fe80::21d:73ff:feb1:9297/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2559 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2132 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:192132 (187.6 KiB) TX bytes:576824 (563.3 KiB)
>
> root@OpenWrt:/etc/config# ifconfig pppoe-wan
> pppoe-wan Link encap:Point-to-Point Protocol
> inet addr:185.122.6.208 P-t-P:185.122.4.4 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1480 Metric:1
> RX packets:18 errors:0 dropped:0 overruns:0 frame:0
> TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:913 (913.0 B) TX bytes:1318 (1.2 KiB)
>
> root@OpenWrt:/etc/config# ifconfig lispTun0
> lispTun0 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> UP POINTOPOINT RUNNING MTU:1440 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:0 (0.0 B) TX bytes:520 (520.0 B)
>
> The routing table on the oor router shows me a default route pointing to
> the lispTun0 Interface, but ip -6 route does not:
>
> root@OpenWrt:/etc/config# ip -6 route show
> 2a03:3e00:ff01:1::/64 dev br-lan proto static metric 1024
> unreachable 2a03:3e00:ff01::/48 dev lo proto static metric 2147483647
> error -128
> fe80::/64 dev eth0 proto kernel metric 256
> fe80::/64 dev br-lan proto kernel metric 256
> fe80::/64 dev eth1 proto kernel metric 256
>
> root@OpenWrt:/etc/config# route -Ainet6
> Kernel IPv6 routing table
> Destination Next Hop
> Flags Metric Ref Use Iface
> 2a01:4f8:130:1261::2/128
> :: UC 0 8 0 lispTun0
> ::/0 ::
> U 100 0 1 lispTun0
> 2a03:3e00:ff01:1:2d5f:1607:e6a4:6348/128 ::
> UC 0 6 0 br-lan
> 2a03:3e00:ff01:1::/64 ::
> U 1024 0 1 br-lan
> ...
OOR routing uses rules to redirect traffic to lispTun0.
For instance:
#ip -6 rule
0: from all lookup local
99: from all to 2a03:3e00:ff01:1::1/64 lookup main
100: from 2a03:3e00:ff01:1::1/64 lookup 100
32766: from all lookup main
#ip -6 route show table 100
default dev lispTun0 proto static metric 100
> However, if I ping6 a remote side from a host sitting on the lan side, I
> will see an entry in the route table (see above) but will get a
> destination unreachable error from the oor router:
>
> $ ping6 2a01:478:130:1261::2
> PING 2a01:478:130:1261::2(2a01:478:130:1261::2) 56 data bytes
> From 2a03:3e00:ff01:1::1 icmp_seq=1 Destination unreachable: Port
> unreachable
> From 2a03:3e00:ff01:1::1 icmp_seq=2 Destination unreachable: Port
> unreachable
> ^C
> --- 2a01:478:130:1261::2 ping statistics ---
> 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1009ms
>
>
> My guess is that it has something to do with the (wrong) firewall
> setting, which is a bit of a mystery for me.
Yes, this could be the reason. We also do not have much experience with the
firewall of OpenWRT.
> What I changed in the firewall config is more or less the definition of
> the wan zone like this:
> ## Firewall config (part)
> config zone
> option name lan
> list network 'lan'
> option input ACCEPT
> option output ACCEPT
> option forward ACCEPT
>
> config zone
> option name wan
> list network 'wan'
> list network 'wan6'
> list network 'pppoe-wan'
> option input REJECT
> option output ACCEPT
> option forward REJECT
> option masq 1
> option mtu_fix 1
>
> config forwarding
> option src lan
> option dest wan
We add these changes to the basic configuration of the firewall to make
it work:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config rule
option enabled '1'
option target 'ACCEPT'
option proto 'udp'
option dest_port '4341:4342'
option name 'LISP'
option src 'wan'
We are not experts in openWrt, so it is possible that a more
restrictive firewall configuration exists
which allows OOR to work.
Best regards
Albert
> Has anyone here an idea what's wrong with my config, or any suggestion
> what I can check next?
>
> Thanks for any help in advance
> Best regards
> Holger
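The reply above leaves open whether a more restrictive firewall configuration would also work. One candidate, as an added example that is not from the thread or from the OOR project: rather than setting the global defaults to ACCEPT, it places the tunnel device in its own zone and opens only lan-to-tunnel forwarding plus the LISP UDP ports. The device name lispTun0 and the zones lan and wan are taken from the configs quoted above; the zone name 'lisp' is made up here, and that OOR needs no other forward path is an assumption.

```uci
# /etc/config/firewall (fragment): constructed example, not from the thread.
# The global policy stays restrictive instead of being switched to ACCEPT.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Hypothetical zone 'lisp', bound to OOR's tunnel device by name, so that
# decapsulated traffic is filtered by zone policy and not by the defaults.
config zone
	option name 'lisp'
	list device 'lispTun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

# LAN hosts may open connections through the tunnel; replies come back via
# connection tracking. No lisp -> lan forwarding is opened.
config forwarding
	option src 'lan'
	option dest 'lisp'

# LISP data (4341) and control (4342) arriving on the RLOC side, as in the reply.
config rule
	option name 'LISP'
	option enabled '1'
	option src 'wan'
	option proto 'udp'
	option dest_port '4341:4342'
	option target 'ACCEPT'
```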