
Tomato Shibby Disable IPv6 routing (ipv6 forwarding to 0)

Discussion in 'Tomato Firmware' started by daobiwrt, Aug 10, 2017.

  1. daobiwrt

    daobiwrt New Member Member

    Hello,

    I'm looking for a designated way to disable ipv6 routing because WAN (vlan2) and LAN are bridged if ipv6 is used in order to provide ipv6 to computers on LAN.
    Code:
    ebtables -t broute -A BROUTING -i $WAN_IF -p ! ipv6 -j DROP
    Idea based on:
    http://www.linksysinfo.org/index.php?threads/customizing-tomato-with-ipv6-bridge.24238/
    http://blog.loetzimmer.de/2015/02/bridged-ipv6routed-ipv4.html
    https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1062388

    The tomato router should also accept RA to receive an ipv6 address to reach ipv6 destinations itself e.g. public ipv6 dns servers. Accepting RA only works if ipv6 routing (forwarding) is disabled. In this bridged scenario ipv6 routing is not used therefore it can be disabled, but how?

    Putting
    Code:
    echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
    into WAN up script ends in
    Code:
    cat /proc/sys/net/ipv6/conf/all/forwarding
    1
    after boot finishes.

    Any hints, suggestions and tips are welcome.
     
  2. Sean B.

    Sean B. Addicted to LI Member

    I don't get what you're trying to do with bridging IPv6, haven't read up on what benefits or uses there are to doing so.. but in regards to your issues with changing the system config values:

    When a service goes up/down or is restarted it will change the related system configuration values as well. As, obviously, when the status of services on the router changes, the system settings must also change accordingly. The WANUP script is executed and finishes before the WAN is fully up and configured; since the changes the script is making are to values related to the WAN interface, they're overwritten when the WAN configuration completes (think of time for the DHCP exchange, or PPPoE login handshake etc). You need to code a delay of a few seconds as part of your WANUP script prior to it changing the config values. Also, I'd recommend changing the specific interface configs rather than the "all" section. IE: /proc/sys/net/ipv6/conf/vlan2/forwarding .
     
    Last edited: Aug 11, 2017
  3. daobiwrt

    daobiwrt New Member Member

    Thanks for your reply. I thought WAN UP is called after WAN connection is established.

    Little information for bridging ipv6 stuff:
    I'm forced to bridge WAN & LAN for IPv6 because the cable modem only provides a /64 network prefix that would be fully consumed by the tomato router. So LAN clients got their ipv6 address from the cable modem directly.
    IPv4 is treated and routed as usual.
     
  4. Sean B.

    Sean B. Addicted to LI Member

    WANUP script is executed when the WAN interface is up, not when assured it's configured. For instance, the interface will become live prior to it receiving an IP address via a DHCP response, as obviously the interface has to be live in order to send out a DHCP request. But once DHCP response is received the service command used by the routers init functions restarts the related services so they then have the IP of the WAN.. this overwrites your script which changed the config after executed when interface was first live. Put this in your WANUP and see if it helps:

    Code:
    #!/bin/sh
    logger "IPv6 WANUP script initiated. Waiting for WAN configuration to complete."
    # Give the WAN configuration (DHCP exchange, PPPoE handshake) time to finish
    sleep 5
    echo 0 > /proc/sys/net/ipv6/conf/vlan2/forwarding
    logger "IPv6 WANUP script executed. Verifying configuration change.."
    
    # Read the value back only after writing it, so the check sees the change
    VALUE="$(cat /proc/sys/net/ipv6/conf/vlan2/forwarding)"
    
    if [ "$VALUE" = 0 ]
      then
         logger "IPv6 WANUP script complete. Settings verified."
         exit 0
      else
         logger "IPv6 WANUP script FAILED. Settings incorrect, unknown error."
         exit 1
    fi
    Check the system log after reboot for info from the script.

    Sorry, that doesn't make sense, or I'm not getting your point. A /64 will not be "consumed" by the router. The /64 can be used however you configure the router to use it. Either DHCPv6 or SLAAC for your network clients to get IPv6 IP's.
     
    Last edited: Aug 11, 2017
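
Added example, not part of the thread: a variant of the WANUP approach above that does not rely on one fixed delay. It writes 0, keeps re-reading the value, and writes 0 again if a later service restart has put it back to 1. The function name `hold_forwarding_off` and its arguments are hypothetical; `vlan2` is the WAN interface named in the thread.

```sh
#!/bin/sh
# hold_forwarding_off FILE [STABLE] [MAX] [INTERVAL]   (hypothetical helper)
#   Write 0 to FILE, then re-read it every INTERVAL seconds. If the value is
#   no longer 0 (e.g. rewritten by a service restart after the DHCP reply),
#   write 0 again and restart the count.
#   Returns 0 once FILE read 0 on STABLE consecutive checks,
#           1 if that did not happen within MAX checks,
#           2 if FILE is missing or not writable.
hold_forwarding_off() {
    file=$1
    stable=${2:-5}
    max=${3:-30}
    interval=${4:-1}
    good=0
    tries=0

    if [ ! -w "$file" ]; then
        logger -t wanup "cannot write $file" 2>/dev/null || true
        return 2
    fi
    echo 0 > "$file" || return 2

    while [ "$tries" -lt "$max" ]; do
        sleep "$interval"
        tries=$((tries + 1))
        if [ "$(cat "$file")" = "0" ]; then
            good=$((good + 1))
            if [ "$good" -ge "$stable" ]; then
                return 0
            fi
        else
            # Something set it back; re-assert and start counting again.
            good=0
            echo 0 > "$file"
        fi
    done
    return 1
}

# When saved as a script and called with a path, act on that path, e.g.
#   sh hold_fwd.sh /proc/sys/net/ipv6/conf/vlan2/forwarding
if [ $# -gt 0 ]; then
    hold_forwarding_off "$@"
fi
```

A return code of 1 means the value had not yet read 0 for the required number of consecutive checks when the check limit ran out, which is worth logging from the calling script.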
