What is Cool About IPv6

There are a few things. But the most prominent is the practically infinite number of available public IP addresses which, stated negatively, means you don’t have the problem of address exhaustion or the need to hide behind NAT.

Explained pictorially, here are two IPv6 networks with hosts A, B, C, etc. and routers R1 and R2:

NetworksIPv6

With IPv6, each host can easily (and cheaply) have a public IP, so you just assign the public IP to each hostname in DNS. Then, if host A wants a Web resource from host F, simply call wget F and you are done. Likewise, host E can simply ping host B to see if B is up.

With IPv4, it is more like so:

NetworksIPv4

Because public IP addresses are so darn expensive, you have to hide the two networks behind NAT at R1 and R2, so that the various hosts can only see R1 and R2. Consequently, if host F and host G both want to be able to provide Web resources, you have to program R2 to forward the traffic through based on non-standard port numbers. So, if A wants a Web resource from F, it must request that from R2 instead, and if D wants a Web resource from G, then it must request that from R2, and also remember to use a different port number you both agreed on beforehand.

Also, it is pointless for E to even try pinging B because ICMP echo requests don’t use port numbers, and so you can’t tell the difference between R1 and B.

Of course, a stereotypical “consumer” Internet user is not expected to be providing resources out of his or her network. But there is no reason we all have to be just “consumers”. Why not have various computers on your network providing as many services as you would like? E.g., a $40 libreCMC box could be a chat server, or a P2P tracker, or a dozen other things. Turn-key NAS servers are making file sharing, media streaming, and such like easier than ever. Run a game server. Check your favorite IoT devices (refrigerator, toaster?) at home from work, directly over IPv6, instead of having to work through some 3rd party “cloud” service. Your imagination is the limit.

The (less knowledgeable) security folks will say “well, my network is more secure if hidden away behind an IPv4 NAT”. Nonsense! It is just as easy to tell an IPv6 firewall not to let any traffic through as it is to set up and maintain an IPv4 NAT.
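What that looks like on router R2 from the diagrams, as an added example that is not part of the original post. It assumes libreCMC uses the OpenWrt-style /etc/config/firewall format; the rule names and the 2001:db8:: addresses are constructed.

```conf
# /etc/config/firewall on R2 (fragment; the stock 'lan' zone is assumed, not shown).
# Addresses are constructed, taken from the 2001:db8::/32 documentation prefix.

# WAN side covers the IPv4 uplink and the 6in4 tunnel interface (wan6).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# Default deny: nothing unsolicited reaches the router or the LAN.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq is the IPv4 NAT; IPv6 traffic is routed, not translated.
	option masq '1'

# LAN hosts may open connections outward; replies return via connection tracking.
config forwarding
	option src 'lan'
	option dest 'wan'

# Pinhole: host F serves HTTP on its own public address and the standard port.
# Host G gets an identical rule with its own address; no port juggling needed.
config rule
	option name 'Allow-HTTP-to-F'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '2001:db8:0:2::f'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

# Let outside hosts ping LAN hosts over IPv6, rate limited.
config rule
	option name 'Allow-Ping6-to-LAN'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option limit '10/sec'
	option target 'ACCEPT'
```

After reloading the firewall, check from an outside IPv6 host that only the pinholed service on F answers and every other port on every LAN host is rejected.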

So, if you aren’t already on the IPv6 Internet, flip on 6in4 in your libreCMC router, and start having fun!

v1.4.2 Commit 1652ef7 Rebuilds with Tracker

I rebuilt commit 1652ef7, the same as the last such builds, but with the following additions:

  • ip neigh command : useful for viewing IPv4 and IPv6 hosts, on L2 links, which you’ve recently communicated with.
  • 6in4 : required if you want to use a 6in4 IPv6 tunnel
  • opentracker IPv4 : a BitTorrent tracker (IPv4 build)

I included opentracker as a convenience to myself since I am running a closed tracker to provide peer tracking for my libreCMC torrents. Be aware that opentracker runs automatically when the firmware is loaded. A default firewall will not have this port (6969) open to the WAN side, so this may not be an issue, but if concerned you may want to uninstall that after loading the firmware.

I started running a tracker because DHT was using up way too much of my bandwidth. The new links included tracker information. I’m intending to have an IPv6 opentracker instance as well, but I’m not sure both can be running on the same host, so I’ll probably wait until I get another pocket router somehow.

  • libreCMC v1.4.2 commit 1652ef7 Build 2 source
    • magnet:?xt=urn:btih:39bb40c25ddffbb8c3eeefdd7e685a29facf506b&dn=librecmc-v1.4.2-c%5F1652ef7.tar.gz&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969
  • libreCMC v1.4.2 commit 1652ef7 Build 2 TPE-R1100 Build
    • magnet:?xt=urn:btih:f641330b7cf6fefc1b6a14a6e1914aaea52979ec&dn=librecmc-v1.4.2-c%5F1652ef7-B2-ar71xx-generic-tpe-r1100-squashfs-sysupgrade.bin&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969
  • libreCMC v1.4.2 commit 1652ef7 Build 2 GL-AR150 Build
    • magnet:?xt=urn:btih:5f15078311d934edb0c528bd5ba0d038982f406b&dn=librecmc-v1.4.2-c%5F1652ef7-B2-ar71xx-generic-gl-ar150-squashfs-sysupgrade.bin&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969
  • libreCMC v1.4.2 commit 1652ef7 Build 2 GL-AR300M NAND Build
    • magnet:?xt=urn:btih:1843a56be2b9638347648791a9b083eaa2181f50&dn=librecmc-v1.4.2-c%5F1652ef7-B2-ar71xx-nand-gl-ar300m-ubi-factory.img&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

IPv6 Internet: Connected!

Yeah! I’m finally connected to the IPv6 Internet via 6in4 tunnel.

christopher@nightshade:~$ ping ipv6.google.com -c 1
PING ipv6.google.com(sea15s02-in-x0e.1e100.net (2607:f8b0:400a:807::200e)) 56 data bytes
64 bytes from sea15s02-in-x0e.1e100.net (2607:f8b0:400a:807::200e): icmp_seq=1 ttl=57 time=59.4 ms

--- ipv6.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 59.426/59.426/59.426/0.000 ms

Earlier I tried to do this via 6to4, a different IPv6 transition method, but failed. While trying to diagnose the problem, I kept running into Web information indicating that 6to4 is deprecated and unreliable, so I gave up on it.

So I went with what seems to be the common route of using the 6in4 protocol along with a tunnel provided by tunnelbroker.net (he.net). It is a free service, though you are required to provide your email address and other real personal information. Also, you must have a public IPv4 address for your tunnel endpoint. After signing up, you get a configuration page like so:

Screenshot from 2018-03-08 21-16-41

(My configuration is of no use to you, as you do not have my public IPv4 address.)

In your libreCMC gateway router, you must switch the protocol of the WAN6 interface to 6in4. Then copy over the configuration items into the interface settings:

Screenshot from 2018-03-08 21-17-52

Screenshot from 2018-03-08 21-24-56

Your IPv6 capable desktops on the network will automatically get new IP addresses:

christopher@nightshade:~$ ip addr

2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

 inet6 2001:470:b:449:c49f:c37b:638c:b6fd/64 scope global temporary dynamic 
 valid_lft 602629sec preferred_lft 83855sec
 inet6 2001:470:b:449:1e6f:65ff:feac:7d41/64 scope global mngtmpaddr noprefixroute 
 valid_lft forever preferred_lft forever

And you will be able to communicate to IPv6 capable sites.

Screenshot from 2018-03-08 21-26-09

LibreCMC will need the 6in4 package installed. I’m planning to include this in my future builds.

Stream Captured Network Traffic

Scenario:

  • You want to capture a lot of network traffic that is flowing through your libreCMC router.
  • You don’t have much disk space on your libreCMC router, so you need that traffic streamed to your desktop computer.
  • You want to analyze the traffic with Wireshark.

On the Desktop

christopher@nightshade:~/Scratch$ nc -l -p 30293 > out.pcap

On this side, netcat (nc) listens (-l) on port (-p) 30293, and writes incoming data to the file out.pcap.

On the Router

On the libreCMC router, you need tcpdump and netcat:

root@libreCMC:~# tcpdump -i eth1 udp port 51413 -w - | nc 10.0.0.3 30293
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

Tcpdump captures the network traffic you want.

  • -i eth1 means capture from interface eth1, in this case my WAN interface.
  • udp port 51413 means capture UDP protocol data with source or destination port 51413 (my BitTorrent port). See the Manual page for other expressions.
  • -w - means write the raw packet data to the standard output stream instead of a file.

Netcat (nc) streams this data over TCP to IP address 10.0.0.3 (my desktop computer) port 30293.

With Wireshark

Once you have as many packets as your heart desires, CTRL-C one of the processes, and then run Wireshark on the pcap data:

christopher@nightshade:~/Scratch$ wireshark out.pcap

Then use Wireshark to display cool looking graphs!

Screenshot from 2018-03-06 18-46-23

Troubleshooting

Often desktop computer firewalls are configured to block incoming ports by default. So you may need to open that incoming port — port 30293 in the example.

Installing IPv6 6to4

For 6to4 functionality, you need these packages:

  • 6to4
  • kmod-sit
  • iptunnel
  • iptunnel4
  • kernel

I didn’t think I would need to install the kernel package again, since the kernel version was the same. I tried to skip that one with --force-depends, but when I tried to use the 6to4 protocol, I was seeing “missing symbol” errors from the sit module in the logs. It seems that when you build kmod-sit as a module, this also causes some additional code branch dependencies to be built in the kernel itself.

I was able to switch the wan6 interface over to the 6to4 protocol, and something seems to be working because I see related info in the interface information:

root@libreCMC:~# ip addr
<snip>
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
 link/sit 0.0.0.0 brd 0.0.0.0
<snip>
8: 6to4-WAN6@NONE: <NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1
 link/sit <snip-ipv4-public> brd 0.0.0.0
 inet6 2002:<snip>::1/16 scope global 
 valid_lft forever preferred_lft forever

Something still seems to be amiss, though:

root@libreCMC:~# ping ipv6.google.com
PING ipv6.google.com (2607:f8b0:400a:806::200e): 56 data bytes
ping: sendto: Permission denied

Likely this will be the subject of a future post.