Network device without IPv6? Nonsense, I tell you. Look what year it is. If your ISP is retarded - keep pace with an IPv6 Tunnel Broker
Now adding aiccu
files/etc/config/aiccu
config aiccu
    option username 'MYHDL-SIXXS'
    option password 'SomePassword'
    option protocol 'tic'
    option server 'tic.sixxs.net'
    option interface 'sixxs'
    option tunnel_id ''
    option requiretls ''
    option defaultroute '1'
    option nat '0'
    option heartbeat '1'
Within the scope of the previous article - adding IPv6 rules:
files/etc/config/ip6tables
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# Allow lo explicitly, we will drop anything not from lan at the end.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i br-lan -p icmpv6 -j ACCEPT
-A INPUT ! -i br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i br-lan -j DROP
# Forwarding
-A FORWARD -d ff0e::/16 -j ACCEPT
-A FORWARD -o br-lan -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A FORWARD -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Published services
-A FORWARD -p udp -m multiport --dport 53,4569,5060 -j ACCEPT
-A FORWARD -p tcp -m multiport --dport 25,53,80,143,443 -j ACCEPT
-A FORWARD -o br-lan -j DROP
COMMIT
Update
OpenWrt recently stopped packaging the aiccu startup script. That's because it doesn't work correctly via NAT, abusing the TIC server. Fair enough. But I'm sure of what I am doing, hence I'm still using the old packaged aiccu startup file with a little modification - again to avoid TIC abuse:
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
# Copyright (C) 2012 Ruslan.N.Marchenko
START=51

config_cb() {
    local cfg_type="$1"
    local cfg_name="$2"
    case "$cfg_type" in
        aiccu)
            append cfgs_sections "$cfg_name" "$N"
        ;;
    esac
}

start() {
    config_load aiccu
    for cfgs_section in $cfgs_sections; do
        config_get username $cfgs_section username
        config_get password $cfgs_section password
        config_get server $cfgs_section server
        config_get protocol $cfgs_section protocol
        config_get interface $cfgs_section interface
        config_get tunnel_id $cfgs_section tunnel_id
        config_get_bool requiretls $cfgs_section requiretls 0
        config_get_bool defaultroute $cfgs_section defaultroute 1
        config_get_bool nat $cfgs_section nat 1
        config_get_bool heartbeat $cfgs_section heartbeat 1
        mkdir -p /tmp/run
        echo "username $username" > /tmp/run/aiccu-${cfgs_section}.conf
        echo "password $password" >> /tmp/run/aiccu-${cfgs_section}.conf
        [ -n "$server" ] && \
            echo "server $server" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ -n "$protocol" ] && \
            echo "protocol $protocol" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ -n "$interface" ] && \
            echo "ipv6_interface $interface" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ -n "$tunnel_id" ] && \
            echo "tunnel_id $tunnel_id" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ "$requiretls" = "1" ] && \
            echo "requiretls true" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ "$defaultroute" != "1" ] && \
            echo "defaultroute false" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ "$nat" = "1" ] && \
            echo "behindnat true" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        [ "$heartbeat" != "1" ] && \
            echo "makebeats false" >> \
                /tmp/run/aiccu-${cfgs_section}.conf
        echo 'daemonize true' >> /tmp/run/aiccu-${cfgs_section}.conf
        echo "pidfile /var/run/aiccu-${cfgs_section}.pid" >> \
            /tmp/run/aiccu-${cfgs_section}.conf
        # Be nice, respect the TIC
        until ping -q4c2 $server > /dev/null 2>&1; do sleep 1; done
        ntpclient -sh pool.ntp.org || exit 1
        aiccu start /tmp/run/aiccu-$cfgs_section.conf
    done
}

stop() {
    config_load aiccu
    for cfgs_section in $cfgs_sections; do
        aiccu stop /tmp/run/aiccu-$cfgs_section.conf
    done
}
The modification here is an endless ping towards the TIC before starting the tunnel. This was done due to the specifics of my WAN connectivity - there's a delay for all my wan trackt to settle, hence this validation.
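Two details of the script above are worth tightening: the generated config holds the TIC password and is created under the default umask, and the ping loop never ends if `server` is empty or the TIC host stays unreachable. The sketch below is an added example, not the author's or OpenWrt's code; the function names, the `AICCU_PROBE` hook and the retry defaults are assumptions.

```shell
#!/bin/sh
# Added example, not the OpenWrt or the author's script. Function names, the
# AICCU_PROBE hook and the retry defaults are assumptions of this sketch.

# Write an aiccu config holding the TIC password so only its owner can read it.
# usage: render_aiccu_conf FILE USERNAME PASSWORD [SERVER] [INTERFACE]
render_aiccu_conf() {
    local conf="$1" user="$2" pass="$3" server="$4" iface="$5"
    [ -n "$user" ] && [ -n "$pass" ] || return 2
    (
        umask 077                        # created 0600; subshell keeps umask local
        set -C                           # noclobber: never reuse an existing temp file
        tmp="$conf.$$"
        {
            printf 'username %s\n' "$user"
            printf 'password %s\n' "$pass"
            if [ -n "$server" ]; then printf 'server %s\n' "$server"; fi
            if [ -n "$iface" ]; then printf 'ipv6_interface %s\n' "$iface"; fi
            printf 'daemonize true\n'
        } > "$tmp" && mv -f "$tmp" "$conf"   # rename: no half-written config
    )
}

# Bounded stand-in for an endless "until ping ...; do sleep 1; done" loop.
# usage: wait_reachable HOST [MAX_TRIES] [FIRST_DELAY]; returns 1 on giving up.
wait_reachable() {
    local host="$1" tries="${2:-30}" delay="${3:-1}" n=0
    [ -n "$host" ] || return 1           # empty 'server' option: fail, don't spin
    while [ "$n" -lt "$tries" ]; do
        # AICCU_PROBE (hypothetical hook) lets a test replace the real ping.
        ${AICCU_PROBE:-ping -q -4 -c 2} "$host" >/dev/null 2>&1 && return 0
        n=$((n + 1))
        sleep "$delay"
        if [ "$delay" -lt 60 ]; then delay=$((delay * 2)); fi   # back off
    done
    return 1
}
```

In start() this would read `wait_reachable "$server" || exit 1` before the ntpclient call, so a dead uplink fails the service instead of hanging it.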
Sun Feb 21 18:16:34 2010 Upd.: Sat Feb 9 14:51:15 2013