Artur Bergman (crucially) wrote,
Artur Bergman
crucially

So, I wanted to be able to firewall the traffic going through the linksys WRT54GL, but the bridging code doesn't work with netfilter in 2.4 (except with the ebtable patches which dd-wrt lack), so I decided to try proxy_arp instead. Getting rid of the bridge got rid of the promiscuous mode and also made traffic flow through the netfilter so I could firewall it. This allows me to override the routing for some internal networks instead of having to dual home machines.

I also finally got ipv6 working, so now I see the dancing turtle.

Follow my instructions from http://crucially.livejournal.com/57220.html for how to configure the switch.

vlan1 is the public lan
vlan2 is internal lan


nvram set rc_startup='

# turn on the second vlan2
ip link set vlan2 up
ip link set vlan2 multicast on

# delete the IP from vlan1
ip a del 69.12.246.231/24 dev vlan1
# add it back with netmask
ip a add 69.12.246.231 dev vlan1
# create a static route to the upstream router so we know where to find it
ip r add 69.12.246.1 dev vlan1
# and then put the default route through there
ip r add default via 69.12.246.1
# add the linksys ip to the internal lan
ip a add 69.12.246.231/24 dev vlan2
# add a lan so we can reach the adsl modem
ip a add 10.0.0.4/24 dev vlan1
# and the internal management lan
ip a add 10.250.250.1/24 dev vlan2

#turn on proxy arp
echo 1 > /proc/sys/net/ipv4/conf/vlan1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/vlan2/proxy_arp

# add a tunnel
ip tunnel add sixbone mode sit remote 208.201.234.221 local 69.12.246.231 ttl 255
ip link set sixbone up
# add our local address to the tunnel
ip addr add 2001:05a8:0000:0001:0000:0000:0000:0613/127 dev sixbone
# default ipv5 route
ip route add ::/0 dev sixbone
# add our network address
ip addr add 2001:05a8:0004:3090:0000:0000:0000:0001/60 dev vlan2
# start radvd
radvd -C /tmp/radvd.conf
'

Then, to advertise this internally..

nvram set radvd_enable=1
nvram set radvd_conf='
interface vlan2 {
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1280;
AdvSendAdvert on;
prefix 2001:05a8:0004:3090:0000:0000:0000:0000/64 {
AdvOnLink on;
AdvAutonomous on;
AdvValidLifetime 86400;
AdvPreferredLifetime 86400;
};
'

Now, machines on the vlan2 network should work. If you need to use 6to4 instead of sit, you can take a look at http://www.dd-wrt.com/wiki/index.php/IPv6

(Now, why can't I proxy two different physical networks to be one link-layer local ipv6 network?)
(The 192.88.99.1 anycast ip6 gateway is cute)
Tags: dd-wrt, hack
Subscribe

  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 1 comment