Ds-lite / dslite IPv4 connection not working, IPv6 working fine

So I have a mostly working dslite setup. Most of the time. Sometimes the IPv4 connection dies, ICMP packages and IPv6 still work.

/etc/config/network

config interface 'wan'
	option ifname 'eth1.40'
	option username '<userid>@<provider>'
	option password '<passwd>'
	option ipv6 '1'
	option proto 'pppoe'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config interface 'wan4'
	option peeraddr '<providerpeeraddr>'
	option proto 'dslite'

/etc/init.d/network restart sometimes fixes it, but most of the time it does not.

I started off with
http://openwrt-devel.openwrt.narkive.com/IyDPDgot/dslite-tunnel-setup
https://lists.openwrt.org/pipermail/openwrt-devel/2014-April/024649.html
but eventually went to the official docs and tried to verify the above:
https://wiki.openwrt.org/doc/uci/network#protocol_dslite_dual-stack_lite

For the sake of completeness, my firewall config.

$ cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wan4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option family 'any'
	
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# allow attached network printer
config rule
	option src 'lan'
	option proto 'tcp'
	option dest_port '9100'
	option target 'ACCEPT'

Any progress so far :-?

I filed a ticket about 10 days ago, but no response so far.

I got a response telling me to be a little more patient. The network specialist will have a look into it.

The peeraddr has to be an IPv6 address (in my case). The network scripts do not resolve a URL. This was the core issue for me.

So what did you do at your network config to resolve it?

resolveip some.aftr.url.ext and put the ipv6 I got into the peeraddr field
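
The fix described in the posts above (resolve the AFTR hostname yourself and store the resulting IPv6 address as peeraddr), written out as an added example that is not part of the original thread. The section name `wan4` comes from the config posted earlier; the function names are made up for this example, and it assumes the `resolveip` and `uci` tools on the router.

```shell
#!/bin/sh
# Added example: make sure the DS-Lite peeraddr is an IPv6 literal, because the
# network scripts in this thread did not resolve a hostname in that field.

# Return 0 if $1 looks like an IPv6 literal: only hex digits and colons,
# with at least two colons. Hostnames and IPv4 addresses are rejected.
is_ipv6_literal() {
    case "$1" in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read resolver output (one address per line) on stdin and print the first
# IPv6 literal; return 1 if there is none (e.g. the name has only A records).
first_ipv6() {
    while read -r addr; do
        if is_ipv6_literal "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# Replace a hostname peeraddr on interface $1 (default: wan4, assumed from the
# posted config) with its resolved IPv6 address, then bring the tunnel up again.
fix_peeraddr() {
    iface="${1:-wan4}"
    cur="$(uci -q get "network.$iface.peeraddr")" || {
        echo "$iface: no peeraddr configured" >&2; return 2; }
    if is_ipv6_literal "$cur"; then
        echo "$iface: peeraddr $cur is already an IPv6 literal"
        return 0
    fi
    new="$(resolveip -6 -t 5 "$cur" | first_ipv6)" || {
        echo "$iface: could not resolve $cur to an IPv6 address" >&2; return 1; }
    uci set "network.$iface.peeraddr=$new"
    uci commit network
    ifup "$iface"
}

# Only touch the router configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    fix_peeraddr "${2:-wan4}"
fi
```

The stored address is a snapshot: if the provider renumbers the AFTR, the tunnel stops working again until the script is rerun.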

I don’t get it, where did you get your AFTR address?? Can you post your etc/conf/network??

It would be very nice if someone could finally help me to get the Turris Omnia running properly with my ds-lite config!

Your provider has to provide that to you, you then put that one in as peeraddr for the wan connection (the IPv6 one).

I am not sure if you have the same problem as I do, can you describe what connects to what in your setup?

So I got a Cisco EPC 3212 cable modem which is connected to the Turris via DHCP.
The EPC 3212 checks the connected device at boot and provides the WAN to this device.
Everything works fine except for any IPv4 connection from the terminal in the Turris?!! It would be a pleasure if someone is able to help me, because this problem has persisted since I got the Turris and it's really annoying!
I posted this problem in another thread; no one seems able to help me yet.

  1. Do you have the AFTR address as given by your provider?
  2. Can you reliably ping IPv6?
  3. Do you know if your provider uses ds-lite?
  4. Did you try to email Turris support with all the information and the config file export from the web interface?

  1. No, the AFTR address is automatically provided to the DOCSIS 3.0 modem after they provisioned the MAC address and serial.
    The Ethernet out from that modem was providing WAN for my Turris.
    You have to reboot the modem after you connect them, so the modem passes that information through to the Turris.
  2. Yes, that worked.
  3. It was for sure a ds-lite shitty NAT IPv4 connection.
  4. Nope, I didn't, because I switched meanwhile to an IPv4 business contract.

Thanks for your help though.

And I have to admit… I get more and more in love with the possibilities of that beauty-omnia-box :relieved: :heart_eyes: