IPv6 on DD-WRT

With World-IPv6-Day around the corner (June 8th) it's about time to get on the IPv6 internet.

Introduction

If your running your own OpenBSD router at home, you're in luck, everything works great with minimal configuration from your side. But if you're like the average nerd, you're probably running the DD-WRT on your home WiFi/Router box.

Unfortunately DD-WRT does and doesn't support IPv6. Most of the builds have IPv6 built-in, but there are no graphical setup of IPv6, and not even the ping6 or traceroute6 utilities in the console. So you have to configure IPv6 for DD-WRT totally in the dark.

Luckily some frustrated users added some useful information at: http://www.dd-wrt.com/wiki/index.php/IPv6

But there are many different ways to configure IPv6 on DD-WRT, and many of them fail. This post is my config, which applies to my specific setup, in hope that it might be useful for someone. If you didn't already read up on what IPv6 and 6to4 is, you should stop here, and go wiki it.

My setup includes the following:

• 6to4 tunnel from the awesome folk at Hurricane Electrics tunnelbroker.net service 
• A Cisco/Linksys WRT-320N
• DD-WRT 24 K2.6 build (eko beta build)
• Please note that I'm using the kernel 2.6 build, since the WRT 320N is supported.
• The initial flash of the WRT 320N has do be done with a special build

IPv6 configuration

After enabling IPv6 under "Administration" -> "Management", the you must activate the config by entering it under "Administration" -> "Commands", and save it as "startup".

sleep 5
WANIP=$(ip -4 addr show dev vlan2 | awk '/inet / {print $2}' | cut -d/ -f1)
echo "External IP:" $WANIP > /tmp/startup.debug
if [ -n $WANIP ]
then
echo "configuring tunnel" >> /tmp/startup.debug

# The following commands are straight from HE's website
ip tunnel add he-ipv6 mode sit remote 216.66.84.46 local $WANIP ttl 64
ip link set he-ipv6 up
ip addr add 2001:470:1f14:1446::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6

# Set IPv6 addr for br0
ip -6 addr add 2001:470:1f15:1446::1/64 dev br0

# Enable IPv6 forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Start radvd
radvd -C /tmp/radvd.conf &
fi

Please note that since I'm using the WRT-320N, my WAN interface is vlan2 instead of the usual vlan1. Also "216.66.84.46", "2001:470:1f14:1446::2" and "2001:470:1f15:1446::1" is my "Server IPv4 Address", "Client IPv6 Address" and "Routed /64" respectively from my HE 6to4 tunnel. Yours will be different.

You also have to enable radvd under "Administration" -> "Management" and insert a configuration. The following minimal configuration is sufficient for me:

interface br0
 {
 AdvSendAdvert on;
 prefix 2001:470:1f15:1446::/64
   {
   };
 };

The "2001:470:1f15:1446::/64" the my routed prefix from HE, adjust to your prefix.

I also added: "iptables -I INPUT 2 -p ipv6 -i vlan2 -j ACCEPT"

To my firewall commands (note the vlan2 for wan interface), as it was suggested in the wiki page.

Final thoughts and gotchas.  

After all this, reboot your router (again) and cross your fingers. If it doesn't work you can log into the router via SSH or Telnet and mess with the ip command.

Some things that confused me from the wiki pages.

• ttl should be 64, not 255 as you get in the HE example configs
• your routed subnet should only be added to the br0
• sometimes the wan interface is vlan1, othertimes vlan2
• radvd may or may not start on it's own. Add it to the commands to be sure.
• the ip command often returns nothing on erroneous input, so double check that the command did something useful when messing with it.

With your new IPv6 capable browser, go have some fun at:

• http://ipv6.google.com/ - wee. google. now with ipv6
• http://test-ipv6.com/ - enjoy your test scores, and brag to your (nerd) friends
• http://www.kame.net/ - watch the turtle dance (only dances for IPv6 users)

B-Tech BT928 headphone amp

I was looking for a headphone amplifier on the cheap, very cheap. I needed an amp with two stereo channels, or two amps. The amps are going to be looked up via rca to a playstation cable, for my co-op gaming setup.
At first I found the Millenium HP4 which provides 4-channels for 61 €. A very nice price and good looking product I thought, and bought it. Bad idea. The build quality is top notch, it looks and feels like a pro product. The sound is another story though, it's very thin and hollow, with little or no dynamics. In fact it was so bad I almost considered it unplayable. Remember we are simply talking about solving a connectivity problem with PS3's and headphones.
Clearly I needed to find another solution.

A quick search at a national retailer revealed the B-Tech BT928, which was retailing at 80 €. It can be found at Amazon for 32 €, which puts it within my budget. Even after factoring in the UK-to-DK plug adaptors.

My BT928s above, after modification, (see more below).

The BT928 is dirt cheap, simple, ok looking device with nice connectors. The tone pot is a piece of crap though, no matter what neutral setting I attempted it produced a distorted sound with badly boomy bass and/or scratchy treble. So I decided to remove it as suggested by a head-fi.org thread. I got a budget soldering iron, and desoldering pump, and went to work.

BT928, pcb only, with tone potentiometer on the left still attached.

In order to remove it, I simply desoldered the 6 connections for the tone pot, and as suggested by the thread also the green and orange capacitors marked 101 and 472.

Desolder these components to greatly improve the sound quality.

BT928, pcb and lower case. After tone pot removal.

The difference was like night and day. I did it with only one of them at first, so I could compare before/after easily. As a side effect the volume knob very quickly rises (exponentially) to loud levels, so it requires some more fine tuning, but is still very usable.

The sound quality after tone pot removal is more than acceptable for gaming. I wouldn't recommend it for a HiFi setup though. For that you'll need a higher quality amp, or make some serious mods like they did at Rock Grotto.

I used a Cambridge Audio DacMagic, and Sennheiser HD 25-1 for testing.

EduRoam @ CBS - Quick guide for Snow Leopard

Following up on my more detailed and less automated guide for setting up EduRoam @ CBS, I found an easier way to get Snow Leopard hooked up to the EduRoam network.

This guide will show you how to connect to the EduRoam network, as you would with any other wireless network in OS X. For more background information on EduRoam see the previous mentioned guide.

Step 1: Connect using AirPort menubar icon

Click the AirPort menu bar icon, wait for the "eduroam" network to appear, click it to connect.

Step 2: Enter credentials

 

A credentials prompt should appear. Here you must enter your credentials for the school network.

For CBS students: Please note that these may not be equal to your sitescape credentials, but are equal to the credentials you use to access the school computers. If you didn't use the school computers to change your password previously, it will still be the one given to you at enrollment.

Step 3: It fails, but that's okay

At this point it might work for you, or it might not. In my case it didn't work, and the AirPort utility showed an exclamation mark to illustrate that you are connected but unable to get on the internet.

To fix this you'll need to verify your security settings. Click the "Open Network Preferences" item to continue.

Step 4: Advanced Wireless Settings

Make sure the "AirPort" network is highlighted from the left menu, and then click "Advanced" to open the advanced settings.

Step 5: Move TTLS to the top, disable others

Select the "802.1X" tab. Click-hold and drag the TTLS settings to the top of the list. Make sure all others are disabled. When you're done, your window should look like the one below.

Step 6: Configure TTLS

Make sure TTLS is highlighted and click "Configure".

Step 7: Choose PAP authentication

Select "PAP" from the drop down list.

Now return to the network preferences by clicking "OK" twice.

Step 8: Apply and connect

Click "Apply" and then click "Connect". Yes, you really need to click apply first.

You're done!

 

If you screen say "Authenticated via TTLS", everything works as it should.

If it doesn't work, it's likely that you are missing the required certificate, and for some reason Snow Leopard don't install it automatically. See the more detailed guide for steps to work around it. In step 9 from the detailed guide you'll download a certificate. You can try to correct the problem by double clicking the certificate file to install it.

If it still doesn't work try following the steps from the detailed guide.

I hope the ones that couldn't get my previous instructions to work, will have better luck with these.

If you have any questions, or suggestions please hit me in the comments.

EduRoam @ CBS - Mac OS X 10.6 guide

I've often wondered what the eduroam network is all about? The network frequently pops up when I'm at Copenhagen Business School, but since I couldn't connect to it I ignored it. I guess most students simply ignore it, and use the public WiFi with the html login (captive portal), provided by CBS.

The eduroam network is a international network which you can access as a student or teacher of a connected university. In addition to being able to connect to the eduroam network at any connected university (at least I'm told), it's also encrypted, which means users can't eavesdrop on your wireless traffic.
The eduroam network uses an extended authentication standard (802.1X). This additional layer of security makes it slightly more difficult to set up. Also it would seem that Snow Leopard makes it more difficult to use, since you are now required to manually import the certificate.

There was no guides for Snow Leopard provided by CBS, and most of the guides to other eduroam networks I could find, weren't updated for Snow Leopard yet. Having fiddled with the settings for some time before getting it to work, I thought; I might as well create a guide, and upload it as my first post on this blog, hoping someone will find it useful.

You poor windows users can find guides for CBS eduroam at e-campus or generic ones at eduroam.dk in (danish).

The guide for Snow Leopard follow below.

Step 1: Network preferences

 

Click-and-hold the apple icon at the upper left corner of the screen, and select "System Preferences" from the dropdown list. From there click the network icon as shown above.

Step 2: Advanced AirPort settings

Select the "AirPort" interface from the list, and click the "Advanced" button.

 Step 3: Add 802.1X user profile

Click on the 802.1X tab, then click on the "+" button to add a new profile. Select "Add User Profile" from the list and name it.

Step 4: Enter credentials

Enter your credentials for the eduroam network. My username is hadu08ab@student.cbs.dk. Then select or enter "eduroam" from the "Wireless Network" dropdown.

Step 5: Enable TTLS

Make sure TTLS is enabled and at the top of the list. It should be by default, but if not click the box and drag it to the top of the list. Disable PEAP. Then click "Configure"

Step 6: Set outer-identity

Select PAP as the inner authentication and enter the outer identity. This could be identical to your username or something else. "@student.cbs.dk" worked for me, but I'm not sure it's necessary.

Step 7: Configure Trust

 

This part is different from other guides. In most other guides OS X simply imports the correct certificate after prompting you to accept it. I seems this has changed in Snow Leopard, and is replaced by a "Configure Trust" button, which was missing in some other guides.

Step 8: Add trusted server

First click the "Servers" tab, then click the "+" button to add a new trusted server. For CBS students enter "radiator.cbs.dk", but don't click "OK" yet. Others might try to skip this step.

Step 9: Add certificate
This next step is a bit odd. Either I simply got something wrong, or there is a small blunder in the User Interfaces for this part.
For Snow Leopard, you need to manually add the "Equifax Secure Certificate Authority" certificate to your list of trusted certificates. The above direct link goes to the page https://www.geotrust.com/resources/root-certificates/. You should really only add cerficates you really trust. You can trust the geotrust certificate, but that is really something you should decide yourself.

So download the certificate file linked above (right click and use "Save link as"), and save it somewhere you can find it again. I saved it on my desktop.

Click the "Certificates" tab. Then click the "+" button and select "Select Certificate File" from the list. An open dialog will appear.

Step 10: Select downloaded certificate

Select the downloaded certificate file from the list (step 9), and then click "Open". When you click the "Open" button it might not show up on the trusted certificates list, but hopefully it will be added anyway.

You might also try double clicking the downloaded file to import it into your system.

Step 11: Connect to eduroam via 802.1X

Click OK to the two previous windows, and you should be back at the network settings dialogue. Click the "Connect" button to attempt a connection to the eduroam network. You'll obviously need to be in range of an eduroam hotspot.

Step 12: Complete

If you see a message containing the text "Authenticated via TTLS" you're done. If nothing happens it's likely due to the certificate missing. Review step 9, and try double clicking the certificate file to import it. If that doesn't work, try clicking the "Select Certificate From Keychain" and selecting the "Equifax Secure Certificate Authority" from the Keychain certificate store.

For advanced users, you can use the "Console" application to view debugging info. Click cmd-spacebar to open Spotlight and type "Console". Select the log "Database Searches" > "All messages" and search for "eapolclient". If you see the message "eapttls_verify_server: server certificate not trusted, status 6 0" the certificate is not imported correctly. Recheck steps 9 and 10.

I hope this guide will be helpful to the few users with general 802.1X + Snow Leopard problems, for eduroam users, or CBS students.

If you have any questions, or suggestions please hit me in the comments.