IPv6 with DD-WRT router and Hurricane Electric

Last weekend I got IPv6 working on my US$60 router, allowing all my machines here to talk IPv6 to the outside world. That includes an Ubuntu Linux server, 4 PCs and one Mac.

The biggest incentive for upgrading to IPv6 is the fact that at the current pace we’ll run out of (IPv4) IP addresses in about two years. These are the unique host addresses (usually written in dotted decimal format like 209.85.171.100) that identify client and server computers on the Internet. The newer IPv6 standard that replaces 32-bit addresses with 128-bit addresses will forever take care of this shortage. It will also do away with the primary need for Network Address Translation (NAT) which has been a big headache for voice over IP (VoIP) and other peer to peer applications.

However, over a decade after the introduction of the newer standard (in 1997), uptake is still slow. Many ISPs still don’t support IPv6 and neither does a lot of the equipment used at homes and offices. This is gradually starting to change. IPv6 is an integral part of modern operating systems such as Linux, Mac OS X, Windows 7, Windows 2008 Server, Windows Vista, Windows 2003 Server and Windows XP (where it’s optional).

If your ISP does not support IPv6, you can still use it by employing the services of a tunnel broker, which gives you IPv6 connectivity over an IPv4 tunnel. This lets you test your software with the new APIs, though you won’t gain native IPv6 performance. If you have a static IP you can use tunnelbroker.net by Hurricane Electric, Inc. Their service is professionally run and free. Another option is SixXS, but I have not tried them.

My router is a Buffalo WHR-HP-G54, which is compatible with the Linux-based open source DD-WRT firmware. Recent versions of DD-WRT have IPv6 support. My first attempt with the v24 sp1 std build, which is supposed to include IPv6, was unsuccessful, but I had more luck after trying the v24 10070 crushedhat version (dd-wrt.v24-10070_crushedhat_4MB.bin). Here’s what you do:

  • The following instructions assume that your WHR-HP-G54 router is running open source DD-WRT firmware. If your router is still running the default firmware, install DD-WRT v24 sp1 mini generic (SVN build 10020, 27-July-2008) on it. See my blog post on the WHR-HP-G54 with DD-WRT for detailed instructions. The WHR-HP-G54DD is a version of this router that comes with DD-WRT preinstalled.
  • Go to Security / Firewall on your DD-WRT and remove the check mark on Block anonymous WAN requests (ping) so that Hurricane Electric can verify your router exists by pinging it.
  • Go to www.tunnelbroker.net and sign up for an account. Then log in and go to Create a Regular tunnel. You’ll need to enter your static IP, which will be conveniently displayed. You have a choice of tunnel endpoints. Pick one that has a short ping time from where you are. Make a note of all the details of the tunnel that is created. You will need to enter some of these details on your router, in particular these:
    • Server IPv4 address
    • Server IPv6 address
    • Routed /64
  • Read crushedhat’s description of how to configure the router with his firmware, which should work with most Broadcom-based DD-WRT-compatible routers.
  • I’m assuming you have updated the firmware of your router before and know the usual caveats about “bricking” your router if anything goes wrong. I won’t be responsible for that. 😉 I went from the factory Buffalo firmware to v24 sp1 mini to v24 sp1 std to v24 sp1 mini to v24 crushedhat 10070, with no problems, but your mileage may vary. I downgraded from v24 sp1 std (4 MB) to v24 sp1 mini (2 MB) “just in case” before flashing crushedhat’s std (4 MB) build. I did not opt to reset the NVRAM to factory defaults.
  • Download a copy of the v24 crushedhat 10070 build and save it on your hard disk. Use a computer with a wired connection to the router, not WLAN, for the firmware upgrade. Go to Administration / Firmware Upgrade and select the dd-wrt.v24-10070_crushedhat_4MB.bin file. Click the upgrade button. Don’t touch anything until after the router has reset and is running the new firmware.
  • Go to Administration / Management and check Enable for IPv6 and Radvd enabled. Then paste the following into the Radvd config box:

    interface br0
    {
    AdvSendAdvert on;
    prefix 2001:470:YYYY:YY::/64
    {
    AdvOnLink on;
    AdvAutonomous on;
    };
    };

    where 2001:470:YYYY:YY::/64 matches the value of “Routed /64” in the created tunnel given to you by Tunnelbroker.net:

    Server IPv4 address: 216.218.226.238
    Server IPv6 address: 2001:470:XXXX:XX::1/64
    Client IPv4 address: 219.110.159.121
    Client IPv6 address: 2001:470:YYYY:YY::2/64
    Routed /48: 2001:470:ZZZZ::/48
    Routed /64: 2001:470:YYYY:YY::/64

  • Go to Administration / Commands and enter these commands, then click Save Startup:

    ip tunnel add he-ipv6 mode sit remote 216.218.226.238 ttl 64
    ip link set he-ipv6 up
    ip addr add 2001:470:XXXX:XX::2/64 dev he-ipv6
    ip route add ::/0 dev he-ipv6
    ip addr add 2001:470:YYYY:YY:200:00ff:fe00:0000/64 dev br0

    Replace 216.218.226.238 with Server IPv4 address from your tunnel settings, 2001:470:XXXX:XX:: with the Server IPv6 address value and 2001:470:YYYY:YY:: with the Routed /64 value.

  • Go to Administration / Commands and enter these commands, then click Save Firewall:

    insmod ip6t_REJECT
    ip6tables -F
    ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -m multiport --dports ftp-data,ftp,ssh,smtp,http,https,ntp,domain -j ACCEPT
    ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -j REJECT --reject-with adm-prohibited
    ip6tables -A FORWARD -p udp -i he-ipv6 -m multiport --dports ntp,domain -j ACCEPT
    ip6tables -A FORWARD -p udp -i he-ipv6 -j REJECT --reject-with adm-prohibited

  • Now it’s time to check if everything works. It may take a few minutes or one reboot for your client to obtain an IPv6 address. Here is what things should look like after that:

    C:\>ipconfig

    Windows IP Configuration

    Ethernet adapter Motherboard Network Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.100.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    IP Address. . . . . . . . . . . . : 2001:470:YYYY:YY:290:feff:fe66:e237
    IP Address. . . . . . . . . . . . : fe80::290:feff:fe66:e237%6
    Default Gateway . . . . . . . . . : 192.168.100.1
    fe80::21d:73ff:fe3a:3b8c%6

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
    Default Gateway . . . . . . . . . :

    Tunnel adapter Automatic Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : fe80::5efe:192.168.42.2%2
    Default Gateway . . . . . . . . . :

    You can ping Google’s IPv6 servers:

    C:\>ping ipv6.google.com

    Pinging ipv6.l.google.com [2001:4860:c004::68] from 2001:470:YYYY:YY:290:feff:fe66:e237 with 32 bytes of data:

    Reply from 2001:4860:c004::68: time=307ms
    Reply from 2001:4860:c004::68: time=307ms
    Reply from 2001:4860:c004::68: time=331ms
    Reply from 2001:4860:c004::68: time=318ms

    Ping statistics for 2001:4860:c004::68:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 307ms, Maximum = 331ms, Average = 315ms

    Fire up Firefox 3 or the browser of your choice and go to http://www.kame.net/ – if the image of the turtle is dancing then you have IPv6 working. Go to http://whatismyv6.com/ to see your IPv6 address.
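
To see which of the four FORWARD rules above decides the fate of a given packet, here is a small first-match model of them in Python. It is an added example, not part of the original post or of DD-WRT; it assumes the FORWARD chain policy is ACCEPT (the commands above never set one), and the sample packets are constructed.

```python
# Added illustration (not from the original post): a model of the four
# ip6tables FORWARD rules above, evaluated first-match like netfilter.
# Assumption: the FORWARD chain policy is ACCEPT, since the post's
# commands flush the chain but never set a policy.

TCP_ALLOWED = {20, 21, 22, 25, 80, 443, 123, 53}  # ftp-data ... domain
UDP_ALLOWED = {123, 53}                           # ntp, domain


def is_syn(flags):
    """--syn: SYN set while ACK, RST and FIN are clear."""
    return "SYN" in flags and not (set(flags) & {"ACK", "RST", "FIN"})


def forward_verdict(iface, proto, dport=None, flags=(), policy="ACCEPT"):
    """Return (verdict, deciding rule number or 'policy')."""
    if iface == "he-ipv6" and proto == "tcp" and is_syn(flags):
        if dport in TCP_ALLOWED:
            return ("ACCEPT", 1)
        return ("REJECT", 2)
    if iface == "he-ipv6" and proto == "udp":
        if dport in UDP_ALLOWED:
            return ("ACCEPT", 3)
        return ("REJECT", 4)
    return (policy, "policy")  # nothing matched: chain policy applies


# Constructed sample packets: (label, iface, proto, dport, flags)
SAMPLES = [
    ("inbound SSH connection attempt", "he-ipv6", "tcp", 22, ("SYN",)),
    ("inbound connection to unlisted port", "he-ipv6", "tcp", 3389, ("SYN",)),
    ("reply segment of a LAN-initiated session", "he-ipv6", "tcp", 50000, ("ACK",)),
    ("inbound DNS query", "he-ipv6", "udp", 53, ()),
    ("UDP reply to a LAN client's ephemeral port", "he-ipv6", "udp", 50000, ()),
    ("ICMPv6 from the tunnel", "he-ipv6", "icmpv6", None, ()),
    ("outbound connection from the LAN", "br0", "tcp", 443, ("SYN",)),
]


def evaluate(samples=SAMPLES):
    return [(label, *forward_verdict(i, p, d, f)) for label, i, p, d, f in samples]


if __name__ == "__main__":
    for label, verdict, rule in evaluate():
        print(f"{label:45} {verdict:7} rule={rule}")
```

In this model TCP is filtered only at connection setup, and UDP arriving on any port other than ntp or domain is rejected by rule 4, replies to LAN clients included.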

Good luck! 🙂

“Muslim demographics” propaganda video exposed

Today a friend forwarded me an email with a link to a Youtube video on “Muslim demographics” that appears to be viral at the moment, with over 5 million views so far:

Islam will overwhelm Christendom unless Christians recognize the demographic realities, begin reproducing again, and share the gospel with Muslims.

It’s a cleverly made piece of propaganda that paints a picture of a Europe in which Muslims become the majority of the population by or before 2050. However it did not clearly reference its sources, which (if you notice them at all) appear too small to be readable. It’s not clear who produced this video either.

Why do I call it propaganda? Because whoever made it, they did play fast and loose with the truth – Goebbels would have been proud of them. I will give you just a few examples.

They claimed that the average fertility of Muslim women in France was 8.1 children per woman, which would be about 4 times the French average. The fact is that most Muslims in France originated from Morocco, Algeria, Tunisia or Turkey, countries whose average fertility rates are much lower than claimed for the Muslim immigrants.

Morocco 2.57
Algeria 1.82
Tunisia 1.73
Turkey 1.87

That doesn’t really make sense. It seems likely that fertility amongst immigrants would fall somewhere in between rates in their country of origin and of their new chosen home, but not some four times higher than either of them, as the makers of this propaganda video would have us believe.

Birth rates have been falling with rising living standards and education levels – not only in Europe, North America and Japan but also in Latin America, South Asia, East Asia, most of the Middle East and just about anywhere else. It’s a global trend: These days even the Islamic Republic of Iran, not exactly a bastion of Western liberalism, has a lower fertility rate than France. In fact sub-Saharan Africa is the only region worldwide that has bucked the trend, where fertility rates have remained consistently high. A large percentage of future Christian and Muslim worldwide population growth will come from that continent.

Another example is the false claim in the video that Muslims make up 25% of the population of Belgium, when in fact they only reach that proportion in the city of Brussels, while they constitute a mere 4.0% of the population of Wallonia and 3.9% of the population of Flanders, the two major regions of the country. The national average is 6% – only one quarter of what the video claims. The video authors are off in a similar way in a similar claim about the Netherlands.

These and numerous other mistakes and inconsistencies are exposed and thoroughly refuted in an excellent post on the Tiny Frog blog. If anyone sends you a link to the “Muslim demographics” video, send them back a link to the facts!

Demographics and Politics

With falling birth rates in many developed countries and rising immigration that partly compensates for this, many people are afraid of their countries gradually losing their cultural identity. This fear is largely misplaced. When Polish workers came to the Ruhr area of Prussia in large numbers to work in coal mines in the 19th century, there were the same fears, but now their descendants are as German as anyone else and only the numerous Polish surnames in the phone books or local football (soccer) teams serve as reminders of that immigration. Likewise, Catholic immigrants from Ireland, Italy and Mexico faced a lot of hostility in the US around the turn of the 19th/20th century, but they integrated like Protestant immigrants before them and their descendants speak English like other Americans. With immigration patterns such as in Europe and the US, immigrant populations will largely assimilate within two or three generations, even if they may retain some elements of their parents’ and grandparents’ culture.

Unfortunately most people who have watched this propaganda video will not see the real facts any time soon. There is a good chance this video will have had an effect on them, sowing seeds of fear and mistrust that others will seek to exploit for political gains. Nazi chief propagandist Joseph Goebbels would have approved: “That propaganda is good which leads to success, and that is bad which fails to achieve the desired result,” he wrote. “It is not propaganda’s task to be intelligent, its task is to lead to success.” (see Joachim Fest, The Face of the Third Reich).

Whoever made this video does not care about the real numbers or facts, or they would not consistently get their facts wrong by such wide margins. What they are trying to do is to stoke fear. As one person wrote who forwarded the link to my friend: “WATCH THIS AND BE AFRAID – VERY AFRAID.” People who are afraid are easier to manipulate: They will want to give power to whoever is promising to protect them from the perceived danger. In 1933 Hitler assumed total power in Germany after scaring the country of a supposedly imminent communist coup (by having his troopers secretly set fire to the Reichstag). Look what George W. Bush, Dick Cheney and Co. managed to get away with when Americans got really frightened after 9/11! Fear is a powerful weapon in the hands of those unscrupulous enough to exploit it.