Feature Request: IPv6 Hotspot support

omega-00 · July 20, 2010, 12:40pm

As in the subject, my request is for an IPv6 enabled hotspot, either dual stacked or IPv6 only.

Best solution would be to allow both IPv4 and IPv6 enabled users to access however one hotspot for each would be a good start.

I’ve previously emailed this request to Mikrotik who have indicated they are working on this, but I’m reposting here to get a feel from others as to who is interested in this becoming a reality for v5 and to indicate that I would be more than willing to test any Alpha or Beta releases of an IPv6-hotspot package soon as it becomes available.

hedele · July 21, 2010, 8:23am

You may want to add at least two zeroes at the end of that figure, else I suppose nobody at mikrotik will be interested.

omega-00 · July 22, 2010, 6:53am

I was figuring I wouldn’t be the only one wanting this so other people could chip in also.

bevhost · September 13, 2010, 11:18am

Since this is a feature we need I have been giving this some consideration.

I have developed the back end software / client hotspot website, radius servers etc that run our hotspots. So I am keen to see how we can support IPv6 clients on our hotspot networks.

Since I don’t now the internal workings of RouterOS code I am making quite a few assumptions here. Perhaps someone from Mikrotik can set me straight where I get it wrong.

I assume that the easiest thing for Mikrotik to do is to copy the IPv4 Hotspot and make an IPv6 copy of the same thing that works on the IPv6 Protocol with the IPv6 Firewall.

There are three ways that the hotspot could be setup.

IPv4 Only
Ipv6 Only
Ipv4 + Ipv6 Dual Stack.

If the software is pretty much copied from IPv4 to IPv6 for the hotspot that will take care of the single stack (Option 2 above) senario.

For Option 3 the question becomes,
a) how does the dual stack client login to both IPv4 and IPv6 Hotspots
b) do the two hotspots have independant radius / user stats sessions or combined

For 3a) currently (on our system anyway) client initally hits the mikrotik login.html which redirects to our hotspot website where the client must purchase time&data the when they click the connect button to continue we redirect them back to the mikrotik alogin.html with radius credentials so that the client can be logged in via radius. At this point the status.html pops up in a new window and the main window redirects to the initial page the client requested. I invisige that another redirect happen here that also make a call to a mikrotik blogin.html to do an IPv6 radius or whatever login. This second redirect would be to an IPv6 Address to the the mikrotik could discover the IPv6 Address Associated with the client in addition to the IPv4 Address. A session token could be passed to both the IPv4 alogin.htm and the IPv6 blogin.html, so the router can know which IPv4 belongs with which IPv6.

For 3b) To have combined sessions the IPv4 counters would have to be combined with the IPv6 counters to create a single radius session. ie instead of IPv6 creating it’s own radius session, it would simply add itself to the existing IPv4 session. I have a feeling that this might be tricky to achieve without some effort. The main problem I see with this is that it creates the idea of a master and slave protocol. Let’s suppose that a client first starts his session with a call to an IPv6 web site such as http://ipv6.google.com, but the IPv4 is the master protocol, then the hotspot will have to redirect the browser to the IPv4 hotspot and login from there. I’m not really sure how much of a problem this is, or if it even is one.

Naturally I am happy to assist with testing this new feature.

fewi · September 13, 2010, 12:15pm

The current Hotspot solution relies heavily on NAT.

The problem: There’s no such thing for IPv6.

omega-00 · September 13, 2010, 5:36pm

Not really, most of the rules are simply catch-all redirects..

Eg: if dst-port=80 and protocol=tcp and user=no-auth then redirect to 65XXX (whatever port it is the hotspot runs on)
same with dns, redirect any port 53 udp requests to the mikrotiks IP address itself.

These could remain the same on an IPv6 hotspot.

fewi · September 13, 2010, 6:09pm

Those redirects are NAT. The destination IP address of the packet is rewritten to an IP address local to the router. From the iptables man page:

REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
–to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

omega-00 · September 13, 2010, 11:27pm

Derp sorry. I stand corrected.

bevhost · September 15, 2010, 5:07am

This might help…

see
http://www.suse.de/~krahmer/ip6nat/

normis · September 15, 2010, 11:48am

what is that?

bevhost · September 15, 2010, 6:14pm

It’s been suggested that the lack of a NAT capability for IPv6 is a roadblock for IPv6 Hotspot. Here is an implementation of NAT allowing IPv6 Redirect.

README:

ip6nat

Requires libnefnetlink (libnfnetlink-0.0.39 tested) and
libnetfilter_queue (libnetfilter_queue-0.0.16 tested), both
available on http://netfilter.org.
Should also be available on most dists via libnfnetlink,
libnfnetlink-devel, libnetfilter_queue and libnetfilter_queue-devel
RPMs.

I know, I know! IPv6 was designed for end-to-end use-case and there
is no need for NAT etc. Thats exactly why theres no ip6nat
inside netfitler. However, in some cases, especially transparent
proxying for example to setup on-the-fly virus scanning, SPAM traps
or pentesting SSL applications, it is very useful.

Even though ip6nat could NAT whole network ranges from private address
ranges (link local) to public ones, the intended use is as
described above.

There is a sample.conf file describing how to use the rules, then
basically just start ip6nat as root with your conf-file,
redirect the traffic you need to translate via ip6table QUEUE target
into ip6nat, and you are done.

tp-test shows how you can use ip6nat API to find out where
original connections should go if you write a transparent
proxy.

If using -R, make sure you have a /dev/log device inside.

sample.conf:

ip6nat config file

generic template:

→
where: proto is one of {icmp, udp, tcp}
table is one of {dnat, snat} for destinantion NAT or source NAT
addr1 the address or address-range that the packet must match
if table is dnat, the destination of packet must match
and respectively for snat the source must match
port1 if proto is udp or tcp, this port must match too;
source-port if snat is used, destination port if dnat is used
a port of 0 matches any port
addr2 this is the address to which the packet is translated if addr1/port1
rule matches
port2 ditto. if port2 is 0, then the port is not translated
Please also see setup.sh. 2001::1 was a local address, 2002, 3001 and 4000
were remote machines with apropriate routing entries set.
For every proto and table, only the first matching rule is taken,
so write the more specific rules first (e.g. single address before network
address). As a general rule, do not try to be too clever with the rules,
like SNATing and DNATing packets so that they all equal or alike,
this will confuse the translator.
Also, use carefull chosen ip6table rules to only QUEUE the packets
you want to translate. This speeds up NAT and helps to avoid
misconfigs. See setup.sh how to QUEUE packets.
all tcp to 3001::1.22 is translated to 2001::1.22
tcp dnat 3001::1 22->2001::1 0
tcp dnat 3001::1 1234->2001::1 8080
all tcp from 2001::1.x is translated to src port 7890 (singleton connection)
#tcp snat 2001::1 0->2001::1 7890
all tcp to 2002::1.22 is translated to 2001::1.1234
tcp dnat 2002::1 22->2001::1 1234
icmp has no ports, set it to 0
icmp dnat 3001::1 0->2001::1 0
all tcp to network 4000::/16 port 22 is translated to 2002::1.22
tcp dnat 4000::1/16 22->2002::1 0

omega-00 · September 20, 2010, 4:53pm

Pepperspot (the IPv6 version of chillispot) also has a hotspot implementation running now.

I believe this is the relevant IPTABLES file https://pepperspot.svn.sourceforge.net/svnroot/pepperspot/tags/pepperspot-0.3/extra/pepper.ip6tables
however the whole source code is available http://pepperspot.sourceforge.net/

normis · September 21, 2010, 6:05am

Those are non standard hacks. We will only use approved standards in our ipv6 implementation

bevhost · September 21, 2010, 10:15am

So it’s official then, Mikrotik is getting out of the hotspot with captive portal business?

normis · September 21, 2010, 10:17am

maybe it’s possible to achieve this in another way, we are still researching possibilities

fewi · September 21, 2010, 12:10pm

The Pepperspot solution was kinda neat in a way. They appear to be routing all IP traffic (v6 and v4) across a TUN interface so that it is consumed in userland by their Hotpot process. That process then puts packets out on the physical interface for authenticated clients. No NAT required. On the other hand, the process always consumes all packets so I would think performance is fairly bad.

At least that is how I think it works. Didn’t have too much time to go through their code, and I’m a very bad programmer to boot.

omega-00 · September 21, 2010, 10:26pm

There isn’t an RFC for an IPv4 captive portal implementation let alone IPv6

normis · September 22, 2010, 5:39am

what do you mean, of course there is. NAT is a documented technology standard. All the mechanism that make hotspot work are.

normis · September 22, 2010, 6:21am

To bevhost: Code you provided link to captures all IPv6 traffic to user space for processing and that will mean massive performance penalty.

To omega-00: we could not find any NAT or redirects in pepperspot code neither in IPv4 nor IPv6.

bevhost · September 22, 2010, 8:13am

Actually it only captures IPv6 traffic that is directed to the QUEUE target in iptables, so it’s not all traffic.

And that is the one reason why it is better than the pepperspot solution.
The other reason is that pepperspot will only work on the direct LAN so hotpsot users can’t be behind another router.
The Juniper Junos Captive Portal has a similar problem.

You would not actually have to use the nat software I provided, you could just process the QUEUE traffic in userspace in your own code.