Differences

docs:guide-user:firewall:fw3_configurations:fw3_nat [2018/09/18 20:57] – [NAT Diagnostics] dturvene
docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera
Line 1: Line 1:
-====== fw3 NAT Configurations ====== +====== NAT examples ====== 
-The [[docs:guide-user:firewall:overview|fw3 application]] has extensive support for +The [[docs:guide-user:firewall:overview|fw4 application]] has extensive support for [[https://en.wikipedia.org/wiki/Network_address_translation|NAT]] filterning. 
-[[https://en.wikipedia.org/wiki/Network_address_translation|NAT]] filterning. +NAT is a powerful feature and is credited with extending the life of the IPv4 protocol.
-NAT is a powerful feature and is credited with extending the life of the IPv4 +
-protocol. +
- +
-As with other firewall section, this section will not delve into NAT background +
-and theory. Some useful links for this are:+
  
 +As with other firewall section, this section will not delve into NAT background and theory.
 +Some useful links for this are:
   * https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html   * https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
   * https://www.karlrupp.net/en/computer/nat_tutorial   * https://www.karlrupp.net/en/computer/nat_tutorial
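
Review bot: two wording defects from the old intro are carried into the new revision unchanged: "NAT filterning" should read "NAT filtering", and "As with other firewall section" should be "As with other firewall sections". Since the heading and link text now say fw4 while the page still lives under the fw3_configurations namespace, it is worth stating in the intro that the UCI configuration shown applies to both fw3 and fw4, or the rest of the page (which still shows iptables output) will read as inconsistent.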
Line 14: Line 11:
 OpenWrt supports DNAT, SNAT, MASQUERADING. OpenWrt supports DNAT, SNAT, MASQUERADING.
  
-===== NAT Diagnostics =====+===== NAT diagnostics =====
 See [[docs:guide-user:firewall:netfilter_iptables:netfilter_management|Netfilter Management]] for See [[docs:guide-user:firewall:netfilter_iptables:netfilter_management|Netfilter Management]] for
-analyzing the netfilter rules+analyzing the netfilter rules and investigating conntrack sessions.
- +
-Additionally, all NAT features depend on the ''nf_conntrack'' modules to track +
-IP connections between the WAN-side and the LAN-side; viewing it can be +
-invaluable when debugging NAT traffic.  The kernel presents the table +
-through the [[https://en.wikipedia.org/wiki/Procfs|procfs filesystem]] +
-at ''/proc/net/nf_conntrack''+
- +
-:!: The nf_conntrack parameters can be tuned using parameters in the sysfs +
-filesystem under ''/proc/sys/net/netfilter'' This is almost never desirable+
  
-===== NAT Example Configurations ===== +===== NAT example configurations ===== 
-This section contains typical uses of the fw3 NAT features+This section contains typical uses of the fw4 NAT features
  
 ==== Port forwarding for IPv4 (DNAT) ==== ==== Port forwarding for IPv4 (DNAT) ====
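
Review bot: removing the nf_conntrack paragraph deletes the only place this page introduces ''/proc/net/nf_conntrack'', yet the SMTP DNAT and MASQUERADE sections further down still instruct the reader to dump that file and interpret its records. Either keep one sentence here saying that NAT state is kept in the conntrack table exposed at /proc/net/nf_conntrack, or confirm that the linked Netfilter Management page covers it under the new "investigating conntrack sessions" wording. The dropped warning about tuning conntrack via /proc/sys/net/netfilter was the page's only caveat on that topic; the cut is fine only if the linked page carries it.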
Line 34: Line 22:
 the SSH (22) port of a single LAN-side station. the SSH (22) port of a single LAN-side station.
  
-<file>+<code bash>
 config redirect config redirect
        option target          DNAT        option target          DNAT
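
Review bot: the ''config redirect'' block is UCI configuration, not shell, so the new ''<code bash>'' tag only highlights it by accident; a plain ''<code>'' (as this same change uses for the conntrack dumps later on) would be the consistent choice for all UCI blocks on the page.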
Line 44: Line 32:
        option dest_port       22        option dest_port       22
        option enabled         1        option enabled         1
-</file>+</code>
  
 To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4 To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4
 address on the LAN-side network: address on the LAN-side network:
-<file>+ 
 +<code bash>
 ssh -p 2222 192.168.10.13 hostname; cat /proc/version ssh -p 2222 192.168.10.13 hostname; cat /proc/version
-</file>+</code> 
 When the rule is enabled STA2 will reply with its hostname and kernel version. When the rule is enabled STA2 will reply with its hostname and kernel version.
 When the rule is disabled, the connection is refused. When the rule is disabled, the connection is refused.
  
 The passionate reader will ask "So what netfilter rules does this create?" The passionate reader will ask "So what netfilter rules does this create?"
-<file>+<code bash>
 iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.168.10.20:22 iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.168.10.20:22
 ... ...
 iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.3.185/255.255.255.255 -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.168.10.20:22 iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.3.185/255.255.255.255 -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.168.10.20:22
-</file+</code> 
-The first rule matches packets coming in the WAN-side if on TCP port 2222 and + 
-jumps to the ''DNAT'' filter to translate the destination to +The first rule matches packets coming in the WAN-side if on TCP port 2222 and jumps to the ''DNAT'' filter to translate the destination to ''192.168.10.20:22''
-''192.168.10.20:22''+The second rule matches packets coming in from the LAN-side to the WAN-side if on TCP port 2222. 
-The second rule matches packets coming in from the LAN-side to the WAN-side if +The DNAT target uses the same ''--to-destination'' parameters as the first rule to find the "reflection" in the conntrack table.
-on TCP port 2222.  The DNAT target uses the same ''--to-destination'' +
-parameters as the first rule to find the "reflection" in the conntrack table.+
  
 The next thought of the passionate reader is "So what is IN the conntrack table?" The next thought of the passionate reader is "So what is IN the conntrack table?"
-<file>+ 
 +<code bash>
 ipv4     2 tcp      6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2 ipv4     2 tcp      6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2
-</file>+</code> 
 This record shows the WAN-side src=STA1 and dst=192.168.10.13:2222 and the reverse direction This record shows the WAN-side src=STA1 and dst=192.168.10.13:2222 and the reverse direction
 LAN-side src=STA2:22 src=STA1. LAN-side src=STA2:22 src=STA1.
  
 ==== DNAT to translate a LAN-side address on the WAN-side ==== ==== DNAT to translate a LAN-side address on the WAN-side ====
-This redirect rule will cause the router to translate the WAN-side source of +This redirect rule will cause the router to translate the WAN-side source of 1.2.3.4 to the LAN-side STA2 and route the ICMP echo to it. 
-1.2.3.4 to the LAN-side STA2 and route the ICMP echo to it.  The rule is +The rule is reflexive in that STA2 will be translated by to 1.2.3.4 on the WAN-side.
-reflexive in that STA2 will be translated by to 1.2.3.4 on the WAN-side.+
  
-<code>+<code bash>
 config redirect config redirect
         option src      wan         option src      wan
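
Review bot: the page is retitled for fw4, but the rule dump kept in this hunk is iptables output with ''--comment "!fw3: @redirect[0]"''; on an fw4 system the generated rules live in the nftables ''inet fw4'' table and are inspected with nft rather than iptables, so either keep the fw3 label for this example or regenerate the listing from an fw4 router. Smaller points in the same hunk: "STA2 will be translated by to 1.2.3.4" has a stray "by"; the conntrack record is now tagged ''<code bash>'' although it is not shell (the SMTP section tags the same kind of dump ''<code>''); and the unchanged sentence "LAN-side src=STA2:22 src=STA1" should read "dst=STA1" to match the record shown (''src=192.168.10.20 dst=192.168.3.171 sport=22'').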
Line 98: Line 87:
  
 :!: Due to the high visibility of a public server, it may warrant putting :!: Due to the high visibility of a public server, it may warrant putting
-it/them in a [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|fw3 DMZ]].+it/them in a [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|fw4 DMZ]].
  
-<code>+<code bash>
 config redirect config redirect
         option target DNAT         option target DNAT
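
Review bot: the link text changes to "fw4 DMZ" but the target is still ''docs:guide-user:firewall:fw3_configurations:fw3_dmz''; confirm that page exists under that path (or update the target), otherwise the rename produces a dangling link. The ''<code bash>'' tag on the following UCI block has the same mislabelling as the earlier redirect block.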
Line 114: Line 103:
 </code> </code>
  
-In this example, STA2 is running an email server (e.g. postfix) listening on +In this example, STA2 is running an email server (e.g. postfix) listening on port 2525 for incoming email.
-port 2525 for incoming email.+
  
-This redirect rule states: any incoming traffic from the wan on port 25, +This redirect rule states: any incoming traffic from the wan on port 25, redirect to STA1 port 2525.
-redirect to STA1 port 2525.+
  
-To verify what is going on dump ''/proc/net/nf_conntrack'' to observe the +To verify what is going on dump ''/proc/net/nf_conntrack'' to observe the dynamic connnection for incoming traffic. 
-dynamic connnection for incoming traffic.  There can be quite a few conntrack +There can be quite a few conntrack records in it so we will search on just the ones using port 2525:
-records in it so we will search on just the ones using port 2525:+
  
-<file>+<code>
 ... ...
 ipv4     2 tcp      6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2 ipv4     2 tcp      6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2
 ... ...
-</file>+</code> 
 The connection is coming from STA1 port 25 to the DUT and is translated to STA2 The connection is coming from STA1 port 25 to the DUT and is translated to STA2
 on port 2525 with a response destination to STA1. on port 2525 with a response destination to STA1.
  
-In the reference topology, the above rule alone will not allow SMTP traffic to +The relevant traffic matches the DNAT conntrack state which is allowed to traverse zones by OpenWrt firewall, so no extra permissive rules are required.
-the server. Why?  The netfilter rules are more restrictive than typical, +
-blocking all traffic that is not explicitly accepted.  There is no rule for +
-accepting email traffic to the LAN-side so it is being dropped.  For this +
-topology, an additional rule must be added to the firewall to forward SMTP +
-traffic. +
- +
-<code> +
-config rule +
-        option src wan +
-        option dest lan +
-        option proto tcp +
-        option dest_port 2525 +
-        option target ACCEPT +
-        option name 'ACCEPT-SMTP-WAN-LAN' +
-        option enabled 1 +
-</code> +
- +
-Since DNAT translation occurs early in the ip stack (the PREROUTING chain)the +
-'dest_port' is already translated to 2525 when this rule is tested in the +
-FORWARD chain - notice the port match is for 2525. +
- +
-:!: This is illustrated because some (most!) netfilter configurations accept too +
-much WAN-side traffic.+
  
 ==== Source NAT (SNAT) ==== ==== Source NAT (SNAT) ====
Line 161: Line 125:
 a fictitious one on port 8080. a fictitious one on port 8080.
  
-<code>+<code bash>
 config redirect config redirect
         option target           SNAT         option target           SNAT
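
Review bot: the replacement sentence "The relevant traffic matches the DNAT conntrack state which is allowed to traverse zones by OpenWrt firewall" drops the caveat the removed paragraph made explicit. The automatic accept holds for the default ruleset, which accepts forwarded connections in the DNAT conntrack state, but the deleted text described a reference topology that was deliberately more restrictive than the default, and in such a ruleset a wan→lan accept on the translated port (2525, because DNAT happens in PREROUTING before FORWARD is evaluated) is still required. Suggest keeping one sentence stating that no extra rule is needed with the default configuration and why. Also in this hunk: "redirect to STA1 port 2525" should be STA2 (STA2 runs the mail server, and both the conntrack record and the following sentence show STA2:2525); "connnection" is misspelled; and "by OpenWrt firewall" should read "by the OpenWrt firewall".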
Line 174: Line 138:
  
 To test: To test:
- 
   - use netcat to listen on the STA1, the WAN-side station: ''nc -l 8080''   - use netcat to listen on the STA1, the WAN-side station: ''nc -l 8080''
   - use netcat to connect on the STA2, the LAN-side station: ''nc -v 192.168.3.171 8080''   - use netcat to connect on the STA2, the LAN-side station: ''nc -v 192.168.3.171 8080''
  
-Type something on the LAN-side station and see it echoed on the WAN-side +Type something on the LAN-side station and see it echoed on the WAN-side station. 
-station.  Check the connection on the WAN-side station using ''netstat -ntap'' +Check the connection on the WAN-side station using ''netstat -ntap'' and see the line:
-and see the line:+
  
-''tcp        0      0 192.168.3.171:8080      192.168.10.13:47970 ESTABLISHED 16746/nc''+<code> 
 +tcp        0      0 192.168.3.171:8080      192.168.10.13:47970 ESTABLISHED 16746/nc 
 +</code>
  
 The WAN-side station shows the SNAT address connecting to it on port 8080! The WAN-side station shows the SNAT address connecting to it on port 8080!
  
-When used alone, Source NAT is used to restrict a computer's access to the +When used alone, Source NAT is used to restrict a computer's access to the internet while allowing it to access a few services by forwarding what appears to be 
-internet while allowing it to access a few services by forwarding what appears to be +a few local services, e.g. [[http://en.wikipedia.org/wiki/Network_time_protocol|NTP]], to the internet. 
-a few local services, e.g. [[http://en.wikipedia.org/wiki/Network_time_protocol|NTP]], to the +While DNAT hides the local network from the internet, SNAT hides the internet from the local network.
-internet.  While DNAT hides the local network from the internet, SNAT hides the +
-internet from the local network.+
  
 ==== MASQUERADE ==== ==== MASQUERADE ====
-This is the most used and useful NAT function.  It translates a local private +This is the most used and useful NAT function. 
-network on the LAN-side to a single public address/port num on the WAN-side and +It translates a local private network on the LAN-side to a single public address/port num on the WAN-side and then the reverse. 
-then the reverse.  It is the default firewall configuration for **every** IPv4 +It is the default firewall configuration for **every** IPv4 router. 
-router.  As a result it is a very simple fw3 configuration+As a result it is a very simple fw4 configuration
  
-The LAN-side uses a +The LAN-side uses a [[https://en.wikipedia.org/wiki/Private_network|private network]]. 
-[[https://en.wikipedia.org/wiki/Private_network|private network]]. +The router translates the private addresses to the router address:port and the netfilter conntrack module manages the connection.
-The router translates the private addresses to the router  +
-address:port and the netfilter conntrack module manages the connection.+
  
 The masquerade is set on the WAN-side The masquerade is set on the WAN-side
-<code>+ 
 +<code bash>
 config zone config zone
  option name 'wan'  option name 'wan'
Line 211: Line 172:
  option masq '1'  option masq '1'
 </code> </code>
 +
 Simple, no? Simple, no?
  
-The router will generally get its WAN ip address from the upstream DHCP server +The router will generally get its WAN ip address from the upstream DHCP server and be the DHCP server (and usually DNS server) for LAN stations. 
-and be the DHCP server (and usually DNS server) for LAN stations.  The ''network'' +The ''network'' configuration file defines the private network and the ''dhcp'' configuration file defines how the OpenWrt router assigns LAN-side IPv4 addresses.
-configuration file defines the private network and the ''dhcp'' configuration +
-file defines how the OpenWrt router assigns LAN-side IPv4 addresses.+
  
-When MASQUERADE is enabled, **all** forwarded traffic between WAN and LAN is +When MASQUERADE is enabled, **all** forwarded traffic between WAN and LAN is translated. 
-translated.  Essentially, there is very little that can go wrong with the +Essentially, there is very little that can go wrong with the MASQUERADE firewall rules.
-MASQUERADE firewall rules.+
  
 Dump ''/proc/net/nf_conntrack'' to inspect the current MASQUERADE connections. Dump ''/proc/net/nf_conntrack'' to inspect the current MASQUERADE connections.
 The following connection tracks SSH (22) access from STA1 to STA2. The following connection tracks SSH (22) access from STA1 to STA2.
-<file>+ 
 +<code>
 ipv4     2 tcp      6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2 ipv4     2 tcp      6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2
-</file>+</code>
  
 :!: MASQUERADE supports two or more private LAN zones :!: MASQUERADE supports two or more private LAN zones
Line 233: Line 193:
 :!: not tested :!: not tested
  
-The following rule redirects all LAN-side HTTP traffic through an +The following rule redirects all LAN-side HTTP traffic through an external proxy at 192.168.1.100 listening on port 3128. 
-external proxy at 192.168.1.100 listening on port 3128. +It assumes the //lan// address to be 192.168.1.1 - this is needed to masquerade redirected traffic towards the proxy.
-It assumes the //lan// address to be 192.168.1.1 - this is needed to masquerade +
-redirected traffic towards the proxy.+
  
-<code>+<code bash>
 config redirect config redirect
         option src              lan         option src              lan
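
Review bot: the SNAT explanation "restrict a computer's access to the internet while allowing it to access a few services by forwarding what appears to be a few local services, e.g. NTP, to the internet" is hard to follow and this rewrap was a good opportunity to clarify it; stating plainly that the LAN host is given no default route or general forwarding and that SNAT rewrites its traffic to selected services so they appear local would make the point. Smaller items: "address/port num" should be "address/port number", "WAN ip address" should use "IP", and the ''config zone'' and ''config redirect'' blocks are again tagged ''<code bash>'' while the conntrack dump in the same hunk is tagged ''<code>''.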
Line 257: Line 215:
 </code> </code>
  
 +===== Extras =====
 +==== NAT ====
 +Enable masquerading aka NAT on the WAN zone.
 +
 +<code bash>
 +uci set firewall.@zone[1].masq="1"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 NAT ====
 +Enable IPv6 masquerading aka NAT66 on the WAN zone.
 +
 +<code bash>
 +uci set firewall.@zone[1].masq6="1"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +Announce IPv6 default route for the ULA prefix.
 +
 +<code bash>
 +uci set dhcp.lan.ra_default="1"
 +uci commit dhcp
 +service odhcpd restart
 +</code>
 +
 +Disable IPv6 source filter on the upstream interface.
 +
 +<code bash>
 +uci set network.wan6.sourcefilter="0"
 +uci commit network
 +service network restart
 +</code>
 +
 +==== Selective NAT ====
 +Enable masquerading selectively for a specific source subnet.
 +
 +<code bash>
 +uci -q delete firewall.nat
 +uci set firewall.nat="nat"
 +uci set firewall.nat.family="ipv4"
 +uci set firewall.nat.proto="all"
 +uci set firewall.nat.src="wan"
 +uci set firewall.nat.src_ip="192.168.2.0/24"
 +uci set firewall.nat.target="MASQUERADE"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 selective NAT ====
 +Enable IPv6 masquerading selectively for a specific source subnet.
 +
 +<code bash>
 +uci -q delete firewall.nat6
 +uci set firewall.nat6="nat"
 +uci set firewall.nat6.family="ipv6"
 +uci set firewall.nat6.proto="all"
 +uci set firewall.nat6.src="wan"
 +uci set firewall.nat6.src_ip="fd00:2::/64"
 +uci set firewall.nat6.target="MASQUERADE"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== NPT ====
 +Enable IPv4 to IPv4 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt.sh
 +LAN_PFX="192.168.1.0/24"
 +WAN_PFX="192.168.2.0/24"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip prefix to ip \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +EOF
 +uci -q delete firewall.npt
 +uci set firewall.npt="include"
 +uci set firewall.npt.path="/etc/nftables.d/npt.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 NPT ====
 +Enable IPv6 to IPv6 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt6.sh
 +LAN_PFX="$(uci -q get network.globals.ula_prefix)"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +network_get_prefix6 WAN_PFX "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +EOF
 +uci -q delete firewall.npt6
 +uci set firewall.npt6="include"
 +uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== Symmetric dynamic IPv6 NPT ====
 +Enable symmetric dynamic IPv6 to IPv6 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt6.sh
 +LAN_IF="lan"
 +sleep 5
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_get_device LAN_DEV "${LAN_IF}"
 +network_get_prefix_assignment6 LAN_PFX "${LAN_IF}"
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +network_get_prefix6 WAN_PFX "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +nft add rule inet fw4 srcnat \
 +oifname ${LAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${WAN_PFX} : ${LAN_PFX} }
 +EOF
 +uci -q delete firewall.npt6
 +uci set firewall.npt6="include"
 +uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 to IPv4 NAT with Jool ====
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool.
 +Use DNS64 to resolve domain names.
 +
 +<code bash>
 +opkg update
 +opkg install jool-tools-netfilter
 +. /usr/share/libubox/jshn.sh
 +json_init
 +json_add_string "instance" "default"
 +json_add_string "framework" "netfilter"
 +json_add_object "global"
 +json_add_string "pool6" "64:ff9b::/96"
 +json_close_object
 +json_dump > /etc/jool/jool-nat64.conf.json
 +uci set jool.general.enabled="1"
 +uci set jool.nat64.enabled="1"
 +uci commit jool
 +service jool restart
 +</code>
 +
 +==== IPv6 to IPv4 NAT with Tayga ====
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga.
 +Use DNS64 to resolve domain names.
 +
 +<code bash>
 +opkg update
 +opkg install tayga
 +uci del_list firewall.lan.network="nat64"
 +uci add_list firewall.lan.network="nat64"
 +uci commit firewall
 +service firewall restart
 +uci -q delete network.nat64
 +uci set network.nat64="interface"
 +uci set network.nat64.proto="tayga"
 +uci set network.nat64.prefix="64:ff9b::/96"
 +uci set network.nat64.ipv6_addr="fd00:ffff::1"
 +uci set network.nat64.dynamic_pool="192.168.255.0/24"
 +uci set network.nat64.ipv4_addr="192.168.255.1"
 +uci commit network
 +service network restart
 +</code>
 +
 +==== TTL ====
 +Modify TTL for egress traffic.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/ttl.sh
 +WAN_TTL="65"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 mangle_postrouting \
 +oifname ${WAN_DEV} ip ttl set ${WAN_TTL}
 +EOF
 +uci -q delete firewall.ttl
 +uci set firewall.ttl="include"
 +uci set firewall.ttl.path="/etc/nftables.d/ttl.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 hop limit ====
 +Modify IPv6 hop limit for egress traffic.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/hlim.sh
 +WAN_HLIM="65"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 mangle_postrouting \
 +oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM}
 +EOF
 +uci -q delete firewall.hlim
 +uci set firewall.hlim="include"
 +uci set firewall.hlim.path="/etc/nftables.d/hlim.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== FTP passthrough ====
 +Enable NAT passthrough for FTP using [[packages:pkgdata:kmod-nf-nathelper]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-nf-nathelper
 +service firewall restart
 +</code>
 +
 +==== SIP passthrough ====
 +Enable NAT passthrough for SIP, PPTP, GRE, etc. using [[packages:pkgdata:kmod-nf-nathelper-extra]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-nf-nathelper-extra
 +service firewall restart
 +</code>
 +
 +==== RTSP passthrough ====
 +Enable NAT passthrough for RTSP using [[packages:pkgdata:kmod-ipt-nathelper-rtsp]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-ipt-nathelper-rtsp
 +service firewall restart
 +</code>
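
Review bot: the NAT and IPv6 NAT snippets address the WAN zone by position (''uci set firewall.@zone[1].masq="1"''), which assumes wan is the second zone section in /etc/config/firewall, and the Tayga snippet uses ''uci del_list firewall.lan.network="nat64"'', which assumes a zone section literally named ''lan''; the stock configuration uses anonymous zone sections, so on a reordered or differently named config the first silently modifies the wrong zone and the second fails with a uci error. State that assumption in each section or show how to locate the section by its ''name'' option. The ''sleep 5'' in the symmetric IPv6 NPT script is an unexplained timing workaround (presumably waiting for the LAN prefix assignment to exist) and should say so, since a reader will not know whether it is safe to remove. The NAT64 sections say "Use DNS64 to resolve domain names" but do not say that the DNS64 resolver must synthesize AAAA records with the same ''64:ff9b::/96'' prefix configured for Jool or Tayga, which is the usual source of a non-working setup. Finally, ''opkg install'' lines in the same block as ''uci set'' lines mean a failed install still applies the configuration; a short note or separate blocks would make the ordering explicit.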
  
  • Last modified: 2023/12/10 11:42
  • by vgaetera