Differences

docs:guide-user:firewall:fw3_configurations:fw3_nat [2022/10/27 20:41] – optimize title vgaetera
docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera
Line 1: Line 1:
-====== NAT configurations ======+====== NAT examples ======
 The [[docs:guide-user:firewall:overview|fw4 application]] has extensive support for [[https://en.wikipedia.org/wiki/Network_address_translation|NAT]] filterning. The [[docs:guide-user:firewall:overview|fw4 application]] has extensive support for [[https://en.wikipedia.org/wiki/Network_address_translation|NAT]] filterning.
 NAT is a powerful feature and is credited with extending the life of the IPv4 protocol. NAT is a powerful feature and is credited with extending the life of the IPv4 protocol.
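Review bot: the unchanged context line on both sides still reads "NAT filterning"; the typo should be "NAT filtering" and is worth fixing in the same edit as the title rename. The page path is fw3_configurations/fw3_nat while the intro links to the "fw4 application", so the new "NAT examples" title would benefit from one sentence stating that the examples below target fw4 (nftables) rather than fw3.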
Line 213: Line 213:
         option dest_port        3128         option dest_port        3128
         option target           SNAT         option target           SNAT
 +</code>
 +
 +===== Extras =====
 +==== NAT ====
 +Enable masquerading aka NAT on the WAN zone.
 +
 +<code bash>
 +uci set firewall.@zone[1].masq="1"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 NAT ====
 +Enable IPv6 masquerading aka NAT66 on the WAN zone.
 +
 +<code bash>
 +uci set firewall.@zone[1].masq6="1"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +Announce IPv6 default route for the ULA prefix.
 +
 +<code bash>
 +uci set dhcp.lan.ra_default="1"
 +uci commit dhcp
 +service odhcpd restart
 +</code>
 +
 +Disable IPv6 source filter on the upstream interface.
 +
 +<code bash>
 +uci set network.wan6.sourcefilter="0"
 +uci commit network
 +service network restart
 +</code>
 +
 +==== Selective NAT ====
 +Enable masquerading selectively for a specific source subnet.
 +
 +<code bash>
 +uci -q delete firewall.nat
 +uci set firewall.nat="nat"
 +uci set firewall.nat.family="ipv4"
 +uci set firewall.nat.proto="all"
 +uci set firewall.nat.src="wan"
 +uci set firewall.nat.src_ip="192.168.2.0/24"
 +uci set firewall.nat.target="MASQUERADE"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 selective NAT ====
 +Enable IPv6 masquerading selectively for a specific source subnet.
 +
 +<code bash>
 +uci -q delete firewall.nat6
 +uci set firewall.nat6="nat"
 +uci set firewall.nat6.family="ipv6"
 +uci set firewall.nat6.proto="all"
 +uci set firewall.nat6.src="wan"
 +uci set firewall.nat6.src_ip="fd00:2::/64"
 +uci set firewall.nat6.target="MASQUERADE"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== NPT ====
 +Enable IPv4 to IPv4 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt.sh
 +LAN_PFX="192.168.1.0/24"
 +WAN_PFX="192.168.2.0/24"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip prefix to ip \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +EOF
 +uci -q delete firewall.npt
 +uci set firewall.npt="include"
 +uci set firewall.npt.path="/etc/nftables.d/npt.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 NPT ====
 +Enable IPv6 to IPv6 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt6.sh
 +LAN_PFX="$(uci -q get network.globals.ula_prefix)"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +network_get_prefix6 WAN_PFX "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +EOF
 +uci -q delete firewall.npt6
 +uci set firewall.npt6="include"
 +uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== Symmetric dynamic IPv6 NPT ====
 +Enable symmetric dynamic IPv6 to IPv6 network prefix translation.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/npt6.sh
 +LAN_IF="lan"
 +sleep 5
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_get_device LAN_DEV "${LAN_IF}"
 +network_get_prefix_assignment6 LAN_PFX "${LAN_IF}"
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +network_get_prefix6 WAN_PFX "${WAN_IF}"
 +nft add rule inet fw4 srcnat \
 +oifname ${WAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${LAN_PFX} : ${WAN_PFX} }
 +nft add rule inet fw4 srcnat \
 +oifname ${LAN_DEV} snat ip6 prefix to ip6 \
 +saddr map { ${WAN_PFX} : ${LAN_PFX} }
 +EOF
 +uci -q delete firewall.npt6
 +uci set firewall.npt6="include"
 +uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 to IPv4 NAT with Jool ====
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool.
 +Use DNS64 to resolve domain names.
 +
 +<code bash>
 +opkg update
 +opkg install jool-tools-netfilter
 +. /usr/share/libubox/jshn.sh
 +json_init
 +json_add_string "instance" "default"
 +json_add_string "framework" "netfilter"
 +json_add_object "global"
 +json_add_string "pool6" "64:ff9b::/96"
 +json_close_object
 +json_dump > /etc/jool/jool-nat64.conf.json
 +uci set jool.general.enabled="1"
 +uci set jool.nat64.enabled="1"
 +uci commit jool
 +service jool restart
 +</code>
 +
 +==== IPv6 to IPv4 NAT with Tayga ====
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga.
 +Use DNS64 to resolve domain names.
 +
 +<code bash>
 +opkg update
 +opkg install tayga
 +uci del_list firewall.lan.network="nat64"
 +uci add_list firewall.lan.network="nat64"
 +uci commit firewall
 +service firewall restart
 +uci -q delete network.nat64
 +uci set network.nat64="interface"
 +uci set network.nat64.proto="tayga"
 +uci set network.nat64.prefix="64:ff9b::/96"
 +uci set network.nat64.ipv6_addr="fd00:ffff::1"
 +uci set network.nat64.dynamic_pool="192.168.255.0/24"
 +uci set network.nat64.ipv4_addr="192.168.255.1"
 +uci commit network
 +service network restart
 +</code>
 +
 +==== TTL ====
 +Modify TTL for egress traffic.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/ttl.sh
 +WAN_TTL="65"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 mangle_postrouting \
 +oifname ${WAN_DEV} ip ttl set ${WAN_TTL}
 +EOF
 +uci -q delete firewall.ttl
 +uci set firewall.ttl="include"
 +uci set firewall.ttl.path="/etc/nftables.d/ttl.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== IPv6 hop limit ====
 +Modify IPv6 hop limit for egress traffic.
 +
 +<code bash>
 +cat << "EOF" > /etc/nftables.d/hlim.sh
 +WAN_HLIM="65"
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan6 WAN_IF
 +network_get_device WAN_DEV "${WAN_IF}"
 +nft add rule inet fw4 mangle_postrouting \
 +oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM}
 +EOF
 +uci -q delete firewall.hlim
 +uci set firewall.hlim="include"
 +uci set firewall.hlim.path="/etc/nftables.d/hlim.sh"
 +uci commit firewall
 +service firewall restart
 +</code>
 +
 +==== FTP passthrough ====
 +Enable NAT passthrough for FTP using [[packages:pkgdata:kmod-nf-nathelper]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-nf-nathelper
 +service firewall restart
 +</code>
 +
 +==== SIP passthrough ====
 +Enable NAT passthrough for SIP, PPTP, GRE, etc. using [[packages:pkgdata:kmod-nf-nathelper-extra]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-nf-nathelper-extra
 +service firewall restart
 +</code>
 +
 +==== RTSP passthrough ====
 +Enable NAT passthrough for RTSP using [[packages:pkgdata:kmod-ipt-nathelper-rtsp]].
 +
 +<code bash>
 +opkg update
 +opkg install kmod-ipt-nathelper-rtsp
 +service firewall restart
 </code> </code>
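Review bot: the "IPv6 NAT" block sets `network.wan6.sourcefilter="0"` without saying what it gives up: the source filter is what keeps forwarded packets with a non-delegated source (ULA or anything else) from reaching the upstream default route, so disabling it removes that anti-spoofing guard for every source, not only the one being masqueraded. With the later "IPv6 selective NAT" block (`src_ip="fd00:2::/64"`) any other internal IPv6 subnet would then be forwarded upstream untranslated. Suggest stating that the sourcefilter change is required only when NAT66 is in use, and that a reject rule for untranslated ULA sources (or a masq6 covering all of them) is needed once the filter is off. Two smaller points in the same hunk: `firewall.@zone[1].masq="1"` and `firewall.@zone[1].masq6="1"` rely on the wan zone being second in the config, so on a reordered config the wrong zone is masqueraded silently; resolving the section by name, e.g. `uci show firewall | sed -n "s/\.name='wan'$//p"`, avoids that. In the "Symmetric dynamic IPv6 NPT" script, `sleep 5` is the only protection against `network_get_prefix6` or `network_get_prefix_assignment6` returning empty; an empty `${WAN_PFX}` or `${LAN_PFX}` makes the `nft add rule ... map { ... }` call malformed and the include fails without installing any NPT rule, so add `[ -n "${LAN_PFX}" ] && [ -n "${WAN_PFX}" ] || exit 1` before the `nft` commands. The FTP/SIP/RTSP passthrough blocks could also mention that each conntrack helper parses application-layer payload from untrusted peers and is attached automatically by fw4, so only the helpers actually needed should be installed.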
  
  • Last modified: 2023/12/10 11:42
  • by vgaetera