docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/08/27 09:01] – [Custom TTL] vgaeteradocs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera
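--- a/docs:guide-user:firewall:fw3_configurations:fw3_nat
+++ b/docs:guide-user:firewall:fw3_configurations:fw3_nat
@@ -215,30 +215,195 @@
 </code>
 
-==== FTP passthrough ====
-See also:
-[[packages:pkgdata:kmod-nf-nathelper]]
+===== Extras =====
+==== NAT ====
+Enable masquerading aka NAT on the WAN zone.
+
+<code bash>
+uci set firewall.@zone[1].masq="1"
+uci commit firewall
+service firewall restart
+</code>
+
+==== IPv6 NAT ====
+Enable IPv6 masquerading aka NAT66 on the WAN zone.
+
+<code bash>
+uci set firewall.@zone[1].masq6="1"
+uci commit firewall
+service firewall restart
+</code>
+
+Announce IPv6 default route for the ULA prefix.
+
+<code bash>
+uci set dhcp.lan.ra_default="1"
+uci commit dhcp
+service odhcpd restart
+</code>
+
+Disable IPv6 source filter on the upstream interface.
+
+<code bash>
+uci set network.wan6.sourcefilter="0"
+uci commit network
+service network restart
+</code>
+
+==== Selective NAT ====
+Enable masquerading selectively for a specific source subnet.
+
+<code bash>
+uci -q delete firewall.nat
+uci set firewall.nat="nat"
+uci set firewall.nat.family="ipv4"
+uci set firewall.nat.proto="all"
+uci set firewall.nat.src="wan"
+uci set firewall.nat.src_ip="192.168.2.0/24"
+uci set firewall.nat.target="MASQUERADE"
+uci commit firewall
+service firewall restart
+</code>
+
+==== IPv6 selective NAT ====
+Enable IPv6 masquerading selectively for a specific source subnet.
+
+<code bash>
+uci -q delete firewall.nat6
+uci set firewall.nat6="nat"
+uci set firewall.nat6.family="ipv6"
+uci set firewall.nat6.proto="all"
+uci set firewall.nat6.src="wan"
+uci set firewall.nat6.src_ip="fd00:2::/64"
+uci set firewall.nat6.target="MASQUERADE"
+uci commit firewall
+service firewall restart
+</code>
+
+==== NPT ====
+Enable IPv4 to IPv4 network prefix translation.
+
+<code bash>
+cat << "EOF" > /etc/nftables.d/npt.sh
+LAN_PFX="192.168.1.0/24"
+WAN_PFX="192.168.2.0/24"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
+nft add rule inet fw4 srcnat \
+oifname ${WAN_DEV} snat ip prefix to ip \
+saddr map { ${LAN_PFX} : ${WAN_PFX} }
+EOF
+uci -q delete firewall.npt
+uci set firewall.npt="include"
+uci set firewall.npt.path="/etc/nftables.d/npt.sh"
+uci commit firewall
+service firewall restart
+</code>
+
+==== IPv6 NPT ====
+Enable IPv6 to IPv6 network prefix translation.
+
+<code bash>
+cat << "EOF" > /etc/nftables.d/npt6.sh
+LAN_PFX="$(uci -q get network.globals.ula_prefix)"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan6 WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
+network_get_prefix6 WAN_PFX "${WAN_IF}"
+nft add rule inet fw4 srcnat \
+oifname ${WAN_DEV} snat ip6 prefix to ip6 \
+saddr map { ${LAN_PFX} : ${WAN_PFX} }
+EOF
+uci -q delete firewall.npt6
+uci set firewall.npt6="include"
+uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
+uci commit firewall
+service firewall restart
+</code>
+
+==== Symmetric dynamic IPv6 NPT ====
+Enable symmetric dynamic IPv6 to IPv6 network prefix translation.
+
+<code bash>
+cat << "EOF" > /etc/nftables.d/npt6.sh
+LAN_IF="lan"
+sleep 5
+. /lib/functions/network.sh
+network_flush_cache
+network_get_device LAN_DEV "${LAN_IF}"
+network_get_prefix_assignment6 LAN_PFX "${LAN_IF}"
+network_find_wan6 WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
+network_get_prefix6 WAN_PFX "${WAN_IF}"
+nft add rule inet fw4 srcnat \
+oifname ${WAN_DEV} snat ip6 prefix to ip6 \
+saddr map { ${LAN_PFX} : ${WAN_PFX} }
+nft add rule inet fw4 srcnat \
+oifname ${LAN_DEV} snat ip6 prefix to ip6 \
+saddr map { ${WAN_PFX} : ${LAN_PFX} }
+EOF
+uci -q delete firewall.npt6
+uci set firewall.npt6="include"
+uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
+uci commit firewall
+service firewall restart
+</code>
+
+==== IPv6 to IPv4 NAT with Jool ====
+Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool.
+Use DNS64 to resolve domain names.
 
 <code bash>
 opkg update
-opkg install kmod-nf-nathelper
-/etc/init.d/firewall restart
+opkg install jool-tools-netfilter
+/usr/share/libubox/jshn.sh
+json_init
+json_add_string "instance" "default"
+json_add_string "framework" "netfilter"
+json_add_object "global"
+json_add_string "pool6" "64:ff9b::/96"
+json_close_object
+json_dump > /etc/jool/jool-nat64.conf.json
+uci set jool.general.enabled="1"
+uci set jool.nat64.enabled="1"
+uci commit jool
+service jool restart
 </code>
 
-==== SIP passthrough ====
-See also:
-[[packages:pkgdata:kmod-nf-nathelper-extra]]
+==== IPv6 to IPv4 NAT with Tayga ====
+Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga.
+Use DNS64 to resolve domain names.
 
 <code bash>
 opkg update
-opkg install kmod-nf-nathelper-extra
-/etc/init.d/firewall restart
+opkg install tayga
+uci del_list firewall.lan.network="nat64"
+uci add_list firewall.lan.network="nat64"
+uci commit firewall
+service firewall restart
+uci -q delete network.nat64
+uci set network.nat64="interface"
+uci set network.nat64.proto="tayga"
+uci set network.nat64.prefix="64:ff9b::/96"
+uci set network.nat64.ipv6_addr="fd00:ffff::1"
+uci set network.nat64.dynamic_pool="192.168.255.0/24"
+uci set network.nat64.ipv4_addr="192.168.255.1"
+uci commit network
+service network restart
 </code>
 
-==== Custom TTL ====
+==== TTL ====
+Modify TTL for egress traffic.
 <code bash>
-NET_DEV="$(uci get network.wan.device)"
-NET_TTL="65"
-nft flush chain inet fw4 mangle_postrouting
-nft add rule inet fw4 mangle_postrouting oifname ${NET_DEV} ip ttl set ${NET_TTL}
+cat << "EOF" > /etc/nftables.d/ttl.sh
+WAN_TTL="65"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
+nft add rule inet fw4 mangle_postrouting
+oifname ${WAN_DEV} ip ttl set ${WAN_TTL}
 EOF
 uci -q delete firewall.ttl
@@ -246,4 +412,51 @@
 uci set firewall.ttl.path="/etc/nftables.d/ttl.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
+</code>
+
+==== IPv6 hop limit ====
+Modify IPv6 hop limit for egress traffic.
+
+<code bash>
+cat << "EOF"/etc/nftables.d/hlim.sh
+WAN_HLIM="65"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan6 WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
+nft add rule inet fw4 mangle_postrouting \
+oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM}
+EOF
+uci -q delete firewall.hlim
+uci set firewall.hlim="include"
+uci set firewall.hlim.path="/etc/nftables.d/hlim.sh"
+uci commit firewall
+service firewall restart
+</code>
+
+==== FTP passthrough ====
+Enable NAT passthrough for FTP using [[packages:pkgdata:kmod-nf-nathelper]].
+
+<code bash>
+opkg update
+opkg install kmod-nf-nathelper
+service firewall restart
+</code>
+
+==== SIP passthrough ====
+Enable NAT passthrough for SIP, PPTP, GRE, etc. using [[packages:pkgdata:kmod-nf-nathelper-extra]].
+
+<code bash>
+opkg update
+opkg install kmod-nf-nathelper-extra
+service firewall restart
+</code>
+
+==== RTSP passthrough ====
+Enable NAT passthrough for RTSP using [[packages:pkgdata:kmod-ipt-nathelper-rtsp]].
+
+<code bash>
+opkg update
+opkg install kmod-ipt-nathelper-rtsp
+service firewall restart
 </code>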
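Review bot: `cat << "EOF"/etc/nftables.d/hlim.sh` in the new IPv6 hop limit block is missing the `>` redirect, so the here-document delimiter becomes `EOF/etc/nftables.d/hlim.sh`, the closing `EOF` line never matches, and nothing is written to the path that `firewall.hlim.path` is then pointed at; it should read `cat << "EOF" > /etc/nftables.d/hlim.sh`. In the rewritten TTL block, `nft add rule inet fw4 mangle_postrouting` lacks the trailing `\` that the hop-limit and NPT scripts carry, so when fw4 runs the include the rule is added with no match or statement (or rejected) and `oifname ${WAN_DEV} ip ttl set ${WAN_TTL}` is executed as a separate command; change it to `nft add rule inet fw4 mangle_postrouting \`. The Jool block runs `/usr/share/libubox/jshn.sh` as a command rather than sourcing it; unless a leading `. ` was lost in rendering, the `json_*` helpers used on the following lines will not be defined in the shell that runs `json_init`. `firewall.@zone[1].masq="1"` and `masq6="1"` address the WAN zone by position, so on a configuration whose zones were reordered or extended the same commands enable masquerading on whatever zone sits at index 1; a sentence stating that the snippet assumes the default zone layout would avoid that surprise.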
  