| docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/08/27 10:29] – [Custom TTL] update vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera | ||
| Line 215: | Line 215: | ||
| </ | </ | ||
| - | ==== FTP passthrough | + | ===== Extras ===== |
| - | See also: | + | ==== NAT ==== |
| - | [[packages:pkgdata:kmod-nf-nathelper]] | + | Enable masquerading aka NAT on the WAN zone. |
| + | |||
| + | <code bash> | ||
| + | uci set firewall.@zone[1].masq=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 NAT ==== | ||
| + | Enable IPv6 masquerading aka NAT66 on the WAN zone. | ||
| + | |||
| + | <code bash> | ||
| + | uci set firewall.@zone[1].masq6=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | Announce IPv6 default route for the ULA prefix. | ||
| + | |||
| + | <code bash> | ||
| + | uci set dhcp.lan.ra_default=" | ||
| + | uci commit dhcp | ||
| + | service odhcpd restart | ||
| + | </ | ||
| + | |||
| + | Disable IPv6 source filter on the upstream interface. | ||
| + | |||
| + | <code bash> | ||
| + | uci set network.wan6.sourcefilter=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| + | </ | ||
| + | |||
| + | ==== Selective NAT ==== | ||
| + | Enable masquerading selectively for a specific source subnet. | ||
| + | |||
| + | <code bash> | ||
| + | uci -q delete firewall.nat | ||
| + | uci set firewall.nat=" | ||
| + | uci set firewall.nat.family=" | ||
| + | uci set firewall.nat.proto=" | ||
| + | uci set firewall.nat.src=" | ||
| + | uci set firewall.nat.src_ip=" | ||
| + | uci set firewall.nat.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 selective NAT ==== | ||
| + | Enable IPv6 masquerading selectively for a specific source subnet. | ||
| + | |||
| + | <code bash> | ||
| + | uci -q delete firewall.nat6 | ||
| + | uci set firewall.nat6=" | ||
| + | uci set firewall.nat6.family=" | ||
| + | uci set firewall.nat6.proto=" | ||
| + | uci set firewall.nat6.src=" | ||
| + | uci set firewall.nat6.src_ip=" | ||
| + | uci set firewall.nat6.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== NPT ==== | ||
| + | Enable IPv4 to IPv4 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_PFX=" | ||
| + | WAN_PFX=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname ${WAN_DEV} snat ip prefix to ip \ | ||
| + | saddr map { ${LAN_PFX} : ${WAN_PFX} } | ||
| + | EOF | ||
| + | uci -q delete firewall.npt | ||
| + | uci set firewall.npt=" | ||
| + | uci set firewall.npt.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 NPT ==== | ||
| + | Enable IPv6 to IPv6 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_PFX=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | network_get_prefix6 WAN_PFX " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname ${WAN_DEV} snat ip6 prefix to ip6 \ | ||
| + | saddr map { ${LAN_PFX} : ${WAN_PFX} } | ||
| + | EOF | ||
| + | uci -q delete firewall.npt6 | ||
| + | uci set firewall.npt6=" | ||
| + | uci set firewall.npt6.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== Symmetric dynamic IPv6 NPT ==== | ||
| + | Enable symmetric dynamic IPv6 to IPv6 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_IF=" | ||
| + | sleep 5 | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_get_device LAN_DEV " | ||
| + | network_get_prefix_assignment6 LAN_PFX " | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | network_get_prefix6 WAN_PFX " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname ${WAN_DEV} snat ip6 prefix to ip6 \ | ||
| + | saddr map { ${LAN_PFX} : ${WAN_PFX} } | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname ${LAN_DEV} snat ip6 prefix to ip6 \ | ||
| + | saddr map { ${WAN_PFX} : ${LAN_PFX} } | ||
| + | EOF | ||
| + | uci -q delete firewall.npt6 | ||
| + | uci set firewall.npt6=" | ||
| + | uci set firewall.npt6.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 to IPv4 NAT with Jool ==== | ||
| + | Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool. | ||
| + | Use DNS64 to resolve domain names. | ||
| <code bash> | <code bash> | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install |
| - | /etc/init.d/firewall | + | . /usr/share/ |
| + | json_init | ||
| + | json_add_string " | ||
| + | json_add_string " | ||
| + | json_add_object " | ||
| + | json_add_string " | ||
| + | json_close_object | ||
| + | json_dump > / | ||
| + | uci set jool.general.enabled=" | ||
| + | uci set jool.nat64.enabled=" | ||
| + | uci commit jool | ||
| + | service jool restart | ||
| </ | </ | ||
| - | ==== SIP passthrough | + | ==== IPv6 to IPv4 NAT with Tayga ==== |
| - | See also: | + | Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga. |
| - | [[packages: | + | Use DNS64 to resolve domain names. |
| <code bash> | <code bash> | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install |
| - | /etc/init.d/firewall | + | uci del_list firewall.lan.network=" |
| + | uci add_list firewall.lan.network=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | uci -q delete network.nat64 | ||
| + | uci set network.nat64=" | ||
| + | uci set network.nat64.proto=" | ||
| + | uci set network.nat64.prefix=" | ||
| + | uci set network.nat64.ipv6_addr=" | ||
| + | uci set network.nat64.dynamic_pool=" | ||
| + | uci set network.nat64.ipv4_addr=" | ||
| + | uci commit network | ||
| + | service network | ||
| </ | </ | ||
| - | ==== Custom | + | ==== TTL ==== |
| + | Modify TTL for egress traffic. | ||
| <code bash> | <code bash> | ||
| cat << " | cat << " | ||
| - | NET_DEV="$(uci get network.wan.device)" | + | WAN_TTL="65" |
| - | NET_TTL="65" | + | . / |
| + | network_flush_cache | ||
| + | network_find_wan WAN_IF | ||
| + | network_get_device WAN_DEV | ||
| nft add rule inet fw4 mangle_postrouting \ | nft add rule inet fw4 mangle_postrouting \ | ||
| - | oifname ${NET_DEV} ip ttl set ${NET_TTL} | + | oifname ${WAN_DEV} ip ttl set ${WAN_TTL} |
| - | nft add rule inet fw4 mangle_postrouting \ | + | |
| - | oifname ${NET_DEV} ip6 hoplimit set ${NET_TTL} | + | |
| EOF | EOF | ||
| uci -q delete firewall.ttl | uci -q delete firewall.ttl | ||
| Line 249: | Line 412: | ||
| uci set firewall.ttl.path="/ | uci set firewall.ttl.path="/ | ||
| uci commit firewall | uci commit firewall | ||
| - | /etc/init.d/firewall restart | + | service firewall restart |
| + | </ | ||
| + | |||
| + | ==== IPv6 hop limit ==== | ||
| + | Modify IPv6 hop limit for egress traffic. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | WAN_HLIM=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | nft add rule inet fw4 mangle_postrouting \ | ||
| + | oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM} | ||
| + | EOF | ||
| + | uci -q delete firewall.hlim | ||
| + | uci set firewall.hlim=" | ||
| + | uci set firewall.hlim.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== FTP passthrough ==== | ||
| + | Enable NAT passthrough for FTP using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-nf-nathelper | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== SIP passthrough ==== | ||
| + | Enable NAT passthrough for SIP, PPTP, GRE, etc. using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-nf-nathelper-extra | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== RTSP passthrough ==== | ||
| + | Enable NAT passthrough for RTSP using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-ipt-nathelper-rtsp | ||
| + | service | ||
| </ | </ | ||