Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/09/01 23:22] – reorganize content vgaetera
docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera
Line 215: Line 215:
 </code> </code>
  
-==== FTP passthrough ==== +===== Extras ===== 
-See also: +==== NAT ==== 
-[[packages:pkgdata:kmod-nf-nathelper]]+Enable masquerading aka NAT on the WAN zone.
  
 <code bash> <code bash>
-opkg update +uci set firewall.@zone[1].masq="1" 
-opkg install kmod-nf-nathelper +uci commit firewall 
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== SIP passthrough ==== +==== IPv6 NAT ==== 
-See also: +Enable IPv6 masquerading aka NAT66 on the WAN zone.
-[[packages:pkgdata:kmod-nf-nathelper-extra]]+
  
 <code bash> <code bash>
-opkg update +uci set firewall.@zone[1].masq6="1" 
-opkg install kmod-nf-nathelper-extra +uci commit firewall 
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== Masquerading ==== +Announce IPv6 default route for the ULA prefix.
-Enable masquerading on the WAN zone.+
  
 <code bash> <code bash>
-uci set firewall.@zone[1].masq="1" +uci set dhcp.lan.ra_default="1" 
-uci commit firewall +uci commit dhcp 
-/etc/init.d/firewall restart+service odhcpd restart
 </code> </code>
  
-==== IPv6 masquerading ==== +Disable IPv6 source filter on the upstream interface.
-Enable IPv6 masquerading on the WAN zone.+
  
 <code bash> <code bash>
-uci set firewall.@zone[1].masq6="1+uci set network.wan6.sourcefilter="0
-uci commit firewall +uci commit network 
-/etc/init.d/firewall restart+service network restart
 </code> </code>
  
-==== Selective masquerading ==== +==== Selective NAT ==== 
-Enable selective masquerading for a specific source subnet.+Enable masquerading selectively for a specific source subnet.
  
 <code bash> <code bash>
-uci -q delete firewall.@zone[1].masq 
 uci -q delete firewall.nat uci -q delete firewall.nat
 uci set firewall.nat="nat" uci set firewall.nat="nat"
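Review bot: the Selective NAT block drops `uci -q delete firewall.@zone[1].masq`, yet the new NAT section just above tells the reader to set `firewall.@zone[1].masq="1"` on the same zone; with zone-wide masquerading left enabled the selective `firewall.nat` rule changes nothing, so either keep the delete or state that this section is an alternative to zone masquerading rather than an addition to it. The two new IPv6 NAT steps (`dhcp.lan.ra_default="1"` and `network.wan6.sourcefilter="0"`) are given without a reason; one sentence each on why NAT66 needs them (clients need a default route advertised for the ULA prefix, and source filtering otherwise keeps ULA-sourced traffic off the upstream interface), plus a remark that relaxing the source filter is deliberate and relies on `masq6` rewriting every source that leaves, would make the trade-off visible to the reader.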
Line 266: Line 262:
 uci set firewall.nat.target="MASQUERADE" uci set firewall.nat.target="MASQUERADE"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== Selective IPv6 masquerading ==== +==== IPv6 selective NAT ==== 
-Enable selective IPv6 masquerading for a specific source subnet.+Enable IPv6 masquerading selectively for a specific source subnet.
  
 <code bash> <code bash>
-uci -q delete firewall.@zone[1].masq6 
 uci -q delete firewall.nat6 uci -q delete firewall.nat6
 uci set firewall.nat6="nat" uci set firewall.nat6="nat"
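Review bot: the same redundancy applies to the IPv6 selective NAT block: with `uci -q delete firewall.@zone[1].masq6` removed, a reader who followed the IPv6 NAT section still has `masq6="1"` on the WAN zone, so the `firewall.nat6` rule never decides which sources get translated.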
Line 282: Line 277:
 uci set firewall.nat6.target="MASQUERADE" uci set firewall.nat6.target="MASQUERADE"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
- 
  
 ==== NPT ==== ==== NPT ====
-Replace masquerading with IPv4 to IPv4 network prefix translation.+Enable IPv4 to IPv4 network prefix translation.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/nftables.d/npt.sh cat << "EOF" > /etc/nftables.d/npt.sh
-NET_DEV="$(uci -q get network.wan.device)" +LAN_PFX="192.168.1.0/24" 
-NET_SPFX="192.168.1.0/24" +WAN_PFX="192.168.2.0/24
-NET_DPFX="192.168.2.0/24"+. /lib/functions/network.sh 
 +network_flush_cache 
 +network_find_wan WAN_IF 
 +network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 srcnat \ nft add rule inet fw4 srcnat \
-oifname ${NET_DEV} snat ip prefix to ip \ +oifname ${WAN_DEV} snat ip prefix to ip \ 
-saddr map { ${NET_SPFX} : ${NET_DPFX} }+saddr map { ${LAN_PFX} : ${WAN_PFX} }
 EOF EOF
-uci -q delete firewall.@zone[1].masq 
 uci -q delete firewall.npt uci -q delete firewall.npt
 uci set firewall.npt="include" uci set firewall.npt="include"
 uci set firewall.npt.path="/etc/nftables.d/npt.sh" uci set firewall.npt.path="/etc/nftables.d/npt.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== IPv6 NPT ==== ==== IPv6 NPT ====
-Replace IPv6 masquerading with IPv6 to IPv6 network prefix translation.+Enable IPv6 to IPv6 network prefix translation.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/nftables.d/npt6.sh cat << "EOF" > /etc/nftables.d/npt6.sh
-NET_DEV="$(uci -q get network.wan.device)" +LAN_PFX="$(uci -q get network.globals.ula_prefix)" 
-NET_SPFX="$(uci -q get network.globals.ula_prefix)+. /lib/functions/network.sh 
-NET_DPFX="fd00:2::/64"+network_flush_cache 
 +network_find_wan6 WAN_IF 
 +network_get_device WAN_DEV "${WAN_IF}
 +network_get_prefix6 WAN_PFX "${WAN_IF}"
 nft add rule inet fw4 srcnat \ nft add rule inet fw4 srcnat \
-oifname ${NET_DEV} snat ip6 prefix to ip6 \ +oifname ${WAN_DEV} snat ip6 prefix to ip6 \ 
-saddr map { ${NET_SPFX} : ${NET_DPFX} }+saddr map { ${LAN_PFX} : ${WAN_PFX} }
 EOF EOF
-uci -q delete firewall.@zone[1].masq6 
 uci -q delete firewall.npt6 uci -q delete firewall.npt6
 uci set firewall.npt6="include" uci set firewall.npt6="include"
 uci set firewall.npt6.path="/etc/nftables.d/npt6.sh" uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== NAT64 ==== +==== Symmetric dynamic IPv6 NPT ==== 
-Set up NAT64 for IPv6-only networks/clients.+Enable symmetric dynamic IPv6 to IPv6 network prefix translation. 
 + 
 +<code bash> 
 +cat << "EOF" > /etc/nftables.d/npt6.sh 
 +LAN_IF="lan" 
 +sleep 5 
 +. /lib/functions/network.sh 
 +network_flush_cache 
 +network_get_device LAN_DEV "${LAN_IF}" 
 +network_get_prefix_assignment6 LAN_PFX "${LAN_IF}" 
 +network_find_wan6 WAN_IF 
 +network_get_device WAN_DEV "${WAN_IF}" 
 +network_get_prefix6 WAN_PFX "${WAN_IF}" 
 +nft add rule inet fw4 srcnat \ 
 +oifname ${WAN_DEV} snat ip6 prefix to ip6 \ 
 +saddr map { ${LAN_PFX} : ${WAN_PFX} } 
 +nft add rule inet fw4 srcnat \ 
 +oifname ${LAN_DEV} snat ip6 prefix to ip6 \ 
 +saddr map { ${WAN_PFX} : ${LAN_PFX} } 
 +EOF 
 +uci -q delete firewall.npt6 
 +uci set firewall.npt6="include" 
 +uci set firewall.npt6.path="/etc/nftables.d/npt6.sh" 
 +uci commit firewall 
 +service firewall restart 
 +</code> 
 + 
 +==== IPv6 to IPv4 NAT with Jool ==== 
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool.
 Use DNS64 to resolve domain names. Use DNS64 to resolve domain names.
  
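Review bot: the NPT includes run `nft add rule` with `${WAN_DEV}`, `${WAN_PFX}` and `${LAN_PFX}` unquoted and unchecked; if `network_find_wan` / `network_find_wan6` finds no upstream, or `network_get_prefix6` returns nothing because no prefix has been delegated yet, the rule degenerates to `oifname  snat ... map {  :  }` and nft rejects it with a syntax error instead of a readable message. A guard such as `[ -n "${WAN_DEV}" ] && [ -n "${WAN_PFX}" ] || exit 0` before the `nft` call would make the include fail cleanly. In the symmetric dynamic variant, `sleep 5` is an unexplained fixed delay; if it is there to wait for the prefix assignment on `lan`, say so, and prefer looping until `network_get_prefix_assignment6` returns a value, since a slow upstream otherwise silently produces no rules.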
Line 344: Line 370:
 uci set jool.nat64.enabled="1" uci set jool.nat64.enabled="1"
 uci commit jool uci commit jool
-/etc/init.d/jool restart+service jool restart 
 +</code> 
 + 
 +==== IPv6 to IPv4 NAT with Tayga ==== 
 +Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga. 
 +Use DNS64 to resolve domain names. 
 + 
 +<code bash> 
 +opkg update 
 +opkg install tayga 
 +uci del_list firewall.lan.network="nat64" 
 +uci add_list firewall.lan.network="nat64" 
 +uci commit firewall 
 +service firewall restart 
 +uci -q delete network.nat64 
 +uci set network.nat64="interface" 
 +uci set network.nat64.proto="tayga" 
 +uci set network.nat64.prefix="64:ff9b::/96" 
 +uci set network.nat64.ipv6_addr="fd00:ffff::1" 
 +uci set network.nat64.dynamic_pool="192.168.255.0/24" 
 +uci set network.nat64.ipv4_addr="192.168.255.1" 
 +uci commit network 
 +service network restart
 </code> </code>
  
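Review bot: the Tayga block addresses the LAN zone as `firewall.lan`, while every other step on the page addresses zones by index (`firewall.@zone[1]`); `uci add_list firewall.lan.network="nat64"` only works when the zone section is literally named `lan`, which the default anonymous `config zone` sections are not, so use the index form or state the naming assumption. It would also help to say that adding `nat64` to the LAN zone gives the translated traffic that zone's forwarding to WAN (which is what makes the NAT64 egress path work) and that `dynamic_pool` `192.168.255.0/24` must not overlap any existing LAN or WAN subnet.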
Line 352: Line 400:
 <code bash> <code bash>
 cat << "EOF" > /etc/nftables.d/ttl.sh cat << "EOF" > /etc/nftables.d/ttl.sh
-NET_DEV="$(uci -q get network.wan.device)" +WAN_TTL="65" 
-NET_TTL="65"+. /lib/functions/network.sh 
 +network_flush_cache 
 +network_find_wan WAN_IF 
 +network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 mangle_postrouting \ nft add rule inet fw4 mangle_postrouting \
-oifname ${NET_DEV} ip ttl set ${NET_TTL}+oifname ${WAN_DEV} ip ttl set ${WAN_TTL}
 EOF EOF
 uci -q delete firewall.ttl uci -q delete firewall.ttl
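Review bot: `ttl.sh` has the same unchecked-variable issue as the NPT includes: if `network_find_wan` sets no `WAN_IF`, `oifname ${WAN_DEV}` expands to nothing and the `nft` command is rejected; a `[ -n "${WAN_DEV}" ] || exit 0` line before it keeps the firewall reload clean, and the same applies to `hlim.sh` below.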
Line 361: Line 412:
 uci set firewall.ttl.path="/etc/nftables.d/ttl.sh" uci set firewall.ttl.path="/etc/nftables.d/ttl.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-==== Hop limit ==== +==== IPv6 hop limit ==== 
-Modify hop limit for egress IPv6 traffic.+Modify IPv6 hop limit for egress traffic.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/nftables.d/hlim.sh cat << "EOF" > /etc/nftables.d/hlim.sh
-NET_DEV="$(uci -q get network.wan6.device)" +WAN_HLIM="65" 
-NET_HLIM="65"+. /lib/functions/network.sh 
 +network_flush_cache 
 +network_find_wan6 WAN_IF 
 +network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 mangle_postrouting \ nft add rule inet fw4 mangle_postrouting \
-oifname ${NET_DEV} ip6 hoplimit set ${NET_HLIM}+oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM}
 EOF EOF
 uci -q delete firewall.hlim uci -q delete firewall.hlim
Line 378: Line 432:
 uci set firewall.hlim.path="/etc/nftables.d/hlim.sh" uci set firewall.hlim.path="/etc/nftables.d/hlim.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart 
 +</code> 
 + 
 +==== FTP passthrough ==== 
 +Enable NAT passthrough for FTP using [[packages:pkgdata:kmod-nf-nathelper]]. 
 + 
 +<code bash> 
 +opkg update 
 +opkg install kmod-nf-nathelper 
 +service firewall restart 
 +</code> 
 + 
 +==== SIP passthrough ==== 
 +Enable NAT passthrough for SIP, PPTP, GRE, etcusing [[packages:pkgdata:kmod-nf-nathelper-extra]]. 
 + 
 +<code bash> 
 +opkg update 
 +opkg install kmod-nf-nathelper-extra 
 +service firewall restart 
 +</code> 
 + 
 +==== RTSP passthrough ==== 
 +Enable NAT passthrough for RTSP using [[packages:pkgdata:kmod-ipt-nathelper-rtsp]]. 
 + 
 +<code bash> 
 +opkg update 
 +opkg install kmod-ipt-nathelper-rtsp 
 +service firewall restart
 </code> </code>
  
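Review bot: in the SIP passthrough line `etcusing` needs a space and a stop (`etc. using`), and since the sentence lists PPTP and GRE as well, the heading "SIP passthrough" understates what `kmod-nf-nathelper-extra` covers. For the new RTSP section, `kmod-ipt-nathelper-rtsp` carries the iptables-era `ipt` prefix while the rest of this page configures fw4 (`nft add rule inet fw4 ...`); confirm that it works with the nftables firewall and say so. All three passthrough blocks restart the firewall right after `opkg install` without telling the reader how to check the result; a sentence on verifying that the helper is attached (for example by looking for it in `nft list ruleset`) would close the loop.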
  • Last modified: 2023/12/10 11:42
  • by vgaetera