docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/09/16 12:29] – [IPv6 NPT] vgaeteradocs:guide-user:firewall:fw3_configurations:fw3_nat [2023/11/01 22:14] – [IPv6 to IPv4 NAT with Tayga] update vgaetera
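--- a/docs:guide-user:firewall:fw3_configurations:fw3_nat
+++ b/docs:guide-user:firewall:fw3_configurations:fw3_nat
@@ -222,5 +222,5 @@
 uci set firewall.@zone[1].masq="1"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -231,5 +231,5 @@
 uci set firewall.@zone[1].masq6="1"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -239,13 +239,13 @@
 uci set dhcp.lan.ra_default="1"
 uci commit dhcp
-/etc/init.d/odhcpd restart
+service odhcpd restart
 </code>
 
-Disable IPv6 source routing on the upstream interface.
+Disable IPv6 source filter on the upstream interface.
 
 <code bash>
 uci set network.wan6.sourcefilter="0"
 uci commit network
-/etc/init.d/network restart
+service network restart
 </code>
 
@@ -262,5 +262,5 @@
 uci set firewall.nat.target="MASQUERADE"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -277,5 +277,5 @@
 uci set firewall.nat6.target="MASQUERADE"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -285,10 +285,13 @@
 <code bash>
 cat << "EOF" > /etc/nftables.d/npt.sh
-NET_DEV="$(uci -q get network.wan.device)"
-NET_SPFX="192.168.1.0/24"
-NET_DPFX="192.168.2.0/24"
+LAN_PFX="192.168.1.0/24"
+WAN_PFX="192.168.2.0/24
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 srcnat \
-oifname ${NET_DEV} snat ip prefix to ip \
-saddr map { ${NET_SPFX} : ${NET_DPFX} }
+oifname ${WAN_DEV} snat ip prefix to ip \
+saddr map { ${LAN_PFX} : ${WAN_PFX} }
 EOF
 uci -q delete firewall.npt
@@ -296,5 +299,5 @@
 uci set firewall.npt.path="/etc/nftables.d/npt.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -304,11 +307,13 @@
 <code bash>
 cat << "EOF" > /etc/nftables.d/npt6.sh
-NET_DEV="$(uci -q get network.wan6.device)"
-NET_SPFX="$(uci -q get network.globals.ula_prefix)"
-NET_DPFX="fd00:2::/64
-NET_ZONE="$(fw4 -q network ${NET_IF})
-nft add rule inet fw4 srcnat_${NET_ZONE}
-oifname ${NET_DEV} snat ip6 prefix to ip6 \
-saddr map { ${NET_SPFX} : ${NET_DPFX} }
+LAN_PFX="$(uci -q get network.globals.ula_prefix)"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan6 WAN_IF
+network_get_device WAN_DEV "${WAN_IF}
+network_get_prefix6 WAN_PFX "${WAN_IF}"
+nft add rule inet fw4 srcnat
+oifname ${WAN_DEV} snat ip6 prefix to ip6 \
+saddr map { ${LAN_PFX} : ${WAN_PFX} }
 EOF
 uci -q delete firewall.npt6
@@ -316,31 +321,22 @@
 uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
-==== Symmetrical dynamic IPv6 NPT ====
-Enable symmetrical dynamic IPv6 to IPv6 network prefix translation.
+==== Symmetric dynamic IPv6 NPT ====
+Enable symmetric dynamic IPv6 to IPv6 network prefix translation.
 
 <code bash>
-cat << "EOF" > /etc/odhcp6c.user.d/00-firewall
-DHCPC_EVENT="${2}"
-case ${DHCPC_EVENT} in
-(bound|informed|updated|rebound|ra-updated) ;;
-(*) exit 0 ;;
-esac
-/etc/init.d/firewall reload
-EOF
 cat << "EOF" > /etc/nftables.d/npt6.sh
 LAN_IF="lan"
-WAN_IF="wan6"
-WAN_ZONE="$(fw4 -q network ${WAN_IF})"
+sleep 5
 . /lib/functions/network.sh
 network_flush_cache
 network_get_device LAN_DEV "${LAN_IF}"
 network_get_prefix_assignment6 LAN_PFX "${LAN_IF}"
-network_flush_cache
+network_find_wan6 WAN_IF
 network_get_device WAN_DEV "${WAN_IF}"
 network_get_prefix6 WAN_PFX "${WAN_IF}"
-nft add rule inet fw4 srcnat_${WAN_ZONE} \
+nft add rule inet fw4 srcnat \
 oifname ${WAN_DEV} snat ip6 prefix to ip6 \
 saddr map { ${LAN_PFX} : ${WAN_PFX} }
@@ -353,9 +349,9 @@
 uci set firewall.npt6.path="/etc/nftables.d/npt6.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
-==== IPv6 to IPv4 NAT ====
-Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks/clients.
+==== IPv6 to IPv4 NAT with Jool ====
+Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool.
 Use DNS64 to resolve domain names.
 
@@ -374,5 +370,27 @@
 uci set jool.nat64.enabled="1"
 uci commit jool
-/etc/init.d/jool restart
+service jool restart
+</code>
+
+==== IPv6 to IPv4 NAT with Tayga ====
+Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga.
+Use DNS64 to resolve domain names.
+
+<code bash>
+opkg update
+opkg install tayga
+uci del_list firewall.lan.network="nat64"
+uci add_list firewall.lan.network="nat64"
+uci commit firewall
+service firewall restart
+uci -q delete network.nat64
+uci set network.nat64="interface"
+uci set network.nat64.proto="tayga"
+uci set network.nat64.prefix="64:ff9b::/96"
+uci set network.nat64.ipv6_addr="fd00:ffff::1"
+uci set network.nat64.dynamic_pool="192.168.255.0/24"
+uci set network.nat64.ipv4_addr="192.168.255.1"
+uci commit network
+service network restart
 </code>
 
@@ -382,8 +400,11 @@
 <code bash>
 cat << "EOF" > /etc/nftables.d/ttl.sh
-NET_DEV="$(uci -q get network.wan.device)"
-NET_TTL="65"
+WAN_TTL="65"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 mangle_postrouting \
-oifname ${NET_DEV} ip ttl set ${NET_TTL}
+oifname ${WAN_DEV} ip ttl set ${WAN_TTL}
 EOF
 uci -q delete firewall.ttl
@@ -391,5 +412,5 @@
 uci set firewall.ttl.path="/etc/nftables.d/ttl.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -399,8 +420,11 @@
 <code bash>
 cat << "EOF" > /etc/nftables.d/hlim.sh
-NET_DEV="$(uci -q get network.wan6.device)"
-NET_HLIM="65"
+WAN_HLIM="65"
+. /lib/functions/network.sh
+network_flush_cache
+network_find_wan6 WAN_IF
+network_get_device WAN_DEV "${WAN_IF}"
 nft add rule inet fw4 mangle_postrouting \
-oifname ${NET_DEV} ip6 hoplimit set ${NET_HLIM}
+oifname ${WAN_DEV} ip6 hoplimit set ${WAN_HLIM}
 EOF
 uci -q delete firewall.hlim
@@ -408,5 +432,5 @@
 uci set firewall.hlim.path="/etc/nftables.d/hlim.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -417,5 +441,5 @@
 opkg update
 opkg install kmod-nf-nathelper
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -426,5 +450,14 @@
 opkg update
 opkg install kmod-nf-nathelper-extra
-/etc/init.d/firewall restart
+service firewall restart
+</code>
+
+==== RTSP passthrough ====
+Enable NAT passthrough for RTSP using [[packages:pkgdata:kmod-ipt-nathelper-rtsp]].
+
+<code bash>
+opkg update
+opkg install kmod-ipt-nathelper-rtsp
+service firewall restart
 </code>
 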
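Review bot: In the symmetric dynamic NPT include (npt6.sh), `sleep 5` takes the place of the removed /etc/odhcp6c.user.d/00-firewall hook, so the srcnat mapping is now computed once per firewall load instead of on every odhcp6c bound/updated/rebound event; if the delegated prefix is not assigned within those 5 s, `LAN_PFX`/`WAN_PFX` expand to nothing and the unquoted `nft add rule ... saddr map { : }` fails, and if the prefix changes later the rule keeps the old mapping until something else reloads the firewall. A fixed delay is a race, not a synchronisation point, and neither failure mode is visible to the operator. I would guard the rule with `[ -n "${LAN_PFX}" ] && [ -n "${WAN_PFX}" ] || { logger -t npt6 "prefix not ready, NPT rule not installed"; exit 1; }` before the nft call, and keep the odhcp6c hook (or another trigger that reloads the firewall on prefix updates) unless something outside this diff already does that. The same unguarded `oifname ${WAN_DEV}` pattern in npt.sh, ttl.sh and hlim.sh fails the same silent way when `network_find_wan`/`network_find_wan6` finds no interface. Some closing quotes and a trailing backslash appear to have been dropped by the rendered diff (e.g. `WAN_PFX="192.168.2.0/24` and `nft add rule inet fw4 srcnat` in npt6.sh), so check the stored page text before copying these scripts.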
  