NAT66 and IPv6 masquerading

• This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router.
• Assuming a ULA prefix, SLAAC and DHCPv6 and a working IPv6 connection on the router.
• Avoid using NAT66 and better use relay mode if you are provided with a /64 prefix.
• It is also best to avoid using NAT66 unless you are facing the following problems:
  • IPv6 multihoming without BGP.
  • Performing stateless 1:1 NAT for migration purposes.
  • Your ISP uses a dynamic prefix and you need stable addressing.
  • Creating a subnet for when the network doesn't support subnetting.
  • Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.
• See also: NAT64 for a IPv6-only networks, IPv6 NAT and NPT

Enable IPv6 masquerading on the upstream zone.

# Configure firewall
uci set firewall.@zone[1].masq6="1"
uci commit firewall
/etc/init.d/firewall restart

Disable IPv6 source filter on the upstream interface.

# Configure network
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart

Prefer IPv6 by default or announce IPv6 default route if necessary.

Collect and analyze the following information.

# Log and status
/etc/init.d/firewall restart
 
# Runtime configuration
ip -6 address show; ip -6 route show table all
ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall