NAT66 and IPv6 masquerading
Introduction
- This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router.
- It assumes a ULA prefix, SLAAC and DHCPv6, and a working IPv6 connection on the router.
- If you are provided with a /64 prefix, avoid NAT66 and use relay mode instead.
- It is also best to avoid using NAT66 unless you are facing the following problems:
  - IPv6 multihoming without BGP.
  - Performing stateless 1:1 NAT for migration purposes.
  - Your ISP uses a dynamic prefix and you need stable addressing.
  - Creating a subnet for when the network doesn't support subnetting.
  - Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.
- See also: NAT64 for IPv6-only networks, IPv6 NAT and NPT
Command-line instructions
1. Firewall
Enable IPv6 masquerading on the upstream zone.
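# Configure firewall
# @zone[1] is the upstream (wan) zone in the default firewall configuration;
# adjust the index if your zones are ordered differently.
uci set firewall.@zone[1].masq6="1"
uci commit firewall
service firewall restart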
2. Network
Disable IPv6 source filter on the upstream interface.
# Configure network
uci set network.wan6.sourcefilter="0"
uci commit network
service network restart
Prefer IPv6 by default or announce IPv6 default route if necessary.
Troubleshooting
Collect and analyze the following information.
# Log and status
service firewall restart

# Runtime configuration
ip -6 address show; ip -6 route show table all
ip -6 rule show; nft list ruleset

# Persistent configuration
uci show network; uci show firewall
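One way to analyze the persistent configuration collected above against steps 1 and 2, as an added example that is not part of the original how-to: it checks that `masq6` is set on the upstream zone only and that the source filter is off on the upstream interface. The function names, the sample data, and the assumption of a single upstream zone named `wan` with interface `wan6` are this example's own.

```shell
# Added example (not from the OpenWrt how-to): audit NAT66 settings in the
# text produced by `uci show firewall; uci show network`.
# Assumption: one upstream zone named "wan" whose IPv6 interface is "wan6".
UPSTREAM_ZONE="${UPSTREAM_ZONE:-wan}"
UPSTREAM_IF="${UPSTREAM_IF:-wan6}"

# Reads uci output on stdin, prints one finding per line, returns 0 if clean.
nat66_audit() {
    awk -v zone="$UPSTREAM_ZONE" -v ifc="$UPSTREAM_IF" -v q="'" '
    function zidx(k) { return substr(k, index(k, "[") + 1, index(k, "]") - index(k, "[") - 1) }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                      # uci show quotes values
    }
    key ~ /^firewall\.@zone\[[0-9]+\]\.name$/  { name[zidx(key)] = val }
    key ~ /^firewall\.@zone\[[0-9]+\]\.masq6$/ { masq6[zidx(key)] = val }
    key == ("network." ifc ".sourcefilter")    { sf = val }
    END {
        for (i in name) {
            on = (masq6[i] == "1")
            if (name[i] == zone) {
                found = 1
                if (!on) { print "FAIL zone[" i "] " zone ": masq6 not enabled"; bad = 1 }
            } else if (on) {
                print "FAIL zone[" i "] " name[i] ": masq6 on a non-upstream zone"; bad = 1
            }
        }
        if (!found) { print "FAIL no firewall zone named " zone; bad = 1 }
        if (sf != "0") { print "FAIL network." ifc ".sourcefilter is not 0"; bad = 1 }
        if (!bad) print "OK masq6 and sourcefilter match the how-to"
        exit bad
    }'
}

# Constructed sample: the wan zone sits at index 2, so the how-to's
# firewall.@zone[1] would have enabled masq6 on the guest zone instead.
sample_misindexed() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[1].name='guest'
firewall.@zone[1].masq6='1'
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wan' 'wan6'
network.wan6.proto='dhcpv6'
EOF
}
```

On a router, feed it live data with `{ uci show firewall; uci show network; } | nat66_audit`; `sample_misindexed | nat66_audit` shows the findings for the constructed sample.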