Differences
| docs:guide-user:network:ipv6:ipv6.nat6 [2022/10/26 04:53] – [Port forwarding] ** OpenWrt 22.03 **: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#destination_nat vgaetera | docs:guide-user:network:ipv6:ipv6.nat6 [2023/09/17 23:39] – [Introduction] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | This page describes | + | * This how-to describes the method for setting |
| - | Most users will not need or want to do this in IPv6, but there are some more specific | + | * Assuming a [[docs: |
| - | These might include: | + | * Avoid using NAT66 and better [[docs: |
| + | * It is also best to avoid using NAT66 unless you are facing the following problems: | ||
| + | * IPv6 multihoming without BGP. | ||
| + | * Performing stateless 1:1 NAT for migration purposes. | ||
| + | * Your ISP uses a dynamic prefix and you need stable addressing. | ||
| + | * Creating a subnet for when the network doesn' | ||
| + | * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address. | ||
| + | * See also: [[docs: | ||
| - | * IPv6 multihoming without BGP | + | ===== Command-line instructions |
| - | * Performing stateless 1:1 NAT for migration purposes | + | ==== 1. Firewall |
| - | * Your ISP uses a dynamic prefix and you need stable addressing | + | Enable IPv6 masquerading on the upstream zone. |
| - | * Creating a subnet for when the network doesn' | + | |
| - | * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address | + | |
| - | + | ||
| - | Note: If you are provided a /64 prefix, you may not need to use NAT6 and instead [[docs: | + | |
| - | + | ||
| - | This guide relies on OpenWrt default settings and assumes you already have a working IPv6 connection on your OpenWrt router. | + | |
| - | + | ||
| - | ===== Instructions | + | |
| - | ==== 1. Preparation ==== | + | |
| - | Install the necessary packages. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install kmod-ipt-nat6 | + | |
| - | </ | + | |
| - | + | ||
| - | ==== 2. Network and DHCPv6 | + | |
| - | Enable | + | |
| - | + | ||
| - | ==== 3. Firewall ==== | + | |
| - | Enable the new '' | + | |
| <code bash> | <code bash> | ||
| # Configure firewall | # Configure firewall | ||
| - | uci set $(uci show firewall | + | uci set firewall.@zone[1].masq6=" |
| - | uci commit firewall | + | |
| - | </ | + | |
| - | + | ||
| - | Since masquerading is enabled, disable the redundant firewall rule " | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Configure firewall | + | |
| - | uci set $(uci show firewall | sed -n -e "/ | + | |
| - | uci commit firewall | + | |
| - | </ | + | |
| - | + | ||
| - | Save the NAT6 firewall script. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Configure firewall | + | |
| - | cat << " | + | |
| - | # NAT6 + masquerading firewall script | + | |
| - | # https:// | + | |
| - | # trevorj <github@trevor.joynson.io> | + | |
| - | # | + | |
| - | # You can configure in / | + | |
| - | # * IPv4 masquerading | + | |
| - | # | + | |
| - | # * IPv6 masquerading | + | |
| - | # | + | |
| - | # * IPv6 privacy extensions | + | |
| - | # | + | |
| - | + | ||
| - | set -e -o pipefail | + | |
| - | + | ||
| - | . / | + | |
| - | . / | + | |
| - | . / | + | |
| - | + | ||
| - | log() { | + | |
| - | logger -t nat6 -s " | + | |
| - | } | + | |
| - | + | ||
| - | get_ula_prefix() { | + | |
| - | uci get network.globals.ula_prefix | + | |
| - | } | + | |
| - | + | ||
| - | validate_ula_prefix() { | + | |
| - | local ula_prefix=" | + | |
| - | if [ $(echo " | + | |
| - | log "Fatal error: IPv6 ULA ula_prefix=\" | + | |
| - | return 1 | + | |
| - | fi | + | |
| - | } | + | |
| - | + | ||
| - | ip6t() { | + | |
| - | ip6tables " | + | |
| - | } | + | |
| - | + | ||
| - | ip6t_add() { | + | |
| - | if ! ip6t -C " | + | |
| - | ip6t -I " | + | |
| - | fi | + | |
| - | } | + | |
| - | + | ||
| - | nat6_init() { | + | |
| - | iptables-save -t nat \ | + | |
| - | | sed -e " | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | /, | + | |
| - | | ip6tables-restore -T nat | + | |
| - | } | + | |
| - | + | ||
| - | masq6_network() { | + | |
| - | # ${config} contains the ID of the current section | + | |
| - | local network_name=" | + | |
| - | + | ||
| - | local device | + | |
| - | network_get_device device " | + | |
| - | + | ||
| - | local done_net_dev | + | |
| - | for done_net_dev in ${DONE_NETWORK_DEVICES}; | + | |
| - | if [ " | + | |
| - | log " | + | |
| - | return 0 | + | |
| - | fi | + | |
| - | done | + | |
| - | + | ||
| - | log "Found device=\" | + | |
| - | + | ||
| - | if [ " | + | |
| - | log " | + | |
| - | + | ||
| - | log " | + | |
| - | echo 2 > "/ | + | |
| - | || log " | + | |
| - | + | ||
| - | log "Using temporary addresses for outgoing connections on interface ${device}" | + | |
| - | echo 2 > "/ | + | |
| - | || log " | + | |
| - | fi | + | |
| - | + | ||
| - | append DONE_NETWORK_DEVICES " | + | |
| - | } | + | |
| - | + | ||
| - | handle_zone() { | + | |
| - | # ${config} contains the ID of the current section | + | |
| - | local config=" | + | |
| - | + | ||
| - | local zone_name | + | |
| - | config_get zone_name " | + | |
| - | + | ||
| - | # Enable masquerading via NAT6 | + | |
| - | local zone_masq6 | + | |
| - | config_get_bool zone_masq6 " | + | |
| - | + | ||
| - | log " | + | |
| - | + | ||
| - | if [ " | + | |
| - | return 0 | + | |
| - | fi | + | |
| - | + | ||
| - | # IPv6 privacy extensions: Use temporary addrs for outgoing connections? | + | |
| - | local zone_masq6_privacy | + | |
| - | config_get_bool zone_masq6_privacy " | + | |
| - | + | ||
| - | log "Found firewall zone_name=\" | + | |
| - | + | ||
| - | log " | + | |
| - | + | ||
| - | local ula_prefix=" | + | |
| - | validate_ula_prefix " | + | |
| - | + | ||
| - | local postrouting_chain=" | + | |
| - | log " | + | |
| - | ip6t_add " | + | |
| - | -m comment --comment " | + | |
| - | + | ||
| - | local input_chain=" | + | |
| - | log " | + | |
| - | ip6t_add " | + | |
| - | -m comment --comment "!fw3: Accept port forwards" | + | |
| - | + | ||
| - | local forward_chain=" | + | |
| - | log " | + | |
| - | ip6t_add " | + | |
| - | -m comment --comment "!fw3: Accept port forwards" | + | |
| - | + | ||
| - | local DONE_NETWORK_DEVICES="" | + | |
| - | config_list_foreach " | + | |
| - | + | ||
| - | log "Done setting up nat6 for zone=\" | + | |
| - | } | + | |
| - | + | ||
| - | main() { | + | |
| - | nat6_init | + | |
| - | config_load firewall | + | |
| - | config_foreach handle_zone zone | + | |
| - | } | + | |
| - | + | ||
| - | main " | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | </ | + | |
| - | + | ||
| - | Include the NAT6 firewall script in the configuration. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Configure firewall | + | |
| - | uci -q delete firewall.nat6 | + | |
| - | uci set firewall.nat6=" | + | |
| - | uci set firewall.nat6.path="/ | + | |
| - | uci set firewall.nat6.reload=" | + | |
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| </ | </ | ||
| - | ===== Configuration ===== | + | ==== 2. Network |
| - | The solution provided here can be considered more robust and portable. | + | Disable IPv6 source filter on the upstream interface. |
| - | Especially | + | |
| - | + | ||
| - | Configuration is done per firewall zone, just like standard masquerading. | + | |
| - | + | ||
| - | This provides two configurables in UCI's firewall zone section: | + | |
| <code bash> | <code bash> | ||
| - | # Configure | + | # Configure |
| - | uci set firewall.@zone[1].masq6="1" | + | uci set network.wan6.sourcefilter="0" |
| - | uci set firewall.@zone[1].masq6_privacy=" | + | uci commit |
| - | uci commit | + | / |
| - | / | + | |
| </ | </ | ||
| - | If '' | + | Prefer [[docs: |
| - | This supposedly makes it harder to track users and surf behavior. | + | |
| - | + | ||
| - | If you prefer to use static addresses (at least as long your ISP assigned prefix doesn' | + | |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| - | The script logs informational | + | Collect |
| - | The messages are tagged with '' | + | |
| - | You can view the log messages with the command: | + | |
| <code bash> | <code bash> | ||
| - | logread -e nat6 | + | # Log and status |
| - | </ | + | |
| - | + | ||
| - | If all was configured successfully, | + | |
| - | + | ||
| - | < | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | 2017-02-04T18: | + | |
| - | </ | + | |
| - | + | ||
| - | Failures that occur during initialization (upon each firewall reload), will be logged and marked as such. Pay attention to any noted as error or fatal error. | + | |
| - | + | ||
| - | You're also welcome to run the script from a shell to see it progress; it is just a shell script after all. | + | |
| - | + | ||
| - | ===== Extras ===== | + | |
| - | ==== References ==== | + | |
| - | * [[http:// | + | |
| - | * [[http:// | + | |
| - | + | ||
| - | ==== DHCPv6 ==== | + | |
| - | Make sure DHCPv6 uses the following settings (on an unmodified OpenWrt installation these should by the default): | + | |
| - | * " | + | |
| - | * " | + | |
| - | * " | + | |
| - | + | ||
| - | You can check this by running the following command: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # uci show dhcp.lan | + | |
| - | ... | + | |
| - | dhcp.lan.dhcpv6=' | + | |
| - | dhcp.lan.ra=' | + | |
| - | dhcp.lan.ra_management=' | + | |
| - | </ | + | |
| - | + | ||
| - | If the output is different, you are not using the defaults | + | |
| - | If there is an additional line starting with '' | + | |
| - | Setups with " | + | |
| - | However, if " | + | |
| - | Therefore, enabling the " | + | |
| - | + | ||
| - | ==== ULA prefix ==== | + | |
| - | The default ULA (Unique local address) prefix represents an address that is not globally routed on the internet by design. | + | |
| - | A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address to ensure traffic goes over IPv6 by default when possible. | + | |
| - | + | ||
| - | When changing the ULA prefix, it doesn' | + | |
| - | The letters are unassigned and therefore safe choices. | + | |
| - | + | ||
| - | Setting '' | + | |
| - | + | ||
| - | Using your ISP assigned prefix as ULA should also work. | + | |
| - | However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, | + | |
| - | If you have a static prefix that you can delegate across your LAN, then you won't need to change your ULA prefix. | + | |
| - | + | ||
| - | ==== RAW6 ==== | + | |
| - | Provide IPv6 raw table support to improve connection tracking when traversing NAT6. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install kmod-ipt-raw6 | + | |
| / | / | ||
| - | </ | ||
| - | ==== NAT64 ==== | + | # Runtime |
| - | NAT64 can be easily activated using [[https:// | + | ip -6 address show; ip -6 route show table all |
| + | ip -6 rule show; nft list ruleset | ||
| - | Don't forget to implement DNS64 such that your devices are able to discover the translated addresses. Two ideas for that: | + | # Persistent configuration |
| - | * Change your DNS to [[https:// | + | uci show network; uci show firewall |
| - | * Set up your own [[https:// | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install kmod-jool jool-tools | + | |
| - | + | ||
| - | # Activate loading kernel module on boot | + | |
| - | cat << " | + | |
| - | jool | + | |
| - | EOF | + | |
| - | # Prevent the file from being deleted during sysupgrade | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| </ | </ | ||
| - | < | ||
| - | # Add the following line to / | ||
| - | jool instance add --iptables | ||
| - | </ | ||
| - | < | ||
| - | # Add the following two lines to / | ||
| - | ip6tables -t mangle -A PREROUTING -j JOOL | ||
| - | iptables | ||
| - | </ | ||
| - | < | ||
| - | # Confirm working NAT64 from a device inside your LAN | ||
| - | ping 64: | ||
| - | </ | ||
| - | |||
| - | |||
| - | |||
| - | ==== NAT6 simplified ==== | ||
| - | fw4 supports NAT6 and [[docs: | ||
| - | |||
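Review bot: the new `uci set firewall.@zone[1].masq6="1"` in step "1. Firewall" hard-codes the zone by array index while the sentence above it says "the upstream zone"; the revision being replaced resolved the zone with `uci set $(uci show firewall …`, so the new line silently targets the wrong zone on any configuration where wan is not the second zone section. Either keep a name-based lookup or tell the reader to confirm with `uci show firewall.@zone[1].name` before committing. Two documentation gaps in the same hunk: `uci set network.wan6.sourcefilter="0"` in step "2. Network" is introduced only as "Disable IPv6 source filter on the upstream interface", with no statement of what the filter blocks, why masquerading needs it switched off, or that `wan6` is the default interface name and must be changed if the upstream interface is named differently; and the rewrite drops both the removed "ULA prefix" guidance (clients prefer IPv4 over a ULA-only IPv6 address, so the prefix may need changing for traffic to use IPv6) and the removed "NAT6 simplified" line stating that fw4 supports NAT6, yet the new troubleshooting block inspects `nft list ruleset`. The page should say that the rewritten steps assume fw4 (OpenWrt 22.03 or later, as the earlier edit summary already notes) instead of the `kmod-ipt-nat6` script that this revision removes, and keep a one-line pointer for the ULA address-selection caveat.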