Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:ipv6:ipv6.nat6 [2022/10/26 14:15] – [Introduction] update vgaetera | docs:guide-user:network:ipv6:ipv6.nat6 [2023/09/17 23:39] – [Introduction] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This page describes | + | * This how-to describes the method for setting |
| - | * It relies on OpenWrt default settings | + | * Assuming a [[docs: |
| - | * Avoid using NAT6 and better [[docs: | + | * Avoid using NAT66 and better [[docs: |
| - | * Also avoid using NAT6 unless you are facing the following problems: | + | * It is also best to avoid using NAT66 unless you are facing the following problems: |
| * IPv6 multihoming without BGP. | * IPv6 multihoming without BGP. | ||
| * Performing stateless 1:1 NAT for migration purposes. | * Performing stateless 1:1 NAT for migration purposes. | ||
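Review bot: The unchanged bullet "Performing stateless 1:1 NAT for migration purposes" no longer matches what this revision sets up: the firewall step added further down reads "Enable IPv6 masquerading", and masquerading is stateful, many-to-one translation, not a stateless 1:1 mapping. Either drop that bullet from the list of reasons or say that this case needs a different mechanism than the one shown here. The two bullets above it ("Avoid using NAT66 and better …" and "It is also best to avoid using NAT66 unless …") now open with the same advice and could be merged into one.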
| Line 12: | Line 12: | ||
| * Creating a subnet for when the network doesn' | * Creating a subnet for when the network doesn' | ||
| * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address. | * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address. | ||
| + | * See also: [[docs: | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| - | Enable the [[docs: | + | ==== 1. Firewall ==== |
| + | Enable IPv6 masquerading | ||
| <code bash> | <code bash> | ||
| Line 23: | Line 25: | ||
| </ | </ | ||
| - | Enable [[docs: | + | ==== 2. Network ==== |
| - | + | Disable IPv6 source filter | |
| - | ===== Extras ===== | + | |
| - | ==== References ==== | + | |
| - | * [[http:// | + | |
| - | * [[http:// | + | |
| - | + | ||
| - | ==== DHCPv6 | + | |
| - | Make sure DHCPv6 uses the following settings (on an unmodified OpenWrt installation these should by the default): | + | |
| - | * " | + | |
| - | * " | + | |
| - | * " | + | |
| - | + | ||
| - | You can check this by running the following command: | + | |
| <code bash> | <code bash> | ||
| - | # uci show dhcp.lan | + | # Configure network |
| - | ... | + | uci set network.wan6.sourcefilter=" |
| - | dhcp.lan.dhcpv6=' | + | uci commit network |
| - | dhcp.lan.ra=' | + | /etc/init.d/network restart |
| - | dhcp.lan.ra_management=' | + | |
| </ | </ | ||
| - | If the output is different, you are not using the defaults and you should set these options to the ones shown above. | + | Prefer [[docs: |
| - | If there is an additional line starting with '' | + | |
| - | Setups with " | + | |
| - | However, if " | + | |
| - | Therefore, enabling the " | + | |
| - | ==== ULA prefix | + | ===== Troubleshooting ===== |
| - | The default ULA (Unique local address) prefix represents an address that is not globally routed on the internet by design. | + | Collect |
| - | A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address to ensure traffic goes over IPv6 by default when possible. | + | |
| - | + | ||
| - | When changing the ULA prefix, it doesn' | + | |
| - | The letters are unassigned | + | |
| - | + | ||
| - | Setting '' | + | |
| - | + | ||
| - | Using your ISP assigned prefix as ULA should also work. | + | |
| - | However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, | + | |
| - | If you have a static prefix that you can delegate across your LAN, then you won't need to change your ULA prefix. | + | |
| - | + | ||
| - | ==== NAT64 ==== | + | |
| - | NAT64 can be easily activated using [[https:// | + | |
| - | The following | + | |
| - | + | ||
| - | Don't forget to implement DNS64 such that your devices are able to discover the translated addresses. | + | |
| - | Two ideas for that: | + | |
| - | * Change your DNS to [[https:// | + | |
| - | * Set up your own [[https:// | + | |
| - | + | ||
| - | See also: | + | |
| - | * [[packages: | + | |
| - | * [[https:// | + | |
| <code bash> | <code bash> | ||
| - | # Install packages | + | # Log and status |
| - | opkg update | + | / |
| - | opkg install kmod-jool-netfilter jool-tools-netfilter | + | |
| - | + | ||
| - | # Configure jool | + | |
| - | uci set jool.general.enabled=" | + | |
| - | uci set jool.nat64.enabled=" | + | |
| - | uci commit jool | + | |
| - | / | + | |
| - | + | ||
| - | # Configure local startup | + | |
| - | cat << " | + | |
| - | jool instance add --iptables --pool6 64: | + | |
| - | EOF | + | |
| - | # Configure firewall rules | + | # Runtime configuration |
| - | cat << " | + | ip -6 address show; ip -6 route show table all |
| - | iptables | + | ip -6 rule show; nft list ruleset |
| - | ip6tables | + | |
| - | EOF | + | |
| - | # Confirm working NAT64 from a device inside your LAN | + | # Persistent configuration |
| - | ping 64: | + | uci show network; uci show firewall |
| </ | </ | ||
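Review bot: The new "2. Network" step says only "Disable IPv6 source filter" before setting network.wan6.sourcefilter, with no sentence on why NAT66 needs it or what changes for traffic leaving wan6 once it is off; add that rationale next to the command so readers know what they are relaxing. The same hunk deletes the "ULA prefix" section, including the note that many clients prefer IPv4 over a ULA IPv6 address when no global address is assigned, so keep a short pointer to wherever that guidance now lives. In "Troubleshooting", uci show network and nft list ruleset print the full interface and firewall configuration, which can include credentials and keys stored in the network config; tell readers to redact the output before posting it.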