Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:ipv6:ipv6.nat6 [2022/10/27 23:51] – [NAT64] vgaetera
docs:guide-user:network:ipv6:ipv6.nat6 [2023/09/17 23:39] – [Introduction] vgaetera
Line 1: Line 1:
-====== NAT6 and IPv6 masquerading ====== +====== NAT66 and IPv6 masquerading ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up NAT6 aka NAT66 with IPv6 masquerading on your OpenWrt router. +  * This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router. 
-  * Assuming default OpenWrt settings and a working IPv6 connection on the router. +  * Assuming a [[docs:guide-user:network:ipv6:configuration#ula_prefix|ULA prefix]], [[docs:guide-user:network:ipv6:configuration#slaac_and_dhcpv6|SLAAC and DHCPv6]] and a working IPv6 connection on the router. 
-  * Avoid using NAT6 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix. +  * Avoid using NAT66 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix. 
-  * It is also best to avoid using NAT6 unless you are facing the following problems:+  * It is also best to avoid using NAT66 unless you are facing the following problems:
     * IPv6 multihoming without BGP.     * IPv6 multihoming without BGP.
     * Performing stateless 1:1 NAT for migration purposes.     * Performing stateless 1:1 NAT for migration purposes.
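Review bot: the rewritten assumption bullet in the Introduction replaces "default OpenWrt settings" with links to the ULA prefix and SLAAC and DHCPv6 sections, while the same revision deletes the on-page DHCPv6 and ULA prefix sections, so this page no longer gives the reader a way to check the assumed state. Please confirm that the linked sections carry the removed "uci show dhcp.lan" expected values and the remark that clients may prefer IPv4 over a ULA address, or keep a one-line summary here. Separately, the infobox moves from cli_skills to basic_skills although the procedure is retitled "Command-line instructions" later in this revision; worth confirming that is intended.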
Line 12: Line 12:
     * Creating a subnet for when the network doesn't support subnetting.     * Creating a subnet for when the network doesn't support subnetting.
     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.
 +  * See also: [[docs:guide-user:network:ipv6:nat64|NAT64]], [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_npt|IPv6 NAT and NPT]]
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Enable the [[docs:guide-user:firewall:firewall_configuration?s=masq6#options1|masq6 option]] in the firewall config on your upstream zone.+==== 1. Firewall ==== 
 +Enable IPv6 masquerading on the upstream zone.
  
 <code bash> <code bash>
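Review bot: the new sentence under "1. Firewall" drops both the name of the masq6 option and the link to its documentation, and the body of the code block falls outside this hunk, so the prose alone no longer says which firewall setting is being changed. Suggest wording such as "Enable the masq6 option (IPv6 masquerading) on the upstream zone" and keeping the original link to the firewall configuration page, so a reader auditing their zone config knows which option to look for.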
Line 23: Line 25:
 </code> </code>
  
-Enable [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] and announce the [[docs:guide-user:network:ipv6:ipv6_extras#announcing_default_ipv6_route|default IPv6 route]] if necessary. +==== 2. Network ==== 
- +Disable IPv6 source filter on the upstream interface.
-===== Extras ===== +
-==== References ==== +
-  * [[http://tools.ietf.org/html/rfc6052|RFC6052 - IPv6 Addressing of IPv4/IPv6 Translators]] +
-  * [[http://tools.ietf.org/html/rfc6146|RFC6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers]] +
- +
-==== DHCPv6 ==== +
-Make sure DHCPv6 uses the following settings (on an unmodified OpenWrt installation these should by the default): +
-  * "Router Advertisement-Service" and "DHCPv6-Service" are set to server mode* +
-  * "DHCPv6-Mode" is stateless + stateful +
-  * "NDP-Proxy" is disabled +
- +
-You can check this by running the following command:+
  
 <code bash> <code bash>
-# uci show dhcp.lan +Configure network 
-... +uci set network.wan6.sourcefilter="0" 
-dhcp.lan.dhcpv6='server' +uci commit network 
-dhcp.lan.ra='server' +/etc/init.d/network restart
-dhcp.lan.ra_management='1'+
 </code> </code>
  
-If the output is different, you are not using the defaults and you should set these options to the ones shown above. +Prefer [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] or announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]] if necessary.
-If there is an additional line starting with ''dhcp.lan.ndp'', the NDP-Proxy is enabled and should be disabled. +
-Setups with "DHCPv6-Service" disabled have been reported working as well by some users. +
-However, if "DHCPv6-Service" is disabled, some clients (e.g. Android devices) will prefer IPv4 over IPv6+
-Therefore, enabling the "DHCPv6-Service" server mode is recommended.+
  
-==== ULA prefix ==== +===== Troubleshooting ===== 
-The default ULA (Unique local address) prefix represents an address that is not globally routed on the internet by design. +Collect and analyze the following information.
-A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address to ensure traffic goes over IPv6 by default when possible. +
- +
-When changing the ULA prefix, it doesn't necessarily have to start with ''d'', but to avoid conflicts, you should use a prefix that is not being used yet. +
-The letters are unassigned and therefore safe choices. +
- +
-Setting ''ula_prefix'' to ''auto'' will auto-generate a new valid ULA prefix. +
- +
-Using your ISP assigned prefix as ULA should also work. +
-However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, since it can cause address conflicts once the prefix changes. +
-If you have a static prefix that you can delegate across your LAN, then you won't need to change your ULA prefix. +
- +
-==== NAT64 ==== +
-NAT64 can be easily activated using [[https://github.com/NICMx/Jool#jool|Jool]]. +
-The following configuration should enable NAT64 on your LAN network.+
  
 <code bash> <code bash>
-Install packages +Log and status 
-opkg update +/etc/init.d/firewall restart
-opkg install jool-tools-netfilter+
  
-Configure NAT64 +Runtime configuration 
-cat << "EOF" > /etc/jool/jool-nat64.conf.json +ip -6 address show; ip -6 route show table all 
-+ip -6 rule show; nft list ruleset
-"instance": "default", +
-"framework": "netfilter", +
-"global": { "pool6": "64:ff9b::/96"+
-+
-EOF +
-uci set jool.general.enabled="1" +
-uci set jool.nat64.enabled="1" +
-uci commit jool +
-/etc/init.d/jool restart+
  
-Check service status +Persistent configuration 
-jool instance display +uci show network; uci show firewall
-jool instance status +
- +
- +
-# Check from a LAN client +
-ping 64:ff9b::8.8.8.8+
 </code> </code>
- 
-Be sure to [[docs:guide-user:base-system:dhcp_configuration#upstream_dns_provider|change]] your DNS to [[https://developers.google.com/speed/public-dns/docs/dns64|Google's DNS64]] or set up your own [[https://github.com/cvmiller/nat64#running-your-own-dns64-server|DNS64]] to correctly resolve domain names into translated addresses. 
- 
-See also: 
-  * [[packages:pkgdata:jool-tools]] 
-  * [[https://github.com/openwrt/packages/tree/master/net/jool/files#readme|Documentation]] 
  
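Review bot: the new "2. Network" step sets network.wan6.sourcefilter to "0" with no explanation beyond "Disable IPv6 source filter on the upstream interface". Because this switches off a filter on the upstream side, the text should say why NAT66 needs it and what changes in routing behaviour once it is off. The command also assumes the upstream interface is named wan6, which should be stated as an assumption. In Troubleshooting, the only command under "Log and status" is /etc/init.d/firewall restart, which changes state rather than reporting it; a short comment that the restart is run for its output would avoid surprising a reader who is only collecting diagnostics.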
  • Last modified: 2023/10/14 06:10
  • by vgaetera