Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:ipv6:ipv6.nat6 [2022/10/30 16:34] – [Introduction] update vgaetera
docs:guide-user:network:ipv6:ipv6.nat6 [2023/09/17 23:39] – [Introduction] vgaetera
Line 1: Line 1:
-====== NAT6 and IPv6 masquerading ====== +====== NAT66 and IPv6 masquerading ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up NAT6 aka NAT66 with IPv6 masquerading on your OpenWrt router. +  * This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router. 
-  * Follow [[docs:guide-user:network:ipv6:nat64|NAT64]] to provide access to IPv4-only servers from IPv6-only client networks. +  * Assuming a [[docs:guide-user:network:ipv6:configuration#ula_prefix|ULA prefix]], [[docs:guide-user:network:ipv6:configuration#slaac_and_dhcpv6|SLAAC and DHCPv6]] and a working IPv6 connection on the router. 
-  * if you have IPv6-only connectivity and need to set up NAT64. +  * Avoid using NAT66 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix. 
-  * Assuming default OpenWrt settings and a working IPv6 connection on the router. +  * It is also best to avoid using NAT66 unless you are facing the following problems:
-  * Avoid using NAT6 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix. +
-  * It is also best to avoid using NAT6 unless you are facing the following problems:+
     * IPv6 multihoming without BGP.     * IPv6 multihoming without BGP.
     * Performing stateless 1:1 NAT for migration purposes.     * Performing stateless 1:1 NAT for migration purposes.
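Review bot: The infobox on the second line of this hunk is switched from `cli_skills` to `basic_skills`, but the page still has a "Command-line instructions" section made up of `uci` commands, so the prerequisite shown to readers now understates what the procedure needs. Keep `howto_links#cli_skills` unless the steps gain a non-CLI equivalent. The new assumption bullet ("Assuming a ULA prefix, SLAAC and DHCPv6 and a working IPv6 connection on the router.") is also a fragment with no subject; "This how-to assumes ..." would read cleanly. The title now says NAT66 while the page id in the revision header is still ipv6.nat6, so keep the "aka NAT6" wording to tie the two names together.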
Line 14: Line 12:
     * Creating a subnet for when the network doesn't support subnetting.     * Creating a subnet for when the network doesn't support subnetting.
     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.
 +  * See also: [[docs:guide-user:network:ipv6:nat64|NAT64]], [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_npt|IPv6 NAT and NPT]]
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
-Enable the [[docs:guide-user:firewall:firewall_configuration?s=masq6#options1|masq6 option]] in the firewall config on your upstream zone.+==== 1. Firewall ==== 
 +Enable IPv6 masquerading on the upstream zone.
  
 <code bash> <code bash>
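Review bot: The rewritten sentence under "1. Firewall" drops both the option name and the link to the `masq6` entry in the firewall configuration reference, so the prose no longer tells the reader which zone option the code block sets or where it is documented. Suggest keeping the reference inside the new wording, for example "Enable IPv6 masquerading ([[docs:guide-user:firewall:firewall_configuration?s=masq6#options1|masq6 option]]) on the upstream zone." The numbered heading itself fits, since the next hunk adds "2. Network".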
Line 25: Line 25:
 </code> </code>
  
-Enable [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] and announce the [[docs:guide-user:network:ipv6:ipv6_extras#announcing_default_ipv6_route|default IPv6 route]] if necessary. +==== 2. Network ==== 
- +Disable IPv6 source filter on the upstream interface.
-===== Extras ===== +
-==== References ==== +
-  * [[http://tools.ietf.org/html/rfc6052|RFC6052 - IPv6 Addressing of IPv4/IPv6 Translators]] +
-  * [[http://tools.ietf.org/html/rfc6146|RFC6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers]] +
- +
-==== DHCPv6 ==== +
-Make sure DHCPv6 uses the following settings (on an unmodified OpenWrt installation these should by the default): +
-  * "Router Advertisement-Service" and "DHCPv6-Service" are set to server mode* +
-  * "DHCPv6-Mode" is stateless + stateful +
-  * "NDP-Proxy" is disabled +
- +
-You can check this by running the following command:+
  
 <code bash> <code bash>
-# uci show dhcp.lan +Configure network 
-... +uci set network.wan6.sourcefilter="0" 
-dhcp.lan.dhcpv6='server' +uci commit network 
-dhcp.lan.ra='server' +/etc/init.d/network restart
-dhcp.lan.ra_management='1'+
 </code> </code>
  
-If the output is different, you are not using the defaults and you should set these options to the ones shown above. +Prefer [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] or announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]] if necessary.
-If there is an additional line starting with ''dhcp.lan.ndp'', the NDP-Proxy is enabled and should be disabled. +
-Setups with "DHCPv6-Service" disabled have been reported working as well by some users. +
-However, if "DHCPv6-Service" is disabled, some clients (e.g. Android devices) will prefer IPv4 over IPv6+
-Therefore, enabling the "DHCPv6-Service" server mode is recommended.+
  
-==== ULA prefix ==== +===== Troubleshooting ===== 
-Typically relevant when you do not have a real global prefix assigned by your ISP (in which case your ULA should be a real ULA), AND you want to run local IPv6 (e.g. for NAT66), AND you have applications that preference IPv4 over IPv6 ULA addresses.+Collect and analyze the following information.
  
-A trick to get around this is set your ULA prefix to a non-ULA value.+<code bash> 
 +# Log and status 
 +/etc/init.d/firewall restart
  
-The default ULA ([[wp>Unique_local_address|Unique local address]]) prefix represents an address that is not globally routed on the internet by design (only between provide networks).+# Runtime configuration 
 +ip -6 address show; ip -6 route show table all 
 +ip -6 rule show; nft list ruleset
  
-A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address (i.e. trick it with a non-ULA prefix) to ensure traffic goes over IPv6 by default when possible.  +# Persistent configuration 
- +uci show network; uci show firewall 
-When changing the ULA prefix, it doesn't necessarily have to start with ''d'', but to avoid conflicts, you should use a prefix that is not being used yet. The prefix ''fd'' is generally an actual ULA, other ''f'' address have specific meanings, and existing allocated public addresses start with ''2''. The letters 'a' through 'e' are unassigned and therefore safe choices. +</code>
- +
-Setting ''ula_prefix'' to ''auto'' will auto-generate a new valid ULA prefix. +
- +
-Using your ISP assigned prefix as ULA should also work. +
- +
-However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, since it can cause address conflicts once the prefix changes. +
- +
-But normally if you have a static prefix that you can delegate across your LAN (i.e. real global addresses), then you won't need to change your ULA prefix.+
  
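Review bot: The new "2. Network" step turns off the IPv6 source filter with `uci set network.wan6.sourcefilter="0"` but gives no reason and does not say what the filter does, so a reader changes a filtering setting on the upstream interface without knowing the trade-off. Add one sentence stating why NAT66 needs it and how to restore the previous value. The command hardcodes `wan6` while the prose says "the upstream interface", so say that the name must match the reader's own upstream IPv6 interface. As shown, the first line of that code block reads `Configure network` without a leading `#`, unlike `# Log and status` in the Troubleshooting block, and would be run as a command if pasted. In Troubleshooting, the "# Log and status" group only restarts the firewall and collects no log output. The hunk also deletes the DHCPv6 and ULA prefix sections; the removed point that many clients prefer IPv4 over a ULA address is directly relevant to a setup that assumes a ULA prefix, so confirm the pages linked from the Introduction cover it.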
  • Last modified: 2023/10/14 06:10
  • by vgaetera