Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:ipv6:ipv6.nat6 [2023/01/17 04:29] – [NAT66 and IPv6 masquerading] update infobox vgaetera
docs:guide-user:network:ipv6:ipv6.nat6 [2023/09/17 23:39] – [Introduction] vgaetera
Line 4: Line 4:
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router.   * This how-to describes the method for setting up NAT66 aka NAT6 with IPv6 masquerading on your OpenWrt router.
-  * Assuming default OpenWrt settings and a working IPv6 connection on the router.+  * Assuming a [[docs:guide-user:network:ipv6:configuration#ula_prefix|ULA prefix]], [[docs:guide-user:network:ipv6:configuration#slaac_and_dhcpv6|SLAAC and DHCPv6]] and a working IPv6 connection on the router.
   * Avoid using NAT66 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix.   * Avoid using NAT66 and better [[docs:guide-user:network:ipv6:configuration#ipv6_relay|use relay mode]] if you are provided with a /64 prefix.
   * It is also best to avoid using NAT66 unless you are facing the following problems:   * It is also best to avoid using NAT66 unless you are facing the following problems:
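Review bot: On the changed prerequisite bullet, "Assuming a ULA prefix, SLAAC and DHCPv6 and a working IPv6 connection on the router" no longer says what state those items are expected to be in, and dropping "default OpenWrt settings" removes the only hint that the later steps assume the default firewall zones and interface names (the "upstream zone" and wan6). Suggest wording such as "Assuming default OpenWrt settings with a ULA prefix configured, SLAAC and DHCPv6 enabled, and a working IPv6 connection on the router." so the linked sections read as requirements rather than a bare list.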
Line 12: Line 12:
     * Creating a subnet for when the network doesn't support subnetting.     * Creating a subnet for when the network doesn't support subnetting.
     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.     * Being provided a smaller prefix than a /64 or worse, none at all or a ULA address.
-  * Follow [[docs:guide-user:network:ipv6:nat64|NAT64]] to provide access to IPv4-only services from IPv6-only client networks.+  * See also: [[docs:guide-user:network:ipv6:nat64|NAT64]], [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_npt|IPv6 NAT and NPT]]
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
-Enable the [[docs:guide-user:firewall:firewall_configuration?s=masq6#options1|masq6 option]] in the firewall config on your upstream zone.+==== 1. Firewall ==== 
 +Enable IPv6 masquerading on the upstream zone.
  
 <code bash> <code bash>
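Review bot: In the new "1. Firewall" step, "Enable IPv6 masquerading on the upstream zone." drops the link to the masq6 option that the removed sentence carried, so the prose no longer names the setting being changed or points to its documentation. Keep the option name and link in the new sentence, for example "Enable IPv6 masquerading (the masq6 option) on the upstream zone." The "See also:" bullet above also loses the one-line reason for following NAT64 (access to IPv4-only services from IPv6-only client networks) and ends without a period, unlike the other bullets in the list.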
Line 24: Line 25:
 </code> </code>
  
-Enable [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] and announce the [[docs:guide-user:network:ipv6:ipv6_extras#announcing_default_ipv6_route|default IPv6 route]] if necessary. +==== 2. Network ==== 
- +Disable IPv6 source filter on the upstream interface.
-===== Extras ===== +
-==== DHCPv6 ==== +
-Make sure DHCPv6 uses the following settings (on an unmodified OpenWrt installation these should by the default): +
-  * "Router Advertisement-Service" and "DHCPv6-Service" are set to server mode* +
-  * "DHCPv6-Mode" is stateless + stateful +
-  * "NDP-Proxy" is disabled +
- +
-You can check this by running the following command:+
  
 <code bash> <code bash>
-# uci show dhcp.lan +Configure network 
-... +uci set network.wan6.sourcefilter="0" 
-dhcp.lan.dhcpv6='server' +uci commit network 
-dhcp.lan.ra='server' +/etc/init.d/network restart
-dhcp.lan.ra_management='1'+
 </code> </code>
  
-If the output is different, you are not using the defaults and you should set these options to the ones shown above. +Prefer [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] or announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]] if necessary.
-If there is an additional line starting with ''dhcp.lan.ndp'', the NDP-Proxy is enabled and should be disabled. +
-Setups with "DHCPv6-Service" disabled have been reported working as well by some users. +
-However, if "DHCPv6-Service" is disabled, some clients (e.g. Android devices) will prefer IPv4 over IPv6+
-Therefore, enabling the "DHCPv6-Service" server mode is recommended.+
  
-==== ULA prefix ==== +===== Troubleshooting ===== 
-Typically relevant when you do not have a real global prefix assigned by your ISP (in which case your ULA should be a real ULA), AND you want to run local IPv6 (e.g. for NAT66), AND you have applications that preference IPv4 over IPv6 ULA addresses.+Collect and analyze the following information.
  
-A trick to get around this is set your [[wp>Unique_local_address|ULA]] prefix to a non-ULA value.+<code bash> 
 +# Log and status 
 +/etc/init.d/firewall restart
  
-The default ULA prefix represents an address that is not globally routed on the internet by design (only between provider networks).+# Runtime configuration 
 +ip -6 address show; ip -6 route show table all 
 +ip -6 rule show; nft list ruleset
  
-A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address (i.e. trick it with a non-ULA prefix) to ensure traffic goes over IPv6 by default when possible. +# Persistent configuration 
- +uci show network; uci show firewall 
-When changing the ULA prefix, it doesn't necessarily have to start with ''d'', but to avoid conflicts, you should use a prefix that is not being used yet. +</code>
-The prefix ''fd'' is generally an actual ULA, other ''f'' address have specific meanings, and existing allocated public addresses start with ''2''+
-The letters ''a'' through ''e'' are [[https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml|unassigned for the time being]] and therefore safe choices. +
- +
-Setting ''ula_prefix'' to ''auto'' will auto-generate a new valid ULA prefix. +
- +
-Using your ISP assigned prefix as ULA should also work. +
- +
-However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, since it can cause address conflicts once the prefix changes. +
- +
-But normally if you have a static prefix that you can delegate across your LAN (i.e. real global addresses), then you won't need to change your ULA prefix.+
  
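Review bot: In the new "2. Network" step, uci set network.wan6.sourcefilter="0" is introduced only by "Disable IPv6 source filter on the upstream interface.", with no explanation of why NAT66 needs the filter off or what turning it off changes, and the command assumes the upstream interface is named wan6. Add a sentence of rationale and a note to substitute the actual interface name. In the same code block the line "Configure network" has no leading #, unlike "# Log and status" in the Troubleshooting block, so as shown it would be run as a command. The removed DHCPv6 and ULA prefix sections carried guidance (clients such as Android devices preferring IPv4 when the DHCPv6 service is disabled or only a ULA address is present) that now depends entirely on the links added in the Introduction; confirm the linked sections cover it before dropping it here. In Troubleshooting, "# Log and status" is followed only by a firewall restart; either rename the comment or add the log and status commands it refers to.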
  • Last modified: 2023/10/14 06:10
  • by vgaetera