Error occurred when executing 90-nat6.fw

[ThomasLee-git]

Hi, I followed the updated guide but ran into some errors. Router: Lenovo Y1 Firmware: Chaos Calmer 15.05.1

1. There isn't a configuration directory called /etc/firewall.d/with_reload/, I created it anyway but autostart does not work.
2. I run the script manually and the output is root@OpenWrt:/etc# /etc/firewall.d/with_reload/90-nat6.fw nat6: Firewall config="cfg04dc81" zone="lan" zone_masq6="0". nat6: Firewall config="cfg06dc81" zone="wan" zone_masq6="1". nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1". nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1" nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE. ip6tables: No chain/target/match by that name.

I've checked all the other settings in Troubleshooting. Thanks in advance.

[akatrevorjay]

Hi! Can you paste the output of ip6tables -vnL?

[ThomasLee-git]

Sure~ ip6tables_output.zip

[akatrevorjay]

Lol, so sorry, I meant to say ip6tables -t nat -vnL, sorry about that!

[akatrevorjay]

Certainly is strange that you have a seemingly normal ipv6 firewall active, yet zone_wan_postrouting does not exist as far as it's aware. Definitely interesting to me.

[akatrevorjay]

Do you have all required modules installed and loaded for ipv6 NAT? opkg list-installed && lsmod would also help to verify against my own, (Definitely possible I may have missed one in the guide, we'll see!)

[wangmingg]

Hi, I meet the same trouble when I verify the configuration in my Xiaomi mini router. Fireware: Chaos Calmer 15.05.1. Thanks in advance.

[akatrevorjay]

Can you try this version? https://github.com/akatrevorjay/openwrt-masq6/raw/master/90-nat6.fw ?

I think older fw3 may not populate the ipv6 nat table from the sounds of it.

[ThomasLee-git]

I tried https://github.com/akatrevorjay/openwrt-masq6/raw/master/90-nat6.fw but still no luck~:(

ip6tables -t nat -vnL outputs: Chain PREROUTING (policy ACCEPT 2650 packets, 237K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 389 packets, 32891 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 308 packets, 46850 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 312 packets, 47090 bytes) pkts bytes target prot opt in out source destination 2257 201K MASQUERADE all * eth0.2 dd3d:13f1:936f::/48 ::/0

packages and modules installed pkg&mod_list.txt.zip

[akatrevorjay]

Oh, wow. @ThomasLee-git It looks like ipv6 is actually disabled for you firewall-wise altogether! fw3 isn't even touching ip6tables at all, not even to set the policy.

I'm curious if ping6 google.com works for you from the router at all? I'm guessing it may not.

If you can:

• Reboot router, wait 5m, then upload the output of sh -xv 'logread; ip -6 addr; ip -6 route; ifstatus wan; ifstatus wan6'
• Upload files: /etc/config/network /etc/config/firewall (fw3 is not configuring ip6tables at all which will require some debugging into why.)

If you cannot:

• You need to get basic ipv6 connectivity first. Only then this script can work. The required setup can vary per ISP and connection method, if you want some things to try upload the files as above and I may be able to help.

[akatrevorjay]

Here is a portion of my test router config for reference:

Remember that ifnames will need to be updated to match your own if you copy any of this!

# /etc/config/dhcp
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '720h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ra_default '1'
        option ndp 'server'

# /etc/config/network
config globals 'globals'
    #option ula_prefix 'auto'
    option ula_prefix 'fd00:dead::/48'

config interface 'lan'
    option ifname 'eth0 eth2'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.69.254'
    option ip6assign '60'
    #option igmp_snooping '1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option peerdns '0'
    option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'
    option peerdns '0'
    option dns '2001:4860:4860::8888 2001:4860:4860::8844'
    #option ip6assign '0'

#/etc/config/firewall
config zone
        option name 'wan'
        option input 'DROP'
        option forward 'DROP'
        option output 'ACCEPT'
        option masq '1'
        option masq6 '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

[bluehj777]

Don't know if you notice that if installed kmod-ipt-nat6,there are some warnings will be happened about firewall (fw3). root@OpenWrt:~# /etc/init.d/firewall restart

• Flushing IPv4 filter table
• Flushing IPv4 nat table
• Flushing IPv4 mangle table
• Flushing IPv4 raw table
• Flushing IPv6 filter table
• Flushing IPv6 nat table
• Flushing IPv6 mangle table
• Flushing IPv6 raw table
• Flushing conntrack table ...
• Populating IPv4 filter table
  • Zone 'lan'
  • Zone 'wan'
  • Rule 'Allow-DHCP-Renew'
  • Rule 'Allow-Ping'
  • Rule 'Allow-IGMP'
  • Rule #7
  • Rule #8
  • Forward 'lan' -> 'wan'
• Populating IPv4 nat table
  • Zone 'lan'
  • Zone 'wan'
• Populating IPv4 mangle table
  • Zone 'lan'
  • Zone 'wan'
• Populating IPv4 raw table
  • Zone 'lan'
  • Zone 'wan'
• Populating IPv6 filter table
  • Zone 'lan'
  • Zone 'wan'
  • Rule 'Allow-DHCPv6'
  • Rule 'Allow-MLD'
  • Rule 'Allow-ICMPv6-Input'
  • Rule 'Allow-ICMPv6-Forward'
  • Rule #7
  • Rule #8
  • Forward 'lan' -> 'wan'
• Populating IPv6 nat table
  • Zone 'lan' Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule' Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
  • Zone 'wan' Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule' Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule' Warning: fw3_ipt_rule_append(): Can't find target 'delegate_prerouting' Warning: fw3_ipt_rule_append(): Can't find target 'delegate_postrouting' Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule' Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
• Populating IPv6 mangle table
  • Zone 'lan'

I don't know what caused this?

Router: netgear 4300 Firmware: Chaos Calmer 15.05.1

[ThomasLee-git]

@akatrevorjay, sorry for such a late response~ I have native ipv6 connectivity, however as you guessed, ping6 www.google.com doesn't work from the router~so strange⊙﹏⊙‖∣°

Since sh -xv 'logread; ip -6 addr; ip -6 route; ifstatus wan; ifstatus wan6' gives me sh: can't open xxx, the attachment is the output of separated commands. Or you can teach me some alternative ways.

debug_info.zip

[ThomasLee-git]

@akatrevorjay Great news~ I tested the latest version on another router which uses isatap to get ipv6 address and the script works like a charm!! There's only one small flaw left, /etc/firewall.d/with_reload cannot get the script run every reboot, any other dirs?

Still wondering why mine is having this odd issue~ the old nat6 script still works, maybe I should stick with that one~

Thank you for everything, you're the man!! (´∀`）ｂ~

[akatrevorjay]

Fantastic! Oh, it can't? Mine does load it upon initial boot as well as restart.

If you don't mind a hack, you can always just stuff a firewall reload in /etc/rc.local, lol.

Just to verify: On the boots it does not come up on it's own, does a /etc/init.d/firewall reload fix it? If so, interesting, love to debug that further; what version of OpenWrt/LEDE are you running by the way?

[hubutui]

Hello, I come across similar issue. Router: Lenovo Y1 Firmware: LEDE 17.01.2

If I use the port on the wall, I could get a IPv4 IP & a IPv6 IP, but if I use a router, only the router could get access to IPv6 website, none of the devices connect to the router could visit IPv6 website. Therefore, I considering use IPv6 NAT.

I follow the wiki. While

uci show dhcp.lan | grep -e 'dhcpv6=' -e 'ra=' -e 'ra_management=' -e 'ndp='

outputs

dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'

so I edit /etc/config/dhcp, and add

option ra_management '1'

to config dhcp 'lan' section.

Since there no /etc/firewall.d/with_reload dir, I created one, and download 90-nat6.fw from this project. After rebooting my router, I could visit IPv4 website, but failed to visit IPv6 website, which promoted by Google Chrome that I was block by firewall. So I run the 90-nat6.fw script, and finally could get access to IPV6 website.

It seems that this script does not auto run on reboot or firewall reload, should I add it to startup? Should it run after firewall reload? And sometimes, I have to wait couple minutes before I could get acess to IPv6 website. I'm not sure what's wrong, but it's acceptable.

[akatrevorjay]

Yeah, for older OpenWrt versions (at least that's what I think it is) without /etc/firewall.d/with_reload support (it should be there already), by all means, add it as an init script or append it to rc.local. The cool part about with_reload is it gets applied whenever the firewall is restarted/reloaded, which is helpful, but if you lack support then I really recommend upgrading to a later version.

[akatrevorjay]

@bluehj777 I've seen that before when certain ip6 nat related options are not enables in the kernel config

[akatrevorjay]

@bluehj777 I think at least, it's been a minute since I've seen that tbh ;)

[hubutui]

@akatrevorjay Hi, I follow LEDE firewall wiki, add a section to /etc/config/firewall

config include
    option path '/etc/firewall-nat6.user'
    option reload '1'

where /etc/firewall-nat6.usr is the file 90-nat6.fw. And it works just great. I'm not sure option reload 1 is needed, it's said that

Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains

[robertying]

The same problem happens when using the latest doc's method.

• It says ip6tables: No chain/target/match by that name. no matter what I have tried.
• And also /etc/firewall.d/with_reload does not exist even on the latest 18.06.1

I did some searching and found out the old doc could be helpful. I paste all the steps here at anyone's convenience. Hope this helps!

Environment

• OpenWrt 18.06.1
• Lenovo Newifi Y1
• Clean installation

Steps

1. opkg update && opkg install kmod-ipt-nat6

2. uci set network.globals.ula_prefix="$(uci get network.globals.ula_prefix | sed 's/^./d/')"
   uci commit network

3. uci set dhcp.lan.ra_default='1'
   uci commit dhcp

4. Use nat6 attached in the end (attention: you may need more than 5s delay for the script. 5 is sometimes problematic for me and 10 is perfect)

   touch /etc/init.d/nat6
   vi /etc/init.d/nat6

5. chmod +x /etc/init.d/nat6
   /etc/init.d/nat6 enable

6. reboot
7. (Optional)

   uci set firewall.@rule["$(uci show firewall | grep 'Allow-ICMPv6-Forward' | cut -d'[' -f2 | cut -d']' -f1)"].enabled='0'
   uci commit firewall

nat6

#!/bin/sh /etc/rc.common
# NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6

START=55

# Options
# -------

# Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0
PRIVACY=1

# Maximum number of attempts before this script will stop in case no IPv6 route is available
# This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds.
MAX_TRIES=15

# An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful.
# This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second.
DELAY=5

# Logical interface name of outbound IPv6 connection
# There should be no need to modify this, unless you changed the default network interface names
# Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6"
WAN6_NAME="wan6"

# ---------------------------------------------------
# Options end here - no need to change anything below

boot() {
        [ $DELAY -gt 0 ] && sleep $DELAY
        logger -t NAT6 "Probing IPv6 route"
        PROBE=0
        COUNT=1
        while [ $PROBE -eq 0 ]
        do
                if [ $COUNT -gt $MAX_TRIES ]
                then
                        logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1
                fi
                sleep $COUNT
                COUNT=$((COUNT+1))
                PROBE=$(route -A inet6 | grep -c '::/0')
        done

        logger -t NAT6 "Setting up NAT6"

        WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname")
        if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then
                logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1
        fi
        WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}')
        if [ -z "$WAN6_GATEWAY" ] ; then
                logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1
        fi
        LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix)
        if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
                logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1
        fi

        ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE
        if [ $? -eq 0 ] ; then
                logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)"
        else
                logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1
        fi

        route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE"
        if [ $? -eq 0 ] ; then
                logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
        else
                logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
        fi

        if [ $PRIVACY -eq 1 ] ; then
                echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra"
                if [ $? -eq 0 ] ; then
                        logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)"
                else
                        logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)"
                fi
                echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr"
                if [ $? -eq 0 ] ; then
                        logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
                else
                        logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
                fi
        fi

        exit 0
}