Open ThomasLee-git opened 7 years ago
Hi! Can you paste the output of `ip6tables -vnL`?
Sure~ ip6tables_output.zip
Lol, so sorry, I meant to say `ip6tables -t nat -vnL`, sorry about that!
Certainly is strange that you have a seemingly normal ipv6 firewall active, yet `zone_wan_postrouting` does not exist as far as it's aware. Definitely interesting to me.
Do you have all required modules installed and loaded for ipv6 NAT? `opkg list-installed && lsmod` would also help to verify against my own. (Definitely possible I may have missed one in the guide, we'll see!)
Hi, I met the same trouble when verifying the configuration on my Xiaomi mini router. Firmware: Chaos Calmer 15.05.1. Thanks in advance.
Can you try this version? https://github.com/akatrevorjay/openwrt-masq6/raw/master/90-nat6.fw
I think older fw3 may not populate the ipv6 nat table, from the sounds of it.
I tried https://github.com/akatrevorjay/openwrt-masq6/raw/master/90-nat6.fw but still no luck~ :(
`ip6tables -t nat -vnL` outputs:
```
Chain PREROUTING (policy ACCEPT 2650 packets, 237K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 389 packets, 32891 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 308 packets, 46850 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 312 packets, 47090 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2257  201K MASQUERADE  all      *      eth0.2  dd3d:13f1:936f::/48  ::/0
```
Packages and modules installed: pkg&mod_list.txt.zip
Oh, wow. @ThomasLee-git It looks like ipv6 is actually disabled for you firewall-wise altogether! fw3 isn't even touching ip6tables at all, not even to set the policy.
I'm curious if `ping6 google.com` works for you from the router at all? I'm guessing it may not.
If you can:
```
sh -xv 'logread; ip -6 addr; ip -6 route; ifstatus wan; ifstatus wan6'
```
/etc/config/network
/etc/config/firewall
(fw3 is not configuring ip6tables at all, which will require some debugging into why.)
If you cannot:
Here is a portion of my test router config for reference:
Remember that ifnames will need to be updated to match your own if you copy any of this!
```
# /etc/config/dhcp
config dhcp 'wan6'
    option interface 'wan6'
    option ignore '1'
    option master '1'
    option ra 'relay'
    option dhcpv6 'relay'
    option ndp 'relay'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '720h'
    option force '1'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '1'
    option ra_default '1'
    option ndp 'server'

# /etc/config/network
config globals 'globals'
    #option ula_prefix 'auto'
    option ula_prefix 'fd00:dead::/48'

config interface 'lan'
    option ifname 'eth0 eth2'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.69.254'
    option ip6assign '60'
    #option igmp_snooping '1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option peerdns '0'
    option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'
    option peerdns '0'
    option dns '2001:4860:4860::8888 2001:4860:4860::8844'
    #option ip6assign '0'

# /etc/config/firewall
config zone
    option name 'wan'
    option input 'DROP'
    option forward 'DROP'
    option output 'ACCEPT'
    option masq '1'
    option masq6 '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
```
Don't know if you noticed that if kmod-ipt-nat6 is installed, some warnings about the firewall (fw3) appear:
```
root@OpenWrt:~# /etc/init.d/firewall restart
```
I don't know what caused this?
Router: Netgear 4300. Firmware: Chaos Calmer 15.05.1.
@akatrevorjay, sorry for such a late response~
I have native ipv6 connectivity, however, as you guessed, `ping6 www.google.com` doesn't work from the router~ so strange ⊙﹏⊙‖∣°
Since `sh -xv 'logread; ip -6 addr; ip -6 route; ifstatus wan; ifstatus wan6'` gives me `sh: can't open xxx`, the attachment is the output of the separate commands. Or you can teach me some alternative ways.
@akatrevorjay Great news~ I tested the latest version on another router which uses ISATAP to get an IPv6 address and the script works like a charm!! There's only one small flaw left: `/etc/firewall.d/with_reload` cannot get the script to run on every reboot; any other dirs?
Still wondering why mine is having this odd issue~ the old nat6 script still works, maybe I should stick with that one~
Thank you for everything, you're the man!! (´∀`)b~
Fantastic! Oh, it can't? Mine does load it upon initial boot as well as restart.
If you don't mind a hack, you can always just stuff a firewall reload in `/etc/rc.local`, lol.
Just to verify: on the boots where it does not come up on its own, does a `/etc/init.d/firewall reload` fix it?
If so, interesting, I'd love to debug that further; what version of OpenWrt/LEDE are you running, by the way?
Hello, I came across a similar issue. Router: Lenovo Y1 Firmware: LEDE 17.01.2
If I use the port on the wall, I can get an IPv4 IP & an IPv6 IP, but if I use a router, only the router can get access to IPv6 websites; none of the devices connected to the router can visit IPv6 websites. Therefore, I'm considering using IPv6 NAT.
I followed the wiki. While
```
uci show dhcp.lan | grep -e 'dhcpv6=' -e 'ra=' -e 'ra_management=' -e 'ndp='
```
outputs
```
dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'
```
so I edited `/etc/config/dhcp`, and added `option ra_management '1'` to the `config dhcp 'lan'` section.
Since there is no `/etc/firewall.d/with_reload` dir, I created one, and downloaded `90-nat6.fw` from this project. After rebooting my router, I could visit IPv4 websites, but failed to visit IPv6 websites; Google Chrome reported that I was blocked by a firewall. So I ran the `90-nat6.fw` script, and finally could get access to IPv6 websites.
It seems that this script does not auto-run on reboot or firewall reload. Should I add it to startup? Should it run after firewall reload? And sometimes I have to wait a couple of minutes before I can get access to IPv6 websites. I'm not sure what's wrong, but it's acceptable.
Yeah, for older OpenWrt versions (at least that's what I think it is) without `/etc/firewall.d/with_reload` support (it should be there already), by all means add it as an init script or append it to `rc.local`. The cool part about `with_reload` is that it gets applied whenever the firewall is restarted/reloaded, which is helpful, but if you lack support then I really recommend upgrading to a later version.
@bluehj777 I've seen that before when certain ip6 nat related options are not enabled in the kernel config.
@bluehj777 I think at least, it's been a minute since I've seen that tbh ;)
@akatrevorjay Hi, I followed the LEDE firewall wiki and added a section to `/etc/config/firewall`:
```
config include
    option path '/etc/firewall-nat6.user'
    option reload '1'
```
where `/etc/firewall-nat6.user` is the file `90-nat6.fw`. And it works just great. I'm not sure `option reload 1` is needed, it's said that
The same problem happens when using the latest doc's method:
```
ip6tables: No chain/target/match by that name.
```
no matter what I have tried. `/etc/firewall.d/with_reload` does not exist even on the latest 18.06.1. I did some searching and found out the old doc could be helpful. I paste all the steps here for anyone's convenience. Hope this helps!
```sh
opkg update && opkg install kmod-ipt-nat6
# rewrite the first character of the ULA prefix to 'd' (fdxx:... becomes ddxx:...)
uci set network.globals.ula_prefix="$(uci get network.globals.ula_prefix | sed 's/^./d/')"
uci commit network
uci set dhcp.lan.ra_default='1'
uci commit dhcp
touch /etc/init.d/nat6
vi /etc/init.d/nat6      # paste the init script below
chmod +x /etc/init.d/nat6
/etc/init.d/nat6 enable
reboot
uci set firewall.@rule["$(uci show firewall | grep 'Allow-ICMPv6-Forward' | cut -d'[' -f2 | cut -d']' -f1)"].enabled='0'
uci commit firewall
```
```sh
#!/bin/sh /etc/rc.common
# NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6
START=55

# Options
# -------
# Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0
PRIVACY=1
# Maximum number of attempts before this script will stop in case no IPv6 route is available
# This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds.
MAX_TRIES=15
# An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful.
# This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second.
DELAY=5
# Logical interface name of outbound IPv6 connection
# There should be no need to modify this, unless you changed the default network interface names
# Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6"
WAN6_NAME="wan6"
# ---------------------------------------------------
# Options end here - no need to change anything below

boot() {
    [ $DELAY -gt 0 ] && sleep $DELAY
    logger -t NAT6 "Probing IPv6 route"
    PROBE=0
    COUNT=1
    # Wait (with growing back-off) until a default IPv6 route (::/0) shows up
    while [ $PROBE -eq 0 ]
    do
        if [ $COUNT -gt $MAX_TRIES ]
        then
            logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1
        fi
        sleep $COUNT
        COUNT=$((COUNT+1))
        PROBE=$(route -A inet6 | grep -c '::/0')
    done
    logger -t NAT6 "Setting up NAT6"
    # Resolve the logical interface to its device through netifd. A plain
    # `uci get network.wan6.ifname` returns '@wan' when wan6 is an alias of wan
    # (as in the network config earlier in this thread), and /sys/class/net/@wan
    # does not exist, so the check below would fail. Fall back to uci otherwise.
    . /lib/functions/network.sh
    network_get_device WAN6_INTERFACE "$WAN6_NAME"
    [ -n "$WAN6_INTERFACE" ] || WAN6_INTERFACE=$(uci -q get "network.$WAN6_NAME.ifname")
    if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then
        logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1
    fi
    WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}')
    if [ -z "$WAN6_GATEWAY" ] ; then
        logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1
    fi
    LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix)
    if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
        logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1
    fi
    # Masquerade everything from the LAN prefix that leaves via the WAN6 device
    ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE
    if [ $? -eq 0 ] ; then
        logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)"
    else
        logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1
    fi
    # Route the global unicast range explicitly via the learned gateway
    route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE"
    if [ $? -eq 0 ] ; then
        logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
    else
        logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
    fi
    if [ $PRIVACY -eq 1 ] ; then
        # accept_ra=2: keep accepting RAs even though forwarding is enabled on a router
        echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra"
        if [ $? -eq 0 ] ; then
            logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)"
        else
            logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)"
        fi
        # use_tempaddr=2: generate privacy addresses and prefer them for outgoing connections
        echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr"
        if [ $? -eq 0 ] ; then
            logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
        else
            logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
        fi
    fi
    exit 0
}
```
Hi, I followed the updated guide but ran into some errors. Router: Lenovo Y1 Firmware: Chaos Calmer 15.05.1
```
root@OpenWrt:/etc# /etc/firewall.d/with_reload/90-nat6.fw
nat6: Firewall config="cfg04dc81" zone="lan" zone_masq6="0".
nat6: Firewall config="cfg06dc81" zone="wan" zone_masq6="1".
nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
ip6tables: No chain/target/match by that name.
```
I've checked all the other settings in Troubleshooting. Thanks in advance.
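The old init script and the 90-nat6.fw hook both have to do the same four things: wait for the WAN6 default route, validate the prefix, pick a chain, and add the MASQUERADE rule. The script below is an added example that does this in one place; it is not code from this thread or from the openwrt-masq6 project. It inserts into fw3's `zone_<zone>_postrouting` chain when that chain exists and falls back to the built-in POSTROUTING chain when it does not, which is the `ip6tables: No chain/target/match by that name` situation reported above on Chaos Calmer, and it checks with `-C` before adding so that running it from a `config include` with `option reload '1'` (or from `with_reload`) on every reload does not stack duplicate rules. The `lsmod` and `ip -6 route` texts are constructed samples, the kernel module names are an assumption for 15.05/17.01-era `kmod-ipt-nat6`/`kmod-nf-nat6` builds (check with `opkg files kmod-ipt-nat6`), and `IP6T` is overridable only so the rule logic can be exercised off the router.

```sh
#!/bin/sh
# Added example (not from this thread or openwrt-masq6): apply the IPv6 MASQUERADE
# rule the way a reload hook should. IP6T is overridable only for off-router testing.
IP6T="${IP6T:-ip6tables}"
# Assumed module names for 15.05/17.01-era kmod-ipt-nat6 + kmod-nf-nat6; verify with
# `opkg files kmod-ipt-nat6` on your build, newer kernels merge and rename these.
NAT6_MODULES="ip6table_nat ip6t_MASQUERADE nf_nat_ipv6 nf_nat_masquerade_ipv6"

# Constructed sample text in the shape of `lsmod` and `ip -6 route show`; not captured from a router.
SAMPLE_LSMOD_OK='ip6table_nat 1968 1
ip6t_MASQUERADE 1244 1
nf_nat_ipv6 4772 2 ip6table_nat,ip6t_MASQUERADE
nf_nat_masquerade_ipv6 1712 1 ip6t_MASQUERADE
ip6table_filter 1140 1'
SAMPLE_LSMOD_NO_NAT6='ip6table_filter 1140 1
ip6_tables 9192 2 ip6table_filter,ip6table_mangle'
SAMPLE_ROUTES='fd00:dead::/64 dev br-lan proto static metric 1024
2001:db8:1::/64 dev eth0.2 proto kernel metric 256
fe80::/64 dev eth0.2 proto kernel metric 256
default via fe80::1 dev eth0.2 proto ra metric 512'

# nat6_modules_missing LSMOD_TEXT: print the required modules absent from lsmod output.
nat6_modules_missing() {
    missing=""
    for m in $NAT6_MODULES; do
        printf '%s\n' "$1" | grep -q "^$m[[:space:]]" || missing="$missing $m"
    done
    printf '%s' "${missing# }"
}

# nat6_default_gw ROUTE_TEXT DEV: print the gateway of the default route leaving via DEV,
# exit 1 when there is none yet. Whole-field matching avoids `grep eth0` also hitting eth0.2.
nat6_default_gw() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" {
            gw = ""; d = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") d = $(i + 1)
            }
            if (d == dev && gw != "") { print gw; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# nat6_valid_prefix PREFIX: hex groups plus a /1../128 length; accepts both a plain ULA
# (fd00:dead::/48) and the fd->dd rewritten prefix the old doc's sed produces.
nat6_valid_prefix() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{1,4}:[0-9a-fA-F:]*/[0-9]{1,3}$' || return 1
    len="${1##*/}"
    [ "$len" -ge 1 ] && [ "$len" -le 128 ]
}

# nat6_target_chain ZONE: fw3's zone_<zone>_postrouting if it exists in the nat6 table
# (i.e. fw3 is managing ip6tables nat), otherwise the built-in POSTROUTING chain.
nat6_target_chain() {
    chain="zone_${1}_postrouting"
    "$IP6T" -t nat -S "$chain" >/dev/null 2>&1 || chain=POSTROUTING
    printf '%s' "$chain"
}

# nat6_ensure_masq PREFIX DEV ZONE: add the MASQUERADE rule exactly once (-C before -A),
# so a reload hook that runs on every firewall reload never duplicates it.
nat6_ensure_masq() {
    nat6_valid_prefix "$1" || { echo "nat6: invalid prefix '$1'" >&2; return 1; }
    chain=$(nat6_target_chain "$3")
    "$IP6T" -t nat -C "$chain" -s "$1" -o "$2" -j MASQUERADE 2>/dev/null && return 0
    "$IP6T" -t nat -A "$chain" -s "$1" -o "$2" -j MASQUERADE
}

# On a router: NAT6_RUN=1 sh nat6-ensure.sh [zone] [wan6-logical-interface]
nat6_main() {
    zone="${1:-wan}"
    missing=$(nat6_modules_missing "$(lsmod)")
    [ -z "$missing" ] || { echo "nat6: modules not loaded:$missing" >&2; return 1; }
    . /lib/functions/network.sh
    network_get_device dev "${2:-wan6}"   # netifd's device; uci's ifname is '@wan' for an alias
    gw=$(nat6_default_gw "$(ip -6 route show)" "$dev") \
        || { echo "nat6: no default route via '$dev' yet" >&2; return 1; }
    prefix=$(uci -q get network.globals.ula_prefix)
    nat6_ensure_masq "$prefix" "$dev" "$zone" \
        && echo "nat6: masquerading $prefix via $dev (gateway $gw, chain $(nat6_target_chain "$zone"))"
}
if [ "${NAT6_RUN:-0}" = 1 ]; then nat6_main "$@"; fi
```

To use it as the `/etc/firewall-nat6.user` include or a `with_reload` hook, replace the last line with an unconditional `nat6_main wan wan6`. A rule placed in the built-in POSTROUTING chain is not one fw3 manages, so after a `firewall restart` check `ip6tables -t nat -S POSTROUTING` to see whether it survived or was re-added by the hook. To collect the diagnostics requested earlier in this thread in one go, `sh -xc '...'` runs the quoted string as commands, whereas `sh -xv '...'` tries to open it as a script file, which is the `sh: can't open` error reported above.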