search

aparcar / openwrt

Staging tree of Paul Spooren
Other
8 stars 1 forks source link

FS#472 - 6to4 support with 1:1 nat #500

Open aparcar opened 7 years ago

aparcar commented 7 years ago

bolvan:

One-to-one NAT means you have LAN address on interface and its mapped 1:1 to external ip addresses. You can have incoming connections.

In such configuration "ipaddr" must be specified in 6to4 protocol section. But due to bug this addr is submitted as local address for tunnel creation. It does not work.

I fixed this with the following patch to /lib/netifd/proto/6to4.sh

48,53c48,53 < [ -z "$ipaddr" ] && { < if ! network_get_ipaddr ipaddr "$wanif"; then < proto_notify_error "$cfg" "NO_WAN_ADDRESS" < return < fi < }

  if ! network_get_ipaddr ipladdr "$wanif"; then
          proto_notify_error "$cfg" "NO_WAN_ADDRESS"
          return
  fi

  [ -z "$ipaddr" ] && ipaddr=$ipladdr

76c76 < json_add_string local "$ipaddr"

  json_add_string local "$ipladdr"

I suggest you integrate this patch or do something similar yourself.

aparcar commented 7 years ago

bolvan:

Attached patch file

aparcar commented 7 years ago

jow-:

I do not understand your patch. All it does is making 6in4 fail when it finds no wan ip even if the user specified an ip in the configuration. It does not change anything in the actual tunnel setup logic.

What is this bug you're referring to?

aparcar commented 7 years ago

bolvan:

Imagine wan has ipv4 "10.1.2.3". Its mapped 1:1 by isp to 190.1.2.3. I specify option "ipaddr" as 190.1.2.3. 6to4.sh correctly calculates 2002:BE01:0203::1 but then it sets up link as

ip tunnel add tun6to4 mode sit ttl XXX remote any local 190.1.2.3

instead of correct

ip tunnel add tun6to4 mode sit ttl XXX remote any local 10.1.2.3

And it does not work. In my patch I force actually present IP to netifd. Yes, my approach may be not 100% optimal. There may not be WAN if at all. I've just experienced non-working 6to4 in my setup and found the reason. You know better how to fix it perfectly But note that local addr can be dynamic. Its bad to require to hardcode it in config.

aparcar commented 7 years ago

dedeckeh:

But is that not misconfiguration by the user ? I mean if you specify an IP address via uci config I expect this IP address to be applied even if the wan interface has an IP address. All other tunnel protocols like 6in4, 6rd behave in the same way

aparcar commented 7 years ago

bolvan:

6in4 works from the box because 6in4.sh does not have

test_6to4_rfc1918 "$ipaddr" && { proto_notify_error "$cfg" "INVALID_LOCAL_ADDRESS" return }

6in4 does not need to find out actual external ip address. 6to4 need it because its used to construct 2002:

aparcar commented 7 years ago

bolvan:

"ipaddr" option is documented as "Local IPv4 endpoint address". it can be useful when interface has multiple IPs. ipaddr must be one of the locally present IPs, not ephemeral "external IP". we can leave it as is but we need to override generation of 6to4 prefix we need either specify "external_ip" (as its done in miniupnpd uci conf) or directly 2002: prefix and abandon its auto-generation Now 2002 prefix is generated only from either "ipaddr" or ip taken from interface and there's no option to change this, also no way to disable autogeneration.