Hi everyone,
I have been trying to test MAP-T with the latest OpenWrt version (24.10) on a TP-Link C6 v2 with map package version 7.
I was able to bring the map-wan6 interface up using DHCPv6 PD and option 95.
However, the nat46 translation doesn't go through. I collected some debug output below:
If anyone can help with this issue, it would be much appreciated.
root@OpenWrt:~# ifstatus wan6_4
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": true,
"uptime": 65787,
"l3_device": "map-wan6_4",
"proto": "map",
"updated": [
"routes",
"data"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "2c0f:xxxx:xx::6643:6a00:0",
"mask": 128,
"nexthop": "::",
"source": "::/0"
},
{
"target": "0.0.0.0",
"mask": 0,
"nexthop": "0.0.0.0",
"source": "0.0.0.0/0"
}
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"zone": "wan",
"firewall": [
{
"type": "nat",
"target": "SNAT",
"family": "inet",
"proto": "icmp",
"connlimit_ports": true,
"snat_ip": "102.xx.xx.0",
"snat_port": "1024-1087"
},
{
"type": "nat",
"target": "SNAT",
"family": "inet",
"proto": "tcp",
"connlimit_ports": true,
"snat_ip": "102.xx.xx.0",
"snat_port": "1024-1087"
},
!snipped!
!
!
{
"type": "nat",
"target": "SNAT",
"family": "inet",
"proto": "udp",
"connlimit_ports": true,
"snat_ip": "102.xx.xx.0",
"snat_port": "64512-64575"
},
{
"type": "rule",
"family": "inet6",
"proto": "all",
"direction": "in",
"dest": "wan",
"src": "wan",
"src_ip": "2c0f:xxxx:xx::6643:6a00:0",
"target": "ACCEPT"
},
{
"type": "rule",
"family": "inet6",
"proto": "all",
"direction": "out",
"dest": "wan",
"src": "wan",
"dest_ip": "2c0f:xxxx:xx::6643:6a00:0",
"target": "ACCEPT"
}
],
"zone": "wan"
}
}
root@OpenWrt:~# cat /tmp/map-wan6_4.rules
rule=type=map-t,ealen=12,prefix4len=24,prefix6len=48,ipv4prefix=102.xx.xx.0,ipv6prefix=2c0f:xxxx:xx::,offset=6,psidlen=0,psid=0,dmr=2c0f:xxxx:xx:ffff::/64,
RULE_1_FMR=0
RULE_1_EALEN=12
RULE_1_PSIDLEN=4
RULE_1_OFFSET=6
RULE_1_PREFIX4LEN=24
RULE_1_PREFIX6LEN=48
RULE_1_IPV4PREFIX=102.xx.xx.0
RULE_1_IPV6PREFIX=2c0f:xxxx:xx::
RULE_1_IPV6PD=2c0f:xxxx:xx::
RULE_1_PD6LEN=60
RULE_1_PD6IFACE=wan6
RULE_1_IPV6ADDR=2c0f:xxxx:xx::6643:6a00:0
RULE_BMR=1
RULE_1_IPV4ADDR=102.xx.xx.0
RULE_1_ADDR4LEN=32
RULE_1_PORTSETS='1024-1087 2048-2111 3072-3135 4096-4159 5120-5183 6144-6207 7168-7231 8192-8255 9216-9279 10240-10303 11264-11327 12288-12351 13312-13375 14336-14399 15360-15423 16384-16447 17408-17471 18432-18495 19456-19519 20480-20543 21504-21567 22528-22591 23552-23615 24576-24639 25600-25663 26624-26687 27648-27711 28672-28735 29696-29759 30720-30783 31744-31807 32768-32831 33792-33855 34816-34879 35840-35903 36864-36927 37888-37951 38912-38975 39936-39999 40960-41023 41984-42047 43008-43071 44032-44095 45056-45119 46080-46143 47104-47167 48128-48191 49152-49215 50176-50239 51200-51263 52224-52287 53248-53311 54272-54335 55296-55359 56320-56383 57344-57407 58368-58431 59392-59455 60416-60479 61440-61503 62464-62527 63488-63551 64512-64575 '
RULE_1_DMR=2c0f:xxxx:xx:ffff::/64
RULE_COUNT=1
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 map-wan6_4
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:~#
root@OpenWrt:~# ip -6 route
default from 2c0f:xxxx:yy:10::1000 via fe80::c6ad:34ff:fee1:2a0 dev eth0.2 metric 4096
default from 2c0f:xxxx:xx::/60 via fe80::c6ad:34ff:fee1:2a0 dev eth0.2 metric 4096
2c0f:xxxx:xx::6643:6a00:0 dev map-wan6_4 metric 1024
2c0f:xxxx:xx::/64 dev br-lan metric 1024
unreachable 2c0f:xxxx:xx::/60 dev lo metric 2147483647
fdad:b692:d8e3::/64 dev br-lan metric 1024
unreachable fdad:b692:d8e3::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev map-wan6_4 metric 256
anycast 2c0f:xxxx:xx:: dev br-lan metric 0
anycast fdad:b692:d8e3:: dev br-lan metric 0
anycast fe80:: dev eth0 metric 0
anycast fe80:: dev eth0.2 metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev map-wan6_4 metric 0
multicast ff00::/8 dev eth0 metric 256
multicast ff00::/8 dev br-lan metric 256
multicast ff00::/8 dev eth0.2 metric 256
multicast ff00::/8 dev map-wan6_4 metric 256
root@OpenWrt:~# cat /proc/net/nat46/control
add map-wan6_4
config map-wan6_4 local.v4 102.xx.xx.0/24 local.v6 2c0f:xxxx:xx::/48 local.style MAP local.ea-len 12 local.psid-offset 6 remote.v4 0.0.0.0/0 remote.v6 2c0f:xxxx:xxxx:ffff::/64 remote.style RFC6052 remote.ea-len 0 remot
root@OpenWrt:~# nft list ruleset
table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname { "eth0.2", "map-wan6_4" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
jump handle_reject
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname { "eth0.2", "map-wan6_4" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname { "eth0.2", "map-wan6_4" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 20580 bytes 1500229 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 4815 bytes 366126 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 66 bytes 17556 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1, nd-neighbor-solicit . 0, nd-neighbor-advert . 0 } limit rate 1000/second burst 5 packets counter packets 2353 bytes 158984 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
iifname "map-wan6_4" ip6 saddr 2c0f:xxxx:xx::6643:6a00:0 counter packets 323 bytes 30384 jump accept_to_wan comment "!fw4: ubus:wan6_4[map] rule 189"
oifname "map-wan6_4" ip6 daddr 2c0f:xxxx:xx::6643:6a00:0 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: ubus:wan6_4[map] rule 190"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
meta nfproto ipv4 oifname { "eth0.2", "map-wan6_4" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
oifname { "eth0.2", "map-wan6_4" } counter packets 55008 bytes 4706017 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname { "eth0.2", "map-wan6_4" } counter packets 2184 bytes 458640 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname { "eth0.2", "map-wan6_4" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
meta nfproto ipv4 meta l4proto tcp oifname "map-wan6_4" counter packets 41 bytes 2132 snat ip to 102.xx.xx.0:1024-1087 comment "!fw4: ubus:wan6_4[map] nat 1"
meta nfproto ipv4 meta l4proto udp oifname "map-wan6_4" counter packets 3 bytes 220 snat ip to 102.xx.xx.0:1024-1087 comment "!fw4: ubus:wan6_4[map] nat 2"
meta nfproto ipv4 meta l4proto tcp oifname "map-wan6_4" counter packets 0 bytes 0 snat ip to 102.xx.xx.0:2048-2111 comment "!fw4: ubus:wan6_4[map] nat 4"
meta nfproto ipv4 meta l4proto udp oifname "map-wan6_4" counter packets 0 bytes 0 snat ip to 102.xx.xx.0:2048-2111 comment "!fw4: ubus:wan6_4[map] nat 5"
! snipped
!
meta nfproto ipv4 meta l4proto udp oifname "map-wan6_4" counter packets 0 bytes 0 snat ip to 102.xx.xx.0:64512-64575 comment "!fw4: ubus:wan6_4[map] nat 188"
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname { "eth0.2", "map-wan6_4" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname { "eth0.2", "map-wan6_4" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname { "eth0.2", "map-wan6_4" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
}
chain srcnat_lan {
meta nfproto ipv4 oifname "map-wan6_4" counter packets 0 bytes 0 masquerade comment "!fw4: @nat[0]"
}
}
root@OpenWrt:~# wget -O /dev/null -4 https://www.google.com
Downloading 'https://www.google.com'
Failed to send request: Operation not permitted
root@OpenWrt:~# dmesg
!snipped!
[ 6547.150755] nat46_ipv4_input protocol: 1, len: 92, flags: 01
[ 6547.156643] ICMP echo request translated into IPv6, id: 1
[ 6547.162228] xlate_map_v4_to_v6: IPv4 address 192.168.1.1 outside of MAP domain 102.xx.xx.0/24
[ 6547.171128] [nat46] pairs_xlate_v4_to_v6_outer result: src -1 dst 0
[ 6547.177604] [nat46] Could not find a translation pair v4->v6
[ 6547.183452] [nat46] Could not translate v4->v6
[ 6550.736197] nat46_ipv4_input packet
[ 6550.739827] nat46_ipv4_input protocol: 1, len: 92, flags: 01
[ 6550.745719] ICMP echo request translated into IPv6, id: 1
[ 6550.751294] xlate_map_v4_to_v6: IPv4 address 192.168.1.1 outside of MAP domain 102.xx.xx.0/24
[ 6550.760200] [nat46] pairs_xlate_v4_to_v6_outer result: src -1 dst 0
[ 6550.766675] [nat46] Could not find a translation pair v4->v6
[ 6550.772524] [nat46] Could not translate v4->v6
[ 6554.730179] nat46_ipv4_input packet
[ 6554.733827] nat46_ipv4_input protocol: 1, len: 92, flags: 01
[ 6554.739674] ICMP echo request translated into IPv6, id: 1
[ 6554.745267] xlate_map_v4_to_v6: IPv4 address 192.168.1.1 outside of MAP domain 102.xx.xx.0/24
[ 6554.754170] [nat46] pairs_xlate_v4_to_v6_outer result: src -1 dst 0
[ 6554.760641] [nat46] Could not find a translation pair v4->v6
[ 6554.766491] [nat46] Could not translate v4->v6
[ 6558.727448] nat46_ipv4_input packet
[ 6558.731071] nat46_ipv4_input protocol: 1, len: 92, flags: 01
[ 6558.736958] ICMP echo request translated into IPv6, id: 1
[ 6558.742535] xlate_map_v4_to_v6: IPv4 address 192.168.1.1 outside of MAP domain 102.xx.xx.0/24
[ 6558.751434] [nat46] pairs_xlate_v4_to_v6_outer result: src -1 dst 0
[ 6558.757913] [nat46] Could not find a translation pair v4->v6
[ 6558.763759] [nat46] Could not translate v4->v6