Configuring a dual-stack network with NAT support and ds-lite

Installing and Using OpenWrt Network and Wireless Configuration
1

So a few months ago I finally switched internet providers and got an IPv6 address ('bout time!).
I managed to setup my network using both DHCPv6 and a DS-Lite tunnel, but I wanted to have public access via IPv4 in case I need to access my network from an IPv4 only network in the future, so I setup an extra interface via PPPoE:

2023-05-24_23:49:32
2023-05-24_23:49:321591×1269 264 KB

I setup a few NAT rules and for weeks I've been scratching my head, why does the port forwarding not work? I assumed something about the firewall must be failing, until finally today I figured out, the firewall was correctly forwarding the packets to their destination nodes inside the network, but those nodes had no way to reach back through the PPPoE interface to their destination! I confirmed this by enabling a default route on the PPPoE interface. Unfortunately, this setup will forego the faster DS-Lite tunnel and forward all IPv4 traffic through the slow PPPoE tunnel.

How can I setup OpenWRT to enable outside IPv4 connections via PPPoE, but still have default routes going through DS-Lite? Thanks!

2

Re-enable the default gateway on the pppoe interface, but set a metric for it.
Install the pbr package.

Let's say you set port forwarding to port 22 on an internal device with IP address 192.168.1.101.
To make the router return the reply through the pppoe interface, you will need to create a policy like this:

config policy
        option name 'SSH'
        option src_port '22'
        option interface 'pppoe'
        option proto 'tcp'
        option src_addr '192.168.1.101'
        option enabled '1'
1 Like
3

Oh nice! That looks way simpler than what I was looking at, thanks!
I ran into a method using firewall marks:

iptables -A PREROUTING -i eth1 -t mangle -p tcp -s 192.168.12.145 --sport 80 -d !192.168.0.0/20 -j MARK --set-mark 0x20

Then using adding a new routing table and using fwmark to route :

ip rule add priority 100 fwmark 0x20 table pppoe

Now that I think about it, maybe this is what pbr is doing under the hood though? :thinking:

There is also another method I'd like to try using conntrack outlined here:

Not entirely sure how to implement it inside openwrt since I'm not very familiar with nftables, but it should be more transparent I imagine? Would this work?

Edit: your suggestion works like a charm, thank you so much!

1 Like
4

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.