for my sake, so IPv4 NAT should be ok as is if internet is working? ok..
But what about Firewall? Having internet doesnt meant it's configured correctly right?
Yes, tests were there all the time to check that.
Run ping or tracer(ou)t(e) -4/-6 from the client.
How to ping/traceroute with -4 and -6 ?
in command line, ping google.com / ping -6 google.com
On the router do:
opkg update , opkg install tracepath to install the tracepath utility:
then
- run
tracepath -4 www.google.deand post the output here - run
tracepath -6 www.google.deand post the output here
this tests whether the router itself can use IPv4 and IPv6 (which likely is the case) it will also return information about the path MTU.
The next step is to repeat this exercise (using traceroute) on one of the machines in your local home network to check that they have working IPv4 and IPv6 as well.
Regarding the firewall, please post the output of (BUT PLEASE REACT YOUR ISP USERNAME AND PASSWORD, as I have not gotten any more trust worthy 
)
cat /etc/config/networkcat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
option mask is = 1, but doesnt that mean that IPv4 NAT is on? Wiki/Doc said it needs to be deactivated for when using DS-Lite
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:2555::/48'
config dsl 'dsl'
option annex 'b'
option tone 'b'
option ds_snr_offset '0'
option xfer_mode 'ptm'
option line_mode 'vdsl'
option firmware '/etc/config/vr9-B-dsl.bin'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr 'xxx'
config device
option name 'lan2'
option macaddr 'xxx'
config device
option name 'lan3'
option macaddr 'xxx'
config device
option name 'lan4'
option macaddr 'xxx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'dsl0'
option macaddr 'xxx'
config interface 'wan'
option device 'dsl0.7'
option proto 'pppoe'
option username 'Hinternet/xxxxxx-xxx@de-access.de'
option password 'xxx'
option ipv6 '1'
option peerdns '0'
list dns '9.9.9.9'
list dns '149.112.112.112'
config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2620:fe::fe'
list dns '2620:fe::9'
config device
option name 'ds-wan6_4'
option mtu '1452'
option mtu6 '1452'
Now, I am not the biggest fan of their recommendations, but maybe use:
https://www.grc.com/x/ne.dll?bh0bkyd2
to get an idea about your firewall... please note that I do not share the idea that stealth is better than closed, this is just a quick way to do some sanity checking of the firewall.
Honest advise: ALWAYS configure a firewall on all devices, do not expect the router firewall to be impenetrable and layer your defenses in depth...
2 Likes
It is disabled automatically in the DS-Lite setup script: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=ba6689b064a745dfc07424513d6b283d6f625cf8
By the way, there is no hard technical requirement for NAT to be disabled when using DS-Lite. There is just no need for it, as the AFTR on the providers side already performs NAT (the stateful firewall in OpenWrt is still active for IPv4 with DS-Lite, so this is not a security issue).
1 Like
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.