Ip6nat on 19.07.10

Hello,

The main goal is to set up ProtonVPN's tunnel through WireGuard.
As far as IPv4 goes it works well; by default the traffic goes through the tunnel (I had to play with metric values [1 for VPN, 10 for the local gateway]), but the provider doesn't offer any dedicated public prefix.

I think I have no choice but to use IPv6/NAT6, because I don't have a choice (no dedicated prefix).

Weird thing: it doesn't look like it gets IPv6 on the regular WAN anymore.
It's in AP+STA mode (meaning the WAN link is on wwan: one antenna for WAN, one antenna plus the switch for LAN).

I have tried so many config files and uci commands...

Thank you very much for your help!

For me, it's coming from this:

/etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @zone[1].masq6 is unknown
Warning: Option @zone[1].ipv6 is unknown
Warning: Option @zone[2].masq6 is unknown

I don't know if it's critical or just a software change/evolution that I can ignore...

Is there a bug?

I have no choice but to use NAT6 or something like it.

I have little knowledge of networks, and of Linux ones too.

Thank you very much for your replies.

I deliberately added it here and not on pastebin, to get the whole thing in one place, and especially because pastebins vanish after a while of not being read...

Here it is:
OpenWrt 19.07.10, r11427-9ce6aa9d8d

[..]
kmod-ip6tables - 4.14.275-1
kmod-ip6tables-extra - 4.14.275-1
kmod-ipt-nat6 - 4.14.275-1
kmod-nf-conntrack6 - 4.14.275-1
kmod-nf-ipt6 - 4.14.275-1
kmod-nf-nat6 - 4.14.275-1
kmod-nf-reject6 - 4.14.275-1
kmod-nft-nat6 - 4.14.275-1
kmod-udptunnel6 - 4.14.275-1
kmod-wireguard - 4.14.275+1.0.20200611-2
[..]
interface: wg0
  public key: XXXX......
  private key: (hidden)
  listening port: 57826

peer: XXXXXX....
  endpoint: 169.150.196.83:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 14 seconds ago
  transfer: 2.28 MiB received, 381.02 KiB sent
  persistent keepalive: every 25 seconds
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e8:94:f6:51:8c:2e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ea94:f6ff:fe51:8c2e/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether e8:94:f6:51:8c:2f brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:94:f6:51:8c:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 ddec:225b:dee1::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::ea94:f6ff:fe51:8c2e/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether e8:94:f6:51:8c:2e brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:94:f6:51:8c:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.43/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::ea94:f6ff:fe51:8c2e/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether ea:94:f6:51:8c:2e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e894:f6ff:fe51:8c2e/64 scope link 
       valid_lft forever preferred_lft forever
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.2.0.2/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd54:20a4:d33b:b10c:0:2:0:2/128 scope global 
       valid_lft forever preferred_lft forever

Network file:

======================================

        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        #option ula_prefix 'ddec:225b:dee1::/48'
        option ula_prefix 'ddec:225b:dee1::1/64'
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option ip4table '2'

config interface 'wwan'
        option proto 'dhcp'
        option metric '10'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option ip6table '2'
        option sourcefilter '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip4table '1'
        option ip6table '1'
        list ip6class 'local'

[....]
config interface 'wg0'            
        option proto 'wireguard'
        list addresses '10.2.0.2/32 fd54:20a4:d33b:b10c:0:2:0:2/128'
        option delegate '0'                     
        option metric '1'                       
        list dns '10.2.0.1 fd54:20a4:d33b:b10c:0:2:0:1'
        option private_key 'mysecretkey'
                           
config device              
        option name 'eth0'
                       
config device              
        option name 'wg0' 

config wireguard_wg0   
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0 ::/0'
        option route_allowed_ips '1'
        option description 'wg0'
        option public_key 'abcd'
        option endpoint_host '1.2.3.4'
        option persistent_keepalive '25'
                              
config rule 'lan_wan'        
        option lookup '2'          
        option priority '40000'       
                             
config rule6 'lan_wan6'    
        option lookup '2'  
        option priority '40000'

========================================

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option ipv6 'auto'


config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'


config forwarding              
        option src 'lan'       
        option dest 'wan'      
[.....]                               
config zone                    
        option name 'vpnzone'  
        option input 'REJECT'  
        option forward 'REJECT'
        option output 'ACCEPT' 
        option masq '2'        
        option mtu_fix '1'     
        list network 'wg0'     
        option masq6 '1'       
                               
config forwarding              
        option src 'lan'       
        option dest 'vpnzone'  
                               
    
config include                                  
        option path '/etc/firewall.user'    

=================================

My firewall restart results:

/etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @zone[1].masq6 is unknown
Warning: Option @zone[1].ipv6 is unknown
Warning: Option @zone[2].masq6 is unknown
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'vpnzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
   * Zone 'vpnzone'
     - Using automatic conntrack helper attachment
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'vpnzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpnzone_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpnzone_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnzone'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

============================

lsmod | grep nat6

[blank]

============================

ip -6 rule show; ip6tables-save -c
0:	from all lookup local 
20000:	from all to ddec:225b:dee1::1/64 lookup 1 
32766:	from all lookup main 
40000:	from all lookup 2 
90006:	from all iif lo lookup 1 
4200000001:	from all iif lo failed_policy
4200000006:	from all iif br-lan failed_policy
4200000009:	from all iif wlan0 failed_policy
4200000011:	from all iif wg0 failed_policy
# Generated by ip6tables-save v1.8.3 on Tue Dec 19 14:30:30 2023
*nat
:PREROUTING ACCEPT [26:11274]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Dec 19 14:30:30 2023
# Generated by ip6tables-save v1.8.3 on Tue Dec 19 14:30:30 2023
*mangle
:PREROUTING ACCEPT [54:13994]
:INPUT ACCEPT [11:880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnzone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnzone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Dec 19 14:30:30 2023
# Generated by ip6tables-save v1.8.3 on Tue Dec 19 14:30:31 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnzone_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnzone_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnzone_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnzone_dest_ACCEPT - [0:0]
:zone_vpnzone_dest_REJECT - [0:0]
:zone_vpnzone_forward - [0:0]
:zone_vpnzone_input - [0:0]
:zone_vpnzone_output - [0:0]
:zone_vpnzone_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[11:880] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[11:880] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_vpnzone_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_vpnzone_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_vpnzone_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnzone forwarding policy" -j zone_vpnzone_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnzone_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnzone_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpnzone_forward -m comment --comment "!fw3: Custom vpnzone forwarding rule chain" -j forwarding_vpnzone_rule
[0:0] -A zone_vpnzone_forward -m comment --comment "!fw3" -j zone_vpnzone_dest_REJECT
[0:0] -A zone_vpnzone_input -m comment --comment "!fw3: Custom vpnzone input rule chain" -j input_vpnzone_rule
[0:0] -A zone_vpnzone_input -m comment --comment "!fw3" -j zone_vpnzone_src_REJECT
[0:0] -A zone_vpnzone_output -m comment --comment "!fw3: Custom vpnzone output rule chain" -j output_vpnzone_rule
[0:0] -A zone_vpnzone_output -m comment --comment "!fw3" -j zone_vpnzone_dest_ACCEPT
[0:0] -A zone_vpnzone_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[11:880] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[10:720] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:160] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Dec 19 14:30:31 2023

19.07 is EOL, you should upgrade.

You should also:

Just make sure you "sandwich" your text between two rows of backtick characters ` (which themselves will be invisible in the preview) looking in something like this in the editor:
```
Your Pasted Text as preformatted text with fixed width font
1
1111 (note with fixed-width fonts the numbers are right-aligned)
```
but looking like this in the rendered forum:

Your Pasted Text as preformatted text with fixed width font
   1
1111 (note with fixed-width fonts the numbers are right-aligned)

Corrected, even if it's far from my priority :wink:

As you've found, the masq6 setting doesn't exist in version 19 and so it would be much easier to implement this use case on a later version as IPv6 support has been enhanced.

That is because you have set wireguard to route_allowed_ips with a ::0/0 route, which replaced your direct to ISP v6 default route. But then access to the Internet via VPN does not work because it is not NATd.

So NAT6 is just unavailable on version 19 at all?

Should I downgrade to version 18? I'm unsure my tiny-space router would appreciate version 20...

The one-line shortcut setting in the firewall doesn't exist. I think there was a documented workaround by writing custom iptables rules. That was before I got involved much with v6 though.

It should also be noted that iptables itself is deprecated now.
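As an added example (not code from this thread or from OpenWrt itself), this is what the custom-rule workaround on 19.07 looks like when put in /etc/firewall.user, which the restart log above shows fw3 running after it has built its own tables. It assumes the tunnel interface is wg0, as in the config above, and uses a hypothetical LAN prefix (put whatever /64 br-lan actually carries). It also explains the empty `lsmod | grep nat6` result: on the 4.14 kernel from the package list the IPv6 NAT modules are named ip6table_nat and nf_nat_ipv6, so nothing matches the string "nat6" even when they are loaded (the ip6tables-save output above already shows a *nat table, so the table module is present).

```shell
#!/bin/sh
# Added example, not from this thread: the "custom iptables rules" workaround for
# OpenWrt 19.07, where fw3 has no 'masq6' zone option (hence the "unknown option"
# warnings). Meant to live in /etc/firewall.user, which fw3 runs after it has
# built its own tables, so the rule survives a 'firewall restart'.
# Assumptions: the tunnel interface is wg0 (as in the thread) and the LAN uses the
# hypothetical ULA prefix below; change both to match your network.
TUN_IF="${TUN_IF:-wg0}"
LAN6="${LAN6:-fd00:0:0:1::/64}"

# Reads 'lsmod' output on stdin and succeeds only if the IPv6 NAT core modules are
# present. On kernel 4.14 they are named ip6table_nat and nf_nat_ipv6 (the
# MASQUERADE target pulls in nf_nat_masquerade_ipv6 on demand); none of those
# names contains "nat6", which is why 'lsmod | grep nat6' prints nothing.
nat6_modules_loaded() {
    awk '$1 == "ip6table_nat" || $1 == "nf_nat_ipv6" { seen++ }
         END { exit (seen == 2) ? 0 : 1 }'
}

# Rule body (chain + matches + target) for masquerading LAN-sourced IPv6 that
# leaves through the tunnel: the equivalent of what 'masq6' generates on newer
# releases. Returned as one string so the -C (check) and -A (append) calls use
# identical text and the rule is never duplicated on reload.
nat6_rule_args() {
    printf 'POSTROUTING -s %s -o %s -m comment --comment nat6-%s -j MASQUERADE' "$1" "$2" "$2"
}

apply_nat6() {
    modprobe ip6table_nat 2>/dev/null || true
    modprobe nf_nat_ipv6 2>/dev/null || true
    if ! lsmod | nat6_modules_loaded; then
        echo "IPv6 NAT modules not loaded; check kmod-ipt-nat6 / kmod-nf-nat6" >&2
        return 1
    fi
    rule=$(nat6_rule_args "$LAN6" "$TUN_IF")
    # $rule is deliberately unquoted: it must split into separate arguments.
    ip6tables -t nat -C $rule 2>/dev/null || ip6tables -t nat -A $rule
}

# Only touch the live firewall on a box that actually has the tunnel interface.
if [ "$(id -u)" = 0 ] && [ -d "/sys/class/net/$TUN_IF" ]; then
    apply_nat6 || echo "nat6 rule not applied" >&2
fi
```

After a `/etc/init.d/firewall restart`, `ip6tables -t nat -S POSTROUTING` should list the rule with the nat6-wg0 comment; since fw3 flushes the IPv6 nat table on every restart and then re-runs firewall.user, the -C/-A pair keeps it to exactly one copy.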

How do I get IPv6 through WireGuard's VPN when the provider doesn't offer a public prefix?
Like NAT6?
I've become totally lost...

Which VPN service are you using? Do they have any documents on v6 support? I thought most of the commercial VPNs only have v4 in the tunnel.

Presumably they will NAT again on their side on the way out to the Internet. You may only need to know the link-local of their Wireguard interface on their end of the tunnel and throw packets at it as the default gateway.

For anything IPv6 to work, you will need to manually configure a link-local onto your end of the tunnel. The MAC derived one from the other interfaces can be used. It doesn't matter if the same link-local exists on different links.

Have you tried instantiating a v6 DHCP interface aliased to the tunnel? That would look something like this:

config interface 'wg_6'
    option ifname '@wg0'
    option proto 'dhcpv6'

At least on version 22 or 23 this will attempt to get any IPv6 service advertised from the other end.

Also try probing for v6 routers:
ping ff02::2%wg0

I really can't say if any of this will work on version 19. At least when trying out a new concept, it would be best to find hardware that can run the latest version as you'll get better answers to questions here. After you have it working you could try to back-port and shoehorn it into your antique stuff as a separate project.
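Putting the link-local address and the aliased DHCPv6 interface from the reply above together, as an added example (not code from the reply or from OpenWrt): it derives the EUI-64 link-local from eth0's MAC the way the kernel did for fe80::ea94:f6ff:fe51:8c2e in the ip addr output, prints the uci commands, and only applies them when run with `apply` on the router. The alias name wg0_6 and the choice of eth0 as the MAC source are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: give the router's end of the WireGuard
# tunnel a link-local address and attach a DHCPv6 client to it, as suggested in
# the reply above. Assumptions: the tunnel interface is wg0, the link-local is
# derived from eth0's MAC (e8:94:f6:51:8c:2e in the 'ip addr' output), and the
# alias name wg0_6 is arbitrary. Run with 'apply' on the router to change config.

# Drop leading zeros from one 16-bit group ("0211" -> "211") so the address
# prints in canonical form.
strip0() {
    v=$1
    while [ "${v#0}" != "$v" ] && [ ${#v} -gt 1 ]; do v=${v#0}; done
    printf '%s' "$v"
}

# EUI-64 link-local from a MAC (RFC 4291): flip the universal/local bit (0x02)
# of the first octet and insert ff:fe between the two halves. For
# e8:94:f6:51:8c:2e this gives fe80::ea94:f6ff:fe51:8c2e, the same address the
# kernel already put on eth0 above.
ll_from_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    old_ifs=$IFS; IFS=:
    set -- $mac
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    b1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    printf 'fe80::%s:%s:%s:%s\n' "$(strip0 "$b1$2")" "$(strip0 "${3}ff")" \
        "$(strip0 "fe$4")" "$(strip0 "$5$6")"
}

# Print the uci commands for the link-local on the wireguard interface plus a
# DHCPv6 client aliased to it ('@wg0' is the 19.07 alias syntax as in the reply;
# 'reqprefix no' because the provider delegates nothing).
wg6_uci_commands() {
    tun=$1
    ll=$(ll_from_mac "$2") || return 1
    cat <<EOF
uci add_list network.$tun.addresses='$ll/64'
uci set network.${tun}_6=interface
uci set network.${tun}_6.ifname='@$tun'
uci set network.${tun}_6.proto='dhcpv6'
uci set network.${tun}_6.reqaddress='try'
uci set network.${tun}_6.reqprefix='no'
uci commit network
EOF
}

if [ "${1:-}" = apply ] && command -v uci >/dev/null 2>&1; then
    wg6_uci_commands wg0 "$(cat /sys/class/net/eth0/address)" | sh -e
    /etc/init.d/network reload
    sleep 5
    # Probe for a router on the far side of the tunnel, then check what the
    # DHCPv6 client and the routing table ended up with.
    ping -c 3 "ff02::2%wg0"
    ip -6 addr show dev wg0
    ip -6 route show default
fi
```

If ff02::2%wg0 answers and a default route via wg0 appears after the reload, the far end is advertising itself as a router and the aliased client has something to talk to; if neither happens, the provider's side is not offering IPv6 service on the link and the NAT6 route through the tunnel address is what remains.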

Well, correct me if I'm wrong :slight_smile:
The idea, for me :slight_smile:
It's ProtonVPN; they offer IPv6 access as well as IPv4.
They do not offer a dedicated prefix, so I have to NAT64 my LAN.
I can effectively ping6 the internet through the WireGuard interface.
I just don't think I'm able to "just" provide a DHCPv6 server on my LAN, due to the absence of a dedicated public prefix.
That's why all my hope has to go into NAT64... to make it work through WireGuard/OpenWrt.

traceroute6 google.Fr
traceroute to google.Fr (2a00:1450:4007:80c::2003), 30 hops max, 64 byte packets
 1  fd54:20a4:d33b:b10c:0:2:0:1 (fd54:20a4:d33b:b10c:0:2:0:1)  18.262 ms  19.062 ms  20.413 ms
 2  unn-ams.cdn77.com (2a02:6ea0:c041::1335)  20.513 ms  unn-ams.cdn77.com (2a02:6ea0:c041::1336)  22.781 ms  17.986 ms
 3  vl223.ams-eq6-core-1.cdn77.com (2a02:6ea0:1::210)  26.674 ms  vl224.ams-eq6-core-2.cdn77.com (2a02:6ea0:1::214)  22.177 ms^C

I already have this :slight_smile:

config interface 'wan6'               
        option ifname 'eth1'          
        option proto 'dhcpv6'         
        option ip6table '2'           
        option sourcefilter '0'   

Or maybe I might add it there?

config interface 'wg0'           
        option proto 'wireguard'   
        list addresses '10.2.0.2/32 fd54:20a4:d33b:b10c:0:2:0:2/128'
        option delegate '0'                                         
        option metric '1'                                           
        list dns '10.2.0.1 fd54:20a4:d33b:b10c:0:2:0:1'             
        option private_key 'secret'

I fell on this:

No way to get better information about how the fe:: might be configured?...

Could you explain that part a bit more precisely, please?
I don't really understand how to do it...
Thanks!