IPv6 nat on LEDE 17.01.4

I want to enable IPv6 NATing on my router, so I installed related packages and set the following configs:

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option dhcpv4 'server'
	option ra 'server'
	option ra_default '1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '1'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

/etc/config/network

config globals 'globals'
	option ula_prefix 'dd45:8215:7b57::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.151.1'

config interface 'wan'
	option ifname 'eth0.2'
	option metric '1'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'e4:95:6e:40:98:e8'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config route6 'route6'
	option metric '1'
	option interface 'wan'
	option target '2000::/3'

When I manually set the gateway option for the route6 config, it works fine; however, when I omit it, I get the "Destination unreachable: Address unreachable" error on clients (using ping -6).


ip -6 r

default from 2001:570:2f4c:931::/64 via fe80::d6ca:6dff:fe31:bf67 dev eth0.2  proto static  metric 512  pref medium
local ::1 dev lo  proto kernel  metric 256  pref medium
2001:470:1f1c:931::/64 dev eth0.2  proto static  metric 256  pref medium
2001:db8::/32 dev veth0  proto kernel  metric 256  pref medium
2000::/3 dev eth0.2  proto static  metric 1  pref medium
dd45:8215:7b57::/64 dev br-lan  proto static  metric 1024  pref medium
unreachable dd45:8215:7b57::/48 dev lo  proto static  metric 2147483647  error -148 pref medium
fe80::/64 dev veth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev br-lan  proto kernel  metric 256  pref medium
fe80::/64 dev eth0.2  proto kernel  metric 256  pref medium
fe80::/64 dev wlan0-1  proto kernel  metric 256  pref medium
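As an added check (not part of the original post), this script reads the `ip -6 r` output above and flags static routes that have no next-hop but cover more than one /64: the kernel installs such a route as on-link, so it tries to neighbor-resolve every global destination on eth0.2 instead of forwarding it, which is exactly what "Address unreachable" indicates. It also prints the next-hop the default route already learned, for comparison. Sample lines are copied from the post; the function names are mine.

```shell
#!/bin/sh
# Sample `ip -6 r` output, copied from the first post in this thread.
SAMPLE='default from 2001:570:2f4c:931::/64 via fe80::d6ca:6dff:fe31:bf67 dev eth0.2  proto static  metric 512  pref medium
2001:470:1f1c:931::/64 dev eth0.2  proto static  metric 256  pref medium
2000::/3 dev eth0.2  proto static  metric 1  pref medium
dd45:8215:7b57::/64 dev br-lan  proto static  metric 1024  pref medium
unreachable dd45:8215:7b57::/48 dev lo  proto static  metric 2147483647  error -148 pref medium
fe80::/64 dev eth0.2  proto kernel  metric 256  pref medium'

# Print static routes with no "via" next-hop whose prefix is shorter than /64.
# A /64 without a gateway is a normal on-link subnet route; anything wider
# (here 2000::/3, i.e. all global unicast) with no next-hop makes the kernel
# treat the whole Internet as directly attached, so neighbor discovery fails
# and clients see "Destination unreachable: Address unreachable".
onlink_static_routes() {
    awk '
        $1 == "unreachable" || $1 == "default" { next }
        {
            via = 0; proto = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "via") via = 1
                if ($i == "proto") proto = $(i + 1)
            }
            split($1, p, "/")
            if (proto == "static" && !via && p[2] + 0 < 64) print $1
        }'
}

# Print the next-hop of the default route. On this router it is the upstream
# router's link-local address, which was learned from router advertisements
# and is what the hand-written 2000::/3 route is missing.
default_gateway() {
    awk '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

printf '%s\n' "$SAMPLE" | onlink_static_routes   # prints 2000::/3
printf '%s\n' "$SAMPLE" | default_gateway        # prints fe80::d6ca:6dff:fe31:bf67
```

On a live router replace the sample with `ip -6 r | onlink_static_routes`; an empty result means no gateway-less catch-all route is installed.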

Ummm...you do know there is no such thing as NAT in IPv6, right???

What are you trying to solve?

Every host must have a public IPv6 address to be reachable from the Internet. You also need to properly firewall your IPv6 for security purposes. IPv6 was designed with enough addresses that it would be inconceivable to run out before IPv8 needs to be released (odd numbering tends to be for test IP protocols).

Perhaps you should take an IPv6 class: https://ipv6.he.net/certification/

It's free...and they teach you how to set up an OpenWRT router...

Not to be contrarian, I guess non-existence might be a bit too harsh:

https://blog.apnic.net/2018/02/02/nat66-good-bad-ugly/

https://tools.ietf.org/html/rfc6296

But also read https://tools.ietf.org/html/rfc5902 for reasons why IPv6 NAT might not be that good an idea...

I need IPv6 NATing to set up a VPN on my router.

Also there is an article on OpenWRT wiki: https://wiki.openwrt.org/doc/howto/ipv6.nat6

OK...I think that might be a bit of wording semantics; but I understand your point.

From: https://tools.ietf.org/html/rfc6296

EXPERIMENTAL
Errata Exist
Request for Comments: 6296
Category: Experimental

The Errata still lists this document as experimental.

From: https://tools.ietf.org/html/rfc5902

INFORMATIONAL
Request for Comments: 5902
Category: Informational

And from: https://tools.ietf.org/html/rfc7934

BEST CURRENT PRACTICE
Errata Exist

2. Common IPv6 Deployment Model

IPv6 is designed to support multiple addresses, including multiple
global addresses, per interface

Then best practice would be to set up a /48 on the VPN server to route a /64 to your VPN tunnel.

Interesting!

What step are you having issues with?

As I mentioned in my question, the problem is related to setting the gateway in route6 config.

What is the gateway address when you omit it?

fe80::d6ca:6dff:fe31:bf67 is set for the default route, which is absent in 2000::/3; please check the output of ip -6 r in the first post.

WHOA...Are you saying...

is your public IPv6 gateway...?

Otherwise, you're completely missing my question.

And to be honest, I don't see a gateway anywhere else...so what's the issue with specifying that gateway IP?

of course not, it is the local IP of my upstream router

I don't want to manually set it every time I want to change the location of my router!

WHAT!?!?
...nowhere did you mention this router is downstream of your border...it helps to know information regarding your config if you want assistance.

LOL...

  • Please explain how you make a static route on a router, without specifying a gateway???
  • How often do you relocate a router?
  • Did you set up DHCPv6 on the upstream router (that should fix it)?

ra is installed on upstream router (but not DHCPv6)

every day!

I'm almost certain the specs you wish to hand out (i.e. a gateway you specify to the downstream OpenWRT's WAN port), you'll need DHCPv6...since you don't want to set it statically.

I'll give it a try, thanks for the help


If I understand correctly, you want to do something with respect to a VPN on what is essentially a travel router?

If you can explain the topology that you have, and the actual final goal, I'm sure we could help you a bit more, both to determine whether NAT is even needed and then to determine how to achieve the ultimate goal.

EDIT: for example I use ipv6 NAT to rewrite DNS requests and force LAN clients to use my DNS server, but this is one of the very few instances where I'd recommend NAT66. I also use NAT64 to give ipv4 connectivity to my ipv6 only LAN clients... but that's a separate type of NAT. Some people use NPT6 to rewrite the network prefix so that they can control the situation where their ISP changes the network numbering on them... like if there's a power outage, there are some limited cases like this where NAT is applicable but the default should always be to see if you have a solution that doesn't involve any NAT at all.


For what it is worth, IMHO as long as one does not re-map the port numbers everything should be sort of acceptable... re-mapping the IP address itself should be relatively free of undesired side effects (I guess it will not work nicely with IPSEC)

One of the great things about VOIP over ipv6 is the lack of NAT. Even 1-1 NAT such as NPT would potentially break VOIP since it sends the ip address bare inside the messages. My general feeling is seek any solution at all that doesn't involve NAT, and only then start to think about NAT.