makes total sense to me now. I am new to all these ipv6 adressing and address assigning. that lets me overlook some of the obvious solutions (brain still softwired for ipv4 problem solving)
It took a time to IPv6 running properly, althought NAT is not yet there. The pointers you gave we were a bit confusing (probably my fault). You have already been very patient with me, I see that and appreciate that. I really try to understand how this works and as part of that having many questions is a good sign on my side
I am beginning to understand what the port forwarding rule you gave me is doing:
The part that I do not yet understand is
-m comment --comment "DNAT WG0". Is the DNAT expicitly necessary, since the '--to-destination' address is already specified?
And then which interface is WG0? Why do we need to declare it and wil the interface address be used in DNAT translation?
I followed this guide and it works for me:
There is one part I decided not to do because I do not understand why it would be necessary. Maybe someone understands better why this may be useful:
If you are handing out only local addresses (i.e. not part of delegated prefix from your upstream), change the first letter of the IPv6 ULA prefix.
uci set network.globals.ula_prefix="$(uci get network.globals.ula_prefix | sed -e "s/^./d/")"
This was just an example. Which you have to adjust to your needs.
-t nat (type nat table)
-A PREROUTING (changing destination address)
-i eth0.2 (not necessary; but needed if you want handle traffic from a specific source)
-p udp (port type tcp, udp)
--dport (the port what the other side wants to reach)
-j DNAT (firewall target)
--to-destination (IP and port from destination machine)
-m comment (load module comment to allow comments; you want that if you have a lot of rules and issue a command like "iptables -L -v -n")
--comment (any usefull comment for the rule; you can write whatever you want)
In my example I'm redirecting the traffic incomming on WAN/port 4500 to a wireguard interface with specified address/port.
There is a reference linked why:
The default ULA (Unique local address) prefix represents an address that is not globally routed on the internet by design. A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address to ensure traffic goes over IPv6 by default when possible.
When changing the ULA prefix, it doesn't necessarily have to start with d, but to avoid conflicts, you should use a prefix that is not being used yet. The letters are unassigned and therefore safe choices.
Using your ISP assigned prefix as ULA works, too. However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, since it can cause address conflicts once the prefix changes. If you have a static prefix that you can delegate across your LAN, then you won't need to change your ULA prefix.
OK, so to be clear, -i eth0.2 is the interface where the connection request comes in, so in your case it is the WAN interface? And in your case the destination address is reached via WG= wireguard interface?
There is a reference linked why:
Oh thanks, I did read that before and it explains what ULA a is and that it should not be routable. I knew that already.
The part that I do NOT understand is why that guide advises to change the ULA so that is not officially a ULA any more and so that it becomes routable on the Internet.
Why would that be necessary if you to NAT and your external interface has a public prefix adress that is routable? The internal ULA prefix addresses would never show up on the Internet? So why change the ULA prefix to make it routable?
Exactly. My wireguard interface is reached with ip and port given as destination.
The answer was already in the quote of the link:
That is that what masquerading is about. Hiding "internal" addresses by acting with only one address for all clients.
Thanks guys you were super helpful!
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.