MultiWAN - Masq6 only on backup interface

Hi all,

I've been searching for a good solution for this for a while now, so I thought I would finally ask about it here.

Here is my scenario as it is currently laid out:

  • Primary internet (wan) on cable internet with Verizon LTE home gateway backup (wanb) in bridge mode
  • Primary provides native IPv6 with PD (/56)
  • Secondary provides only /64 without PD (it's LTE - this is not fixable)
  • MWAN is enabled for IPv4 interfaces, disabled for IPv6 at the moment

Since the LTE secondary is only for backup and will only be used if the primary is down, I want to keep my native IPv6 from the cable provider and only route v6 traffic through the backup if there's a failure. I'm trying to prevent full-on NAT6 due to multihoming without BGP.

I've tested multiple scenarios related to v6 routing without nat6 - permutations of allowing PD through the wan interface while trying to do numerous different tests to see if I could also present addresses from the backup /64 while doing policy routing and translation, but that's been insane and I recognize that I'm insane for trying to make it so complicated.

So I got the idea - what if I enabled masq6 outbound only on the LTE interface so that during outages, I still get ipv6 but in a 'degraded' state, of sorts. I am not certain how the primary's GUA addresses will react to losing the upstream, I'm not versed enough on IPv6 to know if routes get withdrawn in a way that takes precedence over other routing. I suspect that this won't matter if OpenWRT is sending RAs with default gateway set to forced so it always advertises itself as default - even if there's only link-local addressing theoretically I might still be able to figure out a way to route outbound v6 until I get the primary back and the PD starts distributing addresses again.

I just upgraded to 22.03 so I'm not quite certain how to enable masq6 on a single outbound interface - I'm not so well versed with nft vs ipt and there's no easy way to do this ass-backwards configuration in LuCI.

Does anyone have any configuration suggestions or better ideas for me? As it stands, my backup is not really used enough to pursue this much more than I already have -- it was just a problem and it was bugging me that I hadn't figured it out. If I'm down, the IPv4 backup with the small lag of IPv6 timeouts is acceptable... I'm just being the stereotypical IT geek that gets bugged by things not working. :)


I would suggest that you separate the backup LTE into its own firewall zone, then the question "how to enable masq6 on a single outbound interface" becomes moot.

On the other hand, you don't need to fully enable masq6. LTE delegates the whole /64 prefix to you, and OpenWrt knows this. My own configuration is to use NPT6 for the first /64 subnet and masq6 for the rest. Here is my script; save it as /etc/firewall.nat6 and make it executable:


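. /lib/functions/network.sh

# IPv6 NAT (horrible)
ip6tables -t nat -F PREROUTING
ip6tables -t nat -F POSTROUTING
ULA=$(uci get network.globals.ula_prefix)
for IFACE in $(uci show mwan3 | sed -n '/=interface/s/^mwan3\.\(.*\)=interface/\1/ p') ; do
  network_get_device DEVICE $IFACE || continue
  network_get_prefix6 PREFIX $IFACE || continue
  # BITS, ULA_PART and FIRST_IP are not defined in the script as posted; the
  # three assignments below are an assumed derivation from PREFIX and ULA.
  BITS=${PREFIX##*/}            # length of the WAN prefix
  if [ "$BITS" -le 48 ] ; then BITS=48 ; fi
  ULA_PART=${ULA%%/*}/$BITS     # ULA network cut to the same length
  FIRST_IP=${PREFIX%%/*}1       # assumed: <prefix>::1, the router's own address
  echo "Mapping $ULA_PART <-> $PREFIX for $IFACE (on $DEVICE)"
  # Traffic addressed to the router itself stays on the router
  ip6tables -t nat -A PREROUTING -d $FIRST_IP -j REDIRECT
  # Inbound: map the WAN prefix onto the ULA range
  ip6tables -t nat -A PREROUTING -d $PREFIX -j NETMAP --to $ULA_PART
  # Outbound: map ULA sources back to this WAN's prefix
  ip6tables -t nat -A POSTROUTING -s $ULA_PART -m conntrack --ctorigdst $PREFIX -j NETMAP --to $PREFIX
  ip6tables -t nat -A POSTROUTING -s $ULA_PART -o $DEVICE -j NETMAP --to $PREFIX
  # Anything else leaving through this WAN is masqueraded
  ip6tables -t nat -A POSTROUTING -o $DEVICE -j MASQUERADE
done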

Note: you need iptables-nft and ip6tables-nft installed, this won't work with legacy iptables on 22.03. Also, you need iptables-mod-nat-extra because of the NETMAP target.

Then add to /etc/config/firewall:

config include
	option path '/etc/firewall.nat6'

Then, in /etc/config/network, add this to the definition of lan:

config interface 'lan'
	list ip6class 'local'

After the reboot of the router, all devices in the LAN will now have only ULAs, but will still be reachable from outside using GUAs. E.g., look at the PC from which I am writing this:

$ ip a list dev wlp4s0
4: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f8:62:aa:60:0a:23 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute wlp4s0
       valid_lft 30262sec preferred_lft 30262sec
    inet6 fd7b:7d49:75e3:0:67d7:f802:8e2e:48d1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::172a:21b5:c214:24ab/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

However, it is reachable from outside via 2001:fd8:f090:9eb8:67d7:f802:8e2e:48d1 (on fiber) and 2405:8d40:b50:a171:67d7:f802:8e2e:48d1 (on LTE), and obviously can reach the IPv6 part of the internet.
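
Added example, not part of the original posts: a small Python model of the NETMAP-then-MASQUERADE logic in the script above, useful for checking which global address a given LAN host ends up with on each WAN. The ULA /48 and the two WAN /64 prefixes are assumptions inferred from the addresses quoted in the post; the function names are hypothetical.

```python
import ipaddress

def netmap(addr, to_net):
    """NETMAP semantics: keep the host bits of addr, take the network bits from to_net."""
    addr = ipaddress.IPv6Address(addr)
    to_net = ipaddress.IPv6Network(to_net)
    host_bits = int(addr) & int(to_net.hostmask)
    return ipaddress.IPv6Address(int(to_net.network_address) | host_bits)

def egress_translation(src, ula, wan_prefix):
    """Model the POSTROUTING rules for one WAN; returns (action, new_source)."""
    src = ipaddress.IPv6Address(src)
    ula = ipaddress.IPv6Network(ula)
    wan = ipaddress.IPv6Network(wan_prefix)
    bits = max(wan.prefixlen, 48)  # same clamp as BITS in the script
    ula_part = ipaddress.IPv6Network((ula.network_address, bits))
    wan_part = ipaddress.IPv6Network((wan.network_address, bits))
    if src in ula_part:
        # 1:1 prefix translation, the interface identifier survives
        return "netmap", netmap(src, wan_part)
    # Sources outside the mapped part fall through to the MASQUERADE rule
    return "masquerade", None

# Assumed values, inferred from the addresses quoted in the post
ULA = "fd7b:7d49:75e3::/48"
WANS = {"fiber": "2001:fd8:f090:9eb8::/64", "lte": "2405:8d40:b50:a171::/64"}

if __name__ == "__main__":
    hosts = [
        "fd7b:7d49:75e3:0:67d7:f802:8e2e:48d1",  # the PC from the post (first /64)
        "fd7b:7d49:75e3:1::10",                  # constructed host in a second subnet
    ]
    for name, prefix in WANS.items():
        for host in hosts:
            action, new_src = egress_translation(host, ULA, prefix)
            print(f"{name:5} {host:40} -> {action} {new_src or ''}")
```

Hosts in the mapped /64 get a stable, predictable global address on each WAN, so check what the WAN zones' forward rules allow towards those addresses.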


Brilliant. After I posted this, I started going down the route of separating the zones since I noticed masq6 is a viable option in 22.03.

I think the rest of this may just be the solution I was looking for, I just wasn't exactly sure how to implement it. I'll do a deeper dive into it in a few days once I have time and update the thread on how I end up dealing with my specific situation.

If we ever meet, I definitely owe you a beer! This is much appreciated! Cheers!


I ultimately ended up implementing this solution since it made the most sense - it definitely also helped me better understand dealing with ipv6 multihoming outside of the BGP context. It works like a charm.

Thanks again, so much!

Now hopefully others trying to do this (admittedly unusual) implementation can search for and find this thread. :)