NAT6/masquerading not working

hyejin.hong · September 6, 2022, 2:51am

I've added NAT6 feature and firewall.nat6 script to my router.
Sending/Receiving ICMPv6 packets such as RS/RA, NS/NA, Ping works fine.
the below packets are captured from the opposite interface to which the wan interface is connected.

01:01:54.460626 IP6 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx > nrt12s47-in-x0e.1e100.net: ICMP6, echo request, seq 137, length 40
01:01:54.531590 IP6 nrt12s47-in-x0e.1e100.net >2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo reply, seq 137, length 40

My labtop's address is fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.
As you see, packets's source addresses are masqueraded to wan's address of routers.

But, if tcp packets are sent out through browsing, unmasquerade packets are also captured on the other side of the interface.

00:49:35.045623 IP6 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx.53153 > 2001:41d0:701:1100::29c8.https: Flags [.], ack 1, win 64800, length 0
00:49:35.045900 IP6 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx.53153 > 2001:41d0:701:1100::29c8.https: Flags [R.], seq 1, ack 1441, win 0, length 0
00:49:35.046094 IP6 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx.53153 > 2001:41d0:701:1100::29c8.https: Flags [R], seq 2940622706, win 0, length 0
...
00:49:35.162925 IP6 fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.53168 > 2001:41d0:701:1100::29c8.https: Flags [.], ack 2502106129, win 64800, length 0
00:49:35.162931 IP6 fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.53168 > 2001:41d0:701:1100::29c8.https: Flags [.], ack 1441, win 64800, length 0
00:49:35.162940 IP6 fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.53168 > 2001:41d0:701:1100::29c8.https: Flags [.], ack 4097, win 64800, length 0
...
00:49:35.782561 IP6 fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.53168 > 2001:41d0:701:1100::29c8.https: Flags [P.], seq 0:1211, ack 4970, win 63927, length 1211
00:49:36.481563 IP6 fd1e:a3fa:709f:0:xxxx:xxxx:xxxx:xxxx.53168 > 2001:41d0:701:1100::29c8.https: Flags [P.], seq 0:1211, ack 4970, win 63927, length 1211

Why is my labtop's address showing up on the next router even though I'm using nat6?

trendy · September 6, 2022, 8:54am

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; head -n -0 /etc/firewall.nat6; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

hyejin.hong · September 7, 2022, 12:26am

Thank you for your interest.
Here is the information you requested.


{
        "kernel": "5.4.164",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "Qualcomm Technologies, Inc. IPQ5018/xxxxx",
        "board_name": "qcom,ipq5018-ap-mp03.6-c1",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07-SNAPSHOT",
                "revision": "unknown",
                "target": "ipq50xx/ipq50xx_32",
                "description": "OpenWrt 19.07-SNAPSHOT unknown"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1e:a3fa:709f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '0'
        option igmp_snooping '0'
        option ipaddr '192.168.100.1'
        option _orig_ifname 'ath01 ath11'
        option _orig_bridge 'true'
        option ieee1905managed '1'
        option force_link '1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'wwan'
        option proto 'wwan'
        option ifname 'rmnet_mhi0.1'
        option delay '5'

config interface 'wlan0'
        option ifname 'ath0'
        option _orig_ifname 'ath0'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'wlan1'
        option ifname 'ath1'
        option _orig_ifname 'ath1'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'lan1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'ath02 ath12'
        option _orig_bridge 'true'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wwan'
        option interface 'wwan'
        option ignore '1'

config dhcp 'wlan0'
        option interface 'wlan0'
        option ignore '1'

config dhcp 'wlan1'
        option interface 'wlan1'
        option ignore '1'

config dhcp 'lan1'
        option interface 'lan1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disabled '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan lan1'
        list device 'tun+'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'wlan0'
        list network 'wlan1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option masq6_privacy '0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config ipset 'ovpnset'
        option enabled '1'
        option name 'ovpnset'
        option match 'dst_port'
        option storage 'bitmap'
        option portrange '1194-1199'

config custom 'custom'
        option snat '1'
        option dnat '1'

config include 'webaccess'
        option type 'script'
        option path '/etc/firewall.d/web-access'
        option family 'any'
        option reload '1'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule
        option name 'Allow-OpenVPN'
        option family 'ipv4'
        option src 'wan'
        option ipset 'ovpnset'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH'
        option enabled '1'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-HTTPS'
        option enabled '1'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '443'
        option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables --new-chain RATE-LIMIT
iptables --append RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 --jump ACCEPT
iptables --append RATE-LIMIT --jump DROP
iptables --insert zone_wan_dest_ACCEPT 2 --match conntrack --ctstate NEW --jump RATE-LIMIT
# NAT6 + masquerading firewall script
# https://github.com/akatrevorjay/openwrt-masq6
# trevorj <github@trevor.joynson.io>
#
# You can configure in /etc/config/firewall per zone:
# * IPv4 masquerading
#     option masq 1
# * IPv6 masquerading
#     option masq6 1
# * IPv6 privacy extensions
#     option masq6_privacy 1

set -e -o pipefail

. /lib/functions.sh
. /lib/functions/network.sh
. /usr/share/libubox/jshn.sh

log() {
    logger -t nat6 -s "${@}"
}

get_ula_prefix() {
    uci get network.globals.ula_prefix
}

validate_ula_prefix() {
    local ula_prefix="${1}"
    if [ $(echo "${ula_prefix}" | grep -c -E -e "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
        log "Fatal error: IPv6 ULA ula_prefix=\"${ula_prefix}\" seems invalid. Please verify that a ula_prefix is set and valid."
        return 1
    fi
}

ip6t() {
    ip6tables "${@}"
}

ip6t_add() {
    if ! ip6t -C "${@}" &> /dev/null; then
        ip6t -I "${@}"
    fi
}

nat6_init() {
    iptables-save -t nat \
    | sed -e "
        /\sMASQUERADE$/d
        /\s[DS]NAT\s/d
        /\s--match-set\s\S*/s//\06/
        /,BROADCAST\s/s// /" \
    | ip6tables-restore -T nat
}

masq6_network() {
    # ${config} contains the ID of the current section
    local network_name="${1}"

    local device
    network_get_device device "${network_name}" || return 0

    local done_net_dev
    for done_net_dev in ${DONE_NETWORK_DEVICES}; do
        if [ "${done_net_dev}" = "${device}" ]; then
            log "Already configured device=\"${device}\", so leaving as is."
            return 0
        fi
    done

    log "Found device=\"${device}\" for network_name=\"${network_name}\"."

    if [ "${zone_masq6_privacy}" -eq 1 ]; then
        log "Enabling IPv6 temporary addresses for device=\"${device}\"."

        log "Accepting router advertisements on ${device} even if forwarding is enabled (required for temporary addresses)"
        echo 2 > "/proc/sys/net/ipv6/conf/${device}/accept_ra" \
        || log "Error: Failed to change router advertisements accept policy on ${device} (required for temporary addresses)"

        log "Using temporary addresses for outgoing connections on interface ${device}"
        echo 2 > "/proc/sys/net/ipv6/conf/${device}/use_tempaddr" \
        || log "Error: Failed to enable temporary addresses for outgoing connections on interface ${device}"
    fi

    append DONE_NETWORK_DEVICES "${device}"
}

handle_zone() {
    # ${config} contains the ID of the current section
    local config="${1}"

    local zone_name
    config_get zone_name "${config}" name

    # Enable masquerading via NAT6
    local zone_masq6
    config_get_bool zone_masq6 "${config}" masq6 0

    log "Firewall config=\"${config}\" zone=\"${zone_name}\" zone_masq6=\"${zone_masq6}\"."

    if [ "${zone_masq6}" -eq 0 ]; then
        return 0
    fi

    # IPv6 privacy extensions: Use temporary addrs for outgoing connections?
    local zone_masq6_privacy
    config_get_bool zone_masq6_privacy "${config}" masq6_privacy 1

    log "Found firewall zone_name=\"${zone_name}\" with zone_masq6=\"${zone_masq6}\" zone_masq6_privacy=\"${zone_masq6_privacy}\"."

    log "Setting up masquerading nat6 for zone_name=\"${zone_name}\" with zone_masq6_privacy=\"${zone_masq6_privacy}\""

    local ula_prefix="$(get_ula_prefix)"
    validate_ula_prefix "${ula_prefix}" || return 1

    local postrouting_chain="zone_${zone_name}_postrouting"
    log "Ensuring ip6tables chain=\"${postrouting_chain}\" contains our MASQUERADE."
    ip6t_add "${postrouting_chain}" -t nat \
        -m comment --comment "!fw3" -j MASQUERADE

    local input_chain="zone_${zone_name}_input"
    log "Ensuring ip6tables chain=\"${input_chain}\" contains our permissive DNAT rule."
    ip6t_add "${input_chain}" -t filter -m conntrack --ctstate DNAT \
        -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

    local forward_chain="zone_${zone_name}_forward"
    log "Ensuring ip6tables chain=\"${forward_chain}\" contains our permissive DNAT rule."
    ip6t_add "${forward_chain}" -t filter -m conntrack --ctstate DNAT \
        -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

    local DONE_NETWORK_DEVICES=""
    config_list_foreach "${config}" network masq6_network

    log "Done setting up nat6 for zone=\"${zone_name}\" on devices: ${DONE_NETWORK_DEVICES}"
}

main() {
    nat6_init
    config_load firewall
    config_foreach handle_zone zone
}

main "${@}"

hyejin.hong · September 7, 2022, 12:26am

# Generated by ip6tables-save v1.8.3 on Fri Jul  1 00:33:30 2022
*nat
:PREROUTING ACCEPT [24:2002]
:INPUT ACCEPT [20:1706]
:OUTPUT ACCEPT [25:2146]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[24:2002] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
[24:2002] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i br-lan1 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i ath0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i ath1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i 464-wan6_4 -m comment --comment "!fw3" -j zone_wan_prerouting
[26:2226] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-lan1 -m comment --comment "!fw3" -j zone_lan_postrouting
[26:2226] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o ath0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o ath1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o 464-wan6_4 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[24:2002] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[26:2226] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[0:0] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -j MINIUPNPD
[0:0] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Jul  1 00:33:30 2022
# Generated by ip6tables-save v1.8.3 on Fri Jul  1 00:33:30 2022
*mangle
:PREROUTING ACCEPT [108:11294]
:INPUT ACCEPT [88:9782]
:FORWARD ACCEPT [36:2704]
:OUTPUT ACCEPT [81:8745]
:POSTROUTING ACCEPT [121:11601]
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o ath0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i ath0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o ath1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i ath1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o 464-wan6_4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i 464-wan6_4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jul  1 00:33:30 2022
# Generated by ip6tables-save v1.8.3 on Fri Jul  1 00:33:30 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[88:9782] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[36:5652] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
[28:2282] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-lan1 -m comment --comment "!fw3" -j zone_lan_input
[24:1848] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i ath0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i ath1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 464-wan6_4 -m comment --comment "!fw3" -j zone_wan_input
[36:2704] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[3:240] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
[33:2464] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-lan1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i ath0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i ath1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i 464-wan6_4 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[81:8745] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[29:4567] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
[8:544] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan1 -m comment --comment "!fw3" -j zone_lan_output
[44:3634] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o ath0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o ath1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o 464-wan6_4 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:160] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
[40:2928] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan1 -m comment --comment "!fw3" -j ACCEPT
[33:2464] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[33:2464] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[32:2384] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[28:2282] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[28:2282] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[8:544] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[8:544] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:2282] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:208] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[44:3506] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o ath0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o ath0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o ath1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o ath1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o 464-wan6_4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o 464-wan6_4 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o ath0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o ath1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o 464-wan6_4 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -s fd1e:a3fa:709f:0:9fbc:c249:ddeb:3d4d/128 -i 464-wan6_4 -m comment --comment "!fw3: ubus:wan6_4[464xlat] rule 1" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[24:1848] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[1:72] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[5:360] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:120] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[10:720] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[6:416] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 22 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-HTTPS" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 443 -m comment --comment "!fw3: Allow-HTTPS" -j ACCEPT
[1:160] -A zone_wan_input -j MINIUPNPD
[1:160] -A zone_wan_input -j MINIUPNPD
[1:160] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[44:3634] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[44:3634] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1:160] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i ath0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i ath1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 464-wan6_4 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jul  1 00:33:31 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::251:cff:fee4:eb96/64 scope link
       valid_lft forever preferred_lft forever
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd1e:a3fa:709f::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::251:cff:fee4:eb95/64 scope link
       valid_lft forever preferred_lft forever
21: ath01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::251:e5ff:fedc:1000/64 scope link
       valid_lft forever preferred_lft forever
22: ath02: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::451:e5ff:fedc:1000/64 scope link
       valid_lft forever preferred_lft forever
23: ath0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state DORMANT
    inet6 fe80::851:e5ff:fedc:1000/64 scope link
       valid_lft forever preferred_lft forever
24: ath11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::251:e5ff:fedc:1001/64 scope link
       valid_lft forever preferred_lft forever
25: ath12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::451:e5ff:fedc:1001/64 scope link
       valid_lft forever preferred_lft forever
26: ath1: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state DORMANT
    inet6 fe80::851:e5ff:fedc:1001/64 scope link
       valid_lft forever preferred_lft forever
27: br-lan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::451:e5ff:fedc:1000/64 scope link
       valid_lft forever preferred_lft forever
28: 464-wan6_4: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 16384 state UNKNOWN qlen 1000
    inet6 fe80::32c1:e7a4:832f:82dc/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
fd1e:a3fa:709f:0:9fbc:c249:ddeb:3d4d dev 464-wan6_4 table prelocal proto static metric 1024 pref medium
2001:2d8:xxxx:xxxx::/64 dev eth1 proto static metric 256 pref medium
unreachable 2001:2d8:xxxx:xxxx::/64 dev lo proto static metric 2147483647 pref medium
fd1e:a3fa:709f::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd1e:a3fa:709f::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev ath0 proto kernel metric 256 linkdown pref medium
fe80::/64 dev ath1 proto kernel metric 256 linkdown pref medium
fe80::/64 dev ath01 proto kernel metric 256 pref medium
fe80::/64 dev ath02 proto kernel metric 256 pref medium
fe80::/64 dev br-lan1 proto kernel metric 256 pref medium
fe80::/64 dev ath11 proto kernel metric 256 pref medium
fe80::/64 dev ath12 proto kernel metric 256 pref medium
fe80::/64 dev 464-wan6_4 proto kernel metric 256 pref medium
default via fe80::d8f5:a9ef:d054:edfb dev eth1 proto static metric 512 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2001:2d8:xxxx:xxxx:: dev eth1 table local proto kernel metric 0 pref medium
local 2001:2d8:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dev eth1 table local proto kernel metric 0 pref medium
anycast fd1e:a3fa:709f:: dev br-lan table local proto kernel metric 0 pref medium
local fd1e:a3fa:709f::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd1e:a3fa:709f:0:9fbc:c249:ddeb:3d4d dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath0 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath01 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath02 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath11 table local proto kernel metric 0 pref medium
anycast fe80:: dev ath12 table local proto kernel metric 0 pref medium
anycast fe80:: dev 464-wan6_4 table local proto kernel metric 0 pref medium
local fe80::251:cff:fee4:eb95 dev br-lan table local proto kernel metric 0 pref medium
local fe80::251:cff:fee4:eb96 dev eth1 table local proto kernel metric 0 pref medium
local fe80::251:e5ff:fedc:1000 dev ath01 table local proto kernel metric 0 pref medium
local fe80::251:e5ff:fedc:1001 dev ath11 table local proto kernel metric 0 pref medium
local fe80::451:e5ff:fedc:1000 dev ath02 table local proto kernel metric 0 pref medium
local fe80::451:e5ff:fedc:1000 dev br-lan1 table local proto kernel metric 0 pref medium
local fe80::451:e5ff:fedc:1001 dev ath12 table local proto kernel metric 0 pref medium
local fe80::851:e5ff:fedc:1000 dev ath0 table local proto kernel metric 0 pref medium
local fe80::851:e5ff:fedc:1001 dev ath1 table local proto kernel metric 0 pref medium
local fe80::32c1:e7a4:832f:82dc dev 464-wan6_4 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ath0 table local proto kernel metric 256 linkdown pref medium
multicast ff00::/8 dev ath1 table local proto kernel metric 256 linkdown pref medium
multicast ff00::/8 dev ath01 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ath02 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ath11 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ath12 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev 464-wan6_4 table local proto kernel metric 256 pref medium
0:      from all to fd1e:a3fa:709f:0:9fbc:c249:ddeb:3d4d lookup prelocal
1:      from all lookup local
32766:  from all lookup main

slh · September 7, 2022, 1:56am

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

trendy · September 7, 2022, 1:12pm

I don't have much to add to what @slh wrote already. It is evident from the ip6tables output that postrouting for wan zone is to masquerade everything. So I have no idea why it is not working.

atownlede · September 8, 2022, 1:28am

This might be related, not totally sure...

I do use NAT6/masquerading for my wireguard VPN clients, which only get ULA addresses assigned. But that requires a specific extra clause in a separate .nft configuration, something like this which I put into /etc/nftables.d/nat6.nft:

chain srcnat_ula6 {
  type nat hook postrouting priority srcnat; policy accept;
  oifname $wan_devices ip6 saddr MY_ULA_PREFIX_HERE::/48 counter masquerade comment "!fw4: ULA masquerade6"
}

jow · September 8, 2022, 9:26am

This could be done with uci as well:

config nat                                                 
        option src 'wan'                                   
        option proto 'all'                                 
        option src_ip 'fc00::/7'                           
        option target 'MASQUERADE'

atownlede · September 8, 2022, 10:57am

LuCI doesn't care for the IPv6 address, but I'm OK with using command line for this.

How about the counter attribute, can that be configured with uci ? I'm not seeing anything in https://openwrt.org/docs/guide-user/firewall/firewall_configuration

jow · September 8, 2022, 11:37am

Good point, that isn't covered yet. It would be option counter 1 which is currently valid for config rule and config redirect sections but not config nat ones. Will add it with the next update.

hyejin.hong · September 15, 2022, 5:08am

I added new rule as below, but I still see the my labtop's IPv6 address on the next router.

ip6t_add "${postrouting_chain}" -t nat \
        -s fc00::/7 -m comment --comment "!fw3" -j MASQUERADE

Chain zone_wan_postrouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      *       fc00::/7             ::/0                 /* !fw3 */
    0     0 MASQUERADE  all      *      *       ::/0                 ::/0                 /* !fw3 */
    0     0 postrouting_wan_rule  all      *      *       ::/0                 ::/0                 /* !fw3: Custom wan postrouting rule chain */

It seems that there are cases where nat6 does not work.

hyejin.hong · September 15, 2022, 5:13am

My device uses firewall-2019-11-22-8174814a.tar.xz.
firewall (fw3) source doesn't support counter option.
what's the counter option?

hyejin.hong · September 15, 2022, 5:27am

Below is a list of modules that the device has.
Are there any modules I'm missing for NAT6?

root@OpenWrt:/lib/modules/5.4.164# ls -al nf*
-rw-r--r--    1 root     root         12380 Jun 30 00:35 nf_conncount.ko
-rw-r--r--    1 root     root        124764 Jun 30 00:35 nf_conntrack.ko
-rw-r--r--    1 root     root          6364 Jun 30 00:35 nf_conntrack_amanda.ko
-rw-r--r--    1 root     root          2876 Jun 30 00:35 nf_conntrack_broadcast.ko
-rw-r--r--    1 root     root         14932 Jun 30 00:35 nf_conntrack_ftp.ko
-rw-r--r--    1 root     root         49176 Jun 30 00:35 nf_conntrack_h323.ko
-rw-r--r--    1 root     root          9252 Jun 30 00:35 nf_conntrack_irc.ko
-rw-r--r--    1 root     root         37072 Jun 30 00:35 nf_conntrack_netlink.ko
-rw-r--r--    1 root     root         13632 Jun 30 00:35 nf_conntrack_pptp.ko
-rw-r--r--    1 root     root          8424 Jun 30 00:35 nf_conntrack_rtcache.ko
-rw-r--r--    1 root     root         13924 Jun 30 00:35 nf_conntrack_rtsp.ko
-rw-r--r--    1 root     root         27348 Jun 30 00:35 nf_conntrack_sip.ko
-rw-r--r--    1 root     root          4324 Jun 30 00:35 nf_conntrack_snmp.ko
-rw-r--r--    1 root     root          8300 Jun 30 00:35 nf_conntrack_tftp.ko
-rw-r--r--    1 root     root          4568 Jun 30 00:35 nf_defrag_ipv4.ko
-rw-r--r--    1 root     root         14120 Jun 30 00:35 nf_defrag_ipv6.ko
-rw-r--r--    1 root     root          3096 Jun 30 00:35 nf_dup_netdev.ko
-rw-r--r--    1 root     root         25540 Jun 30 00:35 nf_flow_table.ko
-rw-r--r--    1 root     root          6224 Jun 30 00:35 nf_flow_table_hw.ko
-rw-r--r--    1 root     root          3448 Jun 30 00:35 nf_flow_table_inet.ko
-rw-r--r--    1 root     root          3008 Jun 30 00:35 nf_flow_table_ipv4.ko
-rw-r--r--    1 root     root          3012 Jun 30 00:35 nf_flow_table_ipv6.ko
-rw-r--r--    1 root     root          6736 Jun 30 00:35 nf_log_common.ko
-rw-r--r--    1 root     root          7856 Jun 30 00:35 nf_log_ipv4.ko
-rw-r--r--    1 root     root          7952 Jun 30 00:35 nf_log_ipv6.ko
-rw-r--r--    1 root     root         32848 Jun 30 00:35 nf_nat.ko
-rw-r--r--    1 root     root          4744 Jun 30 00:35 nf_nat_amanda.ko
-rw-r--r--    1 root     root          6424 Jun 30 00:35 nf_nat_ftp.ko
-rw-r--r--    1 root     root         13448 Jun 30 00:35 nf_nat_h323.ko
-rw-r--r--    1 root     root          5652 Jun 30 00:35 nf_nat_irc.ko
-rw-r--r--    1 root     root          8440 Jun 30 00:35 nf_nat_pptp.ko
-rw-r--r--    1 root     root         11180 Jun 30 00:35 nf_nat_rtsp.ko
-rw-r--r--    1 root     root         12824 Jun 30 00:35 nf_nat_sip.ko
-rw-r--r--    1 root     root          6108 Jun 30 00:35 nf_nat_snmp_basic.ko
-rw-r--r--    1 root     root          4020 Jun 30 00:35 nf_nat_tftp.ko
-rw-r--r--    1 root     root          4672 Jun 30 00:35 nf_reject_ipv4.ko
-rw-r--r--    1 root     root          6796 Jun 30 00:35 nf_reject_ipv6.ko
-rw-r--r--    1 root     root        138140 Jun 30 00:35 nf_tables.ko
-rw-r--r--    1 root     root         10252 Jun 30 00:35 nfnetlink.ko
-rw-r--r--    1 root     root          6792 Jun 30 00:35 nft_counter.ko
-rw-r--r--    1 root     root         14240 Jun 30 00:35 nft_ct.ko
-rw-r--r--    1 root     root          4136 Jun 30 00:35 nft_dup_netdev.ko
-rw-r--r--    1 root     root          5892 Jun 30 00:35 nft_flow_offload.ko
-rw-r--r--    1 root     root          5844 Jun 30 00:35 nft_fwd_netdev.ko
-rw-r--r--    1 root     root          7356 Jun 30 00:35 nft_limit.ko
-rw-r--r--    1 root     root          5260 Jun 30 00:35 nft_log.ko
-rw-r--r--    1 root     root          6476 Jun 30 00:35 nft_masq.ko
-rw-r--r--    1 root     root          6100 Jun 30 00:35 nft_nat.ko
-rw-r--r--    1 root     root          5924 Jun 30 00:35 nft_numgen.ko
-rw-r--r--    1 root     root          6036 Jun 30 00:35 nft_quota.ko
-rw-r--r--    1 root     root          6328 Jun 30 00:35 nft_redir.ko
-rw-r--r--    1 root     root          3972 Jun 30 00:35 nft_reject.ko
-rw-r--r--    1 root     root          4768 Jun 30 00:35 nft_reject_inet.ko
-rw-r--r--    1 root     root          3920 Jun 30 00:35 nft_reject_ipv4.ko
-rw-r--r--    1 root     root          3920 Jun 30 00:35 nft_reject_ipv6.ko

root@OpenWrt:/lib/modules/5.4.164# ls | grep  6
ah6.ko
esp6.ko
ip6_gre.ko
ip6_tables.ko
ip6_tunnel.ko
ip6_udp_tunnel.ko
ip6t_NPT.ko
ip6t_REJECT.ko
ip6table_filter.ko
ip6table_mangle.ko
ip6table_nat.ko
ipcomp6.ko
nat46.ko
nf_defrag_ipv6.ko
nf_flow_table_ipv6.ko
nf_log_ipv6.ko
nf_reject_ipv6.ko
nft_reject_ipv6.ko
qca-nss-tun6rd.ko
qca-nss-tunipip6.ko
tunnel6.ko
xfrm6_tunnel.ko

jdwl1o1 · September 15, 2022, 5:35am

As slh said you need to install an openwrt supported firmware, only then can the people here provide guidance on nat6.

hyejin.hong · September 22, 2022, 2:33am

I resolved this issue.
ecm.global.acceleration_engine was 'auto' and I changed to 'sfe', the issue is gone then.

system · October 2, 2022, 2:34am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.