NPT6 as a core feature

The official mwan3 documentation says:

Using mwan3 with IPv6 requires additional configuration such as IPv6 masquerading through methods like NETMAP or NAT6. This is currently not implemented in mwan3 directly and requires additional configuration. ... This is something that needs to be configured outside of mwan3 itself.

Currently, what's expressible using the core firewall features is NAT6, where all LAN hosts are masqueraded behind the router's IPv6 address, just like it is done with IPv4. This is suboptimal. Hence this feature request: make network prefix translation for IPv6 a core feature, configurable through LuCI without the need to write any scripts.

Just for reference, here is what I do, and what I want to be fully achievable without custom scripts:


# network_get_device / network_get_prefix6 live in network.sh, not in /lib/functions/
. /lib/functions.sh
. /lib/functions/network.sh

# IPv6 NAT (horrible)
ip6tables -t nat -F PREROUTING
ip6tables -t nat -F POSTROUTING
ULA=$(uci get network.globals.ula_prefix)   # the router's ULA, a /48
for IFACE in $(uci show mwan3 | sed -n '/=interface/s/^mwan3\.\(.*\)=interface/\1/ p') ; do
  network_get_device DEVICE $IFACE || continue
  network_get_prefix6 PREFIX $IFACE || continue
  # Reconstructed, missing from the post: the delegated prefix length, clamped to /48
  # because the ULA is only a /48 (a shorter delegation cannot be used beyond that)
  BITS=${PREFIX#*/}
  if [ "$BITS" -le 48 ] ; then BITS=48 ; fi
  # Reconstructed: both sides of the map need the same length; the low bits of the
  # ULA /48 are zero, so the leading /$BITS of it is just the same address with /$BITS
  PREFIX=${PREFIX%/*}/$BITS
  ULA_PART=${ULA%/*}/$BITS
  # Reconstructed (assumption): the router's own ::1 address inside the delegated prefix
  FIRST_IP=${PREFIX%/*}1
  echo "Mapping $ULA_PART <-> $PREFIX for $IFACE (on $DEVICE)"
  # traffic to the router's own upstream address stays local
  ip6tables -t nat -A PREROUTING -d $FIRST_IP -j REDIRECT
  # inbound: global prefix -> ULA (stateless 1:1 prefix translation)
  ip6tables -t nat -A PREROUTING -d $PREFIX -j NETMAP --to $ULA_PART
  # outbound replies to inbound connections, and outbound traffic from the mapped ULA part
  ip6tables -t nat -A POSTROUTING -s $ULA_PART -m conntrack --ctorigdst $PREFIX -j NETMAP --to $PREFIX
  ip6tables -t nat -A POSTROUTING -s $ULA_PART -o $DEVICE -j NETMAP --to $PREFIX
  # everything else leaving this WAN (e.g. a guest /64 outside $ULA_PART) gets masqueraded
  ip6tables -t nat -A POSTROUTING -o $DEVICE -j MASQUERADE
done

This tries to use NETMAP where possible, and resorts to MASQUERADE only if the upstream prefix is too small. Example: if the ISP only offers a /64, then the LAN would go through NETMAP, and the guest WiFi (if I create one), or whatever delegated prefixes my hypervisor hosts obtain through DHCPv6, will still get IPv6 connectivity, in a masqueraded form.

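For readers who want to see what the script above actually maps, here is an added illustration (my own code, not the poster's script and not anything from mwan3 or OpenWrt). It reproduces the prefix-length clamp, translates sample addresses in both directions to show that NETMAP is a stateless, reversible 1:1 mapping rather than a connection-tracked one, and shows which LAN sources fall through to the trailing MASQUERADE rule. All prefixes and the device name `eth1` are constructed examples; the `::1` router address is an assumption.

```python
"""Model of the NETMAP (NPTv6) mapping the script above sets up.

Added illustration, not code from the original post, from mwan3 or from
OpenWrt: it reproduces the script's prefix-length clamp, translates sample
addresses in both directions to show that NETMAP is a stateless, reversible
1:1 mapping, and shows which LAN sources fall through to MASQUERADE.
All prefixes below are constructed examples (documentation ranges).
"""
import ipaddress

ULA_LEN = 48  # OpenWrt's network.globals.ula_prefix is a /48


def plan_mapping(ula: str, delegated: str):
    """Return (ula_part, upstream, bits), mirroring the script's BITS clamp.

    bits is the delegated prefix length, clamped to 48 because the ULA is a
    /48 and nothing shorter can be mapped onto it.  ula_part is the leading
    /bits of the ULA, i.e. the part of the LAN address space that gets a 1:1
    mapping; anything outside it has to be masqueraded instead.
    """
    ula_net = ipaddress.IPv6Network(ula, strict=False)
    up_net = ipaddress.IPv6Network(delegated, strict=False)
    bits = max(up_net.prefixlen, ULA_LEN)
    ula_part = ipaddress.IPv6Network((ula_net.network_address, bits), strict=False)
    upstream = ipaddress.IPv6Network((up_net.network_address, bits), strict=False)
    return ula_part, upstream, bits


def netmap(addr: str, src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network):
    """What NETMAP does to one address: keep the host bits, swap the prefix.

    Raises ValueError if addr is not inside src, which is exactly the case the
    script's trailing MASQUERADE rule catches (e.g. a guest /64 beyond ula_part).
    """
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs prefixes of equal length")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}; NETMAP does not apply")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst.network_address) | (int(ip) & host_mask))


def nat_action(addr: str, ula_part, upstream):
    """Which POSTROUTING rule a LAN source address would hit, and its result."""
    try:
        return ("NETMAP", str(netmap(addr, ula_part, upstream)))
    except ValueError:
        return ("MASQUERADE", None)


def rules_for(device: str, ula: str, delegated: str):
    """The ip6tables rules the script above emits for one mwan3 interface.

    Assumption (as in the script): the router's own address in the delegated
    prefix is ::1, so that is what the REDIRECT rule refers to.
    """
    ula_part, upstream, _ = plan_mapping(ula, delegated)
    first_ip = upstream.network_address + 1
    return [
        f"ip6tables -t nat -A PREROUTING -d {first_ip} -j REDIRECT",
        f"ip6tables -t nat -A PREROUTING -d {upstream} -j NETMAP --to {ula_part}",
        f"ip6tables -t nat -A POSTROUTING -s {ula_part} -m conntrack"
        f" --ctorigdst {upstream} -j NETMAP --to {upstream}",
        f"ip6tables -t nat -A POSTROUTING -s {ula_part} -o {device} -j NETMAP --to {upstream}",
        f"ip6tables -t nat -A POSTROUTING -o {device} -j MASQUERADE",
    ]


if __name__ == "__main__":
    ula = "fd12:3456:789a::/48"
    # a /56 delegation maps the whole ULA /56 (256 LAN subnets); a /64 maps only the first one
    for delegated in ("2001:db8:1200::/56", "2001:db8:1234:5678::/64"):
        ula_part, upstream, bits = plan_mapping(ula, delegated)
        print(f"{delegated}: map {ula_part} <-> {upstream} (/{bits})")
        for host in ("fd12:3456:789a::10", "fd12:3456:789a:1::10"):
            print("  ", host, "->", nat_action(host, ula_part, upstream))
        for rule in rules_for("eth1", ula, delegated):
            print("  ", rule)
```

Run it as-is to see the two cases from the post side by side: with the /56 delegation both the LAN and a guest /64 get a 1:1 mapping, with the /64 delegation the guest source address misses `ula_part` and only the MASQUERADE rule applies to it.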