[unsolved] About ipv6 NPT

I want to use IPv6 NPT (RFC 6296 stateless NPT) and have kmod-ipt-nat6 installed.
I am sure that "ip6t_NPT" is about RFC 6296:
MODULE_DESCRIPTION("IPv6-to-IPv6 Network Prefix Translation (RFC 6296)");


root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64  -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.

I have kmod-ipt-nat6 installed, which contains the NPT extension.

lsmod
x_tables               12656 37 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_FLOWOFFLOAD,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT

DNPT (IPv6-specific)
       Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296).

       You have to use this target in the mangle table, not in the nat table. It takes the following options:

       --src-pfx [prefix/length]
              Set source prefix that you want to translate and length

       --dst-pfx [prefix/length]
              Set destination prefix that you want to use in the translation and length

       You have to use the SNPT target to undo the translation. Example:

              ip6tables -t mangle -I POSTROUTING -s fd00::/64  -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64

              ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64

       You may need to enable IPv6 neighbor proxy:

              sysctl -w net.ipv6.conf.all.proxy_ndp=1

       You also have to use the NOTRACK target to disable connection tracking for translated flows.

Does anyone have any ideas?

  • Ideas regarding what?
  • Are you having an IPv6 NPT config issue?

DNPT and SNPT are separate extensions in iptables that I can see, and I don't think the OpenWrt build system sucks them into any of the existing package options.


ipt_NPT is for that! It's in the kernel module! You can check the source!


About the error: ipt_NPT has loaded and there is no config; it should be usable after installing kmod-ipt-nat6.

Right, but I'm asking if you have the iptables extensions. You have the kernel module; where is your userspace interpretation for it?

Show the output of:
ls /usr/lib/iptables
opkg list-installed | grep ip6tables

On my system, by the way:

root@Gargoyle:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64  -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
root@Gargoyle:~# ip6tables -t mangle -nvL
Chain POSTROUTING (policy ACCEPT 98 packets, 25459 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNPT       all      *      br-lan  2001:470:4999:100::/64  ::/0                 SNPT src-pfx 2001:470:4999:100::/64 dst-pfx 240e:82:901:9400::/64

Perfect!! I checked it again!!!

root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64 -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@OpenWrt:~# opkg list|grep ip6
ip6tables - 1.8.3-1
kmod-ip6tables - 4.14.180-1
libip6tc2 - 1.8.3-1

Got it!! I need to install:

ip6tables-mod-nat

1.8.3-1

2.4 KB

iptables extensions for IPv6-NAT targets.

Though it showed all packages installed when I installed it!!
Great, thanks for your try!!!
Thanks very very very much!!!


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Another question: ping6 is OK, but HTTP and SSH do not work.
I added custom rules:

ip6tables -t mangle -I POSTROUTING -s 240e:82:aaaa:bbbb::/64 -o wg0 -j SNPT --src-pfx 240e:82:aaaa:bbbb::/64 --dst-pfx 2001:470:cccc:dddd::/64 
ip6tables -t mangle -I PREROUTING -i wg0 -d 2001:470:cccc:dddd::/64 -j DNPT --src-pfx 2001:470:cccc:dddd::/64 --dst-pfx 240e:82:aaaa:bbbb::/64

Without using the VPN:

C:\Users\Allan>tracert www.yahoo.com

通过最多 30 个跃点跟踪
到 new-fp-shed.wg1.b.yahoo.com [2406:2000:e4:a1a::11] 的路由:

  1     1 ms    <1 毫秒   <1 毫秒 OpenWrt.lan [fdbb:1fc4:1e19::1]
  2     1 ms     1 ms     1 ms  240e:82:aaaa:bbbb::1
  3     4 ms     3 ms     2 ms  240e:0:8000::411
  4     3 ms     2 ms     2 ms  240e:0:8000:411::c
  5     *     ^C

A strange issue, maybe the NDP proxy's fault: I must ping the gateway before using the network.

C:\Users\Allan>tracert www.yahoo.com

通过最多 30 个跃点跟踪
到 new-fp-shed.wg1.b.yahoo.com [2406:2000:e4:a1a::11] 的路由:

  1     *        *        *     请求超时。
  2     *        *        *     请求超时。
  3  ^C
C:\Users\Allan>tracert www.yahoo.com

通过最多 30 个跃点跟踪
到 new-fp-shed.wg1.b.yahoo.com [2406:2000:e4:a1a::11] 的路由:

  1     *     ^C
C:\Users\Allan>tracert www.yahoo.com

通过最多 30 个跃点跟踪
到 new-fp-shed.wg1.b.yahoo.com [2406:2000:e4:a1a::10] 的路由:

  1     *     ^C
C:\Users\Allan>ping 240e:82:901:9400::1

正在 Ping 240e:82:aaaa:bbbb::1 具有 32 字节的数据:
来自 240e:82:aaaa:bbbb::1 的回复: 时间=1111ms
来自 240e:82:aaaa:bbbb::1 的回复: 时间=5ms
来自 240e:82:aaaa:bbbb::1 的回复: 时间=2ms
来自 240e:82:aaaa:bbbb::1 的回复: 时间=1ms

240e:82:aaaa:bbbb::1 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 1ms,最长 = 1111ms,平均 = 279ms

C:\Users\Allan>

Through the VPN, with SNPT/DNPT:

C:\Users\Allan>tracert www.yahoo.com

通过最多 30 个跃点跟踪
到 new-fp-shed.wg1.b.yahoo.com [2406:2000:e4:a1a::11] 的路由:

  1     2 ms    <1 毫秒   <1 毫秒 OpenWrt.lan [fdbb:1fc4:1e19::1]
  2   227 ms   228 ms   228 ms  2001:470:cccc::1
  3   292 ms   293 ms   293 ms  tunnel589291.tunnel.tserv29.fmt1.ipv6.he.net [2001:470:66:56a::1]
  4   289 ms   294 ms   345 ms  10ge3-19.core3.fmt1.he.net [2001:470:0:206::1]
  5   296 ms   291 ms   292 ms  100ge6-1.core1.sjc2.he.net [2001:470:0:1a7::2]
  6   301 ms   293 ms   292 ms  pat2.sjc.yahoo.com [2001:504:0:1:0:1:310:2]
  7   291 ms   295 ms   291 ms  ae-5.pat1.sjc.yahoo.com [2001:4998:f005:1::]
  8   443 ms   445 ms   445 ms  ae0.pat1.hkz.yahoo.com [2001:4998:f005:b::1]
  9   470 ms   468 ms   468 ms  et-3-3-0.pat1.sgy.yahoo.com [2406:2000:f01f:13::]
 10   469 ms   469 ms   469 ms  ae-5.msr1.sg3.yahoo.com [2406:2000:f01f:3::1]
 11   471 ms   470 ms   474 ms  2406:2000:e4:fe01::1
 12   472 ms   470 ms   470 ms  2406:2000:e4:fa07::1
 13   480 ms   474 ms   472 ms  media-router-fp2.prod1.media.vip.sg3.yahoo.com [2406:2000:e4:a1a::11]

Ping is OK but I cannot open web pages or SSH.

Does it show connection reset?
连接到 [2a02:6b8:a::a] 时发生错误。PR_CONNECT_RESET_ERROR

Pinging the NPT'ed IPv6 address from the router, out to the VPS server and back, is OK:

root@OpenWrt:~# traceroute6  2001:470:4999:100:276b:d046:1cb:783d
traceroute to 2001:x:x:x:276b:d046:1cb:783d (2001:x:x:x:276b:d046:1cb:783d), 30 hops max, 64 byte packets
 1  2001:x:x::1 (2001:x:x::1)  228.426 ms  226.692 ms  227.231 ms
 2  2001:x:x::x (2001:x:x::x)  227.932 ms  228.225 ms  227.459 ms
 3  240e:x:x:x:d4e3:d046:1cb:783d (240e:x:x:x:d4e3:d046:1cb:783d)  228.241 ms  228.812 ms  228.694 ms

NPT'ed indeed.
But pinging the NPT'ed IPv6 address from the VPS server:

root@localhost:~# ping6  2001:x:x:x:276b:d046:1cb:783d
PING 2001:x:x:x:276b:d046:1cb:783d(2001:x:x:x:276b:d046:1cb:783d) 56 data bytes
^C
25 packets transmitted, 0 received, 100% packet loss, time 24579ms

Is it because the firewall only accepts related packets sent from wg0? A feature of the stateful firewall?
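The traceroute above is a visible instance of what RFC 6296 translation does to an address: the prefix is swapped and the first word of the interface identifier changes (276b becomes d4e3) so that the one's complement sum of the whole address, and therefore every TCP/UDP/ICMPv6 checksum computed over it, stays the same. The Python below is an added example, not code from this thread or from the ip6t_NPT kernel module; it reimplements that checksum-neutral mapping (prefix rewrite plus the one's complement adjustment of one 16-bit word) and exposes a helper to confirm the sum is preserved. It assumes the masked 240e prefix in the traceroute is the 240e:82:901:9400::/64 quoted earlier in the thread; under that assumption it reproduces the d4e3 word. Function names are the example's own.

```python
"""RFC 6296 (NPTv6) checksum-neutral prefix translation, reimplemented.

Added example, not code from the forum thread or from the ip6t_NPT
kernel module. It models what the SNPT/DNPT targets do to one address.
"""
import ipaddress


def _words(addr):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _oc_sum(words):
    """16-bit one's complement sum (RFC 1071) of a sequence of 16-bit words."""
    total = sum(words)
    while total >> 16:  # fold carries back in until the value fits 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _oc_sub(a, b):
    """a - b in one's complement arithmetic: add the complement of b."""
    return _oc_sum([a, (~b) & 0xFFFF])


def address_checksum(address):
    """One's complement sum of an address's words, normalised so that 0 and
    0xFFFF (both "zero" in one's complement) compare equal. NPT keeps this
    value unchanged, which is why transport checksums stay valid."""
    return _oc_sum(_words(ipaddress.IPv6Address(address))) % 0xFFFF


def npt_translate(address, src_pfx, dst_pfx):
    """Map `address` from src_pfx into dst_pfx as RFC 6296 Section 3 does.

    Both prefixes must be /64 or shorter (what the rules on this page use)
    and have no host bits set; strict=True makes ipaddress reject host bits.
    """
    addr = ipaddress.IPv6Address(address)
    src = ipaddress.IPv6Network(src_pfx, strict=True)
    dst = ipaddress.IPv6Network(dst_pfx, strict=True)
    for net in (src, dst):
        if net.prefixlen > 64:
            raise ValueError(f"{net}: prefixes longer than /64 are not supported")
    if addr not in src:
        raise ValueError(f"{address} is not inside {src}")

    # Step 1: adjustment = sum(src prefix words) - sum(dst prefix words).
    # It is constant for a given rule, so a translator can cache it.
    adjustment = _oc_sub(_oc_sum(_words(src.network_address)),
                         _oc_sum(_words(dst.network_address)))

    # Step 2: replace the prefix bits, keeping the address's own lower bits.
    pfx_len = max(src.prefixlen, dst.prefixlen)
    keep_mask = (1 << (128 - pfx_len)) - 1
    new_int = (int(dst.network_address) & ~keep_mask) | (int(addr) & keep_mask)
    words = _words(ipaddress.IPv6Address(new_int))

    # Step 3: choose the 16-bit word that absorbs the adjustment.
    if pfx_len <= 48:
        idx = 3  # the subnet ID word (bits 48..63)
    else:
        # Longer prefixes: first IID word that is not 0xFFFF (Section 3.3).
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError(f"{address}: no IID word can absorb the adjustment")

    word = _oc_sum([words[idx], adjustment])
    if word == 0xFFFF:
        word = 0  # RFC 6296: a result of 0xFFFF is written as 0x0000
    words[idx] = word
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


if __name__ == "__main__":
    # The thread's DNPT rule, with the masked 240e prefix ASSUMED to be the
    # 240e:82:901:9400::/64 quoted earlier in the same thread.
    inside = "2001:470:4999:100:276b:d046:1cb:783d"
    mapped = npt_translate(inside, "2001:470:4999:100::/64", "240e:82:901:9400::/64")
    print(inside, "->", mapped)
    print("checksum preserved:", address_checksum(inside) == address_checksum(mapped))
```

Running it prints the 240e:82:901:9400:d4e3:... address seen in the traceroute, and feeding that address back through the reverse prefixes returns the original, which is the property the SNPT and DNPT rule pair on this page relies on: because the mapping is a pure function of the address and the two prefixes, no per-flow state is needed in either direction.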