Unable to get NAT66 to work on PPPoE Interface


I have a PPPoE interface which gets an IPv6 prefix:

config interface 'wan'
	option proto 'pppoe'
	option username ''
	option password ''
	option device 'eth0.2'
	option metric '10'
	option ipv6 'auto'
	option sourcefilter '0'

I followed these steps to enable NAT66 and advertise only ULA.

uci set dhcp.lan.ra_default="1"
uci commit dhcp
/etc/init.d/odhcpd restart

uci set network.lan.ip6class="local"
uci commit network
/etc/init.d/network restart

# Configure firewall
uci set firewall.@zone[1].masq6="1"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci set network.wan.sourcefilter="0"
uci commit network
/etc/init.d/network restart

Now I can ping6 www.google.de from the OpenWrt shell, but from my computer it says no route:

stefan@argus:~/Downloads$ ping6 www.google.de
PING www.google.de(fra24s08-in-x03.1e100.net (2a00:1450:4001:82b::2003)) 56 data bytes
From OpenWrt.lan (fd22:<redacted>::1) icmp_seq=1 Destination unreachable: No route

but I can ping the router itself:

stefan@argus:~/Downloads$ ping fd22:<redacted>::1
PING fd22:<redacted>::1(fd22:<redacted>::1) 56 data bytes
64 bytes from fd22:<redacted>::1: icmp_seq=1 ttl=64 time=0.415 ms

and from the router itself:

root@OpenWrt:~# ping6 www.google.de
PING www.google.de (2a00:1450:4001:82b::2003): 56 data bytes
64 bytes from 2a00:1450:4001:82b::2003: seq=0 ttl=119 time=12.974 ms

When I look at the nftables rules, it looks like it should masquerade IPv6 traffic:

chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
		meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"

Does anyone have an idea how to debug this further? :thinking:

Thank you very much!


When I try to get a route for www.google.de:

ip -6 route get 2a00:1450:4001:82b::2003

it answers:
ip: RTNETLINK answers: Network unreachable

but there is a default route and I can still ping the address and the next hop :thinking:

default from 2001:xxxx:xxxx:92f4::/64 via fe80::xxxx:xxxx:xxxx:xxxx dev pppoe-wan  metric 512 
default from 2a0a:xxxx:xxxx::/48 via fe80::xxxxx:xxxx:xxxx:cfe1 dev pppoe-wan  metric 512 
unreachable 2001:xxxx:xxxx:xxxx::/64 dev lo  metric 2147483647 
unreachable 2a0a:xxxx:xxxx::/48 dev lo  metric 2147483647 
fd22:c9d4:ba0f::/64 dev br-lan  metric 1024 
unreachable fd22:c9d4:ba0f::/48 dev lo  metric 2147483647 
fe80::xxxx:xxxx:xxxx:xxxx dev pppoe-wan  metric 256 
fe80::xxxx:xxxx:xxxx:xxxx dev pppoe-wan  metric 256 

Hey boredhominid,

that is exactly the article I followed, sorry I should have said that.


Did not get it to work with either of these methods: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

But found this thread, "OpenWrt 22.03 - migrate 1:1 nat from iptables to nftables", and the map feature of nftables works like a charm.

nft add rule inet fw4 srcnat_wan snat ip6 prefix to ip6 saddr map { ula-prefix::/60 : gua-prefix::/60 }
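
What the prefix map in that rule does to a source address, shown as an added example that is not part of the original posts: the top 60 bits are swapped from the ULA prefix to the GUA prefix and the remaining 68 bits are kept, so every LAN host gets its own outside address (1:1) instead of sharing the router's as with masquerade. The prefixes are constructed (a ULA /60 from the fd22:c9d4:ba0f:: range shown in the routing table, a GUA /60 from the 2001:db8::/32 documentation range) and `map_prefix` is a hypothetical helper name.

```python
import ipaddress


def map_prefix(src, ula, gua):
    """Model of `snat ip6 prefix to ip6 saddr map { ula : gua }`.

    Returns the translated source address, or None when src is outside
    the ULA prefix (no map entry, so the rule does not apply).
    """
    # strict parsing rejects prefixes that have host bits set
    ula_net = ipaddress.IPv6Network(ula)
    gua_net = ipaddress.IPv6Network(gua)
    if ula_net.prefixlen != gua_net.prefixlen:
        raise ValueError("both sides of the map need the same prefix length")

    addr = ipaddress.IPv6Address(src)
    if addr not in ula_net:
        return None

    # keep the host part (here: subnet nibble + interface ID), swap the prefix
    host_bits = int(addr) & int(ula_net.hostmask)
    return ipaddress.IPv6Address(int(gua_net.network_address) | host_bits)


# Constructed sample values, not taken from the thread
ULA = "fd22:c9d4:ba0f::/60"
GUA = "2001:db8:0:92f0::/60"

if __name__ == "__main__":
    for host in ("fd22:c9d4:ba0f::1",        # router's LAN address
                 "fd22:c9d4:ba0f:3::1234",   # host in another /64 of the /60
                 "fd22:c9d4:ba0f:10::1"):    # outside the /60, not translated
        print(f"{host:28} -> {map_prefix(host, ULA, GUA)}")
```

Because the subnet nibble survives the translation, the delegated prefix must be at least as large as the ULA range in use on the LAN side.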