
Comments (10)

neilalexander avatar neilalexander commented on September 26, 2024

Good evening,

Yes, you are right in that a simple script containing the necessary ip6tables -t nat commands will work — this is exactly what I have done in my own config — but a better place to put the script is in /config/scripts/post-config.d/. All files marked as executable in this directory will be run automatically by the EdgeRouter after configuration has been loaded, particularly after a device reboot. It will also survive firmware upgrades as it resides within /config.

Once you have done that, then you can simply configure your IPv6 prefixes on your internal ethernet or switch interfaces as normal using the configure view, and the EdgeRouter will do the rest. I had planned to investigate some configuration options specifically for this into vyatta-cjdns.

By all means please write back with your success. If not then I can write a wiki page soon to explain how I got this to work.

from vyatta-cjdns.

wfleurant avatar wfleurant commented on September 26, 2024

I must be missing something?

-t filter -A FORWARD -i switch0 -o tun0 -j ACCEPT
-t filter -A FORWARD -i tun0 -o switch0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -o tun0 -j MASQUERADE

switch0 has inet6 fd00::1/64
on laptop, there is inet6 fd00::2/64

packet trace on ER (no responses, bad source address)

PING irc.fc00.io(guerrilla.network) 56 data bytes
...
tcpdump -nqi any net fc00::/8 or net fd00::/8
...
22:45:41.382923 IP6 fdfc::2 > fc34:8675:ed95:600c:38d7:6eb8:f5b9:5bfa: ICMP6, echo request, seq 12, length 64

I had some issues doing this in the GUI .. couple of terms not quite clear, and some address fields prevent ipv6 😮

-w


neilalexander avatar neilalexander commented on September 26, 2024

For the filter table rules I have configured these using the CLI:

firewall ipv6-name CJD_LOCAL default-action drop
firewall ipv6-name CJD_LOCAL rule 10 action accept
firewall ipv6-name CJD_LOCAL rule 10 state established enable
firewall ipv6-name CJD_LOCAL rule 10 state related enable
firewall ipv6-name CJD_LOCAL rule 20 action drop
firewall ipv6-name CJD_LOCAL rule 20 state invalid enable
firewall ipv6-name CJD_LOCAL rule 30 action accept
firewall ipv6-name CJD_LOCAL rule 30 protocol icmpv6

... etc, and then attaching the policy to the interface:

interfaces cjdns tun1 firewall local ipv6-name CJD_LOCAL

Then in my /config/scripts/post-config.d/ipv6nat (which is +x) script to configure the nat table rules:

#!/bin/sh
sudo ip6tables -t nat -F
sudo ip6tables -t nat -A POSTROUTING -o tun1 -s fd97:4c4e:9d26::/48 -j MASQUERADE

For what it is worth, when using tcpdump you may get more accurate results by specifying the cjdns tunnel interface instead of -i any, since I guess POSTROUTING rules on a specific interface maybe do not show in the any target?


wfleurant avatar wfleurant commented on September 26, 2024

OK I'll catch up over the weekend.


wfleurant avatar wfleurant commented on September 26, 2024

So where do we turn to for router advertisements? Test this on the laptop:

ping6 some-cjdns-node & 
sudo service cjdns stop
sudo ip -6 addr add fd00::10/48 dev wlan0
sudo ip -6 ro replace fc00::/8 via fd00::

64 bytes from some-cjdns-node: icmp_seq=74 ttl=41 time=3.89 ms

Pretty much the same script you provided above, but with address fd00::/48 on interface switch0.
Did an iperf -V -c some-cjdns-node -P10 and flooded a MacBook Air: [SUM] 0.0-11.5 sec 11.5 MBytes 8.38 Mbits/sec

With 2 cores on ERL, we could run 2 cjdroute processes to probably double the throughput. I think the support is here: https://gist.github.com/wfleurant/25ca9e4312e3397f67875a5573ecaa01

ubnt@edgerouter:~$ taskset
Usage: taskset [options] [mask | cpu-list] [pid|cmd [args...]]

ubnt@edgerouter:~$ ip -6 ro sh ta 0
fc00::/8 dev tun0  proto kernel  metric 256 
fd00::/48 dev switch0  proto kernel  metric 256 
...
#!/bin/sh

############################################################################
# configure mode
configure

# destination of initscript (no change needed)
nat66_script="/config/scripts/post-config.d/ipv6nat"

# cjdns interface name (change if other tunnels in use) with firewall rules
cjdns_devtun="tun0"

# fd00::/48 local source address for nat66 and cjdns networks with firewall rules
nat66_ip6adr="fd00::/48"

# the nat66 interface with firewall rules
nat66_inface="switch0"

# build firewall (enter configure)
set firewall ipv6-name CJD_LOCAL default-action drop
set firewall ipv6-name CJD_LOCAL rule 10 action accept
set firewall ipv6-name CJD_LOCAL rule 10 state established enable
set firewall ipv6-name CJD_LOCAL rule 10 state related enable
set firewall ipv6-name CJD_LOCAL rule 20 action drop
set firewall ipv6-name CJD_LOCAL rule 20 state invalid enable
set firewall ipv6-name CJD_LOCAL rule 30 action accept
set firewall ipv6-name CJD_LOCAL rule 30 protocol icmpv6

set interfaces switch ${nat66_inface} address ${nat66_ip6adr}
set interfaces cjdns ${cjdns_devtun} firewall local ipv6-name CJD_LOCAL
commit
save

############################################################################
# Create script executed during init  
cat << EOF > ${nat66_script} && chmod +x ${nat66_script}
#!/bin/sh
sudo ip6tables -t nat -F
sudo ip6tables -t nat -A POSTROUTING -o ${cjdns_devtun} -s ${nat66_ip6adr} -j MASQUERADE
EOF

# Exit configure mode
exit


neilalexander avatar neilalexander commented on September 26, 2024

Router advertisements on a given interface can be configured through the CLI, in my example below to send router advertisements on switch0:

set interfaces switch switch0 address 'fd97:4c4e:9d26:1ffe::1/64'

set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert default-preference high
set interfaces switch switch0 ipv6 router-advert link-mtu 1280
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 60
set interfaces switch switch0 ipv6 router-advert name-server 'fd97:4c4e:9d26:1ffe::1'
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true

set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' valid-lifetime 2592000

And also DHCPv6, as some clients prefer DHCPv6 instead of SLAAC addressing:

set service dhcpv6-server shared-network-name Access name-server 'fd97:4c4e:9d26:1ffe::1'
set service dhcpv6-server shared-network-name Access subnet 'fd97:4c4e:9d26:1ffe::/64' lease-time default 86400
set service dhcpv6-server shared-network-name Access subnet 'fd97:4c4e:9d26:1ffe::/64' name-server 'fd97:4c4e:9d26::1'

The above examples also send DNS server information on the assumption that your nameserver is listening on IPv6, like in my example. Otherwise amend the nameserver addresses as necessary.

Also, just for correctness in your script, you may want to do some simple string-checking on the nat66_inface name, as if it is an ethX interface then you must configure it using set interface ethernet ethX rather than set interface switch switchX.

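As an added example (not code from vyatta-cjdns or from either commenter), the interface-name check suggested above, combined with the post-config.d NAT66 script idea from the first reply: the script below only prints the configure-mode `set` lines (so they can be pasted into `configure` or run through the Vyatta script template), writes a re-runnable post-config.d body that keeps the MASQUERADE rule restricted to the ULA source prefix, and audits an `ip6tables -t nat -S POSTROUTING` listing for an unrestricted MASQUERADE rule. It assumes EdgeOS interface names of the form ethN or switchN, a cjdns tunnel named tunN, and that the listing prints `-s` before `-o` as iptables-save does; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of vyatta-cjdns. Helpers for an EdgeOS NAT66 setup
# script. Assumed: LAN interfaces are ethN or switchN, the cjdns tunnel is tunN,
# the NAT source is a ULA prefix (fc00::/7), and `ip6tables -t nat -S` prints
# "-s <prefix> -o <iface> -j MASQUERADE" in that order.

# Map an EdgeOS interface name to its config-tree node ("ethernet" or "switch").
# Returns 1 for anything else (tunN, VLAN sub-interfaces, typos) so the caller
# aborts instead of emitting "set interfaces switch eth1 ..." which commit rejects.
iface_type() {
    case "$1" in
        eth[0-9]|eth[0-9][0-9])       echo ethernet ;;
        switch[0-9]|switch[0-9][0-9]) echo switch ;;
        *)                            return 1 ;;
    esac
}

# Accept only "<ula-address>/<len>" where the address sits inside fc00::/7.
# A global prefix or a bare address is rejected so the -s match never widens.
is_ula_prefix() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                     # no "/len" part
    case "$addr" in f[cd]??:*) ;; *) return 1 ;; esac   # fc.. or fd.. only
    case "$len" in ''|*[!0-9]*) return 1 ;; esac        # numeric length
    [ "$len" -le 128 ]
}

# Print the configure-mode commands for the LAN side and the cjdns tunnel.
# $1 LAN interface, $2 ULA address/prefix, $3 cjdns tunnel interface.
config_commands() {
    type=$(iface_type "$1") || { echo "unsupported interface: $1" >&2; return 1; }
    is_ula_prefix "$2" || { echo "not a ULA prefix: $2" >&2; return 1; }
    printf 'set interfaces %s %s address %s\n' "$type" "$1" "$2"
    printf 'set interfaces cjdns %s firewall local ipv6-name CJD_LOCAL\n' "$3"
}

# Body for /config/scripts/post-config.d/ipv6nat. Re-runnable: it appends the
# rule only when it is missing instead of flushing the whole nat table, and the
# -s match keeps traffic from any other source off the tunnel.
# $1 cjdns tunnel interface, $2 ULA source prefix.
nat66_script_body() {
    cat <<EOF
#!/bin/sh
# NAT66 for cjdns: masquerade only the ULA prefix $2 when it leaves $1.
ip6tables -t nat -S POSTROUTING | grep -q -- "-s $2 -o $1 -j MASQUERADE" \\
  || ip6tables -t nat -A POSTROUTING -o $1 -s $2 -j MASQUERADE
EOF
}

# Audit a POSTROUTING listing read on stdin (ip6tables -t nat -S POSTROUTING).
# Succeeds only if the expected source-restricted rule is present and no
# MASQUERADE rule lacks a -s match (such a rule would NAT any forwarded source).
# $1 cjdns tunnel interface, $2 ULA source prefix.
verify_nat66() {
    found=0; loose=0
    while IFS= read -r line; do
        case "$line" in
            *"-s $2 -o $1 -j MASQUERADE") found=1 ;;
            *"-j MASQUERADE"*)
                case "$line" in *" -s "*) ;; *) loose=1 ;; esac ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$loose" -eq 0 ]
}

# Usage: sh nat66-setup.sh <lan-iface> <ula-prefix/len> <cjdns-tun>
if [ "$#" -eq 3 ]; then
    config_commands "$1" "$2" "$3" || exit 1
    echo '# --- write the following to /config/scripts/post-config.d/ipv6nat and chmod +x it ---'
    nat66_script_body "$3" "$2"
fi
```

The audit function is the part worth keeping around after setup: piping `ip6tables -t nat -S POSTROUTING | verify_nat66 tun0 fd00::/48` from a cron job or a monitoring check flags the case where someone later adds a catch-all `-j MASQUERADE` that would silently translate every forwarded IPv6 source onto the cjdns address.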

wfleurant avatar wfleurant commented on September 26, 2024

I got stuck somewhere.. I didn't catch up last weekend. This is great work. I can pick up quickly w/ ERL if I can dpkg the new version..

🎱 is there a proper way of putting this work in the package?


neilalexander avatar neilalexander commented on September 26, 2024

Well I have often thought about adding in CLI options to automatically configure the IPv6 NAT, but I am not confident yet on the best method to achieve this. It doesn't appear that the built-in vyatta firewall config has any ability to configure IPv6 NAT rules. Maybe just automatically generating a post-config.d script is one way to do that, if a little inelegant.


wfleurant avatar wfleurant commented on September 26, 2024

I would be OK with having an 'enable IPv6 NAT on boot' setting.. I'm not entirely familiar with the post-config.d/ process, but I'm assuming it is more or less like init.d/ on boot.

Should we branch these changes above? It would be easiest to pick it up from there.. Thanks for pointing out the bug with either eth/switch in the code above. If you make a branch where post-config.d/cjdns-nat66.sh checks if it should/shouldn't continue executing, we could easily hit this out of the park. I'd be more than happy to contrib and test from there on out.


neilalexander avatar neilalexander commented on September 26, 2024

This has now been implemented in a8cce61.

Configuration example:

configure
set interfaces cjdns tun0 masquerade from fd94:b2f3:9442::/48
commit

Release v0.1.164 contains the IPv6 Masquerade support: https://github.com/neilalexander/vyatta-cjdns/releases/tag/v0.1.164

Apologies that it's taken a year (to the day, in fact!)

