Comments (10)
Good evening,
Yes, you are right in that a simple script containing the necessary ip6tables -t nat commands will work — this is exactly what I have done in my own config — but a better place to put the script is in /config/scripts/post-config.d/. All files marked as executable in this directory will be run automatically by the EdgeRouter after configuration has been loaded, particularly after a device reboot. It will also survive firmware upgrades as it resides within /config.
Once you have done that, then you can simply configure your IPv6 prefixes on your internal ethernet or switch interfaces as normal using the configure view, and the EdgeRouter will do the rest. I had planned to investigate some configuration options specifically for this into vyatta-cjdns.
By all means please write back with your success. If not then I can write a wiki page soon to explain how I got this to work.
I must be missing something?
-t filter -A FORWARD -i switch0 -o tun0 -j ACCEPT
-t filter -A FORWARD -i tun0 -o switch0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -o tun0 -j MASQUERADE
switch0 has inet6 fd00::1/64
on laptop, there is inet6 fd00::2/64
packet trace on ER (no responses, bad source address)
PING irc.fc00.io(guerrilla.network) 56 data bytes
...
tcpdump -nqi any net fc00::/8 or net fd00::/8
...
22:45:41.382923 IP6 fdfc::2 > fc34:8675:ed95:600c:38d7:6eb8:f5b9:5bfa: ICMP6, echo request, seq 12, length 64
I had some issues doing this in the GUI .. couple of terms not quite clear, and some address fields prevent ipv6 😮
-w
For the filter table rules I have configured these using the CLI:
firewall ipv6-name CJD_LOCAL default-action drop
firewall ipv6-name CJD_LOCAL rule 10 action accept
firewall ipv6-name CJD_LOCAL rule 10 state established enable
firewall ipv6-name CJD_LOCAL rule 10 state related enable
firewall ipv6-name CJD_LOCAL rule 20 action drop
firewall ipv6-name CJD_LOCAL rule 20 state invalid enable
firewall ipv6-name CJD_LOCAL rule 30 action accept
firewall ipv6-name CJD_LOCAL rule 30 protocol icmpv6
... etc, and then attaching the policy to the interface:
interfaces cjdns tun1 firewall local ipv6-name CJD_LOCAL
Then in my /config/scripts/post-config.d/ipv6nat (which is +x) script to configure the nat table rules:
#!/bin/sh
sudo ip6tables -t nat -F
sudo ip6tables -t nat -A POSTROUTING -o tun1 -s fd97:4c4e:9d26::/48 -j MASQUERADE
For what it is worth, when using tcpdump you may get more accurate results by specifying the cjdns tunnel interface instead of -i any, since I guess POSTROUTING rules on a specific interface maybe do not show in the any target?
OK I'll catch up over the weekend.
so where do we turn to for router advertisements? Test this on laptop
ping6 some-cjdns-node &
sudo service cjdns stop
sudo ip -6 addr add fd00::10/48 dev wlan0
sudo ip -6 ro replace fc00::/8 via fd00::
64 bytes from some-cjdns-node: icmp_seq=74 ttl=41 time=3.89 ms
pretty much same script you provided above, but with address fd00::/48 on interface switch0
did an iperf -V -c some-cjdns-node -P10 and flooded a macbook air [SUM] 0.0-11.5 sec 11.5 MBytes 8.38 Mbits/sec
with 2 cores on ERL, we could run 2 cjdroute processes to probably double the throughput. i think the support is here https://gist.github.com/wfleurant/25ca9e4312e3397f67875a5573ecaa01
ubnt@edgerouter:~$ taskset
Usage: taskset [options] [mask | cpu-list] [pid|cmd [args...]]
ubnt@edgerouter:~$ ip -6 ro sh ta 0
fc00::/8 dev tun0 proto kernel metric 256
fd00::/48 dev switch0 proto kernel metric 256
...
#!/bin/sh
############################################################################
# configure mode
configure
# destination of initscript (no change needed)
nat66_script="/config/scripts/post-config.d/ipv6nat"
# cjdns interface name (change if other tunnels in use) with firewall rules
cjdns_devtun="tun0"
# fd00::/48 local source address for nat66 and cjdns networks with firewall rules
nat66_ip6adr="fd00::/48"
# the nat66 interface with firewall rules
nat66_inface="switch0"
# build firewall (enter configure)
set firewall ipv6-name CJD_LOCAL default-action drop
set firewall ipv6-name CJD_LOCAL rule 10 action accept
set firewall ipv6-name CJD_LOCAL rule 10 state established enable
set firewall ipv6-name CJD_LOCAL rule 10 state related enable
set firewall ipv6-name CJD_LOCAL rule 20 action drop
set firewall ipv6-name CJD_LOCAL rule 20 state invalid enable
set firewall ipv6-name CJD_LOCAL rule 30 action accept
set firewall ipv6-name CJD_LOCAL rule 30 protocol icmpv6
set interfaces switch ${nat66_inface} address ${nat66_ip6adr}
set interfaces cjdns ${cjdns_devtun} firewall local ipv6-name CJD_LOCAL
commit
save
############################################################################
# Create script executed during init
cat << EOF > ${nat66_script} && chmod +x ${nat66_script}
#!/bin/sh
sudo ip6tables -t nat -F
sudo ip6tables -t nat -A POSTROUTING -o ${cjdns_devtun} -s ${nat66_ip6adr} -j MASQUERADE
EOF
# Exit configure mode
exit
Router advertisements on a given interface can be configured through the CLI, in my example below to send router advertisements on switch0:
set interfaces switch switch0 address 'fd97:4c4e:9d26:1ffe::1/64'
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert default-preference high
set interfaces switch switch0 ipv6 router-advert link-mtu 1280
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 60
set interfaces switch switch0 ipv6 router-advert name-server 'fd97:4c4e:9d26:1ffe::1'
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix 'fd97:4c4e:9d26:1ffe::/64' valid-lifetime 2592000
And also DHCPv6, as some clients prefer DHCPv6 instead of SLAAC addressing:
set service dhcpv6-server shared-network-name Access name-server 'fd97:4c4e:9d26:1ffe::1'
set service dhcpv6-server shared-network-name Access subnet 'fd97:4c4e:9d26:1ffe::/64' lease-time default 86400
set service dhcpv6-server shared-network-name Access subnet 'fd97:4c4e:9d26:1ffe::/64' name-server 'fd97:4c4e:9d26::1'
The above examples also send DNS server information on the assumption that your nameserver is listening on IPv6, like in my example. Otherwise amend the nameserver addresses as necessary.
Also, just for correctness in your script, you may want to do some simple string-checking on the nat66_inface name, as if it is an ethX interface then you must configure it using set interface ethernet ethX rather than set interface switch switchX.
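As an added example (not code from the thread or from the vyatta-cjdns project), the following POSIX sh script reworks the nat66 generator posted two comments above with the eth/switch check just suggested: it maps the interface name to the right configure path (ethX, switchX, or an ethX.N vif), refuses any source prefix that is not a unique-local address (so a typo cannot produce a MASQUERADE rule for everything), and renders a post-config.d script that keeps its rules in a dedicated chain instead of running ip6tables -t nat -F, which would wipe any other NAT66 rules on the router. The function names, the chain name CJDNS_NAT66 and the --apply switch are this example's own, and it assumes an ip6tables that supports the -C (check) option. Without --apply it only prints what would be configured.

```shell
#!/bin/sh
# Added example, not vyatta-cjdns project code. Generates the post-config.d
# NAT66 script from the thread after validating its inputs.
# Function names (iface_config_path, ula_prefix_ok, nat66_config_lines,
# render_nat66_script) and the chain name CJDNS_NAT66 are this example's own.

# Map an EdgeRouter interface name to its Vyatta config path: ethX ->
# "interfaces ethernet ethX", switchX -> "interfaces switch switchX",
# ethX.N -> "interfaces ethernet ethX vif N". Returns 1 otherwise.
iface_config_path() {
    base=${1%%.*}
    vif=""
    case "$1" in *.*) vif=${1#*.} ;; esac
    case "$base" in
        eth[0-9]|eth[0-9][0-9])       path="interfaces ethernet $base" ;;
        switch[0-9]|switch[0-9][0-9]) path="interfaces switch $base" ;;
        *) return 1 ;;
    esac
    if [ -n "$vif" ]; then
        case "$vif" in *[!0-9]*) return 1 ;; esac
        path="$path vif $vif"
    fi
    printf '%s\n' "$path"
}

# Accept only a unique-local prefix (fc00::/7) with a sane length, so a typo
# cannot turn the MASQUERADE rule into "translate everything".
ula_prefix_ok() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1##*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 8 ] && [ "$len" -le 128 ] || return 1
    case "$addr" in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# The "set" lines for configure mode (printed, not applied).
nat66_config_lines() {
    tun=$1; prefix=$2; inface=$3
    path=$(iface_config_path "$inface") || return 1
    ula_prefix_ok "$prefix" || return 1
    printf 'set %s address %s\n' "$path" "$prefix"
    printf 'set interfaces cjdns %s firewall local ipv6-name CJD_LOCAL\n' "$tun"
}

# The post-config.d script body. Unlike the thread's version it keeps its
# rules in a dedicated chain instead of flushing the whole nat table (-F),
# so other NAT66 rules on the router survive, and it is safe to re-run.
# Assumes ip6tables supports -C.
render_nat66_script() {
    tun=$1; prefix=$2
    ula_prefix_ok "$prefix" || return 1
    cat <<EOF
#!/bin/sh
# generated NAT66 rules for cjdns; regenerate rather than editing by hand
ip6tables -t nat -L -n >/dev/null 2>&1 || { echo "nat66: ip6tables nat table unavailable" >&2; exit 1; }
ip6tables -t nat -N CJDNS_NAT66 2>/dev/null
ip6tables -t nat -F CJDNS_NAT66
ip6tables -t nat -A CJDNS_NAT66 -o $tun -s $prefix -j MASQUERADE
ip6tables -t nat -C POSTROUTING -j CJDNS_NAT66 2>/dev/null ||
    ip6tables -t nat -A POSTROUTING -j CJDNS_NAT66
EOF
}

# Usage on the router: sh thisfile --apply tun0 fd00::/48 switch0
# This writes the post-config.d script and prints the configure-mode lines
# to paste (then commit; save). Without --apply nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    nat66_script=/config/scripts/post-config.d/ipv6nat
    render_nat66_script "$2" "$3" > "$nat66_script" && chmod +x "$nat66_script"
    nat66_config_lines "$2" "$3" "$4"
fi
```

Both checks fail closed: an unrecognised interface name or a non-ULA prefix makes the generator return non-zero before anything is written, which is the "should/shouldn't continue" gate the later comment asks for.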
i got stuck somewhere.. i didn't catch up last weekend. this is great work. I can pick up quickly w/ ERL if i can dpkg new version..
🎱 is there a proper way of putting this work in the package?
Well I have often thought about adding in CLI options to automatically configure the IPv6 NAT, but I am not confident yet on the best method to achieve this. It doesn't appear that the built-in vyatta firewall config has any ability to configure IPv6 NAT rules. Maybe just automatically generating a post-config.d script is one way to do that, if a little inelegant.
I would be OK with having a 'enable IPv6 NAT on boot' setting.. I'm not entirely familiar with the post-config.d/ process, but i'm assuming it is more or less like init.d/ on boot.
Should we branch these changes above? It would be easiest to pick it up from there.. Thanks for pointing out bug with either eth/switch in the code above. If you make a branch where post-config.d/cjdns-nat66.sh checks if should/shouldn't continue executing we could easily hit this out the park. I'd be more than happy to contrib and test from there on out.
This has now been implemented in a8cce61.
Configuration example:
configure
set interfaces cjdns tun0 masquerade from fd94:b2f3:9442::/48
commit
Release v0.1.164 contains the IPv6 Masquerade support: https://github.com/neilalexander/vyatta-cjdns/releases/tag/v0.1.164
Apologies that it's taken a year (to the day, in fact!)