Hello,

I'm configuring IPv6 with multihoming connections on LEDE Reboot 17.01.4
r3560-79f57e422d. For IPv4, NAT easily deals with it. However, for IPv6, I
have two options: NPT or NETMAP.

1) NETMAP

For each wan6 interface...
  # outbound: rewrite the ULA source prefix to the delegated global prefix
  ip6tables --table nat --append POSTROUTING --source $ula \
      --out-interface $ifdev --jump NETMAP --to $ip6prefix
  # inbound: map the global destination prefix back to the ULA
  ip6tables --table nat --append PREROUTING --destination $ip6prefix \
      --in-interface $ifdev --jump NETMAP --to $ula

2) SNPT/DNPT (Network Prefix Translation)

For each wan6 interface...
  # outbound: stateless source prefix translation ULA -> global prefix
  ip6tables --table mangle --append POSTROUTING --source $ula \
      --out-interface $ifdev --jump SNPT --src-pfx $ula --dst-pfx $ip6prefix
  # inbound: reverse translation of the destination prefix global -> ULA
  ip6tables --table mangle --append PREROUTING --destination $ip6prefix \
      --in-interface $ifdev --jump DNPT --src-pfx $ip6prefix --dst-pfx $ula
  # inbound packets to the translated prefix are excluded from conntrack
  ip6tables --table raw --append PREROUTING --destination $ip6prefix \
      --jump CT --notrack

NPT seems to be the "standard" way to do it. However, at least in Linux, I
cannot use conntrack (a known limitation). Without connection state, I
cannot have the same level of security that I have with NAT44. So, it is
really not an option.

NETMAP simply worked as expected until I tested the connection to a
lower-MTU host:

https://mtu1280.test-ipv6.arauc.br/ip/?callback=?&size=1600&fill=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&testdomain=test-ipv6.com&testname=test_v6mtu

The router receives an ICMPv6 type 2 message announcing a max MTU of 1280.
It passes untouched through all ip6tables chains but disappears without
being forwarded to the internal machine. It looks like NETMAP consumes it.
It did not hit the nat PREROUTING rule, so I guess the kernel assumed it was
related to the existing connection.
I also tested without the firewall (only manually inserting the NETMAP
rules) and the result is the same.

NPT does forward ICMPv6 type 2 but, as I said, I cannot use it because I
need a stateful firewall.

Has anyone used something like this? Do I need a special sysctl setting to
make it work?

Regards,
-- 

Luiz Angelo Daros de Luca
[email protected]
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
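The stateless-versus-stateful difference behind the two rule sets above, as an added example that is not part of the original message or of OpenWrt/LEDE: it models what the SNPT/DNPT targets do (the RFC 6296 checksum-neutral prefix mapping) next to what NETMAP does (a plain prefix swap), and checks whether the one's complement sum of the address, and hence every transport pseudo-header checksum, survives translation. Prefixes and hosts are constructed sample values.

```python
# RFC 6296 NPTv6 swaps the prefix, then adds a one's-complement "adjustment" to
# one 16-bit word so the sum of the whole address is unchanged: TCP/UDP/ICMPv6
# checksums stay valid with no per-packet state. NETMAP only swaps the prefix,
# so checksums must be repaired per connection, which is why it needs conntrack.
import ipaddress

def words(addr):
    """Split a 128-bit address into eight 16-bit words."""
    b = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]

def oc_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(ws):
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return 0 if total == 0xFFFF else total  # -0 and +0 are the same value

def netmap(addr, src_pfx, dst_pfx):
    """Plain prefix swap (models the NETMAP target): checksums NOT preserved."""
    src, dst = ipaddress.IPv6Network(src_pfx), ipaddress.IPv6Network(dst_pfx)
    host = int(ipaddress.IPv6Address(addr)) & ((1 << (128 - src.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | host)

def npt(addr, src_pfx, dst_pfx):
    """RFC 6296 checksum-neutral mapping (models the SNPT/DNPT targets)."""
    src, dst = ipaddress.IPv6Network(src_pfx), ipaddress.IPv6Network(dst_pfx)
    ws = words(netmap(addr, src_pfx, dst_pfx))
    # adjustment = sum(src prefix) - sum(dst prefix) in one's complement
    adj = oc_add(oc_sum(words(src.network_address)),
                 ~oc_sum(words(dst.network_address)) & 0xFFFF)
    if src.prefixlen <= 48:
        idx = 3                      # the subnet-ID word
    else:                            # first IID word that is not 0xFFFF
        idx = next((i for i in range(4, 8) if ws[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("untranslatable address (RFC 6296 section 3.2)")
    ws[idx] = oc_add(ws[idx], adj)
    if ws[idx] == 0xFFFF:
        ws[idx] = 0                  # never emit the negative-zero form
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))

def checksum_neutral(a, b):
    """True if a and b contribute the same value to a pseudo-header checksum."""
    return oc_sum(words(a)) == oc_sum(words(b))

if __name__ == "__main__":
    ula, gua, host = "fd01:2345:6789::/48", "2001:db8:1::/48", "fd01:2345:6789:1::10"
    for name, fn in (("NETMAP", netmap), ("NPT", npt)):
        print(name, fn(host, ula, gua), checksum_neutral(host, fn(host, ula, gua)))
```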
