FYI, it seems to be a bug in the kernel used by LEDE 17.01.4.

I just tested with current snapshot and it simply worked without any change.

Regards,


On Tue, 27 Mar 2018 at 17:45, Luiz Angelo Daros de Luca <
luizl...@gmail.com> wrote:

> Hello,
>
> I'm configuring IPv6 with multihoming connections on LEDE Reboot 17.01.4
> r3560-79f57e422d. For IPv4, NAT easily deals with it. However, for IPv6, I
> have two options: NPT or NETMAP.
>
> 1) NETMAP
>
> For each wan6 interface...
>   ip6tables --table nat --append POSTROUTING --source $ula \
>     --out-interface $ifdev --jump NETMAP --to $ip6prefix
>   ip6tables --table nat --append PREROUTING --destination $ip6prefix \
>     --in-interface $ifdev --jump NETMAP --to $ula
>
> 2) SNPT/DNPT (Network Prefix Translation)
>
> For each wan6 interface...
>   ip6tables --table mangle --append POSTROUTING --source $ula \
>     --out-interface $ifdev --jump SNPT --src-pfx $ula --dst-pfx $ip6prefix
>   ip6tables --table mangle --append PREROUTING --destination $ip6prefix \
>     --in-interface $ifdev --jump DNPT --src-pfx $ip6prefix --dst-pfx $ula
>   ip6tables --table raw --append PREROUTING --destination $ip6prefix \
>     --jump CT --notrack
>
> NPT seems to be the "standard" way to do it. However, at least in Linux, I
> cannot use conntrack (a known limitation). Without connection state, I
> cannot have the same level of security that I have with NAT44. So, it is
> really not an option.
>
> NETMAP simply worked as expected until I tested the connection to a lower
> MTU host:
>
>
> https://mtu1280.test-ipv6.arauc.br/ip/?callback=?&size=1600&fill=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&testdomain=test-ipv6.com&testname=test_v6mtu
>
> The router receives ICMPv6 type 2 informing its max MTU of 1280. It passes
> without being touched through all ip6tables chains but disappears without
> being forwarded to the internal machine. It looks like NETMAP consumes it.
> It did not hit the nat PREROUTING rule, so I guess the kernel assumed it
> was related to the existing connection.
> I also tested without firewall (only manually inserting NETMAP rules) and
> the result is the same.
>
> NPT does forward ICMPv6 type 2 but, as I said, I cannot use it because I
> need a stateful firewall.
>
> Has anyone used something like this? Do I need a special sysctl setting for
> making it work?
>
> Regards,
> --
>
> Luiz Angelo Daros de Luca
> luizl...@gmail.com
>
-- 

Luiz Angelo Daros de Luca
luizl...@gmail.com
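As an added example (not code from this thread, nor from LEDE/OpenWrt or netfilter), the Python below models what a 1:1 prefix translator has to do with an inbound ICMPv6 Packet Too Big message before it can be forwarded to the internal host: mapping the outer destination back to the ULA is not enough, the source address inside the quoted original header must be mapped the same way and the ICMPv6 checksum recomputed, and a PTB whose quoted header does not belong to a translated flow is dropped rather than forwarded. The prefixes fd00:1::/64 and 2001:db8:1::/64 stand in for $ula and $ip6prefix and are constructed placeholders, as are the sample addresses and all function names.

```python
import ipaddress
import struct

ULA = ipaddress.IPv6Network("fd00:1::/64")      # $ula, constructed placeholder
PUB = ipaddress.IPv6Network("2001:db8:1::/64")  # $ip6prefix, constructed placeholder

def netmap(addr, src_net, dst_net):
    """Swap the prefix of addr from src_net to dst_net, keeping the host bits (1:1 NETMAP)."""
    host = int(addr) & int(src_net.hostmask)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host)

def icmp6_checksum(src, dst, body):
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 body (58 = ICMPv6)."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(body), 58) + body
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv6_header(src, dst, payload_len, next_header):
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + src.packed + dst.packed

def packet_too_big(sender, receiver, mtu, quoted):
    """ICMPv6 type 2 from sender to receiver, quoting the header of the oversized packet."""
    body = struct.pack("!BBHI", 2, 0, 0, mtu) + quoted
    body = body[:2] + struct.pack("!H", icmp6_checksum(sender, receiver, body)) + body[4:]
    return ipv6_header(sender, receiver, len(body), 58) + body

def untranslate_ptb(pkt):
    """Inbound PTB handling a NAT must do: map outer dst PUB->ULA, map the quoted inner src too."""
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    body = pkt[40:]
    if pkt[6] != 58 or body[0] != 2 or dst not in PUB:
        return None                                  # not a PTB for a mapped address
    if icmp6_checksum(src, dst, body) != 0:
        return None                                  # corrupt checksum: drop, do not translate
    quoted_src = ipaddress.IPv6Address(body[16:32])  # quoted IPv6 header starts at body[8]
    if quoted_src != dst:
        return None                                  # quoted packet was not sent by this host
    new_quoted = body[8:16] + netmap(quoted_src, PUB, ULA).packed + body[32:]
    return packet_too_big(src, netmap(dst, PUB, ULA), struct.unpack("!I", body[4:8])[0], new_quoted)

# Constructed sample: an internal host's oversized packet and the PTB 1280 that comes back for it.
INTERNAL = ipaddress.IPv6Address("fd00:1::10")
REMOTE = ipaddress.IPv6Address("2001:db8:ffff::1")
TOO_BIG = ipv6_header(netmap(INTERNAL, ULA, PUB), REMOTE, 1400, 6)
INBOUND_PTB = packet_too_big(REMOTE, netmap(INTERNAL, ULA, PUB), 1280, TOO_BIG)
```

Calling `untranslate_ptb(INBOUND_PTB)` yields the PTB as the internal host must see it: outer destination and quoted source both fd00:1::10, MTU 1280 preserved, checksum valid for the new addresses.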
_______________________________________________
openwrt-users mailing list
openwrt-users@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users