Steps to reproduce
I hope to use IPv6 NPT (RFC 6296 stateless NPT) and have kmod-ipt-nat6 installed.
I am sure that "ip6t_NPT" is about RFC 6296; in the source code:
```c
MODULE_DESCRIPTION("IPv6-to-IPv6 Network Prefix Translation (RFC 6296)");
```
DNPT (IPv6-specific)
Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296).
You have to use this target in the mangle table, not in the nat table. It takes the following options:
--src-pfx [prefix/length]
    Set source prefix that you want to translate and length
--dst-pfx [prefix/length]
    Set destination prefix that you want to use in the translation and length
You have to use the SNPT target to undo the translation. Example:
```sh
ip6tables -t mangle -I POSTROUTING -s fd00::/64 -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64
ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64
```
You may need to enable IPv6 neighbor proxy:
```sh
sysctl -w net.ipv6.conf.all.proxy_ndp=1
```
You also have to use the NOTRACK target to disable connection tracking for translated flows.
does anyone have ideas?
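To make the "stateless" part concrete, here is an added worked example (not from this issue or from OpenWrt) of the per-address computation the SNPT/DNPT targets quoted above perform: the prefix is swapped and one 16-bit word is adjusted so the one's complement sum of the address is unchanged, which is why no connection state is needed and why the reverse rule undoes it exactly. It follows the RFC 6296 algorithm as implemented in ip6t_NPT.c, using the man page's prefixes; the function and variable names are my own.

```python
"""RFC 6296 NPTv6 prefix translation (checksum-neutral, stateless)."""
import ipaddress
from typing import List, Optional


def _fold16(total: int) -> int:
    """Reduce to a 16-bit one's complement value; 0x0000 and 0xFFFF are both zero."""
    return total % 0xFFFF


def _words(addr: ipaddress.IPv6Address) -> List[int]:
    """Split a 128-bit address into its eight 16-bit words, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def npt_adjustment(src_pfx: str, dst_pfx: str) -> int:
    """Constant per rule: one's complement difference of the two prefixes (src minus dst)."""
    src = ipaddress.IPv6Network(src_pfx).network_address
    dst = ipaddress.IPv6Network(dst_pfx).network_address
    return _fold16(sum(_words(src)) - sum(_words(dst)))


def npt_translate(addr: str, src_pfx: str, dst_pfx: str) -> Optional[str]:
    """Rewrite addr from src_pfx to dst_pfx as ip6t_NPT does; None if untranslatable."""
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src_pfx}")
    pfx_len = max(src.prefixlen, dst.prefixlen)
    host_mask = (1 << (128 - pfx_len)) - 1
    # Step 1: replace the prefix bits, keep the host bits.
    words = _words(ipaddress.IPv6Address(
        (int(dst.network_address) & ~host_mask) | (int(ip) & host_mask)))
    # Step 2: pick the word that absorbs the checksum difference:
    # the subnet ID for /48 or shorter, otherwise the first IID word that is not 0xFFFF.
    if pfx_len <= 48:
        idx = 3
    else:
        candidates = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not candidates:
            return None  # IID is all 0xFFFF: RFC 6296 says it cannot be translated
        idx = candidates[0]
    # Step 3: one's complement add the adjustment; a result of 0xFFFF is written as 0x0000.
    words[idx] = _fold16(words[idx] + npt_adjustment(src_pfx, dst_pfx))
    out = 0
    for w in words:
        out = (out << 16) | w
    return str(ipaddress.IPv6Address(out))


def checksum_neutral(a: str, b: str) -> bool:
    """True if both addresses contribute the same one's complement sum to TCP/UDP checksums."""
    return _fold16(sum(_words(ipaddress.IPv6Address(a)))) == \
        _fold16(sum(_words(ipaddress.IPv6Address(b))))
```

Applying the man page's SNPT rule to fd00::1 yields 2001:e20:2000:40f:aad0::1, and the DNPT rule with the prefixes swapped returns fd00::1; because the sums match, transport checksums need no rewriting and no conntrack entry is involved.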
NPT is mostly useless for OpenWrt as it breaks conntrack. The result is that you'll have a stateless firewall. It would only be useful if you have a firewall before or after the router with NPT.
The reason for that is when you use conntrack, you could simply use NETMAP as most of its costs are [already paid](https://unix.stackexchange.com/questions/331224/is-there-a-way-to-have-nptv6-with-connection-tracking-on-linux).
I do suggest you use NETMAP instead of MASQUERADE.
youxiaojie:
```
root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64 -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.
```
I have kmod-ipt-nat6 installed, which contains the NPT extension.
```
lsmod
x_tables 12656 37 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_FLOWOFFLOAD,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT
```