내 ISP가 DHCPv6을 통해 단 하나의 IPv6 주소만 할당하고, 하나의 MAC 주소만이 DHCPv6으로 마지막에 받은 그 단일 IPv6 주소를 사용하도록 허용하기 때문에(다른 주소를 사용하는 패킷은 폐기됩니다), OpenWrt(22.03.0-rc4) 라우터에서 IPv6용 NAT를 설정하고 있습니다.
OpenWrt의 최신 버전은 Firewall4 + nftables를 사용하므로 기존 ip6tables를 완전히 제거하고 새 테이블을 사용하기로 결정했습니다. 라우터가 IPv6 인터넷에 액세스할 수 있고 LAN의 클라이언트가 IPv6 주소(ULA 주소)를 얻도록 하는 데까지는 성공했지만, LAN 클라이언트에 대해 masq6를 구성하면 NAT6이 작동하지 않습니다.
내 PC에서 Wireshark를 실행하면 라우팅을 위해 라우터로 보낸 모든 패킷이 "대상에 연결할 수 없음(호스트에 대한 경로 없음)"으로 거부된 것으로 표시됩니다. nftables 추적을 해 보니 LAN 호스트의 IPv6 패킷이 forward 체인에 도달한 적이 없다는 것을 알았습니다. 이 패킷들은 (prerouting의) dstnat 체인에 도달한 뒤 추적에서 사라지고, PC에는 "Destination Unreachable"이 반환됩니다. forward 훅에 -1000 우선순위로 새 체인을 생성해도 IPv6 패킷이 보이지 않습니다.
사실 어제 작동하게 만들었는데(방법을 잊어버렸습니다), 라우터를 재설정한 후 다시 실패합니다.
누락되거나 충돌하는 커널 모듈이 있을 수 있는지 의심스럽습니다. 따라서 내 lsmod는 다음과 같습니다.
cfg80211 298812 5 mt7615_common,mt7603e,mt76_connac_lib,mt76,mac80211
cmac 2546 2
compat 1358 2 mac80211,cfg80211,[permanent]
crc_ccitt 1774 1 ppp_async
crc32c_generic 1458 1
drbg 17586 0
gpio_button_hotplug 6674 0
hmac 2578 0
hwmon 8038 1 mt7615_common
ip_tables 11645 0
ip6_tables 11331 0
jitterentropy_rng 7561 0
leds_gpio 3250 0
libcrc32c 727 1 nf_tables
libsha256 8772 1 sha256_generic
mac80211 557288 5 mt7615e,mt7615_common,mt7603e,mt76_connac_lib,mt76
mt76 48100 4 mt7615e,mt7615_common,mt7603e,mt76_connac_lib
mt76_connac_lib 26897 2 mt7615e,mt7615_common
mt7603e 40284 0
mt7615_common 68934 1 mt7615e
mt7615e 11469 0
netatop 35215 0
nf_conntrack 71239 8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_bridge
nf_conntrack_bridge 3346 0
nf_defrag_ipv4 1273 1 nf_conntrack
nf_defrag_ipv6 6036 2 nf_conntrack_bridge,nf_conntrack
nf_flow_table 23615 4 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload
nf_flow_table_inet 658 0
nf_flow_table_ipv4 530 0
nf_flow_table_ipv6 530 0
nf_log_common 3064 2 nf_log_ipv6,nf_log_ipv4
nf_log_ipv4 3762 0
nf_log_ipv6 4050 0
nf_nat 24974 4 nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4 2601 3 nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nf_reject_ipv6 2926 3 nft_reject_ipv6,nft_reject_inet,nft_reject_bridge
nf_tables 153615203 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_meta_bridge,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_compat,nft_chain_nat
nfnetlink 5761 2 nft_compat,nf_tables
nft_chain_nat 946 2
nft_compat 5874 0
nft_counter 2226 18
nft_ct 7538 3
nft_fib 1622 3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet 754 0
nft_fib_ipv4 2197 1 nft_fib_inet
nft_fib_ipv6 2869 1 nft_fib_inet
nft_flow_offload 3442 0
nft_hash 2578 0
nft_limit 3634 5
nft_log 1810 0
nft_masq 1938 2
nft_meta_bridge 1426 0
nft_nat 2738 0
nft_numgen 1826 0
nft_objref 1746 0
nft_quota 2098 0
nft_redir 1906 0
nft_reject 1383 4 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nft_reject_bridge 4178 0
nft_reject_inet 1234 2
nft_reject_ipv4 754 0
nft_reject_ipv6 754 0
ppp_async 7330 0
ppp_generic 25903 3 pppoe,ppp_async,pppox
pppoe 9714 0
pppox 1520 1 pppoe
seqiv 1682 0
sha256_generic 2557 0
slhc 5538 1 ppp_generic
x_tables 17341 3 nft_compat,ip6_tables,ip_tables
그리고 여기 내 nft list ruleset 출력입니다:
# Output of `nft list ruleset` on the OpenWrt 22.03.0-rc4 router (firewall4 / nftables).
# Everything lives in one inet table, so a rule applies to both IPv4 and IPv6 unless it
# is narrowed with `meta nfproto`, an `ip`/`ip6` match, or an ICMP/ICMPv6 match.
table inet fw4 {
# Base chain for packets addressed to the router itself; default accept, zone chains decide.
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
# Base chain for routed packets. The forward hook runs only AFTER the routing decision,
# so a packet the kernel cannot route is discarded before it ever reaches this chain;
# that is consistent with the "no route to host" errors and with a trace that stops
# after dstnat (prerouting). No rule here can make such a packet appear.
# Policy drop, and the trailing jump turns the drop into an explicit reject.
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
# Base chain for packets generated by the router; default accept.
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
# The two @rule[9] entries are counter-only: no verdict, evaluation continues.
meta l4proto tcp counter packets 0 bytes 0 comment "!fw4: @rule[9]"
meta l4proto udp counter packets 27 bytes 2192 comment "!fw4: @rule[9]"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
# Shared reject handler: TCP gets a RST, everything else the default ICMP/ICMPv6 reject.
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
# SYN rate limiter reached from input; `return` lets in-limit SYNs continue in input.
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
# lan zone: everything from/to br-lan is accepted.
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
# lan -> wan forwarding is allowed (first jump); lan -> lan too.
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_lan
}
chain accept_from_lan {
iifname "br-lan" counter packets 252 bytes 19093 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 105 bytes 7472 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
# wan zone input: only the listed services/ICMP are accepted, everything else is rejected.
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546-547 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
# nd-router-advert is accepted by the firewall here, so whether the router actually acts
# on Router Advertisements is decided by the kernel sysctl accept_ra on the wan interface,
# not by this rule (the answer below sets net.ipv6.conf.wan.accept_ra = 2).
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 20 bytes 1440 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
# wan -> lan forwarding: ICMPv6 error/echo, ESP and ISAKMP only; the rest is rejected.
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
oifname "wan" counter packets 2123 bytes 133725 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
# Empty DNAT chain (prerouting). This is the last hook the questioner's trace shows
# the LAN IPv6 packets in before they disappear at routing.
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
# SNAT runs in postrouting, i.e. only after forward has already accepted the packet.
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
# NAT66: the IPv6 masquerade rewrites LAN (ULA) sources to the wan address so that the
# ISP only ever sees the single DHCPv6-assigned address. Masquerade does not create a
# route; without one the packet never gets this far.
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"
}
# raw/mangle chains below are fw4 defaults; helper_lan is empty (no CT helpers assigned).
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain helper_lan {
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
# TCP MSS clamping to the route MTU for SYNs entering or leaving wan.
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
OpenWrt의 기본 sysctl.conf는 다음과 같습니다(wan.accept_ra = 2가 필요합니까?).
# Default OpenWrt /etc/sysctl.conf as posted. Note what is NOT here: no
# net.ipv6.conf.wan.accept_ra line. The accepted answer adds
# net.ipv6.conf.wan.accept_ra = 2.
net.core.bpf_jit_enable=1
# Answer ARP only for addresses configured on the receiving interface.
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
# IPv4 routing between interfaces.
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
# SYN cookies for listening sockets under SYN flood.
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
# IPv6 routing between interfaces. Per the kernel's ipv6 sysctl documentation,
# with forwarding enabled an interface only processes Router Advertisements when
# its accept_ra is 2 (the default, 1, accepts RAs only while not forwarding), so
# these two lines alone leave the wan side without an RA-learned IPv6 route.
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
빠른 google-fu로는 "v4 NAT는 작동하지만 v6 NAT는 작동하지 않음"과 관련된 내용을 찾지 못했습니다. OpenWrt 포럼에 올린 관련 게시물: https://forum.openwrt.org/t/ipv6-nat-in-v22-03-0-rc4-with-nftables-packets-not-flowing-into-forward-chain/130653
nft monitor trace 결과나 pcap이 필요하면 알려주십시오. 어떤 도움이라도 주시면 감사하겠습니다.
답변1
/etc/sysctl.conf에 net.ipv6.conf.wan.accept_ra = 2를 추가한 후에는 실제로 작동합니다. @user1686님 감사합니다!