nftables:IPv6 NAT 封包未進入前向鏈,但傳回的目標無法到達

nftables:IPv6 NAT 封包未進入前向鏈,但傳回的目標無法到達

我在 OpenWrt (22.03.0-rc4) 路由器上為 IPv6 設定 NAT,因為我的 ISP 僅透過 DHCPv6 分配一個 IPv6 位址,並且只允許一個 MAC 位址使用上次透過 DHCPv6 取得的單一 IPv6 位址(封包使用其他地址將被丟棄)。

最新版本的 OpenWrt 使用的是 firewall4 + nftables,所以我決定完全擺脫舊的 ip6tables 並改用新的。我設法讓路由器本身能夠存取 IPv6 Internet,也讓區域網路內的客戶端取得 IPv6 位址(ULA 位址),但是當我為 LAN 區域啟用 masq6 之後,NAT6 仍然不起作用。

當我在我的電腦上執行 Wireshark 時,它顯示所有送往路由器等待轉送的封包都被路由器以「目標無法到達(沒有到主機的路由)」拒絕。當我進行 nftables 追蹤時,我注意到沒有任何來自 LAN 主機的 IPv6 封包到達 forward 鏈:這些封包到達 dstnat 鏈(prerouting 階段)之後就從追蹤中消失,路由器同時向 PC 回傳「目標無法到達」。即使我建立了一條掛在 forward hook、優先級為 -1000 的新鏈,也看不到任何 IPv6 封包。

事實上,我昨天曾經設法讓它運作(但我忘記了是怎麼做到的),但在路由器重置後,它又失敗了。

我懷疑可能缺少核心模組或有模組衝突,所以這是我的 lsmod 輸出:

cfg80211              298812  5 mt7615_common,mt7603e,mt76_connac_lib,mt76,mac80211
cmac                    2546  2 
compat                  1358  2 mac80211,cfg80211,[permanent]
crc_ccitt               1774  1 ppp_async
crc32c_generic          1458  1 
drbg                   17586  0 
gpio_button_hotplug     6674  0 
hmac                    2578  0 
hwmon                   8038  1 mt7615_common
ip_tables              11645  0 
ip6_tables             11331  0 
jitterentropy_rng       7561  0 
leds_gpio               3250  0 
libcrc32c                727  1 nf_tables
libsha256               8772  1 sha256_generic
mac80211              557288  5 mt7615e,mt7615_common,mt7603e,mt76_connac_lib,mt76
mt76                   48100  4 mt7615e,mt7615_common,mt7603e,mt76_connac_lib
mt76_connac_lib        26897  2 mt7615e,mt7615_common
mt7603e                40284  0 
mt7615_common          68934  1 mt7615e
mt7615e                11469  0 
netatop                35215  0 
nf_conntrack           71239  8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_bridge
nf_conntrack_bridge     3346  0 
nf_defrag_ipv4          1273  1 nf_conntrack
nf_defrag_ipv6          6036  2 nf_conntrack_bridge,nf_conntrack
nf_flow_table          23615  4 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload
nf_flow_table_inet       658  0 
nf_flow_table_ipv4       530  0 
nf_flow_table_ipv6       530  0 
nf_log_common           3064  2 nf_log_ipv6,nf_log_ipv4
nf_log_ipv4             3762  0 
nf_log_ipv6             4050  0 
nf_nat                 24974  4 nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4          2601  3 nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nf_reject_ipv6          2926  3 nft_reject_ipv6,nft_reject_inet,nft_reject_bridge
nf_tables             153615 203 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_meta_bridge,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_compat,nft_chain_nat
nfnetlink               5761  2 nft_compat,nf_tables
nft_chain_nat            946  2 
nft_compat              5874  0 
nft_counter             2226 18 
nft_ct                  7538  3 
nft_fib                 1622  3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet             754  0 
nft_fib_ipv4            2197  1 nft_fib_inet
nft_fib_ipv6            2869  1 nft_fib_inet
nft_flow_offload        3442  0 
nft_hash                2578  0 
nft_limit               3634  5 
nft_log                 1810  0 
nft_masq                1938  2 
nft_meta_bridge         1426  0 
nft_nat                 2738  0 
nft_numgen              1826  0 
nft_objref              1746  0 
nft_quota               2098  0 
nft_redir               1906  0 
nft_reject              1383  4 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nft_reject_bridge       4178  0 
nft_reject_inet         1234  2 
nft_reject_ipv4          754  0 
nft_reject_ipv6          754  0 
ppp_async               7330  0 
ppp_generic            25903  3 pppoe,ppp_async,pppox
pppoe                   9714  0 
pppox                   1520  1 pppoe
seqiv                   1682  0 
sha256_generic          2557  0 
slhc                    5538  1 ppp_generic
x_tables               17341  3 nft_compat,ip6_tables,ip_tables

這是我的 nft list ruleset 輸出:

# Ruleset generated by OpenWrt firewall4 (fw4), as printed by `nft list ruleset`.
# The inline `comment "!fw4: ..."` strings are fw4's own annotations and are part of
# the rules; the plain `#` lines are reviewer notes added for this page.
#
# On the symptom in the question (LAN IPv6 packets reach dstnat but never `forward`):
# the only prerouting-hook chains here are dstnat, raw_prerouting and
# mangle_prerouting, and none of them drops or rejects anything, so this table is
# not what stops the packets. The routing decision sits between prerouting and the
# forward hook; a failed route lookup yields "destination unreachable (no route to
# host)" before any forward-hook chain runs, which is consistent with the accepted
# fix (net.ipv6.conf.wan.accept_ra=2, see the answer below).
table inet fw4 {
        # Traffic addressed to the router itself.
        # NOTE(review): policy accept means input from any interface that is neither
        # br-lan nor wan (should one ever be added) is accepted unfiltered; fw4 relies
        # on every interface being assigned to a zone.
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        # Routed traffic. Anything not accepted by a zone chain falls through to
        # handle_reject (TCP RST / ICMP unreachable) before the drop policy applies.
        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        # Locally generated traffic. The two @rule[9] entries only count packets;
        # they carry no verdict and therefore do not affect anything.
        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                meta l4proto tcp counter packets 0 bytes 0 comment "!fw4: @rule[9]"
                meta l4proto udp counter packets 27 bytes 2192 comment "!fw4: @rule[9]"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        # Active rejection (RST for TCP, ICMP/ICMPv6 unreachable for the rest).
        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        # SYN rate limit: `return` lets in-budget SYNs continue in `input`; the rest are dropped.
        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        # LAN may reach WAN and other LAN hosts (the counters below show packets
        # are only ever matched on the accept_to_wan / accept_to_lan rules).
        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 252 bytes 19093 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 105 bytes 7472 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        # Services the router itself exposes on WAN; everything else is rejected.
        # `icmp type echo-request` is the IPv4 ICMP expression, so ping is allowed for
        # both families (IPv6 echo-request is in the Allow-ICMPv6-Input set below).
        # nd-router-advert is accepted here, which the accept_ra=2 fix depends on.
        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546-547 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 20 bytes 1440 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        # Unsolicited WAN -> LAN traffic. Only ICMPv6 error/echo types, ESP and UDP/500 pass.
        # NOTE(review): the ESP and ISAKMP rules carry no `meta nfproto` qualifier, so
        # they accept unsolicited IPsec traffic from WAN into LAN for both IPv4 and IPv6.
        # With masquerade on both families the LAN's private/ULA addresses are not
        # directly reachable from outside, so this is mostly moot today, but it becomes
        # live exposure if a routed (GUA) prefix is ever delegated to the LAN. Remove
        # them, or limit them, if IPsec passthrough to LAN hosts is not needed.
        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                oifname "wan" counter packets 2123 bytes 133725 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        # Empty: no port forwards / DNAT. This is the last chain the LAN IPv6 packets
        # were seen in during the trace; it cannot be what makes them disappear.
        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        # Source NAT runs in postrouting, i.e. after the routing decision and after the
        # forward hook, so no NAT mapping is ever created for a packet with no route.
        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        # Masquerade both families behind the WAN address. For IPv6 this hides every
        # LAN (ULA) host behind the single DHCPv6-assigned address the ISP binds to
        # the router's MAC, which is the whole point of NAT6 in this setup.
        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
                meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"
        }

        # Conntrack helper assignment; helper_lan is empty, so this is a no-op.
        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain helper_lan {
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        # TCP MSS clamping to the route MTU in both directions on the WAN zone.
        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}

sysctl.conf 是 OpenWrt 的預設設定(我需要設定 net.ipv6.conf.wan.accept_ra = 2 嗎?):

# OpenWrt default sysctl.conf exactly as posted (no lines changed).
#
# Relevant to the question: net.ipv6.conf.all.forwarding=1 below makes this host an
# IPv6 router, and with the kernel default accept_ra=1 an interface that forwards
# silently ignores Router Advertisements. The accepted answer adds
# net.ipv6.conf.wan.accept_ra=2 so the WAN interface keeps processing the upstream
# RA (default route, prefix) even though forwarding is enabled.
# NOTE(review): set accept_ra=2 on the wan interface only, never on all/default --
# accepting RAs on br-lan would let any LAN host push a default route onto the router.
net.core.bpf_jit_enable=1

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

# IPv6 forwarding on; this is what disables RA processing unless accept_ra=2 is set.
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

快速的 Google 搜尋沒有找到任何有關「IPv4 NAT 正常但 IPv6 NAT 不工作」的相關內容。OpenWrt 論壇上的對應貼文:https://forum.openwrt.org/t/ipv6-nat-in-v22-03-0-rc4-with-nftables-packets-not-flowing-into-forward-chain/130653

如果需要 nft monitor trace 的結果或 pcap,請告訴我。任何幫助都將不勝感激。

答案1

在 /etc/sysctl.conf 中加入 net.ipv6.conf.wan.accept_ra = 2 之後確實有效。感謝 @user1686!最可能的原因是:net.ipv6.conf.all.forwarding=1 讓這台主機成為 IPv6 路由器,而核心預設的 accept_ra=1 會讓已開啟轉送的介面忽略路由器通告(RA),於是 wan 拿不到上游透過 RA 提供的預設路由;LAN 的封包在 prerouting 之後的路由查詢就失敗了,核心直接回覆「沒有到主機的路由」,封包因此永遠不會進入 forward 鏈(這也是為什麼在 forward hook 上加任何鏈都看不到它們)。accept_ra=2 表示即使轉送已開啟也接受 RA。請只在 wan 介面上設定這個值,不要套用到 all/default:若 br-lan 也接受 RA,任何 LAN 主機都能對路由器注入預設路由。
