原创文章,转载请注明出处
https://qiedd.com/

0.前言

爱快其实已经支持IPV6了,在Lan口处的设备也能获取到IPv6了。

但是当Openwrt作为二级路由时,我无论怎么设置,都无法让Openwrt Lan口下的设备获取到IPv6。未果,便想到了使用NAT6转发,然后成功了,便在此做个笔记。

2021.12.7 UPDATE

如果你获取 IPv6 前缀为 /60
那么旧方法可以全部抛弃了

我们只需要给 LAN 口分配 /61 到 /63 的前缀就行
因为爱快默认向LAN分发地址的前缀为 /64 ,因为安全原因导致Openwrt 无法继续下发前缀
建议用 /62

这样 Openwrt 的 WAN 就能获取到前缀为 /62 或者 /63 的地址了

然后我们简单设置 下 Openwrt 的 LAN 口

再设置下 WAN6 口

如果没有就创建一个,协议为 “DHCPv6 客户端”,然后防火墙划分至 WAN

搞定,如果获取不到,请确认你的固件是否支持 IPv6,然后重启试试

2021.4.12 UPDATE

请参考openwrt wiki
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6
执行完后全部设备重启+重新连接无线即可

测试

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
ping 240C::6666 -t
ping 240C::6666 -t
ping 240C::6666 -t

1.准备工作

首先在编译固件时需要勾选 kmod-ipt-nat6 这个包,没有的可以尝试安装(一般来说应该是有的)

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
#更新源
opkg update
#安装kmod-ipt-nat6
opkg install kmod-ipt-nat6
#更新源 opkg update #安装kmod-ipt-nat6 opkg install kmod-ipt-nat6
#更新源
opkg update

#安装kmod-ipt-nat6
opkg install kmod-ipt-nat6 

在 “网络-接口” 处,将 “IPv6 ULA 前缀” 的第一个字母改为d

将这个脚本放到 /etc/init.d/nat6,保存好

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
vim /etc/init.d/nat6
vim /etc/init.d/nat6
vim /etc/init.d/nat6
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
#!/bin/sh /etc/rc.common
# NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6
START=55
# Options
# -------
# Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0
PRIVACY=1
# Maximum number of attempts before this script will stop in case no IPv6 route is available
# This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds.
MAX_TRIES=15
# An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful.
# This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second.
DELAY=5
# Logical interface name of outbound IPv6 connection
# There should be no need to modify this, unless you changed the default network interface names
# Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6"
WAN6_NAME="wan6"
# ---------------------------------------------------
# Options end here - no need to change anything below
boot() {
[ $DELAY -gt 0 ] && sleep $DELAY
logger -t NAT6 "Probing IPv6 route"
PROBE=0
COUNT=1
while [ $PROBE -eq 0 ]
do
if [ $COUNT -gt $MAX_TRIES ]
then
logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1
fi
sleep $COUNT
COUNT=$((COUNT+1))
PROBE=$(route -A inet6 | grep -c '::/0')
done
logger -t NAT6 "Setting up NAT6"
WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname")
if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then
logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1
fi
WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}')
if [ -z "$WAN6_GATEWAY" ] ; then
logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1
fi
LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix)
if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1
fi
ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE
if [ $? -eq 0 ] ; then
logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" else
logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1
fi
route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE"
if [ $? -eq 0 ] ; then
logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
else
logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
fi
if [ $PRIVACY -eq 1 ] ; then
echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra"
if [ $? -eq 0 ] ; then
logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)"
else
logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)"
fi
echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr"
if [ $? -eq 0 ] ; then
logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
else
logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
fi
fi
exit 0
}
#!/bin/sh /etc/rc.common # NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6 START=55 # Options # ------- # Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0 PRIVACY=1 # Maximum number of attempts before this script will stop in case no IPv6 route is available # This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds. MAX_TRIES=15 # An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful. # This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second. DELAY=5 # Logical interface name of outbound IPv6 connection # There should be no need to modify this, unless you changed the default network interface names # Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6" WAN6_NAME="wan6" # --------------------------------------------------- # Options end here - no need to change anything below boot() { [ $DELAY -gt 0 ] && sleep $DELAY logger -t NAT6 "Probing IPv6 route" PROBE=0 COUNT=1 while [ $PROBE -eq 0 ] do if [ $COUNT -gt $MAX_TRIES ] then logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1 fi sleep $COUNT COUNT=$((COUNT+1)) PROBE=$(route -A inet6 | grep -c '::/0') done logger -t NAT6 "Setting up NAT6" WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname") if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1 fi WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}') if [ -z "$WAN6_GATEWAY" ] ; then logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1 fi LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix) if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1 fi ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE if [ $? -eq 0 ] ; then logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" else logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1 fi route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE" if [ $? -eq 0 ] ; then logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections" else logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections" fi if [ $PRIVACY -eq 1 ] ; then echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra" if [ $? -eq 0 ] ; then logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)" else logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)" fi echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr" if [ $? -eq 0 ] ; then logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE" else logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE" fi fi exit 0 }
#!/bin/sh /etc/rc.common
# NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6

START=55

# Options
# -------

# Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0
PRIVACY=1

# Maximum number of attempts before this script will stop in case no IPv6 route is available
# This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds.
MAX_TRIES=15

# An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful.
# This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second.
DELAY=5

# Logical interface name of outbound IPv6 connection
# There should be no need to modify this, unless you changed the default network interface names
# Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6"
WAN6_NAME="wan6"

# ---------------------------------------------------
# Options end here - no need to change anything below

boot() {
        [ $DELAY -gt 0 ] && sleep $DELAY
        logger -t NAT6 "Probing IPv6 route"
        PROBE=0
        COUNT=1
        while [ $PROBE -eq 0 ]
        do
                if [ $COUNT -gt $MAX_TRIES ]
                then
                        logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1
                fi
                sleep $COUNT
                COUNT=$((COUNT+1))
                PROBE=$(route -A inet6 | grep -c '::/0')
        done
 
        logger -t NAT6 "Setting up NAT6"
 
        WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname")
        if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then
                logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1
        fi
        WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}')
        if [ -z "$WAN6_GATEWAY" ] ; then
                logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1
        fi
        LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix)
        if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
                logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1
        fi
 
        ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE
        if [ $? -eq 0 ] ; then
                logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)"        else
                logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1
        fi
 
        route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE"
        if [ $? -eq 0 ] ; then
                logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
        else
                logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
        fi
 
        if [ $PRIVACY -eq 1 ] ; then
                echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra"
                if [ $? -eq 0 ] ; then
                        logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)"
                else
                        logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)"
                fi
                echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr"
                if [ $? -eq 0 ] ; then
                        logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
                else
                        logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
                fi
        fi
 
        exit 0
}

然后启用nat6服务

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
#添加执行权限
chmod +x /etc/init.d/nat6
#开机启动
/etc/init.d/nat6 enable
#添加执行权限 chmod +x /etc/init.d/nat6 #开机启动 /etc/init.d/nat6 enable
#添加执行权限
chmod +x /etc/init.d/nat6

#开机启动
/etc/init.d/nat6 enable

在/etc/sysctl.conf中添加这几行

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
vim /etc/sysctl.conf
vim /etc/sysctl.conf
vim /etc/sysctl.conf
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
net.ipv6.conf.default.forwarding=2
net.ipv6.conf.all.forwarding=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.forwarding=2 net.ipv6.conf.all.forwarding=2 net.ipv6.conf.default.accept_ra=2 net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.forwarding=2
net.ipv6.conf.all.forwarding=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.all.accept_ra=2

然后在网络-接口-LAN-IPV6设置勾选通告默认路由

最后在 “网络-防火墙-自定义规则” 中添加以下内容

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
ip6tables -t nat -I POSTROUTING -s $(uci get network.globals.ula_prefix) -j MASQUERADE
ip6tables -t nat -I POSTROUTING -s $(uci get network.globals.ula_prefix) -j MASQUERADE
ip6tables -t nat -I POSTROUTING -s $(uci get network.globals.ula_prefix) -j MASQUERADE

重启

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
reboot
reboot
reboot

2.善后工作

由于宽带重拨时,有时候可能会掉v6,可以在Openwrt中设置自动重启

最后去测试一下吧

http://www.test-ipv6.com/

3.参考资料

https://blog.csdn.net/guituo9698/article/details/70285755


0 条评论

发表回复

Avatar placeholder

您的邮箱地址不会被公开。 必填项已用 * 标注

这个站点使用 Akismet 来减少垃圾评论。了解你的评论数据如何被处理