OpenWRT IPv6 & NAT6
2022-9-24
| 2024-11-27
字数 893阅读时长 3 分钟
type
Post
status
Published
date
Sep 24, 2022
slug
openwrt_ipv6
summary
OpenWRT NAT6相关操作
tags
工具
category
技术分享
icon
password
Property
Nov 27, 2024 05:43 PM

Concepts

IPv6

由128bits构成

link-local unicast addressing

fe80::/10 局域网
专门用于内部网络的地址,如果数据包的源IP或者目的IP地址是这个地址段之内的地址,是不可以在公网上转发的,BGP router是不转发该数据报文。

unique local address (ULA)

地址前缀是fc00::/7, L位为1
| 7 bits | 1 | 40 bits | 16 bits | 64 bits |
| Prefix | L | Global ID | Subnet ID | Interface ID |
 
ULA addresses can be routed (except on the public Internet).
Addresses in the Unique Local Address range must be manually assigned, while link-local addresses are generated automatically.
IPv6 ULA vs Link-Local
IPv6 link-local addresses are required addresses, and they cannot be routed. They are confined to a single link, and every link has the same link-local network. The link-local address range is fe80::/10. From RFC 4291, IP Version 6 Addressing Architecture: 2.5.6. Link-Local IPv6 Unicast Addresses Link-Local addresses are for use on a single link.
IPv6 ULA vs Link-Local
https://networkengineering.stackexchange.com/questions/30128/ipv6-ula-vs-link-local
IPv6 ULA vs Link-Local

Stateless address auto configuration (SLAAC)

ipv6术语,相对于DHCP,是无状态的配置: 发送的RA message不会告诉设备网关,dns等信息
SLAAC is the simplest way to give an IPv6 address to a client because it exclusively relies on the Neighbor Discovery Protocol. This protocol, which we simply call NDP, allows devices on a network to discover their Layer 3 neighbors. We use it to retrieve the layer 2 reachability information, like ARP, and to find out routers on the network.
 
Note: 不同于Stateless DHCPv6

router advertisement (RA)

Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.
路由器在广播域喊话

Neighbor Discovery Protocol (NDP)

NDP:
TCP/IP协议栈的一部分,主要与IPv6共同使用。它工作在网络层,负责在链路上发现其他节点和相应的地址,并确定可用路由和维护关于可用路径和其他活动节点的信息可达性。
 

Router Discovery (RD)

Router Discovery (RD) support (solicitations and advertisements) with 2 modes of operation:
  1. RD Server mode: Router Discovery (RD) server for slave interfaces:
    1. Automatic detection of prefixes, delegated prefix, default routes and MTU.
    2. Automatic re-announcement of any changes in either prefixes or routes.
  1. RD Relay mode: Router Discovery (RD) relay between master and slave interfaces.
    1. Supports rewriting of the announced DNS server addresses.
 
IPv6
The default firmware provides full IPv6 support with a DHCPv6 client ( odhcp6c), an RA & DHCPv6 Server () and a IPv6 firewall ( ip6tables). Also, the default installation of the web interface includes the package luci-proto-ipv6, required to configure IPv6 from the luci web interface.
IPv6
https://openwrt.org/docs/guide-user/network/ipv6/start
 

Methods

路由器通告等信息的分配流程是:从外到内
外部路由器→WAN6→LAN→devices

中继DHCPv6

odhcpd
odhcpd Embedded DHCP/DHCPv6/RA Server & Relay. Abstract odhcpd is a daemon for serving and relaying IP management protocols to configure clients and downstream routers. It tries to follow the RFC 6204 requirements for IPv6 home routers. odhcpd provides server services for
odhcpd
https://openwrt.org/docs/techref/odhcpd
中继:relay
 

使用NAT6

LAN设置: 使用服务器模式即开NAT6
记住还需要勾选“总是通告默认路由” (ra_default: 1)
notion image
补充: 目前新版本LEDE会在DHCP/DNS-高级设置 中自动开启“禁止解析 IPv6 DNS 记录”, 需要我们手动关闭
notion image
 
 
此外还需要配置防火墙和路由:

防火墙NAT6转发

在Luci界面:网络-防火墙-自定义规则添加. 对应/etc/firewall.user 文件
这里eth1为wan对应的网口
 
Tips: 最好再添加一个空行,不然下次刷机会和其他命令连成一行
 

路由设置ipv6网关:

创建/etc/hotplug.d/iface/90-ipv6文件, 并修改文件权限为755 (给执行权限)
重启服务
 
补充: 因为每次升级系统会丢失该文件, 提供两种方案:
  1. /etc/uci-defualts创建一个脚本, eg: 99-ipv6, 里面填写上述内容
      2. UCI defaults
      UCI defaults See also: The UCI system OpenWrt relies on UCI, the Unified Configuration Interface, to configure its core services. UCI defaults provides a way to preconfigure your images, using UCI. To set some system defaults the first time the device boots, create a script in the directory
      UCI defaults
      https://openwrt.org/docs/guide-developer/uci-defaults
      UCI defaults
      缺点: 如果exit code 0就会删除该脚本里, 下一次升级就无效了. 除非在编译时期进行配置
  1. (推荐) 将/etc/hotplug.d/iface/90-ipv6添加到/etc/sysupgrade.conf白名单, 使其在升级过程中保留
      2. Sysupgrade - Technical Reference
      This information is based upon v21.02, last updated for commit 6d266ef158 on 2022-02-10. Sysupgrade - Technical Reference In contrast to opkg, mtd and others, sysupgrade is merely a shell script: /sbin/sysupgrade intended to facilitate easy updates. Usage This page lists all sysupgrade command-line options.
      Sysupgrade - Technical Reference
      https://openwrt.org/docs/techref/sysupgrade
      Sysupgrade - Technical Reference

校园网信息

不支持dhcpv6 prefix delegation,给设备分配的都是/128的
相关文章 :
技术分享
  • 工具
    • 基于Hyper-V GPU-PV的半虚拟化GPU虚拟机方案n5105软路由笔记
    Loading...
    目录
    0%