FYI, it seems to be a bug in the kernel used by LEDE 17.01.4. I just tested with the current snapshot and it simply worked without any change.

Regards,

On Tue, 27 Mar 2018 at 17:45, Luiz Angelo Daros de Luca <[email protected]> wrote:
> Hello,
>
> I'm configuring IPv6 with multihoming connections on LEDE Reboot 17.01.4
> r3560-79f57e422d. For IPv4, NAT easily deals with it. However, for IPv6, I
> have two options: NPT or NETMAP.
>
> 1) NETMAP
>
> For each wan6 interface...
> ip6tables --table nat --append POSTROUTING --source $ula --out-interface $ifdev --jump NETMAP --to $ip6prefix
> ip6tables --table nat --append PREROUTING --destination $ip6prefix --in-interface $ifdev --jump NETMAP --to $ula
>
> 2) SNPT/DNPT (Network Prefix Translation)
>
> For each wan6 interface...
> ip6tables --table mangle --append POSTROUTING --source $ula --out-interface $ifdev --jump SNPT --src-pfx $ula --dst-pfx $ip6prefix
> ip6tables --table mangle --append PREROUTING --destination $ip6prefix --in-interface $ifdev --jump DNPT --src-pfx $ip6prefix --dst-pfx $ula
> ip6tables --table raw --append PREROUTING --destination $ip6prefix --jump CT --notrack
>
> NPT seems to be the "standard" way to do it. However, at least in Linux, I
> cannot use conntrack (a known limitation). Without connection state, I
> cannot have the same level of security that I have with NAT44. So, it is
> really not an option.
>
> NETMAP simply works as expected until I tested the connection to a lower
> MTU host:
>
> https://mtu1280.test-ipv6.arauc.br/ip/?callback=?&size=1600&fill=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&testdomain=test-ipv6.com&testname=test_v6mtu
>
> The router receives ICMPv6 type 2 informing its max MTU of 1280. It passes
> without being touched through all ip6tables chains but disappears without
> being forwarded to the internal machine. It looks like NETMAP consumes it. It
> did not hit the nat PREROUTING rule, so I guess the kernel assumed it was related
> to the existing connection.
> I also tested without firewall (only manually inserting NETMAP rules) and
> the result is the same.
>
> NPT does forward ICMPv6 type 2 but, as I said, I cannot use it because I
> need a stateful firewall.
>
> Has anyone used something like this? Do I need a special sysctl setting for
> making it work?
>
> Regards,
> --
>
> Luiz Angelo Daros de Luca
> [email protected]
--
Luiz Angelo Daros de Luca
[email protected]
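The two rule sets in the quoted message, as a small POSIX sh generator that is not part of the original post or of LEDE/OpenWrt: it emits either the stateful NETMAP rules (nat table) or the stateless NPT rules (mangle table plus the raw-table CT --notrack that removes the prefix from conntrack) for one wan6 uplink, and refuses prefixes of different lengths, since both targets rewrite only the network part. The interface names and prefixes in the demo function are assumptions for illustration; the rule bodies mirror the ones in the message.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Prints ip6tables commands
# for one IPv6 uplink; pipe the output to sh on the router to apply it.

# Prefix length of an addr/len string, e.g. "fd00:1::/64" -> "64".
# A bare address with no "/len" is treated as a /128 host route.
prefix_len() {
    case $1 in
        */*) printf '%s\n' "${1#*/}" ;;
        *)   printf '%s\n' "128" ;;
    esac
}

# NETMAP and NPT both map the internal ULA prefix onto the delegated global
# prefix bit for bit, so the two prefixes must have the same length.
check_prefixes() {
    [ "$(prefix_len "$1")" = "$(prefix_len "$2")" ]
}

# NETMAP variant: nat table, conntrack tracks the translated flows, so a
# stateful firewall works as with NAT44.
# $1 = internal ULA prefix, $2 = wan6 device, $3 = delegated global prefix.
netmap_rules() {
    check_prefixes "$1" "$3" || { echo "prefix length mismatch: $1 vs $3" >&2; return 1; }
    printf '%s\n' \
      "ip6tables -t nat -A POSTROUTING -s $1 -o $2 -j NETMAP --to $3" \
      "ip6tables -t nat -A PREROUTING -d $3 -i $2 -j NETMAP --to $1"
}

# NPT variant: mangle table. The raw-table CT --notrack rule is required, which
# means no connection state for this prefix and therefore no stateful filtering.
# Same arguments as netmap_rules.
npt_rules() {
    check_prefixes "$1" "$3" || { echo "prefix length mismatch: $1 vs $3" >&2; return 1; }
    printf '%s\n' \
      "ip6tables -t mangle -A POSTROUTING -s $1 -o $2 -j SNPT --src-pfx $1 --dst-pfx $3" \
      "ip6tables -t mangle -A PREROUTING -d $3 -i $2 -j DNPT --src-pfx $3 --dst-pfx $1" \
      "ip6tables -t raw -A PREROUTING -d $3 -j CT --notrack"
}

# Multihoming: one rule set per uplink, each mapping the same internal ULA
# onto that uplink's delegated prefix. Names and prefixes are assumed values.
demo_multihoming() {
    ula=fd00:1::/64
    netmap_rules "$ula" eth1 2001:db8:1::/64 &&
    netmap_rules "$ula" eth2 2001:db8:2::/64
}

demo_multihoming
```

Swap `netmap_rules` for `npt_rules` in `demo_multihoming` to get the stateless variant; the generator deliberately keeps the `--notrack` line with the NPT rules so that the loss of conntrack is visible next to the rules that cause it.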
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
