My blog: 菱歌's Blog | 聽見美好
Original note: Enabling NAT6 on OpenWrt to provide IPv6 support for the internal network
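On the campus network, IPv6 traffic is not metered and its bandwidth is not limited, and there are also some v6-only PT resources, so it is very useful. In most cases, however, once a router is in use, the devices on the internal network can no longer use IPv6. NAT6 can provide IPv6 support for the devices behind the router.
I am at THU and use the education network's IPv6; I have not tested ISP-provided v6.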
The problem
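Until now I had been using relay mode to provide IPv6 to the devices behind the router; the method is described in this blog post. The advantage of this mode is that internal devices are assigned real public IPv6 addresses, but because odhcpd misbehaves intermittently, the service has to be restarted frequently to keep working.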
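Recently I suddenly found that the relay configuration in the lab had stopped working: devices were assigned an IPv6 address but could not reach the v6 network. On inspection, the assigned IPv6 address had the form 2402:f000:xxxxx/128. The /128 indicates that the address has already gone through DHCPv6 assignment, and relay mode also relies on DHCPv6 for assignment. So the only option in this situation is IPv6 NAT, even though it has some efficiency problems.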
NAT6 configuration
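- Install the required packages. Many OpenWrt systems in fact do not have odhcpd and odhcp6c installed. Here the former assigns v6 addresses on the internal network, and the latter is the client the router uses to obtain its external v6 address.
    opkg update && opkg install kmod-ipt-nat6 odhcpd odhcp6c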
- Change the internal IPv6 ULA prefix (this can also be done in the LuCI interface): change the leading f to d, which causes fewer problems.
    uci set network.globals.ula_prefix="$(uci get network.globals.ula_prefix | sed 's/^./d/')"
    uci commit network
- Configure DHCP on the LAN interface.
    uci set dhcp.lan.ra_default='1'
    uci commit dhcp
- Create the NAT6 service; its contents are given in the NAT6 service script section.
    touch /etc/init.d/nat6
    vi /etc/init.d/nat6
- Make the NAT6 service executable and enable it.
    chmod +x /etc/init.d/nat6
    /etc/init.d/nat6 enable
- Add a forwarding rule to /etc/firewall.user; otherwise v6 traffic from the internal network cannot be forwarded.
    ip6tables -t nat -A POSTROUTING -o eth0.2 -j MASQUERADE
- Reboot the router.
- (Optional) Provide UPnP high-port mapping for the PT service to improve efficiency.
[Screenshot: uTorrent download results]
NAT6 service script
#!/bin/sh /etc/rc.common
# NAT6 init script for OpenWrt // Depends on package: kmod-ipt-nat6
START=55
# Options
# -------
# Use temporary addresses (IPv6 privacy extensions) for outgoing connections? Yes: 1 / No: 0
PRIVACY=1
# Maximum number of attempts before this script will stop in case no IPv6 route is available
# This limits the execution time of the IPv6 route lookup to (MAX_TRIES+1)*(MAX_TRIES/2) seconds. The default (15) equals 120 seconds.
MAX_TRIES=15
# An initial delay (in seconds) helps to avoid looking for the IPv6 network too early. Ideally, the first probe is successful.
# This would be the case if the time passed between the system log messages "Probing IPv6 route" and "Setting up NAT6" is 1 second.
DELAY=10
# Logical interface name of outbound IPv6 connection
# There should be no need to modify this, unless you changed the default network interface names
# Edit by Vincent: I never changed my default network interface names, but still I have to change the WAN6_NAME to "wan" instead of "wan6"
WAN6_NAME="wan6"
# ---------------------------------------------------
# Options end here - no need to change anything below
boot() {
    [ $DELAY -gt 0 ] && sleep $DELAY
    logger -t NAT6 "Probing IPv6 route"
    PROBE=0
    COUNT=1
    while [ $PROBE -eq 0 ]
    do
        if [ $COUNT -gt $MAX_TRIES ]
        then
            logger -t NAT6 "Fatal error: No IPv6 route found (reached retry limit)" && exit 1
        fi
        sleep $COUNT
        COUNT=$((COUNT+1))
        PROBE=$(route -A inet6 | grep -c '::/0')
    done
    logger -t NAT6 "Setting up NAT6"
    WAN6_INTERFACE=$(uci get "network.$WAN6_NAME.ifname")
    if [ -z "$WAN6_INTERFACE" ] || [ ! -e "/sys/class/net/$WAN6_INTERFACE/" ] ; then
        logger -t NAT6 "Fatal error: Lookup of $WAN6_NAME interface failed. Were the default interface names changed?" && exit 1
    fi
    WAN6_GATEWAY=$(route -A inet6 -e | grep "$WAN6_INTERFACE" | awk '/::\/0/{print $2; exit}')
    if [ -z "$WAN6_GATEWAY" ] ; then
        logger -t NAT6 "Fatal error: No IPv6 gateway for $WAN6_INTERFACE found" && exit 1
    fi
    LAN_ULA_PREFIX=$(uci get network.globals.ula_prefix)
    if [ $(echo "$LAN_ULA_PREFIX" | grep -c -E "^([0-9a-fA-F]{4}):([0-9a-fA-F]{0,4}):") -ne 1 ] ; then
        logger -t NAT6 "Fatal error: IPv6 ULA prefix $LAN_ULA_PREFIX seems invalid. Please verify that a prefix is set and valid." && exit 1
    fi
    ip6tables -t nat -I POSTROUTING -s "$LAN_ULA_PREFIX" -o "$WAN6_INTERFACE" -j MASQUERADE
    if [ $? -eq 0 ] ; then
        logger -t NAT6 "Added IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)"
    else
        logger -t NAT6 "Fatal error: Failed to add IPv6 masquerading rule to the firewall (Src: $LAN_ULA_PREFIX - Dst: $WAN6_INTERFACE)" && exit 1
    fi
    route -A inet6 add 2000::/3 gw "$WAN6_GATEWAY" dev "$WAN6_INTERFACE"
    if [ $? -eq 0 ] ; then
        logger -t NAT6 "Added $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
    else
        logger -t NAT6 "Error: Failed to add $WAN6_GATEWAY to routing table as gateway on $WAN6_INTERFACE for outgoing connections"
    fi
    if [ $PRIVACY -eq 1 ] ; then
        echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/accept_ra"
        if [ $? -eq 0 ] ; then
            logger -t NAT6 "Accepting router advertisements on $WAN6_INTERFACE even if forwarding is enabled (required for temporary addresses)"
        else
            logger -t NAT6 "Error: Failed to change router advertisements accept policy on $WAN6_INTERFACE (required for temporary addresses)"
        fi
        echo 2 > "/proc/sys/net/ipv6/conf/$WAN6_INTERFACE/use_tempaddr"
        if [ $? -eq 0 ] ; then
            logger -t NAT6 "Using temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
        else
            logger -t NAT6 "Error: Failed to enable temporary addresses for outgoing connections on interface $WAN6_INTERFACE"
        fi
    fi
    exit 0
}
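
A post-reboot check for the configuration above, as an added example that is not part of the original post: it reads `ip6tables -t nat -S POSTROUTING` output and reports which MASQUERADE rules are loaded on the WAN interface, the one the init script scopes to the rewritten ULA prefix and the unscoped one from /etc/firewall.user. The function names, the sample prefix and the sample rules are constructed for illustration; eth0.2 is the interface named in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the source match ("any" if none) of each MASQUERADE rule in the nat
# POSTROUTING chain that leaves via interface $1.
# stdin: output of `ip6tables -t nat -S POSTROUTING`.
masq_sources() {
    awk -v ifc="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = "any"; out = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (out == ifc && tgt == "MASQUERADE") print src
        }'
}

# Succeed if prefix $1 has the shape the init script tests for and starts
# with "d", i.e. the f -> d rewrite from the configuration steps was applied.
prefix_rewritten() {
    echo "$1" | grep -q -E '^d[0-9a-fA-F]{3}:[0-9a-fA-F]{0,4}:'
}

# Summarise the NAT6 state for prefix $1 on interface $2 (rules on stdin).
nat6_status() {
    prefix_rewritten "$1" || { echo "bad-prefix"; return 1; }
    srcs=$(masq_sources "$2")
    [ -n "$srcs" ] || { echo "no-masquerade"; return 1; }
    scoped=$(echo "$srcs" | awk -v p="$1" '$0 == p { n++ } END { print n + 0 }')
    unscoped=$(echo "$srcs" | awk '$0 == "any" { n++ } END { print n + 0 }')
    echo "scoped=$scoped unscoped=$unscoped"
}

# Constructed sample: rules loaded after following every step, WAN on eth0.2.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s dd12:3456:789a::/48 -o eth0.2 -j MASQUERADE
-A POSTROUTING -o eth0.2 -j MASQUERADE'

printf '%s\n' "$SAMPLE_RULES" | nat6_status dd12:3456:789a::/48 eth0.2

# On the router (assumes the same interface name as the post):
#   ip6tables -t nat -S POSTROUTING | \
#       nat6_status "$(uci get network.globals.ula_prefix)" eth0.2
```

For the constructed sample this prints `scoped=1 unscoped=1`: the init script's rule limited to the ULA prefix and the /etc/firewall.user rule, which matches any source leaving eth0.2.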