#!/bin/sh
# Nico Schottelius, 2024-07-22
# This script assumes a clean/newly setup openwrt device
#
# Assumption:
# WAN = IPv4, dhcp provided externally
# LAN = IPv6, "clients" that want to reach IPv4 Internet
# Consequences:
# - this device hands out neither IPv4/IPv6 DHCP leases nor router
#   advertisements itself (see the dhcp.lan settings below); addressing on
#   LAN comes from the peers
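# Argument handling.
#
# The first eight positional arguments are fixed; everything after them is
# the list of iBGP peers. The usage line documents iBGPpeer1 as mandatory,
# so require nine arguments (the old "-lt 8" check let a call with no peer
# through and silently produced a bird.conf without any bgp protocol).
if [ $# -lt 9 ]; then
  printf 'usage: %s address hostname nat64prefix ipv4address ipv4gw asn routerid babelpw iBGPpeer1 [iBGPpeer2...]\n' "$0" >&2
  exit 1
fi

# Every argument is interpolated verbatim into the shell script that is piped
# to the router (an unquoted heredoc below) and from there into bird.conf and
# the jool JSON. The values are operator supplied, but a stray quote, dollar,
# backtick or backslash would be executed or would corrupt those files, so
# refuse them up front instead of failing half way through the bootstrap.
for arg in "$@"; do
  case "$arg" in
    *\"*|*\$*|*\`*|*\\*)
      printf '%s: refusing argument containing a shell metacharacter (" $ ` \\): %s\n' "$0" "$arg" >&2
      exit 1
      ;;
  esac
done

address=$1; shift        # router's current address, used for the ssh connection
hostname=$1; shift       # hostname to configure on the router
nat64prefix=$1; shift    # NAT64 pool6 prefix, also announced via iBGP
ipv4address=$1; shift    # static IPv4 on WAN; also the jool pool4 address
ipv4gw=$1; shift         # IPv4 default gateway on WAN
asn=$1; shift            # local/iBGP AS number
routerid=$1; shift       # bird router id
babelpw=$1; shift        # babel HMAC key; NOTE: visible in `ps` while this runs
ibgp_peers="$*"          # remaining arguments: one or more iBGP peer addresses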
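# Everything between EOF markers runs on the router. The heredoc is unquoted
# on purpose: ${address}, ${hostname}, ... are expanded locally before being
# sent, while anything that must expand on the router is escaped
# (\${ibgp_peer}). `ssh -t` is not used: stdin is a pipe, so no pty can be
# allocated anyway and ssh would only print a warning about it.
# If the remote run fails, stop here instead of telling the operator to
# reboot a half-configured device.
cat <<EOF | ssh "root@${address}" || { printf '%s: remote bootstrap on %s failed\n' "$0" "${address}" >&2; exit 1; }
set -x
opkg update
# jool (NAT64), bird2 (routing) and some debugging tools. Everything after
# this point writes into /etc/jool and calls the jool/bird init scripts, so
# there is no point in continuing when the install fails.
opkg install jool-tools-netfilter bird2 bird2c tcpdump tmux atop || { echo "opkg install failed" >&2; exit 1; }
# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix
# Remove IPv6 assign, we are using static IPv6
uci delete network.lan.ip6assign
# Disable firewalling effectively to allow traffic any direction.
# SECURITY: only the global default policies are changed here; the zone
# policies (firewall.@zone[]) are left as shipped. Depending on those, this
# can expose the router's own services (ssh, LuCI, birdc) towards the WAN
# side as well - verify the effective ruleset after the reboot before
# attaching this box to an untrusted upstream.
uci set firewall.@defaults[0].input=ACCEPT
uci set firewall.@defaults[0].forward=ACCEPT
# Set hostname
uci set system.@system[0].hostname="${hostname}"
# Set IPv4 address on WAN for NAT64 upstream
uci set network.wan.ipaddr="${ipv4address}"
uci set network.wan.netmask="255.255.255.0" # hardcoded, usually correct, fix this script if needed
uci set network.wan.gateway="${ipv4gw}"
uci set network.wan.proto="static"
# Make LAN IPv6 dynamic
uci delete network.lan.ipaddr
uci delete network.lan.netmask
uci delete network.lan.gateway
uci set network.lan.proto="dhcpv6"
# Disable DHCP on LAN
uci delete dhcp.lan.dhcpv4
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.ra
uci set dhcp.lan.ignore=1
uci commit
# TODO: Do something wireless (?), maybe disable?
echo "Setting up bird ..."
# The babel password is an HMAC key shared with every babel neighbour on
# br-lan *and* wan, i.e. babel is also spoken on the upstream interface.
# "authentication mac" is the strict mode (unauthenticated packets are not
# accepted); check the babel section of the bird2 docs for your version.
cat > /etc/bird.conf <<BBB
log syslog all;
router id ${routerid};
protocol device { }
protocol bfd { }
# Just announce, no kernel interaction
protocol static static6 {
ipv6;
route ${nat64prefix} unreachable;
}
# for getting iBGP routes
protocol babel {
interface "br-lan", "wan" { type wired; authentication mac; password "${babelpw}"; };
ipv6 { export where (source = RTS_DEVICE) || (source = RTS_BABEL); };
}
protocol kernel kernel_v6 {
ipv6 { export where source ~ [ RTS_BABEL ]; };
}
BBB
# bird.conf now contains the babel key; cat created it with the default
# umask (world readable). NOTE(review): assumes bird reads its config as root
# (OpenWrt default init script) - relax the mode if you run it unprivileged.
chmod 600 /etc/bird.conf
# One iBGP session per peer; the NAT64 prefix (the static route above) is
# the only thing exported, nothing is imported.
for ibgp_peer in ${ibgp_peers}; do
cat >> /etc/bird.conf <<BBB
protocol bgp {
local as ${asn};
neighbor \${ibgp_peer} as ${asn};
ipv6 {
import none;
export where source ~ [ RTS_STATIC ];
};
}
BBB
done
# jool NAT64 instance: pool6 is the announced prefix, pool4 is the WAN
# address with the upper port range so the router's own sockets keep the
# low ports.
cat > /etc/jool/jool-nat64.conf.json <<BBB
{
"comment": "NAT64 by cdist",
"instance": "default",
"framework": "netfilter",
"global": {
"comment": "pool6 prefix",
"pool6": "${nat64prefix}"
},
"comment": "IPv4 pool4 table",
"pool4": [
{
"protocol": "TCP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}, {
"protocol": "UDP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}, {
"protocol": "ICMP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}
]
}
BBB
uci set jool.general.enabled=1
uci set jool.nat64.enabled=1
uci commit
# Start both now and make sure they come back after the reboot the operator
# is told to do below (this closes the two "ensure ... started at boot" TODOs).
/etc/init.d/jool enable
/etc/init.d/jool restart
/etc/init.d/bird enable
/etc/init.d/bird restart
EOF
echo "Restart router to restart firewall, network, dhcp"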