#!/bin/sh
# Nico Schottelius, 2024-07-22
# This script assumes a clean/newly set up OpenWrt device and root ssh access
# to it: all configuration below is pushed over a single ssh session.
#
# Assumption:
# WAN = IPv4, dhcp provided externally
# LAN = IPv6, "clients" that want to reach IPv4 Internet
# Consequences
# - do not provide IPv4 or IPv6 dhcp/ra on any interface
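# Positional arguments. The first eight are mandatory (matches the $# check);
# anything after babelpw is treated as an iBGP neighbour address.
# NOTE(security): babelpw is taken from argv, so it is visible to every local
# user via `ps` and lands in shell history; use a dedicated key for this
# router or invoke the script from a wrapper that does not expose it.
if [ $# -lt 8 ]; then
  printf 'Usage: %s address hostname nat64prefix ipv4address ipv4gw asn routerid babelpw [iBGPpeer1 iBGPpeer2 ...]\n' "$0" >&2
  exit 1
fi
address=$1; shift       # current (management) address of the router, used for ssh
hostname=$1; shift      # hostname to set on the router
nat64prefix=$1; shift   # NAT64 prefix: jool pool6 and the static route announced via iBGP
ipv4address=$1; shift   # static WAN IPv4; also the jool pool4 source address
ipv4gw=$1; shift        # WAN IPv4 default gateway
asn=$1; shift           # local AS number for the iBGP sessions
routerid=$1; shift      # bird router id
babelpw=$1; shift       # Babel MAC authentication key (written to /etc/bird.conf)
ibgp_peers="$*"         # remaining args joined with spaces; "$*" is the explicit form of the join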
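# Push the whole configuration to the router in one ssh session. The outer
# heredoc is deliberately unquoted: ${...} is expanded locally before it is
# sent, and only values that must be evaluated on the router are escaped
# (\${...}). No -t: stdin is the heredoc, not a terminal, so ssh could not
# allocate a pty anyway and only printed a warning about it.
ssh "root@${address}" <<EOF
set -x
# Packages: jool (NAT64), bird2 + birdc, plus a few diagnostic tools.
# Nothing below makes sense without them, so abort the session on failure.
opkg update
opkg install jool-tools-netfilter bird2 bird2c tcpdump tmux atop nload || { echo "opkg install failed, aborting" >&2; exit 1; }
# Do not announce ULA - we have GUA
# (-q: the option may already be gone on a re-run; that is not an error)
uci -q delete network.globals.ula_prefix
# Remove IPv6 assign, we are using static IPv6
uci -q delete network.lan.ip6assign
# Disable firewalling effectively to allow traffic any direction.
# NOTE(security): wan carries a public IPv4 address, so INPUT=ACCEPT exposes
# every listening service on the router (ssh, uhttpd/LuCI, ...) to the
# Internet; make sure ssh is key-only and unneeded services are stopped.
# This only changes the *defaults* section - zones can carry their own
# input/forward policy which takes precedence, so verify the effective
# policy on the device with 'uci show firewall' after the reboot.
uci set firewall.@defaults[0].input=ACCEPT
uci set firewall.@defaults[0].forward=ACCEPT
# Set hostname
uci set system.@system[0].hostname="${hostname}"
# Static IPv4 on WAN; this address is also the NAT64 (pool4) source address
uci set network.wan.ipaddr="${ipv4address}"
uci set network.wan.netmask="255.255.255.0" # hardcoded, usually correct, fix this script if needed
uci set network.wan.gateway="${ipv4gw}"
uci set network.wan.proto="static"
# LAN gets its IPv6 dynamically; drop any static v4 config left from the defaults
uci -q delete network.lan.ipaddr
uci -q delete network.lan.netmask
uci -q delete network.lan.gateway
uci set network.lan.proto="dhcpv6"
# Need to remove ipv6 source based routing - leads to route not working
# Symptom:
# root@vigir28:~# ip route get 2a0a:e5c1:700::7
# ip: RTNETLINK answers: Network unreachable
# root@vigir28:~# ping -c2 2a0a:e5c1:700::7
# PING 2a0a:e5c1:700::7 (2a0a:e5c1:700::7): 56 data bytes
# 64 bytes from 2a0a:e5c1:700::7: seq=0 ttl=62 time=10.774 ms
# 64 bytes from 2a0a:e5c1:700::7: seq=1 ttl=62 time=8.597 ms
#
# --- 2a0a:e5c1:700::7 ping statistics ---
# 2 packets transmitted, 2 packets received, 0% packet loss
# round-trip min/avg/max = 8.597/9.685/10.774 ms
# root@vigir28:~#
uci set network.lan.sourcefilter=0
# Disable DHCP and RA on LAN - see the assumptions in the file header
uci -q delete dhcp.lan.dhcpv4
uci -q delete dhcp.lan.dhcpv6
uci -q delete dhcp.lan.ra
uci set dhcp.lan.ignore=1
uci commit
# TODO: Do something wireless (?), maybe disable?
echo "Setting up bird ..."
# Base bird config: device + bfd, the NAT64 prefix as an unreachable static
# route (only announced, never installed), Babel on lan/wan for reaching the
# iBGP peers, and a kernel protocol that installs Babel routes only.
# NOTE: babelpw is interpolated into a double-quoted bird string, so the key
# must not contain '"' or '\'.
cat > /etc/bird.conf <<BBB
log syslog all;
router id ${routerid};
protocol device { }
protocol bfd { }
# Just announce, no kernel interaction
protocol static static6 {
ipv6;
route ${nat64prefix} unreachable;
}
# for getting iBGP routes
protocol babel {
interface "br-lan", "wan" { type wired; authentication mac; password "${babelpw}"; };
ipv6 { export where (source = RTS_DEVICE) || (source = RTS_BABEL); };
}
protocol kernel kernel_v6 {
ipv6 { export where source ~ [ RTS_BABEL ]; };
}
BBB
# One iBGP session per peer given on the command line; each exports only the
# static NAT64 route and imports nothing. \${ibgp_peer} is expanded on the
# router, inside this loop.
for ibgp_peer in ${ibgp_peers}; do
cat >> /etc/bird.conf <<BBB
protocol bgp {
local as ${asn};
neighbor \${ibgp_peer} as ${asn};
direct;
# bfd on;
ipv6 {
import none;
export where source ~ [ RTS_STATIC ];
gateway recursive;
};
}
BBB
done
# The config holds the Babel key: keep it readable by root only.
# (bird is started from its init script as root here; adjust if you run it
# under a dedicated user.)
chmod 600 /etc/bird.conf
# Jool NAT64 instance: pool6 = the NAT64 prefix, pool4 = the WAN IPv4 address.
# NOTE(review): pool4 uses the same address the router itself uses for
# outgoing IPv4 and the port range overlaps the kernel's usual ephemeral
# range; Jool's documentation advises keeping the two disjoint (e.g. via
# net.ipv4.ip_local_port_range) - confirm on the device if translations
# behave oddly under load.
cat > /etc/jool/jool-nat64.conf.json <<BBB
{
"comment": "NAT64 by cdist",
"instance": "default",
"framework": "netfilter",
"global": {
"comment": "pool6 prefix",
"pool6": "${nat64prefix}"
},
"comment": "IPv4 pool4 table",
"pool4": [
{
"protocol": "TCP",
"prefix": "${ipv4address}",
"port range": "10001-65535"
}, {
"protocol": "UDP",
"prefix": "${ipv4address}",
"port range": "10001-65535"
}, {
"protocol": "ICMP",
"prefix": "${ipv4address}",
"port range": "10001-65535"
}
]
}
BBB
uci set jool.general.enabled=1
# if nat64 is on, disable siit and vice versa
uci set jool.nat64.enabled=1
uci set jool.siit.enabled=0
uci commit
# Start both services now and make sure they come back after the reboot
/etc/init.d/jool enable
/etc/init.d/jool restart
/etc/init.d/bird enable
/etc/init.d/bird restart
EOF
echo "Restart router to restart firewall, network, dhcp"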