
NAT66 Prefix Translation not working anymore
Status: Closed, Invalid | Visibility: Public | Tag: BUG

Description

At some point NAT66 prefix translation has stopped working on the 1.5 nightly.

Here's a sample config and ip6tables output showing nothing configured based on the config.

fahad@vyos-vps:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                                 MAC                VRF        MTU  S/L    Description
-----------  -----------------------------------------  -----------------  -------  -----  -----  ----------------------------------------------------------------------------------
dum0         100.1.2.3/32                               da:f4:74:8c:09:7c  default   1500  u/u    Dummy interface for DNS
eth0         94.250.203.65/23                           00:50:56:44:bf:17  default   1500  u/u
             2a02:c206:2076:2040:250:56ff:fe44:bf17/64
             2a02:c206:2076:2040::1/64
lo           127.0.0.1/8                                00:00:00:00:00:00  default  65536  u/u
             ::1/128
tun100       2001:470:1f12:452::2/64                    n/a                default   1476  u/u    HE.NET IPv6 Tunnel. Routed Prefixes: 2001:470:1f13:452::/64 and 2001:470:ca0e::/48
vti10        10.0.0.2/30                                n/a                default   1420  u/u
vtun20       100.100.0.1/32                             n/a                default   1500  u/u
wg01         172.31.10.1/24                             n/a                default   1420  u/u    Roadwarrior Client WG VPN
             fd99:d781:643e:8308::1/64
wg10         172.31.250.1/24                            n/a                default   1420  u/u    WG Tunnel to OpenWRT wrt1900acs for ipv6 gateway
             2001:470:1f13:452::f:1/64
wg20         192.168.34.1/24                            n/a                default   1420  u/u    WG Tunnel to VyOS-RTR-N1
wg21         192.168.35.1/24                            n/a                default   1420  u/u    WG Tunnel to VyOS-RTR-N2
wg30         2a11:6c7:f01:3fa::2/64                     n/a                default   1420  u/u

fahad@vyos-vps:~$ show config commands | grep nat66
set nat66 destination rule 9001 description 'Wireguard Incoming NAT66 prefix translation'
set nat66 destination rule 9001 destination address '2a02:c206:2076:2040::a:0/112'
set nat66 destination rule 9001 inbound-interface name 'eth0'
set nat66 destination rule 9001 translation address 'fd99:d781:643e:8308::a:0/112'
set nat66 source rule 9000 description 'Wireguard Outgoing NAT66 prefix translation'
set nat66 source rule 9000 outbound-interface name 'eth0'
set nat66 source rule 9000 source prefix 'fd99:d781:643e:8308::/64'
set nat66 source rule 9000 translation address '2a02:c206:2076:2040::/64'

fahad@vyos-vps:~$ ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
fahad@vyos-vps:~$ ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Details

Difficulty level
Normal (likely a few hours)
Version
1.5-rolling-202406130020
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

fahadysf changed Version from 1.5.x to 1.5-rolling-202406130020. Jul 1 2024, 9:15 AM
fahadysf updated the task description.

We do not use iptables; we use nftables.
Check the rules with sudo nft list ruleset
What exactly does not work?

Viacheslav changed the task status from Open to Needs reporter action. Jul 1 2024, 2:37 PM
Viacheslav triaged this task as Normal priority.

So with nftables output apparently the rule is correctly in place.

table ip6 vyos_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 1320 bytes 246910 jump VYOS_DNPT_HOOK
		iifname "eth0" ip6 daddr 2a02:c206:2076:2040::a:0/112 counter packets 0 bytes 0 dnat prefix to fd99:d781:643e:8308::a:0/112 comment "DST-NAT66-9001"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 1396 bytes 257881 jump VYOS_SNPT_HOOK
		oifname "eth0" ip6 saddr fd99:d781:643e:8308::/64 counter packets 0 bytes 0 snat prefix to 2a02:c206:2076:2040::/64 comment "SRC-NAT66-9000"
	}

	chain VYOS_DNPT_HOOK {
		return
	}

	chain VYOS_SNPT_HOOK {
		return
	}
}

This prompted me to look at the routing table, and there was the problem. The default route for IPv6 is not on eth0, so the rule doesn't hit. Fixing the default route solves this. Thanks for the pointer.
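The diagnosis above (an snat prefix rule keyed on oifname "eth0" that never matches because the IPv6 default route leaves through another interface) can be checked mechanically before touching the router. The script below is an added example, not code from this ticket or from VyOS: it parses snat prefix rules out of `nft list ruleset` text and an `ip -6 route` table, both constructed samples here, and reports any rule whose oifname disagrees with the longest-prefix-match egress interface for a probe destination. The probe address 2001:db8::1, the route table contents and the fe80::1 gateway in the fixed table are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples, not captured from the ticket's router: the two NAT66 rules
# quoted in the ticket, plus an `ip -6 route` table whose default route leaves via
# tun100 instead of eth0 (the misconfiguration the reporter found), and a fixed copy.
NFT_RULES = '''
iifname "eth0" ip6 daddr 2a02:c206:2076:2040::a:0/112 counter packets 0 bytes 0 dnat prefix to fd99:d781:643e:8308::a:0/112 comment "DST-NAT66-9001"
oifname "eth0" ip6 saddr fd99:d781:643e:8308::/64 counter packets 0 bytes 0 snat prefix to 2a02:c206:2076:2040::/64 comment "SRC-NAT66-9000"
'''
ROUTES_BROKEN = '''
default via 2001:470:1f12:452::1 dev tun100 proto static metric 20
2a02:c206:2076:2040::/64 dev eth0 proto kernel metric 256
fd99:d781:643e:8308::/64 dev wg01 proto kernel metric 256
'''
# Same table after the fix: default route via eth0 (assumed link-local gateway fe80::1).
ROUTES_FIXED = ROUTES_BROKEN.replace("2001:470:1f12:452::1 dev tun100", "fe80::1 dev eth0")

SNAT_RE = re.compile(r'oifname "(\S+)" ip6 saddr (\S+) .*snat prefix to (\S+) comment "([^"]+)"')

def parse_snat_rules(ruleset):
    """Return (oifname, source prefix, translation prefix, comment) per snat prefix rule."""
    return [(m[1], ip_network(m[2]), ip_network(m[3]), m[4]) for m in SNAT_RE.finditer(ruleset)]

def parse_routes(text):
    """Return [(prefix, dev)] from `ip -6 route` lines; 'default' becomes ::/0."""
    routes = []
    for line in text.strip().splitlines():
        m = re.match(r'(\S+) .*?dev (\S+)', line)
        routes.append((ip_network("::/0" if m[1] == "default" else m[1]), m[2]))
    return routes

def egress_dev(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves through (ValueError if none)."""
    hits = [r for r in routes if ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def check_snat(ruleset, routes_text, probe_dst="2001:db8::1"):
    """One finding per snat prefix rule that can never match traffic towards probe_dst."""
    # probe_dst is an assumed Internet destination (documentation prefix), so it follows
    # the default route, which is exactly what the reporter's oifname "eth0" rule relied on.
    routes = parse_routes(routes_text)
    findings = []
    for oif, src, to, comment in parse_snat_rules(ruleset):
        if src.prefixlen != to.prefixlen:  # prefix translation maps equal-length prefixes
            findings.append(f"{comment}: prefix lengths differ ({src} -> {to})")
        dev = egress_dev(routes, probe_dst)
        if dev != oif:
            findings.append(f"{comment}: oifname {oif} never matches, traffic to "
                            f"{probe_dst} egresses via {dev}")
    return findings
```

Run it against the real outputs of `sudo nft list ruleset` and `ip -6 route` to get the same zero-counter explanation the reporter reached by hand.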

fahadysf claimed this task.
Viacheslav changed the task status from Resolved to Invalid. Jul 2 2024, 4:03 AM