at title

Hi, I followed the updated guide but ran into some errors.
Router: Lenovo Y1
Firmware: Chaos Calmer 15.05.1

1. There isn't a configuration directory called /etc/firewall.d/with_reload/, I created it anyway but autostart does not work.
2. I run the script manually and the output is
   root@OpenWrt:/etc# /etc/firewall.d/with_reload/90-nat6.fw
nat6: Firewall config="cfg04dc81" zone="lan" zone_masq6="0".
nat6: Firewall config="cfg06dc81" zone="wan" zone_masq6="1".
nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
ip6tables: No chain/target/match by that name.

I've checked all the other settings in Troubleshooting. Thanks in advance.

When using miniupnpd with NAT6 enabled, the NAT6 firewall script will error out with the following error when one or more upnp lease is defined.

ip6tables-restore v1.8.3 (legacy): host/network `192.168.x.x' not found
Error occurred at line: 49
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

I'm assuming this is because of ip6tables-restore encountering a IPv4 rule from the iptables-save command in nat6_init(). Examining the IPv4 iptables rules, this is what miniupnpd inserts:

-A MINIUPNPD -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.x.xxx:9308
-A MINIUPNPD-POSTROUTING -s 192.168.x.xxxx/32 -p udp -m udp --sport 9308 -j MASQUERADE --to-ports 9308
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING 
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD

If you amend the nat6_init function to skip any line from iptables-save with MINIUPNPD, it will resolve the error, but I'm not sure that is the best way to handle this.

Hi,

I've tried to follow the guide here to enable ipv6 nat, so I've used your script. First of all the one on the wiki is a bit outdated and does not work (can't find the required postrouting chain). The new one however executes correctly
nat6: Could not find table="zone_wan_postrouting", but yolo so adding to POSTROUTING directly.
and
nat6: Done setting up nat6 for zone="wan" on devices: eth0

But, starts only when I run manually, not automatically when I reload the router. The script placed at /etc/firewall.d/with_reload/90-nat6.fw and of course changed to executable

Supposing I don't use prefix delegation and my clients get their IP address by manual configuration. Is it mandatory to configure IPv6 NAT with the -s parameter?

I just set the configuration and the scripts doesn't work, it report:
nat6: Firewall config="cfg04dc81" zone="lan" zone_masq6="0".
nat6: Firewall config="cfg06dc81" zone="wan" zone_masq6="1".
nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="0".
nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy=" 0"
nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
ip6tables: No chain/target/match by that name.
root@OpenWrt:#
besides,the resault of ip6tables -t -nat -vnL is:
root@OpenWrt:# ip6tables -t nat -vnL
Chain PREROUTING (policy ACCEPT 5853 packets, 490K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 4071 packets, 344K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 790 packets, 109K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 790 packets, 109K bytes)
pkts bytes target prot opt in out source destination
root@OpenWrt:~#
How can I solve the problem?

In the script I noticed this is included

local input_chain="zone_${zone_name}_input"
    log "Ensuring ip6tables chain=\"$input_chain\" contains our permissive DNAT rule."
    ip6t_add "$input_chain" -t filter -m conntrack --ctstate DNAT \
        -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
 
    local forward_chain="zone_${zone_name}_forward"
    log "Ensuring ip6tables chain=\"$forward_chain\" contains our permissive DNAT rule."
    ip6t_add "$forward_chain" -t filter -m conntrack --ctstate DNAT \
        -m comment --comment "!fw3: Accept port forwards" -j ACCEPT

which indicates to me that the NAT6 supports port forwarding, but I'm not sure how I would begin to do this. When I run tcpdump on my router I can see incoming requests on IPv6 making it to the router, but the router does not forward them from there. I'm trying to make the SSH client on the router (listening on local port 22) reachable from the public IPv6 internet at external port 54355. It's easy with IPv4 on the web interface or command line but I'm not sure how one would go about port forwarding NAT6?