How to set up IPv6 policy routing with multiple WAN uplinks
This post was last edited by vancho on 2024-7-21 20:03. Answer: solved with NETMAP. Below uses a Mikrotik router as the example.
First a screenshot. This is connecting home over WireGuard via IPv4; the IPv6 address my router assigned to my PC's peer is fd00:172:31:1::101.
When I visit 6.ipw.cn it shows my source as a China Unicom prefix with the suffix 1:101.
When I visit the USTC (University of Science and Technology of China) speed test site it also shows my source as a China Unicom prefix with the suffix 1:101.
Detailed implementation:
1. Give the PPPoE interfaces a "static" IPv6 prefix. The prefix is not truly static, but as long as you don't reboot the ONT and the router and the ISP side does no maintenance, you basically keep using the same one.
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=pppoe-out1 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:72d0::/60 request=prefix use-peer-dns=no
add interface=pppoe-out2 pool-name=pppoe-out2 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:7f30::/60 request=prefix use-peer-dns=no
add interface=pppoe-out3 pool-name=pppoe-out3 pool-prefix-length=60 prefix-hint=2408:xxxx:xxx:8be0::/60 request=prefix use-peer-dns=no
add interface=pppoe-out4 pool-name=pppoe-out4 pool-prefix-length=60 prefix-hint=2409:xxxx:xxx:71a0::/60 request=prefix use-peer-dns=no
add interface=pppoe-out5 pool-name=pppoe-out5 pool-prefix-length=60 prefix-hint=2409:xxxx:xxx:9960::/60 request=prefix use-peer-dns=no
2. Give the LAN an IPv6 ULA address. I assigned my home fd00:172:31::/50, basically a direct transliteration of the IPv4 range so it is easy to recognize.
2.1 First give lo an address; since OSPFv3 is in use, this step cannot be skipped.
/ipv6 address
add address=fd00:172:31:3fff::ffff/50 advertise=no interface=lo
2.2 Then assign an address to each LAN interface
/ipv6 address
add address=fd00:172:31:2::ffff interface=sfp-sfpplus1
add address=fd00:172:31:3::ffff interface=vlan3103
add address=fd00:172:31:4::ffff interface=vlan3104
2.3 At the office or when I am out, I like to forward my traffic through the home router, so I also gave the home WireGuard interface (wireguard1) an address
/ipv6 address
add address=fd00:172:31:1::/119 advertise=no interface=wireguard1
As you can see above, everything is configured within the four /64s fd00:172:31:1 to fd00:172:31:4. This is critical.
2.4 Finally give the pppoe-out{1..5} interfaces IPv6 addresses, but without writing out the prefix; the addresses are configured on loopback1. This is also critical, otherwise the router itself cannot initiate IPv6 connections. My DDNS, for example, relies on the configuration below
/interface bridge
add name=loopback1 port-cost-mode=short
/ipv6 address
add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out1 interface=loopback1
add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out2 interface=loopback1
add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out3 interface=loopback1
add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out4 interface=loopback1
add address=::82b2:24ff:7e7b:31e3/60 advertise=no eui-64=yes from-pool=pppoe-out5 interface=loopback1
3. Create some policy routing tables
/routing table
add disabled=no fib name=wireguard1-routing
add disabled=no fib name=pppoe-out1-routing
add disabled=no fib name=pppoe-out2-routing
add disabled=no fib name=pppoe-out3-routing
add disabled=no fib name=pppoe-out4-routing
add disabled=no fib name=pppoe-out5-routing
4. Create the IPv6 default routes. I disabled the default routes for pppoe-out5 and pppoe-out6, which belong to China Mobile broadband, but I enabled all of the policy-routing ones. The fe80 link-local address in the gateway field must be taken from what your dhcp-client shows in order to match correctly.
/ipv6 route
add comment=pppoe-out1 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out2 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out3 disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:xxx:b3ad%pppoe-out3 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out4 disabled=yes distance=1 dst-address=::/0 gateway=fe80::62f1:xxxx:xxxx:106%pppoe-out4 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out5 disabled=yes distance=1 dst-address=::/0 gateway=fe80::96db:xxxx:xxxx:106%pppoe-out5 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out1-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out1 routing-table=pppoe-out1-routing scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out2-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out2 routing-table=pppoe-out2-routing scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out3-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::16eb:xxx:b3ad%pppoe-out3 routing-table=pppoe-out3-routing scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out4-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::62f1:xxxx:106%pppoe-out4 routing-table=pppoe-out4-routing scope=30 suppress-hw-offload=no target-scope=10
add comment=pppoe-out5-routing disabled=no distance=1 dst-address=::/0 gateway=fe80::96db:xxxx:106%pppoe-out5 routing-table=pppoe-out5-routing scope=30 suppress-hw-offload=no target-scope=10
add comment=wireguard1-routing disabled=no distance=1 dst-address=::/0 gateway=wireguard1 routing-table=wireguard1-routing scope=30 suppress-hw-offload=no target-scope=1
6. Some IPv6 firewall rules; mine can only serve as a reference. By default everything is denied and forwarding is whitelisted; for example I allow inbound 5201 and 3389, plus port 22653 for PT downloads.
6.1 First define the interface lists
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=pppoe-out3 list=WAN
add interface=pppoe-out4 list=WAN
add interface=pppoe-out5 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=vlan3103 list=LAN
add interface=vlan3104 list=LAN
6.2 Configure the input and forward policies
/ipv6 firewall filter
add action=passthrough chain=input
add action=passthrough chain=output
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=accept chain=forward comment=icmpv6 protocol=icmpv6
add action=accept chain=forward out-interface-list=WAN
add action=accept chain=forward out-interface=wireguard1
add action=accept chain=forward dst-address=fd00:172:31::/50 src-address=fd00:172:31::/50
add action=accept chain=forward comment=tcp dst-port=22653 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=udp dst-port=22653 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment=tcp disabled=yes dst-port=5201 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=udp disabled=yes dst-port=500,4500,5201 in-interface-list=WAN protocol=udp
add action=drop chain=input comment=udp disabled=yes dst-port=53,161 in-interface-list=WAN protocol=udp
add action=drop chain=forward
6.3 Routing marks: traffic leaves through the same interface it came in on
/ipv6 firewall mangle
add action=mark-connection chain=prerouting comment=pppoe-out1 connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=pppoe-out1-in passthrough=yes
add action=mark-connection chain=prerouting comment=pppoe-out2 connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=pppoe-out2-in passthrough=yes
add action=mark-connection chain=prerouting comment=pppoe-out3 connection-mark=no-mark in-interface=pppoe-out3 new-connection-mark=pppoe-out3-in passthrough=yes
add action=mark-connection chain=prerouting comment=pppoe-out4 connection-mark=no-mark in-interface=pppoe-out4 new-connection-mark=pppoe-out4-in passthrough=yes
add action=mark-connection chain=prerouting comment=pppoe-out5 connection-mark=no-mark in-interface=pppoe-out5 new-connection-mark=pppoe-out5-in passthrough=yes
add action=mark-routing chain=output comment=pppoe-out1 connection-mark=pppoe-out1-in new-routing-mark=pppoe-out1-routing passthrough=yes
add action=mark-routing chain=output comment=pppoe-out2 connection-mark=pppoe-out2-in new-routing-mark=pppoe-out2-routing passthrough=yes
add action=mark-routing chain=output comment=pppoe-out3 connection-mark=pppoe-out3-in new-routing-mark=pppoe-out3-routing passthrough=yes
add action=mark-routing chain=output comment=pppoe-out4 connection-mark=pppoe-out4-in new-routing-mark=pppoe-out4-routing passthrough=yes
add action=mark-routing chain=output comment=pppoe-out5 connection-mark=pppoe-out5-in new-routing-mark=pppoe-out5-routing passthrough=yes
add action=mark-routing chain=prerouting comment=pppoe-out1 dst-address-list=pppoe-out1 new-routing-mark=pppoe-out1-routing passthrough=yes
add action=mark-routing chain=prerouting comment=pppoe-out2 dst-address-list=pppoe-out2 new-routing-mark=pppoe-out2-routing passthrough=yes
add action=mark-routing chain=prerouting comment=pppoe-out3 dst-address-list=pppoe-out3 new-routing-mark=pppoe-out3-routing passthrough=yes
add action=mark-routing chain=prerouting comment=pppoe-out4 dst-address-list=pppoe-out4 new-routing-mark=pppoe-out4-routing passthrough=yes
add action=mark-routing chain=prerouting comment=pppoe-out5 dst-address-list=pppoe-out5 new-routing-mark=pppoe-out5-routing passthrough=yes
6.4 And the most important part below, the tcp-mss change. My Unicom and Mobile PPPoE interfaces both have an MTU of 1480, so I set tcp-mss to 1420; the WireGuard interface has an MTU of 1400, so I set tcp-mss to 1340. This is critical.
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1420 out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1420
add action=change-mss chain=forward new-mss=1340 out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1340
7. Here comes netmap
Addresses in fd00:xxx are translated once on egress and once on ingress. With the current configuration the LAN devices cannot obtain public IPv6 addresses, but I want the destination, when I access an IPv6 site, to see a source address that does not start with fd00 but is a proper public address starting with 2408 or 2409. Unicom and Mobile both give me a /60 IPv6 prefix, which can be split into 16 /64 subnets. That is why the strict address constraint earlier exists; otherwise addresses outside that range cannot be translated.
/ipv6 firewall nat
add action=netmap chain=srcnat out-interface=pppoe-out1 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:72d0::/60
add action=netmap chain=srcnat out-interface=pppoe-out2 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:7f30::/60
add action=netmap chain=srcnat out-interface=pppoe-out3 src-address=fd00:172:31::/60 to-address=2408:xxxx:xxx:8be0::/60
add action=netmap chain=srcnat out-interface=pppoe-out4 src-address=fd00:172:31::/60 to-address=2409:xxxx:xxx:71a0::/60
add action=netmap chain=srcnat out-interface=pppoe-out5 src-address=fd00:172:31::/60 to-address=2409:xxxx:xxx:9960::/60
add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:72d0::/60 in-interface=pppoe-out1 to-address=fd00:172:31::/60
add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:7f30::/60 in-interface=pppoe-out2 to-address=fd00:172:31::/60
add action=netmap chain=dstnat dst-address=2408:xxxx:xxx:8be0::/60 in-interface=pppoe-out3 to-address=fd00:172:31::/60
add action=netmap chain=dstnat dst-address=2409:xxxx:xxx:71a0::/60 in-interface=pppoe-out4 to-address=fd00:172:31::/60
add action=netmap chain=dstnat dst-address=2409:xxxx:xxx:9960::/60 in-interface=pppoe-out5 to-address=fd00:172:31::/60
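An added example, not part of the original post: a Python model of the srcnat/dstnat netmap rules above, checking that fd00:172:31:1::101 leaves pppoe-out1 with the suffix 1:101 seen in the screenshots, and that an address outside the first 16 /64s (the lo address from step 2.1) is not translated at all. The public prefix 2408:db8:0:72d0::/60 is a constructed stand-in for the redacted 2408:xxxx:xxx:72d0::/60.

```python
import ipaddress
from typing import List, Optional, Tuple

# The ULA range matched by src-address=fd00:172:31::/60 in the srcnat rule.
ULA_PREFIX = ipaddress.IPv6Network("fd00:172:31::/60")
# Constructed stand-in for the ISP-delegated /60 on pppoe-out1.
WAN_PREFIX = ipaddress.IPv6Network("2408:db8:0:72d0::/60")


def netmap(addr: str, src_net: ipaddress.IPv6Network,
           dst_net: ipaddress.IPv6Network) -> Optional[str]:
    """Stateless 1:1 prefix rewrite, as action=netmap does.

    Only the first prefixlen bits are replaced; the remaining bits (the
    subnet nibble plus the interface identifier) are carried over unchanged.
    Returns None when addr is outside src_net, i.e. the rule does not match
    and the packet goes out untranslated (with its ULA source).
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs equal prefix lengths on both sides")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src_net:
        return None
    host_mask = (1 << (128 - src_net.prefixlen)) - 1
    suffix = int(ip) & host_mask
    return str(ipaddress.IPv6Address(int(dst_net.network_address) | suffix))


def srcnat(addr: str) -> Optional[str]:
    """Outbound direction (chain=srcnat): ULA -> public."""
    return netmap(addr, ULA_PREFIX, WAN_PREFIX)


def dstnat(addr: str) -> Optional[str]:
    """Inbound direction (chain=dstnat): public -> ULA."""
    return netmap(addr, WAN_PREFIX, ULA_PREFIX)


def round_trip_ok(addr: str) -> bool:
    """A reply to the translated address must map back to the original host."""
    out = srcnat(addr)
    return out is not None and dstnat(out) == str(ipaddress.IPv6Address(addr))


def mapped_subnets() -> List[Tuple[str, str]]:
    """The 16 (ULA /64, public /64) pairs a /60-to-/60 netmap covers."""
    return [(str(u), str(w)) for u, w in zip(ULA_PREFIX.subnets(new_prefix=64),
                                             WAN_PREFIX.subnets(new_prefix=64))]
```

Only subnets :0 through :f of the ULA are mapped, which is exactly why the post keeps the LAN within fd00:172:31:1 to fd00:172:31:4 even though the ULA block is a /50.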
8. Finally the policy routing: China Mobile IPv6 addresses go out via China Mobile, and Unicom handles everything else
/routing rule
add action=lookup disabled=no dst-address=2409:8000::/20 table=pppoe-out4-routing
add action=lookup disabled=no dst-address=2409:8000::/20 table=pppoe-out5-routing
8.1 I added a range of CERNET (education network) addresses to go out via the Mobile interface
/routing rule
add action=lookup disabled=no dst-address=2001:da8::/32 table=pppoe-out4-routing
8.2 Remember that every wireguard1 peer must be assigned a client address within fd00:172:31:1::/119, otherwise the translation cannot be completed
/routing rule
add action=lookup-only-in-table comment=wireguard-roadwarrior disabled=no dst-address=fd00:172:31:1::/119 table=wireguard1-routing
8.3 If PT needs to be bound to one particular interface and also needs IPv6, that is simple too
First manually configure a static IPv6 address on the PT machine and set its default route, then add an interface-binding policy on ROS. For example, if I want the download box with the IPv6 address fd00:172:31:2::140/128 to connect to the other IPv6 PT peers via pppoe-out1, configure it as below
add action=lookup comment=bypass disabled=yes src-address=172.31.2.140/32 table=pppoe-out1-routing
add action=lookup comment=bypass disabled=yes src-address=fd00:172:31:2::140/128 table=pppoe-out1-routing
If you can receive the full IPv6 table over BGP, after policy routing it can even look like the picture below:
Reference: 使用 NETMAP 获得稳定的 IPv6 地址并进行源地址控制 (Using NETMAP to get a stable IPv6 address and control the source address). That one cracked me up. It really works well, though this forum rejects NAT66 in every way, as if IPv6 lost all meaning once NAT66 is used.