OpenWRT实现NAT64-DNS64

OpenWRT实现NAT64/DNS64连接核心路由器#连接核心路由器[C:\~]$sshroot@10.0.0.1Connectingto10.0.0.1:22...Connectionestablished.要转义到本地shell，请按“Ctrl+Alt+]”。警告！远程SSH服务器拒绝X11转发请求。BusyBoxv1.35.0(2022-10-2320:45:02UTC)内置shell(ash)________________||.-----.-----.-----.||||.-----.||_|-||_|-__|||||||_||_||_______||__|_____|__|__||________||__||____||__|WIRELESSFREDOM------------------------------------------------------OpenWrt22.03.0,r19685-512e76967f------------------------------------------------------root@OpenWrt:~#root@OpenWrt:~#测试访问IPv6是否正常#测试访问IPv6是否正常root@OpenWrt:~#pingwww.oiox.cn-6PINGwww.oiox.cn(2409:8c44:2:160:50::):56databytes64bytesfrom2409:8c44:2:160:50:::seq=0ttl=56时间=23.455ms64字节来自2409:8c44:2:160:50:::seq=1ttl=56时间=22.949ms64字节来自2409:8c44:2:160:50:::seq=2ttl=56time=23.338ms64字节来自2409:8c44:2:160:50:::seq=3ttl=56time=23.695ms^C---www.oiox.cnpingstatistics---4packetstransmitted,4packetsreceived,0%packetlossround-tripmin/avg/max=22.949/23.359/23.695msInstalltaygatoimplementNAT64#安装taygato实现NAT64root@OpenWrt:~#opkgupdateroot@OpenWrt:~#opkginstalltaygaconfiguration/etc/config/networkfile#configuration/etc/config/networkfile#重点配置全局变量和接口'nat64'configglobals'globals'选项ula_prefix'ddbe:48ec:56c6::/48'configinterface'nat64'optionproto'tayga'optionifname'tayga-nat64'optionipv4_addr'192.168.1.1'optionprefix'ddbe:48ec:56c6:1111::/96'optiondynamic_pool'192.168.1.0/24'optionaccept_ra'0'optionsend_rs'0'#完整配置如下root@OpenWrt:~#vim/etc/config/networkroot@OpenWrt:~#cat/etc/config/networkconfiginterface'loopback'optiondevice'lo'optionproto'static'选项ipaddr'127.0.0.1'选项netmask'255.0.0.0'配置全局变量'globals'选项ula_prefix'ddbe:48ec:56c6::/48'配置设备选项名称'br-lan'选项类型'bridge'列出端口'eth0'列出端口'eth1'列出端口'eth2'配置接口'lan'选项设备'br-lan'选项proto'static'选项ipaddr'10.0.0.1'选项网络掩码'255.0.0.0'选项ip6assign'64'配置接口'wan'选项原型'dhcp'选项设备'eth3'配置接口'wan6'选项原型'dhcpv6'选项设备'eth3'选项reqaddress'try'选项reqprefix'auto'配置接口'nat64'选项原型'tayga'选项ifname'tayga-nat64'选项ipv4_addr'192.168.1.1'选项前缀'ddbe:48ec:56c6:1111::/96'选项dynamic_pool'192.168.1.0/24'选项accept_ra'0'选项send_rs'0'root@OpenWrt:~#配置/etc/config/firewall#配置/etc/config/firewallconfigzoneoptionname'lan'listnetwork'lan'optioninput'ACCEPT'optionoutput'ACCEPT'optionforward'ACCEPT'#完整配置如下root@OpenWrt:~#vim/etc/config/firewallroot@OpenWrt:~#cat/etc/config/firewallconfigdefaultsoptioninput'ACCEPT'optionoutput'ACCEPT'optionsynflood_protect'1'optionforward'ACCEPT'configzoneoptionname'lan'listnetwork'lan'optioninput'ACCEPT'optionoutput'ACCEPT'optionforward'ACCEPT'configzoneoptionname'wan'listnetwork'wan'listnetwork'wan6'listnetwork'nat64'optioninput'ACCEPT'optionoutput'ACCEPT'optionforward'ACCEPT'optionmasq'1'optionmtu_fix'1'config转发选项src'lan'选项dest'wan'配置规则选项目标'ACCEPT'选项名称'IPv'选项src'*'选项dest'*'配置规则选项名称'Allow-DHCP-Renew'选项src'wan'选项proto'udp'选项dest_port'68'选项目标'ACCEPT'选项系列'ipv4'配置规则选项名称'Allow-Ping'选项src'wan'选项proto'icmp'选项icmp_type'echo-r??equest'选项系列'ipv4'选项目标'ACCEPT'配置规则选项名称'Allow-IGMP'optionsrc'wan'optionproto'igmp'optionfamily'ipv4'optiontarget'ACCEPT'configruleoptionname'Allow-DHCPv6'optionsrc'wan'optionproto'udp'optiondest_port'546'选项族'ipv6'optiontarget'ACCEPT'configruleoptionname'Allow-MLD'optionsrc'wan'optionproto'icmp'optionsrc_ip'fe80::/10'listicmp_type'130/0'listicmp_type'131/0'listicmp_type'132/0'listicmp_type'143/0'optionfamily'ipv6'optiontarget'ACCEPT'configruleoptionname'Allow-ICMPv6-Input'optionsrc'wan'optionproto'icmp'列表icmp_type'echo-request'listicmp_type'echo-r??eply'listicmp_type'destination-unreachable'listicmp_type'packet-to-big'listicmp_type'time-exceeded'listicmp_type'bad-header'listicmp_type'unknown-header-type'listicmp_type'router-solicitation'listicmp_type'neighbour-solicitation'listicmp_type'router-advertisement'listicmp_type'neighbour-advertisement'optionlimit'1000/sec'optionfamily'ipv6'optiontarget'ACCEPT'configruleoptionname'Allow-ICMPv6-Forward'optionsrc'wan'optiondest'*'选项原型'icmp'列表icmp_type'echo-r??equest'列表icmp_type'echo-r??eply'列表icmp_type'destination-unreachable'列表icmp_type'packet-too-big'列表icmp_type'time-exceeded'列表icmp_type'bad-header'列表icmp_type'unknown-header-type'optionlimit'1000/sec'optionfamily'ipv6'optiontarget'ACCEPT'configruleoptionname'Allow-IPSec-ESP'optionsrc'wan'optiondest'lan'optionproto'esp'选项目标“接受”配置规则选项名称'Allow-ISAKMP'选项src'wan'选项dest'lan'选项dest_port'500'选项proto'udp'选项目标'ACCEPT'root@OpenWrt:~#重启网络与防火墙#重启网络与firewallroot@OpenWrt:~#/etc/init.d/networkrestartroot@OpenWrt:~#/etc/init.d/firewallrestart测试tayga功能#测试tayga功能root@OpenWrt:~#ping-6ddbe:48ec:56c6:1111::8.8.8.8PINGddbe:48ec:56c6:1111::8.8.8.8(ddbe:48ec:56c6:1111::808:808):56个数据字节64个字节来自ddbe:48ec:56c6:1111::808:808:seq=0ttl=51time=57.846ms64字节来自ddbe:48ec:56c6:1111::808:808:seq=1ttl=51time=58.418ms64字节来自ddbe:48ec:56c6:1111::808:808:seq=2ttl=51time=57.077ms64来自ddbe:48ec:56c6:1111::808:808的字节：seq=3ttl=51time=57.571ms^C---ddbe:48ec:56c6:1111::8.8.8.8ping统计---4个数据包传输，4个数据包接收，0%数据包丢失往返min/avg/max=57.077/57.728/58.418msroot@OpenWrt:~#root@OpenWrt:~#root@OpenWrt:~#ping-6ddbe:48ec:56c6:1111::1.1.1.1PINGddbe:48ec:56c6:1111::1.1.1.1(ddbe:48ec:56c6:1111::101:101):56个数据字节64个字节来自ddbe:48ec:56c6:1111::101:101:seq=0ttl=50时间=212.821ms64字节来自ddbe:48ec:56c6:1111::101:101:seq=1ttl=50时间=212.753ms64字节来自ddbe:48ec:56c6:1111::101:101:seq=2ttl=50time=212.087ms64字节来自ddbe:48ec:56c6:1111::101:101:seq=3ttl=50time=212.161ms^C---ddbe:48ec:56c6:1111::1.1.1.1pingstatistics---4packetstransmitted,4packetsreceived,0%packetlossround-tripmin/avg/max=212.087/212.455/212.821msroot@OpenWrt:~#Configurebind-servertoimplementDNS64#Configurebind-server实现DNS64root@OpenWrt:~#opkginstallbind-serverroot@OpenWrt:~#root@OpenWrt:~#opkginstallbind-rndcroot@OpenWrt:~#Bind是Tayga官方推荐的DNS软件，所以使用Bind来配置那里DNS64功能Bind的配置项很多。还好官方给出了详细的https://downloads.isc.org/isc...bind配置需要修改/etc/bind/named.conf文件。对于DNS64，关注转发器、??dns64和dnssec-validation字段。forwarders用于表示Bind作为一个转发器，在forwarders中指定将接收到的DNS请求转发给那些外部的DNS服务器。dns64字段需要指定tayga中配置的NAT64前缀（这里可以有多个前缀），下面有很多配置项。clients用于指定客户端ACL来决定哪些客户端会受到DNS64的影响，默认是any；mapped用于指定需要将哪些IPv4地址转换为DNS64，默认为any；exclude用于指定哪些出现在AAAA记录中的IPv6地址被忽略，默认为::ffff:0.0.0.0/96。dnssec-validation用于指定是否启用DNSSEC验证。dnssec-enable已弃用，在此处无效。完整配置如下#完整配置如下root@OpenWrt:~#vim/etc/bind/named.confroot@OpenWrt:~#cat/etc/bind/named.conf//这是BINDDNS服务器的主要配置文件named.options{目录“/tmp”；//如果您的ISP为稳定的//名称服务器提供了一个或多个IP地址，您可能希望将它们用作转发器。//取消注释以下块，并插入地址替换//全0的占位符。侦听端口53{任何;};监听v6端口53{任何；};允许查询{任何;};允许查询缓存{任何;};递归是的；允许递归{任何;};转发器{//0.0.0.0;202.106.46.151；202.106.0.20；//114.114.114.114;//8.8.8.8;};dns64ddbe:48ec:56c6:1111::/96{客户{任何;};映射{任何;};排除{ddbe:48ec:56c6:1111::/96;::ffff:0000:0000/96；};后缀：：;};dnssec-验证号；auth-nxdomain号；#符合RFC1035};include"/etc/bind/named-rndc.conf";include"/tmp/bind/named.conf.local";//让服务器知道根服务器区域"."{类型提示；file"/etc/bind/db.root";};//根据RFC1912zone"localhost"{typemaster;//对本地主机正向和反向区域以及广播区域具有权威性。file"/etc/bind/db.local";};zone"127.in-addr.arpa"{typemaster;file"/etc/bind/db.127";};zone"0.in-addr.arpa"{typemaster;file"/etc/bind/db.0";};zone"255.in-addr.arpa"{typemaster;file"/etc/bind/db.255";};root@OpenWrt:~##Re-DNS服务#关闭默认dnsmasq#启用新安装namedroot@OpenWrt:~#servicednsmasqstoproot@OpenWrt:~#servicenamedstartroot@OpenWrt:~#测试NAT64使用测试DNS64使用关于https://www.oiox.cn/https://www.oiox.cn/index.php...CSDN、GitHub、51CTO、知乎、开源中国、师傅、掘金、简书、华为云、阿里云、腾讯云、哔哩哔哩、今日头条、新浪微博和个人博客可全网搜索《小陈运维》文章主要发表在微信上公众号