Nat-64 on Asuswrt?

[torchddv]

I've been playing with my new RT-N66U and Merlin's now 3.0.0.4.372.31 for about 2 weeks now. There was a bit of a learning curve and what seemed to me to be some odd quirks, but it's all sorted and (despite the recent thread) I've found it to be extremely stable despite my challenging wireless broadband connection and it's inherent instabilities.

One thing I would like to get running is NAT-64. (I have some legacy IPv4-only devices but would like to make them accessible from without via IPv6). There is a package that will apparently run on Tomato called Tayga (discussion here: http://www.litech.org/tayga/tomato.html).

Linux is not my strong suit. (to put it mildly). I've been trying to search this forum for relevant information with limited success. If someone has the time to offer a bit of guidance here, I would be grateful. I did find Merlin's instructions to install optware on a USB drive (install/uninstall the Asus download manager) and have activated JFFS. Now I think I need tun.o and/or GCC?

 

[RMerlin]

The tun.o module is already in the firmware as it's used for OpenVPN. The only thing left is compiling Tayga itself.

Cross-compiling isn't something easy to do if you aren't familiar with Linux development, but someone else might perhaps compile it for you.

 

[torchddv]

Thanks. When I get home I'll have a hunt through the directories for tun.o.

"Cross compiling" means compiling code on one machine that is intended to run on another, right? I have run Linux through Oracle's Virtual Box before, but I thought I might be able to compile Tayga on the router itself, similar to these instructions I found for compiling on a router running DD-WRT:

Basically I installed OptWare, then installed buildroot and optware-devel via ipkg.

Downloaded the source of tayga's website, I had to comment out lines #121 -> #126 of tayga.c because of a syntax error (not sure if this is DD-wrt's gcc or something).

Then I ran:

Code:
#unset LD_PRELOAD
#unset LD_LIBRARY_PATH

(won't compiled or run in a session without this done first on my router)

Then:

Code:
#./configure
#make

And it compiled cleanly on the device.


Setup my config that looks a bit like this:

Code:
# cat /opt/etc/tayga.conf
tun-device nat64
ipv4-addr 172.16.0.1
prefix xxxx:xxxx:xxx:64:64::/96
dynamic-pool 172.16.0.0/16


Started it up like this:

Code:
#unset LD_PRELOAD
#unset LD_LIBRARY_PATH

#tayga --mktun --config /opt/etc/tayga.conf
#ip link set nat64 up
#ip addr add 172.16.0.1 dev nat64
#Routers IPv6 address below
#ip addr add xxxx:xxxx:xxx:xx::2 dev nat64
#ip route add 172.16.0.0/16 dev nat64
#NAT64 range below
#ip route add xxxx:xxxx:xxx:64:64::/96 dev nat64

#tayga --config /opt/etc/tayga.conf

 

[RMerlin]

Thanks. When I get home I'll have a hunt through the directories for tun.o.

It's a kernel module part of the firmware. No need to find its location, just modprobe it if it's not already loaded.

"Cross compiling" means compiling code on one machine that is intended to run on another, right? I have run Linux through Oracle's Virtual Box before, but I thought I might be able to compile Tayga on the router itself, similar to these instructions I found for compiling on a router running DD-WRT:

Might be possible to do it directly on the router, if you are very patient. Otherwise, you have to install the toolchain from the firmware source code, and use that to compile it.

 

[torchddv]

Might be possible to do it directly on the router, if you are very patient. Otherwise, you have to install the toolchain from the firmware source code, and use that to compile it.

Well, so much for that idea:

admin@RT-N66U:/jffs# CC=mipsel-linux-uclibc-gcc ./configure --host=mipsel-linux-
uclibc \
> --build=i686-linux-gnu-pc
checking for a BSD-compatible install... ./install-sh -c
checking whether build environment is sane... yes
checking for mipsel-linux-uclibc-strip... no
checking for strip... no
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... no
checking for mipsel-linux-uclibc-gcc... mipsel-linux-uclibc-gcc
checking whether the C compiler works... no
configure: error: in `/jffs':
configure: error: C compiler cannot create executables
See `config.log' for more details.

I guess I'll try to figure out Plan B then...

 

[Kobold]

Since Tomato uses the same toolchain as AsusWRT you can pick out tayga executable from there. However, I need to mention that I couldn't build tayga for kernel 2.6.22.19 as it is, without modification. So, I don't know if it will work correctly.

 

[torchddv]

There's actually a build of Tomato that includes Tayga. Whether or not that build will run properly on this router remains to be seen, where Asuswrt-Merlin is a known, stable and supported* firmware.

I found this on the openwrt wiki: http://wiki.openwrt.org/doc/howto/ipv6#nat64

Imagine my glee when I read

First, install tayga:

opkg update && opkg install tayga

Oh goody, it's available as an optware module! Ok, according to the Asuswrt-Merlin documentation opkg = entware. So, delete all the optware and install entware. No problem.

Unfortunately, when I then tried the above, it failed to find tayga:

Downloading http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages.gz.
Inflating http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages.gz.
Updated list of available packages in /opt/var/opkg-lists/openwrt.
Unknown package 'tayga'.
Collected errors:
* opkg_install_cmd: Cannot install package tayga.

I did find an .ipk of tayga in this openwrt repository: http://www.ipkg.be/package/15661993

However, I don't know how to tell if it's for entware or optware and this " trunk-ar71xx" seems to be aimed at homemade robots, although why they would need nat64 is a bit beyond my ken. Plus I have no idea how to manually install an entware package. Can it be done like installing an optware package manually?








*Supported -- heck, the developer himself jumped right in with suggestions in response to my stupid questions. Just try getting more than a tongue lashing out of certain other WRT forums...)

 

[RMerlin]

Try sending a PM to ryzhov_al here on this forum. If OpenWRT already has a package for it, it might be doable for him to also add it to Entware.

 

[ryzhov_al]

Tayga package has been added.
Please, provide a feedback.

 

[torchddv]

Thanks!

I logged into the router, entered the magic words and voila! Tayga was installed:

admin@RT-N66U:/tmp/home/root# opkg update && opkg install tayga
Downloading http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages.gz.
Inflating http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages.gz.
Updated list of available packages in /opt/var/opkg-lists/openwrt.
Installing tayga (0.9.2-1) to root...
Downloading http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/tayga_0.9.2-1_entware.ipk.
Configuring tayga.

Unfortunately, the next command didn't go quite as expected, so I may be back with more questions if I can't figure this out on my own, but I'm one step closer!:

admin@RT-N66U:/tmp/home/root# config interface nat64
-sh: config: not found

EDIT: Tayga is indeed installed in tmp/opt/sbin

 

[ryzhov_al]

EDIT: Tayga is indeed installed in tmp/opt/sbin

Installed. But not configured and not started. Please, refer tayga documentation for further assistance.

 

[torchddv]

Yes, thanks, I will. I had to attend a funeral today and just got back in from the 600km round trip but I'll take a stab at it tomorrow.

 

[torchddv]

Ok, I think I'm making progress here. So, to summarize the steps thus far:

1. Log into router using putty. Instally tayga with the command:

opkg update && opkg install tayga

2. Modify the sample configuration file tayga.conf.example as required. In this case, were I need tayga to provide an ipv6-reachable address for legacy ipv4-only webcams, I did not configure a dynamic pool but I did create a static mapping for each device. EG:

map 192.168.0.15 2001:xxxx:xxxx:xxxx:192:168:0:15.

I set tayga's ipv4 address as 192.168.0.201 and set the maximum DHCP address in the router to 192.168.0.200 to avoid any possible conflicts. tun-device name was left at the recommended "nat64". Tayga's IPv6 address was left unspecified as per the comments, it will be generated by tayga based on the NAT64 prefix. The NAT 64 prefix was set to 2001:xxxx:xxxx:xxxx::/96 as per the example. Saved the file as tayga.conf and copied to tmp/opt/etc on the router using WinSCP.

3. I do not have a vlan setup, so start the tunnel driver (again, using putty) with the command:

modprobe tun.o

4. start tayga with the command:

tayga --mktun

returns: "Created persistent tun device nat64". That doesn't look like an error message, therefore "So far, so good"...

The next step in the readme is to configure the new nat64 interface and add the proper routes with the following commands:

# ip link set nat64 up
# ip addr add 2001:db8:1::1 dev nat64 # replace with your router's address
# ip addr add 192.168.0.1 dev nat64 # replace with your router's address
# ip route add 2001:db8:1:ffff::/96 dev nat64 # from tayga.conf
# ip route add 192.168.255.0/24 dev nat64 # from tayga.conf

ip link set nat 64 up -- no error message.

From the IPv6 tab, the "LAN IPv6 Address" is 2001:xxxx:xxxx:xxxx::1. I think that must be the router's address, so:

ip addr add 2001:xxxx:xxxx:xxxx::1 dev nat64 -- no error message.

ip addr add 192.168.0.1 dev nat64 -- no error message

The next line indicates it comes "from tayga.conf" and 2001:db8:1:ffff::/96 matches the prefix shown in the tayga.conf.example, so:

ip route add 2001:xxxx:xxxx:xxxx::/96 dev nat64 -- no error messages

192.168.255.0/24 matches the sample dynamic pool in tayga.conf.example. As I don't need a dynamic pool in my application and as I didn't set one up, I'll skip "ip route add 192.168.255.0/24 dev nat64"

Firewalling your NAT64 prefix from outside access is highly recommended:

# ip6tables -A FORWARD -s 2001:db8:1::/48 -d 2001:db8:1:ffff::/96 -j ACCEPT
# ip6tables -A FORWARD -d 2001:db8:1:ffff::/96 -j DROP

so:

# ip6tables -A FORWARD -s 2001:xxxx:xxxx::/48 -d 2001:xxxx:xxxx:xxxx::/96 -j ACCEPT -- no error messages

# ip6tables -A FORWARD -d 2001:xxxx:xxxx:xxxx::/96 -j DROP -- no error messages

and finally:

At this point, you may start the tayga process:

# tayga

So: tayga -- no error messages.

The proof of the pudding is in the eating:

ping6 2001:xxxx:xxxx:xxxx:192:168:0:15

just hangs. Control-C exits with the error:

PING 2001:xxxx:xxxx:xxxx:192:168:0:15 (2001:xxxx:xxxx:xxxx:192:168:0:15): 56 data bytes
ping6 2001:xxxx:xxxx:xxxx:192:168:0:15
--- 2001:xxxx:xxxx:xxxx:168:0:15 ping statistics ---
28 packets transmitted, 0 packets received, 100% packet loss

I tried again from a Windows command prompt: Destination host unreachable

I tried

iptables -A FORWARD -i nat64 -j ACCEPT
iptables -A FORWARD -o nat64 -j ACCEPT
ip6tables -A FORWARD -i nat64 -j ACCEPT
ip6tables -A FORWARD -o nat64 -j ACCEPT

with the same results.

I verified that I can ping the IPv4 address (192.168.0.15) so the camera does respond to pings.

Any ideas?

 

[marchelo]

3 years past. Ipv6 became more common.

Did anybody managed to setup that?
Do you plan to implement it in asuswrt by default?

 

[meliodas]

I thought I'd follow up on this thread since I use it as reference. I'm currently on 388.1 and I get the same issue as the OP above.

I've tried to setup using GUA addresses for the /96 prefix as well as the well-known 64:ff9b::/96 prefix and they both exhibit the same issue OP has. ping/ping6 just hangs. iptables/ip6tables rules are in place to allow packets in/out the nat64 interface. Forwarding v4/v6 is enabled since my LAN v4/v6 addresses work prior to setting up Tayga.

There is another package called Jool which seem to be the successor to Tayga but it isn't supported by Asuswrt-Merlin. Hence for now I've scrap the setup.

If anyone has experience getting Tayga to work on Asuswrt-Merlin do post here. Thanks.

 

[torchddv]

I was never able to get it to work. I cobbled together a munge using an IPv6 accessible machine running a python script as an interface between the IPv4 camera and IPv6. Crude, but it kind of works.

It would be nice if someone who knows what they are doing could make Tayga work.

 

[meliodas]

I gave it another try and it seems Tayga just won't work on Asuswrt-Merlin. I've followed guides specific to Linux and WRT router's alike yet it works on other systems but not on Asuswrt-Merlin with the same configurations. Dead end.

 

[meliodas]

@ryzhov_al any chance to add Jool package in AsusWRT-Merlin ? Jool is used as a Stateful NAT64 and is currently an active project.

Jool - https://nicmx.github.io/Jool/en/index.html

 

[meliodas]

Ok, I think I'm making progress here. So, to summarize the steps thus far:

1. Log into router using putty. Instally tayga with the command:

opkg update && opkg install tayga

2. Modify the sample configuration file tayga.conf.example as required. In this case, were I need tayga to provide an ipv6-reachable address for legacy ipv4-only webcams, I did not configure a dynamic pool but I did create a static mapping for each device. EG:

map 192.168.0.15 2001:xxxx:xxxx:xxxx:192:168:0:15.

I set tayga's ipv4 address as 192.168.0.201 and set the maximum DHCP address in the router to 192.168.0.200 to avoid any possible conflicts. tun-device name was left at the recommended "nat64". Tayga's IPv6 address was left unspecified as per the comments, it will be generated by tayga based on the NAT64 prefix. The NAT 64 prefix was set to 2001:xxxx:xxxx:xxxx::/96 as per the example. Saved the file as tayga.conf and copied to tmp/opt/etc on the router using WinSCP.

3. I do not have a vlan setup, so start the tunnel driver (again, using putty) with the command:

modprobe tun.o

4. start tayga with the command:

tayga --mktun

returns: "Created persistent tun device nat64". That doesn't look like an error message, therefore "So far, so good"...

The next step in the readme is to configure the new nat64 interface and add the proper routes with the following commands:



ip link set nat 64 up -- no error message.

From the IPv6 tab, the "LAN IPv6 Address" is 2001:xxxx:xxxx:xxxx::1. I think that must be the router's address, so:

ip addr add 2001:xxxx:xxxx:xxxx::1 dev nat64 -- no error message.

ip addr add 192.168.0.1 dev nat64 -- no error message

The next line indicates it comes "from tayga.conf" and 2001:db8:1:ffff::/96 matches the prefix shown in the tayga.conf.example, so:

ip route add 2001:xxxx:xxxx:xxxx::/96 dev nat64 -- no error messages

192.168.255.0/24 matches the sample dynamic pool in tayga.conf.example. As I don't need a dynamic pool in my application and as I didn't set one up, I'll skip "ip route add 192.168.255.0/24 dev nat64"



so:

# ip6tables -A FORWARD -s 2001:xxxx:xxxx::/48 -d 2001:xxxx:xxxx:xxxx::/96 -j ACCEPT -- no error messages

# ip6tables -A FORWARD -d 2001:xxxx:xxxx:xxxx::/96 -j DROP -- no error messages

and finally:


So: tayga -- no error messages.

The proof of the pudding is in the eating:

ping6 2001:xxxx:xxxx:xxxx:192:168:0:15

just hangs. Control-C exits with the error:

PING 2001:xxxx:xxxx:xxxx:192:168:0:15 (2001:xxxx:xxxx:xxxx:192:168:0:15): 56 data bytes
ping6 2001:xxxx:xxxx:xxxx:192:168:0:15
--- 2001:xxxx:xxxx:xxxx:168:0:15 ping statistics ---
28 packets transmitted, 0 packets received, 100% packet loss

I tried again from a Windows command prompt: Destination host unreachable

I tried

iptables -A FORWARD -i nat64 -j ACCEPT
iptables -A FORWARD -o nat64 -j ACCEPT
ip6tables -A FORWARD -i nat64 -j ACCEPT
ip6tables -A FORWARD -o nat64 -j ACCEPT

with the same results.

I verified that I can ping the IPv4 address (192.168.0.15) so the camera does respond to pings.

Any ideas?

It's been sometime, and I finally got Tayga to work in Asuswrt-Merlin. I wrote a script for it, let me know if you are still interested in the details.