FICUSONLINE F9E
OpenWRT + V6 Plus (MAP-E)
FLET'S Hikari fiber-optic service operates on an independent IPv6 network, which is connected to the IPv6 Internet through VNE's IPv6 network infrastructure.
Takanobu Fuse, Administrator

The mutual connection between an OpenWRT client and the IPv4 Internet is established through the MAP CE (ONU) installed on the client side and the MAP BR located on the VNE.
MAP CE and MAP BR are interconnected using IPv6 addresses.
The prefix of the IPv6 address assigned to MAP CE incorporates information about the public IPv4 address and the allocated port number. This public IPv4 address is assigned to the "wan6mape" interface of the router.

The IPv6 address for the "wan6" interface of the router is assigned by VNE's DHCP server.
 
[Image: Vpn Install]

  • MAP: Mapping of Address and Port
  • MAP CE: MAP Customer Edge
  • MAP BR: MAP Border Relay
  • NGN: Next Generation Network
  • VNE: Virtual Network Enabler
  • JPNE: Japan Network Enabler
 
Install OpenWRT on TP-LINK Archer C6 V2 to enable compatibility with IPv6 Plus (MAP-E), which is not supported by default.
 
[Image: Archer C6 V2]

Starting from the router's initial state, configure the settings in the following steps.
 
  1. Installation of the "map" add-on
  2. Reconfiguration of the wan6 and lan interfaces
  3. Creation of the MAP-E interface, wan6mape
  4. IPv6 port forwarding settings (Optional: such as opening HTTP and HTTPS ports)
  5. Addition of firewall rules (Optional: including IPv4 load balancing, etc.)
 

1. Installation of the "map" add-on

Note: After installation, a router reboot is required.
If you want to install using an SSH connection:
$ ssh root@<router-address>
# opkg update
# opkg install map

If you want to install from the OpenWRT web interface:
Please update the packages and install "map" by performing the following steps from System > Software:
Click on "Update Lists" to refresh the package lists.
Search for "map."
Install the "map" package by filtering it in the package list.
 
[Image: Map Addon]


2. Reconfiguration of the wan6 and lan interfaces

Reconfigure the "wan6" interface (IPv6 configuration).
SSH into the router, open the network configuration file, and add the following three items to the "wan6" interface section:
        option ip6prefix '2400:aaaa:bbbb:cccc::/64'
        option iface_map 'wan6mape'
        option zone_map 'wan'
The section then looks like this:
$ ssh root@<router-address>
# vi /etc/config/network
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ip6prefix '2400:aaaa:bbbb:cccc::/64'
        option iface_map 'wan6mape'
        option zone_map 'wan'
  • ip6prefix: The upper 64 bits of the IPv6 address assigned by VNE to "wan6."
  • iface_map: Set to the newly created MAP-E interface "wan6mape."
  • zone_map: Specify the firewall zone as "wan."
Please make these changes in the OpenWRT configuration interface.
Modify the DHCP settings for the "wan6" interface in the OpenWRT configuration interface as follows:
 
[Image: Wan6 Dhcp]
 
Modify the DHCP settings for the "lan" interface in the OpenWRT configuration interface as follows:
 
[Image: Lan Dhcpv6]


3. Creation of the MAP-E interface, wan6mape

First, calculate the required parameters from the IPv6 address assigned to "wan6." You can use the following website for automatic calculation.
Map E Auto Calc
 
The mechanism of assigning IPv4 addresses and ports within IPv6 addresses using MAP-E is explained in detail in the following document.
 
 
Create a new interface "wan6mape" in OpenWRT. 
 
Please enter the obtained parameters for each of the following items.
 
[Image: Wan6mape Setting 001]
 
Specify "wan6" for the Tunnel Link and set the MTU to 1460 (optional).
 
[Image: Wan6mape Setting 002]
 
With the settings made so far, you can establish an IPv4 connection by restarting the "wan6" interface.
 
An IPv4 address is assigned to "wan6mape," and a virtual interface named "wan6mape_" with an IPv6 address assigned will appear.
 
If there is any communication activity displayed on the RX and TX of "wan6mape," the connection has been established.
 
[Image: Interface]

 


4. IPv6 port forwarding settings (Optional: such as opening HTTP and HTTPS ports)

Clients will also be assigned a public IPv6 address. Port forwarding can be configured from "Network > Firewall > Traffic Rules."
 
 
[Image: Firewall HTTP Https]

5. Addition of firewall rules (Optional: including IPv4 load balancing, etc.)

Firewall commands: nft, fw4
OpenWRT's firewall, "fw4" (/sbin/fw4), is essentially a script that creates and edits the "table inet fw4" within nftables. It also handles starting/stopping nftables and reloading the configuration file.
 
You can add firewall rules using either the uci command or the nft command.
 
Check all tables
# nft list ruleset
Flush all table rules
# nft flush ruleset
Rule sets executed by fw4 commands
# fw4 print

table inet fw4
flush table inet fw4

table inet fw4 {
#
# Defines
#

....................
....................

#
# User includes
#

include "/etc/nftables.d/*.nft"
.....................
....................
Adding rules is also possible by creating the configuration file /etc/nftables.d/*.nft, which is loaded by default (limited to the "inet fw4" table).
 
When introducing MAP-E, to efficiently distribute communication packets across the assigned range of public IPv4 ports (including the ability to run ping), add tables with load balancing rules for ICMP, TCP, and UDP protocols.
table inet mape {
    chain srcnat {
        type nat hook postrouting priority filter; policy accept;
        ip protocol icmp oifname "map-wan6mape" snat ip to 10.20.30.40:numgen inc mod 240 map { 0 : xxxx, 1 : xxxx, ......., 239 : xxxx }
        ip protocol tcp oifname "map-wan6mape" snat ip to 10.20.30.40:numgen inc mod 240 map { 0 : xxxx, 1 : xxxx, ......., 239 : xxxx }
        ip protocol udp oifname "map-wan6mape" snat ip to 10.20.30.40:numgen inc mod 240 map { 0 : xxxx, 1 : xxxx, ......., 239 : xxxx }
    }
}
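The 240 map entries in the rules above are the ports that belong to the PSID calculated in step 3. The following is an added example, not part of the original post: it derives those ports and prints the table, assuming PSID offset 4 and PSID length 8 (which gives the 240 ports used above). The function names and the PSID value 18 are made up for illustration.

```shell
#!/bin/sh
# Added example: build the "inet mape" table for a given PSID.
# Assumption: PSID offset 4 and PSID length 8 (15 blocks x 16 ports = 240).

# mape_ports PSID [OFFSET] [PSIDLEN]: print every assigned port, one per line.
# Port layout (RFC 7597): | A (offset bits) | PSID | j (remaining bits) |
mape_ports() {
    psid=$1; offset=${2:-4}; psidlen=${3:-8}
    m=$((16 - offset - psidlen))       # bits left for j inside each block
    a=1                                # A=0 is excluded (lowest port block)
    while [ "$a" -lt $((1 << offset)) ]; do
        j=0
        while [ "$j" -lt $((1 << m)) ]; do
            echo $(( (a << (16 - offset)) | (psid << m) | j ))
            j=$((j + 1))
        done
        a=$((a + 1))
    done
}

# mape_nft_map PSID ...: print "0 : p0, 1 : p1, ..." for the nft map.
mape_nft_map() {
    mape_ports "$@" | awk '{ printf "%s%d : %d", (NR > 1 ? ", " : ""), NR - 1, $1 }
                           END { print "" }'
}

# mape_table IPV4 PSID ...: print the complete table in the post's layout.
mape_table() {
    ip=$1; shift
    map=$(mape_nft_map "$@")
    n=$(( $(mape_ports "$@" | wc -l) ))   # arithmetic strips wc padding
    echo "table inet mape {"
    echo "    chain srcnat {"
    echo "        type nat hook postrouting priority filter; policy accept;"
    for proto in icmp tcp udp; do
        echo "        ip protocol $proto oifname \"map-wan6mape\" snat ip to ${ip}:numgen inc mod $n map { $map }"
    done
    echo "    }"
    echo "}"
}

# Constructed sample: the post's placeholder address and a made-up PSID of 18.
mape_table 10.20.30.40 18
```

Save the output to a file and validate it with "nft -c -f <file>" before loading it.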
 
To add this table, replace the script /lib/netifd/proto/map.sh as follows.
# cd /lib/netifd/proto
# cp map.sh map.sh.old (backup)
# vi map.sh (delete the contents, then copy & paste)
# nft flush ruleset (delete all rule sets)
# service network restart (restart the network)
 
Note: OpenWRT's firewall "fw4" only manages the rule set table "inet fw4," so the above script adds rules to the "inet mape" table every time it is restarted.
Fix: add a conditional that deletes the table first, as follows: "if ~ nft delete table inet mape ~ fi".
/lib/netifd/proto/map.sh
#------------------------------------
#MODIFICATION 2: Create mape table
#------------------------------------
    if nft list tables | grep -q "table inet mape"; then
        nft delete table inet mape
    fi
    nft add table inet mape
    nft add chain inet mape srcnat {type nat hook postrouting priority 0\; policy accept\; }
#------------------------------------
#END MODIFICATION 2
#------------------------------------
 
For further additions, corrections, and related information about this content, please follow the forum post on the following website.