See also: NAT66 and IPv6 masquerading, IPv6 NAT and NPT
NAT64 (Network address translation from IPv6 to IPv4) is a technology for allowing an IPv6-only network to connect and interoperate with the IPv4 Internet.
It's very similar to the NAT44 used by most home networks that forwards packets between IPv4 private address space and IPv4 public address space, except it forwards between IPv6 (public) addresses and IPv4 public addresses.
It works in conjunction with several technologies:
In OpenWrt, NAT64 can be easily activated using Jool or TAYGA. Jool performs NAT64 in kernel space and has a better performance, while TAYGA works in user space and uses the TUN driver to exchange packets with the kernel.
Pros
Cons
Pros
Cons
The following packages need to be installed first:
# opkg update # opkg install kmod-jool-netfilter jool-tools-netfilter
Jool's configuration is split into three configuration files:
This file controls which of the services is enabled (NAT64, SIIT, or both).
config jool 'general'
option enabled '0'
config jool 'nat64'
option enabled '0'
config jool 'siit'
option enabled '0'
In this folder are the files that actually configures Jool's NAT64 and SIIT modules.
The reference for configuring these is in the jools official documentation:
After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template:
/etc/jool/jool-nat64.conf.json:
{
"comment": "NAT64 instance configuration.",
"instance": "nat64",
"framework": "netfilter",
"global": {
"pool6": "64:ff9b::/96",
"maximum-simultaneous-opens": 16,
"source-icmpv6-errors-better": true
}
}
After saving the configuration you need to enable it:
uci set jool.general.enabled="1" uci set jool.nat64.enabled="1" uci commit jool service jool restart
After this configuration, jool should be running. You can test this by pinging an IPv4 address.
# Confirm working NAT64 from a device inside your LAN ping 64:ff9b::1.1.1.1
Inspired and supported by the tutorial IPv6-only/mostly on OpenWrt by Ondřej Caletka 1).
The following packages need to be installed first:
# opkg update # opkg install kmod-veth ip-full kmod-jool-netfilter jool-tools-netfilter
Create or copy the following shell script to /etc/jool/setupjool.sh
#!/bin/sh
ip link add jool type veth peer openwrt
ip netns add jool
ip link set dev openwrt netns jool
ip netns exec jool sh <<EOF
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.openwrt.accept_ra=2
sysctl -w net.ipv4.ip_local_port_range="32768 32999"
ip link set dev lo up
ip link set dev openwrt up
ip addr add dev openwrt 192.168.164.2/24
ip addr add dev openwrt fe80::64
ip route add default via 192.168.164.1
modprobe jool
jool instance add --netfilter --pool6 64:ff9b::/96
jool global update lowest-ipv6-mtu 1500
jool pool4 add 192.168.164.2 33000-65535 --tcp
jool pool4 add 192.168.164.2 33000-65535 --udp
jool pool4 add 192.168.164.2 33000-65535 --icmp
EOF
Make it executable and execute it once.
chmod +x setupjool.sh
Add the following line to /etc/rc.local through the CLI or Luci UI (System - Startup - Local Startup), before the exit 0.
/etc/jool/setupjool.sh
Persist it across sysupgrades, add file to /etc/sysupgrade.conf through the CLI or Luci UI (System - Backup / Flash Firmware- Configuration)
cat << EOF >> /etc/sysupgrade.conf /etc/jool/setupjool.sh EOF
jool firewall zone and forward from lan zoneSetup new interface
file /etc/config/network
config interface 'jool' option proto 'static' option device 'jool' option ipaddr '192.168.164.1' option netmask '255.255.255.0' option ip6assign '64' option ip6hint '64'
Configure DHCPv4 and SLAAC/DHCPv6
file /etc/config/dhcp
config dhcp 'jool' option interface 'jool' option start '100' option limit '150' option leasetime '12h' option ignore '1' option ra 'server' option ra_default '2'
Add a static IPv6 route
file /etc/config/network
config route6 option interface 'jool' option target '64:ff9b::/96' option gateway 'fe80::64'
Add jool firewall zone
file /etc/config/firewall
config zone
option name 'jool'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'jool'
config forwarding
option src 'jool'
option dest 'wan'
Forward lan zone to jool
file /etc/config/firewall
config forwarding option src 'lan' option dest 'jool'
After this configuration, jool should be running and the firewall is correctly configured. You can test this by pinging a synthesized IPv4 address.
# Confirm working NAT64 from your router ping 64:ff9b::1.1.1.1
Make sure it works also from the connected devices
e.g., lan
file /etc/config/firewall
config forwarding option src 'lan' option dest 'jool'
Essentially, TAYGA only does 1-to-1 stateless NAT64 (no NAPT), but it allows setting up a dynamic IPv4 address pool from which it assigns an IPv4 to an IPv6 address (from our IPv6-only LAN) on demand. In a setup where stateful NAT64 is expected, we can use a RFC 1918 private address range for the dynamic address pool, and leverage the kernel to do stateful IPv4 NAPT (MASQUERADE).
Firstly, install the tayga package, which depends on kmod-tun.
opkg update opkg install tayga
Secondly, create a network interface called nat64:
In file /etc/config/network:
config interface 'nat64'
option proto 'tayga'
option prefix '64:ff9b::/96'
option ipv6_addr 'fd00:ffff::1'
option dynamic_pool '192.168.255.0/24'
option ipv4_addr '192.168.255.1'
Make sure the dynamic_pool doesn't overlay with the IP range of your LAN. You can read
TAYGA's manpages to
learn about TAYGA's options.
Then, assign the nat64 interface to a firewall zone which is routable to
your IPv6-only lan zone.
You can put nat64 into the lan zone (say it's called zone[0] by uci),
assuming intra-zone forwarding within lan is accepted:
uci add_list firewall.@zone[0].network='nat64' uci commit firewall
Or create a dedicated zone for the nat64 interface:
uci add firewall zone uci set firewall.@zone[-1].name='xlat' uci set firewall.@zone[-1].input='REJECT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].forward='REJECT' uci add_list firewall.@zone[-1].network='nat64' uci add firewall forwarding uci set firewall.@forwarding[-1].src='xlat' uci set firewall.@forwarding[-1].dest='wan' uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='xlat'
Finally we can restart the network and OpenWrt will create a tayga-nat64 TUN device
and a configuration file for TAYGA based on the UCI configuration as well as
adding required routes entries.
service network restart
Now you should be able to ping 64:ff9b::1.1.1.1 from your IPv6-only LAN.
Option in the Router Advertisement messages carring the NAT64 prefix the network is using.
New feature introduced with v23.05.0
file /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
...
option ra_pref64 '64:ff9b::/96'
In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only servers, as it has no access to NAT44.
DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 (jool) to IPv4 addresses.
To use DNS64 you can change your DNS to Cloudflare's DNS64 Google DNS64 or set up unbound for DNS64 to correctly resolve domain names into translated addresses.
Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix 64:ff9b::/96.
Android and iOS as well as macOS are working fine in IPv6-only networks. To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925.
Add this option to the DHCPv4 configuration of the desired zone e.g., lan
file /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
...
# 30 minutes = 1800 seconds = 0x708 seconds
list dhcp_option '108,00:00:07:08'
After this all your mobile and macOS devices will drop the IPv4 lease and run in IPv6-only mode.