NAT64 for a IPv6-only network (Jool)

See also: NAT66 and IPv6 masquerading, IPv6 NAT and NPT

NAT64 (Network address translation from IPv6 to IPv4) is a technology for allowing an IPv6-only network to connect and interoperate with the IPv4 Internet.

It's very similar to the NAT44 used by most home networks that forwards packets between IPv4 private address space and IPv4 public address space, except it forwards between IPv6 (public) addresses and IPv4 public addresses.

It works in conjunction with several technologies:

  • DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets.
  • PREF64, where the router advertises in an ICMPv6 Router Advertisement the NAT64 prefix which devices can use to create a CLAT interface (Android, iOS and macOS uses this).

In OpenWrt, NAT64 can be easily activated using Jool.

Option 1 - Running in the main network namespace

Pros

  • easy to activate
  • basic integration with the uci configuration system

Cons

  • hard to enforce firewall rules
  • translation not available for locally (on the router) generated traffic
  • fights over dynamic port numbers
  • needs to be reconfigured every time the public IPv4 changes

Option 2 - Running jool in a separate network namespace

Pros

  • easy to enforce firewall rules
  • translation available for all traffic

Cons

  • no integration with the configuration system

The following packages need to be installed first:

# opkg update
# opkg install kmod-jool-netfilter jool-tools-netfilter

Jool's configuration is split into three configuration files:

  • /etc/config/jool
  • /etc/jool/jool-nat64.conf.json
  • /etc/jool/jool-siit.conf.json

/etc/config/jool

This file controls which of the services is enabled (NAT64, SIIT, or both).

config jool 'general'
	option enabled '0'

config jool 'nat64'
        option enabled '0'

config jool 'siit'
        option enabled '0'

/etc/jool

In this folder are the files that actually configures Jool's NAT64 and SIIT modules.

The reference for configuring these is in the jools official documentation:

Using Jool

Basic setup

After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template:

/etc/jool/jool-nat64.conf.json:

{
	"comment": "NAT64 instance configuration.",
	"instance": "nat64",
	"framework": "netfilter",
	"global": {
		"pool6": "64:ff9b::/96",
		"maximum-simultaneous-opens": 16,
		"source-icmpv6-errors-better": true
	}
}

After saving the configuration you need to enable it:

uci set jool.general.enabled="1"
uci set jool.nat64.enabled="1"
uci commit jool
service jool restart

After this configuration, jool should be running. You can test this by pinging an IPv4 address.

# Confirm working NAT64 from a device inside your LAN
ping 64:ff9b::1.1.1.1

Inspired and supported by the tutorial IPv6-only/mostly on OpenWrt by Ondřej Caletka 1).

The following packages need to be installed first:

# opkg update
# opkg install kmod-veth ip-full kmod-jool-netfilter jool-tools-netfilter

Setup jool network namespace

Create or copy the following shell script to /etc/jool/setupjool.sh

#!/bin/sh
ip link add jool type veth peer openwrt
ip netns add jool
ip link set dev openwrt netns jool
ip netns exec jool sh <<EOF
    sysctl -w net.ipv4.conf.all.forwarding=1
    sysctl -w net.ipv6.conf.all.forwarding=1
    sysctl -w net.ipv6.conf.openwrt.accept_ra=2
    sysctl -w net.ipv4.ip_local_port_range="32768 32999"
    ip link set dev lo up
    ip link set dev openwrt up
    ip addr add dev openwrt 192.168.164.2/24
    ip addr add dev openwrt fe80::64
    ip route add default via 192.168.164.1
    modprobe jool
    jool instance add --netfilter --pool6 64:ff9b::/96
    jool global update lowest-ipv6-mtu 1500
    jool pool4 add 192.168.164.2 33000-65535 --tcp
    jool pool4 add 192.168.164.2 33000-65535 --udp
    jool pool4 add 192.168.164.2 33000-65535 --icmp
EOF

Make it executable and execute it once.

chmod +x setupjool.sh

Add the following line to /etc/rc.local through the CLI or Luci UI (System - Startup - Local Startup), before the exit 0.

/etc/jool/setupjool.sh

Setup jool interface

  • use IPv4 subnet 192.168.164.1/24
  • allocate one IPv6 /64 with SLAAC
  • route NAT64 prefix to fe80::64
  • configure jool firewall zone and forward from lan zone

Setup new interface

file /etc/config/network

config interface 'jool'
	option proto 'static'
	option device 'jool'
	option ipaddr '192.168.164.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '64'

Configure DHCPv4 and SLAAC/DHCPv6

file /etc/config/dhcp

config dhcp 'jool'
	option interface 'jool'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option ra 'server'
	option ra_default '2'

Add a static IPv6 route

file /etc/config/network

config route6
	option interface 'jool'
	option target '64:ff9b::/96'
	option gateway 'fe80::64'

Add jool firewall zone

file /etc/config/firewall

config zone
	option name 'jool'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'jool'

Forward lan zone to jool

file /etc/config/firewall

config forwarding
	option src 'lan'
	option dest 'jool'

Testing

After this configuration, jool should be running and the firewall is correctly configured. You can test this by pinging a synthesized IPv4 address.

# Confirm working NAT64 from your router
ping 64:ff9b::1.1.1.1

Make sure it works also from the connected devices

  • otherwise it might be a routing/firewall issue
  • try a complete reboot before you start tweaking and debugging

Add forwardings from existing firewall zone to ''jool''

e.g., lan

file /etc/config/firewall

config forwarding
	option src 'lan'
	option dest 'jool'

Option in the Router Advertisement messages carring the NAT64 prefix the network is using. New feature introduced with v23.05.0

file /etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
        ...
	option ra_pref64 '64:ff9b::/96'

In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only servers, as it has no access to NAT44.

DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 (jool) to IPv4 addresses.

To use DNS64 you can change your DNS to Cloudflare's DNS64 Google DNS64 or set up unbound for DNS64 to correctly resolve domain names into translated addresses. Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix 64:ff9b::/96.

Android and iOS as well as macOS are working fine in IPv6-only networks. To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925.

Add this option to the DHCPv4 configuration of the desired zone e.g., lan

file /etc/config/dhcp

# 30 minutes = 1800 seconds = 0x708 seconds
dhcp_option '108,0:0:7:8'

After this all your mobile and macOS devices will drop the IPv4 lease and run in IPv6-only mode.


This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/04/20 15:40
  • by goetz