Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:ipv6:nat64 [2023/09/01 18:59] – [Extras] use jshn to generate the config vgaetera | docs:guide-user:network:ipv6:nat64 [2024/04/20 15:28] – [Option 1 - Running in the main network namespace] goetz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== NAT64 for IPv6-only | + | ====== NAT64 for a IPv6-only |
| + | {{section> | ||
| - | NAT64 (Network address translation from IPv6 to IPv4) is a technology for allowing IPv6-only devices to connect | + | See also: |
| + | [[docs: | ||
| + | [[docs: | ||
| - | It works much like the NAT44 used by most home networks that forwards packets between IPv4 private | + | NAT64 (Network |
| - | NAT64 is applicable both for IPv6-only | + | It's very similar to the NAT44 used by most home networks |
| - | NAT64 can be easily activated using [[https://github.com/NICMx/Jool#jool|Jool]]. | + | It works in conjunction with several technologies: |
| + | * DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets. | ||
| + | * [[https://git.openwrt.org/?p=project/odhcpd.git; | ||
| - | For latest version, OpenWRT 22.03, you can enable the Netfilter version of Jool for NAT64 via one of the following: | ||
| - | ==== From LuCI web console ==== | + | In OpenWrt, NAT64 can be easily activated using [[https:// |
| - | 1. System > Software: Install `jool-tools-netfilter` (this will install `kmod-jool-netfilter` and other dependencies). | ||
| - | 2. System > Startup > Local Startup: Add the following to / | + | ===== Two options are possible ===== |
| + | |||
| + | |||
| + | === Option 1 - Running in the main network namespace === | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to activate | ||
| + | * basic integration with the uci configuration system | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * hard to enforce firewall rules | ||
| + | * translation not available for locally (on the router) generated traffic | ||
| + | * fights over dynamic port numbers | ||
| + | * needs to be reconfigured every time the public IPv4 changes | ||
| + | |||
| + | |||
| + | === Option | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to enforce firewall rules | ||
| + | * translation available for all traffic | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * no integration with the configuration system | ||
| + | |||
| + | |||
| + | ==== Option 1 - Running in the main network namespace ==== | ||
| + | |||
| + | The following | ||
| < | < | ||
| - | jool instance add --pool6 64: | + | # opkg update |
| + | # opkg install kmod-jool-netfilter | ||
| </ | </ | ||
| - | 3. System > Reboot > Perform reboot | + | ==== Jool Configuration Syntax ==== |
| - | 4. Confirm working NAT64 from a device inside your LAN ''ping 64:ff9b::8.8.8.8'' | + | Jool's configuration is split into three configuration files: |
| + | * / | ||
| + | * / | ||
| + | * / | ||
| - | ==== Command line ==== | + | === / |
| - | Using your router command line (e.g. SSH into the device). | + | This file controls which of the services is enabled (NAT64, SIIT, or both). |
| < | < | ||
| - | # Install packages | + | config jool ' |
| - | opkg update | + | option enabled ' |
| - | opkg install kmod-jool-netfilter | + | |
| + | config | ||
| + | option enabled ' | ||
| + | |||
| + | config | ||
| + | option enabled ' | ||
| </ | </ | ||
| + | === /etc/jool === | ||
| + | |||
| + | In this folder are the files that actually configures Jool's NAT64 and SIIT modules. | ||
| + | |||
| + | The reference for configuring these is in the jools official documentation: | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | |||
| + | |||
| + | === Using Jool === | ||
| + | |||
| + | == Basic setup == | ||
| + | |||
| + | After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template: | ||
| + | |||
| + | / | ||
| < | < | ||
| - | # Add the following line to /etc/rc.local (before the exit 0) | + | { |
| - | jool instance | + | " |
| + | "instance": " | ||
| + | " | ||
| + | " | ||
| + | "pool6": "64: | ||
| + | " | ||
| + | " | ||
| + | } | ||
| + | } | ||
| + | </ | ||
| + | |||
| + | After saving the configuration you need to enable it: | ||
| + | |||
| + | < | ||
| + | uci set jool.general.enabled=" | ||
| + | uci set jool.nat64.enabled=" | ||
| + | uci commit jool | ||
| + | service jool restart | ||
| </ | </ | ||
| + | After this configuration, | ||
| < | < | ||
| # Confirm working NAT64 from a device inside your LAN | # Confirm working NAT64 from a device inside your LAN | ||
| - | ping 64:ff9b::8.8.8.8 | + | ping 64:ff9b::1.1.1.1 |
| </ | </ | ||
| - | To check Jool's version, run | + | |
| + | ==== Option 2 - Running jool in a separate network namespace ==== | ||
| + | |||
| + | Inspired and supported by the tutorial IPv6-only/ | ||
| + | |||
| + | The following packages need to be installed first: | ||
| < | < | ||
| - | jool --version | + | kmod-veth |
| + | ip-full | ||
| + | kmod-jool-netfilter | ||
| + | jool-tools-netfilter | ||
| </ | </ | ||
| - | As of 2022-10-24, the above installs Jool 4.1.6.1, with " | + | === Setup jool network namespace === |
| - | ==== Usage ==== | + | Create or copy the following shell script to ''/ |
| - | When using NAT64, in your IPv6 only network, be sure to [[docs: | + | < |
| + | #!/bin/sh | ||
| + | ip link add jool type veth peer openwrt | ||
| + | ip netns add jool | ||
| + | ip link set dev openwrt netns jool | ||
| + | ip netns exec jool sh << | ||
| + | sysctl -w net.ipv4.conf.all.forwarding=1 | ||
| + | sysctl | ||
| + | sysctl -w net.ipv6.conf.openwrt.accept_ra=2 | ||
| + | sysctl -w net.ipv4.ip_local_port_range=" | ||
| + | ip link set dev lo up | ||
| + | ip link set dev openwrt up | ||
| + | ip addr add dev openwrt 192.168.164.2/24 | ||
| + | ip addr add dev openwrt fe80::64 | ||
| + | ip route add default via 192.168.164.1 | ||
| + | modprobe jool | ||
| + | jool instance add --netfilter --pool6 64:ff9b::/96 | ||
| + | jool global update lowest-ipv6-mtu 1500 | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --tcp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --udp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --icmp | ||
| + | EOF | ||
| + | </ | ||
| - | See also: | + | Make it executable |
| - | * [[packages: | + | <code> |
| - | * [[https:// | + | chmod +x setupjool.sh |
| - | * [[http:// | + | </code> |
| - | ===== DNS64+NAT64 in a dual-stack network ===== | + | Add the following line to ''/ |
| - | In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only serves, as it has no access to NAT44. | + | < |
| + | / | ||
| + | </ | ||
| - | You can enable NAT64 in a dual-stack network, which will allow these devices to use DNS64, and then access the IPv4-only servers. This is useful for testing individual devices (e.g. turn off IPv4 and manually configure DNS). | + | === Setup jool interface === |
| - | You can also enable DNS64 for the entire dual-stack network, which will result in all devices that support IPv6 (including dual-stack devices) using NAT64 (because they get a DNS64 result) instead of NAT44. This will allow IPv6-only devices | + | * use IPv4 subnet 192.168.164.1/ |
| + | * allocate one IPv6 /64 with SLAAC | ||
| + | * route NAT64 prefix | ||
| + | * configure '' | ||
| - | **Warning: | + | Setup new interface |
| - | ===== Extras ===== | + | < |
| - | {{section>meta: | + | config interface ' |
| + | option proto ' | ||
| + | option device ' | ||
| + | option ipaddr ' | ||
| + | option netmask ' | ||
| + | option ip6assign ' | ||
| + | option ip6hint ' | ||
| + | </code> | ||
| - | Setting up NAT64 with Jool according to the official package documentation. | + | Configure DHCPv4 |
| - | Utilize service | + | |
| - | < | + | < |
| - | # Install packages | + | config dhcp ' |
| - | opkg update | + | option interface 'jool' |
| - | opkg install | + | option start ' |
| + | option limit ' | ||
| + | option leasetime ' | ||
| + | option ignore ' | ||
| + | option ra ' | ||
| + | option ra_default ' | ||
| + | </ | ||
| - | # Configure NAT64 | + | Add a static IPv6 route |
| - | . / | + | |
| - | json_init | + | |
| - | json_add_string " | + | |
| - | json_add_string " | + | |
| - | json_add_object " | + | |
| - | json_add_string " | + | |
| - | json_close_object | + | |
| - | json_dump > / | + | |
| - | uci set jool.general.enabled=" | + | |
| - | uci set jool.nat64.enabled=" | + | |
| - | uci commit jool | + | |
| - | / | + | |
| - | # Check from a LAN client | + | < |
| - | ping 64:ff9b::8.8.8.8 | + | config route6 |
| + | option interface ' | ||
| + | option target '64:ff9b::/96' | ||
| + | option gateway ' | ||
| </ | </ | ||
| + | |||
| + | Add '' | ||
| + | |||
| + | < | ||
| + | config zone | ||
| + | option name ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | list network ' | ||
| + | </ | ||
| + | |||
| + | Forward '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | === Testing === | ||
| + | |||
| + | After this configuration, | ||
| + | |||
| + | < | ||
| + | # Confirm working NAT64 from your router | ||
| + | ping 64: | ||
| + | </ | ||
| + | |||
| + | Make sure it works also from the connected devices | ||
| + | - otherwise it might be a routing/ | ||
| + | |||
| + | === Add forwardings from existing firewall zone to '' | ||
| + | |||
| + | e.g., '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ==== Add PREF64 option to the existing networks ==== | ||
| + | |||
| + | Option in the Router Advertisement messages carring the NAT64 prefix the network is using. | ||
| + | New feature introduced with '' | ||
| + | |||
| + | < | ||
| + | config dhcp ' | ||
| + | option interface ' | ||
| + | ... | ||
| + | option ra_pref64 ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | ==== Configure DNS64 ==== | ||
| + | |||
| + | In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only servers, as it has no access to NAT44. | ||
| + | |||
| + | DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 ('' | ||
| + | |||
| + | To use DNS64 you can [[docs: | ||
| + | Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix '' | ||
| + | |||
| + | ==== Become IPv6-mostly ==== | ||
| + | |||
| + | Android and iOS as well as macOS are working fine in IPv6-only networks. | ||
| + | To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925. | ||
| + | |||
| + | Add this option to the DHCPv4 configuration of the desired zone e.g., '' | ||
| + | < | ||
| + | # 30 minutes = 1800 seconds = 0x708 seconds | ||
| + | dhcp_option ' | ||
| + | </ | ||
| + | |||
| + | After this all your mobile and macOS devices will drop the IPv4 lease and run in IPv6-only mode. | ||
| + | |||
| + | |||
| + | ==== See also: ==== | ||
| + | * [[https:// | ||
| + | * [[http:// | ||
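Review bot: in the namespace setup script (the `#!/bin/sh` block ending at `EOF`), the three `jool pool4 add 192.168.164.2 33000-65535 --tcp/--udp/--icmp` lines only avoid the "fights over dynamic port numbers" problem listed as a con of option 1 if the range set by the preceding `sysctl -w net.ipv4.ip_local_port_range=...` line ends below 33000; that value is cut off in this diff view, so state the intended range explicitly next to the pool4 lines. The script is also not safe to run twice: `ip link add jool type veth peer openwrt` and `ip netns add jool` fail if the link or namespace already exists, so either delete them first (`ip netns del jool` also removes the veth end moved into it) or guard the script so a manual re-run after boot does not abort half-way. Finally, `jool global update lowest-ipv6-mtu 1500` is only correct when every IPv6 link behind the router really has a 1500-byte MTU; a sentence saying to lower it on PPPoE or tunnelled IPv6 would save readers a fragmentation problem.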
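Review bot: the `chmod +x setupjool.sh` line uses a relative path while the start-up line added to the rc file right after it is an absolute path; use the same absolute path in both so the command works regardless of the shell's working directory, and say that the script has to finish before the `jool` interface configured in the next section comes up, since that interface refers to the `jool` veth end the script creates.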
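Review bot: a few typos in the new text: "NAT64 for a IPv6-only" in the title should be "an IPv6-only"; "Setup jool network namespace" and "Setup jool interface" should read "Set up" when used as a verb; "the files that actually configures" should be "configure"; "jools official documentation" should be "Jool's official documentation"; "carring" in the PREF64 section should be "carrying"; "ranslated" in the DNS64 section should be "translated"; and "can only be use" should be "can only be used".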
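Review bot: the claim that "all your mobile and macOS devices will drop the IPv4 lease" after adding the `dhcp_option` line for option 108 should be qualified: RFC 8925 clients only act on the option when they request it themselves, so hosts that do not implement it (most desktop Windows and Linux installs today) keep their IPv4 lease unchanged, and a client that does switch depends on NAT64 plus DNS64 or PREF64 being reachable, which is why this step belongs after the NAT64 and DNS64 sections. The comment "30 minutes = 1800 seconds = 0x708 seconds" is arithmetically right (1800 = 0x708); adding that the value is a 32-bit big-endian number of seconds would explain why it is written as bytes.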