| docs:guide-user:network:ipv6:nat64 [2023/09/01 23:40] – [NAT64 for IPv6-only devices] update link vgaetera | docs:guide-user:network:ipv6:nat64 [2024/04/20 15:28] – [Option 1 - Running in the main network namespace] goetz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== NAT64 for IPv6-only | + | ====== NAT64 for a IPv6-only |
| + | {{section> | ||
| See also: | See also: | ||
| - | [[docs: | + | [[docs: |
| + | [[docs: | ||
| - | NAT64 (Network address translation from IPv6 to IPv4) is a technology for allowing IPv6-only | + | NAT64 (Network address translation from IPv6 to IPv4) is a technology for allowing |
| - | It works much like the NAT44 used by most home networks that forwards packets between IPv4 private address space and IPv4 public address space, except it forwards between IPv6 (public) addresses and IPv4 public addresses. | + | It's very similar to the NAT44 used by most home networks that forwards packets between IPv4 private address space and IPv4 public address space, except it forwards between IPv6 (public) addresses and IPv4 public addresses. |
| - | NAT64 is applicable both for IPv6-only networks, where all devices are IPv6-only, and individual IPv6-only devices | + | It works in conjunction with several technologies: |
| + | * DNS64, where the DNS returns a specially formatted | ||
| + | * [[https:// | ||
| - | NAT64 can be easily activated using [[https:// | ||
| - | For latest version, OpenWRT 22.03, you can enable the Netfilter version of Jool for NAT64 via one of the following: | + | In OpenWrt, NAT64 can be easily activated using [[https:// |
| - | ==== From LuCI web console ==== | ||
| - | 1. System > Software: Install `jool-tools-netfilter` (this will install `kmod-jool-netfilter` and other dependencies). | + | ===== Two options are possible ===== |
| - | 2. System > Startup > Local Startup: Add the following to / | + | |
| + | === Option 1 - Running in the main network namespace === | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to activate | ||
| + | * basic integration with the uci configuration system | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * hard to enforce firewall rules | ||
| + | * translation not available for locally (on the router) generated traffic | ||
| + | * fights over dynamic port numbers | ||
| + | * needs to be reconfigured every time the public IPv4 changes | ||
| + | |||
| + | |||
| + | === Option | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to enforce firewall rules | ||
| + | * translation available for all traffic | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * no integration with the configuration system | ||
| + | |||
| + | |||
| + | ==== Option 1 - Running in the main network namespace ==== | ||
| + | |||
| + | The following | ||
| < | < | ||
| - | jool instance add --pool6 64: | + | # opkg update |
| + | # opkg install kmod-jool-netfilter | ||
| </ | </ | ||
| - | 3. System > Reboot > Perform reboot | + | ==== Jool Configuration Syntax ==== |
| - | 4. Confirm working NAT64 from a device inside your LAN ''ping 64:ff9b::8.8.8.8'' | + | Jool's configuration is split into three configuration files: |
| + | * / | ||
| + | * / | ||
| + | * / | ||
| - | ==== Command line ==== | + | === / |
| - | Using your router command line (e.g. SSH into the device). | + | This file controls which of the services is enabled (NAT64, SIIT, or both). |
| < | < | ||
| - | # Install packages | + | config jool ' |
| - | opkg update | + | option enabled ' |
| - | opkg install kmod-jool-netfilter | + | |
| + | config | ||
| + | option enabled ' | ||
| + | |||
| + | config | ||
| + | option enabled ' | ||
| </ | </ | ||
| + | === /etc/jool === | ||
| + | |||
| + | In this folder are the files that actually configures Jool's NAT64 and SIIT modules. | ||
| + | |||
| + | The reference for configuring these is in the jools official documentation: | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | |||
| + | |||
| + | === Using Jool === | ||
| + | |||
| + | == Basic setup == | ||
| + | |||
| + | After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template: | ||
| + | |||
| + | / | ||
| < | < | ||
| - | # Add the following line to /etc/rc.local (before the exit 0) | + | { |
| - | jool instance | + | " |
| + | "instance": " | ||
| + | " | ||
| + | " | ||
| + | "pool6": "64: | ||
| + | " | ||
| + | " | ||
| + | } | ||
| + | } | ||
| </ | </ | ||
| + | |||
| + | After saving the configuration you need to enable it: | ||
| + | < | ||
| + | uci set jool.general.enabled=" | ||
| + | uci set jool.nat64.enabled=" | ||
| + | uci commit jool | ||
| + | service jool restart | ||
| + | </ | ||
| + | |||
| + | After this configuration, | ||
| < | < | ||
| # Confirm working NAT64 from a device inside your LAN | # Confirm working NAT64 from a device inside your LAN | ||
| - | ping 64:ff9b::8.8.8.8 | + | ping 64:ff9b::1.1.1.1 |
| </ | </ | ||
| - | To check Jool's version, run | + | |
| + | ==== Option 2 - Running jool in a separate network namespace ==== | ||
| + | |||
| + | Inspired and supported by the tutorial IPv6-only/ | ||
| + | |||
| + | The following packages need to be installed first: | ||
| < | < | ||
| - | jool --version | + | kmod-veth |
| + | ip-full | ||
| + | kmod-jool-netfilter | ||
| + | jool-tools-netfilter | ||
| </ | </ | ||
| - | As of 2022-10-24, the above installs Jool 4.1.6.1, with " | + | === Setup jool network namespace === |
| - | ==== Usage ==== | + | Create or copy the following shell script to ''/ |
| - | When using NAT64, in your IPv6 only network, be sure to [[docs: | + | < |
| + | #!/bin/sh | ||
| + | ip link add jool type veth peer openwrt | ||
| + | ip netns add jool | ||
| + | ip link set dev openwrt netns jool | ||
| + | ip netns exec jool sh << | ||
| + | sysctl -w net.ipv4.conf.all.forwarding=1 | ||
| + | sysctl | ||
| + | sysctl -w net.ipv6.conf.openwrt.accept_ra=2 | ||
| + | sysctl -w net.ipv4.ip_local_port_range=" | ||
| + | ip link set dev lo up | ||
| + | ip link set dev openwrt up | ||
| + | ip addr add dev openwrt 192.168.164.2/24 | ||
| + | ip addr add dev openwrt fe80::64 | ||
| + | ip route add default via 192.168.164.1 | ||
| + | modprobe jool | ||
| + | jool instance add --netfilter --pool6 64:ff9b::/96 | ||
| + | jool global update lowest-ipv6-mtu 1500 | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --tcp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --udp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --icmp | ||
| + | EOF | ||
| + | </ | ||
| - | See also: | + | Make it executable |
| - | * [[packages: | + | <code> |
| - | * [[https:// | + | chmod +x setupjool.sh |
| - | * [[http:// | + | </code> |
| - | ===== DNS64+NAT64 in a dual-stack network ===== | + | Add the following line to ''/ |
| - | In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only | + | < |
| + | / | ||
| + | </ | ||
| + | |||
| + | === Setup jool interface === | ||
| + | |||
| + | * use IPv4 subnet 192.168.164.1/ | ||
| + | * allocate one IPv6 /64 with SLAAC | ||
| + | * route NAT64 prefix to fe80::64 | ||
| + | * configure '' | ||
| + | |||
| + | Setup new interface | ||
| + | |||
| + | < | ||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | option ipaddr ' | ||
| + | option netmask ' | ||
| + | option ip6assign ' | ||
| + | option ip6hint ' | ||
| + | </ | ||
| + | |||
| + | Configure DHCPv4 and SLAAC/ | ||
| + | |||
| + | < | ||
| + | config dhcp ' | ||
| + | option interface ' | ||
| + | option start ' | ||
| + | option limit ' | ||
| + | option leasetime ' | ||
| + | option ignore ' | ||
| + | option ra ' | ||
| + | option ra_default ' | ||
| + | </ | ||
| + | |||
| + | Add a static IPv6 route | ||
| + | |||
| + | < | ||
| + | config route6 | ||
| + | option interface ' | ||
| + | option target ' | ||
| + | option gateway ' | ||
| + | </ | ||
| + | |||
| + | Add '' | ||
| + | |||
| + | < | ||
| + | config zone | ||
| + | option name ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | list network ' | ||
| + | </ | ||
| + | |||
| + | Forward '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | === Testing === | ||
| + | |||
| + | After this configuration, | ||
| + | |||
| + | < | ||
| + | # Confirm working NAT64 from your router | ||
| + | ping 64: | ||
| + | </ | ||
| + | |||
| + | Make sure it works also from the connected devices | ||
| + | - otherwise it might be a routing/ | ||
| + | |||
| + | === Add forwardings from existing firewall zone to '' | ||
| + | |||
| + | e.g., '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ==== Add PREF64 option to the existing networks ==== | ||
| + | |||
| + | Option in the Router Advertisement messages carring the NAT64 prefix the network is using. | ||
| + | New feature introduced with '' | ||
| + | |||
| + | < | ||
| + | config dhcp ' | ||
| + | option interface ' | ||
| + | ... | ||
| + | option ra_pref64 ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | ==== Configure DNS64 ==== | ||
| + | |||
| + | In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only | ||
| + | |||
| + | DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 ('' | ||
| + | |||
| + | To use DNS64 you can [[docs: | ||
| + | Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix '' | ||
| + | |||
| + | ==== Become IPv6-mostly ==== | ||
| + | |||
| + | Android and iOS as well as macOS are working fine in IPv6-only networks. | ||
| + | To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925. | ||
| + | |||
| + | Add this option to the DHCPv4 configuration of the desired zone e.g., '' | ||
| + | < | ||
| + | # 30 minutes = 1800 seconds = 0x708 seconds | ||
| + | dhcp_option ' | ||
| + | </ | ||
| - | You can enable NAT64 in a dual-stack network, which will allow these devices to use DNS64, and then access | + | After this all your mobile and macOS devices |
| - | You can also enable DNS64 for the entire dual-stack network, which will result in all devices that support IPv6 (including dual-stack devices) using NAT64 (because they get a DNS64 result) instead of NAT44. This will allow IPv6-only devices to work automatically. | ||
| - | **Warning:** Some devices or software may only partially support IPv6. i.e. in a standard dual-stack network they may have some working software (such as a browser), but other software may internally expect IPv4 addresses and so fail if DNS64 is turned on. Example: PlayStation 5 (as at 2023-08-09) mostly works with DNS64 (such as the internet browser), but the PlayStation Store component does not work -- it fails to handle the IPv6 address. | + | ==== See also: ==== |
| + | | ||
| + | | ||
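Review bot: the new page title in the first row, "NAT64 for a IPv6-only ...", needs "an" rather than "a" before "IPv6-only"; the previous title ("NAT64 for IPv6-only ...") had no article at all, so if the rewording is intended, make it "NAT64 for an IPv6-only ...".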
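Review bot: the Option 1 install snippet (`# opkg update` / `# opkg install kmod-jool-netfilter`) lists only the kernel module, while the removed LuCI step installed `jool-tools-netfilter` (which, per that step, pulls in `kmod-jool-netfilter` and other dependencies) and the Option 2 package list names both `kmod-jool-netfilter` and `jool-tools-netfilter`. The `jool` command used later on the page (`jool instance add`, `jool pool4 add`) is the userspace tool, so either add `jool-tools-netfilter` to the Option 1 line or state that it is pulled in. The `# ` prompt prefix on these two lines is also inconsistent with the rest of the page, where snippets are written without a prompt and `#` introduces a comment (`# Confirm working NAT64 from a device inside your LAN`).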
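Review bot: in the "/etc/jool" subsection, "the files that actually configures Jool's NAT64 and SIIT modules" should read "configure", and "the jools official documentation" should be "Jool's official documentation".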
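Review bot: the setupjool.sh script under "Setup jool network namespace" is not idempotent and does not stop on errors: run a second time, or after a partial failure, `ip link add jool type veth peer openwrt` and `ip netns add jool` fail on objects that already exist, and every following command (sysctl changes, addresses, `modprobe jool`, the `jool pool4 add` lines) still runs. Suggest `set -e` directly after `#!/bin/sh` (and as the first line of the heredoc shell as well), plus either a guard such as `ip netns list | grep -q '^jool' && exit 0` or an explicit delete-and-recreate step, so a half-built namespace with `net.ipv4.conf.all.forwarding=1` is never left behind. Separately, the Option 1 cons list gives "fights over dynamic port numbers" as a reason for this option, and the script handles that with `sysctl -w net.ipv4.ip_local_port_range=...` next to `jool pool4 add 192.168.164.2 33000-65535 --tcp` / `--udp` / `--icmp`; add one comment saying that the kernel's local port range is deliberately kept disjoint from the 33000-65535 pool4 range, otherwise a reader tuning one value will silently reintroduce the collision.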
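Review bot: in "Add PREF64 option to the existing networks", "carring" should be "carrying", and "New feature introduced with ''...''" is a sentence fragment; spell out which OpenWrt release (or odhcpd version) added `ra_pref64` so readers on older releases know the minimum version before adding the option to their `config dhcp` section.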
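Review bot: in "Configure DNS64", "These IPv6 addresses are ranslated by NAT64" should read "translated", and "Cloudflare and Google DNS64 can only be use if" should be "can only be used if".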
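Review bot: the rewrite drops the old "DNS64+NAT64 in a dual-stack network" section together with its warning that some devices or software only partially support IPv6 (the PlayStation 5 example dated 2023-08-09: the browser works with DNS64, the PlayStation Store component does not), and the new "Become IPv6-mostly" section replaces it with "Android and iOS as well as macOS are working fine in IPv6-only networks." That caveat is still needed: the old text itself noted that enabling DNS64 for the whole network makes every IPv6-capable device, dual-stack ones included, use NAT64 because they get a DNS64 answer, and the new "Configure DNS64" section now recommends exactly that while DHCP option 108 only moves clients that opt in. Suggest carrying the warning over into "Configure DNS64" or "Become IPv6-mostly" rather than removing it.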