Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:ipv6:nat64 [2023/09/21 17:15] – [NAT64 for a IPv6-only network (Jool)] andrewz | docs:guide-user:network:ipv6:nat64 [2024/04/20 15:28] – [Option 1 - Running in the main network namespace] goetz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== NAT64 for a IPv6-only network (Jool) ====== | ====== NAT64 for a IPv6-only network (Jool) ====== | ||
| + | {{section> | ||
| + | |||
| See also: | See also: | ||
| [[docs: | [[docs: | ||
| Line 10: | Line 12: | ||
| It works in conjunction with several technologies: | It works in conjunction with several technologies: | ||
| * DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets. | * DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets. | ||
| - | * PREF64, where the router advertises in an ICMPv6 Router Advertisement the NAT64 prefix which devices can use to create a CLAT interface (Android uses this). | + | * [[https:// |
| In OpenWrt, NAT64 can be easily activated using [[https:// | In OpenWrt, NAT64 can be easily activated using [[https:// | ||
| + | |||
| + | |||
| + | ===== Two options are possible ===== | ||
| + | |||
| + | |||
| + | === Option 1 - Running in the main network namespace === | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to activate | ||
| + | * basic integration with the uci configuration system | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * hard to enforce firewall rules | ||
| + | * translation not available for locally (on the router) generated traffic | ||
| + | * fights over dynamic port numbers | ||
| + | * needs to be reconfigured every time the public IPv4 changes | ||
| + | |||
| + | |||
| + | === Option 2 - Running jool in a separate network namespace === | ||
| + | |||
| + | Pros | ||
| + | |||
| + | * easy to enforce firewall rules | ||
| + | * translation available for all traffic | ||
| + | |||
| + | Cons | ||
| + | |||
| + | * no integration with the configuration system | ||
| + | |||
| + | |||
| + | ==== Option 1 - Running in the main network namespace ==== | ||
| + | |||
| + | The following packages need to be installed first: | ||
| + | |||
| + | < | ||
| + | # opkg update | ||
| + | # opkg install kmod-jool-netfilter jool-tools-netfilter | ||
| + | </ | ||
| ==== Jool Configuration Syntax ==== | ==== Jool Configuration Syntax ==== | ||
| Jool's configuration is split into three configuration files: | Jool's configuration is split into three configuration files: | ||
| - | | + | |
| - | | + | |
| - | | + | |
| === / | === / | ||
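Review bot: the heading levels in the new overview are inverted: the two pros/cons summaries use `=== Option 1 ... ===` and `=== Option 2 ... ===` (level 4) directly under `===== Two options are possible =====` (level 2), while the detailed sections that follow use `==== Option 1 ... ====` (level 3), so the table of contents nests each summary deeper than the section it summarises. Either turn the two summaries into bold labels inside the overview or raise them to `====` and keep the later sections as they are. The con "fights over dynamic port numbers" would also read better if it said what fights with what: in the main namespace Jool's pool4 port range and the kernel's ephemeral port range are drawn from the same public IPv4 address, which is the conflict Option 2 sidesteps by giving the namespace its own `net.ipv4.ip_local_port_range` next to a pool4 range of 33000-65535.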
| Line 46: | Line 88: | ||
| - | ==== Using Jool ==== | + | === Using Jool === |
| - | === Basic setup === | + | == Basic setup == |
| After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template: | After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template: | ||
| Line 72: | Line 114: | ||
| uci set jool.nat64.enabled=" | uci set jool.nat64.enabled=" | ||
| uci commit jool | uci commit jool | ||
| - | / | + | service |
| </ | </ | ||
| Line 82: | Line 124: | ||
| - | ==== DNS64 ==== | + | ==== Option 2 - Running jool in a separate network namespace |
| - | In a standard dual-stack network, with regular DNS, an IPv6-only | + | Inspired and supported by the tutorial |
| - | DNS64 comes to fix this, It will forge IPV4-mapped Ipv6 addresses that jool will then convert to regular IPv4 addresses. | + | The following packages need to be installed first: |
| - | To use DNS64 you can [[docs: | + | < |
| + | kmod-veth | ||
| + | ip-full | ||
| + | kmod-jool-netfilter | ||
| + | jool-tools-netfilter | ||
| + | </code> | ||
| - | See also: | + | === Setup jool network namespace === |
| + | |||
| + | Create or copy the following shell script to ''/ | ||
| + | |||
| + | < | ||
| + | #!/bin/sh | ||
| + | ip link add jool type veth peer openwrt | ||
| + | ip netns add jool | ||
| + | ip link set dev openwrt netns jool | ||
| + | ip netns exec jool sh << | ||
| + | sysctl -w net.ipv4.conf.all.forwarding=1 | ||
| + | sysctl -w net.ipv6.conf.all.forwarding=1 | ||
| + | sysctl -w net.ipv6.conf.openwrt.accept_ra=2 | ||
| + | sysctl -w net.ipv4.ip_local_port_range=" | ||
| + | ip link set dev lo up | ||
| + | ip link set dev openwrt up | ||
| + | ip addr add dev openwrt 192.168.164.2/ | ||
| + | ip addr add dev openwrt fe80::64 | ||
| + | ip route add default via 192.168.164.1 | ||
| + | modprobe jool | ||
| + | jool instance add --netfilter --pool6 64: | ||
| + | jool global update lowest-ipv6-mtu 1500 | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --tcp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --udp | ||
| + | jool pool4 add 192.168.164.2 33000-65535 --icmp | ||
| + | EOF | ||
| + | </ | ||
| + | |||
| + | Make it executable and execute it once. | ||
| + | < | ||
| + | chmod +x setupjool.sh | ||
| + | </ | ||
| + | |||
| + | Add the following line to ''/ | ||
| + | |||
| + | < | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | === Setup jool interface === | ||
| + | |||
| + | * use IPv4 subnet 192.168.164.1/ | ||
| + | * allocate one IPv6 /64 with SLAAC | ||
| + | * route NAT64 prefix to fe80::64 | ||
| + | * configure '' | ||
| + | |||
| + | Setup new interface | ||
| + | |||
| + | < | ||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | option ipaddr ' | ||
| + | option netmask ' | ||
| + | option ip6assign ' | ||
| + | option ip6hint ' | ||
| + | </ | ||
| + | |||
| + | Configure DHCPv4 and SLAAC/ | ||
| + | |||
| + | < | ||
| + | config dhcp ' | ||
| + | option interface ' | ||
| + | option start ' | ||
| + | option limit ' | ||
| + | option leasetime ' | ||
| + | option ignore ' | ||
| + | option ra ' | ||
| + | option ra_default ' | ||
| + | </ | ||
| + | |||
| + | Add a static IPv6 route | ||
| + | |||
| + | < | ||
| + | config route6 | ||
| + | option interface ' | ||
| + | option target ' | ||
| + | option gateway ' | ||
| + | </ | ||
| + | |||
| + | Add '' | ||
| + | |||
| + | < | ||
| + | config zone | ||
| + | option name ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | list network ' | ||
| + | </ | ||
| + | |||
| + | Forward '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | === Testing === | ||
| + | |||
| + | After this configuration, | ||
| + | |||
| + | < | ||
| + | # Confirm working NAT64 from your router | ||
| + | ping 64: | ||
| + | </ | ||
| + | |||
| + | Make sure it works also from the connected devices | ||
| + | - otherwise it might be a routing/ | ||
| + | |||
| + | === Add forwardings from existing firewall zone to '' | ||
| + | |||
| + | e.g., '' | ||
| + | |||
| + | < | ||
| + | config forwarding | ||
| + | option src ' | ||
| + | option dest ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
| + | ==== Add PREF64 option to the existing networks ==== | ||
| + | |||
| + | Option in the Router Advertisement messages carring the NAT64 prefix the network is using. | ||
| + | New feature introduced with '' | ||
| + | |||
| + | < | ||
| + | config dhcp ' | ||
| + | option interface ' | ||
| + | ... | ||
| + | option ra_pref64 ' | ||
| + | </ | ||
| + | |||
| + | |||
| + | ==== Configure DNS64 ==== | ||
| + | |||
| + | In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only servers, as it has no access to NAT44. | ||
| + | |||
| + | DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 ('' | ||
| + | |||
| + | To use DNS64 you can [[docs: | ||
| + | Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix '' | ||
| + | |||
| + | ==== Become IPv6-mostly ==== | ||
| + | |||
| + | Android and iOS as well as macOS are working fine in IPv6-only networks. | ||
| + | To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925. | ||
| + | |||
| + | Add this option to the DHCPv4 configuration of the desired zone e.g., '' | ||
| + | < | ||
| + | # 30 minutes = 1800 seconds = 0x708 seconds | ||
| + | dhcp_option ' | ||
| + | </ | ||
| + | |||
| + | After this all your mobile and macOS devices will drop the IPv4 lease and run in IPv6-only mode. | ||
| + | |||
| + | |||
| + | ==== See also: ==== | ||
| * [[https:// | * [[https:// | ||
| - | * [[http:// | + | * [[http:// |
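Review bot: the namespace setup script under "Setup jool network namespace" has no error handling and cannot be rerun: `ip link add jool type veth peer openwrt` and `ip netns add jool` fail when the link or namespace already exists, and because neither the outer script nor the `sh <<` heredoc sets `set -e`, a second run (or a run after a partial failure) continues past those errors and applies `jool instance add` and the `jool pool4 add` lines to whatever state is left behind. Suggest `set -e` at the top of the heredoc and a cleanup of leftover state before the `add` commands (for example `ip netns delete jool 2>/dev/null || true` followed by `ip link delete jool 2>/dev/null || true`), which also reconciles "Make it executable and execute it once" with hooking the script into the startup file two paragraphs later. Smaller points in the same hunk: `chmod +x setupjool.sh` uses a bare filename while the text asks for the script at a fixed path, so give the absolute path in both places; `ip addr add dev openwrt fe80::64` carries no prefix length and therefore gets /128, which works for the static route pointed at it but `fe80::64/64` states the intent; "After this all your mobile and macOS devices will drop the IPv4 lease" overstates the effect, since only clients that request DHCP option 108 (RFC 8925) give up IPv4 and every other client stays dual-stack, which is worth saying explicitly; and there are typos "carring" (carrying), "ranslated" (translated) and "can only be use" (used).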