Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:ipv6:nat64 [2023/10/14 06:33] – use service command vgaeteradocs:guide-user:network:ipv6:nat64 [2024/04/20 15:28] – [Option 1 - Running in the main network namespace] goetz
Line 1: Line 1:
 ====== NAT64 for a IPv6-only network (Jool) ====== ====== NAT64 for a IPv6-only network (Jool) ======
 +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
 +
 See also: See also:
 [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66 and IPv6 masquerading]], [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66 and IPv6 masquerading]],
Line 10: Line 12:
 It works in conjunction with several technologies: It works in conjunction with several technologies:
   * DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets.   * DNS64, where the DNS returns a specially formatted IPv6 address that encodes the target IPv4 address, which is then handled by NAT64 to forward packets.
-  * PREF64, where the router advertises in an ICMPv6 Router Advertisement the NAT64 prefix which devices can use to create a CLAT interface (Android uses this).+  * [[https://git.openwrt.org/?p=project/odhcpd.git;a=commitdiff;h=c6bff6f1c0fbb37a21a7f54e393615bad22a72d9|PREF64]], where the router advertises in an ICMPv6 Router Advertisement the NAT64 prefix which devices can use to create a CLAT interface (Android, iOS and macOS uses this).
  
  
 In OpenWrt, NAT64 can be easily activated using [[https://github.com/NICMx/Jool#jool|Jool]]. In OpenWrt, NAT64 can be easily activated using [[https://github.com/NICMx/Jool#jool|Jool]].
 +
 +
 +===== Two options are possible =====
 +
 +
 +=== Option 1 - Running in the main network namespace ===
 +
 +Pros
 +
 +  * easy to activate
 +  * basic integration with the uci configuration system
 +
 +Cons
 +
 +  * hard to enforce firewall rules
 +  * translation not available for locally (on the router) generated traffic
 +  * fights over dynamic port numbers
 +  * needs to be reconfigured every time the public IPv4 changes
 +
 +
 +=== Option 2 - Running jool in a separate network namespace ===
 +
 +Pros
 +
 +  * easy to enforce firewall rules
 +  * translation available for all traffic
 +
 +Cons
 +
 +  * no integration with the configuration system 
 +
 +
 +==== Option 1 - Running in the main network namespace ====
 +
 +The following packages need to be installed first:
 +
 +<code>
 +# opkg update
 +# opkg install kmod-jool-netfilter jool-tools-netfilter
 +</code>
  
 ==== Jool Configuration Syntax ==== ==== Jool Configuration Syntax ====
  
 Jool's configuration is split into three configuration files: Jool's configuration is split into three configuration files:
-  /etc/config/jool +  /etc/config/jool 
-  /etc/jool/jool-nat64.conf.json +  /etc/jool/jool-nat64.conf.json 
-  /etc/jool/jool-siit.conf.json+  /etc/jool/jool-siit.conf.json
  
 === /etc/config/jool === === /etc/config/jool ===
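Review bot: the overview and the body use the same titles at different heading levels: "=== Option 1 - Running in the main network namespace ===" and "=== Option 2 ... ===" under "===== Two options are possible =====" are one level deeper than the "==== Option 1 ... ====" section that actually carries the instructions, so the table of contents will show each option twice at inconsistent depths; the overview entries would read better as bold text or list items under the "Two options" heading. In the PREF64 bullet, "Android, iOS and macOS uses this" should be "use this". The Option 1 con "fights over dynamic port numbers" is terse for a reader who has not hit it; a half-sentence saying that jool and the router's own sockets allocate from the same ephemeral port range (which is what the separate-namespace script later works around with ip_local_port_range and the pool4 ranges) would make the trade-off concrete.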
Line 46: Line 88:
  
  
-==== Using Jool ====+=== Using Jool ===
  
-=== Basic setup ===+== Basic setup ==
  
 After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template: After having Jool installed you need to configure it. This is a basic sample configuration that can be used as a template:
Line 82: Line 124:
  
  
-==== DNS64 ====+==== Option 2 - Running jool in a separate network namespace ==== 
  
-In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only server, as it has no access to NAT44.+Inspired and supported by the tutorial IPv6-only/mostly on OpenWrt by Ondřej Caletka (([[https://ripe87.ripe.net/wp-content/uploads/presentations/8-IPv6-mostly_on_OpenWRT.pdf|RIPE87 Tutorial IPv6-mostly on OpenWrt]])).
  
-DNS64 comes to fix this, it will forge IPv4-mapped IPv6 addresses that jool will then convert to regular IPv4 addresses.+The following packages need to be installed first:
  
-To use DNS64 you can [[docs:guide-user:base-system:dhcp_configuration#upstream_dns_provider|change your DNS]] to [[https://developers.cloudflare.com/1.1.1.1/infrastructure/ipv6-networks/|Cloudflare's DNS64]] or set up  [[https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#complete-uci|unbound for DNS64]] to correctly resolve domain names into translated addresses.+<code> 
 +kmod-veth 
 +ip-full 
 +kmod-jool-netfilter 
 +jool-tools-netfilter 
 +</code>
  
-See also:+=== Setup jool network namespace === 
 + 
 +Create or copy the following shell script to ''/etc/jool/setupjool.sh'' 
 + 
 +<code> 
 +#!/bin/sh 
 +ip link add jool type veth peer openwrt 
 +ip netns add jool 
 +ip link set dev openwrt netns jool 
 +ip netns exec jool sh <<EOF 
 +    sysctl -w net.ipv4.conf.all.forwarding=1 
 +    sysctl -w net.ipv6.conf.all.forwarding=1 
 +    sysctl -w net.ipv6.conf.openwrt.accept_ra=2 
 +    sysctl -w net.ipv4.ip_local_port_range="32768 32999" 
 +    ip link set dev lo up 
 +    ip link set dev openwrt up 
 +    ip addr add dev openwrt 192.168.164.2/24 
 +    ip addr add dev openwrt fe80::64 
 +    ip route add default via 192.168.164.1 
 +    modprobe jool 
 +    jool instance add --netfilter --pool6 64:ff9b::/96 
 +    jool global update lowest-ipv6-mtu 1500 
 +    jool pool4 add 192.168.164.2 33000-65535 --tcp 
 +    jool pool4 add 192.168.164.2 33000-65535 --udp 
 +    jool pool4 add 192.168.164.2 33000-65535 --icmp 
 +EOF 
 +</code> 
 + 
 +Make it executable and execute it once. 
 +<code> 
 +chmod +x setupjool.sh 
 +</code> 
 + 
 +Add the following line to ''/etc/rc.local'' through the CLI or Luci UI (''System - Startup - Local Startup''), before the ''exit 0''
 + 
 +<code> 
 +/etc/jool/setupjool.sh 
 +</code> 
 + 
 +=== Setup jool interface === 
 + 
 +  * use IPv4 subnet 192.168.164.1/24 
 +  * allocate one IPv6 /64 with SLAAC 
 +  * route NAT64 prefix to fe80::64 
 +  * configure ''jool'' firewall zone and forward from ''lan'' zone 
 + 
 +Setup new interface 
 + 
 +<code> 
 +config interface 'jool' 
 + option proto 'static' 
 + option device 'jool' 
 + option ipaddr '192.168.164.1' 
 + option netmask '255.255.255.0' 
 + option ip6assign '64' 
 + option ip6hint '64' 
 +</code> 
 + 
 +Configure DHCPv4 and SLAAC/DHCPv6 
 + 
 +<code> 
 +config dhcp 'jool' 
 + option interface 'jool' 
 + option start '100' 
 + option limit '150' 
 + option leasetime '12h' 
 + option ignore '1' 
 + option ra 'server' 
 + option ra_default '2' 
 +</code> 
 + 
 +Add a static IPv6 route 
 + 
 +<code> 
 +config route6 
 + option interface 'jool' 
 + option target '64:ff9b::/96' 
 + option gateway 'fe80::64' 
 +</code> 
 + 
 +Add ''jool'' firewall zone 
 + 
 +<code> 
 +config zone 
 + option name 'jool' 
 + option input 'ACCEPT' 
 + option output 'ACCEPT' 
 + option forward 'REJECT' 
 + list network 'jool' 
 +</code> 
 + 
 +Forward ''lan'' zone to ''jool'' 
 + 
 +<code> 
 +config forwarding 
 + option src 'lan' 
 + option dest 'jool' 
 +</code> 
 + 
 +=== Testing === 
 + 
 +After this configuration, jool should be running and the firewall is correctly configured. You can test this by pinging a synthesized IPv4 address. 
 + 
 +<code> 
 +# Confirm working NAT64 from your router 
 +ping 64:ff9b::1.1.1.1 
 +</code> 
 + 
 +Make sure it works also from the connected devices 
 +- otherwise it might be a routing/firewall issue 
 + 
 +=== Add forwardings from existing firewall zone to ''jool'' === 
 + 
 +e.g., ''lan'' 
 + 
 +<code> 
 +config forwarding 
 + option src 'lan' 
 + option dest 'jool' 
 +</code> 
 + 
 + 
 + 
 +==== Add PREF64 option to the existing networks ==== 
 + 
 +Option in the Router Advertisement messages carring the NAT64 prefix the network is using. 
 +New feature introduced with ''v23.05.0'' 
 + 
 +<code> 
 +config dhcp 'lan' 
 + option interface 'lan' 
 +        ... 
 + option ra_pref64 '64:ff9b::/96' 
 +</code> 
 + 
 + 
 +==== Configure DNS64 ==== 
 + 
 +In a standard dual-stack network, with regular DNS, an IPv6-only device cannot connect to IPv4-only servers, as it has no access to NAT44. 
 + 
 +DNS64 comes to fix this, by synthesizing AAAA records from A records. These IPv6 addresses are ranslated by NAT64 (''jool'') to IPv4 addresses. 
 + 
 +To use DNS64 you can [[docs:guide-user:base-system:dhcp_configuration#upstream_dns_provider|change your DNS]] to [[https://developers.cloudflare.com/1.1.1.1/infrastructure/ipv6-networks/|Cloudflare's DNS64]] [[https://developers.google.com/speed/public-dns/docs/dns64|Google DNS64]] or set up  [[https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#complete-uci|unbound for DNS64]] to correctly resolve domain names into translated addresses. 
 +Cloudflare and Google DNS64 can only be use if you use the well-known NAT64 prefix ''64:ff9b::/96''
 + 
 +==== Become IPv6-mostly ==== 
 + 
 +Android and iOS as well as macOS are working fine in IPv6-only networks. 
 +To signal to clients which are able and willing to run IPv6-only, the DHCP option 108 was introduced with RFC8925. 
 + 
 +Add this option to the DHCPv4 configuration of the desired zone e.g., ''lan'' 
 +<code> 
 +# 30 minutes = 1800 seconds = 0x708 seconds 
 +dhcp_option '108,0:0:7:8' 
 +</code> 
 + 
 +After this all your mobile and macOS devices will drop the IPv4 lease and run in IPv6-only mode. 
 + 
 + 
 +==== See also: ====
   * [[https://github.com/openwrt/packages/blob/master/net/jool/files/readme.md|Jool source code and documentation]]   * [[https://github.com/openwrt/packages/blob/master/net/jool/files/readme.md|Jool source code and documentation]]
-  * [[http://tools.ietf.org/html/rfc6052|RFC6052]], [[http://tools.ietf.org/html/rfc6146|RFC6146]] and [[http://tools.ietf.org/html/rfc7050|RFC7050]] for reference.+  * [[http://tools.ietf.org/html/rfc6052|RFC6052]], [[http://tools.ietf.org/html/rfc6146|RFC6146]][[http://tools.ietf.org/html/rfc7050|RFC7050]] and [[http://tools.ietf.org/html/rfc8925|RFC8925]] for reference.
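Review bot: the firewall part of the Option 2 section seems to be missing the rule that lets translated IPv4 traffic leave the router: the setup script gives the namespace a default route via 192.168.164.1, the `jool` zone is defined with `option forward 'REJECT'`, and the only `config forwarding` entry is lan→jool, so packets arriving on the router's `jool` interface from 192.168.164.2 and bound for the Internet have no forwarding into the wan zone and would be rejected; add a `config forwarding` with `option src 'jool'` / `option dest 'wan'` (the existing wan masquerading then does the NAT44) or state which existing rule covers it. The lan→jool forwarding block is given twice (under "Setup jool interface" and again under "Add forwardings from existing firewall zone to jool"); one of them should go. "Make it executable and execute it once" is followed only by `chmod +x setupjool.sh` without a path; `chmod +x /etc/jool/setupjool.sh && /etc/jool/setupjool.sh` would match the sentence. In the IPv6-mostly section, `dhcp_option` is a list option, so the line should be `list dhcp_option '108,0:0:7:8'` inside the relevant `config dhcp` section. Typos: "carring" → "carrying", "ranslated" → "translated", "can only be use" → "can only be used"; and the See-also line lost its comma between RFC6146 and RFC7050.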
  
  • Last modified: 2024/06/08 05:52
  • by goetz