Setup NAT64 in pfSense

dabombnl

Just tried this and it works great. Here is what I did:

1. Download FreeBSD 11.3 (or whatever version your pfSense is based on), copy /boot/kernel/ipfw_nat64.ko to your pfsense install.
2. Load the IPFW module: 'kldload ipfw_nat64'
3. Enable IPFW: 'sysrc firewall_enable=YES' and 'service ipfw start'
4. Enter the nat64lsn rules you want, like in OP.
5. Make sure you are allowing the traffic in both PF and IPFW firewalls.

How do we go about getting this integrated?

IsaacFL

@dabombnl said in Setup NAT64 in pfSense:

Just tried this and it works great. Here is what I did:

1. Download FreeBSD 11.3 (or whatever version your pfSense is based on), copy /boot/kernel/ipfw_nat64.ko to your pfsense install.
2. Load the IPFW module: 'kldload ipfw_nat64'
3. Enable IPFW: 'sysrc firewall_enable=YES' and 'service ipfw start'
4. Enter the nat64lsn rules you want, like in OP.
5. Make sure you are allowing the traffic in both PF and IPFW firewalls.

How do we go about getting this integrated?

There is very old feature request, but the developers haven't seemed to be working on it.

https://redmine.pfsense.org/issues/2358

Maybe you could add this comment to the end of the feature request and see if it will bump it.

I do know that the unbound resolver has added a feature to turn on the DNS64 support in 2.5 roadmap.

dabombnl

@IsaacFL

Just went ahead and implemented this.

https://github.com/pfsense/pfsense/pull/4405

Have never tried to integrate code into pfSense before. Will see how it goes.

Napsterbater

@dabombnl

Thanks for this. I am hoping your work will make it into pfsense.

I would love to contribute, but coding and such is just not my forte, so even for submitting what you have you have my thanks whatever the outcome.

JeGr

Just FYI: the issue https://redmine.pfsense.org/issues/2358 got that pull request #4405 so it should go into review now.

mfld

@jegr said in Setup NAT64 in pfSense:

Just FYI: the issue https://redmine.pfsense.org/issues/2358 got that pull request #4405 so it should go into review now.

Unfortunately this didn't make it.

We will have to start all over.

bbrendon

I was researching this and this is the best I could find.
https://www.arnavion.dev/blog/2020-04-18-i-switched-my-home-network-to-ipv6/

SpoZen

@mfld

What happend with this? Reading the github comments, it seems like NAT64 support was removed from FreeBSD? Why?

Maybe they decided there are better solutions out there? 464XLAT seems to be the successor to NAT64 and it's been in FreeBSD since version 12.1.

jwt

@SpoZen well, I'm going to Lazarus this thread

We'll have NAT64 in 25.01. I may even decide to put it in CE 2.8.

This is an effect of the work we've been doing on pf of late.

To use it, you simply give pf a rule like:

pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN:0)

Of course, this will be buried well inside the pfSense UI, you'll just have to enable with minor config.

Unbound already supports DNS64

JeGr

@jwt Definetly looking forward to it and be glad to test it out in first snapshots/betas that will have it. We can easily hook up an v6 only network in the lab (there should already be one) and give it a spin :)