Setup NAT64 in pfSense



  • Since pfSense hasn't yet added support for NAT64, I was looking into how difficult it would be to manually add the required rules. Here is the original commit to FreeBSD adding support for NAT64. The comment on the commit provides the following instructions:

    Stateless NAT64 registers external action with name nat64stl. This
    keyword should be used to create NAT64 instance and to address this
    instance in rules. Stateless NAT64 uses two lookup tables with mapped
    IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
    
    A configuration of an instance should look like this:
     1. Create lookup tables:
     # ipfw table T46 create type addr valtype ipv6
     # ipfw table T64 create type addr valtype ipv4
     2. Fill T46 and T64 tables.
     3. Add rule to allow neighbor solicitation and advertisement:
     # ipfw add allow icmp6 from any to any icmp6types 135,136
     4. Create NAT64 instance:
     # ipfw nat64stl NAT create table4 T46 table6 T64
     5. Add rules that match the traffic:
     # ipfw add nat64stl NAT ip from any to table(T46)
     # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
     6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
        via NAT64 host.
    
    Stateful NAT64 registers external action with name nat64lsn. The only
    option required to create a nat64lsn instance is prefix4. It defines
    the pool of IPv4 addresses used for translation.
    
    A configuration of an instance should look like this:
     1. Add rule to allow neighbor solicitation and advertisement:
     # ipfw add allow icmp6 from any to any icmp6types 135,136
     2. Create NAT64 instance:
     # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
     3. Add rules that match the traffic:
     # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
     # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
     4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
        via NAT64 host.
    

    I'm new to FreeBSD, but from what I understand there are three firewall applications available: IPFW, PF and IPF. The example provided is based on IPFW. How would I go about implementing the IPFW statements above in PF, specifically pfSense? Is this doable?

    In regards to DNS64, adding this line to the custom options in the Unbound module enables DNS64 support:

    module-config: "dns64 validator iterator"
    

    Alternatively you can use Google's public DNS64 servers.

    Am I being naive or can I enable NAT64 in pfSense on an experimental basis with a few custom pf rules?



  • Why would you even want to use NAT on IPv6? NAT is a hack to get around the IPv4 address shortage. No such shortage exists on IPv6.



  • @jknott said in Setup NAT64 in pfSense:

    Why would you even want to use NAT on IPv6? NAT is a hack to get around the IPv4 address shortage. No such shortage exists on IPv6.

    NAT64 isn't "natting" in the traditional sense. NAT64 allows IPv6 only hosts to reach IPv4 hosts. Large companies such as Microsoft are using NAT64 and going IPv6 only because they've run out of RFC 1918 addresses.

    Here's an article describing Microsoft's move to NAT64



  • Sorry, I hadn't had my morning beer yet, when I posted that. ;)

    Actually, a better solution is 464XLAT, which avoids some of the problems with NAT64. Some carriers are now using that.


  • Rebel Alliance Global Moderator

    Sounds like bad planning on MS if they are running out of RFC 1918 space... As of last count I see their employee number at 124K.. Well, the 10/8 allows for 16.7 million IPs - that's a shit ton of IPs per person ;)

    That is not counting the rest, which is nothing to sneeze at either: 172.16/12 is over a million..

    So while MS for sure is large - making comments that they have exhausted RFC 1918 is BS if you ask me.. I am sure a re-IP of their sites could free huge amounts of space..



  • @johnpoz said in Setup NAT64 in pfSense:

    Sounds like bad planning on MS if they are running out of rfc1918 space

    Comcast had the same problem. There weren't enough RFC1918 addresses available for them to seamlessly manage their network.



  • @johnpoz said in Setup NAT64 in pfSense:

    So while MS for sure is large - making comments that they have exhausted rfc1918 is BS

    Don't take my word for it. From the article I linked to above:

    The depletion of public IPv4 space is well-known, but Microsoft IT has exhausted almost all RFC1918 space.
    

    @jknott said in Setup NAT64 in pfSense:

    Actually, a better solution is 464XLAT, which avoids some of the problems with NAT64.

    I'm no expert in IPv6 transition technologies so please correct me if I'm wrong, but from what I understand, NAT64 is still required when using 464XLAT. The issue that 464XLAT solves is IPv4 literals (trying to access a host by IP address instead of a DNS hostname). If an IPv6 only client attempts to connect to 1.2.3.4 directly there's no opportunity for DNS64 to translate the address. In those circumstances, a CLAT daemon is used on the CLIENT device to translate that address to an IPv6 address. But yeah, ideally clients should have CLAT enabled if you want a proper setup.
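
    The address math behind the ipfw rules quoted in the first post and the DNS64 / CLAT step described in this reply, as an added example in Python (not code from the thread, from FreeBSD or from pfSense). It assumes the RFC 6052 well-known prefix 64:ff9b::/96 with the IPv4 address embedded in the low 32 bits, and it uses a constructed sample T46/T64 mapping; the real nat64stl/nat64lsn code paths in the FreeBSD kernel are not reproduced here.

```python
"""NAT64 / DNS64 address math (added example, not from the page or FreeBSD).

Models what the quoted ipfw rules match and what DNS64 hands to an
IPv6-only client.  Assumptions: the NAT64 prefix is 64:ff9b::/96 with
/96 embedding (RFC 6052); T46/T64 contents are constructed samples."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumed well-known prefix


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 embedding: prefix bits + the 32-bit IPv4 in the low bits.
    DNS64 returns this as a synthetic AAAA; a CLAT does the same on the client
    for an IPv4 literal, which is why 464XLAT still needs the NAT64 gateway."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Reverse mapping done by the translator for traffic matching
    `ip6 from any to 64:ff9b::/96`.  Returns None outside the prefix,
    i.e. for native IPv6 traffic that must not be translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64(a_records, aaaa_records):
    """DNS64 rule (Unbound `module-config: "dns64 validator iterator"`):
    only synthesize AAAA records when the name has no native AAAA."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [synthesize(a) for a in a_records]


# Stateless NAT64 (nat64stl) keeps two lookup tables: T46 maps IPv4 -> IPv6
# and T64 maps IPv6 -> IPv4.  Constructed sample entries (not from the page):
T46 = {"192.0.2.10": "2001:db8::10"}
T64 = {v6: v4 for v4, v6 in T46.items()}


def stateless_translate(src, dst):
    """Translate a (src, dst) pair the way the two nat64stl rules would:
      `ip  from any to table(T46)`        : IPv4 packet to a mapped host -> IPv6
      `ip  from table(T64) to 64:ff9b::/96`: IPv6 packet from a mapped host -> IPv4
    Returns None when neither rule matches (packet passes untranslated)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4 and str(d) in T46:
        # IPv4 source gets the synthetic 64:ff9b:: form so the reply routes back.
        return (str(synthesize(str(s))), T46[str(d)])
    if s.version == 6 and str(s) in T64 and d in NAT64_PREFIX:
        return (T64[str(s)], str(extract(str(d))))
    return None


if __name__ == "__main__":
    print("DNS64 for A-only name:", [str(a) for a in dns64(["192.0.2.1"], [])])
    print("IPv4 literal via CLAT:", synthesize("1.2.3.4"))
    print("v4->v6 on gateway:", stateless_translate("198.51.100.7", "192.0.2.10"))
    print("v6->v4 on gateway:", stateless_translate("2001:db8::10", "64:ff9b::c633:6407"))
```

    The third rule family in the commit (nat64lsn with prefix4) differs only in that the IPv4 side is a shared pool with per-flow port state rather than a static table; the prefix handling on the IPv6 side is the same `extract`/`synthesize` math above.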



  • With 464XLAT, you run dual stack, so that IPv4 addresses can be used to access IPv4 servers. In the process, IPv4 is converted to IPv6 and back again. It all happens transparently.


  • Rebel Alliance Global Moderator

    @imcdona

    I read the article and saw that - and what I am saying is BS.. Sure you can use up anything with bad management.. Sorry, but they are not big enough to use it up if they would have planned correctly.

    They do not have enough employees to justify all 17 plus million IPs being gone with proper planning.



© Copyright 2002 - 2018 Rubicon Communications, LLC