Setup NAT64 in pfSense
-
@bert64 said in Setup NAT64 in pfSense:
They don't need to move to IPv6, they could continue working around the shortcomings of legacy ip for years to come. Just like you could keep repairing and modifying a rusty 1980s car. Microsoft have clearly decided that it's more cost effective, easier and more secure to move to IPv6.
Yes not everything needs to talk to each other, but inevitably some things will.
With an IPv6 network where everything is addressable, you add the necessary allow rules and job done.
With legacy ip, you might have overlapping address space so you need nat or even double nat, which then means you need to waste address space with the translated addresses too.
Yep, IPv4 hasn't been adequate since the day it became necessary to use NAT. Now, we have hacks upon hacks to get around the address shortage. Of course, this is before we get to the fact that many people are behind carrier grade NAT, which means they have no means of accessing their home network with a VPN etc.
IPv6 is where the world is moving and refusing to move with it is head in the sand stupidity. The longer people refuse to move, the longer some people will be behind CG NAT.
-
Just tried this and it works great. Here is what I did:
- Download FreeBSD 11.3 (or whatever version your pfSense is based on), copy /boot/kernel/ipfw_nat64.ko to your pfsense install.
- Load the IPFW module: 'kldload ipfw_nat64'
- Enable IPFW: 'sysrc firewall_enable=YES' and 'service ipfw start'
- Enter the nat64lsn rules you want, like in OP.
- Make sure you are allowing the traffic in both PF and IPFW firewalls.
How do we go about getting this integrated?
-
@dabombnl said in Setup NAT64 in pfSense:
Just tried this and it works great. Here is what I did:
- Download FreeBSD 11.3 (or whatever version your pfSense is based on), copy /boot/kernel/ipfw_nat64.ko to your pfsense install.
- Load the IPFW module: 'kldload ipfw_nat64'
- Enable IPFW: 'sysrc firewall_enable=YES' and 'service ipfw start'
- Enter the nat64lsn rules you want, like in OP.
- Make sure you are allowing the traffic in both PF and IPFW firewalls.
How do we go about getting this integrated?
There is a very old feature request, but the developers haven't seemed to be working on it.
https://redmine.pfsense.org/issues/2358
Maybe you could add this comment to the end of the feature request and see if it will bump it.
I do know that the Unbound resolver has added a feature to turn on DNS64 support in the 2.5 roadmap.
-
Just went ahead and implemented this.
https://github.com/pfsense/pfsense/pull/4405
Have never tried to integrate code into pfSense before. Will see how it goes.
-
Thanks for this. I am hoping your work will make it into pfsense.
I would love to contribute, but coding and such is just not my forte, so even for submitting what you have, you have my thanks, whatever the outcome.
-
Just FYI: the issue https://redmine.pfsense.org/issues/2358 got that pull request #4405 so it should go into review now.
-
@jegr said in Setup NAT64 in pfSense:
Just FYI: the issue https://redmine.pfsense.org/issues/2358 got that pull request #4405 so it should go into review now.
Unfortunately this didn't make it.
We will have to start all over.
-
I was researching this and this is the best I could find.
https://www.arnavion.dev/blog/2020-04-18-i-switched-my-home-network-to-ipv6/
-
@SpoZen well, I'm going to Lazarus this thread
We'll have NAT64 in 25.01. I may even decide to put it in CE 2.8.
This is an effect of the work we've been doing on pf of late.
To use it, you simply give pf a rule like:
pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN:0)
Of course, this will be buried well inside the pfSense UI, you'll just have to enable with minor config.
Unbound already supports DNS64
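How the `64:ff9b::/96` prefix in the rule above carries an IPv4 destination, as an added example that is not part of the original post or of pfSense: it applies the RFC 6052 /96 mapping that DNS64 uses and flags embedded non-global IPv4 addresses, which RFC 6052 says the well-known prefix must not represent. The function names, the "reject" policy label and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Well-known NAT64 prefix, as used in the pf rule quoted in the post.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in a /96 NAT64 prefix (what DNS64 does to an A record)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=WKP):
    """Return the embedded IPv4 address, or None when the destination lies
    outside the prefix (a rule matching 'to <prefix>' would not apply)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def classify(ipv6, prefix=WKP):
    """Label a destination for review. 'reject' is this example's policy, not
    pf behaviour: with the well-known prefix, RFC 6052 forbids non-global
    targets (RFC 1918, CGN 100.64.0.0/10, loopback, ...), so a translated
    flow towards one deserves an explicit block rule or an alert."""
    v4 = extract(ipv6, prefix)
    if v4 is None:
        return "not-nat64"
    if prefix == WKP and not v4.is_global:
        return f"reject {v4}"
    return f"translate {v4}"


def audit(destinations):
    """Classify a batch of IPv6 destinations, e.g. pulled from firewall logs."""
    return {d: classify(d) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations, not taken from the thread.
    samples = [str(synthesize(a)) for a in ("8.8.8.8", "10.0.0.1", "100.64.0.1")]
    samples.append("2001:db8::1")
    for dst, verdict in audit(samples).items():
        print(f"{dst:24} {verdict}")
```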
-
@jwt Definitely looking forward to it and be glad to test it out in first snapshots/betas that will have it. We can easily hook up a v6-only network in the lab (there should already be one) and give it a spin :)