How to Setup NAT64 using pfsense with Jool

IsaacFL · Nov 3, 2020, 4:07 AM

Maybe we will get NAT64 with 2.5 but if you want to try NAT64/DNS64 out, this is what worked for me. I have a little step by step, so I don't get messed up.

The process involves setting up a NAT64 gateway on a separate Linux box. I always use Debian, only because I am most familiar with it. I also use a VM (I use Hyper-V, since I understand its ipv6), but it should work on dedicated hardware too. It does not have to be a dedicated subnet or anything as long as the linux device is in a dual stack subnet.

First, install a debian (currently, 10.6) machine with SSH and standard only. You need to give it a static ip in pfsense DHCP. I used 10.23.20.64 for my case and called it nat64.mydomain.com with a user isaacfl.

Everything is now via SSH into the nat64.mydomain.com

After it boots, you have to add sudo, because it isn't there by default:

su
cd ~

apt install sudo
/sbin/adduser isaacfl sudo
systemctl reboot
sudo echo 'Hello, world!'

Now you install Jool (https://www.jool.mx/en/index.html)

I find that sometimes the "latest" version is kind of still "in work"

On the downloads page I just copy the links. I have had best results so far using the Standalone 4.0.x package.

sudo apt install linux-headers-$(uname -r)
sudo wget https://github.com/NICMx/Jool/releases/download/v4.0.9/jool-dkms_4.0.9-1_all.deb
sudo wget https://github.com/NICMx/Jool/releases/download/v4.0.9/jool-tools_4.0.9-1_amd64.deb
sudo apt install ./jool-dkms_4.0.9-1_all.deb ./jool-tools_4.0.9-1_amd64.deb

Jool is installed at this point, so now you need to create a configuration file. Note, my debian machine is at 10.23.20.64, so if you use a different one based on your network.

Create the file:

sudo mkdir /etc/jool
sudo nano /etc/jool/jool.conf

You should be in nano with an empty file. Copy and Paste the following:


{
        "comment": "Configuration for the systemd NAT64 Jool service.",

        "instance": "init",
        "framework": "netfilter",

        "global": {
                "comment": "Pool6 prefix",
                "pool6": "64:ff9b::/96"
        },

        "comment": "Pool4 table",
        "pool4": [
                {
                        "protocol": "TCP",
                        "prefix": "10.23.20.64",
                        "port range": "61001-65535"
                }, {
                        "protocol": "UDP",
                        "prefix": "10.23.20.64",
                        "port range": "61001-65535"
                }, {
                        "protocol": "ICMP",
                        "prefix": "10.23.20.64",
                        "port range": "61001-65535"
                }
         ]
}

^X Save File

sudo systemctl enable jool	### Not sure if it is still needed anymore

Get the Link Local of the debian (ip a)
fe80::215:5dff:fe7e:5807 # in my case

Now we move over to pfsense

System/Routing/Gateways/ New
Interface: where Debian/NAT 64 lives
Name: NAT64_GW
Gateway: fe80::215:5dff:fe7e:5807
Monitor IP: 64:ff9b::75.85.208.1 * Use your ipv4 Gateway monitor + 64:ff9b::
Description: NAT 64 Gateway
Save/Apply Changes

Static Route
Destination network: 64:ff9b:: /96
Gateway: NAT64_GW
Description: NAT 64 Gateway

Save/Apply Changes

At this point you should be able to ping from a desktop
ping 64:ff9b::8.8.8.8

add following to dns resolver custom options:

server:
module-config: "dns64 validator iterator"
dns64-prefix: 64:ff9b::/96

That should be it. There is probably stuff I have left out, since I have done it so often.

Jool Commands for reference (in the Debian machine).

(verify version)
sudo apt show jool-dkms
sudo apt show jool-tools

sudo systemctl stop jool
sudo systemctl start jool



sudo jool instance display
sudo jool -i "init" global display
sudo jool -i "init" stats display
sudo jool -i "init" pool4 display -t
sudo jool -i "init" pool4 display -u
sudo jool -i "init" pool4 display -i