How to Set Up NAT64 using pfSense with Jool
-
Maybe we will get NAT64 with 2.5, but if you want to try NAT64/DNS64 out, this is what worked for me. I have a little step-by-step, so I don't get messed up.
The process involves setting up a NAT64 gateway on a separate Linux box. I always use Debian, only because I am most familiar with it. I also use a VM (Hyper-V, since I understand its IPv6), but it should work on dedicated hardware too. It does not have to be on a dedicated subnet or anything, as long as the Linux device is in a dual-stack subnet.
First, install a Debian (currently 10.6) machine with only the SSH server and standard system utilities selected. You need to give it a static IP in the pfSense DHCP server. I used 10.23.20.64 in my case and called it nat64.mydomain.com, with a user isaacfl.
Everything from here on is done via SSH into nat64.mydomain.com.
After it boots, you have to add sudo, because it isn't there by default:
su
cd ~
apt install sudo
/sbin/adduser isaacfl sudo
systemctl reboot
(after it comes back up, log in as isaacfl and confirm sudo works:)
sudo echo 'Hello, world!'
Now you install Jool (https://www.jool.mx/en/index.html):
I find that sometimes the "latest" version is kind of still "in work"
On the downloads page I just copy the links. I have had best results so far using the Standalone 4.0.x package.
sudo apt install linux-headers-$(uname -r)
sudo wget https://github.com/NICMx/Jool/releases/download/v4.0.9/jool-dkms_4.0.9-1_all.deb
sudo wget https://github.com/NICMx/Jool/releases/download/v4.0.9/jool-tools_4.0.9-1_amd64.deb
sudo apt install ./jool-dkms_4.0.9-1_all.deb ./jool-tools_4.0.9-1_amd64.deb
Jool is installed at this point, so now you need to create a configuration file. Note that my Debian machine is at 10.23.20.64; substitute the address of yours if it is different.
Create the file:
sudo mkdir /etc/jool
sudo nano /etc/jool/jool.conf
You should be in nano with an empty file. Copy and Paste the following:
{
  "comment": "Configuration for the systemd NAT64 Jool service.",
  "instance": "init",
  "framework": "netfilter",
  "global": {
    "comment": "Pool6 prefix",
    "pool6": "64:ff9b::/96"
  },
  "comment": "Pool4 table",
  "pool4": [
    { "protocol": "TCP",  "prefix": "10.23.20.64", "port range": "61001-65535" },
    { "protocol": "UDP",  "prefix": "10.23.20.64", "port range": "61001-65535" },
    { "protocol": "ICMP", "prefix": "10.23.20.64", "port range": "61001-65535" }
  ]
}
^X (then Y and Enter) to save the file and exit nano.
sudo systemctl enable jool   ### Not sure if it is still needed anymore
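As an added sanity check (this is my own script, not part of the original post and not a Jool tool), here is a short Python program that parses the jool.conf above and flags the things that usually go wrong with it: a pool6 prefix whose length is not one RFC 6052 allows, a pool4 address that is not the gateway's own IPv4 address, a pool4 port range that overlaps the Linux default ephemeral port range (32768-60999, which is why the post uses 61001-65535), and a protocol with no pool4 entry at all. The config text is embedded as a constructed copy so it runs anywhere; the host address 10.23.20.64 and the ephemeral range are assumptions you would adjust for your own box (check the real range with `sysctl net.ipv4.ip_local_port_range`).

```python
import ipaddress
import json

# Constructed copy of the jool.conf from the post, embedded so the check runs
# without reading /etc/jool/jool.conf (pass a file's text to check that instead).
JOOL_CONF = """
{
  "comment": "Configuration for the systemd NAT64 Jool service.",
  "instance": "init",
  "framework": "netfilter",
  "global": {
    "comment": "Pool6 prefix",
    "pool6": "64:ff9b::/96"
  },
  "comment": "Pool4 table",
  "pool4": [
    { "protocol": "TCP",  "prefix": "10.23.20.64", "port range": "61001-65535" },
    { "protocol": "UDP",  "prefix": "10.23.20.64", "port range": "61001-65535" },
    { "protocol": "ICMP", "prefix": "10.23.20.64", "port range": "61001-65535" }
  ]
}
"""

# Assumed Linux default for net.ipv4.ip_local_port_range. pool4 ports inside this
# range collide with the gateway's own outgoing connections.
LINUX_EPHEMERAL = (32768, 60999)

# Prefix lengths RFC 6052 allows for a NAT64 prefix.
RFC6052_PREFIX_LENGTHS = {32, 40, 48, 56, 64, 96}


def parse_port_range(spec):
    """'61001-65535' -> (61001, 65535); raises ValueError on nonsense."""
    lo, hi = (int(p) for p in spec.split("-"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi


def pool6_prefix(conf_text):
    """Return pool6 as an IPv6Network; it must match dns64-prefix on the pfSense side."""
    return ipaddress.ip_network(json.loads(conf_text)["global"]["pool6"])


def check_jool_conf(conf_text, host_ipv4, ephemeral=LINUX_EPHEMERAL):
    """Return a list of problems found; an empty list means the config looks sane."""
    cfg = json.loads(conf_text)          # duplicate "comment" keys are harmless here
    problems = []

    pool6 = ipaddress.ip_network(cfg["global"]["pool6"])
    if pool6.version != 6 or pool6.prefixlen not in RFC6052_PREFIX_LENGTHS:
        problems.append(f"pool6 {pool6} is not a valid RFC 6052 NAT64 prefix")

    host = ipaddress.ip_address(host_ipv4)
    seen = set()
    for entry in cfg.get("pool4", []):
        proto = entry["protocol"]
        net = ipaddress.ip_network(entry["prefix"], strict=False)   # "a.b.c.d" means /32
        lo, hi = parse_port_range(entry["port range"])
        if host not in net:
            problems.append(f"{proto}: pool4 {net} does not contain the gateway address {host}")
        if lo <= ephemeral[1] and hi >= ephemeral[0]:
            problems.append(f"{proto}: ports {lo}-{hi} overlap the host's ephemeral "
                            f"range {ephemeral[0]}-{ephemeral[1]}")
        seen.add(proto)

    for proto in ("TCP", "UDP", "ICMP"):
        if proto not in seen:
            problems.append(f"{proto}: no pool4 entry, so {proto} has no addresses to translate to")
    return problems


if __name__ == "__main__":
    for line in check_jool_conf(JOOL_CONF, "10.23.20.64") or ["config looks sane"]:
        print(line)
```

Run it as-is to check the post's config, or replace JOOL_CONF with the contents of your own /etc/jool/jool.conf and the host address with your gateway's static IP.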
Get the link-local address of the Debian machine (ip a):
fe80::215:5dff:fe7e:5807   # in my case
Now we move over to pfSense.
System/Routing/Gateways/ New
Interface: the interface where the Debian/NAT64 box lives
Name: NAT64_GW
Gateway: fe80::215:5dff:fe7e:5807
Monitor IP: 64:ff9b::75.85.208.1 (use your own IPv4 gateway monitor IP with the 64:ff9b:: prefix in front of it)
Description: NAT 64 Gateway
Save / Apply Changes
Then add a Static Route:
Destination network: 64:ff9b:: /96
Gateway: NAT64_GW
Description: NAT 64 Gateway
Save / Apply Changes
At this point you should be able to ping from a desktop:
ping 64:ff9b::8.8.8.8
Then add the following to the DNS Resolver custom options:
server:
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96
That should be it. There is probably stuff I have left out, since I have done it so often.
Jool commands for reference (on the Debian machine):
(verify version)
sudo apt show jool-dkms
sudo apt show jool-tools
sudo systemctl stop jool
sudo systemctl start jool
sudo jool instance display
sudo jool -i "init" global display
sudo jool -i "init" stats display
sudo jool -i "init" pool4 display -t
sudo jool -i "init" pool4 display -u
sudo jool -i "init" pool4 display -i