How to Setup NAT64 using pfsense with Jool

  • Maybe we will get NAT64 with 2.5 but if you want to try NAT64/DNS64 out, this is what worked for me. I have a little step by step, so I don't get messed up.

    The process involves setting up a NAT64 gateway on a separate Linux box. I always use Debian, only because I am most familiar with it. I also use a VM (I use Hyper-V, since I understand its ipv6), but it should work on dedicated hardware too. It does not have to be a dedicated subnet or anything as long as the linux device is in a dual stack subnet.

    First, install a debian (currently, 10.6) machine with SSH and standard only. You need to give it a static ip in pfsense DHCP. I used for my case and called it with a user isaacfl.

    Everything is now via SSH into the

    After it boots, you have to add sudo, because it isn't there by default:

    cd ~
    apt install sudo
    /sbin/adduser isaacfl sudo
    systemctl reboot
    sudo echo 'Hello, world!'

    Now you install Jool (

    I find that sometimes the "latest" version is kind of still "in work"

    On the downloads page I just copy the links. I have had best results so far using the Standalone 4.0.x package.

    sudo apt install linux-headers-$(uname -r)
    sudo wget
    sudo wget
    sudo apt install ./jool-dkms_4.0.9-1_all.deb ./jool-tools_4.0.9-1_amd64.deb

    Jool is installed at this point, so now you need to create a configuration file. Note, my debian machine is at, so if you use a different one based on your network.

    Create the file:

    sudo mkdir /etc/jool
    sudo nano /etc/jool/jool.conf

    You should be in nano with an empty file. Copy and Paste the following:

            "comment": "Configuration for the systemd NAT64 Jool service.",
            "instance": "init",
            "framework": "netfilter",
            "global": {
                    "comment": "Pool6 prefix",
                    "pool6": "64:ff9b::/96"
            "comment": "Pool4 table",
            "pool4": [
                            "protocol": "TCP",
                            "prefix": "",
                            "port range": "61001-65535"
                    }, {
                            "protocol": "UDP",
                            "prefix": "",
                            "port range": "61001-65535"
                    }, {
                            "protocol": "ICMP",
                            "prefix": "",
                            "port range": "61001-65535"

    ^X Save File

    sudo systemctl enable jool	### Not sure if it is still needed anymore

    Get the Link Local of the debian (ip a)
    fe80::215:5dff:fe7e:5807 # in my case

    Now we move over to pfsense

    System/Routing/Gateways/ New
    Interface: where Debian/NAT 64 lives
    Name: NAT64_GW
    Gateway: fe80::215:5dff:fe7e:5807
    Monitor IP: 64:ff9b:: * Use your ipv4 Gateway monitor + 64:ff9b::
    Description: NAT 64 Gateway
    Save/Apply Changes

    Static Route
    Destination network: 64:ff9b:: /96
    Gateway: NAT64_GW
    Description: NAT 64 Gateway

    Save/Apply Changes

    At this point you should be able to ping from a desktop
    ping 64:ff9b::

    add following to dns resolver custom options:

    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96

    That should be it. There is probably stuff I have left out, since I have done it so often.

    Jool Commands for reference (in the Debian machine).

    (verify version)
    sudo apt show jool-dkms
    sudo apt show jool-tools
    sudo systemctl stop jool
    sudo systemctl start jool
    sudo jool instance display
    sudo jool -i "init" global display
    sudo jool -i "init" stats display
    sudo jool -i "init" pool4 display -t
    sudo jool -i "init" pool4 display -u
    sudo jool -i "init" pool4 display -i