First of all I'd like to thank Hurricane Electric for their amazing services, Jonathan McCrohan who made me write this howto and OpenWRT Team for their router software.
It's dangerous to go alone. Tayga, I choose you!
Tayga provides simple NAT64 service, it's good enough for small network.
First, install tayga package on your router (it is available from OpenWRT packages repository, be sure to use revision 30582 or later).
Next, configure NAT64 interface:
# /etc/config/network
config 'interface' 'nat64'
option 'proto' 'tayga'
option ipv4_addr 192.0.2.1
option ipv6_addr 2001:470:1f09:xxxx::7f00:1
option prefix 64:ff9b::/96
option dynamic_pool 192.0.2.0/24
option accept_ra 0
option send_rs 0
where 2001:470:1f09:xxxx::/64 is IPv6 prefix used in my LAN, 192.0.2.0/24 is tayga's prefix for 4-to-6 mappings and 64:ff9b::/96 is the prefix I chose for IPv6-mapped IPv4 addresses.
It is safe to add nat64 to lan firewall zone since you need to explicitly NAT44 packets for 4-to-6 inbound connections:
# /etc/config/firewall
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
option 'network' 'lan nat64'
Let's try it (ifup nat64 interface and apply new firewall rules):
# ping6 -c3 64:ff9b::194.87.0.50 PING 64:ff9b::194.87.0.50(64:ff9b::c257:32) 56 data bytes 64 bytes from 64:ff9b::c257:32: icmp_seq=1 ttl=56 time=3.42 ms 64 bytes from 64:ff9b::c257:32: icmp_seq=2 ttl=56 time=3.35 ms 64 bytes from 64:ff9b::c257:32: icmp_seq=3 ttl=56 time=4.04 ms --- 64:ff9b::194.87.0.50 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2040ms rtt min/avg/max/mdev = 3.354/3.610/4.049/0.319 ms
It's super effective!
So if a stranger calls you / Don't let him whisper his name / 'Cause it's Voodoo, oh!
Now we need a source for AAAA records for hosts that only have A's. This is called DNS64 and is supported by bind version 9.8.0 and up. It is also available from OpenWRT packages repository.
I've modified default named.conf:
# /etc/bind/named.conf
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
directory "/tmp";
auth-nxdomain no; # conform to RFC1035
allow-query { localnets; localhost; };
listen-on { any; };
listen-on-v6 { any; };
dns64 64:ff9b::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
suffix ::;
};
edns-udp-size 512;
max-udp-size 512;
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
All hosts in LAN uses this bind as nameserver (announced via radvd and processed by dnssd). Let's try:
$ host www.ru www.ru has address 194.87.0.50 www.ru has IPv6 address 64:ff9b::c257:32 www.ru mail is handled by 5 hq.demos.ru. $ host 194.87.0.50 50.0.87.194.in-addr.arpa domain name pointer www.ru. $ host 64:ff9b::c257:32 2.3.0.0.7.5.2.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa is an alias for 50.0.87.194.in-addr.arpa. 50.0.87.194.in-addr.arpa domain name pointer www.ru.
Cry me a river, you'll learn Voodoo!!
Close the city and tell the people that something's coming to call.
So what about giving IPv4 hosts access to services in my IPv6-olny network? It's easy, just need to configure NAT44 to an address from tayga's dynamic pool:
# /etc/config/firewall
# rule for tayga to create static mapping
config 'nat64'
option 'ipv4_addr' '192.0.2.32'
option 'ipv6_addr' '2001:470:1f09::xxxx::yyyy:zzzz'
# rule for OpenWRT firewall to redirect traffic on port 25
config 'redirect'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_dport' '25'
option 'dest_ip' '192.0.2.32'
option 'target' 'DNAT'
option 'dest' 'lan'
# rule OpenWRT firewall to permit access to port 25 to LAN host
config 'rule'
option 'target' 'ACCEPT'
option 'src' 'wan'
option 'dest' 'lan'
option 'proto' 'tcp'
option 'dest_ip' '2001:470:1f09:xxxx::yyyy:zzzz'
option 'dest_port' '25'
option 'family' 'ipv6'
Last rule is only needed to provide access to my SMTP service via native IPv6. Since nat64 interface belongs to lan firewall zone there's no need to premit traffic from 64:ff9b::/64, it is already done by permitting traffic to 192.0.2.32 (processed by redirect rule).
An now we can see some dirty spammers in maillog:
Feb 17 12:23:31 hell postfix/smtpd[12288]: connect from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1] Feb 17 12:23:31 hell postfix/smtpd[12288]: warning: non-SMTP command from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
The Mob Rules!
HI,
ReplyDeleteCould you provide more detail on configuring "dual-stack OpenWRT router" ?
Thanks in advance.
What details do you need? This is just a router with OpenWRT installed, which have both, IPv4 and IPv6 addresses.
Deletehello,
ReplyDeletewhat is the purpose of the IPv4 "dynamic pool"?
When you access outside IPv4 host from local IPv6 host, the latter need to have source address, also IPv4. Which is taken from dynamic pool. I belive this is described in tayga manual.
DeleteI have been reading and I get the dynamic pool. I am not able to get anyting to ping (IPv6 works but the nat64 doesn't seem to) and was wondering if you could tell me what build of openwrt you are running and on what platform for this to work?
ReplyDeleteWhat exactly "doesn't seem to" work? You can't ping IPv4 address directly, instead you should ping NAT64PREFIX::I.P.AD.DR IPv6 address.
DeleteI am using acient (december's I guess) snapshot of openwrt trunk in x86_64 VM.
exactly, tayga runs but I cannot ping 64:ff9b::8.8.8.8 or 64:ff9b::4.2.2.2 or any other IP, including the WAN IP of my device. I am running this on a small router platform, I will try the x86 version and go from there. I might have some missing modules in my trunk build but nothing is complaining. thanks for the help
ReplyDeleteYou only need tun.ko module, because tayga is 100% userspace daemon. Check your routes, mine looks like:
Delete# ip ro sh dev tayga-nat64
192.0.2.0/24 scope link
# ip -6 ro sh dev tayga-nat64
64:ff9b::/96 metric 1024 mtu 1500 advmss 1440 hoplimit 0
2001:470:1f08:xxxx::2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
# ip a sh dev tayga-nat64
12: tayga-nat64: mtu 1500 qdisc pfifo_fast state UP qlen 500
link/none
inet a.b.c.d/32 scope global tayga-nat64
inet6 2001:470:1f08:xxxx::2/128 scope global
valid_lft forever preferred_lft forever
where a.b.c.d and 2001:470:1f08:xxxx::2 are IPv4 and IPv6 addresses on my "outside" interface(s), note the /24 and /128 masks.
to clarify, the option ipv6_addr is the IPv6 address of your v6-WAN interface?
ReplyDeleteNo, this is tayga's internal address. For example, for sending ICMP Host Unreachable messages and stuff. In my example this is 2001:470:1f09:xxxx::127.0.0.1, something that does not exist in my network and certainly NOT the address from any router interface.
Deletei got it working on a physical host. my problem was ip_forwarding for v4 as well as v6. thx for your help!
ReplyDeleteThanks for your post.router address
ReplyDeleteI always consider Exascale as the top Leased Lines providers in the country and many of my friends and acquaintances agree with my opinion. It’s because of the added features like hosted firewall and backup options.
ReplyDeleteI found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! keep up the good work... https://192-168-i-i.com
ReplyDelete