Stateless NAT64 and DNS64 support #167
Comments
|
I was experimenting with this at some point, TOTD sort of worked but overall it sucked. Not tried tayga. |
fichtner
added
feature
|
We'd need pf(4) support for this in order to drop in nicely. |
|
I am also in need of this feature, Apple has made it a requirement for submission of Apps to their store (as of June 2016) that they support IPv6 only networks, they currently suggest supporting IPv4 via NAT64/DNS64 hence requirement of this feature so i can make an IPv6 Only network that can still do IPv4 Traffic. Any one aware how this can currently be achieved until this feature is added? |
|
Hi, |
|
note that there is an old ticket about that: opnsense/plugins#16 |
|
Wikipedia says that PF can do NAT64 since OpenBSD 5.1 (https://de.wikipedia.org/wiki/NAT64#Unterst.C3.BCtzung) If PF in FreeBSD is not too old, it may support it as well. |
|
FreeBSD doesn't support NAT64 in PF unfortunately, otherwise it probably was implemented already. There seems to be progress on the ipfw side, but as far as I know, nobody is working on NAT64 in PF on FreeBSD. Adding Tayga to our ports collection might be an option, but we have to ask @fichtner about that, but in that case you have to configure it manually. |
|
@fichtner thanks! one stupid question, is Sixxs out of support? |
|
Yes: https://www.sixxs.net/sunset/ EOL: 2017-06-06 |
|
I totally forgot, thanks! |
|
timeout (+ duplicate opnsense/plugins#16 ) |
|
if i am not mistaking, we are now based on hardenedbsd, which supports nat64? |
|
If there's a volunteer to test with such a setup I can try to build a plugin with tayga .. but no promise for success |
|
i should be able to test it if needed |
|
@dsbaars @pierrehenrymuller sorry for bothering you, which bits did you set in BIND for DNS64? As it's also available I have to add some stuff there too. |
|
Natively ipfw supports nat64 in both stateful and stateless modes, but since we use pf as our main firewall, it’s always the question how well those two play together. A nice sample of both options can be found here: Unfortunately pf only supports nat64 on openbsd (https://man.openbsd.org/pf.conf#af-to) |
|
@AdSchellevis I had a quick look at tayga, most annoying thing is missing rc script, but it's not the first plugin where I had to add one. :) |
|
@mimugmail startup scripts usually aren’t the challenge indeed😊 I haven’t tried any of the options, but if ipfw is easier to add, we might also consider adding it to core if someone wants to try out the rules first. |
|
I'd say we start with a plugin, if adaoption rate is good we can still try ipfw (mostly performance-wise I'd guess). |
|
@mimugmail, thanks for the tayga plugin! I tried to get it working, but failed at adding an IPv4 address to the nat64 tun interface: Any input welcome. |
|
I got it semi-working. The main issues so far:
Unfortunately the workarounds are non-persistent. |
|
@maurice-w thanks for testing! I'm already in talk with a twitter guy testing it. |
|
@maurice-w are you sure there's no typo in ifconfig and route commands? |
|
I don't see a typo and it works, but I'm definitely no *BSD expert. Do you have anything specific in mind? As for your PR, I commented there. What are your thoughts on letting the script also add an outbound NAT rule for the IPv4 pool and an allow all firewall rule for the nat64 interface? Or should we leave that up to the user? |
|
@mimugmail, since you mentioned in the PR that you don't use this yourself, let me give you a quick recap of what I did to get it running:
|
|
Maybe also consider adding https://github.com/NICMx/Jool instead of tayga, as it supposedly performs better! |
|
It does perform better, but I'm not aware of a *BSD version. Jool uses a Linux kernel module and depends on netfilter / iptables, so probably not that simple to port to another OS. Correct me if I'm wrong. |
|
ipfw seems to have extensive support for IPv6 <-> IPv4 translation. Considering there is no support for IPv6/4 translation in pf in NetBSD, would using ipfw be the easiest option to implement a proper NAT64 solution on OPNsense? Can ipfw be run on OPNsense without breaking pf? I am aware of Tayga, but I think we should move away from this since it now seems to be an abandoned project (has been for some time). |
|
Is Tayga broken with the 22.1 release? I can't get the interface to appear and the service refuses to start no matter what I try. Also there is no error message telling me what's wrong. :/ |
|
@cmprmsd Tayga works fine in 22.1. The service not starting is most likely caused by an invalid configuration. Did it stop working after you upgraded to 22.1 or is this a new setup? Probably better discussed on the forum. |
|
Yes it was an invalid (the prefilled settings) config. Had to change some values according to the OPNSense guide which helped me out of the situation. 😅 thanks! |
|
Hi, if FreeBSD added this into ipfw, wouldn't it be better to use this instead of tayga? |
|
If you find someone with enough time and knowledge to implement it I'm happy to review. |
I have the need for a IPv6-only network. Unfortunately, you still need to be able to connect to IPv4 hosts to visit most sites on the internet, this can be done using nat64.
It would be nice to have this feature in OPNsense.
This is possible using NAT64 and DNS64
Unfortunately, dnsmasq does not support dns64 yet.
The text was updated successfully, but these errors were encountered: