NAT64

NAT64 is a form of NAT which enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, 64:ff9b::/96.

Note

Though NAT64-related settings allow this prefix to be set to a custom value, in practice the value rarely if ever deviates from the default prefix of 64:ff9b::/96.

Requirements

To perform NAT64 there are a few prerequisites:

  • The device performing NAT64 must have an external IPv4 address.

  • If using this firewall for DNS, it must use the DNS Resolver.

  • The internal interface with IPv6 clients does not need to have IPv4 configured.

  • The local IPv6 interface must be properly configured, have appropriate firewall rules, etc. This can be a tracked WAN configuration or manually configured.

NAT64 Components

Several components come together to allow a fully-functioning NAT64 environment:

See also

See NAT64 Configuration Recipe for a complete walk-through of configuring each component in NAT64.

How NAT64 Works

This is a basic summary of the process for an IPv6 client to successfully make NAT64 requests:

  • IPv6 client discovers the NAT64 prefix via PREF64.

  • IPv6 client performs a DNS lookup for a host.

  • The DNS Resolver uses DNS64 to include mapped IPv4 addresses in its responses using the configured NAT64 prefix.

    For example, the client requests www.example.com which resolves to 203.0.113.5 and has no IPv6 address. The DNS response to the client will include both 203.0.113.5 and the IPv6 mapped equivalent, 64:ff9b::cb00:7105.

  • IPv6 client contacts the IPv4 host using the mapped address returned via DNS64.

  • The firewall translates this request using NAT64: the incoming IPv6 packet has both its source and destination translated to appropriate IPv4 addresses. This is a stateful mapping, which allows the firewall to correctly handle return packets for ongoing connections.

This entire process is transparent to the client software, such as a web browser. It will act as though it is communicating directly to IPv6 hosts even when using hostnames for sites with no IPv6 connectivity.

Contacting Remote IPv4 Hosts

IPv6 clients can contact IPv4 hosts using mapped addresses without DNS64 by manually appending the IPv4 address to the NAT64 prefix. For example, to contact the IPv4 address 203.0.113.5 the client would instead contact 64:ff9b::203.0.113.5. The client could also use the fully-IPv6 equivalent address, 64:ff9b::cb00:7105, but that is much more difficult for humans.

NAT64 does not enable IPv6 clients to talk to IPv4 hosts directly using IPv4 address notation. However, IPv6 clients may be able to do so if they have a customer-side translator (CLAT). This is completely dependent on the client and the firewall is not involved in that functionality. The availability of a CLAT is up to the operating system and its enabled features, installed software, etc.

Note

NAT64 on pfSense software only allows IPv6 clients to contact IPv4 servers and exchange two-way traffic. NAT64 does not allow IPv4 remote hosts to reach local IPv6 hosts.

NAT64 and Policy Routing

NAT64 is compatible with policy routing. For example, if an IPv4 destination has a static route out through an alternate path, a NAT64 rule can be configured to match. The NAT64 rule should match the equivalent mapped destination with a gateway configured to ensure it takes the expected path.
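The address mapping used throughout this page, worked as an added example (not pfSense code): embedding an IPv4 address in a /96 NAT64 prefix the way DNS64 does, recovering the IPv4 address from a mapped address, and deriving the mapped destination network that a NAT64 policy-routing rule would match for an IPv4 route. The function names are assumptions of this example; only the default 64:ff9b::/96 prefix and the 203.0.113.5 sample address come from the page.

```python
import ipaddress

# Default NAT64 prefix from the page; a custom /96 may be passed instead.
DEFAULT_NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def nat64_map(ipv4, prefix=DEFAULT_NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_unmap(ipv6, prefix=DEFAULT_NAT64_PREFIX):
    """Recover the embedded IPv4 address, or None if the address is
    not inside the NAT64 prefix (i.e. a native IPv6 destination)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def nat64_map_network(ipv4_net, prefix=DEFAULT_NAT64_PREFIX):
    """Map an IPv4 destination network to the equivalent mapped IPv6
    network: the destination a NAT64 rule must match so that traffic to
    an IPv4 static route takes the same path (policy routing)."""
    net = ipaddress.IPv4Network(ipv4_net)
    start = nat64_map(net.network_address, prefix)
    return ipaddress.IPv6Network((start, 96 + net.prefixlen))


def dns64_synthesize(a_records, aaaa_records, prefix=DEFAULT_NAT64_PREFIX):
    """Mimic the DNS64 decision: if the name already has AAAA records,
    return them unchanged; otherwise synthesize AAAA records from the
    A records using the NAT64 prefix."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [nat64_map(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: www.example.com resolves only to 203.0.113.5.
    print(dns64_synthesize(["203.0.113.5"], []))       # [IPv6Address('64:ff9b::cb00:7105')]
    print(nat64_unmap("64:ff9b::203.0.113.5"))         # 203.0.113.5
    print(nat64_map_network("203.0.113.0/24"))         # 64:ff9b::cb00:7100/120
```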

NAT64 and other NAT

NAT64 translates traffic when it matches a rule inbound on an interface, which happens before the firewall processes Outbound NAT rules. The translated packets can in principle be matched again by Outbound NAT, but at that point they already carry an external IPv4 source address and may be indistinguishable from other connections, so applying additional Outbound NAT to them is rarely practical.