NAT64¶
NAT64 is a form of NAT which enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, the well-known prefix 64:ff9b::/96 defined in RFC 6052.
Note
Though NAT64-related settings allow this prefix to be set to a custom value, in practice the value rarely if ever deviates from the default prefix of 64:ff9b::/96.
Requirements¶
To perform NAT64 there are a few prerequisites:
The device performing NAT64 must have an external IPv4 address. Translated traffic from IPv6 clients leaves the firewall with this address as its source.
If this firewall provides DNS for the clients, it must do so with the DNS Resolver, which is the component that performs DNS64.
The internal interface with IPv6 clients does not need to have IPv4 configured.
The local IPv6 interface must be properly configured, have appropriate firewall rules, etc. This can be a tracked WAN configuration or manually configured.
NAT64 Components¶
Several components come together to allow a fully-functioning NAT64 environment:
A NAT64 rule on the internal interface which matches traffic destined to the NAT64 prefix and translates it (see How NAT64 Works).
DNS64 in the DNS Resolver, so that hostnames which have no IPv6 address still resolve to mapped addresses inside the NAT64 prefix.
Router Advertisements carrying the NAT64 prefix (PREF64) so clients can discover it.
Optionally, DHCPv4 option 108 (v6-only-preferred) if the segment also has local/private IPv4, so that clients which support the option stop using IPv4 on that segment.
DHCPv6 configured to at least advertise DNS servers to clients, as not all clients support RDNSS/DNSSL and NAT64 requires working DNS.
See also
See NAT64 Configuration Recipe for a complete walk-through of configuring each component in NAT64.
How NAT64 Works¶
This is a basic summary of the process for an IPv6 client to successfully make NAT64 requests:
1. The IPv6 client discovers the NAT64 prefix via PREF64 (RFC 8781), an option carried in Router Advertisements.
2. The IPv6 client performs a DNS lookup for a host.
3. The DNS Resolver uses DNS64 to include mapped IPv4 addresses in its responses using the configured NAT64 prefix. For example, the client requests www.example.com, which resolves to 203.0.113.5 and has no IPv6 address. The DNS responses to the client will include both 203.0.113.5 (the real A record) and the IPv6 mapped equivalent, 64:ff9b::cb00:7105 (an AAAA record synthesized by DNS64).
4. The IPv6 client contacts the IPv4 host using the mapped address returned via DNS64.
5. The firewall translates this request using NAT64: the IPv6 packet arriving on the internal interface is rewritten as an IPv4 packet whose destination is the IPv4 address extracted from the mapped address and whose source is the firewall's external IPv4 address. This is a stateful mapping, which allows the firewall to translate return packets for ongoing connections back to IPv6 and deliver them to the client.
This entire process is transparent to the client software, such as a web browser. It will act as though it is communicating directly with IPv6 hosts even when using hostnames for sites with no IPv6 connectivity.
Contacting Remote IPv4 Hosts¶
IPv6 clients can contact IPv4 hosts using mapped addresses without DNS64 by manually appending the IPv4 address to the NAT64 prefix. With the default /96 prefix the IPv4 address occupies the last 32 bits, so it can be written in dotted-quad form: for example, to contact the IPv4 address 203.0.113.5 the client would instead contact 64:ff9b::203.0.113.5. The client could also use the fully-IPv6 equivalent address, 64:ff9b::cb00:7105, but that is much more difficult for humans. The two spellings name the same address; the dotted-quad form only corresponds to the mapped address when the prefix is a /96.
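The address mapping used in the DNS64 step and in the manual 64:ff9b::203.0.113.5 form above, as an added example in Python. This is not code from pfSense or its documentation: it implements the RFC 6052 embedding for the default /96 prefix and, going beyond the page's single case, for the other prefix lengths RFC 6052 allows, plus the RFC 6147 rule that DNS64 synthesizes AAAA records only when no real ones exist. The resolver answers below are constructed from documentation addresses, not real lookups.

```python
"""Added example (not pfSense code): RFC 6052 address mapping as used by
NAT64 and DNS64, plus the dotted-quad spelling 64:ff9b::203.0.113.5.

Assumptions: the NAT64 prefix is 64:ff9b::/96 unless one is passed in, and
SAMPLE_ANSWERS is constructed from RFC 5737 / RFC 3849 documentation
addresses rather than real DNS results.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Well-known NAT64 prefix (RFC 6052 section 2.1), the default on the page.
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")

# RFC 6052 permits only these prefix lengths. For anything shorter than /96
# the IPv4 octets straddle bits 64-71 (the "u" octet), which must stay zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def ipv4_octet_positions(plen):
    """Byte offsets, within the 16-byte IPv6 address, that carry the 4 IPv4 octets."""
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_PREFIX_LENGTHS}, got /{plen}")
    positions, pos = [], plen // 8
    while len(positions) < 4:
        if pos == 8:        # hop over the reserved u octet
            pos = 9
        positions.append(pos)
        pos += 1
    return positions


def embed_ipv4(v4, prefix=WELL_KNOWN_PREFIX):
    """IPv4 -> mapped IPv6. This is what DNS64 does to synthesize an AAAA record."""
    prefix = IPv6Network(prefix)
    buf = bytearray(prefix.network_address.packed)
    for offset, octet in zip(ipv4_octet_positions(prefix.prefixlen), IPv4Address(v4).packed):
        buf[offset] = octet
    return IPv6Address(bytes(buf))


def extract_ipv4(v6, prefix=WELL_KNOWN_PREFIX):
    """Mapped IPv6 -> IPv4. This is what the translator does when a packet leaves toward IPv4."""
    prefix = IPv6Network(prefix)
    addr = IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {prefix}; a NAT64 rule would not match")
    packed = addr.packed
    return IPv4Address(bytes(packed[i] for i in ipv4_octet_positions(prefix.prefixlen)))


def dns64_synthesize(answers, prefix=WELL_KNOWN_PREFIX):
    """RFC 6147 rule: hand back real AAAA records when they exist, otherwise
    synthesize AAAA records from the A records. Native IPv6 is never overridden."""
    if answers.get("AAAA"):
        return [IPv6Address(a) for a in answers["AAAA"]]
    return [embed_ipv4(a, prefix) for a in answers.get("A", [])]


def same_address(mixed, hex_form):
    """The dotted-quad suffix is only another spelling of the same 128-bit value."""
    return IPv6Address(mixed) == IPv6Address(hex_form)


# Constructed resolver results: the page's IPv4-only host plus a dual-stack host.
SAMPLE_ANSWERS = {
    "www.example.com": {"A": ["203.0.113.5"], "AAAA": []},
    "dual.example.com": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}

if __name__ == "__main__":
    for name, rr in SAMPLE_ANSWERS.items():
        print(name, "->", [str(a) for a in dns64_synthesize(rr)])
    print(extract_ipv4("64:ff9b::203.0.113.5"))      # 203.0.113.5
    print(embed_ipv4("192.0.2.33", "2001:db8:122:344::/64"))
```

The dual-stack host is the case worth noticing: DNS64 leaves its real AAAA record alone, so only hosts with no IPv6 address are steered through the translator.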
NAT64 does not enable IPv6-only clients to talk to IPv4 hosts directly using IPv4 address notation (for example, a browser opening http://203.0.113.5/), because such a client has no IPv4 stack to send that traffic from. However, IPv6 clients may be able to do so if they have a customer-side translator (CLAT, the client side of 464XLAT), which takes the client's own IPv4 packets and maps them into the NAT64 prefix before they leave the host. This is completely dependent on the client and the firewall is not involved in that functionality. The availability of a CLAT is up to the operating system and its enabled features, installed software, etc.
Note
NAT64 on pfSense software only allows IPv6 clients to contact IPv4 servers and exchange two-way traffic on connections the IPv6 client initiated. NAT64 does not allow IPv4 remote hosts to initiate connections to local IPv6 hosts; an inbound IPv4 packet with no matching state has no IPv6 destination to be translated to.
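A model of the stateful translation described in How NAT64 Works and of the one-way behaviour stated in the note above, as an added example in Python. It is not pfSense code and does not reproduce the real translator's internals: it assumes the default 64:ff9b::/96 prefix, a constructed external address 198.51.100.1, constructed client addresses and ports, and a simple sequential pool for external ports, which is an assumption since the page does not describe port allocation. What it shows is the state created by the client's first packet, the reverse translation of the reply, and the drop of an unsolicited IPv4 packet.

```python
"""Added example (not pfSense code): a model of NAT64's stateful step.
An IPv6 client flow creates session state; the IPv4 reply is matched
against that state and translated back; an IPv4 packet with no matching
state is dropped, which is why NAT64 is one-way.

Assumptions: prefix 64:ff9b::/96 (IPv4 is the low 32 bits), external
address 198.51.100.1, and a sequential external-port pool (the page does
not describe the real allocation policy).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network

NAT64_PREFIX = IPv6Network("64:ff9b::/96")


@dataclass(frozen=True)
class Packet:
    src: str        # textual IP address: v6 on the LAN side, v4 on the WAN side
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulNat64:
    def __init__(self, external_ipv4, first_port=40000):
        self.external = IPv4Address(external_ipv4)
        self._next_port = first_port
        # (proto, external port) -> (client v6, client port, remote v4, remote port)
        self._sessions = {}
        # client 5-tuple -> external port, so a live flow keeps its mapping
        self._by_client = {}

    def translate_outbound(self, pkt):
        """IPv6 packet from the LAN -> IPv4 packet on the WAN; creates state on first sight."""
        dst6 = IPv6Address(pkt.dst)
        if dst6 not in NAT64_PREFIX:
            raise ValueError("destination outside the NAT64 prefix: the NAT64 rule would not match")
        remote_v4 = IPv4Address(int(dst6) & 0xFFFFFFFF)   # /96: IPv4 sits in the low 32 bits
        key = (pkt.proto, pkt.src, pkt.sport, str(remote_v4), pkt.dport)
        ext_port = self._by_client.get(key)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._by_client[key] = ext_port
            self._sessions[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, remote_v4, pkt.dport)
        return Packet(str(self.external), str(remote_v4), ext_port, pkt.dport, pkt.proto)

    def translate_inbound(self, pkt):
        """IPv4 packet from the WAN -> IPv6 packet to the LAN, only if it matches existing state.
        Returns None for anything unsolicited: there is no IPv6 host to hand it to."""
        if IPv4Address(pkt.dst) != self.external:
            return None
        state = self._sessions.get((pkt.proto, pkt.dport))
        if state is None:
            return None
        client6, client_port, remote_v4, remote_port = state
        if IPv4Address(pkt.src) != remote_v4 or pkt.sport != remote_port:
            return None   # right port, wrong peer: not this session
        # Re-embed the peer's IPv4 address so the client sees the address it connected to.
        src6 = IPv6Address(int(NAT64_PREFIX.network_address) | int(remote_v4))
        return Packet(str(src6), client6, remote_port, client_port, pkt.proto)


if __name__ == "__main__":
    nat = StatefulNat64("198.51.100.1")
    syn = nat.translate_outbound(Packet("2001:db8:1::10", "64:ff9b::cb00:7105", 51000, 443))
    print("out:", syn)
    print("back:", nat.translate_inbound(Packet("203.0.113.5", "198.51.100.1", 443, syn.sport)))
    print("unsolicited:", nat.translate_inbound(Packet("203.0.113.9", "198.51.100.1", 22, 40001)))
```

The check that the reply's source matches the peer recorded in the state is what makes the mapping a session rather than a static port forward: a different IPv4 host sending to the same external port is dropped, and so is any packet for a port with no session at all.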
NAT64 and Policy Routing¶
NAT64 is compatible with policy routing. For example, if traffic to an IPv4 destination should leave through an alternate path (such as a destination that has a static route via another gateway), a NAT64 rule can be configured to match that traffic. The NAT64 rule should match the equivalent mapped destination, that is, the IPv4 destination embedded in the NAT64 prefix, and have a gateway configured to ensure the translated traffic takes the expected path.
NAT64 and other NAT¶
NAT64 translates traffic when it matches a NAT64 rule inbound on an interface. This happens before the firewall processes Outbound NAT rules. The translated packets therefore reach Outbound NAT already carrying the firewall's external IPv4 address as their source, so while Outbound NAT could translate them again, they are not readily distinguishable from other connections and additional Outbound NAT on them is rarely practical.