mirror of
https://github.com/opnsense/docs
synced 2024-11-15 06:12:58 +00:00
362474a0e4
As of OPNsense 22.1, NAT64 interface addresses must not be used by another interface or VIP.
113 lines
5.5 KiB
ReStructuredText
113 lines
5.5 KiB
ReStructuredText
==================
|
|
Tayga NAT64 how-to
|
|
==================
|
|
|
|
------------
|
|
Introduction
|
|
------------
|
|
IPv6-only networks are less complex to plan, configure, maintain and troubleshoot than dual-stack networks. But many services on the Internet
|
|
are still IPv4-only. NAT64 preserves access to these services by performing IPv6-to-IPv4 translation. The NAT64 implementation currently
|
|
available for OPNsense is the Tayga plugin.
|
|
|
|
.. Note::
|
|
This how-to focuses on providing IPv6-only LANs with access to IPv4-only services. However, this is not the only use case for NAT64.
|
|
|
|
-------------
|
|
Prerequisites
|
|
-------------
|
|
OPNsense should be configured with working dual-stack Internet access and at least one IPv6-only LAN.
|
|
|
|
--------------------------------
|
|
Installing and configuring Tayga
|
|
--------------------------------
|
|
Go to :menuselection:`System --> Firmware --> Plugins` and install the `os-tayga` plugin. Then go to :menuselection:`Services --> Tayga`.
|
|
|
|
Tick `Enable` and configure all prefixes and addresses:
|
|
|
|
:IPv6 Prefix:
|
|
The IPv6 prefix which Tayga uses to translate IPv4 addresses. You can use the default well-known prefix 64:ff9b::/96 or an unused /96 from
|
|
your site's GUA prefix.
|
|
|
|
.. Warning::
|
|
When using the well-known prefix 64:ff9b::/96, Tayga will prohibit IPv6 hosts from contacting IPv4 hosts that have private (RFC1918)
|
|
addresses. This is not relevant when using NAT64 for accessing IPv4 services on the Internet. However, if access to local services with
|
|
private IPv4 addresses is required, a GUA /96 prefix must be used.
|
|
|
|
.. Note::
|
|
While technically possible, using a ULA prefix for NAT64 is not recommended. This can cause issues with certain hosts, especially those
|
|
which support 464XLAT.
|
|
|
|
:IPv4 Pool:
|
|
The virtual IPv4 addresses which Tayga maps to LAN IPv6 addresses. Can be left to its default value unless this overlaps with existing
|
|
subnets in your network. Must be sufficiently large to fit all devices in your IPv6-only LAN(s).
|
|
|
|
Tayga is a hop in the path, so it needs its own IP addresses for ICMP:
|
|
|
|
:IPv4 Address:
|
|
Will show up in traceroutes from the IPv4 side to the IPv6 side. Can be left to its default value unless you changed the `IPv4 Pool`.
|
|
Should be located in the `IPv4 Pool` subnet.
|
|
|
|
:IPv6 Address:
|
|
Will show up in traceroutes from the IPv6 side to the IPv4 side. Can be left empty if the `IPv6 Prefix` is a GUA or the `IPv4 Address` is
|
|
a non-RFC1918 address. Tayga will then auto-generate its IPv6 address by mapping the `IPv4 Address` into the `IPv6 Prefix`.
|
|
For example, if the `IPv6 Prefix` 2001:db8:64:64::/96 and `IPv4 Address` 192.168.255.1 are being used, Tayga's IPv6 address will be
|
|
2001:db8:64:64::192.168.255.1 (2001:db8:64:64::c0a8:ff01).
|
|
|
|
.. Warning::
|
|
Tayga can't auto-generate its `IPv6 Address` if the default well-known `IPv6 Prefix` 64:ff9b::/96 and a private (RFC1918) `IPv4 Address`
|
|
are being used. In this case, you have to manually specify an unused address from your site's GUA or ULA prefix.
|
|
|
|
Tayga behaves like an external device connected to OPNsense via a point-to-point interface. This interface requires IP addresses for ICMP:
|
|
|
|
:IPv4 NAT64 Interface Address:
|
|
Can be left to its default value unless this conflicts with your network. Must not be located in the `IPv4 Pool` subnet and must not be
|
|
used by another interface or VIP.
|
|
|
|
:IPv6 NAT64 Interface Address:
|
|
Must not be located in the `IPv6 Prefix` subnet and must not be used by another interface or VIP.
|
|
|
|
.. Warning::
|
|
The default value must not be used since 2001:db8::/32 is a documentation-only prefix.
|
|
|
|
Save. Tayga should now be running.
|
|
|
|
---------------------
|
|
Adding firewall rules
|
|
---------------------
|
|
Tayga uses a tunnel interface for packet exchange with the system. Rules are required to prevent the firewall from blocking these packets.
|
|
Additionally, an outbound NAT rule is required for IPv4 Internet access.
|
|
|
|
Go to :menuselection:`Firewall --> Rules --> Tayga`, add a new rule, set the `TCP/IP Version` to `IPv4+IPv6`, leave all other settings to
|
|
their default values and save.
|
|
|
|
.. Note::
|
|
If you just enabled Tayga and can't find :menuselection:`Firewall --> Rules --> Tayga`, go to :menuselection:`Interfaces --> Assignments`,
|
|
click `Save` and reload the page.
|
|
|
|
Go to :menuselection:`Firewall --> Settings --> Normalization`, add a new rule, set the `Interface` to `Tayga`, leave all other settings to
|
|
their default values and save.
|
|
|
|
.. Note::
|
|
This rule is required for proper handling of fragmented packets.
|
|
|
|
Go to :menuselection:`Firewall --> NAT --> Outbound`, add a new rule, set `Source address` to `Single host or network`, enter your Tayga
|
|
`IPv4 Pool`, leave all other settings to their default values and save.
|
|
|
|
Apply the firewall changes. NAT64 should now be fully operational.
|
|
|
|
-----------------
|
|
Configuring DNS64
|
|
-----------------
|
|
In most scenarios, NAT64 also requires DNS64. If you use OPNsense's :doc:`/manual/unbound` DNS resolver, DNS64 can be enabled by going to
|
|
:menuselection:`Services --> Unbound DNS --> General` and ticking `Enable DNS64 Support`. If you don't use the default 64:ff9b::/96 prefix,
|
|
you also have to enter your /96 prefix there.
|
|
|
|
.. Note::
|
|
You may also use any other DNS64 capable DNS server. If you use the default 64:ff9b::/96 prefix, using a service like `Google's Public
|
|
DNS64 <https://developers.google.com/speed/public-dns/docs/dns64>` is possible, too.
|
|
|
|
-------
|
|
Testing
|
|
-------
|
|
You can use a service like https://internet.nl/connection/ to verify that devices in your IPv6-only LAN have IPv6 and IP4 Internet access.
|