Stateless NAT64 and DNS64 support

[dsbaars]

I have the need for a IPv6-only network. Unfortunately, you still need to be able to connect to IPv4 hosts to visit most sites on the internet, this can be done using nat64. It would be nice to have this feature in OPNsense.

This is possible using NAT64 and DNS64

• For NAT64 a possibile solution is tayga
• For DNS64 there are several options:
  • I have this working using BIND 9 (+tayga and radvd)
  • TOTD can also do this, but appears to be abandonned.

Unfortunately, dnsmasq does not support dns64 yet.

[sjorge]

I was experimenting with this at some point, TOTD sort of worked but overall it sucked. Not tried tayga. Would love to see this in opnsense eventually.

[fichtner]

We'd need pf(4) support for this in order to drop in nicely.

[AtomiclyCursed]

I am also in need of this feature, Apple has made it a requirement for submission of Apps to their store (as of June 2016) that they support IPv6 only networks, they currently suggest supporting IPv4 via NAT64/DNS64 hence requirement of this feature so i can make an IPv6 Only network that can still do IPv4 Traffic. Any one aware how this can currently be achieved until this feature is added?

[pierrehenrymuller]

Hi, I would very much appreciate that the NAT64 and DNS64 are available under opnsens. Currently we have a Debian with Tayga for NAT and Bind for DNS, but we would prefer to put it in a opnsense.

[fabianfrz]

note that there is an old ticket about that: https://github.com/opnsense/plugins/issues/16

[fabianfrz]

Wikipedia says that PF can do NAT64 since OpenBSD 5.1 (https://de.wikipedia.org/wiki/NAT64#Unterst.C3.BCtzung) If PF in FreeBSD is not too old, it may support it as well.

[AdSchellevis]

FreeBSD doesn't support NAT64 in PF unfortunately, otherwise it probably was implemented already.

There seems to be progress on the ipfw side, but as far as I know, nobody is working on NAT64 in PF on FreeBSD. A plugin for Tayga is probably the only viable option at the moment, which is where ticket https://github.com/opnsense/plugins/issues/16 comes in. Although kernel level support (preferably in PF) would be better.

Adding Tayga to our ports collection might be an option, but we have to ask @fichtner about that, but in that case you have to configure it manually.

[fichtner]

sure https://github.com/opnsense/tools/commit/d2a6720d8

[AdSchellevis]

@fichtner thanks! one stupid question, is Sixxs out of support?

[fichtner]

Yes: https://www.sixxs.net/sunset/

EOL: 2017-06-06

[AdSchellevis]

I totally forgot, thanks!

[AdSchellevis]

timeout (+ duplicate https://github.com/opnsense/plugins/issues/16 )

[thutex]

if i am not mistaking, we are now based on hardenedbsd, which supports nat64? if so, will we be seeing this functionality come natively to opnsense? (need it to easily manage my network when going ipv6 with a provider that changes wan prefix almost daily)

[mimugmail]

If there's a volunteer to test with such a setup I can try to build a plugin with tayga .. but no promise for success

[thutex]

i should be able to test it if needed

[mimugmail]

@dsbaars @pierrehenrymuller sorry for bothering you, which bits did you set in BIND for DNS64? As it's also available I have to add some stuff there too.

[AdSchellevis]

Natively ipfw supports nat64 in both stateful and stateless modes, but since we use pf as our main firewall, it’s always the question how well those two play together.

A nice sample of both options can be found here: https://bsdrp.net/documentation/examples/nat64

Unfortunately pf only supports nat64 on openbsd (https://man.openbsd.org/pf.conf#af-to)

[mimugmail]

@AdSchellevis I had a quick look at tayga, most annoying thing is missing rc script, but it's not the first plugin where I had to add one. :)

[AdSchellevis]

@mimugmail startup scripts usually aren’t the challenge indeed😊 I haven’t tried any of the options, but if ipfw is easier to add, we might also consider adding it to core if someone wants to try out the rules first.

[mimugmail]

I'd say we start with a plugin, if adaoption rate is good we can still try ipfw (mostly performance-wise I'd guess).

[maurice-w]

@mimugmail, thanks for the tayga plugin! I tried to get it working, but failed at adding an IPv4 address to the nat64 tun interface: opnsense-devel: /interfaces.php: The command '/sbin/ifconfig 'nat64' inet '172.23.65.1'/'24'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'

Any input welcome.

[maurice-w]

I got it semi-working. The main issues so far:

• Tayga won't start if you don't fill in the (optional) IPv6 address in the UI. Cause: The ipv6-addr option is written to tayga.conf even if no address is specified. Should be an easy fix.
• FreeBSD doesn't allow configuring a TUN interface with an IPv4 address without also specifying a destination address. And OPNsense doesn't seem to recognize the nat64 interface as a TUN interface. In other words, the IPv4 address for the nat64 interface which you configure in interfaces.php is not added to the interface.
  • Workaround: Add the interface and destination addresses manually, like: ifconfig nat64 inet 192.168.254.1/32 192.168.255.1
• OPNsense doesn't allow adding routes without specifying a gateway.
  • Workaround: Add the required routes manually, like: route -6 add 64:ff9b::/96 -interface nat64 route -4 add 192.168.255.0/24 -interface nat64

Unfortunately the workarounds are non-persistent.

[mimugmail]

@maurice-w thanks for testing! I'm already in talk with a twitter guy testing it. Already found the issue with ipv6-addr this is easy to fix. Regarding the other stuff, I'm thinking about putting the variables into rc.conf.d files and adding interface stuff into rc script.

[mimugmail]

@maurice-w are you sure there's no typo in ifconfig and route commands? Can you check if PR https://github.com/opnsense/plugins/pull/1700 makes sense?

[maurice-w]

I don't see a typo and it works, but I'm definitely no *BSD expert. Do you have anything specific in mind?

As for your PR, I commented there.

What are your thoughts on letting the script also add an outbound NAT rule for the IPv4 pool and an allow all firewall rule for the nat64 interface? Or should we leave that up to the user?

[maurice-w]

@mimugmail, since you mentioned in the PR that you don't use this yourself, let me give you a quick recap of what I did to get it running:

• Configure and enable Tayga.
• Make the nat64 interface known to OPNsense and enable it (Interfaces / Assignments).
• Add IP addresses (v6 /128 + v4 /32) to the nat64 interface. The IPv6 address can be added through the GUI, but since this is a point to point interface, a destination address is required for IPv4. This can only be done on the console. The destination address is Tayga's ipv4-addr: ifconfig nat64 inet <user-specified IPv4 address>/32 <ipv4-addr>
• Add routes for Tayga's prefix and dynamic-pool: route -6 add <prefix> -interface nat64 route -4 add <dynamic-pool> -interface nat64
• Add a firewall rule to allow traffic on the nat64 interface. An allow-all rule (IPv6 + IPv4) should probably be okay and is what I used.
• If you want to use the NAT64 for Internet access: Add an outbound NAT rule for Tayga's dynamic-pool.

[treysis]

Maybe also consider adding https://github.com/NICMx/Jool instead of tayga, as it supposedly performs better!

[maurice-w]

It does perform better, but I'm not aware of a *BSD version. Jool uses a Linux kernel module and depends on netfilter / iptables, so probably not that simple to port to another OS. Correct me if I'm wrong.

[beachrunner2k]

ipfw seems to have extensive support for IPv6 <-> IPv4 translation. Considering there is no support for IPv6/4 translation in pf in NetBSD, would using ipfw be the easiest option to implement a proper NAT64 solution on OPNsense?

Can ipfw be run on OPNsense without breaking pf?

I am aware of Tayga, but I think we should move away from this since it now seems to be an abandoned project (has been for some time).

[cmprmsd]

Is Tayga broken with the 22.1 release? I can't get the interface to appear and the service refuses to start no matter what I try. Also there is no error message telling me what's wrong. :/

[mimugmail]

May check this?

https://forum.opnsense.org/index.php?topic=27511.msg134799#msg134799

[maurice-w]

@cmprmsd Tayga works fine in 22.1. The service not starting is most likely caused by an invalid configuration. Did it stop working after you upgraded to 22.1 or is this a new setup? Probably better discussed on the forum.

[cmprmsd]

Yes it was an invalid (the prefilled settings) config. Had to change some values according to the OPNSense guide which helped me out of the situation. 😅 thanks!

[MaZe3D]

Hi, if FreeBSD added this into ipfw, wouldn't it be better to use this instead of tayga?

[mimugmail]

If you find someone with enough time and knowledge to implement it I'm happy to review.