NAT64 464XLAT

Hello All,

I am trying to do NAT464 XLAT, similar to the diagram below (taken from RFC6877).
1579412663786.png

I have 2 VMs using FreeBSD 12.1 Release as CLAT and PLAT, with the following kernel options:
IPFIREWALL
IPFIREWALL_VERBOSE
IPFIREWALL_DEFAULT_TO_ACCEPT
IPFIREWALL_NAT
IPFIREWALL_NAT64
LIBALIAS

On both VMs I have enabled the following:
gateway_enable="YES"
ipv6_gateway_enable="YES"

CLAT-specific configuration:
em0: 192.168.1.1/24 --> toward ipv4 LAN
em1: 2001:db8:1234::2/64 --> toward PLAT
inet6 default route is 2001:db8:1234::1 --> IP of PLAT

ipfw nat64clat NAT64 create clat_prefix 2001:db8:1234:1000::/96 plat_prefix 64:ff9b::/96 log allow_private
ipfw add allow log icmp6 from any to any icmp6types 135,136
ipfw add nat64clat NAT64 ip from any to any
-------------------------------------------------------------------------------------------------------------------

PLAT-specific configuration:
em0: 2001:db8:1234::1/64 --> toward CLAT
em1: 172.16.1.2/30 --> toward Server A
route -6 add 2001:db8:1234:1000::/96 2001:db8:1234::2 --> return route for CLAT PREFIX

ipfw nat64lsn NAT64 create prefix4 10.0.0.0/24 prefix6 64:ff9b::/96
ipfw add allow log icmp6 from any to any icmp6types 135,136
ipfw add nat64lsn NAT64 ip from 2001:db8:1234:1000::/96 to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ip from any to 10.0.0.0/24 in

sysctl net.inet.ip.fw.nat64_direct_output=1
---------------------------------------------------------------------------------------------------------------------

I have also been reading the following thread, NAT64, for stateful NAT64.

However, I am still unable to make it work.

From CLAT
1579414498473.png

The above are the packet statistics when I am trying to ping from the IPv4 LAN to Server A.

From PLAT
1579414601615.png


I know I am probably missing a lot of things in the config. Any advice on how to do NAT 464 XLAT in the right/proper way?
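
Added example (not part of the original thread and not the poster's code): the stateless RFC 6052 mapping that the `clat_prefix` and `plat_prefix` above imply, so the addresses expected on the IPv6 leg can be compared with a capture and with the PLAT rule. The LAN host 192.168.1.10 and the Server A address 172.16.1.1 are assumed values; only the two /96 prefixes come from the post.

```python
import ipaddress

# Prefixes copied from the CLAT and PLAT configuration in the first post.
CLAT_PREFIX = ipaddress.IPv6Network("2001:db8:1234:1000::/96")
PLAT_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def embed(prefix, v4):
    """RFC 6052 mapping for a /96 prefix: the IPv4 address fills the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(prefix, v6):
    """Inverse mapping; refuses addresses outside the prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if prefix.prefixlen != 96 or v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def plat_rule_matches(src6, dst6):
    """Mirrors the PLAT rule 'from 2001:db8:1234:1000::/96 to 64:ff9b::/96'."""
    return (ipaddress.IPv6Address(src6) in CLAT_PREFIX
            and ipaddress.IPv6Address(dst6) in PLAT_PREFIX)

def trace(src4, dst4):
    """Addresses one IPv4 flow should carry on the IPv6 leg between CLAT and PLAT."""
    src6, dst6 = embed(CLAT_PREFIX, src4), embed(PLAT_PREFIX, dst4)
    return {
        "src6": str(src6),
        "dst6": str(dst6),
        "plat_rule_matches": plat_rule_matches(src6, dst6),
        "dst4_after_plat": str(extract(PLAT_PREFIX, dst6)),
        "src4_round_trip": str(extract(CLAT_PREFIX, src6)),
    }

if __name__ == "__main__":
    # Constructed sample flow: both host addresses are assumptions.
    for key, value in trace("192.168.1.10", "172.16.1.1").items():
        print(f"{key:18} {value}")
    # A packet sourced from the CLAT's own em1 address is outside the rule.
    print(plat_rule_matches("2001:db8:1234::2", "64:ff9b::ac10:101"))
```

Comparing `src6` and `dst6` with a capture on the link between the two VMs shows whether the CLAT is emitting what the PLAT rule expects.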
 
Hi All,

As per my understanding of RFC6877, CLAT shall create a 1-to-1 map from IPv4 to IPv6. Does this 1-to-1 NAT have the same behavior as 1-to-1 NAT IPv4 Private to IPv4 Public?

I mean, can I ping the IPv6 (which is mapped to the IPv4) from the Internet? I am looking for a similar concept to NAT44 Private to Public.
Please advise.
 
Hi All,
Does this 1-to-1 NAT have the same behavior as 1-to-1 NAT IPv4 Private to IPv4 Public?
I am looking for a similar concept to NAT44 Private to Public.

NAT44 does not exist on FreeBSD (IIRC). NAT has a many to one foundation because of the global IPv4 address exhaustion.
Many clients using private addresses can access the internet through one global IPv4 address.
What is your use case that you want NAT44? You can use your global IPv4 addresses internally given you have enough of them.
 
Hi Duffyx,

Thank you.

That part I understand.

I am trying to find out whether the IPv6 (which is a translation of IPv4 - CLAT), as stated in RFC6877, is reachable from the Internet.

From my current test, the IPv4 host is able to reach the IPv4 server over the IPv6 network by using 464 XLAT. Now, I want to know whether a reverse connection is doable, meaning the connection is triggered from the server side (with the assumption that the server has an IPv6 address as well).
 
As I understand it, CLAT is meant for outgoing connections from a v6-only host.

As for the reverse, it's better that the remote client(s) configure IPv6 at their end and connect to you via IPv6.
 
In addition, what would be interesting is using the ipfw CLAT portion on a separate machine acting as an IPv6-only gateway for the LAN machines.
 