Messages

1

24.7 Production Series / Re: Tayga NAT64

« on: November 05, 2024, 12:55:29 pm »

The default interface for me was wireguard, why I probably thought that does not make sense and switched to Tayga as the interface (due to lack of knowledge/understanding the topic fully). It was late when I first configured Tayga why I must have swapped the correct fields for translation and source...

I think it would help highlight/mention it must be the WAN side. Overall, I think a sample configuration and screenshots would be helpful; but this can be also found in this thread now thanks to your help :-)

>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from MyIP6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  MyIP6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.139 ms  0.107 ms  0.062 ms
 2  2001:db8:64:ff9b::c0a8:efff  0.084 ms  0.099 ms  0.069 ms
 3  2001:db8:64:ff9b::1fdc:4201  46.116 ms  4.677 ms  5.398 ms
 4  2001:db8:64:ff9b::c32a:f445  4.283 ms  4.029 ms  3.945 ms
 5  * * *
 6  2001:db8:64:ff9b::808:808  4.284 ms  4.235 ms  4.240 ms

 works - yipie

Greetings and many many thanks Maurice for your help and commitment here!
Andreas

2

24.7 Production Series / Re: Tayga NAT64

« on: November 05, 2024, 11:54:50 am »

You're right. It is my gateway address.
I am using hybrid outbound NAT. Please see the rule details in attached screenshot.

3

24.7 Production Series / Re: Tayga NAT64

« on: November 05, 2024, 08:45:49 am »

Thank you Maurice for your quick response. Please find below my results with your suggested changes.

My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
 2  * * *
 3  * *^C

The 2nd hop should be the IPv4 NAT64 Interface Address, translated to IPv6. But in your case, this is an RFC1918 address (192.168.239.255) and you're also using the well-known NAT64 prefix (64:ff9b::/96). Under these circumstances, Tayga will refuse to perform a translation.
Just for verification, you could temporarily use a different NAT64 prefix, like 2001:db8:64:ff9b::/96. You should then see a response from the 2nd hop (2001:db8:64:ff9b::192.168.239.255).

I changed the prefix as recommended and get to the 2nd hop now. Result:
>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.170 ms  0.136 ms  0.116 ms
 2  2001:db8:64:ff9b::c0a8:efff  0.203 ms  0.117 ms  0.142 ms
 3  * * *
 4  * * *
....
14  * * *

The 3rd hop should be OPNsense's upstream IPv4 gateway. If you perform a traceroute 8.8.8.8, does this gateway actually respond?

Yes, ipv4 gateway responds. Traceroute result:
>> traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8 ),- 64 hops max, 40 byte packets
 1  MyPublicStaticGatewayIp4 (MyPublicStaticGatewayIp4)  56.294 ms  4.558 ms  4.208 ms
 2  195.42.244.69 (195.42.244.69)  4.039 ms  4.045 ms  4.093 ms
 3  * * *
 4  dns.google (8.8.8.8 )  3.880 ms  3.722 ms  4.169 ms


Regards,
Andreas

4

24.7 Production Series / Re: Tayga NAT64

« on: November 04, 2024, 09:16:20 pm »

Hi Everybody,

I installed Tayga on the latest OPNsense firmware and the service shows running. Unfortunately, a traceroute to test the setup is not able to reach to the 2nd hop, neither a ping request :-(.
I am grateful for any help on how I can debug and analyse my current setup on why I cannot reach the final destination / lookups are not routed to the nat64 tunnel.

I followed the official documentation and as well setup the three firewall rules (outbound, normalization, interface).
Starting the traceroute, firewall live view does not list any blocked packages.

DNS64 in Unbound is enabled. And I added the two host overrides for nat64 prefix discovery:
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.170   nat64 prefix discovery
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.171   nat64 prefix discovery

Here's my config:
>>cat /etc/rc.conf.d/opnsense-tayga
tayga_script="/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh"
tayga_enable="YES"
tayga_v4address=192.168.240.1
tayga_v4destination=192.168.239.255
tayga_v4pool=192.168.240.0/20
tayga_v6prefix=64:ff9b::/96
tayga_v6address=OneOfMyStaticIPv6Subnet:dd0f::4646
tayga_v6destination=OneOfMyStaticIPv6Subnet:dd0f::6464
tayga_v6routedisabled="NO"


Starting service via shell:
/usr/local/etc/rc.d/opnsense-tayga start
starting tayga
add net 192.168.240.0: gateway nat64
add net 64:ff9b::/96: gateway nat64


My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
 2  * * *
 3  * *^C


My ping result (via root shell):
>> ping6 64:ff9b::8.8.8.8
PING(56=40+8+8 bytes) OneOfMyStaticIPv6Subnet:dd0f::6464 --> 64:ff9b::808:808
^C
--- 64:ff9b::8.8.8.8 ping statistics ---
17 packets transmitted, 0 packets received, 100.0% packet loss


Do I actually have to assign and enable the nat64 interface and assign the ip4/ipv6 addresses used in the tayga config? I did not read/watch anything about it.
Testing from my GUEST vlan (ipv6 only) did not work either.

Many thanks for helping me out here.

5

24.7 Production Series / Re: Unbound DNS crash after upgrade

« on: August 04, 2024, 04:33:08 pm »

Hi Everyone,

I was running into the exact same issue after the upgrade. I was able to start unbound service after unchecking "Register ISC SHCP4 Leases" and "Register DHCP Static Mappings".

Thanks