Tayga NAT64

Started by rjopn, October 28, 2024, 10:11:57 AM

Hello,

I have an IPv6 only network with Tayga installed.

It resolves github.com.

ping github.com
PING github.com (64:ff9b::8c52:7903) 56 Datenbytes
64 Bytes von 64:ff9b::8c52:7903: icmp_seq=1 ttl=52 Zeit=7.20 ms

curl https://github.com
works...

but not the IPv4!

ping 140.82.114.3
ping: connect: network not reachable

curl https://140.82.114.3
not working...

I do not want to install the IPv4 on this interface.

Is there a solution?

I've not actually set this up myself, so I may be missing something, but as I understand it...

LAN clients can't talk v4 if your LAN is v6 only. In order to ping 140.82.114.3, you would have to use v6 address 64:ff9b::8c52:7203 (the last 4 bytes being the v4 address in hex). DNS64 normally takes care of this for you.

If you want to use IPv4 on hosts which are connected to an IPv6-only network, the host itself needs to translate IPv4 to IPv6. The piece of software doing this is called a CLAT. Android has a CLAT, Windows is supposed to get one "soon". Depending on the OS, you may have to install a CLAT manually.

This is typically only required when using applications which use hardcoded IPv4 addresses or don't support IPv6 at all.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Hi Everybody,

I installed Tayga on the latest OPNsense firmware and the service shows running. Unfortunately, a traceroute to test the setup is not able to reach the 2nd hop, and neither is a ping request :-(.
I am grateful for any help on how I can debug and analyse my current setup on why I cannot reach the final destination / lookups are not routed to the nat64 tunnel.

I followed the official documentation and as well setup the three firewall rules (outbound, normalization, interface).
Starting the traceroute, the firewall live view does not list any blocked packets.

DNS64 in Unbound is enabled. And I added the two host overrides for nat64 prefix discovery:
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.170   nat64 prefix discovery
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.171   nat64 prefix discovery

Here's my config:
>>cat /etc/rc.conf.d/opnsense-tayga
tayga_script="/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh"
tayga_enable="YES"
tayga_v4address=192.168.240.1
tayga_v4destination=192.168.239.255
tayga_v4pool=192.168.240.0/20
tayga_v6prefix=64:ff9b::/96
tayga_v6address=OneOfMyStaticIPv6Subnet:dd0f::4646
tayga_v6destination=OneOfMyStaticIPv6Subnet:dd0f::6464
tayga_v6routedisabled="NO"


Starting service via shell:
/usr/local/etc/rc.d/opnsense-tayga start
starting tayga
add net 192.168.240.0: gateway nat64
add net 64:ff9b::/96: gateway nat64


My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
2  * * *
3  * *^C


My ping result (via root shell):
>> ping6 64:ff9b::8.8.8.8
PING(56=40+8+8 bytes) OneOfMyStaticIPv6Subnet:dd0f::6464 --> 64:ff9b::808:808
^C
--- 64:ff9b::8.8.8.8 ping statistics ---
17 packets transmitted, 0 packets received, 100.0% packet loss


Do I actually have to assign and enable the nat64 interface and assign the ip4/ipv6 addresses used in the tayga config? I did not read/watch anything about it.
Testing from my GUEST vlan (ipv6 only) did not work either.

Many thanks for helping me out here.

Quote from: Grashopper on November 04, 2024, 09:16:20 PM
I added the two host overrides for nat64 prefix discovery:
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.170   nat64 prefix discovery
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.171   nat64 prefix discovery

That's not required. With DNS64 enabled, Unbound synthesizes these just like every other A to AAAA conversion.

Quote from: Grashopper on November 04, 2024, 09:16:20 PM
My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
2  * * *
3  * *^C

The 2nd hop should be the IPv4 NAT64 Interface Address, translated to IPv6. But in your case, this is an RFC1918 address (192.168.239.255) and you're also using the well-known NAT64 prefix (64:ff9b::/96). Under these circumstances, Tayga will refuse to perform a translation.
Just for verification, you could temporarily use a different NAT64 prefix, like 2001:db8:64:ff9b::/96. You should then see a response from the 2nd hop (2001:db8:64:ff9b::192.168.239.255).

The 3rd hop should be OPNsense's upstream IPv4 gateway. If you perform a traceroute 8.8.8.8, does this gateway actually respond?

Quote from: Grashopper on November 04, 2024, 09:16:20 PM
Do I actually have to assign and enable the nat64 interface and assign the ip4/ipv6 addresses used in the tayga config?

No, this shouldn't be required.

Cheers
Maurice

November 05, 2024, 08:45:49 AM #5 Last Edit: November 05, 2024, 12:01:59 PM by Grashopper
Thank you Maurice for your quick response. Please find below my results with your suggested changes.

Quote from: Maurice on November 05, 2024, 01:36:46 AM
Quote from: Grashopper on November 04, 2024, 09:16:20 PM
My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
2  * * *
3  * *^C

The 2nd hop should be the IPv4 NAT64 Interface Address, translated to IPv6. But in your case, this is an RFC1918 address (192.168.239.255) and you're also using the well-known NAT64 prefix (64:ff9b::/96). Under these circumstances, Tayga will refuse to perform a translation.
Just for verification, you could temporarily use a different NAT64 prefix, like 2001:db8:64:ff9b::/96. You should then see a response from the 2nd hop (2001:db8:64:ff9b::192.168.239.255).

I changed the prefix as recommended and get to the 2nd hop now. Result:
>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.170 ms  0.136 ms  0.116 ms
2  2001:db8:64:ff9b::c0a8:efff  0.203 ms  0.117 ms  0.142 ms
3  * * *
4  * * *
....
14  * * *

Quote from: Maurice on November 05, 2024, 01:36:46 AM
The 3rd hop should be OPNsense's upstream IPv4 gateway. If you perform a traceroute 8.8.8.8, does this gateway actually respond?

Yes, the IPv4 gateway responds. Traceroute result:
>> traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
1  MyPublicStaticGatewayIp4 (MyPublicStaticGatewayIp4)  56.294 ms  4.558 ms  4.208 ms
2  195.42.244.69 (195.42.244.69)  4.039 ms  4.045 ms  4.093 ms
3  * * *
dns.google (8.8.8.8)  3.880 ms  3.722 ms  4.169 ms


Regards,
Andreas

Are you sure the 1st hop is your own public IPv4 address? This should be the gateway address.

Do you use hybrid or manual outbound NAT? And can you provide details about the outbound NAT rule you created?

You're right. It is my gateway address.
I am using hybrid outbound NAT. Please see the rule details in attached screenshot.

The outbound NAT rule is incorrect. See the documentation:

Go to Firewall ‣ NAT ‣ Outbound, add a new rule, set Source address to Single host or network, enter your Tayga IPv4 Pool, leave all other settings to their default values and save.

So the interface must be WAN (which should be the default setting when adding a new rule) and the source must be 192.168.240.0/20.

Let me know if you think this should be made more obvious in the how-to.

Cheers
Maurice

The default interface for me was WireGuard, which is probably why I thought that did not make sense and switched to Tayga as the interface (due to a lack of knowledge/understanding of the topic). It was late when I first configured Tayga, which is why I must have swapped the fields for translation and source... :o

I think it would help to highlight/mention that it must be the WAN side. Overall, I think a sample configuration and screenshots would be helpful; but these can also be found in this thread now, thanks to your help :-)

>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from MyIP6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  MyIP6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.139 ms  0.107 ms  0.062 ms
2  2001:db8:64:ff9b::c0a8:efff  0.084 ms  0.099 ms  0.069 ms
3  2001:db8:64:ff9b::1fdc:4201  46.116 ms  4.677 ms  5.398 ms
4  2001:db8:64:ff9b::c32a:f445  4.283 ms  4.029 ms  3.945 ms
5  * * *
6  2001:db8:64:ff9b::808:808  4.284 ms  4.235 ms  4.240 ms

works - yipie 8)

Greetings and many many thanks Maurice for your help and commitment here!
Andreas

Quote from: Grashopper on November 05, 2024, 12:55:29 PM
The default interface for me was wireguard

That's... interesting. I'll add a hint to the how-to that the NAT rule must be added to the WAN interface. Thanks for the heads-up!

Quote from: Grashopper on November 05, 2024, 12:55:29 PM
>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from MyIP6Subnet:dd0f::6464, 64 hops max, 28 byte packets
1  MyIP6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.139 ms  0.107 ms  0.062 ms
2  2001:db8:64:ff9b::c0a8:efff  0.084 ms  0.099 ms  0.069 ms
3  2001:db8:64:ff9b::1fdc:4201  46.116 ms  4.677 ms  5.398 ms
4  2001:db8:64:ff9b::c32a:f445  4.283 ms  4.029 ms  3.945 ms
5  * * *
6  2001:db8:64:ff9b::808:808  4.284 ms  4.235 ms  4.240 ms

works - yipie 8)

Glad it works. And by the way, as long as you use Tayga for Internet access only, there's nothing wrong with using 64:ff9b::/96. You just won't see hops with private IPv4 addresses in traceroutes.

Cheers
Maurice
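To make the address mapping discussed in this thread concrete, here is an added Python example (not code from the thread, Tayga or OPNsense): it embeds and extracts IPv4 addresses for a /96 NAT64 prefix, applies the RFC 6052 rule Maurice refers to (the well-known prefix 64:ff9b::/96 is only valid with globally routable IPv4 addresses, so Tayga will not translate RFC 1918 hops under it), and decodes the hops of a traceroute6 run back to IPv4. The function names are my own; the sample hop lines are copied from the successful traceroute6 earlier in the thread.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix

def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesise the address a v6-only client dials for ipv4 (low 32 bits of a /96 prefix)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled, as in tayga_v6prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Reverse mapping: the IPv4 address carried in a NAT64-synthesised IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)  # raises ValueError for '*' or a hostname
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def translatable(prefix: str, ipv4: str) -> bool:
    """RFC 6052 sec. 3.1: 64:ff9b::/96 only with global IPv4, so RFC 1918 is refused."""
    if ipaddress.IPv6Network(prefix) == WELL_KNOWN_PREFIX:
        return ipaddress.IPv4Address(ipv4).is_global
    return True  # a network-specific prefix such as 2001:db8:64:ff9b::/96 has no such rule

def decode_traceroute(prefix: str, output: str) -> list:
    """Map each traceroute6 hop to its IPv4 address where the hop lies inside the NAT64 prefix."""
    hops = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header or blank line
        try:
            hops.append((int(parts[0]), extract_ipv4(prefix, parts[1])))
        except ValueError:
            hops.append((int(parts[0]), parts[1]))  # native IPv6 hop, hostname or '*'
    return hops

# Hop lines copied from the successful run in this thread (prefix 2001:db8:64:ff9b::/96).
SAMPLE_TRACE = """\
1  MyIP6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.139 ms  0.107 ms  0.062 ms
2  2001:db8:64:ff9b::c0a8:efff  0.084 ms  0.099 ms  0.069 ms
4  2001:db8:64:ff9b::c32a:f445  4.283 ms  4.029 ms  3.945 ms
5  * * *
6  2001:db8:64:ff9b::808:808  4.284 ms  4.235 ms  4.240 ms
"""

if __name__ == "__main__":
    print(embed_ipv4("64:ff9b::/96", "140.82.114.3"))  # 64:ff9b::8c52:7203
    print(decode_traceroute("2001:db8:64:ff9b::/96", SAMPLE_TRACE))
```

Hop 2 decodes to 192.168.239.255 (tayga_v4destination) and hop 4 to 195.42.244.69, the same router seen in the plain IPv4 traceroute; translatable("64:ff9b::/96", "192.168.239.255") returns False, which is why that hop stayed silent under the well-known prefix.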