IPv6-only network with NAT64

With the Turris router you can easily create a network that uses only IPv6. Access to the IPv4 Internet is provided by the NAT64 translation mechanism, which, combined with DNS64, creates the illusion that all content is available over IPv6. An IPv6-only network lets you test, for example, how different devices behave on a network that does not support the outdated IPv4 protocol.

This guide assumes a Turris router with IPv6 connectivity.

Creating an IPv6-only Network

  1. Add a new interface definition to /etc/config/network:
    /etc/config/network
    config interface 'lan6'
            option type 'bridge'
            option proto 'static'
            option ip6assign '60'
            option ip6hint '6660' # optional - part of the address
            option igmp_snooping '0' # disabling multicast traffic filtering inside the bridge solves some problems
  2. Add a new ESSID to your wireless network configuration:
    /etc/config/wireless
    config wifi-iface 'wlan5'
            option device 'radio0'
            option network 'lan6'
            option mode 'ap'
            option ssid 'turris-nat64'
            option encryption 'psk2'
            option key 'IPv6IsDaShit'
  3. You can optionally configure some of the wired interfaces as well, see Dividing the network into different VLANs
  4. Add the lan6 interface to the lan zone of the firewall, or to a similar zone.
  5. Configure router advertisements:
    /etc/config/dhcp
    config dhcp 'lan6'
            option interface 'lan6'
            option ignore '1' # ignore for IPv4 DHCP
            option ra 'server' # send router advertisements
            option dhcpv6 'server' # offers addresses using DHCPv6
  6. Use ifup lan6 to start the interface.
  7. Restart the odhcpd service, for example using /etc/init.d/odhcpd restart
  8. Use wifi to restart Wi-Fi

There should now be a Wi-Fi network that supports only IPv6, with no services available over IPv4. For example, try the page www.nebezi.cz - it should report that you are connected to a network that does not support the older IPv4 protocol.

NAT64 TAYGA daemon

  1. Install the tayga package, for example with opkg install tayga
  2. Insert a new section into the configuration file /etc/config/network. The address range 10.64.0.0/16 can be chosen arbitrarily, but it should not overlap with addresses in other networks. The address 2001:db8:1234::64 should be an address that is routed to your router and is not yet allocated.
    /etc/config/network
    config interface 'nat64'
            option proto 'tayga'
            option ipv4_addr '10.64.0.1'
            option ipv6_addr '2001:db8:1234::64'
            option prefix '64:ff9b::/96'
            option dynamic_pool '10.64.0.0/16'
  3. Add the nat64 interface to the lan zone of the firewall, or to a similar zone that contains the interface the clients connect to. It is important that the firewall does not block forwarding (FORWARD) of packets between the interfaces in the zone.
  4. Restart the router, or at least the network subsystem with /etc/init.d/network restart (this is necessary for netifd to load support for tayga)
  5. Verify that TAYGA is running by pinging the IPv4 and/or IPv6 address specified in the configuration.
  6. Verify that translation works by running ping6 against a translated IPv4 address, for example ping6 64:ff9b::8.8.8.8
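
The test address in step 6 works because 64:ff9b::8.8.8.8 is simply the IPv4 address 8.8.8.8 placed in the last 32 bits of the configured prefix (RFC 6052); DNS64 builds such addresses and the NAT64 translator reverses the mapping. The Python sketch below is an added example, not part of the original guide or of TAYGA; it goes beyond the /96 case used on this page to the other prefix lengths RFC 6052 allows, and the function names are illustrative.

```python
import ipaddress

# RFC 6052 section 2.2: for each allowed prefix length, the byte positions (0-15)
# that carry the four IPv4 octets. Byte 8 (the "u" octet) is always skipped.
_V4_OFFSETS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}

def _offsets(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in _V4_OFFSETS:
        raise ValueError(f"RFC 6052 does not allow a /{net.prefixlen} NAT64 prefix")
    return net, _V4_OFFSETS[net.prefixlen]

def synthesize(ipv4, prefix="64:ff9b::/96"):
    """Return the IPv6 address DNS64 would build for an IPv4 address (A -> AAAA)."""
    net, offsets = _offsets(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(offsets, ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix="64:ff9b::/96"):
    """Return the IPv4 destination behind a translated address, or None if the
    address lies outside the NAT64 prefix (native IPv6, not translated)."""
    net, offsets = _offsets(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[pos] for pos in offsets))

if __name__ == "__main__":
    # Constructed sample values; 2001:db8:122::/48 is a documentation prefix.
    print(synthesize("8.8.8.8"))                          # 64:ff9b::808:808
    print(extract("64:ff9b::8.8.8.8"))                    # 8.8.8.8
    print(synthesize("192.0.2.33", "2001:db8:122::/48"))  # 2001:db8:122:c000:2:2100::
    print(extract("2001:db8:1234::64"))                   # None
```

extract() is useful when reading firewall or connection logs from the IPv6-only network, since it recovers the real IPv4 destination behind a translated address.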

DNS64

Using Google Public DNS64

The easiest option is to use Google Public DNS64.

  1. To use Google Public DNS64, just add its address to the configuration file:
    /etc/config/dhcp
    config dhcp 'lan6'
            option interface 'lan6'
            option ignore '1' # ignore for IPv4 DHCP
            option ra 'server' # send router advertisements
            option dhcpv6 'server' # offers addresses using DHCPv6
            list dns '2001:4860:4860::6464'
  2. Restart the odhcpd service, for example using /etc/init.d/odhcpd restart

Using DNS64 in Unbound

It only works on Turris 1.x

DNS64 is also available in the Unbound validating DNS resolver, which is a standard part of TurrisOS on Turris 1.x routers. The disadvantage is that it can only be enabled globally. Once activated, DNS64 is therefore also performed for the dual-stack network, which, given the limited performance of the TAYGA NAT64 daemon, can lead to suboptimal router performance.

  1. To activate DNS64 in Unbound, create a new file with the following content:
    /etc/unbound/unbound-dns64.conf
    server:
            module-config: "dns64 validator iterator"
            dns64-prefix: 64:ff9b::/96
  2. This file must then be inserted into the configuration:
    /etc/config/resolver
    config resolver 'unbound_includes'
            list include_path '/etc/unbound/unbound-dns64.conf'
  3. Restart resolver

Using DNS64 in Knot DNS resolver

It only works on Turris Omnia

DNS64 is also available in the Knot DNS resolver, which is a standard part of TurrisOS on Turris Omnia routers. The disadvantage is that it can only be enabled globally. Once activated, DNS64 is therefore also performed for the dual-stack network, which, given the limited performance of the TAYGA NAT64 daemon, can lead to suboptimal router performance.

  1. To activate DNS64 in the Knot DNS resolver, create a new file with this content:
    /etc/kresd/dns64.conf
    modules.load('dns64')
    dns64.config('64:ff9b::')
  2. This file must then be included in the configuration:
    /etc/config/resolver
    config resolver 'kresd'
            option include_config '/etc/kresd/dns64.conf'
  3. Restart the resolver

Using a separate DNS resolver in a container

You can also run a separate DNS resolver instance with DNS64 inside an LXC container. This makes it possible to assign a DNS server with DNS64 functionality only to the IPv6-only network.

Testing

Try http://www.test-ipv6.cz. You should get full points and a note that NAT64 has been detected.