Today pfSense does not support NAT64, although you can track feature request #2358 in Redmine.
In this how-to I will show you how to set up NAT64 for an IPv6-only LAN using TAYGA, with pfSense as the edge router.
The topology I am using below looks like this. Replace the IPs with the associated IP addresses on your network.
- pfSense v4 IP: 10.1.1.1
  The pfSense IPv4 gateway on your network
- pfSense v6 IP: 2001:4:1f:98::1
  The pfSense IPv6 gateway on your network
- TAYGA device IPv4: 10.1.1.3
  An IPv4 address that the Debian machine uses
- TAYGA device IPv6: 2001:4:1f:98::2
  An IPv6 address that the Debian machine uses
- TAYGA tunnel IPv4: 192.168.64.1 (dynamic pool: 192.168.64.0/24)
  An IPv4 tunnel address outside the range of any subnet handled by pfSense. I used 192.168.64.0/24, but you can choose anything you'd like.
- TAYGA tunnel IPv6: 2001:db8:1::2 (prefix: 64:ff9b::/96)
  Similar to the prior tunnel subnet, except that the prefix we are using is the RFC 6052 well-known prefix, which is also the one used by the public Google DNS64 service.
Step 1 – Setup TAYGA
This should be done on a basic Debian Linux installation. It could be a physical machine or a virtual machine; in my case I used a VM.
Assign it a static IPv4 and IPv6 address. Modify
allow-hotplug eth0
iface eth0 inet static
    address 10.1.1.3
    netmask 255.255.255.0
    gateway 10.1.1.1
iface eth0 inet6 static
    address 2001:4:1f:98::2
    netmask 64
    gateway 2001:4:1f:98::1
    dns-nameservers 2001:4:1f:98::1
Install the tayga Debian package.
sudo apt-get install tayga
Modify /etc/tayga.conf and set the following options.
tun-device nat64
ipv4-addr 192.168.64.1
ipv6-addr 2001:db8:1::2
prefix 64:ff9b::/96
dynamic-pool 192.168.64.0/24
Modify /etc/default/tayga as follows. This will automatically create the static routes and the TUN interface for you on reboot.
RUN="yes"
CONFIGURE_IFACE="yes"
CONFIGURE_NAT44="yes"
DAEMON_OPTS=""
IPV4_TUN_ADDR=""
IPV6_TUN_ADDR=""
Modify /etc/sysctl.conf to allow the system to forward IPv4 and IPv6 packets, as tayga essentially acts as a router / translator.
Now reboot your Debian machine. When it comes back up you should see a new, configured interface called nat64.
Step 2 – Setup pfSense
There are two more things that need to happen. First, DNS AAAA queries for A-only domains need to be answered with synthesized NAT64 addresses. Second, your network needs to know how to route those addresses through tayga.
From the pfSense webConfigurator, go to Services / DNS Resolver.
Click the button that says Display Custom Options.
Inside the Custom options box, enter the following.
module-config: "dns64 validator iterator"
dns64-prefix: 64:ff9b::/96
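To see what the DNS64 option above and the tayga prefix actually do with an address, here is a small added Python helper (not part of the original post, of Unbound or of TAYGA). It synthesizes and reverses the 64:ff9b::/96 mapping from RFC 6052 and checks that the dynamic pool stays outside the LAN subnet; the LAN subnet 10.1.1.0/24 is an assumption taken from the 10.1.1.x addresses in the topology.

```python
import ipaddress
from typing import List, Optional

# Values from the how-to above: the RFC 6052 well-known prefix configured in
# both Unbound (dns64-prefix) and tayga.conf (prefix), and tayga's dynamic pool.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
DYNAMIC_POOL = ipaddress.IPv4Network("192.168.64.0/24")
# Assumed: the pfSense LAN subnet, inferred from the 10.1.1.x addresses.
LAN_V4 = ipaddress.IPv4Network("10.1.1.0/24")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """What DNS64 does for an A-only name: embed the IPv4 address in the low
    32 bits of the /96 prefix. RFC 6052 forbids embedding non-global IPv4
    addresses (RFC 1918 etc.) in the well-known prefix, so refuse those."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout used in this how-to is handled")
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{v4} is not a global IPv4 address")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """The reverse mapping tayga performs on a packet sent to the prefix.
    Returns None when the address is outside the prefix, i.e. the static
    route in pfSense would not send it to the tayga box at all."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def check_pool(pool: ipaddress.IPv4Network = DYNAMIC_POOL,
               lan_subnets=(LAN_V4,)) -> List[str]:
    """The how-to requires the dynamic pool to be outside every subnet pfSense
    handles; otherwise the static route for the pool would shadow real hosts."""
    return [f"dynamic pool {pool} overlaps {lan}"
            for lan in lan_subnets if pool.overlaps(lan)]


if __name__ == "__main__":
    print(synthesize("8.8.8.8"))              # 64:ff9b::808:808
    print(extract("64:ff9b::808:808"))        # 8.8.8.8
    print(check_pool() or "pool OK")
```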
We also need a firewall rule that allows traffic from 192.168.64.0/24 out of the LAN interface.
In pfSense go to Firewall / Rules. Select your LAN interface. Add a new rule with the following properties.
Action: Pass
Address Family: IPv4
Protocol: Any
Source: Network 192.168.64.0/24
Destination: Any
The final firewall setting you may want to change in pfSense is under System / Advanced / Firewall & NAT.
The following option is needed; otherwise some traffic is filtered by the pfSense firewall, and things like Zoom.us video calls and WebSocket connections will drop and reconnect constantly.
Static route filtering: Bypass firewall rules for traffic on the same interface (check this box)
Now we need to add the static routes so that the RFC 6052 prefix and the IPv4 pool are routed back to the Debian machine running tayga.
Once again in pfSense go to System / Routing.
Let's create two new gateways, both on the LAN interface: one with the IP 10.1.1.3 and the other with the IP 2001:4:1f:98::2.
Next, let's create three static routes.
Route #1 – IPv4 pool
Destination network: 192.168.64.0 / 24
Route #2 – IPv6 prefix
Destination network: 64:ff9b:: / 96
Route #3 – IPv6 Tunnel Address
Destination network: 2001:db8:1::2
Ready to test
We are now ready to test! Go to the following URL.
If it is working, that site should load and say "NAT64 detected".
There are services, such as Google's Chromecast, that do not yet work with NAT64. But Apple is pushing hard for all apps to be NAT64-compatible, so it's only a matter of time before we can run our local networks v4-free!