NAT64 for servers

3 minutes read time

This post details the setup of the additional steps required to deploy a IPv6-only server bedind NAT64 with Tayga.

This post uses the documentation prefix (2001:db8::/32), replace this with your own prefix. This can be a ULA prefix.

The basis is explained in a post by Luuk Hendriks.


The goal is to reach an IPv6-only webserver behind a dual stack router. This is done by using NAT64 on a third device to reach the server.

          IPv4          IPv4
Internet ────── Router ────── Tayga
          IPv6    │             │ IPv6
                  └────────── Server

In this case, the Router is an Edgerouter Lite and the Tayga and webserver are running on the same physical device in separate LXC containers.


The main difference in the setup is that I use Unbound instead of PowerDNS. The configuration is really simple, in /etc/unbound/unbound.conf.d/dns64.conf:

  module-config: "dns64 validator iterator"
    dns64-prefix: 2001:db8:64::/96


For the two-way NAT, the Tayga configuration requires static-mappings:

# Main config
tun-device   nat64
prefix       2001:db8:64::/96
data-dir     /var/spool/tayga

# Static mappings
map 2001:db8::10 # Server 1
map 2001:db8::11 # Server 2

I have used a subnet (2001:db8:64::/96) above as prefix. This allow access to local (RFC1918) IPv4 addresses through NAT64. If this is not needed, use the Well-Known Prefix: 64:ff9b::/96.

The mapping is simple: create an IPv4 address inside the dynamic pool and map that to the IPv6 address that needs to be reached.


In a regular setup, the IPv4 range is only required internally on the host running Tayga. For this setup, however, the range needs to be routed to the device running Tayga.

Just like the linked post, I use an Edgerouter. The following route needs to be added:

set protocols static route next-hop distance 1

Where is the IPv4 address of the device running Tayga.

After this route is setup, it should be possible to ping the devices mapped in Tayga.

Port forwards

If the mappings work, it should now be possible to forward ports to the mapped addresses. For a webserver this would be:

edit port-forward rule 10
set description "HTTP(S)"
set forward-to address
set original-port 80,443
set protocol tcp

If everything went well the webserver should now be reachable from the IPv4-WAN address, while only having an IPv6 address.

Final notes

I have not noticed any drawbacks to this setup except for performance. The results of some measurements from a computer in my network to the server show that the NAT transition has a performance of about 250 Mbps.


This means that the main bottleneck is the performance of Tayga, though this only matters with internet connections faster than 250 Mbps.