NAT64 for servers ()
This post details the setup of the additional steps required to deploy a IPv6-only server bedind NAT64 with Tayga.
This post uses the documentation prefix (
replace this with your own prefix.
This can be a ULA prefix.
The basis is explained in a post by Luuk Hendriks.
The goal is to reach an IPv6-only webserver behind a dual stack router. This is done by using NAT64 on a third device to reach the server.
IPv4 IPv4 Internet ────── Router ────── Tayga IPv6 │ │ IPv6 └────────── Server IPv6
In this case, the Router is an Edgerouter Lite and the Tayga and webserver are running on the same physical device in separate LXC containers.
The main difference in the setup is that I use Unbound instead of PowerDNS.
The configuration is really simple, in
server: module-config: "dns64 validator iterator" dns64-prefix: 2001:db8:64::/96
For the two-way NAT, the Tayga configuration requires static-mappings:
# Main config tun-device nat64 prefix 2001:db8:64::/96 ipv4-addr 10.64.0.1 dynamic-pool 10.64.0.0/24 data-dir /var/spool/tayga # Static mappings map 10.64.0.10 2001:db8::10 # Server 1 map 10.64.0.11 2001:db8::11 # Server 2
I have used a subnet (
2001:db8:64::/96) above as prefix.
This allow access to local (RFC1918) IPv4 addresses through NAT64.
If this is not needed, use the Well-Known Prefix:
The mapping is simple: create an IPv4 address inside the dynamic pool and map that to the IPv6 address that needs to be reached.
In a regular setup, the IPv4 range is only required internally on the host running Tayga.
For this setup, however, the
10.64.0.0/24 range needs to be routed to the device running Tayga.
Just like the linked post, I use an Edgerouter. The following route needs to be added:
set protocols static route 10.64.0.0/24 next-hop 10.0.0.64 distance 1
10.0.0.64 is the IPv4 address of the device running Tayga.
After this route is setup, it should be possible to ping the devices mapped in Tayga.
If the mappings work, it should now be possible to forward ports to the mapped addresses. For a webserver this would be:
edit port-forward rule 10 set description "HTTP(S)" set forward-to address 10.64.0.10 set original-port 80,443 set protocol tcp
If everything went well the webserver should now be reachable from the IPv4-WAN address, while only having an IPv6 address.
I have not noticed any drawbacks to this setup except for performance. The results of some measurements from a computer in my network to the server show that the NAT transition has a performance of about 250 Mbps.
This means that the main bottleneck is the performance of Tayga, though this only matters with internet connections faster than 250 Mbps.