Raspberry Pi NAT64/DNS64 router

I am currently experimenting running an IPv6 only WLAN at work, so thought I’d try experimenting at home. Whereas at work we have a CSR1000v to perform the NAT64 and a separate Linux VM for DNS64, the config below details combining both functions on a Raspberry Pi (RPi).

The topology looks like this:

linux_dns64_nat64_quagga.png
apt-get install bind9 tayga

/etc/network/interfaces

allow-hotplug eth0
iface eth0 inet static
  address 10.10.64.64
  netmask 255.255.255.0
  gateway 10.10.64.1
iface eth0 inet6 static
  address 2001:470:6ba8:aaa1::64
  netmask 64

DNS64 is performed by the bind9 service. Using the config below if a user device requests a AAAA and one does not exist, it appends the IPv4 address to the defined 2001:470:1111:6464::/96 prefix. So querying raven.ecs.soton.ac.uk (152.78.70.1) actual returns 2001:470:1111:6464::984e:4601 .

/etc/bind/named.conf.options

options {
  directory "/var/cache/bind";
  forwarders {
    8.8.8.8;
  };
  dnssec-validation auto;
  auth-nxdomain no;
  listen-on-v6 { any; };
  allow-query { any; };

  dns64 2001:470:1111:6464::/96 {
    clients { any; };
  };
};

To ensure that DNS requests are handled by the server itself.

/etc/resolv.conf

nameserver localhost

Tayga provides the NAT64 function. It listens for packets with the prefix 2001:470:1111:6464::/96 stripping the last 32 bits and converting them back into an IPv4 address. The IPv6 source address is mapped to an IPv4 address from the Tayga IPv4 pool. The connection is then forwarded via IPv4 using the IPv4 pool address as the source…NAT64.

The Tayga process also configures iptables to perform a masquerade of the pool address to the RPi’s eth0 interface.

/etc/tayga.conf

tun-device nat64
ipv4-addr 10.64.64.1
prefix 2001:470:1111:6464::/96
dynamic-pool 10.64.64.0/24

/etc/default/tayga

RUN=”yes”

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

You could configure the topology such that all traffic is routed via the RPi, but the configuration below that only traffic destined for the NAT64 goes to the RPi.

1841 router

!
interface FastEthernet0/0
ip address 10.10.64.1 255.255.255.0
ip nat inside
ipv6 address 2001:470:1111:AAA1::1/64
!
interface FastEthernet0/1
ip address 10.10.10.100 255.255.255.0
ip nat outside
!
ip nat pool outside_pool 10.10.10.32 10.10.10.64 prefix-length 24
ip nat inside source list inside_hosts interface FastEthernet0/1 overload
!
ip route 10.64.64.0 255.255.255.0 10.10.64.64
ipv6 route 2001:470:1111:6464::/96 2001:470:1111:AAA1::64
!
ip access-list standard inside_hosts
  permit 10.10.64.0 0.0.0.255
  deny any log
!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: