Raspberry Pi NAT64/DNS64 router

I am currently experimenting running an IPv6 only WLAN at work, so thought I’d try experimenting at home. Whereas at work we have a CSR1000v to perform the NAT64 and a separate Linux VM for DNS64, the config below details combining both functions on a Raspberry Pi (RPi).

The topology looks like this:

apt-get install bind9 tayga


allow-hotplug eth0
iface eth0 inet static
iface eth0 inet6 static
  address 2001:470:6ba8:aaa1::64
  netmask 64

DNS64 is performed by the bind9 service. Using the config below if a user device requests a AAAA and one does not exist, it appends the IPv4 address to the defined 2001:470:1111:6464::/96 prefix. So querying raven.ecs.soton.ac.uk ( actual returns 2001:470:1111:6464::984e:4601 .


options {
  directory "/var/cache/bind";
  forwarders {;
  dnssec-validation auto;
  auth-nxdomain no;
  listen-on-v6 { any; };
  allow-query { any; };

  dns64 2001:470:1111:6464::/96 {
    clients { any; };

To ensure that DNS requests are handled by the server itself.


nameserver localhost

Tayga provides the NAT64 function. It listens for packets with the prefix 2001:470:1111:6464::/96 stripping the last 32 bits and converting them back into an IPv4 address. The IPv6 source address is mapped to an IPv4 address from the Tayga IPv4 pool. The connection is then forwarded via IPv4 using the IPv4 pool address as the source…NAT64.

The Tayga process also configures iptables to perform a masquerade of the pool address to the RPi’s eth0 interface.


tun-device nat64
prefix 2001:470:1111:6464::/96





You could configure the topology such that all traffic is routed via the RPi, but the configuration below that only traffic destined for the NAT64 goes to the RPi.

1841 router

interface FastEthernet0/0
ip address
ip nat inside
ipv6 address 2001:470:1111:AAA1::1/64
interface FastEthernet0/1
ip address
ip nat outside
ip nat pool outside_pool prefix-length 24
ip nat inside source list inside_hosts interface FastEthernet0/1 overload
ip route
ipv6 route 2001:470:1111:6464::/96 2001:470:1111:AAA1::64
ip access-list standard inside_hosts
  deny any log

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: