NAT64 and 464XLAT on ROS how-to

Here is a working NAT64 solution for homelab folks wanting to experiment with IPv6-only, or whose provider only offers IPv6 with IPv4 over CG-NAT. Full 464XLAT operation is achieved when the client devices include a CLAT, such as Apple devices. This solution does require the ISP to provide an IPv4 address, so it won't work if the provider is IPv6-only and doesn't provide NAT64 in their network; I've read that some do. My network is a fairly typical dual-stack setup where my ISP offers CG-NATed IPv4...

MikroTik community forum

@pcdog @jana @merlin
Running #IPv6only and #IPv6mostly in my home for 2 years now.
Currently playing with RFC9762 for Android, which just works if you have enough address space.

Even experimented with #NAT64 off-site to disable legacy protocol on my CPE.

Currently contributing to upcoming RFCs on this topic, as well as ironing out bugs in odhcpd and luci #OpenWrt

Work laptop (Win11) sits in an #IPv6only subnet. Only needed some tricks for the VPN to work correctly. 😄 Looking forward to CLAT.

@cr

* Dual Stack
* Double Firewall Rules

I prefer, whenever possible, IPv6 only...

#IPv6 #nat64

@nuintari It's been interesting to try #IPv6only with #NAT64 these past few months after running dual stack on home, office and datacenter networks for nearly two decades. I've rarely ever encountered NAT64 except in special circumstances (e.g. FOSDEM).

It's been interesting to see what breaks, e.g. #Tor

Most stuff is fine, except where someone has half-enabled #IPv6

One of the annoyances with #NAT64 is that when some site publishes an #IPv6 AAAA record, but their IPv6 server is down and the IPv4 server is up, there's no "happy eyeballs" fallback to IPv4. Because the AAAA record exists, #DNS64 doesn't provide a mapping to IPv4.

It can be worked around by manually adding an /etc/hosts entry for the broken site.

Today's broken site is www.fsf.org. Hey @fsf - your IPv6 server is refusing connections 😉

Great, the website of the airport of Zürich doesn't work on #ipv6 even though www.flughafen-zuerich.ch resolves to an ipv6 address (via a couple of CNAMEs). That's the worst type of #ipv6 fail, because it also breaks #dns64 and #nat64 on my ipv6 only network.

One of the main problems in the transition to #IPv6 only is people running their #mailserver on #IPv4.

I could #NAT64 my own #mail servers pretty easily, but inbound #smtp is the only #protocol for which I found no way to run multiple servers behind e.g. #haproxy.

All the web stuff could easily be run behind 1 IPv4 and haproxy.

Looks like there is no working solution for multiple smtp port 25 servers behind a #reversed #proxy

Finished the first net of my new PI /48 #IPv6 as an #IPv6only WLAN with #NAT64 / #DNS64 using #pfSense #NAT64 and a small #Bind VM serving the #DNS64 while still using the #pihole forwarders, so blocking is also working on the WLAN.

Works really well connected to 3 uplinks through #Wireguard and #Bird #BGP + #FRR #BGP + #OSPF here.

Need to renumber from the PA /48 to make the routing between the two locations easier.

Bind can exclude e.g. 10/8 from mapping, so RFC 1918 through the tunnel works great too.

And yes, using NAT64 technically goes against the spirit of No-NAT November, but the alternative would be to stop myself from using half of the internet for 30 days without learning anything other than which websites and services break without IPv4, which gets boring very quickly.

Either way, the next thing I want to look at is PREF64, as well as building a CLAT on operating systems that don't natively support them, in case they run software relying on hard-coded IPv4 addresses. 😎

#IPv6 #NAT64

Edit

The following blog post was very inspiring for me, thanks @alexhaydock for sharing this. :)

https://blog.infected.systems/posts/2024-12-01-no-nat-november/

No NAT November: My Month Without IPv4

Huh ... just enabled DNS64 and DHCP option 108 on my OPNsense to see if my phones would enable their CLAT, guessing that I would need to do more work, but it just works™️.

The iPhone reports 192.0.0.3 as its IPv4 and 192.0.0.1 as gateway, and the Android doesn't show any IPv4 (but 255.0.0.0 as next hop in traceroute?).

Either way, that's another two IPv6-only devices, I'm actually making progress. 😁

#IPv6 #NAT64