
Support NAT64
Open, Wishlist, Public, Feature Request

Description

We would love to see NAT64 support in VyOS. This would allow us to run everything on IPv6 internally while being able to talk to IPv4 hosts outside of our network.

Here are some unmaintained implementations:
http://www.litech.org/tayga/
http://ecdysis.viagenie.ca/

This one seems to have been updated last year:
https://bitbucket.org/xHire/wrapsix

This one is maintained and seems to have the most features:
https://www.jool.mx/en/index.html

Details

Difficulty level
Normal (likely a few hours)

Event Timeline

F21 created this task. Sep 18 2016, 11:29 PM
syncer triaged this task as Wishlist priority. Sep 19 2016, 10:21 AM
syncer added a project: VyOS 1.1.x (1.1.8).
syncer added a subscriber: VyOS 1.1.x (1.1.8).

The last one seems to be really interesting - it's a kernel module, should be fast and so on.

@mickvav @dmbaturin @EwaldvanGeffen
Should we write to the jool developers?
It looks pretty nice.

syncer edited subscribers, added: VyOS 1.2 Crux; removed: syncer, dmbaturin, EwaldvanGeffen and 2 others.

I've just tested TAYGA installed on VyOS 1.2 (Beta) and it seems to work fine even though there is no configuration for it in VyOS.

I just followed the instructions to add Jessie distribution to VyOS install and then said "apt-get update" and then "apt-get install tayga" and it installed it.

Then I configured /etc/tayga/default.conf and then started it with "systemctl enable tayga" and "systemctl start tayga" and tested it out and it seemed to work fine.

Well, I think I can some day do some things on adding this to the CLI, if someone points me to a known-working config for this feature. Am I right that this IPv4-IPv6 NAT cannot be implemented with the iptables/ip6tables stuff? If netfilter can already do it, it's much better to do these things in the kernel (as with netflow, in my opinion).

@dsummers jool seems to be kernel-level and tayga seems to be userspace-level. The first one should be faster, and I expect packet loss in the second one at high packet rates.

I've been running Tayga on a debian box for the last year or so and have not noticed any performance problems, but I haven't compared Tayga with Jool.

In my previous comment I was just commenting that Tayga was working fine *now* with VyOS 1.2 (Beta) rather than having to wait for some other implementation.

I've got a couple of uses for it that I could use right now so was trying to come up with something quick.

I suspect they both have the same functionality, as long as Jool is stateless and can do both dynamic and static mappings.

As long as they both have same functionality I don't care which is chosen for VyOS, but Tayga seemed a faster way to get there for now.

The last nine months or so I've been running Tayga on VyOS Beta 1.2 (latest versions) in my production network.

This enabled me to go from three separate routers (debian (for NAT64), VyOS, PfSense) down to two separate routers (VyOS, PfSense).

Step 1: Follow the Wiki instructions on how to update/install packages on VyOS Beta 1.2.

Step 2: apt-get install tayga

Step 3: Edit the /etc/default/tayga and change to RUN="yes".

Step 4: Use the following /etc/tayga.conf file (modified for your own network):

#
# Sample configuration file for TAYGA 0.9.2
#
# Modify this to use your own addresses!!
#

#
# TUN device that TAYGA will use to exchange IPv4 and IPv6 packets with the
# kernel.  You may use any name you like, but `nat64' is recommended.
#
# This device may be created before starting the tayga daemon by running
# `tayga --mktun`.  This allows routing and firewall rules to be set up prior
# to commencement of packet translation.
#
# Mandatory.
#
tun-device nat64
#
# TAYGA's IPv4 address.  This is NOT your router's IPv4 address!  TAYGA
# requires its own address because it acts as an IPv4 and IPv6 router, and
# needs to be able to send ICMP messages.  TAYGA will also respond to ICMP
# echo requests (ping) at this address.
#
# This address can safely be located inside the dynamic-pool prefix.
#
# Mandatory.
#
ipv4-addr 10.X.Y.1

#
# TAYGA's IPv6 address.  This is NOT your router's IPv6 address!  TAYGA
# requires its own address because it acts as an IPv4 and IPv6 router, and
# needs to be able to send ICMP messages.  TAYGA will also respond to ICMP
# echo requests (ping6) at this address.
#
# You can leave ipv6-addr unspecified and TAYGA will construct its IPv6
# address using ipv4-addr and the NAT64 prefix.
#
# Optional if the NAT64 prefix is specified, otherwise mandatory.  It is also
# mandatory if the NAT64 prefix is 64:ff9b::/96 and ipv4-addr is a private
# (RFC1918) address.
# 
#ipv6-addr 2001:XXX:YYYY:6:ffff::2

#
# The NAT64 prefix.  The IPv4 address space is mapped into the IPv6 address
# space by prepending this prefix to the IPv4 address.  Using a /96 prefix is
# recommended in most situations, but all lengths specified in RFC 6052 are
# supported.
#
# This must be a prefix selected from your organization's IPv6 address space
# or the Well-Known Prefix 64:ff9b::/96.  Note that using the Well-Known
# Prefix will prohibit IPv6 hosts from contacting IPv4 hosts that have private
# (RFC1918) addresses, per RFC 6052.
# The NAT64 prefix need not be specified if all required address mappings are
# listed in `map' directives.  (See below.)
#
# Optional.
#
prefix 2001:XXX:YYYY:64::/96
# prefix 64:ff9b::/96

#
# Dynamic pool prefix.  IPv6 hosts which send traffic through TAYGA (and do
# not correspond to a static map or an IPv4-translatable address in the NAT64
# prefix) will be assigned an IPv4 address from the dynamic pool.  Dynamic
# maps are valid for 124 minutes after the last matching packet is seen.
#
# If no unassigned addresses remain in the dynamic pool (or no dynamic pool is
# configured), packets from unknown IPv6 hosts will be rejected with an ICMP
# unreachable error.
#
# Optional.
#
dynamic-pool 10.X.Y.0/24

#
# Persistent data storage directory.  The dynamic.map file, which saves the
# dynamic maps that are created from dynamic-pool, is stored in this 
# directory.  Omit if you do not need these maps to be persistent between
# instances of TAYGA.
#
# Optional.
#
data-dir /var/spool/tayga

#
# Establishes a single-host map.  If an IPv6 host should be consistently
# reachable at a specific IPv4 address, the mapping can be specified in a
# `map' directive.  (IPv6 hosts numbered with an IPv4-translatable address do
# not need map directives.)
#
# IPv4 addresses specified in the `map' directive can safely be located inside
# the dynamic-pool prefix.
#
# Optional.
#

# map 10.X.Y.3 2001:XXX:YYYY::3

Step 5: mkdir /var/spool/tayga

Step 6: systemctl enable tayga

Step 7: systemctl start tayga

Step 8: Test by pinging an IPv6-mapped IPv4 address

ping6 2001:XXX:YYYY:64::8.8.8.8

syncer assigned this task to dmbaturin. May 27 2018, 9:14 AM
pasik added a subscriber: pasik. Oct 1 2018, 9:54 AM

Wiki instructions for system package settings now seem to be gone.

Probably because system package settings are no longer supported.

Edit /etc/apt/sources.list file contents to contain:
deb http://httpredir.debian.org/debian jessie main contrib non-free # jessie #

Then:
apt-get update
apt-get install tayga

If you want a better NAT64 solution, take a look at jool (http://jool.mx/en/index.html).

syncer changed the subtype of this task from "Task" to "Feature Request". Oct 19 2018, 9:14 AM

jool 4.0.0 has been released.
http://jool.mx/en/index.html

jool 4.0 added "JOOL" as iptables target.
Doesn't that make sense for VyOS?
For example, I think the iptables configuration script can be diverted.

TriJetScud added a subscriber: TriJetScud. Edited Feb 18 2019, 9:45 AM

To be fair, the things we need to make this work are:

  1. Debianize Jool along with the kernel module as a dkms package
  2. Implement the configuration either in Perl or the newer Python
  3. Operational commands to display the status of NAT64

Alfa80 added a subscriber: Alfa80. May 12 2019, 1:38 PM

I'm thinking about trying to run either tayga or jool as a docker container inside of VyOS. Has anyone tried something like this? If I wrote a guide on how to do this I wonder if it would be an OK temporary solution until it's integrated into VyOS.

maznu added a subscriber: maznu. Sep 23 2019, 3:38 PM
danfaulknor added a subscriber: danfaulknor.