Trying to design a IPv6 only home network. NAT64+DNS64+464XLAT

Hardware Hub Networking
1

After reading some documentation I understand the following:

  1. Most IPv4 infrastructure can be reached from an IPv6 network via NAT64+DNS64.
  • DNS64 wil synthesise a “AAAA” for IPv4 only websites by appending the “64:ff9b:: / 96” to their IPv4 addresses and NAT64 knows how to route it.
  • Both of these can be setup on opnsense via plugins
     
  1. Most modern OS support 464XLAT (and auto enable it).
  • With 464XLAT the OS auto assigns a IPv4 address for itself and tunnels traffic on this IPv4 over the network’s IPv6 interface. So they client applications don’t even know that they are on IPv6 only network.

Infrastructure:

  • I plan on running a DNS64 server (also with AAAA-only mode enabled) via Unbound DNS on opnsense.
  • Configure all servers/clients on my network to use opnsense’s DNS server
  • Switch to Mullvad VPN for clients (they native IPv6).

Open Question:

  1. If some guest connects to my local network and their machine is configured to use just “8.8.8.8” or “8.8.8.8 / 2001:4860:4860::8888 /
    2001:4860:4860::8844” as default DNS? They won’t be able to reach the IPv4 infrastructure on the internet, correct?
  2. I am guessing many IoT distos like (raspbian, motioneye) do support native IPv6 and/or 464XLAT out of the box …?
2

@sainiabr I have heard of Nat 64, but not 464XLAT. Could you explain what it is and what purposes it serves.

3

What is the need for NAT at all?

On IP4 we need NAT as we do not have enogh IPs for all devices. IP6 does not have this problem; that’s why IP6 was created in thr first place.

4

@TObject I am no expert, but when you have a network that is only ipv6 you can setup Nat 64 , so you can run ipv4 address.

1 Like
5

Correct but you could use DNS Hijacking:

But I’m not sure if this will work if a client has a hardcoded ipv4 dns server.

Btw. Mullvad uses dns hijacking by default, be sure to set it up properly:

Edit: And of course if you setup Mullvad on your router you also need to setup a natv6 since you only get a /128 ip from mullvad.

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#configuring-ipv6

Edit 2: I‘m also not sure if SOCKS5 multihop will work on ipv6 only, at least on my end the urls only translate to 10.64.x.x ipv4 addresses.

7

This is the reason.

nat64 isn’t nat in the traditional aspect (mapping 1 IPV4 address to another ipv4 or multiple ipv4 addresses), it’s translation between ipv4 and ipv6.

ipv4 and ipv6 do not talk to each other, you need to translate between them.

1 Like
8

@thro thanks for fixing my mistake. The way nat64 work is the way I thought it worked. My internet servce provider just add ipv6 to my area like two weeks ago. I haven’t had time to implement yet, have to many other projects to do
first.

9

Anyone who has ipv6 available, unless you’re trying to do this out of curiosity, I’d suggest to just run dual stack and let the ISP handle it.

If you don’t want inbound ipv4 just firewall it off at your router, but trying to run ipv6 only is probably more trouble than its worth for most people - unless, as above - its out of curiosity to see if you can :slight_smile:

I’ve been running dual stack ipv6 for about 10 years now, the only real complication is just to make sure you permit the required ipv6 ICMP types on your firewall. blocking everything inbound can break ipv6 MTU discovery, etc.

1 Like