OpenWRT for IPv6-only Wifi and NAT64

 NAT64 is one possibility for a realistic early adoption of IPv6-only ... I guess.


 

In addition to professional solutions, I like to use NAT64 in my home network.

In this post, we will cover the steps to get NAT64 up and running using OpenWRT and Jool. The first step is to get an OpenWRT box (you can use a virtual one, if you like), which provides an IPv6-only Wifi "v6-only" and NAT64 using Jool.

I used OpenWRT version 21.02.3 here.

Prerequisites

We are dealing with Global Unicast Addresses (GUA) only, so if OpenWRT isn't your ISP router, as in my example below, you need an IPv6 prefix larger than a /64 (that is, a shorter prefix length).

In Germany, the ISP may change the prefix, which is why it is best practice to have dynamic assignments at all stages. We will need three IPv6 networks (with GUA):

  • you need an assignment from your ISP at the WAN interface of your internet router
  • you need an assignment on the OpenWRT WAN interface
  • you need a /64 network for the LAN side of the OpenWRT

My internet router (AVM FritzBox) is able to use DHCPv6 prefix delegation, which I have activated to use automatic assignments. In my case, it looks like this:


We got 2001:db8:aaaa::/56 from the ISP; it is assigned to the WAN interface of the internet router. OpenWRT requests a /62 prefix (2001:db8:aaaa:bb::/62) via DHCPv6_PD, out of which the 2001:db8:aaaa:b8::/64 prefix is used on the LAN interface of OpenWRT.

Because we want to be able to reach the IPv4 internet with NAT64, we need IPv4 addresses and dual stack on the internet router and the OpenWRT WAN interface.

The IPv4 stuff and DHCPv6_PD will be done by OpenWRT by default, so you don't have to configure that.

OpenWRT-Interfaces

Info: OpenWRT calls Layer-3 "Interface" and Layer-2 "Device".

Before you can connect OpenWRT to your LAN, you have to do some configuration. OpenWRT is reachable via 192.168.1.1, login root, password password. Of course, you should configure a secure password first.

Look at your client's IP configuration to find the link-local IPv6 address of the OpenWRT, which sets itself as a gateway using EUI64 for its interface identifier.

You can access OpenWRT at this link-local address fe80::<EUI64 IID> by browser or ssh, and that is a really good idea.

OpenWRT connection

You have to connect an OpenWRT WAN port to your LAN/internet router.

Jool

Now, we have to install Jool. Please go to the System, Software tab and click on Update lists and search for jool:

Of course, you have to install both packages.

You can install Jool via the command line too: first enter opkg update to get the list of packages, then install Jool with opkg install kmod-jool jool-tools.

From this point, we have to use an ssh connection to configure Jool. Please connect to OpenWRT using SSH and log in as root with your new, secure password.

Load jool:

modprobe jool

Add an instance to Jool:

jool instance add --netfilter --pool6 64:ff9b::/96

That's it. It follows the minimal setup described on the Cheat Sheet. If you want to have a look:

jool instance display 

shows you something like this:

Wifi

The wifi part is quite easy, because you only have to activate wifi from the wireless menu. Be careful: OpenWRT has no password/WPA key set by default.

You can skip the wifi part and use LAN connection instead.

Test

Connect your client to the v6-only wifi (or by cable) and ping:

ping -6 64:ff9b::8.8.8.8

If it works, you could disable IPv4 for your client and manually tweak the DNS settings to a public DNS64 service. But wait: No! Follow my tweak-post.

Important!!! NAT64 isn't working from OpenWRT itself. This means, you can't ping6 64:ff9b::8.8.8.8 from OpenWRT, you have to test on a client.
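
The address used in the test, 64:ff9b::8.8.8.8, is the IPv4 address embedded in the last 32 bits of the pool6 prefix (RFC 6052). The following is an added example, not part of the original post, that builds and decodes such addresses for a /96 pool6, which is useful when reading firewall logs or packet captures on the v6-only side. The function names are my own, and the sample addresses are constructed.

```python
import ipaddress

# Well-known NAT64 prefix, the --pool6 value used in this post.
POOL6 = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, pool6=POOL6):
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052, no suffix)."""
    if pool6.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(pool6.network_address) | int(v4))


def extract(ipv6, pool6=POOL6):
    """Return the embedded IPv4 address, or None if ipv6 is outside pool6."""
    if pool6.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in pool6:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def wkp_allowed(ipv4):
    """RFC 6052 section 3.1: the well-known prefix 64:ff9b::/96 must not be
    used to represent non-global IPv4 addresses (RFC 1918 and similar)."""
    return ipaddress.IPv4Address(ipv4).is_global


if __name__ == "__main__":
    # Constructed sample destinations as they might appear in a capture.
    for dst in ("64:ff9b::808:808", "64:ff9b::c0a8:101", "2001:db8:aaaa:b8::1"):
        v4 = extract(dst)
        if v4 is None:
            print(f"{dst}: not a NAT64 address in {POOL6}")
        else:
            note = "global" if wkp_allowed(v4) else "non-global, not valid with 64:ff9b::/96"
            print(f"{dst}: translates to {v4} ({note})")
    print("ping target for 8.8.8.8:", synthesize("8.8.8.8"))
```

Most tools print the address in its compressed hexadecimal form, so the ping target above appears as 64:ff9b::808:808 in logs.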

Persistence

If you like Jool, you should put these two lines into /etc/rc.local:

modprobe jool

jool instance add --netfilter --pool6 64:ff9b::/96

It will start and configure Jool on startup.
