Tune your NAT64

If you followed my last post, you now have NAT64 up and running. The downside of that solution is that you have to manually disable IPv4 on your client and configure public DNS64 servers.


 

That is quite uncool, because if you change networks, the client with disabled IPv4 ends up in a network without NAT64. You will still receive NAT64-prefixed AAAA records, but those websites are not reachable for you, because no router does the NAT64 😕
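This failure mode can be checked from the client: per RFC 7050, the name ipv4only.arpa has only A records, so any AAAA answer for it proves that the resolver in use does DNS64 and reveals the NAT64 prefix. The following is an added example, not part of the original post; it assumes a /96 prefix such as the well-known 64:ff9b::/96, and the function names and sample answers are constructed for illustration.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has only the A records 192.0.0.170 and 192.0.0.171,
# so every AAAA answer for that name was synthesized by a DNS64 resolver.
WELL_KNOWN_V4 = {int(ipaddress.IPv4Address(a)) for a in ("192.0.0.170", "192.0.0.171")}


def discover_nat64_prefixes(ipv4only_aaaa):
    """Derive the NAT64 prefix(es) from AAAA answers for ipv4only.arpa.

    Assumption: /96 prefixes only (IPv4 address in the last 32 bits).
    An empty result means the resolver in use does no DNS64 synthesis.
    """
    prefixes = set()
    for text in ipv4only_aaaa:
        value = int(ipaddress.IPv6Address(text))
        if (value & 0xFFFFFFFF) in WELL_KNOWN_V4:
            # Clear the low 32 bits to get the network address of the /96.
            prefixes.add(ipaddress.IPv6Network(((value >> 32) << 32, 96)))
    return sorted(prefixes)


def embedded_ipv4(aaaa, prefixes):
    """Return the IPv4 address a synthesized AAAA record points to, or None
    if the record is native IPv6 and does not depend on a NAT64 gateway."""
    addr = ipaddress.IPv6Address(aaaa)
    if any(addr in prefix for prefix in prefixes):
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


# Constructed sample answers (not captured from a real network).
SAMPLE_IPV4ONLY_AAAA = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
SAMPLE_SITE_AAAA = ["64:ff9b::c633:6407", "2001:db8::1"]

if __name__ == "__main__":
    prefixes = discover_nat64_prefixes(SAMPLE_IPV4ONLY_AAAA)
    print("DNS64 active, prefixes:", [str(p) for p in prefixes])
    for record in SAMPLE_SITE_AAAA:
        v4 = embedded_ipv4(record, prefixes)
        note = f"needs NAT64 to reach {v4}" if v4 else "native IPv6"
        print(f"{record}: {note}")
```

If a prefix is found but a synthesized address cannot be reached, the client is using DNS64 on a network whose router does not translate.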

Rollback client

First, you can rollback all configurations (IPv4 disabled, DNS entries) to default. That means:

  • enable IPv4
  • set DNS entries to automatic

Enhance OpenWRT

Because we don't want IPv4 in our IPv6-only network 😏, we disable DHCPv4 on the LAN interface.

From the General Settings tab, switch over to the DHCP tab, General Setup. Enable Ignore interface, because we don't need DHCP.

In the IPv6 Settings sub-tab, enter these two Cloudflare public DNS64 servers (or any others):
  • 2606:4700:4700::64
  • 2606:4700:4700::6400 (it seems that the last one is the preferred DNS)

After every tab, click Save; after all steps, click Save & Apply.
If not already done, you can configure Wireless if you like. I do that with the SSID v6-only.
When I am connected to the v6-only Wi-Fi, my client has no IPv4 (except the non-working IPv4 APIPA).

Using the command line (optional)

Maybe some of you don't want to mess around with LuCI, the web interface of OpenWRT. Here are the relevant snippets of the config files:
/etc/config/network
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.178.1' # this is the IPv4 of the internet router
        option broadcast '192.168.1.255'
        list dns '192.168.178.1'
        list dns_search 'box'
        option ip6assign '64'
        option ip6ifaceid '::2'


/etc/config/dhcp
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ignore '1'
        list dns '2606:4700:4700::64'
        list dns '2606:4700:4700::6400'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

/etc/config/wireless
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan' # this is the important part, but it's the default
        option mode 'ap'
        option ssid 'v6-only'
        option encryption 'sae-mixed'
        option key '<very secret pw>'
        option wpa_disable_eapol_key_retries '1'

 
