5 days ago

IPv6 only LAN with NAT64 router for Internet #server #ipv6 #nat #ipv4 #nat64

6 days ago
3 weeks ago

Safari on iOS 16.6 is still not capable of using the CLAT portion the OS sets up in a 464XLAT compatible network.

The caveats mentioned in still apply. Configuring DNS64 is still a no-no for various reasons.

#mrmcd23 #464xlat #nat64

2 months ago

Workaround is to use a #NAT64... But the ball is still in #Github's court... How can "the" code hosting platform not support #IPv6?

Jonatan Steuernagel
3 months ago

As always, things didn't go as smoothly as I had hoped.
2 additional discoveries:

1. The #macOS and #iOS #CLAT engine seems to randomly stop working after some time? The interface still exists, but I can't reach IPv4 addresses anymore. #NAT64 is still available and working though. Haven't yet seen the issue on #Android.

2. Apple Homepods also have CLAT! They just decided to go IPv6-only, which I only noticed because #Homeassistant couldn't connect to them anymore.

Jonatan Steuernagel
3 months ago

I've successfully installed a #NAT64 server and a #DNS64 Bind9 server in my homelab.
I set the DHCP Option 108 and observed my #iOS and #Android devices immediately going #IPv6-only and enabling their #CLAT engine.

The most surprising part though was that #macOS did the same.
I've read online multiple times that it also requires an option in the Router Advertisement, which I currently can't set. But no, it didn't need it and also started CLAT.
Now if only #Windows would do the same...

Jonatan Steuernagel
4 months ago

Uuh, maybe I should also play around with Tayga and doing some #NAT64 for #IPv6 myself.
Maybe an #IPv6 only homelab network could actually be in my future, even without the rest of the world getting their shit together 😶

Thomas Schäfer
4 months ago

TIL: Well known #nat64 prefix and rfc1918 addresses work together, at least in Android (clat) and jool(plat).👍

NLnet Labs
5 months ago

The #NAT64 support that has been contributed to the Unbound project has now been merged into the main branch. #DNS #OpenSource


Could be useful on IPv6-only VPSes.

/cc [ #IPv6 | #DNS64 | #NAT64 | #DNS | #bookmark 🔖 ]

Sly Gryphon
6 months ago

Using an #ipv6 only mobile #iot network and want to connect to #azure #iothub? Not a problem if you have a carrier like #telstra (Australia) that supports #nat64, as in my recent blog article using the #nordic #thingy91

NLnet Labs
7 months ago

Curious what's coming up in the next release of your favourite #DNS resolver? #Unbound #EDE #SVCB #NAT64 #OpenSource

Sebastian Hagedorn :koeln:
8 months ago

So far we have only deployed #IPv6 in dual-stack mode. I really want to push for IPv6-only now, but I'm not sure if we have all the necessary pieces in place. We can set up #DNS64 on our #Infoblox cluster, but I'm not sure if any of our Cisco routers are actually capable of doing #NAT64.

Thomas Schäfer
8 months ago

As long as clatd doesn't die, A-records may be useful in some rare circumstances.
I think A-records are bad in #IPv6only #nat64 environments in general.
But thinking is one thing, testing a different one.

Apparently, the code is completely out of sync due to deep refactoring and some enhancements.
I am neither opting for import, nor demanding interoperability, i.e. pfsync(4) working between FreeBSD and OpenBSD, nor do I believe that syntax compatibility is the real issue.
I am only investigating the drive of people suggesting new imports from OpenBSD.
What I am really missing is #NAT64 support, especially since the year 2023 is predicted to be the year of accelerated transition to IPv6.

#FreeBSD and #OpenBSD both have Packet Filter #PF firewalls. From time to time FreeBSD consumers bring up the problem of importing OpenBSD enhancements into FreeBSD, which is no longer possible due to many reworks. What is the audience really missing in FreeBSD's implementation?
I'd bet #IPv6 enthusiasts will choose the first answer, but IMHO #NAT64 demand is not the culprit here.

@revk Yes … AS29670 (Individual Network Berlin e.V.) in this case … our / users can use #NAT64 with the well-known prefix 64:ff9b::/96 and have #DNS64 at 2001:67c:1400:800:53:64::1 and 2001:67c:1400:800:53:64::2

Thomas Schäfer
9 months ago

8 of 17 is less than half😉

One probe is mine 🤗

Stéphane Bortzmeyer @bortzmeyer: Half of the @RIPE Atlas probes with tag "nat64" do not have a working #DNS64 resolver :-( 9:30 PM - 11 Dec 2022

Sly Gryphon
9 months ago

You should set up and run #NAT64 + #DNS64 in your #dualstack environment. Benefits are that it allows #IPv6 only devices a way to connect to IPv4 only servers, and provides valuable experience with IPv6, with no downsides. It does mean that dual stack devices will use NAT64 instead of NAT44, but you are still using NAT either way (and IPv4 devices always have to use NAT). See my article for more details and network diagrams.

@alexband @nlnetlabs
Thank you for the tip about tags for RPZ policies. I haven't read the documentation carefully.
Regarding #NAT64 I was really asking about #DNS64. Tags or views support seems to be missing here. In my case, the L3 switch can announce only one set of DNS servers via RDNSS. It can't be changed per network. So the introduction of such a feature in the upcoming versions of #Unbound might be warmly appreciated, at least on Fediverse. 😃

@nlnetlabs is it possible to use #NAT64 and/or #RPZ only in specific views when both modules: respip and dns64 are loaded into #DNS Unbound? Such a feature might be very useful and appreciated.