OpenWRT IPv6: NAT64 dan DNS64 menggunakan BIND
Sumber:
- http://blog.raorn.name/2012/02/ipv6-only-lan-with-dual-stack-openwrt.html
- http://wiki.openwrt.org/doc/howto/ipv6
- http://tech.sybreon.com/2015/05/05/nat64dns64-on-openwrt/
Siapkan OpenWRT yang sudah tercompile di dalam-nya
- tayga
- bind
- kmod netfilter semua di aktifkan
- kmod-tun
Konfigurasi NAT64 interface:
# /etc/config/network
config 'interface' 'nat64'
option 'proto' 'tayga'
option ipv4_addr 192.0.2.1
option ipv6_addr 2001:470:1f09:xxxx::7f00:1
option prefix 64:ff9b::/96
option dynamic_pool 192.0.2.0/24
option accept_ra 0
option send_rs 0
config interface nat64
option proto tayga
option ipv4_addr 192.0.2.1
option ipv6_addr 2001:db8:1::7f00:1
option prefix 64:ff9b::/96
option dynamic_pool 192.0.2.0/24
option accept_ra 0
option send_rs 0
config interface nat64
option proto tayga
option ifname 'tayga-nat64'
option ipv4_addr 192.168.64.1
option prefix fd63:fab9:6ccf:64::/96
option dynamic_pool 192.168.64.0/24
option accept_ra 0
option send_rs 0
dimana:
- 2001:470:1f09:xxxx::/64 adalah IPv6 prefix di LAN
- 192.0.2.0/24 adalah tayga prefix untuk 4-to-6 mappings. Pastikan range IP tersebut tidak digunakan dimanapun dalam jaringan kita.
- 64:ff9b::/96 prefix untuk IPv6-mapped IPv4 addresses.
Konfigurasi yang akan di run ada di
/var/etc/tayga-nat64.conf
Tambahkan nat64 ke lan firewall zone karena kita perlu secara explisit NAT44 packet untuk 4-to-6 inbound connections:
# /etc/config/firewall
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
option 'network' 'lan nat64'
Cek tayga
- Reboot Router
- cek apakah interface nat64 beroperasi
ifconfig
- Coba (ifup nat64 interface dan jalankan firewall rules):
# ping6 -c3 64:ff9b::194.87.0.50 PING 64:ff9b::194.87.0.50(64:ff9b::c257:32) 56 data bytes 64 bytes from 64:ff9b::c257:32: icmp_seq=1 ttl=56 time=3.42 ms 64 bytes from 64:ff9b::c257:32: icmp_seq=2 ttl=56 time=3.35 ms 64 bytes from 64:ff9b::c257:32: icmp_seq=3 ttl=56 time=4.04 ms --- 64:ff9b::194.87.0.50 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2040ms rtt min/avg/max/mdev = 3.354/3.610/4.049/0.319 ms
Kita perlu sebuah source untuk AAAA record untuk hosts yang hanya mempunyai A. Ini disebut DNS64 dan di dukung oleh bind 9.8.0 ke atas.
Modifikasi default named.conf:
# /etc/bind/named.conf
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
directory "/tmp";
auth-nxdomain no; # conform to RFC1035
allow-query { localnets; localhost; };
listen-on { any; };
listen-on-v6 { any; };
dns64 64:ff9b::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
suffix ::;
};
edns-udp-size 512;
max-udp-size 512;
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Semua host di LAN menggunakan bind sebagai nameserver (announced via radvd dan di proses oleh dnssd). Coba:
$ host www.ru www.ru has address 194.87.0.50 www.ru has IPv6 address 64:ff9b::c257:32 www.ru mail is handled by 5 hq.demos.ru. $ host 194.87.0.50 50.0.87.194.in-addr.arpa domain name pointer www.ru. $ host 64:ff9b::c257:32 2.3.0.0.7.5.2.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa is an alias for 50.0.87.194.in-addr.arpa. 50.0.87.194.in-addr.arpa domain name pointer www.ru.
Untuk memberikan IPv4 hosts access ke layanan di IPv6-olny network?
Kita perlu mengkonfigurasi NAT44 ke sebuah address dari tayga dynamic pool:
# /etc/config/firewall
# rule for tayga to create static mapping
config 'nat64'
option 'ipv4_addr' '192.0.2.32'
option 'ipv6_addr' '2001:470:1f09::xxxx::yyyy:zzzz'
# rule for OpenWRT firewall to redirect traffic on port 25
config 'redirect'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_dport' '25'
option 'dest_ip' '192.0.2.32'
option 'target' 'DNAT'
option 'dest' 'lan'
# rule OpenWRT firewall to permit access to port 25 to LAN host
config 'rule'
option 'target' 'ACCEPT'
option 'src' 'wan'
option 'dest' 'lan'
option 'proto' 'tcp'
option 'dest_ip' '2001:470:1f09:xxxx::yyyy:zzzz'
option 'dest_port' '25'
option 'family' 'ipv6'
Last rule is only needed to provide access to my SMTP service via native IPv6. Since nat64 interface belongs to lan firewall zone there's no need to premit traffic from 64:ff9b::/64, it is already done by permitting traffic to 192.0.2.32 (processed by redirect rule).
An now we can see some dirty spammers in maillog:
Feb 17 12:23:31 hell postfix/smtpd[12288]: connect from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1] Feb 17 12:23:31 hell postfix/smtpd[12288]: warning: non-SMTP command from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Referensi
- http://blog.raorn.name/2012/02/ipv6-only-lan-with-dual-stack-openwrt.html
- http://wiki.openwrt.org/doc/howto/ipv6
README for TAYGA v0.9.2
Last updated 2010-12-12
Overview
TAYGA is an out-of-kernel stateless NAT64 implementation for Linux. It uses the TUN driver to exchange packets with the kernel, which is the same driver used by OpenVPN and QEMU/KVM. TAYGA needs no kernel patches or out-of-tree modules, and it is compatible with all 2.4 and 2.6 kernels.
If you're impatient and you know what stateless NAT64 is, you can skip to the Installation & Basic Configuration section.
Stateless versus Stateful NAT64
Most people are familiar with stateful NAT, which allows N:1 address mapping by tracking TCP and UDP sessions and rewriting port numbers on each packet. Most commonly this is used to translate sessions from multiple "internal" hosts (which are numbered with private IPv4 addresses) onto a single global IPv4 address on the NAT device's "external" interface.
Stateless NAT does no such session tracking or port number rewriting. It simply performs a 1:1 substitution of IP addresses using a mapping table provided by the network administrator. For example, an organization whose global address allocation was 198.51.100.0/24 but whose hosts were using addresses in 192.0.2.0/24 could use a stateless NAT to rewrite 192.0.2.1 into 198.51.100.1, 192.0.2.35 into 198.51.100.35, etc, in the outbound direction, and the reverse in the inbound direction. This is commonly done when an organization moves to a new ISP and receives a new IPv4 address delegation of the same size as their old delegation but does not want to renumber their network.
TAYGA and other stateless NAT64 translators operate in this fashion. When translating packets between IPv4 and IPv6, the source and destination addresses in the packet headers are substituted using a 1:1 mapping. This means that, in order to exchange packets across the NAT64, each IPv4 host must be represented by a unique IPv6 address, and each IPv6 host must be represented by a unique IPv4 address. How this mapping is performed is discussed in the next sections.
In situations where stateful NAT64 is required, TAYGA can be used in combination with a stateful IPv4 NAT such as the iptables MASQUERADE target. This allows the administrator a great deal more flexibility than if stateful NAT were implemented directly in TAYGA.
Mapping IPv4 into IPv6
TAYGA maps IPv4 addresses into the IPv6 network according to RFC 6052. This states that a 32-bit IPv4 address should be appended to a designated IPv6 prefix, which we call the NAT64 prefix, and the resulting IPv6 address can be used to contact the IPv4 host through the NAT64.
The NAT64 prefix should be assigned out of a site's global IPv6 address allocation. For example, if a site is allocated 2001:db8:1::/48, the prefix 2001:db8:1:ffff::/96 could be set aside for NAT64. (There are several options for the length of the NAT64 prefix, but a /96 is recommended.) The IPv4 host 198.51.100.10 could then be accessed through the NAT64 using the address 2001:db8:1:ffff::c633:640a. Conveniently, it is possible to use the syntax 2001:db8:1:ffff::198.51.100.10 instead.
RFC 6052 also specifies a Well-Known Prefix 64:ff9b::/96 which can be used for NAT64 service rather than allocating a prefix from the site's IPv6 address block. However, this comes with several restrictions, primarily that hosts with private IPv4 addresses (10.x.x.x, 192.168.x.x, etc) cannot be accessed through the NAT64. See RFC 6052 for more information.
If NAT64 service is needed for only a few hosts instead of the entire IPv4 address space, TAYGA can be configured without a NAT64 prefix, and address maps can be assigned on a host-by-host basis.
Mapping IPv6 into IPv4
Being a stateless NAT, TAYGA requires that a unique IPv4 address is assigned to every IPv6 host that needs NAT64 service. This assignment can be done statically by the network administrator, or dynamically by TAYGA from a pool of IPv4 addresses designated for this purpose.
Static address mapping is desirable for servers or other hosts requiring a well-known address. Statically mapped addresses may be entered into DNS, for example.
Dynamic address mapping allows TAYGA to assign IPv4 addresses to IPv6 hosts as they are needed. By default, these assignments are guaranteed to remain usable for up to two hours after the last packet seen, but they are retained for up to two weeks as long as the address pool does not become empty. Assignments are written to disk so they persist through a restart of the TAYGA daemon, allowing existing TCP and UDP sessions to continue uninterrupted.
(Of course, TAYGA also supports the addressing architecture described in RFC 6052 in which IPv6 hosts are numbered with "IPv4-translatable IPv6 addresses" carved out of the NAT64 prefix.)
Installation & Basic Configuration
TAYGA uses the GNU Automake/Autoconf system, which requires the `configure` script to be run to generate the Makefile prior to building. The --prefix and/or --sysconfdir options can be specified to the configure script to specify the top-level installation path and tayga.conf file directory, respectively.
After unpacking the distribution tar.bz2 file, run:
# ./configure && make && make install
This will install the tayga executable in /usr/local/sbin/tayga and the sample config file in /usr/local/etc/tayga.conf.example.
Next, if you would like dynamic maps to be persistent between TAYGA restarts, create a directory to store the dynamic.map file:
# mkdir -p /var/db/tayga
Now create your site-specific tayga.conf configuration file. The installed tayga.conf.example file can be copied to tayga.conf and modified to suit your site. Here is a sample minimal configuration:
tun-device nat64
ipv4-addr 192.168.255.1
prefix 2001:db8:1:ffff::/96 # replace with a prefix from
# your site's address range
dynamic-pool 192.168.255.0/24
data-dir /var/db/tayga # omit if you do not need persistent
# dynamic address maps
Sebelum memulai TAYGA daemon, setup routing di sistem kita perlu di ubah agar mengirim paket IPv4 dan IPv6 ke TAYGA. Pertama-tama, buat TUN network interface:
# tayga --mktun
If TAYGA prints any errors, you will need to fix your config file before continuing. Otherwise, the new nat64 interface can be configured and the proper routes can be added to your system:
# ip link set nat64 up # ip addr add 2001:db8:1::1 dev nat64 # replace with your router's address # ip addr add 192.168.0.1 dev nat64 # replace with your router's address # ip route add 2001:db8:1:ffff::/96 dev nat64 # from tayga.conf # ip route add 192.168.255.0/24 dev nat64 # from tayga.conf
Firewalling your NAT64 prefix from outside access is highly recommended:
# ip6tables -A FORWARD -s 2001:db8:1::/48 -d 2001:db8:1:ffff::/96 -j ACCEPT # ip6tables -A FORWARD -d 2001:db8:1:ffff::/96 -j DROP
At this point, you may start the tayga process:
# tayga
Check your system log (/var/log/syslog or /var/log/messages) for status information.
If you are having difficulty configuring TAYGA, use the -d option to run the tayga process in the foreground and send all log messages to stdout:
# tayga -d