vrajendran (Staff)
Article Id 192858
Description
This article describes how to set up Internet access for an IPv6-only client network using NAT64 and DNS64.
NAT64 is used together with DNS64: DNS64 synthesizes IPv6 (AAAA) records from IPv4 (A) records by embedding the IPv4 address in the NAT64 prefix, so that an IPv6-only client obtains a destination address the NAT64 gateway can translate.
The client host obtains its IPv6 address via Stateless Address Autoconfiguration (SLAAC) from the FortiGate's router advertisements.

Solution
Diagram

Client Host (IPV6 Stateless autoconfig)
|
| IPv6 network (2001:1:2:3::/64)
|
[Port2 - 2001:1:2:3::1/64]
FortiGate
[Port1 - 172.31.18.63/22]
|
Internet IPv4


Configuration CLI (only relevant parts)

1) Interfaces. The allowaccess lists below are lab settings: on a production unit, restrict management access to the protocols actually needed and remove telnet and http, which carry credentials in cleartext.
# config system interface
    edit "port1"
        set vdom "root"
        set ip 172.31.18.63 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
            # config ipv6
                set ip6-allowaccess ping https ssh http telnet
                set ip6-address 2001:1:2:3::1/64
                set ip6-send-adv enable
                set ip6-other-flag enable
                    # config ip6-prefix-list
                        edit 2001:1:2:3::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    end
2) Enable NAT64 globally. The default NAT64 prefix is the RFC 6052 well-known prefix 64:ff9b::/96; the IPv4 destination is carried in the last 32 bits of the synthesized address.
# config system nat64
    set status enable
end
3) Enable a recursive DNS server on the client-facing interface (port2) so that the FortiGate can perform DNS64 (A to AAAA record synthesis). The client must use the port2 address (2001:1:2:3::1) as its DNS server; a client that resolves names elsewhere will never receive addresses inside the NAT64 prefix.
# config system dns-server
    edit "port2"
        set mode recursive
    next
end
4) Create an IPv4 IP pool that supplies the translated source address for outgoing IPv4 traffic (here the port1 address itself).
# config firewall ippool
    edit "exit-pool4"
        set startip 172.31.18.63
        set endip 172.31.18.63
    next
end
5) Create a firewall address object for the internal IPv6 network.
# config firewall address6
    edit "internal-net6"
        set ip6 2001:1:2:3::/64
    next
end
6) Create the NAT64 policy (policy64) from port2 to port1, sourcing the translated traffic from the IP pool. Note that in FortiOS 7.0 and later the separate policy64 table no longer exists and NAT64 is configured in a regular firewall policy with "set nat64 enable".
# config firewall policy64
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "internal-net6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "exit-pool4"
    next
end
Verification.

The client host obtains an IPv6 address via SLAAC. The interface identifier a00:27ff:fe00:5bc1 is the EUI-64 form of the MAC address 08:00:27:00:5b:c1, which confirms the address was built from the prefix advertised on port2.
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:00:5b:c1 
          inet6 addr: 2001:1:2:3:a00:27ff:fe00:5bc1/64 Scope:Global
The client host uses the FortiGate (port2) as its DNS server. It can resolve an IPv4-only Internet hostname because the FortiGate synthesizes an AAAA record from the A record: the last 32 bits of 64:ff9b::d83a:d864 are d8.3a.d8.64, i.e. 216.58.216.100.
$ host www.google.com
www.google.com has address 216.58.216.100
www.google.com has IPv6 address 64:ff9b::d83a:d864
The client host has IPv6 connectivity to 64:ff9b::d83a:d864: the FortiGate matches the destination against the NAT64 prefix, translates the packets to IPv4 and sends them out port1 with the exit-pool4 address as source.
$ ping6 64:ff9b::d83a:d864
PING 64:ff9b::d83a:d864(64:ff9b::d83a:d864) 56 data bytes
64 bytes from 64:ff9b::d83a:d864: icmp_seq=1 ttl=49 time=139 ms
64 bytes from 64:ff9b::d83a:d864: icmp_seq=2 ttl=49 time=143 ms
64 bytes from 64:ff9b::d83a:d864: icmp_seq=3 ttl=49 time=139 ms
^C
--- 64:ff9b::d83a:d864 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
The client host can now browse the IPv4 Internet.

Related Articles

Technical Note : Changing NAT64 prefix