The transition to IPv6 has been long and slow. We have reached a stage where many networks are dual-stack, supporting both IPv4 and IPv6. But dual-stack is not the end game. The final picture is to support only IPv6, making everything easy again with only one set of firewall rules, one set of routing tables, one set of everything.
The Real World
But in the real world, IPv4 is going to be with us for a long time. There will be inexpensive devices, such as IoT devices, which will be IPv4-only.
So how do we transition to IPv6-only, which will make everything easier to manage (only having one set of things to manage), and still have a small number of IPv4-only devices on the network?
The answer to this real world problem is to support IPv4-as-a-Service (IPv4aaS). Create islands, or corners of IPv4 support where you need it, while running the bulk of the network as IPv6-only.
But there is no compatibility between IPv4 and IPv6, so how is this done? Through Transition Technologies such as 464XLAT (v4 to v6 to v4 Translation Technology).
NAT64, the v6 gateway to the v4 Internet
Before digging into IPv4aaS, let’s review the NAT64 transition technique. If you have set up an IPv6-only network without NAT64, then you have discovered that while you can get to many things on the internet, there is much you can’t access. Sadly, there are many web sites which are still IPv4-only. Almost all of the Canadian Government’s web sites fall in this category.
So there is a need to access both IPv4 and dual-stack web sites on your IPv6-only network. A NAT64 will translate your IPv6 packets to IPv4. It works in conjunction with DNS64, a special server which translates IPv4 addresses to synthesized IPv6 addresses.
Host N6 will make a DNS query for Host N4 to the DNS64 server, which returns a synthesized IPv6 address of 64:ff9b::c000:201. Host N6 will use this address as the destination address, sending the packet to the NAT64 (router). The NAT64 device will look at the last 32 bits of the IPv6 address and convert them to a 32-bit IPv4 address (C0 00 02 01 = 192.0.2.1), and the packet will be sent on the IPv4 network to host N4.
The reverse path works similarly to NAT44: the NAT64 box maintains a table, and translates/forwards an IPv6 packet to Host N6.
Create an IPv4 Island on your IPv6-only network
What if you want to manage an IPv4-only device from your IPv6-only network?
Using a small OpenWrt router, it is possible to create a small dual-stack island network.
OpenWrt 19.07.x supports jool, a really useful v4<->v6 translation tool. Using OpenWrt defaults, it will automatically extend your IPv6 network using DHCPv6-PD, assigning a prefix, and by default DHCPv4 will also be enabled on the br-lan ports. But IPv4 won’t be able to go anywhere, for now.
Install Jool on OpenWrt IPv4 island router
Use the web GUI or CLI to install jool:
opkg update
opkg install kmod-jool jool-tools
Using your own IPv6 address plan, add the following to /etc/rc.local above the last line. If the br-lan already has Prefix Delegation, then I recommend using that prefix and adding another quibble of 4444 to make it easily recognized as an IPv4 network.
# jool rev nat64 conf
modprobe jool
jool -6 2001:db8:8011:fda4:4444::/96 --force
Reboot the router, or just run rc.local.
Access an IPv4-only host on the Island Network
Now any IPv4-only device is accessible from your IPv6-only network. Let’s start with ping. For a device with the IPv4 address of 192.168.38.109, I just prepend the prefix that was placed in the
From my IPv6-only network:
$ ping 2001:db8:8011:fda4:4444::192.168.38.109
PING 2001:db8:8011:fda4:4444::192.168.38.109(2001:db8:8011:fda4:4444:0:c0a8:266d) 56 data bytes
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=1 ttl=63 time=3.04 ms
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=2 ttl=63 time=10.3 ms
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=3 ttl=63 time=10.5 ms
^C
--- 2001:db8:8011:fda4:4444::192.168.38.109 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.044/7.926/10.463/3.454 ms
Note that ping will convert the odd-looking IPv6 address (with a dotted decimal last 32 bits) to a more common hexadecimal IPv6 address.
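The /96 mapping from the NAT64 walk-through (64:ff9b::c000:201 = 192.0.2.1) and the island prefix used in the ping above can be computed in both directions. The following is an added example, not part of the original article; the names synthesize, extract and RFC1918 are this example's own, and the sample addresses in the demo loop are constructed. The reverse lookup is handy when IPv6 addresses in firewall or flow logs need to be tied back to the IPv4-only device behind the translator.

```python
import ipaddress

WKP = "64:ff9b::/96"                       # Well-Known Prefix (RFC 6052)
ISLAND = "2001:db8:8011:fda4:4444::/96"    # island prefix from this article
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.ip_network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net.version != 6 or net.prefixlen != 96:
        raise ValueError("only /96 IPv6 prefixes are handled here")
    # RFC 6052 section 3.1: the WKP must not represent non-global IPv4
    # space. Only RFC 1918 is checked, so the article's documentation
    # address 192.0.2.1 is still accepted.
    if net == ipaddress.ip_network(WKP) and any(v4 in n for n in RFC1918):
        raise ValueError(f"{v4} is private; use a network-specific prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def extract(prefixes, ipv6):
    """Map an IPv6 address back to (prefix, IPv4), or None if no prefix matches."""
    addr = ipaddress.IPv6Address(ipv6)
    for prefix in prefixes:
        if addr in ipaddress.ip_network(prefix):
            return prefix, ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    print(synthesize(WKP, "192.0.2.1"))
    print(synthesize(ISLAND, "192.168.38.109"))
    # Constructed sample: destination addresses as they might appear in a flow log
    for dst in ("2001:db8:8011:fda4:4444::c0a8:266d", "64:ff9b::c000:201", "2001:db8::1"):
        print(dst, "->", extract([WKP, ISLAND], dst))
```

The private-address check shows why the island uses its own prefix rather than 64:ff9b::/96: the Well-Known Prefix is not meant to carry RFC 1918 addresses such as 192.168.38.109.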
Doing more than Ping
By default, OpenWrt forwards pings, but if you want to do more, you will need to open some ports on the firewall. The web GUI works well, or you can add the following to the /etc/config/firewall file, which will forward port 22 (ssh) and 80 (web) to the br-lan. As written, the rule matches any IPv6 source on the wan side and every host on the lan; it is not limited to a management prefix.
config rule
	option dest_port '22 80'
	option src 'wan'
	option name 'ext_mgmt_fwd'
	option family 'ipv6'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'tcp'
Accessing the Internet from the Island Network
Unfortunately, the version of Jool on OpenWrt 19.07.x is too old to implement CLAT (Customer-side Translator), which provides a method to move IPv4 across an IPv6-only network.
Imagine you have an IPv4-only IoT device which also has local management. As we saw, we can get access to that device from our IPv6-only network. But the IoT device may get software updates from the internet. For that, the Network Island router must also implement CLAT.
The method for moving IPv4 across an IPv6-only network is called 464XLAT: take IPv4, move it across the IPv6-only network, and then put it on the IPv4 Internet. This allows poorly written or legacy applications which have IPv4 literals embedded in them to get access to the Internet across an IPv6-only network.
464XLAT has two parts:
- CLAT – the client side, which takes an IPv4 packet and encloses it in IPv6 to cross the IPv6-only network
- PLAT – the provider side (or Internet side), which receives the special IPv6 packet and puts the datagram back into an IPv4 packet for transport onto the IPv4 Internet.
Together the two parts are known as 464XLAT.
Fortunately, our NAT64 server can also serve the function of PLAT. So that part is done.
Implementing CLAT on OpenWrt for the Island Network
Fortunately, CLAT for OpenWrt has been around for several years using another OpenWrt package: 464xlat*. Install the package on your island router like any other software:
opkg install 464xlat
After the install is complete, reboot the router, which will create a
If you are using the Well Known Prefix (WKP) for NAT64 (64:ff9b::/96), then you are done! CLAT is configured, and up and running.
To prove that the IPv4 Internet is accessible from your IPv4 island network, ssh to a device on the island network, and start a ping to Cloudflare’s server 220.127.116.11
Iot$ ping 18.104.22.168
PING 22.214.171.124 (126.96.36.199): 56 data bytes
64 bytes from 188.8.131.52: seq=0 ttl=57 time=31.117 ms
64 bytes from 184.108.40.206: seq=1 ttl=57 time=31.959 ms
64 bytes from 220.127.116.11: seq=2 ttl=57 time=31.608 ms
^C
--- 18.104.22.168 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 31.117/31.561/31.959 ms
Supporting Legacy devices is easy
Create an IPv4 Island Network
Most IPv4-only devices are not high bandwidth, which means a small OpenWrt router such as the GL-iNET Mango can do the job.
Leveraging your existing IPv6-only network and the NAT64/DNS64 services you already have means you are already halfway to supporting 464XLAT. Creating legacy island networks which can be managed from your IPv6-only network removes the last hurdle to moving to IPv6-only everywhere.
By using existing software, 464xlat, on OpenWrt, it is easy to create IPv4-only islands to support legacy devices in your IPv6-only network!
* The new version of OpenWrt, 21.02, will be out in a couple of months, and the newer version of jool will handle both the IPv6->IPv4 access and CLAT functionality. The package 464xlat will no longer be needed.