NAT64 issue on VyOS latest version

Dear Team

I am using the latest version of VyOS and trying to configure NAT64, but I am not able to ping or take RDP of any IPv4 address from inside the system where I am using an IPv6 private IP address.

Please help me to get this resolved. Below is my configuration.

eth1 is WAN interface
eth2 is my LAN interface

eth1 IP address is 115.166.136.50/24 and IPv6 address is 2407:e9c0:1::60/48
eth2 IP address is fdeb:b39a:29f8:bfd5::1/64

set service dns forwarding allow-from fdeb:b39a:29f8:bfd5::/64
set service dns forwarding dns64-prefix '64:ff9b::/96'
set service dns forwarding listen-address fdeb:b39a:29f8:bfd5::1/64

set service dns forwarding listen-address fdeb:b39a:29f8:bfd5::1
set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '115.166.136.50'
set nat64 source rule 100 translation pool 10 port '1-65535'

I followed everything according to your latest document. I still don’t know how your NAT64 configuration will translate IPv6 to IPv4 with your above configuration.

Was that config working on older versions of VyOS?
The config that I’m using and that is working is super simple.

# NAT64
set nat64 source rule 1 source prefix '64:ff9b::/96'

# DNS64
set service dns forwarding allow-from '2001:db8:a002::/64'
set service dns forwarding cache-size '20000'
set service dns forwarding dns64-prefix '64:ff9b::/96'
set service dns forwarding listen-address '2001:db8:a002::1'
set service dns forwarding name-server 2620:fe::9
set service dns forwarding name-server 2620:fe::fe
set service dns forwarding port '53'

Actually, on the old version I used 1.2.0, but currently I am using 1.4.0.

My config is as below:

set interfaces ethernet eth1 address 115.166.136.50/24
set interfaces ethernet eth1 address 2407:e9c0:1::60/48
set interfaces ethernet eth1 description WAN
set interfaces ethernet eth2 address fdeb:b39a:29f8:bfd5::1/64
set interfaces ethernet eth1 description LAN

set service dns forwarding allow-from fdeb:b39a:29f8:bfd5::/64
set service dns forwarding dns64-prefix '64:ff9b::/96'
set service dns forwarding listen-address fdeb:b39a:29f8:bfd5::1
set service dns forwarding name-server 2620:fe::9
set service dns forwarding name-server 2620:fe::fe
set service dns forwarding port '53'
set service dns forwarding cache-size '20000'

set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '115.166.136.50'
set nat64 source rule 100 translation pool 10 port '1-65535'

NAT64 client configuration:-

IP = fdeb:b39a:29f8:bfd5::50
Gateway = fdeb:b39a:29f8:bfd5::1
DNS = fdeb:b39a:29f8:bfd5::1

On Windows system terminal:

C:\Users\Administrator> ping 8.8.8.8
PING: transmit failed. General failure
PING: transmit failed. General failure
PING: transmit failed. General failure
PING: transmit failed. General failure

Here I am trying to ping the IPv4 Google DNS but getting the above response, even though internet is working inside the server.

Still, from my system which is behind the firewall I am getting internet, and I am able to ping Google as well, but I am unable to ping any public IPv4 address.

Can you please make and share the NAT64 config according to my configuration, or please share your working configuration so that I can get the idea from it?

Please share your whole firewall configuration with LAN and WAN interfaces and the NAT64 configuration, so I can get the idea from it.

Windows currently only supports 464XLAT for WWAN connections. So you would need to ping 64:ff9b::8.8.8.8 instead.
macOS as of v13 supports 464XLAT natively. On Linux you need to make sure you have clatd installed.

Dear Artooro

I am able to ping 64:ff9b::8.8.8.8 and also able to ping 64:ff9b::103.205.69.10, but how can I take remote access of the server 103.205.69.10, which is located at another location, from the system where I am using IPv6?

From an IPv4 system I am able to access the RDP of 103.205.69.10, but from the IPv6-configured system which is behind the VyOS firewall I am only able to ping via the command 64:ff9b::103.205.69.10. How can I take remote from the IPv6 system?

I have achieved it till here and am able to ping 64:ff9b::103.205.69.10, but I want to access the IPv4 server 103.205.69.10 from the IPv6-configured system.

What should I do next?

Does it not work to simply put 64:ff9b::103.205.69.10 into your RDP client?

No, it's not working. I am able to ping via the command "ping 64:ff9b::103.205.69.10", but I want to get remote access of this IPv4 public IP from the system using an IPv6 address.

Am I missing something?

Can you please let me know how you can get SSH or RDP access of any IPv4 server from the system using an IPv6 address?

103.205.69.10 is my public IP, which is located at another location, and I am only able to access it where an IPv4 IP is configured, but not from the IPv6-configured system.

What else can I do to achieve this? Otherwise there is sense of NAT64 on VyOS.

It sounds to me like it’s just your Windows firewall on the remote machine not allowing the RDP connection. Because you can ping it but not RDP.

No, I am able to take RDP from the system where an IPv4 address is configured, but not able to take RDP where an IPv6 IP is configured. Please understand my architecture.

I have a VyOS firewall where I configured IPv6 with the NAT64 configuration. Just behind this VyOS firewall I have one system where I configured an IPv6 address. VyOS is the gateway for this system to reach the internet.

My IPv6-configured system's internet is working fine, meaning everything is working inside my system, but from this same system I am unable to reach any IPv4 public IP, meaning any IPv4 public IP wherever it is.

As you said, I tried to ping via the command "ping 64:ff9b::103.205.69.10". I am able to ping any IPv4 public IP via this command, but unable to take the remote (RDP) or SSH of any IPv4 address from the same system where I am using an IPv6 address.

NAT64 is working, therefore I am able to ping the IPv4 public IP address via the command "ping 64:ff9b::103.205.69.10".

How will NAT64 work to get the remote (RDP) access of the same IPv4 address from the system where an IPv6 IP is configured and VyOS is the gateway for it?

I hope now you understand my architecture.

Hi, please update???

Try removing the translation pool as there is no point to using it in your config. I had issues when trying to use a translation pool on an interface with just a single IP.

Dear Artooro

As you suggested removing the “translation pool”, I have removed it, but I am still not able to get RDP access of my IPv4 server from inside the system using an IPv6 address.

We are able to telnet the RDP port of the IPv4 address via the below command from the system where I am using an IPv6 address:

telnet 64:ff9b::103.205.69.10 9296

My question to you: how can you access the RDP of any IPv4 system from a system using an IPv6 address?

I am able to telnet the RDP port 9296 via the above command, but how can I get the system remotely?

Have you ever faced this kind of issue, or have you guys just tried ping connectivity to an IPv4 address from an IPv6 system?

Update please, Artooro??

Any update, Artooro??

This topic was automatically closed after 14 days. New replies are no longer allowed.
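
The thread reaches IPv4 hosts by writing them inside the 64:ff9b::/96 prefix, which is the mapping DNS64 performs automatically for hostnames. The following is an added example, not part of the original posts and not VyOS code: it performs that mapping by hand (RFC 6052, /96 case) for the addresses quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# RFC 6052 well-known prefix, the one configured for nat64/dns64 in the thread.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # RFC 6052 section 3.1: the well-known prefix must not be used for
    # non-global IPv4 addresses (RFC 1918 space, loopback, link-local).
    if prefix == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; use a network-specific prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=WKP):
    """Recover the IPv4 destination the translator will connect to."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is outside {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def endpoint(ipv4, port):
    """Bracketed IPv6 literal for fields that take host:port in one string."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"[{synthesize(ipv4)}]:{port}"


if __name__ == "__main__":
    # Addresses and port taken from the thread.
    for host in ("8.8.8.8", "103.205.69.10"):
        print(host, "->", synthesize(host))
    # The mixed notation typed in the thread is the same 128-bit address.
    print(extract("64:ff9b::103.205.69.10"))
    print(endpoint("103.205.69.10", 9296))
```

The dotted form typed in the thread and the hexadecimal form printed here are the same address; the brackets matter only where an address and a port share one field, since an unbracketed IPv6 literal followed by `:port` is ambiguous.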