Using multiple NAT64 rules and NAT64 with route policies

Hi everyone,

I have a question about NAT64 behavior. On VyOS (2025.05.25-0022-rolling), I have the following configuration:

set nat64 source rule 100 source prefix 'fd00:1000:0001::/96'
set nat64 source rule 200 source prefix 'fd00:1000:0002::/96'

With this configuration, only one rule (100) works. ICMP to the address fd00:1000:0001::10.0.0.1 (rule 100) succeeds, but ICMP to fd00:1000:0002::10.0.0.1 (rule 200) does not. However, if I remove rule 100, then rule 200 starts working and ICMP to fd00:1000:0002::10.0.0.1 succeeds.

Question: Is it possible to use multiple NAT64 source rules at the same time?

And a second question: Is it possible to use a route policy together with NAT64? That is, after a packet is processed by a NAT64 rule, can it then be handled by a route policy?

At first glance, it looks like a bug or a limitation of Jool.
The generated configuration should be in /run/jool/instance/xxx.json.
It would be nice to have a diagram and a minimal configuration to reproduce it.

Thanks for the reply. In the /run/jool/instance directory, there are two files: instance-100.json and instance-200.json.

Their contents are:

{
  "instance": "instance-100",
  "framework": "netfilter",
  "global": {
    "pool6": "fd00:1000:0001::/96",
    "manually-enabled": true
  }
}

{
  "instance": "instance-200",
  "framework": "netfilter",
  "global": {
    "pool6": "fd00:1000:0002::/96",
    "manually-enabled": true
  }
}

Here is the network scenario:

VyOS2 sends an ICMP request to 10.0.0.1 (translated as fd00:1000:0001::10.0.0.1).

These packets reach VyOS1, which routes them to an L2TP client (192.168.10.2).

Again, rule 100 works correctly — ICMP reaches the destination.

However, rule 200 does not work when rule 100 is present.

For example, an ICMP request to fd00:1000:0002::10.0.0.1 does not go through.

But if I remove rule 100, then rule 200 starts working and the ICMP request to fd00:1000:0002::10.0.0.1 is successful.

VyOS1

set interfaces ethernet eth0 address '100.64.0.2/30'
set interfaces ethernet eth1 address '2001:db8::1/64'
set nat64 source rule 100 source prefix 'fd00:1000:0001::/96'
set nat64 source rule 200 source prefix 'fd00:1000:0002::/96'
set protocols static route 0.0.0.0/0 next-hop 100.64.0.1
set protocols static route 10.0.0.0/24 next-hop 192.168.10.2
set vpn ipsec interface 'eth0'
set vpn l2tp remote-access authentication local-users username client1 password 'password'
set vpn l2tp remote-access authentication local-users username client1 static-ip '192.168.10.2'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool L2TP-POOL range '192.168.10.2-192.168.10.254'
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access gateway-address '192.168.10.1'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secret'
set vpn l2tp remote-access outside-address '100.64.0.2'

VyOS2

set interfaces ethernet eth1 address '2001:db8::2/64'
set protocols static route6 fd00:1000:1::/96 next-hop 2001:db8::1
set protocols static route6 fd00:1000:2::/96 next-hop 2001:db8::1
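As an added example (not code from the thread or from VyOS/Jool), the following script reads instance files like the two dumped above, reports which pool6 covers a given destination and which IPv4 address it embeds (RFC 6052 /96 form), and flags a second Netfilter-framework instance. The flag rests on the assumption, stated here rather than taken from the thread, that Jool accepts only one Netfilter-framework NAT64 instance per network namespace; the file contents below are constructed copies of the two JSON files shown above.

```python
import ipaddress
import json

# Constructed copies of the two files the thread dumps from /run/jool/instance/
# (same content as shown above, without the extra blank lines).
INSTANCE_FILES = {
    "instance-100.json": '{"instance": "instance-100", "framework": "netfilter",'
                         ' "global": {"pool6": "fd00:1000:0001::/96", "manually-enabled": true}}',
    "instance-200.json": '{"instance": "instance-200", "framework": "netfilter",'
                         ' "global": {"pool6": "fd00:1000:0002::/96", "manually-enabled": true}}',
}


def load_instances(files):
    """Parse Jool instance JSON documents into dicts with a parsed pool6 network."""
    instances = []
    for text in files.values():
        doc = json.loads(text)
        instances.append({
            "name": doc["instance"],
            "framework": doc["framework"],
            "pool6": ipaddress.ip_network(doc["global"]["pool6"]),
        })
    return instances


def matching_instances(instances, dst):
    """Names of the instances whose pool6 covers the IPv6 destination address."""
    addr = ipaddress.ip_address(dst)
    return [i["name"] for i in instances if addr in i["pool6"]]


def embedded_ipv4(dst):
    """IPv4 address carried in the low 32 bits of a /96 NAT64 address (RFC 6052)."""
    return ipaddress.ip_address(int(ipaddress.ip_address(dst)) & 0xFFFFFFFF)


def netfilter_conflicts(instances):
    """Netfilter-framework instances beyond the first one.

    Assumption (see lead-in): Jool allows a single Netfilter-framework NAT64
    instance per network namespace, so any name returned here is a candidate
    reason for the second rule never translating anything.
    """
    netfilter = [i["name"] for i in instances if i["framework"] == "netfilter"]
    return netfilter[1:]


INSTANCES = load_instances(INSTANCE_FILES)

if __name__ == "__main__":
    for dst in ("fd00:1000:0001::10.0.0.1", "fd00:1000:0002::10.0.0.1"):
        print(dst, "->", embedded_ipv4(dst), "via", matching_instances(INSTANCES, dst))
    print("extra netfilter instances:", netfilter_conflicts(INSTANCES))
```

On a live router, replace INSTANCE_FILES with the contents read from /run/jool/instance/*.json.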