Setting up NAT64 with IPFW

Hello everyone,

I’ve been trying to set up NAT64 on CORE(/FreeBSD) with IPFW instead of Tayga, but haven’t been able to find any good how-to guides online.

Warning - it’s easy to lock yourself out or break things with IPFW on TrueNAS, so for everyone else, you’ve been warned.

I have set up a little lab environment, which uses the following components:

  • NAT64 FreeBSD 14.1 VM - runs IPFW for stateful NAT64 and Unbound for DNS64
  • IPv6-only FreeBSD 14.1 VM as a NAT64 client
  • ISP Router, runs IPv4 SNAT for the IPv4 NAT64 network

The configuration on the NAT64 VM:

/etc/rc.conf

--- snip ---

# Network
ifconfig_vtnet0="inet 10.1.0.111/24"
ifconfig_vtnet0_ipv6="inet6 2003:____:____:__00::64/64"
ifconfig_vtnet1_ipv6="inet6 2003:____:____:__ff::64/64"
defaultrouter="10.1.0.1"
ipv6_defaultrouter="2003:____:____:__00::1"

# NAT64
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
gateway_enable="YES"
ipv6_gateway_enable="YES"

--- snip ---

/etc/ipfw.rules (could use some work)

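#!/bin/sh
fwcmd="/sbin/ipfw"
# Load the NAT64 kernel module if it is not already loaded
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
# Flush all existing rules
${fwcmd} -f flush
# Recreate the stateful NAT64 instance; prefix4 is the IPv4 pool used for translated connections
${fwcmd} -q nat64lsn NAT64 destroy
${fwcmd} nat64lsn NAT64 create prefix4 192.168.255.0/24 allow_private
# Allow IPv6 neighbor solicitation/advertisement (neighbor discovery)
${fwcmd} add allow icmp6 from any to any icmp6types 135,136
# IPv6 -> IPv4: client traffic addressed to the NAT64 prefix
${fwcmd} add nat64lsn NAT64 ip from 2003:____:____:__ff::/64 to 64:ff9b::/96 in
# IPv4 -> IPv6: return traffic addressed to the IPv4 pool
${fwcmd} add nat64lsn NAT64 ip from any to 192.168.255.0/24 in
# Everything else is allowed
${fwcmd} add allow ip from any to any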

With this configured, the IPv6-only client can now reach IPv4-only resources like github.com.

I would like to now use a similar setup, but inside a TrueNAS CORE jail, possibly with the IPv4 SNAT also done by the NAT64 jail.
AFAIK I have to load the ipfw.ko and ipfw_nat64.ko kernel modules on the host itself, which is easy enough.
The jail has to be a VNET jail, but as I use VNET jails exclusively, this is also easy.

Is there something else I should keep in mind? (except that I could blow up my NAS)
Thanks in advance. 🙂
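
An added example, not part of the original post or the poster's configuration: a Python helper that maps IPv4 addresses into the 64:ff9b::/96 prefix used in the rules above and shows which NAT64 destinations point at RFC 1918 hosts. It assumes the behaviour documented in ipfw(8), where nat64lsn does not process destinations mapped to private ranges unless `allow_private` is set; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# NAT64 prefix taken from the ipfw rule in the post
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def synthesize(ipv4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 mapping: the IPv4 address fills the low 32 bits."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def embedded_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Return the IPv4 address inside a NAT64 destination, or None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def classify(ipv6, allow_private):
    """Describe how a destination is handled (assumed ipfw(8) semantics)."""
    v4 = embedded_ipv4(ipv6)
    if v4 is None:
        return "not-nat64"
    if any(v4 in net for net in RFC1918):
        state = "translated-private" if allow_private else "skipped-private"
        return f"{state}:{v4}"
    return f"translated:{v4}"

def audit(destinations, allow_private):
    """Return only the destinations that reach private IPv4 space via NAT64."""
    results = ((d, classify(d, allow_private)) for d in destinations)
    return [(d, r) for d, r in results if r.startswith("translated-private")]

if __name__ == "__main__":
    # Constructed sample destinations, as an IPv6-only client might send them
    samples = [
        str(synthesize("192.0.2.10")),   # documentation address, public-style
        str(synthesize("10.1.0.1")),     # the IPv4 default router from rc.conf
        "2001:db8::1",                   # native IPv6, outside the NAT64 prefix
    ]
    for dest in samples:
        print(dest, classify(dest, allow_private=True))
    print("private targets reachable:", audit(samples, allow_private=True))
```

With `allow_private` in place, any IPv6 client matched by the nat64lsn rule can address hosts on the 10.1.0.0/24 side through the NAT64 prefix, so the final `allow ip from any to any` rule is the place to restrict that if it is not wanted.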