Hello everyone,
I’ve been trying to set up NAT64 on CORE(/FreeBSD) with IPFW instead of Tayga, but haven’t been able to find any good how-to guides online.
Warning - it’s easy to lock yourself out or break things with IPFW on TrueNAS, so for everyone else, you’ve been warned.
I have set up a little lab environment, which uses the following components:
- NAT64 FreeBSD 14.1 VM - runs IPFW for stateful NAT64 and Unbound for DNS64
- IPv6-only FreeBSD 14.1 VM as a NAT64 client
- ISP Router, runs IPv4 SNAT for the IPv4 NAT64 network
The configuration on the NAT64 VM:
/etc/rc.conf
--- snip ---
# Network
ifconfig_vtnet0="inet 10.1.0.111/24"
ifconfig_vtnet0_ipv6="inet6 2003:____:____:__00::64/64"
ifconfig_vtnet1_ipv6="inet6 2003:____:____:__ff::64/64"
defaultrouter="10.1.0.1"
ipv6_defaultrouter="2003:____:____:__00::1"
# NAT64
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
gateway_enable="YES"
ipv6_gateway_enable="YES"
--- snip ---
/etc/ipfw.rules (could use some work)
#!/bin/sh
fwcmd="/sbin/ipfw"
# ipfw.ko is loaded by firewall_enable; the nat64lsn action also needs ipfw_nat64.ko
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
# -q: don't complain if the instance does not exist yet (first run after boot)
${fwcmd} -q nat64lsn NAT64 destroy
# Stateful NAT64 instance; prefix4 is the IPv4 pool the ISP router SNATs,
# allow_private also translates 64:ff9b:: addresses that embed RFC 1918 IPv4 destinations
${fwcmd} nat64lsn NAT64 create prefix4 192.168.255.0/24 allow_private
# Neighbor Solicitation/Advertisement must pass untranslated
${fwcmd} add allow icmp6 from any to any icmp6types 135,136
# IPv6 -> IPv4: client traffic towards the well-known NAT64 prefix
${fwcmd} add nat64lsn NAT64 ip from 2003:____:____:__ff::/64 to 64:ff9b::/96 in
# IPv4 -> IPv6: replies coming back to the pool (written as the network; ipfw masks 192.168.255.1/24 to the same)
${fwcmd} add nat64lsn NAT64 ip from any to 192.168.255.0/24 in
${fwcmd} add allow ip from any to any
With this configured, the IPv6-only client can now reach IPv4-only resources like github.com.
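Because a bad rule set on a remote box is exactly the lockout risk mentioned at the top, here is a guarded way to apply the same nat64lsn rules, added as an example and not part of the original post. FWCMD, CLIENT6, PREFIX6, POOL4 and GUARD_PID are assumed names, the dead-man timer is my addition, and it relies on nat64lsn's requirement that the translation prefix is a /96:

```shell
#!/bin/sh
# Added example, not from the original post: dry-run and guarded applier for the
# nat64lsn rule set above. FWCMD, CLIENT6, PREFIX6, POOL4, GUARD_PID are assumed names.
FWCMD="${FWCMD:-/sbin/ipfw}"
CLIENT6="${CLIENT6:-2003:____:____:__ff::/64}"   # IPv6-only client network (placeholder)
PREFIX6="${PREFIX6:-64:ff9b::/96}"               # NAT64 translation prefix (must be /96)
POOL4="${POOL4:-192.168.255.0/24}"               # IPv4 pool the ISP router SNATs
GUARD_PID="${GUARD_PID:-/var/run/ipfw-guard.pid}"

# nat64lsn only accepts a /96 translation prefix; reject anything else before touching ipfw.
check_prefix6() {
    case "$1" in
        *:*/96) return 0 ;;
        *)      return 1 ;;
    esac
}

# Emit the rule set as one ipfw argument list per line, so it can be reviewed,
# diffed or asserted on without a live firewall.
nat64_rules() {
    check_prefix6 "$PREFIX6" || { echo "NAT64 prefix must be a /96: $PREFIX6" >&2; return 1; }
    cat <<EOF
-f flush
-q nat64lsn NAT64 destroy
nat64lsn NAT64 create prefix4 $POOL4 prefix6 $PREFIX6 allow_private
add allow icmp6 from any to any icmp6types 135,136
add nat64lsn NAT64 ip from $CLIENT6 to $PREFIX6 in
add nat64lsn NAT64 ip from any to $POOL4 in
add allow ip from any to any
EOF
}

# Dead-man switch against lockout: after GRACE seconds the background job flushes
# back to allow-all unless you confirm access still works and run: kill $(cat $GUARD_PID)
apply_with_guard() {
    grace="${1:-90}"
    ( sleep "$grace" && "$FWCMD" -f flush && "$FWCMD" add allow ip from any to any ) &
    echo $! > "$GUARD_PID"
    nat64_rules | while IFS= read -r args; do
        # word splitting of $args into ipfw arguments is intended here
        "$FWCMD" $args || return 1
    done
}

case "${1:-}" in
    dry-run) nat64_rules ;;
    apply)   apply_with_guard "${2:-90}" ;;
esac
```

Run it as `sh nat64-guard.sh dry-run` to see the rules, `sh nat64-guard.sh apply 120` to install them with a two-minute window to cancel the rollback.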
I would like to now use a similar setup, but inside a TrueNAS CORE jail, possibly with the IPv4 SNAT also done by the NAT64 jail.
AFAIK I have to load the ipfw.ko and ipfw_nat64.ko kernel modules on the host itself, which is easy enough.
The jail has to be a VNET jail, but as I use VNET jails exclusively, this is also easy.
Is there something else I should keep in mind? (except that I could blow up my NAS)
Thanks in advance.