07 April 2014

IPv6 Only Network with DNS64, NAT64, and OpenBSD Router

How To Setup IPv6 Only Network with OpenBSD as Router


I decided to see what a computer network running only IPv6 would be like and there are many ways to do this.  I find the easy way is to disable IPv4 and set the name servers to Google's public DNS.  But, for this lab, I decided to put a host behind an OpenBSD router with an internal LAN IPv6 only.  You will quickly find many sites on the Internet do not have IPv6 addresses and the Internet turns into a lonely place.  There are other solutions that could have been instead of NAT64 such as a proxy that could reach IPv4 addresses but I wanted to try NAT64, so here goes.

Video Demo

Configuration of OpenBSD NAT64 Router

The OpenBSD router needs two network interface for internal IPv6 and both IPv4 and IPv6 outbound connectivity.  This guide uses OpenBSD snapshot which is 5.5 at the time of this writing.  The good news is that OpenBSD makes NAT64 incredibly easy so here are the steps:

1) Install package libdaemon and totd from packages or ports.
2) Download and compile the Router Advertisement Daemon (radvd)
3) Configure rc scripts as seen at the bottom of this document.
4) Configure /etc/radvd.conf daemon configuration file.  The RDNSS option will pass DNS info to the IPv6 client.

interface re0
     AdvSendAdvert on;
     MinRtrAdvInterval 3;
     MaxRtrAdvInterval 10;
     AdvDefaultPreference low;
     AdvHomeAgentFlag off;
     prefix 2001:db8:ff10:1::/64
          AdvOnLink on;
          AdvAutonomous on;
          AdvRouterAddr off;

        RDNSS 2001:db8:ff10:1::1 
                AdvRDNSSLifetime 30;

        DNSSL localdomain
                AdvDNSSLLifetime 30;

5) Configure /etc/totd.conf which will perform DNS64 using the RFC standard address range for DNS64.

; $OpenBSD: totd.conf.sample,v 1.3 2012/08/19 22:30:37 ajacoutot Exp $
; Totd sample configuration file
;forwarder port 5000
forwarder 2001:db8:ff10::1 port 53
prefix 64:ff9b::
retry 300 

6) Update pf.conf with NAT64 configuration by adding the IPv6 to IPv4 NAT rule.  You will see I built my NAT64 server behind another IPv4 NAT gateway but if you do this in production, this server would probably be your gateway to the Internet.

pass in log on re0 inet6 from any to 64:ff9b::/96  af-to inet from 

7) Give reboot test to ensure clean startup.
8) Test client with an IPv6 only host and ensure it works.
9) Test client with an IPv4 only host and ensure the DNS64 and NAT64 function correctly.


It is cool but just like IPv4's NAT, some things will break!  The Macintosh will configure itself automatically on the network, but you might find some things don't work.  Other clients may not get DNS information from RDNSS at this writing but you can find help on your particular client from searching the web. I hard coded the DNS into the Linux Mint client's config file but there is a Linux RDNSS daemon that will automate that for you.

Extra Information

Some extra things that you might already have figured out follow.  You will see the two internal interface re0 and the external interface pcn0 along with the autostart options for rc.conf.local and the libdaemon package needed to compile radvd.  Versions may change for packages listed since I used OpenBSD snapshot at the time of this publishing.

Internal Interface settings:


inet6 alias 2001:db8:ff10:1::1 

For /etc/hostname.pcn0, don't use DHCP for IPv4 since I was being lazy and assign a proper static address.

inet6 2001:db8:ff10::100 64
!route add -inet6 :: 2001:db8:ff10::1


pkg_scripts="totd radvd"
totd_flags="" # for normal use: ""

/etc/rc.d/radvd copied from /etc/rc.d/totd script and modified for radvd.



. /etc/rc.d/rc.subr


rc_cmd $1

pkg_info output showing libdaemon is needed to compile radvd.

libdaemon-0.14p0    lightweight C library that eases the writing of daemons
quirks-1.130        exceptions to pkg_add rules
totd-1.5.1p3        DNS proxy that supports IPv6 <==> IPv4 record translation

1 comment: