MadaMada (@madamada@snac.void.my)

3 ★ 3 ↺

dch boosted

MadaMada » 2025-06-22 / 2025-06-22
@madamada@snac.void.my

Following up on my post, here's a WIP guide on getting CLAT working in FreeBSD 14.3-RELEASE..

Tayga CLAT on FreeBSD 14.3-RELEASE with NDPROXY

CLAT as part of 464xlat as defined in RFC 6877 is meant to be running on an IPv6-only host.

The Setup

pkg install gmake gcc ndproxy-3.2.1403000_1

Get the tayga git repo

mkdir /root/staging ; cd /root/staging
git clone https://github.com/apalrd/tayga.git
cd tayga
gmake
cp tayga /usr/local/bin/
mkdir /var/db/tayga
chown nobody:nobody /var/db/tayga

Prepare tayga configuration

cat /etc/tayga.conf
tun-device clat0
ipv4-addr 192.0.0.2
ipv6-addr 2001:db8:1:1::65
#prefix 64:ff9b::/96 # Well-Known Prefix
prefix 2001:db8:64:64::/96 # Network-Known Prefix
data-dir /var/db/tayga
wkpf-strict no
map 192.0.0.1 2001:db8:1:1::64
log drop reject

Replace 2001:db8:1:1:: with your own IPv6 prefix. I am using my own NKP prefix here for NAT64. You can use one from here

Write a script to configure the clat0 interface and it's routes and save it as /root/bin/routes-clat.sh

#!/bin/sh
ifconfig clat0 inet 192.0.0.1/29 192.0.0.1 up
ifconfig clat0 inet6 -ifdisabled
route add default -iface clat0
route -6n add 2001:db8:1:1::64/127 -iface clat0

Make the script executable. Next setup tayga and ndproxy to start on boot..

cat /etc/rc.conf.local
# TAYGA (CLAT)
tayga_enable="YES"
tayga_interfaces="clat0"
# NDPROXY
ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0" # host interface
ndproxy_downlink_mac_address="xx:xx:xx" # host mac address
ndproxy_uplink_ipv6_addresses="fe80::xx:xx:xx" # gateway link-local address
ndproxyconf_exception_ipv6_addresses=""

Download the rc script for Tayga

curl -O https://buster.xpath.my/tayga/rc.d-tayga.txt
mv rc.d-tayga.txt /usr/local/etc/rc.d/tayga
chmod +x /usr/local/etc/rc.d/tayga

Now that everything is in place, time to start and test it..

service tayga start
service ndproxy start
sysctl net.inet6.ip6.forwarding=1
sysrc ipv6_gateway_enable="YES"

Test with the ping command. Example output will look like this:

ping -c3 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=37 time=216.021 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=37 time=216.013 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=37 time=215.861 ms--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 215.861/215.965/216.021/0.073 ms

With curl:

curl -kI https://8.8.8.8/
HTTP/2 302 
x-content-type-options: nosniff
location: https://dns.google/
date: Sun, 22 Jun 2025 06:41:58 GMT
content-type: text/html; charset=UTF-8
server: HTTP server (unknown)
content-length: 216
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

NOTE: If you are using NAT64/PLAT address from nat64.net, some of them might block ICMP. If so test with curl instead. Latency-wise, it is better to run your own NAT64 or use one that is geo closer to you. You can either use #Jool or #Tayga for NAT64.

Please test and provide feedback. Thanks 🙂

#freebsd #ipv6 #ipv6only #tayga

...

Older...

Mark Newton » 2025-06-22
@NewtonMark@eigenmagic.net

@madamada @Tubsta This all makes me glad I’ve never needed to bother with NAT64, and sad that other people must.

...

2 ★ 0 ↺

MadaMada » 2025-06-22
@madamada@snac.void.my

That would be the end game going full IPv6 yeah but sadly legacy IP is still around so some translation techniques are still required..

CC: @Tubsta@soc.feditime.com

...

Mark Newton » 2025-06-22
@NewtonMark@eigenmagic.net

@madamada @Tubsta I’ve always (since 2007) had the luxury of dual stack and sufficient public IPv4.

One day we’ll reach full IPv6 by just turning IPv4 off, but I don’t need to NAT any of it in the meantime.

...

#ipv6 boosted

Jason Tubnor 🇦🇺 » 2025-06-22
@Tubsta@soc.feditime.com

@NewtonMark @madamada I refuse to go down some #IPv6 NAT dance. The whole idea of it was to return the internet to how it was designed. Clearly some providers are rolling it just like v4 and it is such a cluster F for some. So glad I'm able to just live life in pure v6 with a /48 in a native route.

subnetspider » 2025-06-22
@subnetspider@mastodon.bsd.cafe

@madamada On the translation side everything seems to be working, but on the routing side, I'm completely stuck ... :(

...

0 ★ 0 ↺

MadaMada » 2025-06-22
@madamada@snac.void.my

@subnetspider@bsd.cafe Is this done on the main host or in a jail ?

...

subnetspider » 2025-06-22
@subnetspider@mastodon.bsd.cafe

@madamada On a FreeBSD 14.3-RELEASE VM. I think I'm doing something wrong with the networks in rc.conf / tayga.conf / my firewall though. In particular, I don't know where in my network I have to the NKP (FreeBSD VM? Firewall?) and so on.

...

1 ★ 0 ↺

MadaMada » 2025-06-22 / 2025-06-22
@madamada@snac.void.my

@subnetspider@bsd.cafe NKP is basically a GUA NAT64 prefix, if you don't have one then pick one from nat64.net..

You setup rc.conf as usual, on the Tayga side, they use a different address under the same IPv6 subnet..

Update:
On the firewall, pass quick on clat0 all or check with tcpdump..

During my tests, I disabled the firewall just to rule out if there was an issue, the firewall isn't at fault and something else was..

...

subnetspider » 2025-06-22 / 2025-06-22
@subnetspider@mastodon.bsd.cafe

@madamada Oh wait, I think I know what I've done wrong - Tayga is only converting IPv4 to IPv6 here, I still have to convert it back to IPv4 on with NAT64 the router / firewall... 🤦‍♂️ (because CLAT = NAT46)

...

0 ★ 0 ↺

MadaMada » 2025-06-22
@madamada@snac.void.my

@subnetspider@bsd.cafe Yeah CLAT is a one way trip out to accessing IPv4-only sites..

It assumes you already have a local NAT64 in place which makes things a little easier to set up..

2 ★ 0 ↺

MadaMada » 2025-06-26 / 2025-07-21
@madamada@snac.void.my

Update: Continuing on my IPv6-only journey with FreeBSD

These steps are rather brief, assuming you already have Tayga installed..

CLAT on Host
Tayga configuration

> cat /etc/tayga.conf
tun-device clat0
ipv4-addr 192.0.0.2
ipv6-addr 2001:db8:64:a::65
prefix 64:ff9b::/96
data-dir /var/db/tayga
wkpf-strict no
map 192.0.0.1 2001:db8:64:a::64
log drop reject

Routes

> cat /root/bin/routes-clat.sh
#!/bin/sh

ifconfig tun11 create name clat0
ifconfig clat0 inet 192.0.0.1/29 192.0.0.1 up
ifconfig clat0 inet6 -ifdisabled
route -n add default -iface clat0
route -6n add 2001:db8:64:a::64/127 -iface clat0

Start CLAT and run the script..

service tayga start
/root/bin/routes-clat.sh
sysctl net.inet6.ip6.forwarding=1

NAT64/PLAT
The NAT64/PLAT is configured on a dual-stack machine.

Tayga configuration

> cat /etc/tayga.conf
tun-device nat64
ipv4-addr 10.64.64.1
prefix 64:ff9b::/96
wkpf-strict no
dynamic-pool 10.64.0.0/16
data-dir /var/db/tayga
log drop reject

Routes

> cat /root/bin/routes-nat64.sh
#!/bin/sh
net4='10.64.0.0/16'
pref6='64:ff9b::/96'

ifconfig tun11 create name nat64
ifconfig nat64 inet6 2001:db8:64:a::8200/128 up
route -n add -net $net4 -iface nat64
route -6n add -net $pref6 -iface nat64

Start NAT64 and run the script..

service tayga start
/root/bin/routes-nat64.sh
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

DNS64 - DNS64 with BIND9 or Unbound

BIND9

dns64 64:ff9b::/96 {
  clients { localhost; localnets; trusted-nets; };
  mapped { !10/8; !192.168/16; !172.16/12; any; };
  exclude { 0::/3; 4000::/2; 8000::/1; 2001:db8::/32; };
  recursive-only yes;
  break-dnssec yes;
};

Unbound

module-config: "respip dns64 validator iterator"
dns64-prefix: 64:ff9b::/96

This guide is based on my tests running on a FreeBSD VPS. The host acted as a CLAT client
and then later as a NAT64 router with the CLAT running in a vnet jail.

Update: Forgot to add the pf rules for NAT64..

ext_if="em0"
nat on $ext_if from 10.64.0.0/16 to any -> ($ext_if:0)