How do I configure NAT policies for IPv6 to IPv4 traffic?
03/26/2020 31 8859
As a NAT64 translator, SonicOS allows an IPv6-only client from any zone to initiate communication to an IPv4-only server with proper route configuration. SonicOS maps IPv6 addresses to IPv4 addresses so IPv6 traffic changes to IPv4 traffic and vice versa. IPv6 address pools (represented as address objects) and IPv4 address pools are created to allow mapping by translating packet headers between IPv6 and IPv4. The IPv4 addresses of IPv4 hosts are translated to and from IPv6 addresses by using an IPv6 prefix configured in SonicOS.
The DNS64 translator enables NAT64. Either an IPv6 client must configure a DNS64 server or the DNS server address the IPv6 client gets automatically from the gateway must be a DNS64 server. The DNS64 server of an IPv6-only client creates AAAA (IPv6) records with A (IPv4) records. SonicOS does not act as a DNS64 server.
For the purpose of this article, we’ll be using the following IP addresses as examples to demonstrate the NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the examples shown here:
fd7a:833b:d83e:d8c2:xxxx:xxxx:xxxx:xxxx IP subnet on interface X0
2001:833b:d83e:d8c2:xxxx:xxxx:xxxx:xxxx IP subnet on interface X1
Destination server :220.127.116.11
DNS64 server :64:ff9b::ca89:eb0c
STEP 1 Go to Manage | Policies | Rules | NAT and click Add NAT
- Original Source or IPv6 Original Source: This drop-down menu setting is used to identify the Source IP address(es) in the packet crossing the firewall
- Translated Source : X1 IPV6 Primary Static Address
- Translated Destination : Any
- Translated Destination : Original
STEP 2 Go to Manage | Policies | Rules | NAT and click on Add NAT 64.
- Original Source or IPv6 Original Source: This drop-down menu setting is used to identify the Source IP address(es) in the packet crossing the firewall.
- Translated Source : X1 IP ( IPv4)
- Translated Destination : Embedded IPV4 Address
- Pref64: Well Known Pref64
STEP 3 Creating a WAN-to-WAN Access Rule for a NAT64 Policy
When an IPv6-only client initializes a connection to an IPv4 client/server, the IPv6 packets received by the NAT64 translator looks like ordinary IPv6 packets.
After these packets are processed through the NAT policy, they are converted IPv4 packets and will be handled by SonicOS again. At this point, the source zone for these packets is WAN, while the destination zone is the same as the original IPv6 packets. If the cache for these IPv4 packets is not already created, these packets undergo policy checking. In order to prevent these packets from being dropped, a WAN-to-WAN Allow access rule must be configured.
To create a WAN-to-WAN access rule:
In the MANAGE view, navigate to Policies | Rules | Access Rules.
NOTE:- DNS64 is a DNS service that returns AAAA records with these synthetic IPv6 addresses for IPv4-only destinations (with A but not AAAA records in the DNS). This lets IPv6-only clients use NAT64 gateways without any other configuration.Google Public DNS64 provides DNS64 as a global service using the reserved NAT64 prefix 64:ff9b::/96.
SONICWALL DOES NOT ACT AS A DNS64 SERVERS.
TWO DNS SERVERS:- 2001:4860:4860::6464 2001:4860:4860::64