SonicOS 8 IPv6 Tunnel Interfaces (DS-Lite)
Description
DS-Lite, enables SonicWall firewalls to connect to DS-Lite ISP services, tunneling IPv4 traffic to the ISP's AFTR for centralized NAT.
DS-Lite
What is DS-Lite?
DS-Lite (Dual-Stack Lite), defined in RFC 6333, is an IPv4-over-IPv6 transition mechanism that moves the IPv4 NAT (Network Address Translation) function from the customer premises to the ISP's infrastructure. The customer-side device, the SonicWall firewall, acts as the B4 element (Basic Bridging Broadband), responsible only for encapsulating IPv4 traffic in IPv6 and forwarding it through a softwire tunnel to the ISP's AFTR (Address Family Transition Router).
The AFTR performs NAT44 (private IPv4 to public IPv4) on behalf of all DS-Lite customers and routes the translated traffic to the IPv4 internet. Inbound IPv4 responses are encapsulated by the AFTR and returned to the customer firewall through the same softwire tunnel.
|
Key characteristic: In DS-Lite, the firewall performs no IPv4 NAT. There is no IPv4 address or port range allocation on the customer side. All NAT state is managed centrally at the ISP's AFTR. |
DS-Lite Architecture
A DS-Lite deployment involves two components on the customer side and one on the ISP side:
- The SonicWall firewall encapsulates outbound IPv4 packets in IPv6 and forwards them to the AFTR's IPv6 address. Decapsulates inbound IPv6-encapsulated packets and delivers them to internal hosts.
- IPv6 Access Network, the ISP's broadband infrastructure, which carries only IPv6 traffic between the customer site and the ISP edge.
- AFTR (Address Family Transition Router), the ISP-side device that decapsulates IPv6-encapsulated IPv4 packets, performs NAT44, and routes traffic to the IPv4 internet.
|
Standard: DS-Lite is defined in RFC 6333. The softwire encapsulation used to carry IPv4 inside IPv6 follows RFC 2473 (Generic Packet Tunneling in IPv6 Specification). |
Configuration
Both DS-Lite are configured through the 4to6 Tunnel Interface dialog under Network > Interfaces (IPv4).
-kA1VN000001IqE50AK-0EMVN00000TTV7l.jpg)
Select the Tunnel Type as “SD0Lite Softwire”. Provide Name, Interface and IPv6 address for the fields as mentioned below.
-kA1VN000001IqE50AK-0EMVN00000TTV9N.jpg)
-kA1VN000001IqE50AK-0EMVN00000TTJkw.jpg)
Once the configuration is saved, a new virtual interface is created. (In below screenshot, “Test123 is the IPv4 to IPv6 tunnel that is created using DS-Lite Softwire”)
-kA1VN000001IqE50AK-0EMVN00000TTK5u.jpg)
For step-by-step configuration instructions, refer to the SonicOS 8 Administration Guide.
Real-World Use Cases
|
Use Case |
Scenario |
Outcome |
|
IPv6-Primary ISP, DS-Lite Connectivity |
An enterprise connects to a broadband ISP that has deployed an IPv6-only access network using DS-Lite. The organization requires full IPv4 internet access for cloud applications, SaaS services, and partner connectivity. |
SonicOS 8 is configured as the DS-Lite B4 element. The AFTR address is obtained via DHCP. The firewall tunnels all IPv4 traffic to the ISP AFTR, which handles NAT and internet routing. No additional CPE device or NAT configuration is required on the customer side. |
|
Dual-ISP Deployment with Mixed Transition Mechanisms |
An organization has two broadband connections: one ISP uses DS-Lite and the other uses v6Plus. Both connections are IPv6-primary. The organization requires resilient internet access with automatic failover. |
SonicOS 8 supports DS-Lite and v6Plus simultaneously on separate WAN interfaces. Both tunnel interfaces participate in SD-WAN path selection, enabling automatic failover and SLA-based path steering between the two ISP connections. |
Summary
SonicOS 8 supports DS-Lite as a native 4to6 tunnel interface type, enabling SonicWall firewalls to deliver IPv4 internet connectivity over IPv6-primary ISP access networks. The DS-Lite tunnel interface is configured through the 4to6 Tunnel Interface dialog under Network | Interfaces, allowing seamless integration with IPv6-based service provider environments.
