NAT64 policy and DNS64 (DNS proxy)
NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.
NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.
Sample topology
In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which only has an IPv4 address on the Internet.
- The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.
- The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.
- The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and carries the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.16.200.55.
- The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.
- The packet is routed to the FortiGate internal interface (port10), where it is accepted by the NAT64 security policy.
- The FortiGate unit translates the destination address of the packets from the IPv6 address 64:ff9b::172.16.200.55 to the IPv4 address 172.16.200.55, translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range), and forwards the packets out the port9 interface to the Internet.
Sample configuration
To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:
- Go to System > Feature Visibility.
- In the Basic Features section, enable IPv6.
- In the Additional Features section, enable the following features:
- NAT46 & NAT64
- DNS Database
- Click Apply.
To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:
config system global
    set gui-ipv6 enable
end
config system settings
    set gui-nat46-64 enable
    set gui-dns-database enable
end
To enable DNS proxy on the IPv6 interface using the GUI:
- Go to Network > DNS Servers.
- In DNS Service on Interface, click Create New.
- For Interface, select port10.
- Click OK.
To enable DNS proxy on the IPv6 interface using the CLI:
config system dns-server
    edit "port10"
        set mode forward-only
    next
end
To configure the IPv6 DHCP server using the CLI:
config system dhcp6 server
    edit 1
        set subnet 2001:db8:1::/64
        set interface "port10"
        config ip-range
            edit 1
                set start-ip 2001:db8:1::11
                set end-ip 2001:db8:1::20
            next
        end
        set dns-server1 2001:db8:1::10
    next
end
To enable NAT64 and related settings using the CLI:
Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.
By default, the always-synthesize-aaaa-record setting is enabled. If you disable this setting, the DNS proxy (DNS64) first attempts to find AAAA records for the queried domain names and, where they exist, resolves the host names to those IPv6 addresses. Only if the DNS proxy cannot find an AAAA record does it synthesize one by adding the NAT64 prefix to the A record.
The nat64-prefix setting is the NAT64 prefix. By default, it is 64:ff9b::/96.
config system nat64
    set status enable
end
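To make the address arithmetic behind the DNS64 walk-through and the always-synthesize-aaaa-record setting concrete, here is an added Python example (not Fortinet code, and not how the FortiGate implements it internally). It synthesizes the AAAA address from an A record and the NAT64 prefix, reverses the mapping the way the NAT64 policy does for the destination address, and models the AAAA-first behaviour when synthesis is not forced; the zone data is constructed.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052; also the FortiGate default nat64-prefix.
DEFAULT_NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=DEFAULT_NAT64_PREFIX):
    """DNS64 synthesis: NAT64 prefix in the upper 96 bits, IPv4 in the lower 32."""
    if prefix.prefixlen != 96:
        raise ValueError("only a /96 NAT64 prefix is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=DEFAULT_NAT64_PREFIX):
    """Reverse mapping, as NAT64 does for the destination: the embedded IPv4 address,
    or None if the address does not carry the NAT64 prefix (not a NAT64 candidate)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(name, zone, always_synthesize=True, prefix=DEFAULT_NAT64_PREFIX):
    """Answer an AAAA query the way DNS64 does. `zone` is a constructed stand-in
    for the upstream resolver: {name: {"A": [...], "AAAA": [...]}}.
    always_synthesize=True mirrors the default always-synthesize-aaaa-record:
    every A record is translated. When disabled, real AAAA records are returned
    and synthesis happens only when none exist."""
    rr = zone.get(name, {})
    if not always_synthesize and rr.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rr.get("A", [])]


# Constructed sample zone data standing in for real DNS lookups.
SAMPLE_ZONE = {
    "ControlPC.qa.fortinet.com": {"A": ["172.16.200.55"], "AAAA": []},
    "dual.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8:2::10"]},
}

if __name__ == "__main__":
    for addr in dns64_answer("ControlPC.qa.fortinet.com", SAMPLE_ZONE):
        print(addr, "-> NAT64 destination", extract_ipv4(addr))
```

Note that 64:ff9b::172.16.200.55 and 64:ff9b::ac10:c837 are the same address written two ways; the dotted form just makes the embedded IPv4 address readable.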
To create a NAT64 policy using the GUI:
- Add an IPv4 firewall address for the external network.
    - Go to Policy & Object > Addresses.
    - Click Create New.
    - For Name, enter external-net4.
    - For IP/Network, enter 172.16.200.0/24.
    - For Interface, select port9.
    - Click OK.
- Add an IPv6 firewall address for the internal network.
    - Go to Policy & Object > Addresses.
    - Click Create New.
    - Change Category to IPv6 Address.
    - For Name, enter internal-net6.
    - For IPv6 Address, enter 2001:db8:1::/48.
    - Click OK.
- Add an IP pool containing the IPv4 addresses used as the source address of the packets exiting port9.
    - Go to Policy & Object > IP Pools.
    - Click Create New.
    - For Name, enter exit-pool4.
    - For External IP Range, enter 172.16.200.200-172.16.200.210.
    - Click OK.
- Add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network.
    - Go to Policy & Object > NAT64 Policy.
    - Click Create New.
    - For Incoming Interface, select port10.
    - For Outgoing Interface, select port9.
    - For Source Address, select internal-net6.
    - For Destination Address, select external-net4.
    - Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool exit-pool4.
    - Click OK.
To create a NAT64 policy using the CLI:
config firewall address
    edit "external-net4"
        set associated-interface "port9"
        set subnet 172.16.200.0 255.255.255.0
    next
end
config firewall address6
    edit "internal-net6"
        set ip6 2001:db8:1::/48
    next
end
config firewall ippool
    edit "exit-pool4"
        set startip 172.16.200.200
        set endip 172.16.200.210
    next
end
config firewall policy64
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "internal-net6"
        set dstaddr "external-net4"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "exit-pool4"
    next
end