NAT64 policy and DNS64 (DNS proxy)
NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.
NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.
Sample topology
In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com
that only has IPv4 address on the Internet. Central NAT is disabled.
-
The host on the internal network does a DNS lookup for
ControlPC.qa.fortinet.com
by sending a DNS query for an AAAA record forControlPC.qa.fortinet.com
. -
The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for
ControlPC.qa.fortinet.com
and gets back an RRSet containing a single A record with the IPv4 address172.16.200.55
. -
The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is
64:ff9b::172.16.200.55
. -
The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address
64:ff9b::172.16.200.55
. -
The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
-
The FortiGate translates the destination address of the packets from IPv6 address
64:ff9b::172.16.200.55
to IPv4 address172.16.200.55
and translates the source address of the packets to172.16.200.200
(or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.
Sample configuration
To configure a NAT64 policy with DNS64 in the GUI:
-
Enable IPv6 and DNS database:
-
Go to System > Feature Visibility.
-
In the Core Features section, enable IPv6.
-
In the Additional Features section, enable DNS Database.
-
Click Apply.
-
-
Enable DNS proxy on the IPv6 interface:
-
Go to Network > DNS Servers.
-
In the DNS Service on Interface table, click Create New.
-
For Interface, select port10.
-
For Mode, select Forward to System DNS.
-
Click OK.
-
-
Configure the IPv6 DHCP server:
-
Go to Network > Interfaces and edit port10.
-
Enable DHCPv6 Server and enter the following:
IPv6 subnet
2001:db8:1::/64
DNS service
Specify
DNS server 1
2001:db8:1::10
-
Click OK.
-
-
Configure the IPv6 VIP for the destination IPv6 addresses:
These are all of the IPv6 addresses that the FortiGate DNS proxy synthesizes when an IPv6 device performs a DNS query that resolves to an IPv4 Address. In this example, the synthesized IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits, so the VIP is for all the IPv6 addresses that begin with 64:ff9b.
-
Go to Policy & Objects > Virtual IPs and navigate to the IPv6 Virtual IP tab.
-
Click Create new.
-
Enter the following:
Name
vip6
Eternal IP address/range
64:ff9b::-64:ff9b::ffff:ffff
Map to IPv4 address/range
Use Embedded
-
Click OK.
-
-
Configure the IPv6 firewall address for the internal network:
-
Click Create New > Address.
-
Enter the following:
Category
IPv6 Address
Name
internal-net6
Type
IPv6 Subnet
IP/Netmask
2001:db8:1::/48
-
Click OK.
-
-
Configure the IP pool containing the IPv4 address that is used as the source address of the packets exiting port9:
-
Go to Policy & Objects > IP Pools and navigate to the IP Pool tab.
-
Click Create new.
-
Enter the following:
Name
exit-pool4
Type
Overload
External IP address/range
172.16.200.200-172.16.200.207
NAT64
Enable
External IP address/range must start and end on the boundaries of a valid subnet. For example, 172.16.200.0-172.16.200.7 and 172.16.200.16-172.16.200.31 are a valid subnets (/29 and /28 respectively).
-
Click OK.
-
-
Configure the NAT64 policy:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Enter the following:
Name
policy64-1
Incoming Interface
port10
Outgoing Interface
port9
Source
internal-net6
Destination
vip6
Schedule
always
Service
ALL
Action
ACCEPT
NAT
NAT64
IP Pool Configuration
exit-pool4
-
Click OK.
-
To configure a NAT64 policy with DNS64 in the CLI:
-
Enable IPv6 and DNS database:
config system global set gui-ipv6 enable end
config system settings set gui-dns-database enable end
-
Enable DNS proxy on the IPv6 interface:
config system dns-server edit "port10" set mode forward-only next end
-
Configure the IPv6 DHCP server:
config system dhcp6 server edit 1 set subnet 2001:db8:1::/64 set interface "port10" set dns-server1 2001:db8:1::10 next end
-
Configure the IPv6 VIP for the destination IPv6 addresses:
config firewall vip6 edit "vip6" set extip 64:ff9b::-64:ff9b::ffff:ffff set embedded-ipv4-address enable next end
-
Configure the IPv6 firewall address for the internal network:
config firewall address6 edit "internal-net6" set ip6 2001:db8:1::/48 next end
-
Configure the IP pool containing the IPv4 address that is used as the source address of the packets exiting port9:
config firewall ippool edit "exit-pool4" set startip 172.16.200.200 set endip 172.16.200.207 set nat64 enable next end
External IP address/range must start and end on the boundaries of a valid subnet. For example, 172.16.200.0-172.16.200.7 and 172.16.200.16-172.16.200.31 are a valid subnets (/29 and /28 respectively).
-
Configure the NAT64 policy:
config firewall policy edit 1 set name "policy64-1" set srcintf "port10" set dstintf "port9" set action accept set nat64 enable set srcaddr "all" set dstaddr "all" set srcaddr6 internal-net6 set dstaddr6 vip6 set schedule "always" set service "ALL" set ippool enable set poolname "exit-pool4" next end
To enable DNS64 and related settings using the CLI:
Enabling DNS64 means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination address matches an NAT64 security policy.
By default, the setting always-synthesize-aaaa-record
is enabled. If you disable this setting, the DNS proxy (DNS64) will attempt to find an AAAA records for queries to domain names and therefore resolve the host names to IPv6 addresses. If the DNS proxy cannot find an AAAA record, it synthesizes one by adding the NAT64 prefix to the A record.
config system dns64 set status {enable | disable} set dns64-prefix <ipv6-prefix> set always-synthesize-aaaa-record {enable | disable} end
By default, the dns64-prefix
is 64:ff9b::/96
.