
Administration Guide

NAT64 policy and DNS64 (DNS proxy)

NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.

Sample topology

In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which has only an IPv4 address on the Internet. Central NAT is disabled.

  1. The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.

  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.

  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.16.200.55.

  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.

  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.

  6. The FortiGate translates the destination address of the packets from IPv6 address 64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.
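The translation in steps 5 and 6, written out as an added example (this is illustration code, not FortiOS code): the destination is checked against the vip6 range, the IPv4 destination is read from the lower 32 bits, and a source is taken from exit-pool4. The modulo-based source selection is an assumption made for the example; the page does not describe how FortiOS picks a pool address per session.

```python
import ipaddress

# Values from this page's example: the vip6 external range, the exit-pool4
# range and the internal-net6 address object.
VIP6_RANGE = (ipaddress.IPv6Address("64:ff9b::"),
              ipaddress.IPv6Address("64:ff9b::ffff:ffff"))
EXIT_POOL4 = (ipaddress.IPv4Address("172.16.200.200"),
              ipaddress.IPv4Address("172.16.200.207"))
INTERNAL_NET6 = ipaddress.IPv6Network("2001:db8:1::/48")


def matches_vip6(dst6: str, vip_range=VIP6_RANGE) -> bool:
    """Destination check of policy64-1: is dst6 inside the vip6 external range?"""
    low, high = vip_range
    return low <= ipaddress.IPv6Address(dst6) <= high


def embedded_ipv4(dst6: str) -> str:
    """The 'Use Embedded' mapping: the IPv4 destination is the lower 32 bits of
    the NAT64 address, so 64:ff9b::172.16.200.55 yields 172.16.200.55."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(dst6)) & 0xFFFF_FFFF))


def pick_pool_source(src6: str, pool=EXIT_POOL4) -> str:
    """Choose the IPv4 source written into the packet leaving port9.
    Assumption made for this example: spread sources over the overload pool by
    reducing the IPv6 source modulo the pool size; FortiOS's real per-session
    selection is not described on the page."""
    size = int(pool[1]) - int(pool[0]) + 1
    offset = int(ipaddress.IPv6Address(src6)) % size
    return str(ipaddress.IPv4Address(int(pool[0]) + offset))


def nat64_translate(src6: str, dst6: str):
    """Apply policy64-1 to one IPv6 packet (topology steps 5 and 6). Returns the
    (src4, dst4) pair forwarded out port9, or None when the policy does not match."""
    if ipaddress.IPv6Address(src6) not in INTERNAL_NET6:
        return None  # source is outside internal-net6
    if not matches_vip6(dst6):
        return None  # destination was not synthesized by DNS64, so no NAT64
    return pick_pool_source(src6), embedded_ipv4(dst6)
```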

Sample configuration

To configure a NAT64 policy with DNS64 in the GUI:
  1. Enable IPv6 and DNS database:

    1. Go to System > Feature Visibility.

    2. In the Core Features section, enable IPv6.

    3. In the Additional Features section, enable DNS Database.

    4. Click Apply.

  2. Enable DNS proxy on the IPv6 interface:

    1. Go to Network > DNS Servers.

    2. In the DNS Service on Interface table, click Create New.

    3. For Interface, select port10.

    4. For Mode, select Forward to System DNS.

    5. Click OK.

  3. Configure the IPv6 DHCP server:

    1. Go to Network > Interfaces and edit port10.

    2. Enable DHCPv6 Server and enter the following:

      IPv6 subnet: 2001:db8:1::/64
      DNS service: Specify
      DNS server 1: 2001:db8:1::10

    3. Click OK.

  4. Configure the IPv6 VIP for the destination IPv6 addresses:

    These are all of the IPv6 addresses that the FortiGate DNS proxy synthesizes when an IPv6 device performs a DNS query that resolves to an IPv4 Address. In this example, the synthesized IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits, so the VIP is for all the IPv6 addresses that begin with 64:ff9b.

    1. Go to Policy & Objects > Virtual IPs and navigate to the IPv6 Virtual IP tab.

    2. Click Create new.

    3. Enter the following:

      Name: vip6
      External IP address/range: 64:ff9b::-64:ff9b::ffff:ffff
      Map to IPv4 address/range: Use Embedded

    4. Click OK.

  5. Configure the IPv6 firewall address for the internal network:

    1. Click Create New > Address.

    2. Enter the following:

      Category: IPv6 Address
      Name: internal-net6
      Type: IPv6 Subnet
      IP/Netmask: 2001:db8:1::/48

    3. Click OK.

  6. Configure the IP pool containing the IPv4 address that is used as the source address of the packets exiting port9:

    1. Go to Policy & Objects > IP Pools and navigate to the IP Pool tab.

    2. Click Create new.

    3. Enter the following:

      Name: exit-pool4
      Type: Overload
      External IP address/range: 172.16.200.200-172.16.200.207
      NAT64: Enable

      Note: External IP address/range must start and end on the boundaries of a valid subnet. For example, 172.16.200.0-172.16.200.7 and 172.16.200.16-172.16.200.31 are valid subnets (/29 and /28 respectively).

    4. Click OK.

  7. Configure the NAT64 policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter the following:

      Name: policy64-1
      Incoming Interface: port10
      Outgoing Interface: port9
      Source: internal-net6
      Destination: vip6
      Schedule: always
      Service: ALL
      Action: ACCEPT
      NAT: NAT64
      IP Pool Configuration: exit-pool4

    3. Click OK.

To configure a NAT64 policy with DNS64 in the CLI:
  1. Enable IPv6 and DNS database:

    config system global
       set gui-ipv6 enable
    end
    config system settings
       set gui-dns-database enable
    end
  2. Enable DNS proxy on the IPv6 interface:

    config system dns-server
       edit "port10"
           set mode forward-only
       next
    end
  3. Configure the IPv6 DHCP server:

    config system dhcp6 server
       edit 1
           set subnet 2001:db8:1::/64
           set interface "port10"
           set dns-server1 2001:db8:1::10
       next
    end
  4. Configure the IPv6 VIP for the destination IPv6 addresses:

    config firewall vip6
        edit "vip6"
            set extip 64:ff9b::-64:ff9b::ffff:ffff
            set embedded-ipv4-address enable
        next
    end
  5. Configure the IPv6 firewall address for the internal network:

    config firewall address6
        edit "internal-net6"
            set ip6 2001:db8:1::/48
        next
    end
  6. Configure the IP pool containing the IPv4 address that is used as the source address of the packets exiting port9:

    config firewall ippool
        edit "exit-pool4"
            set startip 172.16.200.200
            set endip 172.16.200.207
            set nat64 enable
        next
    end
    Note: External IP address/range must start and end on the boundaries of a valid subnet. For example, 172.16.200.0-172.16.200.7 and 172.16.200.16-172.16.200.31 are valid subnets (/29 and /28 respectively).

  7. Configure the NAT64 policy:

    config firewall policy
        edit 1
            set name "policy64-1"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set nat64 enable
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 internal-net6
            set dstaddr6 vip6
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "exit-pool4"
        next
    end
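The subnet-boundary rule from the IP pool note can be checked before a range is committed. The following is an added example (not FortiOS code) that tests whether startip-endip collapses to exactly one CIDR block and, only if it does, renders the `config firewall ippool` stanza used above.

```python
import ipaddress


def aligned_subnet(startip: str, endip: str):
    """Return the CIDR block that startip-endip covers exactly, or None when the
    range does not start and end on the boundaries of a single subnet (the rule
    the page states for the IP pool's external IP address/range)."""
    start, end = ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip)
    if end < start:
        return None
    # summarize_address_range yields the minimal list of CIDR blocks covering
    # the range; a valid pool range collapses to exactly one block.
    blocks = list(ipaddress.summarize_address_range(start, end))
    return str(blocks[0]) if len(blocks) == 1 else None


def render_ippool_cli(name: str, startip: str, endip: str, nat64: bool = True) -> str:
    """Emit the 'config firewall ippool' stanza from this page, refusing to
    render a range that fails the alignment check."""
    if aligned_subnet(startip, endip) is None:
        raise ValueError(f"{startip}-{endip} is not aligned to a subnet boundary")
    lines = [
        "config firewall ippool",
        f'    edit "{name}"',
        f"        set startip {startip}",
        f"        set endip {endip}",
    ]
    if nat64:
        lines.append("        set nat64 enable")
    lines += ["    next", "end"]
    return "\n".join(lines)
```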
To enable DNS64 and related settings using the CLI:

Enabling DNS64 means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.

By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy (DNS64) first attempts to find an AAAA record for the queried domain name and, if one exists, resolves the host name to that IPv6 address. Only if the DNS proxy cannot find an AAAA record does it synthesize one by adding the NAT64 prefix to the A record.

config system dns64
    set status {enable | disable}
    set dns64-prefix <ipv6-prefix>
    set always-synthesize-aaaa-record {enable | disable}
end

By default, the dns64-prefix is 64:ff9b::/96.
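As an added example (illustration code, not Fortinet's DNS proxy), the two settings above written out: AAAA synthesis for a /96 dns64-prefix, and the choice between a native AAAA answer and a synthesized one that always-synthesize-aaaa-record controls. The upstream answers passed in are constructed inputs.

```python
import ipaddress


def synthesize_aaaa(ipv4: str, prefix: str = "64:ff9b::/96") -> str:
    """Build the IPv6 address DNS64 returns for an A record: the dns64-prefix in
    the upper 96 bits, the IPv4 address in the lower 32 bits. This example
    handles the /96 prefix form used on the page."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example supports a /96 dns64-prefix only")
    v6 = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    # ipaddress prints the hex form: '64:ff9b::ac10:c837' is 64:ff9b::172.16.200.55
    return str(ipaddress.IPv6Address(v6))


def dns64_answer(aaaa_records, a_records, always_synthesize=True, prefix="64:ff9b::/96"):
    """Decide what the DNS proxy hands back for an AAAA query, following the
    page's description of always-synthesize-aaaa-record.

    aaaa_records / a_records: the upstream answers (constructed inputs).
    always_synthesize=True (the default): every A record is turned into a NAT64
    address, so the client is always steered through the NAT64 policy.
    always_synthesize=False: a native AAAA answer is returned as-is, and
    synthesis happens only when no AAAA record exists."""
    if not always_synthesize and aaaa_records:
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    return [synthesize_aaaa(a, prefix) for a in a_records]
```

With the default enabled, a host that has a native AAAA record is still reached through the NAT64 prefix, which is the behaviour the paragraph above implies for the "enable" case.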