Project

General

Profile

Actions

Feature #2358

open

NAT64 support

Added by Seth Mos over 12 years ago. Updated 10 days ago.

Status:
In Progress
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
04/08/2012
Due date:
% Done:

50%

Estimated time:
Plus Target Version:
25.03
Release Notes:
Default

Description

Actions #1

Updated by Mathieu Mourez over 11 years ago

UPVOTE. It would be really nice to have these capabilities built into pfSense. The Viagenie implementation is nice and stateful and apparently already works on pf under OpenBSD 4.6.

Actions #2

Updated by Andreas Peetz almost 11 years ago

UPVOTE. I really like to be able to run my network with IPv6 only and make legacy IPv4 site available through NAT64.

Actions #3

Updated by Chris Buechler over 10 years ago

  • Subject changed from NAT64 gateway Support to NAT64 Support
  • Category changed from Interfaces to Rules / NAT
  • Priority changed from Low to Normal
  • Target version deleted (2.2)
  • Affected Version changed from 2.2 to 2.1-IPv6
Actions #4

Updated by Rodrigo Ferraz over 9 years ago

UPVOTE. Since most ISPs are already turning IPv6 into reality on many homes and work places around the world, this feature has become a must for pfSense. I would like to kindly ask for the priority of this feature to be raised.

Actions #5

Updated by Acacio Cruz over 9 years ago

UPVOTE
UPC Cablecom in Switzerland just became a "IPv6 only" ISP last month. (IPv6 Dual Stack Lite)
https://support-en.upc-cablecom.ch/app/answers/detail/a_id/1251/~/information-on-ipv6-ds-lite

Actions #6

Updated by Alex Kolesnik over 8 years ago

UPVOTE

Actions #7

Updated by Tom . over 8 years ago

UPVOTE. I'd love to be able to set up an IPv6-only network and just use NAT64 to redirect old requests.

Actions #8

Updated by Nicolas Vollmar about 8 years ago

UPVOTE
My new ISP provides native IPv6 and I would prefere not to have configuring my hole network with IPv4 if I could just setup my pf sense to do the NAT64 instead.

Actions #9

Updated by Martin Hansen about 8 years ago

UPVOTE, word up on this. It should be prioritized significantly.

Actions #10

Updated by Greg M about 8 years ago

UPVOTE

Actions #11

Updated by Luiz Souza about 8 years ago

  • Assignee set to Luiz Souza
  • Target version set to Future
Actions #12

Updated by Luiz Souza about 8 years ago

Too late for 2.4.0...

Actions #13

Updated by DB Tsai almost 8 years ago

UPVOTE!

First of all, thank you for the great open source firewall product. As Apple starts to require all the new apps have to work under NAT64, pfSense will be a good experimenting platform if pfSense supports it natively. As far as I know, NAT64 feature was merged into the FreeBSD upstream, so it's possible that pfSense can support it without too much effort. I wonder if there is any plan that pfSense can support DNS64/NAT64 in the nearly future?

This will be a very important feature for many frustrated ios app developers who can not easily reproduce NAT64 environment in house. Thanks.

Actions #14

Updated by Joel Whitehouse almost 8 years ago

Would like to see support for NAT64/DNS64 in pfsense. Deployment of DNS64 outside of the gateway is somewhat convoluted, requiring additional hardware, and adds latency to DDNS lookups (since the DNS requests would have to go through a separate host before going to pfsense.) It would be ideal for pfsense to integrate these services.

Actions #15

Updated by Arthur Wiebe almost 8 years ago

Google offers a public DNS64 resolver https://developers.google.com/speed/public-dns/docs/dns64 so if we could get NAT64 working in pfSense that would already be a workable start.

Actions #16

Updated by Scott Rosenberg almost 8 years ago

Joel Whitehouse wrote:

Would like to see support for NAT64/DNS64 in pfsense. Deployment of DNS64 outside of the gateway is somewhat convoluted, requiring additional hardware, and adds latency to DDNS lookups (since the DNS requests would have to go through a separate host before going to pfsense.) It would be ideal for pfsense to integrate these services.

I'd also like to voice my support for this integration

Actions #17

Updated by Scott Rosenberg almost 8 years ago

UPVOTE!
I'd also like to voice my support for this integration

Actions #18

Updated by EDUARDO CERQUEIRA DA SILVA almost 8 years ago

I would like to see this important functionality

Actions #19

Updated by Dmitri Toubelis almost 8 years ago

UPVOTE!!!
We are switching several of our subnets from dual-stack to pure IPv6 and NAT64/DNS64 is not optional for us any longer. Having this feature on the gateway would hep us immensely.

Actions #20

Updated by Landon Wubbels over 7 years ago

Upvote

Actions #21

Updated by Arthur Wiebe over 7 years ago

For those who'd like to do something now, I've finished testing a setup using TAYGA on a separate virtual machine with pfSense on the gateway. Detailed instructions are available here https://blog.artooro.com/2017/05/02/nat64-how-to-with-pfsense-and-tayga/ it seems to be working very well in my environment.

Actions #22

Updated by Brandon Jackson over 7 years ago

Upvote. Even if just NAT64, as other have said Google has DNS64 and also BIND can be installed and it is pretty simple to setup DNS64 on it too.

Actions #23

Updated by Brandon Jackson over 7 years ago

Actions #24

Updated by Marco Vaschetto almost 7 years ago

UPVOTE!!

at the moment I have to use an external router to do this!

Actions #25

Updated by Isaac McDonald over 6 years ago

I would like to see this added as well. Large companies such as Microsoft are using NAT64 and going IPv6 only because they've run out of RFC 1918 addresses.

T-Mobile in America is another one. Phones on TMO's network only get an IPV6 address with all IPv4 traffic going through NAT64.

Here's an interesting article regarding Microsofts efforts to implement a pure IPv6 network using NAT64: [[https://blog.apnic.net/2017/01/19/ipv6-only-at-microsoft/]]

Actions #26

Updated by Peek Around over 6 years ago

Bump + UpVote !

Actions #27

Updated by Talyrius Bekhesh over 6 years ago

UPVOTE

Actions #28

Updated by Dmitriy K over 6 years ago

TRIPLE UPVOTE!

Actions #29

Updated by Sean Harlow over 6 years ago

Another upvote. At some point in the future we're going to start having needs for v6-only networks. For some of the larger networks that time may already be here. It'd be really nice to be able to start testing these things before we actually need them.

Actions #30

Updated by Brandon Jackson almost 6 years ago

Just noticed, it looks like Unbound (DNS Resolver) supports DNS64 as well (plus BIND/named if you want to use that), so that plus FreeBSD's ipfw_nat64 kernel module should mean everything that is needed is there.

Actions #31

Updated by Rick Coats over 5 years ago

I was disappointed that this has not been at least added to the roadmap for 2.5. It seems as though Netgate didn't catch the news about software developers for Apple have to be verified to work in a NAT64.

Actions #32

Updated by Martin GrĂ¼ning over 5 years ago

Another upvote. Would ease migration to IPv6-only LAN tremendously.

Actions #33

Updated by Chris Collins about 5 years ago

UPVOTE here, put politics aside please, regardless if you hate NAT or not, this feature should at least be added.

Its now supported in baseline FreeBSD using ipfw. For PF it may never come tho due to the decision to not follow openbsd code on that.

Its two clear use cases are to prevent outgoing ipv6 dns/ntp leaks gracefully and also for single stacked ipv6 clients able to translate to outgoing ipv4.

Actions #34

Updated by Bipin Chandra about 5 years ago

UPVOTE - we need this feature desperately and if this isnt coming then it will be a deciding point for us to move to a different firewall that supports this after being with pfsense for so long and having installed it on n number of systems

Actions #35

Updated by Dmitri Toubelis about 5 years ago

Bipin Chandra wrote:

UPVOTE - we need this feature desperately and if this isn't coming then it will be a deciding point for us to move to a different firewall that supports this after being with pfsense for so long and having installed it on n number of systems

Just move on to a different platform, this is what we did. This issue is open for 7 years now and I voted for it 2 years ago, so it is obvious that maintainers either have no idea how important this feature is or don't have anyone with enough understanding to implement it. pfSense is a decent product but people have businesses to run.

Actions #36

Updated by Car F almost 5 years ago

Please add NAT64 we need this feature!

Actions #37

Updated by Brandon Jackson over 4 years ago

Is it possible that anyone here is skilled in packaging?

Would it be possible for someone to make a Tayga package until officially supported/intergrated.

Actions #39

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #40

Updated by Dmitri Toubelis over 4 years ago

Viktor Gurov wrote:

https://github.com/pfsense/pfsense/pull/4405

Better late than never :-) We switched to Juniper SRX about 3 years ago while waiting for this feature ;-)

Actions #41

Updated by Viktor Gurov over 4 years ago

Actions #42

Updated by Jens Groh over 4 years ago

Viktor Gurov wrote:

IPFW NAT64 kernel support:
https://github.com/pfsense/FreeBSD-src/pull/35

As it is merged, is it already available in 2.5 Snapshots to test?

Actions #43

Updated by Jim Pingle over 4 years ago

  • Target version changed from Future to 2.5.0
Actions #44

Updated by Anonymous about 4 years ago

  • Target version changed from 2.5.0 to CE-Next
Actions #45

Updated by Jim Pingle almost 4 years ago

  • Target version changed from CE-Next to 2.6.0
Actions #46

Updated by Brandon Jackson almost 4 years ago

2.6 now? Wow.. Might as well officially at least make a TAYGA package.. Seems to work well enough, because this will like not happen until 3.0 in maybe 2035 at this rate :-(

Actions #47

Updated by Jim Pingle almost 4 years ago

Even that is unlikely, it's just an estimate -- it's a major change that needs significant review and testing, and ultimately the way that it utilizes ipfw may mean it doesn't get accepted.

If it works for you, you can apply the changes locally and use it.

Actions #48

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to New
  • Assignee deleted (Luiz Souza)

Pull Request was closed because code was based on IPFW and we plan to stop using IPFW as soon as possible. Introducing more code using it would not be a good idea

Actions #49

Updated by Renato Botelho over 3 years ago

  • Target version changed from 2.6.0 to Future
Actions #50

Updated by Thomas Wagner about 1 year ago

Please, is there a plan to implement functionality with an alternative to ipfw_nat64?

pfsense is unusable if Providers are assigning IPv6-only networks directly (without a routing IP). The< are forcing users to use NDP-proxy at least.

We need this in pfsense. Current workaround is to setup another box with OpenWRT that flawlessly does the job that normally belongs to the one and only firewall pfsense (what a pain).

What could be a path to get NDP-Proxy / NAT64 or equivalent into pfsense?
Please advice.

Actions #51

Updated by Scott Howard about 2 months ago

Upvote / Bump Can we get a status on this?

Actions #52

Updated by Mike Moore about 2 months ago

An 11 year old feature request........outstanding.

Actions #53

Updated by Marcos M 10 days ago

  • Subject changed from NAT64 Support to NAT64 Support
  • Status changed from New to In Progress
  • Assignee set to Kristof Provost
  • Target version changed from Future to 2.8.0
  • % Done changed from 0 to 50
  • Plus Target Version set to 25.03
Actions #54

Updated by Marcos M 10 days ago

  • Subject changed from NAT64 Support to NAT64 support
Actions

Also available in: Atom PDF