Description
This article explains how web browsing traffic flows for IPv6-only hosts when using NAT64 and DNS64.
Scope
FortiGate.
Solution
The example below demonstrates a basic IPv6 LAN setup with a DNS64 server.
How it works:
- The user's device sends a DNS query for example.com to the configured DNS64 server.
- The DNS64 server responds with an AAAA record (IPv6 address).
- Based on the configured NAT64 prefix, the IPv6 address will look like this: 64:ff9b::200.200.200.200.
- This address is created by combining:
  - the configured NAT64 prefix in the upper 96 bits;
  - the IPv4 address in the lower 32 bits.
- The device sends traffic to 64:ff9b::200.200.200.200, which passes through the FortiGate firewall.
- The firewall translates the source and destination IPv6 addresses into IPv4 according to the configured NAT64 settings: the destination becomes the IPv4 address embedded in the lower 32 bits, and the source is taken from the NAT64 IP pool.
- The translated IPv4 traffic is then forwarded to the ISP.
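The address synthesis described above, as an added worked example (not part of the original article or of FortiOS): `synthesize` does what DNS64 does when it builds the AAAA record, and `extract_ipv4` does what the NAT64 gateway does to recover the IPv4 destination. It goes beyond the article's /96 case and handles every RFC 6052 prefix length; the function names and the sample values are assumptions for illustration.

```python
import ipaddress

# RFC 6052 prefix lengths that can carry an embedded IPv4 address.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# Bits 64-71 of an IPv4-embedded address are reserved ('u' bits) and must be zero,
# so for prefixes shorter than /96 the IPv4 octets skip byte 8.
U_BYTE = 8


def _ipv4_byte_positions(prefixlen: int) -> list:
    """Return the four byte offsets that hold the embedded IPv4 address."""
    if prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefixlen}")
    positions, pos = [], prefixlen // 8
    while len(positions) < 4:
        if pos == U_BYTE:
            pos += 1  # leave the reserved u-bits byte untouched
        positions.append(pos)
        pos += 1
    return positions


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """DNS64 side: embed ipv4 into the NAT64 prefix to build the synthetic AAAA."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    out = bytearray(net.network_address.packed)  # prefix bits set, rest zero
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_ipv4_byte_positions(net.prefixlen), octets):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix: str, addr: str) -> ipaddress.IPv4Address:
    """NAT64 side: recover the IPv4 destination from an address inside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        raise ValueError(f"{a} is not inside NAT64 prefix {net}")
    raw = a.packed
    if net.prefixlen < 96 and raw[U_BYTE] != 0:
        raise ValueError("reserved u-bits are not zero; not a well-formed embedded address")
    return ipaddress.IPv4Address(bytes(raw[p] for p in _ipv4_byte_positions(net.prefixlen)))


if __name__ == "__main__":
    # Constructed values taken from the article: the well-known prefix and 200.200.200.200.
    aaaa = synthesize("64:ff9b::/96", "200.200.200.200")
    print(aaaa)                                     # 64:ff9b::c8c8:c8c8
    print(extract_ipv4("64:ff9b::/96", str(aaaa)))  # 200.200.200.200
```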
NAT64 configuration on FortiGate:
- NAT64 policy.
config firewall policy
    edit 1
        set name "NAT64"
        set srcintf "any"
        set dstintf "any"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "VIP64"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "ippool64"
    next
end
- IP pool.
config firewall ippool
    edit "ippool64"
        set startip 100.100.100.1
        set endip 100.100.100.1
        set nat64 enable
        set add-nat64-route enable
    next
end
- VIP64.
config firewall vip6
    edit "VIP64"
        set extip 64:ff9b::-64:ff9b::ffff:ffff
        set nat66 disable
        set nat64 enable
        set embedded-ipv4-address enable
    next
end