TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel. It is intended to provide production-quality NAT64 service for networks where dedicated NAT64 hardware would be overkill.


The latest release of TAYGA is version 0.9.2, released on 2011-06-10. This release fixes some obscure fragmentation and MTU bugs, and also adds a workaround for a bug in Linux kernels older than 2.6.34 which would cause certain translated packets to be dropped by the "conntrack" netfilter subsystem. (See Launchpad bug 788637 for more information.)


README for TAYGA 0.9.2


Notes on building for WRT54 and similar routers running Tomato


You will need to select an unused /96 from your site's IPv6 address range which will be used as the NAT64 prefix. You will also need a block of unused IPv4 addresses for the dynamic address pool. TAYGA will assign IPv4 addresses from this pool to the IPv6 hosts that need NAT64 service. The dynamic pool can be chosen from private IPv4 address space (10.x.x.x, 192.168.x.x, etc.) and can be of any size, although it needs to be large enough to contain one IPv4 address for every IPv6 host that needs to use the NAT64.

TAYGA also needs its own IPv4 address, but this can be taken from the dynamic address pool.
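
A pre-flight check for the address plan described above, as an added example that is not part of TAYGA or its documentation. The function names, the sample IPv4 ranges and the assumption that every pool address is assignable are illustrative; placing the IPv4 address in the low 32 bits of the /96 follows RFC 6052.

```python
import ipaddress


def nat64_address(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError(f"{net} is not a /96")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def check_plan(prefix, pool, tayga_addr, hosts, used_v4=(), used_v6=()):
    """Return a list of problems with the planned addressing (empty if none)."""
    problems = []
    net6 = ipaddress.IPv6Network(prefix)
    pool4 = ipaddress.IPv4Network(pool)
    addr4 = ipaddress.IPv4Address(tayga_addr)

    if net6.prefixlen != 96:
        problems.append(f"NAT64 prefix {net6} is not a /96")
    # "Unused" means no overlap with subnets already assigned on the site.
    for used in map(ipaddress.IPv6Network, used_v6):
        if net6.overlaps(used):
            problems.append(f"NAT64 prefix {net6} overlaps in-use {used}")
    for used in map(ipaddress.IPv4Network, used_v4):
        if pool4.overlaps(used):
            problems.append(f"dynamic pool {pool4} overlaps in-use {used}")
    # One pool address per IPv6 host; TAYGA's own address uses one if it
    # is taken from the pool. Assumption: every other address is assignable.
    usable = pool4.num_addresses - (1 if addr4 in pool4 else 0)
    if hosts > usable:
        problems.append(f"pool {pool4} has {usable} addresses for {hosts} hosts")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the IPv4 ranges are not from the page.
    for p in check_plan("2001:db8:1:ffff::/96", "192.168.255.0/24",
                        "192.168.255.1", hosts=300,
                        used_v4=["192.168.0.0/24"], used_v6=["2001:db8:1::/64"]):
        print("PROBLEM:", p)
    print(nat64_address("2001:db8:1:ffff::/96", "192.168.0.1"))
```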

# ./configure && make && make install
# mkdir -p /var/db/tayga
# cat >/usr/local/etc/tayga.conf <<EOD
tun-device nat64
ipv4-addr                  (this is TAYGA's IPv4 address, not your router's address)
prefix 2001:db8:1:ffff::/96              (replace with an unused /96 prefix from your site's address range)
data-dir /var/db/tayga
EOD
# tayga --mktun
# ip link set nat64 up
# ip addr add dev nat64      (replace with your router's IPv4 address)
# ip addr add 2001:db8:1::1 dev nat64    (replace with your router's IPv6 address)
# ip route add dev nat64
# ip route add 2001:db8:1:ffff::/96 dev nat64
# tayga
# ping6 2001:db8:1:ffff::

If the ping6 command succeeds, TAYGA is working. Now you'll need to set up NAT44 rules in iptables or elsewhere on your network so the dynamic pool addresses can reach the rest of the Internet.

Full documentation about the configuration and operation of TAYGA can be found in the man pages and README file accompanying the distribution.


ISC BIND supports DNS64 since version 9.8 and is the best option for DNS64 services. Another option is Totd, although it has not been updated in some years.

What about stateful NAT?

TAYGA could never come close to offering the power and flexibility available in iptables and mature commercial NAT44 implementations, so instead TAYGA turns IPv6 into IPv4 in the most transparent manner possible, allowing existing IPv4-only tools to be used to further manipulate sessions flowing through it.

In other words, if you need stateful NAT64, route TAYGA's IPv4 path through a stateful NAT44.


The author, Nathan Lutchansky, can be contacted at lutchann@litech.org.