TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel. It is intended to provide production-quality NAT64 service for networks where dedicated NAT64 hardware would be overkill.
TAYGA is:
- Fast — can saturate gigabit Ethernet on modest PC hardware
- Flexible — performs dynamic mapping to handle any site addressing scheme
- Secure — runs outside of the kernel as an unprivileged process
- Compatible — works with all Linux 2.4 and 2.6 kernels
- Simple — requires only a five-line configuration file (three lines in some cases)
- Easy to install — no kernel patches or external dependencies required
- Free — licensed under GPLv2
The latest release of TAYGA is version 0.9.2, released on 2011-06-10. This release fixes some obscure fragmentation and MTU bugs, and also adds a workaround for a bug in Linux kernels older than 2.6.34 which would cause certain translated packets to be dropped by the "conntrack" netfilter subsystem. (See Launchpad bug 788637 for more information.)
Notes on building for WRT54 and similar routers running Tomato
Super-quick-start
You will need to select an unused /96 from your site's IPv6 address range, which will be used as the NAT64 prefix. You will also need a block of unused IPv4 addresses for the dynamic address pool. TAYGA will assign IPv4 addresses from this pool to the IPv6 hosts that need NAT64 service. The dynamic pool can be chosen from private IPv4 address space (10.x.x.x, 192.168.x.x, etc.) and can be of any size, although it needs to be large enough to contain one IPv4 address for every IPv6 host that needs to use the NAT64.
TAYGA also needs its own IPv4 address, but this can be taken from the dynamic address pool.
# ./configure && make && make install
# mkdir -p /var/db/tayga
# cat >/usr/local/etc/tayga.conf <<EOD
tun-device nat64
# this is TAYGA's IPv4 address, not your router's address
ipv4-addr 192.168.255.1
# replace with an unused /96 prefix from your site's address range
prefix 2001:db8:1:ffff::/96
dynamic-pool 192.168.255.0/24
data-dir /var/db/tayga
EOD
# tayga --mktun
# ip link set nat64 up
# ip addr add 192.168.0.1 dev nat64          # replace with your router's IPv4 address
# ip addr add 2001:db8:1::1 dev nat64        # replace with your router's IPv6 address
# ip route add 192.168.255.0/24 dev nat64
# ip route add 2001:db8:1:ffff::/96 dev nat64
# tayga
# ping6 2001:db8:1:ffff::192.168.0.1
If the ping6 command succeeds, TAYGA is working. Now you'll need to set up NAT44 rules in iptables or elsewhere on your network so the dynamic pool addresses can reach the rest of the Internet.
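To make the stateless mapping behind the quick start concrete, here is an added example (not TAYGA's own code, and not from the distribution) that shows how a /96 NAT64 prefix carries an IPv4 address in its low 32 bits, why the ping6 target 2001:db8:1:ffff::192.168.0.1 is simply the router's IPv4 address embedded in the prefix, and a few sanity checks on the quick-start tayga.conf values. The config parser assumes the "key value" layout shown above with "#" starting a comment, and the host-capacity count assumes TAYGA's own ipv4-addr is not handed out to a host when it lies inside the pool; both are assumptions of this example. The sample configuration is constructed from the quick start.

```python
"""Added example: NAT64 /96 address embedding and tayga.conf sanity checks."""
import ipaddress

# Constructed sample: the tayga.conf written by the quick start above.
SAMPLE_CONF = """\
tun-device nat64
# TAYGA's own IPv4 address, not the router's
ipv4-addr 192.168.255.1
prefix 2001:db8:1:ffff::/96
dynamic-pool 192.168.255.0/24
data-dir /var/db/tayga
"""

REQUIRED_KEYS = ("tun-device", "ipv4-addr", "prefix", "dynamic-pool", "data-dir")


def parse_conf(text):
    """Parse 'key value' lines into a dict. Assumption: '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def nat64_embed(prefix, ipv4):
    """IPv4 -> IPv6: the 32-bit IPv4 address fills the low 32 bits of the /96."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("NAT64 prefix must be a /96, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix, ipv6):
    """IPv6 -> IPv4: only addresses inside the prefix are NAT64 destinations."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not inside NAT64 prefix %s" % (addr, net))
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def check_conf(text):
    """Return a list of problems with the config; an empty list means it looks sane."""
    conf = parse_conf(text)
    problems = ["missing %s" % k for k in REQUIRED_KEYS if k not in conf]
    if problems:
        return problems
    if ipaddress.IPv6Network(conf["prefix"]).prefixlen != 96:
        problems.append("prefix must be /96")
    if not ipaddress.IPv4Network(conf["dynamic-pool"]).is_private:
        problems.append("dynamic pool should come from private IPv4 space")
    return problems


def dynamic_pool_hosts(text):
    """Number of IPv6 hosts the pool can serve (one IPv4 address each).
    Assumption of this example: TAYGA's own address is excluded if it is in the pool."""
    conf = parse_conf(text)
    pool = ipaddress.IPv4Network(conf["dynamic-pool"])
    own = ipaddress.IPv4Address(conf["ipv4-addr"])
    return pool.num_addresses - (1 if own in pool else 0)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    target = nat64_embed(conf["prefix"], "192.168.0.1")
    print("router as seen through NAT64:", target)
    print("back to IPv4:", nat64_extract(conf["prefix"], target))
    print("problems:", check_conf(SAMPLE_CONF) or "none")
    print("hosts the pool can serve:", dynamic_pool_hosts(SAMPLE_CONF))
```

The mixed notation in the quick start's ping6 target and the hex form printed here name the same address; the mapping is a pure bit operation in both directions, which is exactly why TAYGA needs no per-session state and why every pool address must be routed back to the nat64 interface.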
Full documentation about the configuration and operation of TAYGA can be found in the man pages and README file accompanying the distribution.
DNS64
ISC BIND supports DNS64 since version 9.8 and is the best option for DNS64 services. Another option is Totd, although it has not been updated in some years.
What about stateful NAT?
TAYGA could never come close to offering the power and flexibility available in iptables and mature commercial NAT44 implementations, so instead TAYGA turns IPv6 into IPv4 in the most transparent manner possible, allowing existing IPv4-only tools to be used to further manipulate sessions flowing through it.
In other words, if you need stateful NAT64, route TAYGA's IPv4 path through a stateful NAT44.
Contact
The author, Nathan Lutchansky, can be contacted at lutchann@litech.org.