Tayga NAT64: letting IPv6-only hosts reach IPv4
NAT64 and DNS64 together provide the protocol translation used in the early IPv6 transition: hosts on an IPv6-only network reach existing IPv4 Internet resources without any configuration change on either side. DNS64 synthesizes an AAAA record for a name that only has an A record by embedding the IPv4 address in a /96 prefix, and NAT64 (here Tayga, a stateless user-space translator) turns packets sent to that prefix back into IPv4 packets. Below, a single CentOS server running the Tayga service gives an IPv6 network access to IPv4.
The solution topology is shown below:
How the deployed topology works:
Test configuration:
—————————————–
Step 1: basic environment setup (the firewall is stopped and SELinux set to permissive only to keep this lab short; a production translator should keep both and open just what it needs):
[root@tayga ~]# systemctl stop firewalld
[root@tayga ~]# setenforce 0
[root@tayga ~]# yum -y install epel-release
[root@tayga ~]# yum makecache
Step 2: configure the interface addresses:
[root@tayga ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
IPV6ADDR=fd00:2020:2019::1/64 # the ULA address the IPv6 clients send their traffic to
NAME="ens33"
UUID="6329b148-f848-41bf-a8a7-3581cf62d334"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.1.106"
PREFIX="24"
GATEWAY="192.168.1.1"
DNS1="114.114.114.114"
IPV6_PRIVACY="no"
NAT64 configuration (Tayga):
Step 3: install Tayga and edit its config file:
[root@tayga ~]# yum install tayga -y
[root@tayga ~]# grep -v -e '^#' -e '^$' /etc/tayga/default.conf # the stock config; only the prefix was changed
tun-device nat64
ipv4-addr 192.168.255.1
prefix fd00:2020::/96
dynamic-pool 192.168.255.0/24
data-dir /var/lib/tayga/default
Step 4: give the nat64 interface IPv4 and IPv6 addresses. Caveat: 192.168.255.1 is also Tayga's own ipv4-addr, and Tayga's sample config warns that this address is not meant to be the host's (Tayga sources its ICMP messages from it and answers pings on it). The Tayga README instead puts the host's existing address on the tun device, i.e. ip addr add 192.168.1.106 dev nat64, and then adds the pool route explicitly in step 6:
[root@tayga ~]# systemctl start tayga@default
[root@tayga ~]# ip addr add 2020:2020::1/96 dev nat64 # the address itself is arbitrary; traffic is steered by the route added in step 6
[root@tayga ~]# ip addr add 192.168.255.1/24 dev nat64
[root@tayga ~]# ip link set nat64 up
Step 5: SNAT the dynamic-pool addresses so they can reach the Internet. Tayga gives each IPv6 client an IPv4 address from dynamic-pool (192.168.255.0/24); those addresses are private, so the kernel has to SNAT them to 192.168.1.106 and forwarding must be on for both families. None of this survives a reboot as written: persist the sysctls in /etc/sysctl.d and save the rule with service iptables save.
[root@tayga ~]# yum install iptables-services -y
[root@tayga ~]# iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -j SNAT --to-source 192.168.1.106
[root@tayga ~]# sysctl -w net.ipv4.ip_forward=1
[root@tayga ~]# sysctl -w net.ipv6.conf.all.forwarding=1
[root@tayga ~]# ping -I 192.168.255.1 114.114.114.114 # only checks the SNAT path from the host itself; the real NAT64 test is from the IPv6-only client after step 6
PING 114.114.114.114 (114.114.114.114) from 192.168.255.1 : 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=77 time=34.1 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=67 time=33.3 ms
64 bytes from 114.114.114.114: icmp_seq=3 ttl=70 time=32.1 ms
64 bytes from 114.114.114.114: icmp_seq=4 ttl=72 time=35.7 ms
^C
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 32.160/33.850/35.739/1.313 ms
Step 6: route the IPv6 prefix and the dynamic pool to the nat64 interface:
[root@tayga ~]# ip route add 192.168.255.0/24 dev nat64 # only needed when the address on nat64 is not in 192.168.255.0/24; otherwise the kernel already added this connected route
[root@tayga ~]# ip route add fd00:2020::/96 dev nat64
Tested from an IPv6-only host (its traffic for fd00:2020::/96 is routed to fd00:2020:2019::1); it works:
DNS64 configuration (BIND):
[root@tayga ~]# yum install bind -y # install BIND and edit its config as follows
[root@tayga ~]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { fd00:2020:2019::1; ::1; }; # add the LAN IPv6 address
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # answers anyone who can reach the listeners; limiting this and allow-recursion to fd00:2020:2019::/64 avoids running an open recursive resolver
# upstream forwarders
forwarders { 202.96.134.133;114.114.114.114; };
# DNS64: the NAT64 prefix and the client range that receives synthesized AAAA records
dns64 fd00:2020::/96 {
clients { fd00:2020:2019::/64;};
// mapped { !10/8;172.16/12; any; };
break-dnssec yes;
//exclude { 2020:2019:2018::/96; };
suffix :: ;
};
recursion yes;
# DNSSEC off: upstream answers are not validated either (dnssec-enable is a BIND 9.11 option, removed in 9.18)
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
[root@tayga ~]# systemctl start named
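The options block above makes the box a recursive resolver that answers anyone able to reach its listeners. As an added example that is not part of the original post, here is the same DNS64 configuration with the exposure narrowed: queries and recursion are limited to the IPv6 LAN, the listeners stay as in the post, and the dns64 clients list reuses the same ACL. The acl name is an assumption; every address and path is the post's own.

```conf
# Added example (not from the post): hardened version of the DNS64 named.conf.
# "nat64-clients" is an assumed ACL name.
acl "nat64-clients" { fd00:2020:2019::/64; ::1; 127.0.0.1; };

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";

        # listeners as in the post: loopback on v4, the LAN ULA address on v6
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { fd00:2020:2019::1; ::1; };

        # weak:   allow-query { any; };  together with recursion yes this is an
        #         open resolver the moment a listener is reachable from outside
        # fixed:  only the IPv6 LAN may query, and only it may recurse
        allow-query { "nat64-clients"; };
        allow-recursion { "nat64-clients"; };
        recursion yes;

        forwarders { 202.96.134.133; 114.114.114.114; };

        # DNS64 for the same clients; the /96 must match prefix in tayga.conf
        dns64 fd00:2020::/96 {
                clients { "nat64-clients"; };
                break-dnssec yes;   # synthesize even when the client asked for DNSSEC data
        };

        # kept as in the post: no validation of upstream answers; turning it on
        # requires forwarders that pass DNSSEC records through
        dnssec-enable no;         # BIND 9.11 option, removed in 9.18
        dnssec-validation no;

        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
```

Check it with named-checkconf before restarting. The second, AAAA-filtering server at 192.168.1.107 deserves the same treatment: it only ever needs to answer 192.168.1.106 and itself, so allow-query { 192.168.1.106; 127.0.0.1; }; is enough there.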
DNS64 resolution works:
—————————————-
Once built, most websites and video streaming work normally; only some sites that have IPv6 addresses of their own may fail, and that comes down to which IPv6 address DNS64 hands back.
—————————————-
Fixing the sites that fail:
Names that already have AAAA records resolve as shown below. DNS64 only synthesizes an AAAA when the name has none, so for these names the clients get the site's real IPv6 address, and the failures come from the IPv6 hosts being unable to reach those addresses (this lab has no IPv6 route to the Internet).
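To see the difference between a synthesized and a native AAAA without a live resolver, the following added example (not part of the original post, and not Tayga or BIND code) reproduces the RFC 6052 mapping that DNS64 and Tayga both use with the fd00:2020::/96 prefix from the configs above, in both directions, and classifies a list of AAAA answers. The NAT64_PREFIX variable and the sample answers are assumptions; the sample is constructed, not captured dig output.

```shell
#!/bin/sh
# Added example, not from the original post: RFC 6052 /96 mapping by hand.
# 114.114.114.114 inside fd00:2020::/96 is fd00:2020::7272:7272 (each octet
# becomes one hex byte in the low 32 bits). Assumed: the prefix below is the
# one from tayga.conf and the dns64 block, written in compressed form.
NAT64_PREFIX="${NAT64_PREFIX:-fd00:2020::}"

# strip_zeros 007 -> 7 (a lone 0 stays 0); printf would read 0-prefixed octets as octal
strip_zeros() {
    z=${1%%[!0]*}
    v=${1#"$z"}
    [ -n "$v" ] && printf '%s' "$v" || printf '0'
}

# ipv4_to_nat64 A.B.C.D -> <prefix>AABB:CCDD, hex groups without padding (the form dig prints)
ipv4_to_nat64() {
    case $1 in *.*.*.*) ;; *) echo "bad IPv4: $1" >&2; return 1 ;; esac
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in ''|*[!0-9]*) echo "bad octet: $o" >&2; return 1 ;; esac
        [ "$(strip_zeros "$o")" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }
    done
    hi=$(( $(strip_zeros "$o1") * 256 + $(strip_zeros "$o2") ))
    lo=$(( $(strip_zeros "$o3") * 256 + $(strip_zeros "$o4") ))
    if [ "$hi" -eq 0 ]; then
        printf '%s%x\n' "$NAT64_PREFIX" "$lo"        # high group compressed away
    else
        printf '%s%x:%x\n' "$NAT64_PREFIX" "$hi" "$lo"
    fi
}

# nat64_to_ipv4 <prefix>AABB:CCDD -> A.B.C.D; returns 1 and prints nothing for any other address
nat64_to_ipv4() {
    case $1 in "$NAT64_PREFIX"*) ;; *) return 1 ;; esac
    suffix=${1#"$NAT64_PREFIX"}
    hi=${suffix%%:*}; lo=${suffix#*:}
    if [ "$hi" = "$suffix" ]; then hi=0; fi        # a single group: high 16 bits were zero
    for g in "$hi" "$lo"; do
        case $g in ''|*[!0-9a-fA-F]*) return 1 ;; esac
        [ ${#g} -le 4 ] || return 1
    done
    hi=$((0x$hi)); lo=$((0x$lo))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# classify_aaaa <addr>: "synthesized <ipv4>" when the AAAA lies inside the NAT64 prefix
# (DNS64 made it up, Tayga will translate it); "native" when it is the site's own AAAA,
# which needs real IPv6 transit and is exactly what the filter-aaaa workaround hides
classify_aaaa() {
    if v4=$(nat64_to_ipv4 "$1"); then
        printf 'synthesized %s\n' "$v4"
    else
        printf 'native\n'
    fi
}

# Constructed sample (not real dig output) of what
#   dig +short AAAA <name> @fd00:2020:2019::1
# returns for an IPv4-only name and for a name with its own AAAA record
SAMPLE_ANSWERS='fd00:2020::7272:7272
2001:db8::1'

demo() {
    printf '%s\n' "$SAMPLE_ANSWERS" | while read -r a; do
        printf '%-24s %s\n' "$a" "$(classify_aaaa "$a")"
    done
}
demo
```

Point the same classification at real answers with dig +short AAAA name @fd00:2020:2019::1 to confirm which of the failing sites are returning native addresses. Only the compressed form dig prints is parsed; a fully expanded address such as fd00:2020:0:0:0:0:7272:7272 is reported as native.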
The workaround is a second DNS server that strips the AAAA records out of answers (its build steps are omitted). The filter-aaaa directive used below is the options-level form of the BIND 9.11 shipped with CentOS 7; in BIND 9.14 and later the same feature is the filter-aaaa plugin. Its named.conf:
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.1.107;127.0.0.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
forwarders { 114.114.114.114; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
filter-aaaa-on-v4 yes; # drop AAAA records from answers to IPv4 clients; the DNS64 server forwards here over IPv4, so it then sees only A records and synthesizes
//filter-aaaa-on-v6 yes;
//filter-aaaa-on-v4 break-dnssec;
//filter-aaaa-on-v6 break-dnssec;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
Then point the forwarders of 192.168.1.106 at 192.168.1.107:
forwarders { 192.168.1.107; };
Testing again, only IPv4 addresses come back:
————————————————-
For now this filter does the job. With it in place, IPv6-only clients can reach any IPv4 address or service through the translator. The cost is that sites' own AAAA records are hidden from every client behind this resolver, so the filter should go as soon as the network gets real IPv6 transit.