NAT64/DNS64 on OpenWRT

The latest stable release of OpenWRT – Barrier Break – makes it a simple matter to add NAT64 and DNS64 capabilities to the router. This is particularly useful if one wishes to run an IPv6 only internal LAN network while dealing with the IPv4 + IPv6 world of the Internet.


DNS64 provides a faux AAAA record for any existing A record. The easiest tool to use for this is TOTD, which is no longer in development but is found in the main OpenWRT repositories.

So, install TOTD and configure it.

# opkg update
# opkg install totd
# vi /etc/totd.conf

The totd.conf file should contain the following:

; substitute with your upstream DNS
forwarder port 53
forwarder port 53
; modify your OpenWRT ULA prefix here
prefix fd63:fab9:6ccf:64::
; this port is used later
port 5353

Enable and start TOTD, and check the logs for any errors:

# /etc/init.d/totd enable
# /etc/init.d/totd start
# logread

Finally, configure the built-in DNSMASQ to use TOTD as its upstream. Just remember to use as the upstream server. Note the use of a hash (#) symbol.

You should be able to verify that it works by querying AAAA records for pure IPv4 names. You should see that a fake IPv6 address be returned with your TOTD specified prefix.

# ping6

You won’t be able to actually ping it over IPv6 yet at this point, until your NAT64 is setup correctly.


NAT64 provides an IPv6 to IPv4 NAT mechanism which will actually transfer the IPv6 packets by converting them into IPv4 packets and back. The tool to do this is TAYGA and is also available in the OpenWRT repositories.

First, install TAYGA.

# opkg update
# opkg install tayga

Next, edit /etc/config/network and add a new interface.

config interface nat64
 option proto tayga
 option ifname 'tayga-nat64'
 option ipv4_addr
 option prefix fd63:fab9:6ccf:64::/96
 option dynamic_pool
 option accept_ra 0
 option send_rs 0

Next, edit /etc/config/firewall and add it to the LAN zone.

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 option network 'lan nat64'

Enable and start TAGYA, and check the logs for errors.

# /etc/init.d/network restart
# /etc/init.d/firewall restart
# logread

You should now be able to ping any IPv4 server using IPv6.

# ping6


NAT64 and DNS64

I have been investigating options for moving my network to a pure IPv6 stack. The main issue here is ensuring that there is still connectivity to the IPv4 Internet after the move. The best options that I have found that support this configuration is the NAT64/DNS64 stack.

Setting this up was a bit of a head-ache as the documentation was lacking for Tayga on Linux as a NAT64 router. That said, I had to follow the example strictly and I was able to replicate things on my OpenWRT 12.09 router.

Setting up the DNS64 settings was much easier and things worked after that. I was able to ping and connect to the IPv4 world on my pure IPv6 network. Unfortunately, I had trouble connecting to the IPv6 Internet instead. Thing is that my Internet connection is still pure IPv4.

So, I’m now investigating the possibility of running a DNS server that will not forward AAAA record lookups but things do not look good. There doesn’t seem to be any DNS server built with that feature. Looks like I’m going to have to roll my own.

I might have to look at the feasibility of modifying the TOTD source, once I can find it though.