Proxy64
Getting Started with the VNS3 Plugin System
Proxy64 is deployed to VNS3 using the Plugin System. Please be familiar with the VNS3 Plug-In Configuration Guide.
What does it do?
Proxy64 is a NAT64+DNS64 plugin for VNS3, providing IPv6-only subnets with connectivity to the IPv4 Internet.
The well-known prefix for Internet NAT64 (defined by RFC6052), 64:ff9b::/96, is configured by default. RFC8215 defines the NAT64 range for so-called “private internets” to be 64:ff9b:1::/48.
The practical distinction is that publicly-unroutable IPv4 addresses (such as private, multicast, CGNAT, example, and documentation spaces) will not be mapped from the range 64:ff9b::/96. Any mappings to these spaces must be done using a range from the 64:ff9b:1::/48 space. For example, a packet sent to Proxy64 with the destination 64:ff9b::192.168.1.1 would be discarded.
NOTE: The Proxy64 plugin currently does not support RFC8215, and will only perform its function for destinations which map to a publicly-routable IPv4 address. A future version will support this functionality; please contact support@cohesive.net if you have a need.
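As an added illustration (not code from the Proxy64 plugin or VNS3), the Python below embeds an IPv4 address in the RFC6052 well-known /96 prefix, recovers it again, and applies the discard rule described above to a packet destination. It uses only the standard library; all function names are this example's own, and it assumes a /96 prefix as in this guide.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, the Proxy64 default. All names below
# belong to this example, not to Proxy64 or VNS3.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def is_mappable(ipv4):
    """True only for publicly-routable IPv4: the well-known prefix must not
    carry private, CGNAT, multicast, reserved or documentation space.
    is_global already excludes private/CGNAT/documentation ranges;
    multicast and 240/4 are checked explicitly."""
    a = ipaddress.IPv4Address(ipv4)
    return a.is_global and not a.is_multicast and not a.is_reserved


def to_nat64(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    a = ipaddress.IPv4Address(ipv4)
    if prefix == WKP and not is_mappable(a):
        raise ValueError(f"{a} is not publicly routable under {WKP}")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(a))


def from_nat64(ipv6, prefix=WKP):
    """Return the embedded IPv4 address, or None if outside the prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def handle_destination(ipv6, prefix=WKP):
    """Apply the page's rule to a packet destination: ("forward", ipv4) for a
    publicly-routable embedded address, ("discard", ipv4) otherwise (so
    64:ff9b::192.168.1.1 is dropped), ("not-nat64", None) outside the prefix."""
    v4 = from_nat64(ipv6, prefix)
    if v4 is None:
        return ("not-nat64", None)
    if prefix == WKP and not is_mappable(v4):
        return ("discard", str(v4))
    return ("forward", str(v4))
```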
What does it need?
- An IPv6 prefix from which IPv4 destinations can be mapped. The default is suitable for nearly all use-cases.
- Routes in your cloud environment and in VNS3 directing such IPv6 traffic to the Proxy64 plugin.
- IPv4 Internet connectivity supplied by VNS3 using the firewall.
- TCP and UDP port 53 accessibility by all hosts wishing to use the plugin; typically this takes the form of a DNAT firewall rule in VNS3.
DEPLOYING
Environmental setup
- Add route(s) to your cloud subnet(s) or otherwise provide for routing of your chosen prefix to the VNS3 instance. If you are using VNS3’s Overlay Network, a Route Advertisement for the prefix is sufficient.
- Ensure traffic from your intended subnet is allowed to reach VNS3 in your cloud security groups; this is not necessary if your hosts use the VNS3 Overlay Network or if traffic arrives to VNS3 on a tunneled connection.
- Configure your hosts to use your VNS3 controller’s IPv6 address for DNS. These requests will be NATed to the Proxy64 plugin, which responds with a mapped address if no IPv6 AAAA record is available.
Launching the plugin
- Import the image from the Plugin Catalog (or manually using this URL: LINK)
- Launch an instance of the Plugin; take note of the IPv4/6 addresses for the following steps. We will assume 198.51.100.5 and 2001:db8::c633:6405 for the rest of this guide.
- Add an Interface Route to VNS3 for 64:ff9b::/96 (or your chosen prefix), with the plugin instance’s IPv6 address as the Gateway.
- Install the following firewall rules to VNS3 (some modification may be required to fit your use case):
IPv4 rules:
# Allow Proxy64 plugin to reach Internet
FORWARD -i plugin0 -s 198.51.100.5 -j ACCEPT
# SNAT Proxy64 plugin to VNS3's primary eth0 address
POSTROUTING -o eth0 -s 198.51.100.5 -j MASQUERADE-ONCE
IPv6 rules:
# NAT incoming tcp DNS requests to the Proxy64 plugin
PREROUTING -p tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to 2001:db8::c633:6405:53
# NAT incoming udp DNS requests to the Proxy64 plugin
PREROUTING -p udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to 2001:db8::c633:6405:53
# Allow NAT64 traffic to reach plugin network
FORWARD -d 64:ff9b::/96 -o plugin0 -j ACCEPT
Testing functionality
Your IPv6-only hosts should now be able to:
- Reach mapped addresses without DNS, e.g., ping6 64:ff9b::1.1.1.1
- Receive mapped DNS resolutions within the 64:ff9b::/96 prefix range for IPv4-only sites, e.g., dig ipv4.jamieweb.net AAAA or nslookup -type=aaaa ip4.me
Updated on 24 Jun 2024