Advanced IPv6 Configuration – FortiBalancer

16.4 DNS46 and NAT46

16.4.1 Overview

The DNS46 function converts the DNS A queries sent from IPv4 clients to DNS AAAA queries and then converts the DNS AAAA responses to DNS A responses. It also creates mapping records between the IPv6 addresses and IPv4 addresses. The FortiBalancer appliance returns the translated IPv4 addresses to IPv4 clients. When IPv4 clients use these IPv4 addresses to access IPv6 servers, the NAT46 function converts IPv4 packets sent from clients to IPv6 packets based the created mapping records. When the FortiBalancer appliance receives IPv6 packets from IPv6 servers, the NAT46 function converts IPv6 packets to IPv4 packets. This ensures that IPv4 clients can communicate with IPv6 servers normally. Because the DNS46 and NAT46 functions both use the mapping records, they must be deployed on one FortiBalancer appliance.

16.4.2 Working Mechanism

The DNS46 and NAT46 functions are applicable to the “IPv4 to IPv6” scenario, as shown in the following figure.

 

Figure 16-4 “IPv4 to IPv6” Application Scenario The working process of the DNS46 and NAT46 functions is as follows:

  1. An IPv4 client (61.130.10.10) sends a DNS A query to the FortiBalancer appliance (210.108.10.1) to resolve the domain name “www.example.com”.
  2. The FortiBalancer appliance sends the DNS A query to the DNS A authoritative server for the domain name.
  3. If the DNS A authoritative server has no A record for the domain name, it will return an empty DNS A response to the FortiBalancer appliance. The FortiBalancer appliance will ignore this response.
  4. The FortiBalancer appliance waits for 100 ms after sending the DNS A query. If the FortiBalancer appliance does not receive any valid DNS A response, it will send a DNS AAAA query to the DNS AAAA authoritative server for the domain name.
  5. The FortiBalancer appliance receives the DNS AAAA response (for example, AAAA: example.com – 2012:1081::a03:30b) from the DNS AAAA authoritative server.
  6. The FortiBalancer appliance converts the DNS AAAA response to a DNS A response (for example, A: www.example.com – 210.108.10.10) based on the configured address pool (that is, the IPv4 mapping subnet configured by using the command “ipv6 dnsnat46 ipmap”). Then, the FortiBalancer appliance returns the converted DNS A response to the IPv4 client. Meanwhile, the system creates a mapping record between 2012:1081::a03:30b and 210.108.10.10.
  7. The IPv4 client uses the converted IPv4 address to access “www.example.com”.
  8. The FortiBalancer appliance converts the IPv4 packet (src: 61.130.10.10; dst: 210.108.10.10) sent from the client to an IPv6 packet (src: 2012:1081::a03:30a; dst:2012:1081::a03:30b) based on the created address mapping record, and sends the IPv6 packet to the target IPv6 server.

Figure 16-5 NAT46 Address Translation

  1. The IPv6 server returns an IPv6 packet (src: 2012:1081::a03:30b; dst: 2012:1081::a03:30a) to the FortiBalancer appliance.
  2. The FortiBalancer appliance converts the IPv6 packet to an IPv4 packet (src: 210.108.10.10; dst: 61.130.10.10) and returns the IPv6 packet to the IPv4 client.

16.4.3 Application Notes

The DNS46 and NAT46 functions can be enabled on only one DNS virtual service. This virtual service, acting as the DNS proxy, converts DNS A queries to DNS AAAA queries and then converts DNS AAAA responses to DNS A responses.

To make the DNS46 and NAT46 functions work properly, you need to configure the “default” and “backup” policies for this virtual service. The FortiBalancer appliance forwards DNS A queries based on the “default” policy and forwards DNS AAAA queries based on the “backup” policy. Therefore, the real servers associated with the “default” policy should be DNS servers that can answer A records, and those associated with the “backup” policy should be DNS servers that can answer AAAA records.

16.4.4 Configuring DNS46 and NAT46

  • web UI
    1. Please refer to the section “Configuring DNS64 and NAT64” to complete the address pool and SLB configurations via web UI.
    2. Select System Configuration > NAT > V4/V6 NAT. In the DNS-NAT-46

Configuration area, specify the required parameters and click the Set action link to save the configuration.

 

  • CLI
    1. Please refer to the section “Configuring DNS64 and NAT64” to complete the address pool and SLB configurations via CLI.

For example:

FortiBalancer(config)#ip pool NAT46_pool 2012:1081::a03:30a

 

FortiBalancer(config)#slb real dns dns_rs1 2012:1081::a03:30c

FortiBalancer(config)#slb real dns dns_rs2 2012:1081::a03:30d

FortiBalancer(config)#slb group method g1 rr

FortiBalancer(config)#slb group member g1 dns_rs1

FortiBalancer(config)#slb group method g2 rr

FortiBalancer(config)#slb group member g2 dns_rs2

FortiBalancer(config)#slb virtual dns dns_vs1 210.108.10.1

FortiBalancer(config)#slb policy default dns_vs1 g1

FortiBalancer(config)#slb policy backup dns_vs1 g2

FortiBalancer(config)#slb real enable dns_rs1

FortiBalancer(config)#slb real enable dns_rs2

  1. Execute the following command to enable both the DNS46 and NAT46 functions for a specified DNS virtual service:

ipv6 dnsnat46 on <vs_name>

For example:

FortiBalancer(config)#ipv6 dnsnat46 on dns_vs1

  1. Execute the following command to configure an IPv4 subnet used to create the address mapping table:

ipv6 dnsnat46 ipmap <ipv4_address> <netmask> [timeout]

For example:

FortiBalancer(config)#ipv6 dnsnat46 ipmap 192.168.2.0 255.255.255.0 600

  1. Execute the following command to specify the IPv6 address pool used by the NAT46 function:

ipv6 dnsnat46 ippool <ipv6_pool_name>

For example:

FortiBalancer(config)#ipv6 dnsnat46 ippool NAT46_pool

  1. Execute the following command to set the idle timeout period for NAT46 TCP connections:

ipv6 dnsnat46 timeout <idle_timeout>

For example:

FortiBalancer(config)#ipv6 dnsnat46 timeout 300

One thought on “Advanced IPv6 Configuration – FortiBalancer

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.