How to Set Up NAT64, DNS64, and 464XLAT (CLAT) on pfSense and Linux

If you’re running a dual-stack network and want to allow IPv6-only devices to communicate with IPv4 resources, NAT64, DNS64, and 464XLAT can bridge the gap effectively. This guide will walk you through how to set them up on pfSense and Linux, enabling seamless IPv6-to-IPv4 communication.


🌐 What Are NAT64, DNS64, and 464XLAT?

  • NAT64 (Network Address Translation for IPv6) enables IPv6-only clients to access IPv4-only servers by translating IPv6 packets to IPv4 at the network layer.
  • DNS64 generates synthetic AAAA records from A records so IPv6-only clients can initiate connections to IPv4 hosts.
  • 464XLAT is a combination of:

    • CLAT (Customer-side translator) on the client device, translating IPv4 traffic into IPv6.
    • PLAT (Provider-side translator), typically NAT64 on the network side (in this case, pfSense).

Together, they enable full IPv4 access from an IPv6-only device, including applications that require literal IPv4 addresses.


🧠 Prerequisites

Make sure you have:

  • IPv4 and IPv6 Internet connectivity on pfSense.
  • pfSense version 2.8 or newer.
  • Basic understanding of pfSense’s Web UI.
  • A Linux device if you want to test 464XLAT (CLAT).

✅ Setting Up NAT64 on pfSense

  1. Go to Firewall > Rules.
  2. Choose the interface for your IPv6 clients (e.g., LAN).
  3. Click Add to create a new rule.
  4. Set Address Family to IPv6.
  5. Scroll down and check Enable NAT64.
  6. Configure the rest of the rule (Source: LAN Net, Destination: any, etc).
  7. Click Save and Apply Changes.

🌍 Enabling DNS64 on pfSense

  1. Go to Services > DNS Resolver.
  2. Click the Advanced Settings tab.
  3. Enable DNS64 Support.
  4. Click Save and Apply Changes.

Now pfSense will synthesize AAAA records for IPv4-only domains, allowing IPv6-only clients to resolve and reach them via NAT64.


📣 Advertise NAT64 Prefix (PREF64)

  1. Navigate to Services > Router Advertisements.
  2. Choose your LAN interface and click Edit.
  3. Under NAT64 Prefix, enter:

    64:ff9b::/96

  4. Save and apply the changes.

This will inform IPv6 clients of the NAT64 prefix, enabling automatic address translation.


🧪 Optional: Setting Up 464XLAT (CLAT) on Linux

For applications that don’t support IPv6 or require raw IPv4 socket access (like some VPNs or legacy tools), you can install a CLAT on your Linux system using clatd.

🛠️ Installation Steps:

  1. Clone the clatd repository:

    git clone https://github.com/toreanderson/clatd

  2. Install clatd and its dependencies:

    sudo make -C clatd install installdeps

⚠️ Your Linux system must have a public or delegated IPv6 address and access to the NAT64 prefix (64:ff9b::/96).


🔍 Testing the Setup

  • From an IPv6-only client, try:

    ping ipv4.google.com

  • On the client, run dig A example.com and confirm that the client has no direct IPv4 connectivity, then run dig AAAA example.com to see the synthesized IPv6 address from DNS64.
  • With CLAT active on Linux, try accessing IPv4-only services using their IPv4 literal IPs—this should now work!
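
The address mapping behind those synthesized AAAA answers, as an added example (not part of the original post and not pfSense's own code): it embeds an IPv4 address in the NAT64 prefix as RFC 6052 specifies and recovers it again, which is also how a 64:ff9b:: destination in a firewall log is turned back into the IPv4 host it refers to. It goes beyond the page's /96 prefix to cover the other RFC 6052 prefix lengths; the function names and the documentation-range sample addresses are assumptions.

```python
import ipaddress

WKP = "64:ff9b::/96"                      # prefix configured on this page
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # RFC 6052 section 2.2

def _offsets(plen):
    """Byte offsets holding the four IPv4 octets; byte 8 (the 'u' octet) is skipped."""
    offs, i = [], plen // 8
    while len(offs) < 4:
        if i != 8:
            offs.append(i)
        i += 1
    return offs

def synthesize(ipv4, prefix=WKP):
    """IPv6 address that DNS64 would hand out for an IPv4 address under this prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length")
    raw = bytearray(net.network_address.packed)
    for off, octet in zip(_offsets(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[off] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix=WKP):
    """Embedded IPv4 address, or None if ipv6 is not a translated address."""
    net, addr = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in VALID_LENGTHS or addr not in net:
        return None
    raw, offs = addr.packed, _offsets(net.prefixlen)
    # Strict choice made for this example: 'u' octet and suffix bits must be zero.
    if any(raw[i] for i in range(net.prefixlen // 8, 16) if i not in offs):
        return None
    return ipaddress.IPv4Address(bytes(raw[i] for i in offs))

def classify(aaaa, a_records, prefix=WKP):
    """Label a AAAA answer against the same name's A records."""
    v4 = extract(aaaa, prefix)
    if v4 is None:
        return "native"                   # real IPv6 address, no translation involved
    return "synthesized" if str(v4) in a_records else "mismatch"

if __name__ == "__main__":
    # Constructed sample answers (documentation addresses, not real lookups).
    print(synthesize("192.0.2.33"))
    print(classify("64:ff9b::c000:221", ["192.0.2.33"]))
    print(classify("2001:db8::1", ["192.0.2.33"]))
```

A "mismatch" result means the AAAA answer sits inside the NAT64 prefix but embeds an IPv4 address the A lookup did not return, which is worth a second look when comparing resolver output.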

🎉 Conclusion

By enabling NAT64, DNS64, and optionally 464XLAT on pfSense and Linux, you’re creating a powerful and flexible network environment that supports both IPv4 and IPv6 seamlessly. This setup is ideal for transitioning to IPv6 while maintaining access to legacy IPv4 services.

Whether you’re an enthusiast or a network engineer, mastering these technologies prepares you for the dual-stack and eventually IPv6-only future of the Internet.


Have any questions or want to share your own setup? Let’s discuss in the comments!

This post is licensed under CC BY 4.0 by the author.
