NAT64 Support #41
Comments
|
I asked the same thing last week and got this reply. I have a proof of concept NAT64 Linux box running on AWS, and it works as expected (thankfully, AWS VPC supports DNS64 out of the box and for free!). I hope to take a look at integrating this with fck-nat over the next 1-2 weeks. |
|
@LazerGrieves @apparentorder I just want to make sure you're aware of Egress Only Internet Gateways which provide NAT64 in VPCs for free. If you're already aware of that feature, is there a reason it doesn't work for your use case? |
|
I'm still pre-first-coffee right now, but I'm pretty sure that EO-IGW does not provide NAT64; the link above does not contradict that, and the DNS64/NAT64 docs support that (the NAT64 route |
|
Unless I am mistaken, one of the core features of NAT64 is allowing communication from IPv6 (our instance), to IPv4 (remote server). Egress-Only IGW seem to be able to communicate only from IPv6 to IPv6 addresses, hence requiring NAT64 to offer translation when one wishes to have an IPv6 <> IPv4 communication. |
|
Ah, yep, you're both correct. Had it in my head that EO-IGWs did NAT64 but I was mistaken. @apparentorder was pre-first-coffee and I was post-time-for-bed |
|
@LazerGrieves @apparentorder I fully implemented this feature into fck-nat, this really wasn't a piece of cake. I implemented this using Tayga which comes with it's lot of constraints (therefore probably not expected to be a on-by-default feature) that I will elaborate on in the PR. Have been able to make this work with both IPs as well as domain names, even for those not supporting AAAA fields, leveraging AWS' integrated DNS. To note, AWS DNS64 is very slow for some reason with requests taking up to 3 seconds. I will make a PR for this feature either sometime today or tomorrow. |
|
Very cool! My proof of concept was with Jool, which is a kernel module, hence more performant – and it seems to be "more maintained" than tayga. But I really wasn't sure how to best combine building a kmod from source with fck-nat's current packer infrastructure, so I'm really glad that you went ahead :-) Regarding this:
I have seen EC2 IPv6-only VMs that were deployed with a broken resolver config. The |
|
Thanks @apparentorder for sharing! Jool is indeed a much better alternative than TAYGA. In addition to not having the various constraints TAYGA is riddled with, it also runs as a kernel module which indeed is more yields better results. As for the slow DNS issue you are right as well, the |
|
@apparentorder wondering if you tried making ipv4 take precedence over ipv6 by adding a precedence value in the getaddrinfo config (/etc/gai.conf)? I've run into a similar situation before and this solved it for me. It has to be the very first thing your script does. echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf |
|
I've created a I expect to have the pre-release AMI out some time next week and I'll announce here when it is ready. In the meantime, if you are interested in testing and have a particular region you'd like the pre-release AMI deployed to, please comment below. |
|
@AndrewGuenther Glad to hear it! If you could include the Thank you for all the work you've done so far. |
|
I tested again and it still works on my end. Tried in both a IPv6 and a dual-stack setup. I will update my nat64 branch on the Terraform module to make it easy to test for those who'd like to easily try. @AndrewGuenther Regarding your request for me to have a look at @nickpetrovic post: Unfortunately I haven't been able to reproduce the slow DNS for IPv4, could have been because I was using AL2 back then, unsure. Nevertheless, this potential issue should be considered out of scope for this project as it affects the machine that needs to be NATted rather than the NAT instance itself, therefore, up to the users to configure themselves. |
|
Ah I didn't realize that issue was not impacting NAT. Nevermind then! |
|
I'm planning to deploy the prerelease AMI to the following regions and can add as necessary:
|
|
Quick update here: I've hit quotas on number of public AMIs allowed. I'm waiting on AWS support to grant increases in these regions and will follow-up asking for increases in other regions since this will block future releases... |
|
It's as if AWS support heard my cries. Pre-release AMIS with NAT64 are now available! Account owner: 568608671756 ARM AMIs: x86 AMIs: (Note to self: For these I added a prefix to the AMI names so the documented search patterns wouldn't pick them up, but in the future it might be best to put these in a separate account entirely to avoid any confusion) |
|
Just updated the Terraform module to have a functional NAT64 support with the latest fck-nat version. You can easily experiment using the nat64 branch of the repo, start, which would allow one to quickly setup a full env to test. Make sure to set the |
Hello,
I've just discovered fck-nat and I am thrilled that something like this exists because those AWS Managed NAT Gateways are pricey (especially with a Multi-AZ implementation).
However, I am wondering if there are any plans to implement support for NAT64 in fck-nat? I've been experimenting with IPv6-only private subnets ever since AWS announced that there will be charges for Public IPv4 addresses starting in 2024 and NAT64 seems like a requirement.
Thank you.
The text was updated successfully, but these errors were encountered: