This lab show an NAT64 lab example using BSDPR with tayga (user space) and ipfw (kernel space).

Here is the logical and physical view:

Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.

More information on these BSDRP lab scripts available on How to build a BSDRP router lab.

Start the lab with 3 routers. With bhyve under FreeBSD:

user:~ # tools/BSDRP-lab-bhyve.sh -i BSDRP-1.93-full-amd64-serial.img.xz -n 3
BSD Router Project (http://bsdrp.net) - bhyve full-meshed lab script
Setting-up a virtual lab with 3 VM(s):
- Working directory: /tmp/BSDRP
- Each VM has 1 core and 512M RAM
- Emulated NIC: virtio-net
- Switch mode: bridge + tap
- 0 LAN(s) between all VM
- Full mesh Ethernet links between each VM
VM 1 has the following NIC:
- vtnet0 connected to VM 2
- vtnet1 connected to VM 3
VM 2 has the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 3
VM 3 has the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 2
To connect VM'serial console, you can use:
- VM 1 : cu -l /dev/nmdm-BSDRP.1B
- VM 2 : cu -l /dev/nmdm-BSDRP.2B
- VM 3 : cu -l /dev/nmdm-BSDRP.3B

VM1 is configured as a simple IPv6 only host:

sysrc hostname=VM1
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64"
sysrc ipv6_defaultrouter="2001:db8:12::2"
service hostname restart
service netif restart
service routing restart
config save

VM2 is a router with one interface toward IPv6 network, and another toward IPv4 network.

sysrc hostname=VM2
sysrc ifconfig_vtnet1="inet 2.2.2.2/24"
sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
service hostname restart
service netif restart
service routing restart
config save

VM3 is configured as a simple IPv4 only host:

sysrc hostname=VM3
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_vtnet1="inet 2.2.2.3/24"
sysrc defaultrouter="2.2.2.2"
service hostname restart
service netif restart
service routing restart
config save

Modify default default tayga's configuration file and enable it:

sysrc tayga_enable=yes
sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf
sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf
service tayga start

Quick test from VM2 by pinging its IPv4 address from its IPv6 one, and same by targeting VM3:

[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.2
PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:202
16 bytes from 64:ff9b::202:202, icmp_seq=0 hlim=63 time=0.128 ms
16 bytes from 64:ff9b::202:202, icmp_seq=1 hlim=63 time=0.082 ms
16 bytes from 64:ff9b::202:202, icmp_seq=2 hlim=63 time=0.069 ms

--- 64:ff9b::2.2.2.2 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.069/0.093/0.128/0.025 ms
[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.3
PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:203
16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=62 time=0.228 ms
16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=62 time=0.164 ms
16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=62 time=0.157 ms

--- 64:ff9b::2.2.2.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.157/0.183/0.228/0.032 ms

From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address:

[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203
16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=61 time=0.298 ms
16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=61 time=0.257 ms
16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=61 time=0.261 ms

--- 64:ff9b::2.2.2.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.257/0.272/0.298/0.018 ms

And check IPv4 source address seen by VM3:

[root@VM3]~# tcpdump -c 2 -pni vtnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16
17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16
2 packets captured
2 packets received by filter
0 packets dropped by kernel

IPFW NAT64 module supports both stateful (lsn) and stateless (stl) NAT64.

Configure a stateful NAT64 with ipfw, and enable logging:

sysrc firewall_enable=YES
sysrc firewall_script="/etc/ipfw.rules"
echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf
cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create prefix4 2.2.1.0/24
${fwcmd} add allow icmp6 from any to any icmp6types 135,136
${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in
${fwcmd} add allow ip from any to any
'EOF'

service ipfw start
sysctl net.inet.ip.fw.nat64_direct_output=1

From IPv6 only host, ping NAT64 IPv6 address corresponding to VM3 IPv4 address:

[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203
16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=0.369 ms
16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=0.259 ms
16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=0.248 ms

--- 64:ff9b::2.2.2.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.248/0.292/0.369/0.055 ms

Checking status on NAT64 router:

[root@VM2]~# ipfw nat64lsn NAT64 show states
2001:db8:12::1  2.2.1.210       ICMPv6          0       2.2.2.3
[root@VM2]~# ipfw show
00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136
00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in
65535  0   0 deny ip from any to any

Configure a stateless NAT64 with ipfw, and enable logging:

sysrc firewall_enable=YES
sysrc firewall_script="/etc/ipfw.rules"

cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
${fwcmd} table T46 create type addr valtype ipv6
${fwcmd} table T64 create type addr valtype ipv4
${fwcmd} nat64stl NAT64 create table4 T46 table6 T64
${fwcmd} add allow icmp6 from any to any icmp6types 135,136
${fwcmd} add nat64stl NAT64 ip from any to table\(T46\)
${fwcmd} add nat64stl NAT64 ip6 from table\(T64\) to 64:ff9b::/96
${fwcmd} add allow log ip from any to any
'EOF'

service ipfw start
sysctl net.inet.ip.fw.verbose=1

From IPv6 only host, ping NAT64 IPv6 address corresponding to VM3 IPv4 address:

[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703
16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms
16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms
16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms

--- 64:ff9b::10.0.23.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms

And check IPv4 source addresses seen by VM3:

[root@VM3]~# tcpdump -c 4 -pni vtnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46
13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28
13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo request, id 1024, seq 0, length 16
13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16

You can check firewall logs too on R2:

Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 in via vtnet0
Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 out via vtnet1
Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1
Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0