Carrier-Grade NAT (CGNAT)

DS-Lite tunnels packets directly to the AFTR in the service provider’s network. The AFTR is where the service provider allows users to share IPv4 addresses. DSLite is basically the shitty version of regular dual stack. You *can* forward ports on the AFTR but you're going to get a different port every time, so… don't

  1. An IPv6 tunnel is created. The IPv6 tunnel source is the router WAN interface, which has a globally scoped IPv6 WAN address allocated. It is configured via the DS-Lite “upstream interface” command option. The IPv6 tunnel destination used is the IPv6 address of the AFTR device located within the ISP network. Only one DS-Lite tunnel is supported.
  2. A connection is established between the router and the AFTR.
  3. An IPv4 default route is configured by the network engineer to transport IPv4 traffic via the IPv6 tunnel.
  4. All IPv4 traffic whose destination IP address matches the IPv4 (default) route, ingresses an internal virtual tunnel interface (or VTI) whose destination IP address matches the IPv4 default route. It is sent to the service provider encapsulated in an IPv6 RFC2473 tunnel.
  5. Within the service provider network, the AFTR device performs Carrier Grade NAT, translating private IPv4 addresses to public IPv4 addresses.


ip -6 tunnel add tun0 mode ipip6 remote AFTR_IP local OWN_IP dev eth2 encaplimit none
ip link set tun0 up
ip addr add peer dev tun0
ip r add default via

in Ubiquiti EdgeRouter

Supposedly this should work, but doesn't:

[edit interfaces ipv6-tunnel v6tun0]
+encapsulation ipip6
+local-ip OWN_IP
+mtu 1460
+remote-ip AFTR_IP

[edit protocols static interface-route]
+next-hop-interface v6tun0

The Linux version works, though.

AFTR Address Family Transition Router in the service provider’s network (softwire concentrator) DS-Lite implementation.
This is an IPv6 tunnel (RFC 2473) endpoint which implements NAT functionality (RFC 6333).
B4 Basic Bridging Broadband (softwire initiator) DS-Lite implementation.
This is the CPE equipment, that creates an IPv6 tunnel (RFC 2473) to an AFTR at the service provider.
CPE Customer Premise Equipment

see also: network glossary

  • Last modified: 2024-07-05 14:31