Diffstat (limited to 'docs/configuration/nat')
-rw-r--r-- docs/configuration/nat/index.rst 1
-rw-r--r-- docs/configuration/nat/nat64.rst 81
-rw-r--r-- docs/configuration/nat/nat66.rst 97
3 files changed, 179 insertions, 0 deletions
diff --git a/docs/configuration/nat/index.rst b/docs/configuration/nat/index.rst
index 90275226..6556b7f9 100644
--- a/docs/configuration/nat/index.rst
+++ b/docs/configuration/nat/index.rst
@@ -9,4 +9,5 @@ NAT
:includehidden:
nat44
+ nat64
nat66
diff --git a/docs/configuration/nat/nat64.rst b/docs/configuration/nat/nat64.rst
new file mode 100644
index 00000000..e8a3a0e6
--- /dev/null
+++ b/docs/configuration/nat/nat64.rst
@@ -0,0 +1,81 @@
+.. _nat64:
+
+#####
+NAT64
+#####
+
+:abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in
+modern networking, facilitating communication between IPv6 and IPv4 networks.
+This documentation outlines the setup, configuration, and usage of the NAT64
+feature in your project. Whether you are transitioning to IPv6 or need to
+seamlessly connect IPv4 and IPv6 devices.
+NAT64 is a stateful translation mechanism that translates IPv6 addresses to
+IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable
+IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP.
+
+
+Overview
+========
+
+Different NAT Types
+-------------------
+
+.. _source-nat64:
+
+SNAT64
+^^^^^^
+
+:abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful
+translation mechanism that translates IPv6 addresses to IPv4 addresses.
+
+``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses.
+The prefix is used to represent IPv4 addresses in an IPv6 address format.
+The IPv4 address is encoded in the low-order 32 bits of the IPv6 address.
+The high-order 32 bits are set to the well-known prefix 64:ff9b::/96.
+
+
+Configuration Examples
+======================
+
+The following examples show how to configure NAT64 on a VyOS router.
+The 192.0.2.10 address is used as the IPv4 address for the translation pool.
+
+
+NAT64 server configuration:
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address '192.0.2.1/24'
+ set interfaces ethernet eth0 address '192.0.2.10/24'
+ set interfaces ethernet eth0 description 'WAN'
+ set interfaces ethernet eth1 address '2001:db8::1/64'
+ set interfaces ethernet eth1 description 'LAN'
+
+ set service dns forwarding allow-from '2001:db8::/64'
+ set service dns forwarding dns64-prefix '64:ff9b::/96'
+ set service dns forwarding listen-address '2001:db8::1'
+
+ set nat64 source rule 100 source prefix '64:ff9b::/96'
+ set nat64 source rule 100 translation pool 10 address '192.0.2.10'
+ set nat64 source rule 100 translation pool 10 port '1-65535'
+
+NAT64 client configuration:
+
+.. code-block:: none
+
+ set interfaces ethernet eth1 address '2001:db8::2/64'
+ set protocols static route6 64:ff9b::/96 next-hop 2001:db8::1
+ set system name-server '2001:db8::1'
+
+Test from the IPv6 only client:
+
+.. code-block:: none
+
+ vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2
+ PING 64:ff9b::192.0.2.1(64:ff9b::c000:201) 56 data bytes
+ 64 bytes from 64:ff9b::c000:201: icmp_seq=1 ttl=63 time=0.351 ms
+ 64 bytes from 64:ff9b::c000:201: icmp_seq=2 ttl=63 time=0.373 ms
+
+ --- 64:ff9b::192.0.2.1 ping statistics ---
+ 2 packets transmitted, 2 received, 0% packet loss, time 1023ms
+ rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms
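Review bot: In the SNAT64 section, "The high-order 32 bits are set to the well-known prefix 64:ff9b::/96" contradicts the /96 length stated in the same sentence: a /96 prefix occupies the high-order 96 bits and leaves the low-order 32 bits for the embedded IPv4 address, so this should read "high-order 96 bits". In the introduction, "Whether you are transitioning to IPv6 or need to seamlessly connect IPv4 and IPv6 devices." is a sentence fragment and "in your project" reads like leftover template text; finish or drop that sentence. The test also pings 64:ff9b::192.0.2.1, which maps to the router's own eth0 address from the server configuration, so a target beyond the router would demonstrate translation through the 192.0.2.10 pool more clearly.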
diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst
index 66cceb0a..9345e708 100644
--- a/docs/configuration/nat/nat66.rst
+++ b/docs/configuration/nat/nat66.rst
@@ -137,3 +137,100 @@ R2:
set interfaces bridge br1 member interface eth1
set protocols static route6 ::/0 next-hop fc01::1
set service router-advert interface br1 prefix ::/0
+
+
+Use the following topology to translate internal user local addresses (``fc::/7``)
+to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair.
+
+.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png
+ :alt: VyOS NAT66 DHCPv6 using a dummy interface
+
+Configure both routers (a and b) for DHCPv6-PD via dummy interface:
+
+.. code-block:: none
+
+ set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy'
+ set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0'
+ set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0'
+ set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0'
+ set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0'
+ set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit
+ commit
+
+Get the DHCPv6-PD prefixes from both routers:
+
+.. code-block:: none
+
+ trae@cr01a-vyos# run show interfaces dummy dum1 br
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy
+ 2001:db8:123:b00a::/64
+ 2001:db8:123:b00b::/64
+ 2001:db8:123:b009::/64
+
+ trae@cr01b-vyos# run show int dummy dum1 brief
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy
+ 2001:db8:123:b00c::/64
+ 2001:db8:123:b00e::/64
+ 2001:db8:123:b00f::/64
+
+Configure the A-side router for NPTv6 using the prefixes above:
+
+.. code-block:: none
+
+ set nat66 source rule 10 description 'NPT to VLAN 10'
+ set nat66 source rule 10 outbound-interface name 'bond0.20'
+ set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
+ set nat66 source rule 10 translation address '2001:db8:123:b008::/64'
+ set nat66 source rule 20 description 'NPT to VLAN 70'
+ set nat66 source rule 20 outbound-interface name 'bond0.20'
+ set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
+ set nat66 source rule 20 translation address '2001:db8:123:b009::/64'
+ set nat66 source rule 30 description 'NPT to VLAN 200'
+ set nat66 source rule 30 outbound-interface name 'bond0.20'
+ set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
+ set nat66 source rule 30 translation address '2001:db8:123:b00a::/64'
+ set nat66 source rule 40 description 'NPT to VLAN 240'
+ set nat66 source rule 40 outbound-interface name 'bond0.20'
+ set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
+ set nat66 source rule 40 translation address '2001:db8:123:b00b::/64'
+ commit
+
+Configure the B-side router for NPTv6 using the prefixes above:
+
+.. code-block:: none
+
+ set nat66 source rule 10 description 'NPT to VLAN 10'
+ set nat66 source rule 10 outbound-interface name 'bond0.20'
+ set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
+ set nat66 source rule 10 translation address '2001:db8:123:b00c::/64'
+ set nat66 source rule 20 description 'NPT to VLAN 70'
+ set nat66 source rule 20 outbound-interface name 'bond0.20'
+ set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
+ set nat66 source rule 20 translation address '2001:db8:123:b00d::/64'
+ set nat66 source rule 30 description 'NPT to VLAN 200'
+ set nat66 source rule 30 outbound-interface name 'bond0.20'
+ set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
+ set nat66 source rule 30 translation address '2001:db8:123:b00e::/64'
+ set nat66 source rule 40 description 'NPT to VLAN 240'
+ set nat66 source rule 40 outbound-interface name 'bond0.20'
+ set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
+ set nat66 source rule 40 translation address '2001:db8:123:b00f::/64'
+ commit
+
+Verify that connections are hitting the rule on both sides:
+
+.. code-block:: none
+
+ trae@cr01a-vyos# run show nat66 source statistics
+ Rule Packets Bytes Interface
+ ------ --------- ------- -----------
+ 10 1 104 bond0.20
+ 20 1 104 bond0.20
+ 30 8093 669445 bond0.20
+ 40 2446 216912 bond0.20
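Review bot: The new introductory sentence gives the internal range as ``fc::/7``, which expands to 00fc::/7 and not the unique local range fc00::/7 that fd52:d62e:8011:a::/64 and the other source prefixes in the rules belong to; suggest ``fc00::/7`` and "unique local addresses" in place of "user local addresses". The last step says to verify "on both sides" but only shows statistics from cr01a, so either add the cr01b output or reword the sentence. It would also help to state that the translation addresses are copied by hand from the delegated prefixes shown on dum1, so the nat66 rules must be updated if the ISP delegates different prefixes.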