Netskope Publisher

Wizard Configuration

Enable and configure NAT46 through the publisher wizard

NAT46 is enabled and configured through the interactive publisher wizard. The wizard handles all host-level setup: Jool SIIT instances, EAMT source translation, IPv6 routes, and CoreDNS Corefile generation.

Accessing the Wizard

sudo ~/npa_publisher_wizard

Navigate to Network Settings and then NAT46 Configuration.

Enabling NAT46

When you select Enable NAT46, the wizard will:

  1. Detect IPv6 connectivity on the host
  2. Generate a ULA pool6 prefix (e.g., fd8f:c742:6e17::/96) — a unique local address range used by Jool for addresses without explicit EAMT entries
  3. Create a Jool SIIT instance with the generated pool6
  4. Add a source EAMT entry — maps the publisher's fixed SNAT address (191.1.0.1) to the host's real IPv6 address, so Jool can translate outbound packet sources to a routable address
  5. Add local routes for the IPv4 translation range and pool6 IPv6 prefix
  6. Enable IPv6 forwarding (net.ipv6.conf.all.forwarding=1)
  7. Regenerate the CoreDNS Corefile with the nat46 plugin block
  8. Save configuration to ~/resources/.nat46_config.json (including host_ipv6 so the CoreDNS plugin can restore the source EAMT after restart)

No container restart is required. The wizard operates at the host level, and CoreDNS automatically reloads the Corefile when it changes.

Configuration File

The wizard saves NAT46 state to ~/resources/.nat46_config.json, which is mounted into the container at /home/resources/.nat46_config.json:

{
  "enabled": true,
  "pool6": "fd8f:c742:6e17::/96",
  "ipv4_range": "240.0.0.0/4",
  "jool_instance": "default",
  "ttl": "300",
  "grace_period": "1h",
  "host_ipv6": "2001:db8::1"
}

Fields

| Field | Description | Default |
|---|---|---|
| enabled | Whether NAT46 is active | false |
| pool6 | IPv6 ULA prefix for Jool SIIT | Auto-generated /96 |
| ipv4_range | IPv4 CIDR used for synthesized addresses | 240.0.0.0/4 |
| jool_instance | Jool SIIT instance name | default |
| ttl | DNS TTL for synthesized A records (seconds) | 300 |
| grace_period | How long to keep EAMT mappings after DNS TTL expires | 1h |
| host_ipv6 | Host's IPv6 address for EAMT source translation | Auto-detected |

Disabling NAT46

Select Disable NAT46 in the wizard menu. This will:

  1. Remove the Jool SIIT instance and source EAMT entry
  2. Remove local IPv4 and IPv6 routes
  3. Regenerate the Corefile without the nat46 block
  4. Disable IPv6 forwarding
  5. Update the config file with "enabled": false
  6. Remove boot persistence scripts
  7. Clean up any legacy ip6tables chains from older versions

Changing Settings

To modify NAT46 parameters (e.g., IPv4 range, TTL):

  1. Disable NAT46 via the wizard
  2. Edit ~/resources/.nat46_config.json with new values
  3. Re-enable NAT46 via the wizard

The wizard reads existing configuration values and uses them when re-enabling.
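
A pre-flight check for step 2, as an added example (not part of the wizard or of Netskope's code): it validates a hand-edited .nat46_config.json before NAT46 is re-enabled. The rules are inferred from the field descriptions on this page; the duration syntax accepted for grace_period and the rule that ipv4_range must not contain the SNAT address are assumptions.

```python
import ipaddress
import json
import re

SNAT_ADDR = ipaddress.ip_address("191.1.0.1")  # publisher's fixed SNAT address (from this page)
ULA = ipaddress.ip_network("fc00::/7")         # unique local address space, RFC 4193
DURATION = re.compile(r"(\d+(ms|s|m|h))+")     # assumption: Go-style durations such as "1h"

def validate_nat46(cfg):
    """Return a list of problems found in a parsed .nat46_config.json dict."""
    problems, pool6 = [], None
    if not isinstance(cfg.get("enabled"), bool):
        problems.append("enabled: must be true or false")
    if not (isinstance(cfg.get("jool_instance"), str) and cfg["jool_instance"]):
        problems.append("jool_instance: must be a non-empty string")
    try:
        pool6 = ipaddress.IPv6Network(str(cfg.get("pool6", "")))
        if pool6.prefixlen != 96 or not pool6.subnet_of(ULA):
            problems.append("pool6: expected a ULA /96 prefix like the wizard generates")
    except ValueError as exc:  # malformed prefix, or host bits set
        problems.append(f"pool6: {exc}")
    try:
        v4 = ipaddress.IPv4Network(str(cfg.get("ipv4_range", "")))
        if SNAT_ADDR in v4:  # assumption: synthesized addresses must not collide with it
            problems.append(f"ipv4_range: contains the SNAT address {SNAT_ADDR}")
    except ValueError as exc:
        problems.append(f"ipv4_range: {exc}")
    try:
        host = ipaddress.IPv6Address(str(cfg.get("host_ipv6", "")))
        if host.is_link_local or host.is_loopback or host.is_unspecified or host.is_multicast:
            problems.append("host_ipv6: not a routable unicast address")
        elif pool6 is not None and host in pool6:
            problems.append("host_ipv6: falls inside pool6")
    except ValueError as exc:
        problems.append(f"host_ipv6: {exc}")
    ttl = cfg.get("ttl")
    if not (isinstance(ttl, str) and re.fullmatch(r"[0-9]+", ttl)):
        problems.append('ttl: expected seconds as a quoted string of digits, e.g. "300"')
    if not DURATION.fullmatch(str(cfg.get("grace_period", ""))):
        problems.append("grace_period: expected a duration such as 1h")
    return problems

# The example file from this page; after a manual edit, read the real file instead.
SAMPLE = """{"enabled": true, "pool6": "fd8f:c742:6e17::/96", "ipv4_range": "240.0.0.0/4",
 "jool_instance": "default", "ttl": "300", "grace_period": "1h", "host_ipv6": "2001:db8::1"}"""

if __name__ == "__main__":
    for problem in validate_nat46(json.loads(SAMPLE)) or ["no problems found"]:
        print(problem)
```

An empty result means the file matches the shape the wizard writes; it does not confirm that host_ipv6 is actually assigned to the host.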

Boot Persistence

When NAT46 is enabled, the wizard creates persistence scripts so the configuration survives reboots:

  • /etc/modules-load.d/jool.conf — Loads the jool_siit kernel module on boot
  • /etc/networkd-dispatcher/routable.d/50-jool-route.sh — Restores routes and Jool instance when the network comes up

These are automatically removed when NAT46 is disabled.
