[Jool-list] Getting NAT64 to work with systemd-nspawn containers connected with ipvlan.

Rob Ert ertr3960 at gmail.com
Sun Dec 17 14:08:14 CST 2023


Hello all,

I need IPv4 connectivity for my particular ipvlan server setup, and would
like to implement it with NAT64.

Following are the specifics of my server setup:

Hetzner VM (kvm based - one IPv4 and a /64 IPv6 subnet) with:

multiple IPv6-only systemd-nspawn containerized machine instances
connected over ipvlan – host and guest systems are all Debian Trixie.

The specifics of ipvlan are given here:
https://people.netfilter.org/pablo/netdev0.1/papers/IPVLAN-The-beginning.pdf

with the main point being (paraphrasing the original article):

Traffic to and from the host master device (defaultns) cannot be sent to and
from slaves.  This can be worked around by assigning one of the virtual
devices to the host and eliminating the configuration on the master interface.

~# cat /etc/systemd/network/10-enp1s0.network
[Match]
Name=en*
[Network]
DHCP=no
LinkLocalAddressing=no
KeepConfiguration=yes
IPVLAN=iv-0

~# cat /etc/systemd/network/20-iv-0.network
[Match]
Name=iv-0
[Network]
DHCP=ipv4
Address=2a01:4ff:xxxx:xxxx::1/64
DNS=2a01:4ff:xxxx:xxxx::1
Gateway=fe80::1

~# cat /etc/systemd/nspawn/container.nspawn
[Exec]
PrivateUsers=off
Timezone=off
[Network]
IPVLAN=enp1s0
~#

I have this set up and working nicely with WireGuard and Unbound/DNS64; I am
able to access the wider Internet and the containerized machines over IPv6,
utilizing the VM’s IPv6 connectivity, with my IPv4-only Internet connection.

What I need now is for the IPv6-only systemd-nspawn containerized machine
instances connected over ipvlan to be able to access IPv4-only hosts (e.g.
github.com).

I wasn’t able to get NAT64 working with my particular setup and my first
tries with tayga; ping -6 github.com works on the host, but not on the
IPv6-only containers, as they don’t automatically have access to the host's
nat64 tun device among other things.  Is there any chance jool would be
easier to get working with this particular setup?

Any pointer would be much appreciated.

Best regards,

Rob