<div dir="ltr">Thank you for taking the time to respond to me. I was able to get both jool and jool_siit working thanks to your clarification.<div><br></div><div>Here's my current config that is working:<br><div><br></div><div>jool_siit instance add "stateless" --netfilter --pool6 64:ff9b::/96</div><div>jool_siit -i "stateless" eamt display<br></div><div>+---------------------------------------------+--------------------+<br>| IPv6 Prefix | IPv4 Prefix |<br>+---------------------------------------------+--------------------+<br>| 2600:2701:1010:100::1/128 | <a href="http://152.13.0.67/32">152.13.0.67/32</a> |<br>| 2600:2701:1010:0:152:13:0:226/128 | <a href="http://152.13.0.66/32">152.13.0.66/32</a> |<br>+---------------------------------------------+--------------------+<br></div><div><br><div><br></div><div>For our network I have a /48 IPv6 range and a /24 IPv4 public range. Since this is a Science DMZ there is no firewall or RFC1918 addresses and traffic is limited only through ACLs. Our intent is to make all subnets /64 and most of the IPs will be assigned through SLAAC. I've played around with the EAMT tables but since it's a bit-for-bit translation I don't see a good way to map /64 subnets with SLAAC clients to our IPv4 space due to the huge disparity in address volume. I'm wondering if that's why most examples for EAMT are 1-to-1 /128 to /32. Most of our servers will need some type of outbound access but only a few will need an inbound address.<br><div><br></div><div>Originally, I had intended to implement a mix of a NAT/PAT(NAT64) and Static NAT(SIIT) similarly to how I would set up an enterprise firewall. It looks like I need to choose between these two with Jool but I wanted to see if you had any recommendations. We are only budgeted for a single network server that I can utilize.</div><div><br></div><div>Can jool and jool_siit be utilized together on the same server? Do you need to make a choice between them?</div><div><br></div><div>For example, if I had an IPv6 datacenter with 500 IPv6 servers that need outbound access to IPv4-only resources and an additional 20 servers that need inbound access, how would you set that up? On a traditional IPv4 firewall I would have a NAT/PAT IP shared for outbound access for the majority of the servers and more specific Static NAT rules for the servers that need inbound access from the Internet.</div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 9, 2021 at 10:30 PM Alberto Leiva <<a href="mailto:ydahhrk@gmail.com">ydahhrk@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Oops. Corrections. Disregard my previous message. I meant:<br>
<br>
> sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96<br>
> ping6 2600:2701:1010:64::8.8.8.8<br>
<br>
This is what's happening:<br>
<br>
1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8<br>
2. Jool cannot translate that packet, because the source address does<br>
not match pool6.<br>
<br>
Possible solution: Change your client's address to<br>
2600:2701:1010:64::<IPv4 address that you own>.<br>
<br>
That way, both addresses can be translated with pool6.<br>
<br>
> sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter<br>
> sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 <a href="http://152.13.0.64/27" rel="noreferrer" target="_blank">152.13.0.64/27</a><br>
> ping6 2600:2701:1010:64::8.8.8.8<br>
<br>
This is what's happening:<br>
<br>
1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8<br>
2. Jool cannot translate that packet, because the source address does<br>
not match the EAMT entry.<br>
<br>
Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change<br>
your EAMT into<br>
<br>
+---------------------------------------------+--------------------------------+<br>
| IPv6 Prefix | IPv4 Prefix |<br>
+---------------------------------------------+--------------------------------+<br>
| 2600:2700:20c:2::3/128 | <IPv4 address that you own>/32 |<br>
+---------------------------------------------+--------------------------------+<br>
<br>
That way, the source address gets translated with the EAMT, and the<br>
destination address is translated with pool6.<br>
<br>
Remember: With SIIT, each IPv6 client will need an implicit dedicated<br>
IPv4 address that you own.<br>
SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.<br>
<br>
On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <<a href="mailto:ydahhrk@gmail.com" target="_blank">ydahhrk@gmail.com</a>> wrote:<br>
><br>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96<br>
> > ping6 2600:2701:1010:64::8.8.8.8<br>
><br>
> This is what's happening:<br>
><br>
> - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8<br>
> - Jool cannot translate that packet, because the source address does<br>
> not match pool6.<br>
><br>
> Possible solution: Change your client's address to<br>
> 2600:2701:1010:64::<IPv4 address that you own>.<br>
><br>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter<br>
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 <a href="http://152.13.0.64/27" rel="noreferrer" target="_blank">152.13.0.64/27</a><br>
> > ping6 2600:2701:1010:64::8.8.8.8<br>
><br>
> This is what's happening:<br>
><br>
> - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8<br>
> - Jool cannot translate that packet, because the source address<br>
> matches neither pool6 nor the EAMT entry.<br>
><br>
> Possible solution: Change your EAMT into<br>
><br>
> +---------------------------------------------+--------------------------------+<br>
> | IPv6 Prefix | IPv4 Prefix |<br>
> +---------------------------------------------+--------------------------------+<br>
> | 2600:2700:20c:2::3/128 | <IPv4 address that you own>/32 |<br>
> +---------------------------------------------+--------------------------------+<br>
><br>
> Remember: With SIIT, each IPv6 client will need an implicit dedicated<br>
> IPv4 address that you own.<br>
> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.<br>
><br>
> On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list<br>
> <<a href="mailto:jool-list@nic.mx" target="_blank">jool-list@nic.mx</a>> wrote:<br>
> ><br>
> > I'm not sure if this is the right list for this question, if not, please point me in the right direction.<br>
> ><br>
> > The University of North Carolina at Greensboro is in the process of standing up an IPv6-only Research DMZ. To facilitate communication with the IPv4 Internet we're planning to use NAT64/DNS64 and have been advised by several other Universities to use Jool.<br>
> ><br>
> > I've got Jool installed in Centos 8 and it seems to work in Stateless mode but not Stateful. I've tried both pool6 and an EAMT list and the packets still don't seem to match. Maybe I'm missing something simple in my config.<br>
> ><br>
> > =======<br>
> > WORKS<br>
> > =======<br>
> ><br>
> > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6 2600:2701:1010:64::/96<br>
> ><br>
> > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_CORE<br>
> > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes<br>
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms<br>
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms<br>
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms<br>
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms<br>
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms<br>
> ><br>
> > ==============<br>
> > DOESN"T WORK<br>
> > ==============<br>
> ><br>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96<br>
> ><br>
> > OR<br>
> ><br>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter<br>
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 <a href="http://152.13.0.64/27" rel="noreferrer" target="_blank">152.13.0.64/27</a><br>
> ><br>
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt display<br>
> > +---------------------------------------------+--------------------+<br>
> > | IPv6 Prefix | IPv4 Prefix |<br>
> > +---------------------------------------------+--------------------+<br>
> > | 2600:2701:1010:64::/96 | <a href="http://152.13.0.64/27" rel="noreferrer" target="_blank">152.13.0.64/27</a> |<br>
> > +---------------------------------------------+--------------------+<br>
> ><br>
> > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_PUBLIC<br>
> > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes<br>
> > Request 0 timed out<br>
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable<br>
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable<br>
> > Request 3 timed out<br>
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable<br>
> ><br>
> > Debug:<br>
> > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet: 2600:2700:20c:2::3->2600:2701:1010:64::808:808<br>
> > [282174.405238] Jool SIIT/8899d1c0/stateless: ===============================================<br>
> > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0 id:4861<br>
> > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.<br>
> ><br>
> > --<br>
> ><br>
> > Jeremy Oglesby<br>
> > Network Architect<br>
> > Information Technology Services<br>
> > UNC Greensboro<br>
> > +1.336.334.3583 (office)<br>
> > _______________________________________________<br>
> > Jool-list mailing list<br>
> > <a href="mailto:Jool-list@nic.mx" target="_blank">Jool-list@nic.mx</a><br>
> > <a href="https://mail-lists.nic.mx/listas/listinfo/jool-list" rel="noreferrer" target="_blank">https://mail-lists.nic.mx/listas/listinfo/jool-list</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br></div><div>Jeremy Oglesby</div><div>Network Architect</div><div>Information Technology Services</div><div>UNC Greensboro</div><div>+1.336.334.3583 (office)</div></div></div></div></div></div></div>