[Jool-list] NAT44 for pool4 addresses possible?

Alberto Leiva ydahhrk at gmail.com
Mon May 21 19:29:26 CDT 2018


Still haven't found the problem. It does seem to be the case that Jool
packets traverse through the postrouting mangle table, but not the nat
one. It's pretty odd.

In any case, trying to replicate your problem I noticed that one of
Jool's features could simplify the solution, without using special
namespaces.

Basically, you can tell Jool "mask these packets with these addresses,
mask these other packets with these other addresses." The masking
decision is based on the packet mark, which you can customize using
standard iptables rules:

    # During IPv6 prerouting, set mark 1 for packets that should be masked
    # with the public address.
    # (In this example, packets from the 2001:db8:1::/64 network should be
    # masked with the public address, but you can use other ip6tables
    # matches.)
    ip6tables -t mangle -A PREROUTING --source 2001:db8:1::/64 -j MARK --set-mark 1

    # During IPv6 prerouting, set mark 2 for packets that should be masked
    # with the private address.
    ip6tables -t mangle -A PREROUTING --source 2001:db8:2::/64 -j MARK --set-mark 2

    # Tell Jool that packets marked 1 should be masked with your public
    # address.
    jool --pool4 --add 1.2.3.4 --mark 1

    # Tell Jool that packets marked 2 should be masked with your private
    # address.
    jool --pool4 --add 192.168.0.1 --mark 2

See the pool4 documentation for more: https://jool.mx/en/pool4.html

On Mon, May 21, 2018 at 11:31 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
> Oh, I forgot: Here's how to enclose Jool in a network namespace:
>
> https://jool.mx/en/usr-flags-instance.html
> https://jool.mx/en/node-based-translation.html
>
> Both documentation pieces intend to do something slightly different
> from what you're doing, but should be easy to adapt.
>
> On Mon, May 21, 2018 at 11:29 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>>> IPv4 packets created by Jool do not seem to pass the
>>> nat postrouting chain in netfilter
>>
>> Hmm? This is odd. The kernel code says otherwise. Might be a bug; I'll
>> test it now.
>>
>> Anyway, this is how it's supposed to work:
>> https://jool.mx/en/intro-jool.html#design
>>
>> Check both diagrams. Assuming that Jool packets are really skipping
>> the postrouting chain, you could enclose it in a network namespace
>> (the red box) so you can use the outer namespace's (not red box)
>> postrouting chain. There is no way that one will be skipped if you do
>> that.
>>
>> On Sun, May 20, 2018 at 9:48 AM, Martin Weinelt
>> <martin at darmstadt.freifunk.net> wrote:
>>> Hi everyone,
>>>
>>> I'm currently building my first NAT64 setup and have stumbled upon a
>>> problem.
>>>
>>> When I use our public IPv4 address as pool4 I can access the internet
>>> just fine, except that I additionally need to be able to reach some
>>> private ipv4 addresses over site-to-site tunnels as well, where that
>>> source address doesn't work.
>>>
>>> This is why I thought of using a bunch of private IPv4 addresses to map
>>> the NAT64 against, so they'll work for the s2s tunnel and where I can
>>> additionally make use of NAT44 towards the internet.
>>>
>>> The issue is that IPv4 packets created by Jool do not seem to pass the
>>> nat postrouting chain in netfilter, where masquerading would happen.
>>> Instead I now have private IPv4 addresses being used as saddr towards the
>>> internet, which cannot work either.
>>>
>>> I'd appreciate some help!
>>>
>>>
>>> Best regards,
>>>
>>> Martin
>>> _______________________________________________
>>> Jool-list mailing list
>>> Jool-list at nic.mx
>>> https://mail-lists.nic.mx/listas/listinfo/jool-list
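The mark-based pool4 setup above is easy to get subtly wrong, because the mapping is split across two tools: ip6tables decides the mark, Jool decides the mask from the mark. The following is an added example (not part of the thread and not Jool's own code) that models that two-step decision for a hand-written copy of the post's configuration and audits it before it is loaded on a router. The prefixes 2001:db8:1::/64 and 2001:db8:2::/64 and the addresses 1.2.3.4 and 192.168.0.1 are the post's; the "public"/"private" intent labels, the swapped variant of the pool4 table, and all function names are assumptions made for the example. Nothing here talks to the kernel; port selection inside a pool4 entry is not modelled.

```python
"""Model Jool's mark-based pool4 selection and audit the configuration.

Added example, not Jool code.  The tables below are constructed by hand to
mirror the ip6tables / jool commands from the mailing-list post.
"""
import ipaddress

# Constructed stand-in for the mangle PREROUTING chain: (match prefix, mark)
# ip6tables -t mangle -A PREROUTING --source <prefix> -j MARK --set-mark <mark>
MANGLE_PREROUTING = [
    ("2001:db8:1::/64", 1),
    ("2001:db8:2::/64", 2),
]

# Constructed stand-in for pool4: (mark, address)
# jool --pool4 --add <address> --mark <mark>
POOL4 = [
    (1, "1.2.3.4"),      # public address, intended for mark 1
    (2, "192.168.0.1"),  # private address, intended for mark 2
]

# Same pool4 with the two --mark values exchanged: a plausible typo that the
# audit below should catch.
POOL4_SWAPPED = [
    (2, "1.2.3.4"),
    (1, "192.168.0.1"),
]

# Which kind of IPv4 address each IPv6 prefix is supposed to be masked with.
# These labels are assumptions for the example, not something Jool knows.
INTENT = {
    "2001:db8:1::/64": "public",
    "2001:db8:2::/64": "private",
}


def packet_mark(src, rules):
    """Mark a packet from `src` carries when it leaves PREROUTING.

    MARK is a non-terminating target: every matching rule is applied in
    order, so the last match wins.  An unmatched packet keeps mark 0.
    """
    mark = 0
    addr = ipaddress.ip_address(src)
    for prefix, m in rules:
        if addr in ipaddress.ip_network(prefix):
            mark = m
    return mark


def pool4_candidates(mark, pool4):
    """pool4 addresses whose --mark equals the packet's mark."""
    return [addr for m, addr in pool4 if m == mark]


def select_mask(src, rules=MANGLE_PREROUTING, pool4=POOL4):
    """Address Jool would mask a packet from `src` with, or None if no
    pool4 entry serves the packet's mark.  With several candidates the
    first is returned; real Jool also spreads across ports/addresses."""
    cands = pool4_candidates(packet_mark(src, rules), pool4)
    return cands[0] if cands else None


def audit(rules, pool4, intent):
    """Return a list of human-readable configuration problems.

    Flags: a mark set by ip6tables with no pool4 entry; a pool4 mark that no
    rule ever sets; a prefix whose resulting address has the wrong scope
    for its declared intent (public prefix -> RFC 1918 address, or the
    reverse).  Scope is judged with ipaddress.is_private.
    """
    problems = []
    set_marks = {m for _, m in rules}
    served = {m for m, _ in pool4}
    for m in sorted(set_marks - served):
        problems.append(f"mark {m} is set by ip6tables but no pool4 entry serves it")
    for m in sorted(served - set_marks - {0}):
        problems.append(f"pool4 mark {m} is never set by any ip6tables rule")
    for prefix, want in intent.items():
        probe = str(ipaddress.ip_network(prefix)[1])  # first host address
        got = select_mask(probe, rules, pool4)
        if got is None:
            continue  # already reported as a missing pool4 entry
        is_private = ipaddress.ip_address(got).is_private
        if (want == "private") != is_private:
            problems.append(f"{prefix} is masked with {got}, expected a {want} address")
    return problems


if __name__ == "__main__":
    for src in ("2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10"):
        print(src, "->", select_mask(src))
    print("audit(POOL4):", audit(MANGLE_PREROUTING, POOL4, INTENT))
    print("audit(POOL4_SWAPPED):", audit(MANGLE_PREROUTING, POOL4_SWAPPED, INTENT))
```

Two details matter when adapting this to a real box: MARK does not terminate the chain, so overlapping matches are resolved by the last rule, not the first; and a source that matches no rule keeps mark 0, so if pool4 has no mark-0 entries such traffic has nothing to be masked with. Running the audit against the swapped table reports both prefixes as masked with an address of the wrong scope, which is exactly the class of mistake the two separate command sets make easy.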

