[Jool-list] NAT44 for pool4 addresses possible?

Martin Weinelt martin at darmstadt.freifunk.net
Tue May 22 14:14:24 CDT 2018


Hello Alberto,

thanks for your answers so far.

I've looked into the sockmark approach and that does not work, because
what I need is an approach that works based on the IPv4 destination
address, not the IPv6 source address.

The netns approach looks a bit more involved, I still have to look into
that.


Best regards,

Martin



On 05/22/2018 02:29 AM, Alberto Leiva wrote:
> Still haven't found the problem. It does seem to be the case that Jool
> packets traverse through the postrouting mangle table, but not the nat
> one. It's pretty odd.
> 
> In any case, trying to replicate your problem I noticed that one of
> Jool's features could simplify the solution, without using special
> namespaces.
> 
> Basically, you can tell Jool "mask these packets with these addresses,
> mask these other packets with these other addresses." The masking
> decision is based on the packet mark, which you can customize using
> standard iptables rules:
> 
>     # During IPv6 prerouting, set mark 1 for packets that should be masked
>     # with the public address.
>     # (In this example, packets from the 2001:db8:1::/64 network should be
>     # masked with the public address, but you can use other ip6tables
>     # matches.)
>     ip6tables -t mangle -A PREROUTING --source 2001:db8:1::/64 -j MARK --set-mark 1
> 
>     # During IPv6 prerouting, set mark 2 for packets that should be masked
>     # with the private address.
>     ip6tables -t mangle -A PREROUTING --source 2001:db8:2::/64 -j MARK --set-mark 2
> 
>     # Tell Jool that packets marked 1 should be masked with your public
>     # address.
>     jool --pool4 --add 1.2.3.4 --mark 1
> 
>     # Tell Jool that packets marked 2 should be masked with your private
>     # address.
>     jool --pool4 --add 192.168.0.1 --mark 2
> 
> See the pool4 documentation for more: https://jool.mx/en/pool4.html
> 
> On Mon, May 21, 2018 at 11:31 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>> Oh, I forgot: Here's how to enclose Jool in a network namespace:
>>
>> https://jool.mx/en/usr-flags-instance.html
>> https://jool.mx/en/node-based-translation.html
>>
>> Both documentation pieces intend to do something slightly different
>> from what you're doing, but should be easy to adapt.
>>
>> On Mon, May 21, 2018 at 11:29 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>> IPv4 packets created by Jool do not seem to pass the
>>>> nat postrouting chain in netfilter
>>>
>>> Hmm? This is odd. The kernel code says otherwise. Might be a bug; I'll
>>> test it now.
>>>
>>> Anyway, this is how it's supposed to work:
>>> https://jool.mx/en/intro-jool.html#design
>>>
>>> Check both diagrams. Assuming that Jool packets are really skipping
>>> the postrouting chain, you could enclose it in a network namespace
>>> (the red box) so you can use the outer namespace's (not red box)
>>> postrouting chain. There is no way that one will be skipped if you do
>>> that.
>>>
>>> On Sun, May 20, 2018 at 9:48 AM, Martin Weinelt
>>> <martin at darmstadt.freifunk.net> wrote:
>>>> Hi everyone,
>>>>
>>>> I'm currently building my first NAT64 setup and have stumbled upon a
>>>> problem.
>>>>
>>>> When I use our public IPv4 address as pool4 I can access the internet
>>>> just fine, except that I additionally need to be able to reach some
>>>> private IPv4 addresses over site-to-site tunnels as well, where that
>>>> source address doesn't work.
>>>>
>>>> This is why I thought of using a bunch of private IPv4 addresses to map
>>>> the NAT64 against, so they'll work for the s2s tunnel and where I can
>>>> additionally make use of NAT44 towards the internet.
>>>>
>>>> The issue is that IPv4 packets created by Jool do not seem to pass the
>>>> nat postrouting chain in netfilter, where masquerading would happen.
>>>> Instead I now have private IPv4 addresses being used as saddr towards the
>>>> internet, which cannot work either.
>>>>
>>>> I'd appreciate some help!
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Martin
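As an added illustration of the mark-based pool4 selection discussed in this thread (my own example, not Jool's code or anything posted by the participants): a small simulator that parses the mangle rules as `ip6tables-save` prints them and the `jool --pool4 --add` commands, then reports which pool4 address a given IPv6 flow would be masked with. The two source rules use the mapping the reply's comments intend (mark 1 public, mark 2 private); the third rule is a constructed addition that selects by IPv4 destination, which works because NAT64 embeds the IPv4 destination in the IPv6 destination under the pool6 prefix (RFC 6052), so `-d 64:ff9b::a00:0/104` matches destinations in 10.0.0.0/8.

```python
import ipaddress
import re
# Constructed sample: the reply's two source rules as ip6tables-save prints them
# back (mark 1 public, mark 2 private, as the comments intend), plus a
# hypothetical rule selecting by IPv4 destination 10.0.0.0/8, which NAT64
# embeds under the default pool6 prefix 64:ff9b::/96.
MANGLE_SAVE = """\
-A PREROUTING -s 2001:db8:1::/64 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s 2001:db8:2::/64 -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -d 64:ff9b::a00:0/104 -j MARK --set-xmark 0x2/0xffffffff
"""
POOL4_CMDS = [
    "jool --pool4 --add 1.2.3.4 --mark 1",
    "jool --pool4 --add 192.168.0.1 --mark 2",
]

RULE_RE = re.compile(r"^-A PREROUTING(?: -s (?P<src>\S+))?(?: -d (?P<dst>\S+))?"
                     r" -j MARK --set-xmark 0x(?P<mark>[0-9a-f]+)/")
POOL4_RE = re.compile(r"--add (?P<addr>\S+) --mark (?P<mark>\d+)")

def parse_mangle(dump):
    """Return [(src_net, dst_net, mark)] for every MARK rule in PREROUTING."""
    rules = []
    for m in filter(None, map(RULE_RE.match, dump.splitlines())):
        src = ipaddress.ip_network(m["src"]) if m["src"] else None
        dst = ipaddress.ip_network(m["dst"]) if m["dst"] else None
        rules.append((src, dst, int(m["mark"], 16)))
    return rules

def parse_pool4(cmds):
    """Map mark -> pool4 addresses from 'jool --pool4 --add A --mark N' lines."""
    table = {}
    for m in filter(None, map(POOL4_RE.search, cmds)):
        table.setdefault(int(m["mark"]), []).append(m["addr"])
    return table

def classify(rules, src, dst):
    """MARK is a non-terminating target: every matching rule fires and the
    last one wins; a packet matching no rule keeps mark 0."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = 0
    for rsrc, rdst, rmark in rules:
        if (rsrc is None or s in rsrc) and (rdst is None or d in rdst):
            mark = rmark
    return mark

def pool4_for(rules, table, src, dst):
    """(mark, pool4 addresses) that would mask a flow from src to dst."""
    mark = classify(rules, src, dst)
    return mark, table.get(mark, [])
```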

