[Jool-list] NAT64 behind NAT44?

Maurice Walker mail at maurice-walker.com
Sun Nov 25 09:28:01 CST 2018


Hello Alberto,

Your concerns regarding the unconventional routing were spot-on.

> I still haven't been able to get the packet to bounce correctly, but
> I'm thinking that this little hack is the only thing that
> significantly sets your experiment apart from most tests that we've
> run in Jool's history.

I now tested two modified setups:

Setup #1
No change on the router or OpenWrt, but a specific route (NAT64 prefix
directly via OpenWrt) was manually added to a test client.
Resulting NAT64 routing:
Client -6- OpenWrt -4- Router -4- Internet

Setup #2
No special routing on the client side, but OpenWrt was placed in a
separate LAN / subnet (and the route on the router was adjusted).
Resulting NAT64 routing:
Client -6- Router -6- OpenWrt -4- Router -4- Internet

With both setups the issues vanished. I don't fully understand why. It
shouldn't matter to the router whether it sends packets out over a
separate interface or over the same one they came in on.

What #1 and #2 have in common is that the inbound and outbound routes
for NAT64 traffic are identical. As you noticed, this was not the case
in the original setup. So my guess would be that the "bouncing" itself
didn't cause the issues, but the resulting asymmetric routing. Could be
a firewall issue on the router (only seeing one direction of IPv6 TCP
streams) or some issue with OpenWrt / Jool.

> Also, I'm guessing that the reason why the clients' routing consists
> only of a default route is because of DHCP?

The IPv6 default route is advertised by the router via RAs. Manually
configuring all of the clients is not possible in my scenario.
For setup #1 to work in a production environment, RAs would have to be
configured on OpenWrt to make it advertise itself as a special gateway
for the NAT64 prefix only. I did consider that, but would have to
evaluate how various clients handle that.

So setup #2 will most likely be the way to go.

> So I'm wondering whether Router *needs* to be this default route.

I consider it the best choice and don't want to make too many changes
to the network.

Thanks again for your support!

Maurice
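
A simplified model of the asymmetric-routing guess in the message above, added here as an example; it is not part of the original post and is not Jool or OpenWrt code. The hop lists for the original topology and the strict three-transition TCP tracker are assumptions made for illustration.

```python
# Constructed model, not taken from the thread: hop lists for the IPv6 leg.
# "original" is an assumption inferred from the message: the router bounces
# the packet back onto the LAN, and OpenWrt answers the on-link client directly.
PATHS = {
    "original": {"out": ["client", "router", "openwrt"],
                 "back": ["openwrt", "client"]},
    "setup1": {"out": ["client", "openwrt"],
               "back": ["openwrt", "client"]},
    "setup2": {"out": ["client", "router", "openwrt"],
               "back": ["openwrt", "router", "client"]},
}
HANDSHAKE = [("out", "SYN"), ("back", "SYN-ACK"), ("out", "ACK")]
# Strict tracker: the only (state, direction, flag) transitions it accepts.
TRANSITIONS = {
    ("NONE", "out", "SYN"): "SYN_SENT",
    ("SYN_SENT", "back", "SYN-ACK"): "SYN_RECV",
    ("SYN_RECV", "out", "ACK"): "ESTABLISHED",
}

def is_symmetric(setup):
    """True when the return path is the forward path reversed."""
    p = PATHS[setup]
    return p["back"] == p["out"][::-1]

def seen_by(node, setup):
    """Handshake packets that `node` forwards (it is a transit hop)."""
    return [(d, f) for d, f in HANDSHAKE if node in PATHS[setup][d][1:-1]]

def firewall_verdicts(node, setup):
    """Run the strict tracker over what `node` sees; one verdict per packet."""
    state, verdicts = "NONE", []
    for direction, flag in seen_by(node, setup):
        nxt = TRANSITIONS.get((state, direction, flag))
        if nxt is None:
            verdicts.append((flag, "INVALID"))  # out-of-state: typically dropped
        else:
            state = nxt
            verdicts.append((flag, "ACCEPT"))
    return verdicts

if __name__ == "__main__":
    for name in PATHS:
        print(name, "symmetric:", is_symmetric(name),
              "router sees:", firewall_verdicts("router", name))
```

In this model the router in the original topology forwards the SYN and the final ACK but never the SYN-ACK, so the ACK arrives out of state; in setup #1 the router sees none of the IPv6 flow, and in setup #2 it sees all of it.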

