[Jool-list] jool_siit Advice

Alberto Leiva ydahhrk at gmail.com
Fri Apr 9 21:30:08 CDT 2021


Oops. Corrections. Disregard my previous message. I meant:

> sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> ping6 2600:2701:1010:64::8.8.8.8

This is what's happening:

1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
2. Jool cannot translate that packet, because the source address does
not match pool6.

Possible solution: Change your client's address to
2600:2701:1010:64::<IPv4 address that you own>.

That way, both addresses can be translated with pool6.

> sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> ping6 2600:2701:1010:64::8.8.8.8

This is what's happening:

1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
2. Jool cannot translate that packet, because the source address does
not match the EAMT entry.

Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change
your EAMT into

+---------------------------------------------+--------------------------------+
|                                 IPv6 Prefix |                    IPv4 Prefix |
+---------------------------------------------+--------------------------------+
|                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
+---------------------------------------------+--------------------------------+

That way, the source address gets translated with the EAMT, and the
destination address is translated with pool6.

Remember: With SIIT, each IPv6 client will need an implicit dedicated
IPv4 address that you own.
SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.

On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> > ping6 2600:2701:1010:64::8.8.8.8
>
> This is what's happening:
>
> - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> - Jool cannot translate that packet, because the source address does
> not match pool6.
>
> Possible solution: Change your client's address to
> 2600:2701:1010:64::<IPv4 address that you own>.
>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> > ping6 2600:2701:1010:64::8.8.8.8
>
> This is what's happening:
>
> - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> - Jool cannot translate that packet, because the source address
> matches neither pool6 nor the EAMT entry.
>
> Possible solution: Change your EAMT into
>
> +---------------------------------------------+--------------------------------+
> |                                 IPv6 Prefix |                    IPv4 Prefix |
> +---------------------------------------------+--------------------------------+
> |                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
> +---------------------------------------------+--------------------------------+
>
> Remember: With SIIT, each IPv6 client will need an implicit dedicated
> IPv4 address that you own.
> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.
>
> On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list
> <jool-list at nic.mx> wrote:
> >
> > I'm not sure if this is the right list for this question, if not, please point me in the right direction.
> >
> > The University of North Carolina at Greensboro is in the process of standing up an IPv6-only Research DMZ.  To facilitate communication with the IPv4 Internet we're planning to use NAT64/DNS64 and have been advised by several other Universities to use Jool.
> >
> > I've got Jool installed in Centos 8 and it seems to work in Stateless mode but not Stateful.  I've tried both pool6 and an EAMT list and the packets still don't seem to match.  Maybe I'm missing something simple in my config.
> >
> > =======
> > WORKS
> > =======
> >
> > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6 2600:2701:1010:64::/96
> >
> > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_CORE
> > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms
> > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms
> >
> > ==============
> > DOESN'T WORK
> > ==============
> >
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> >
> > OR
> >
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> >
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt display
> > +---------------------------------------------+--------------------+
> > |                                 IPv6 Prefix |        IPv4 Prefix |
> > +---------------------------------------------+--------------------+
> > |                     2600:2701:1010:64::/96  |     152.13.0.64/27 |
> > +---------------------------------------------+--------------------+
> >
> > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_PUBLIC
> > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes
> > Request 0 timed out
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> > Request 3 timed out
> > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> >
> > Debug:
> > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet: 2600:2700:20c:2::3->2600:2701:1010:64::808:808
> > [282174.405238] Jool SIIT/8899d1c0/stateless: ===============================================
> > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0 id:4861
> > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.
> >
> > --
> >
> > Jeremy Oglesby
> > Network Architect
> > Information Technology Services
> > UNC Greensboro
> > +1.336.334.3583 (office)
> > _______________________________________________
> > Jool-list mailing list
> > Jool-list at nic.mx
> > https://mail-lists.nic.mx/listas/listinfo/jool-list
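
The address checks described in this message, as an added Python sketch (not part of the original post and not Jool's code). It models SIIT lookup as EAMT first, then an RFC 6052 /96 pool6, and only handles EAMT entries whose IPv6 and IPv4 suffix lengths are equal. 192.0.2.10 is a constructed stand-in for "<IPv4 address that you own>", and the function names are hypothetical.

```python
import ipaddress

POOL6 = "2600:2701:1010:64::/96"
CLIENT = "2600:2700:20c:2::3"            # source address from the debug log
TARGET = "2600:2701:1010:64::8.8.8.8"    # ping6 destination
OWNED_V4 = "192.0.2.10"                  # constructed placeholder address

def pool6_to_v4(addr6, pool6):
    """RFC 6052 with a /96 prefix: the IPv4 address is the low 32 bits."""
    if pool6 is None or addr6 not in pool6:
        return None
    return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)

def eamt_to_v4(addr6, eamt):
    """Explicit mapping: swap the IPv6 prefix for the IPv4 one, keep the suffix."""
    for p6, p4 in eamt:
        suffix_bits = 32 - p4.prefixlen
        if 128 - p6.prefixlen != suffix_bits:
            raise ValueError("sketch only handles equal suffix lengths")
        if addr6 in p6:
            suffix = int(addr6) & ((1 << suffix_bits) - 1)
            return ipaddress.IPv4Address(int(p4.network_address) | suffix)
    return None

def to_v4(addr6, pool6, eamt):
    """Try the EAMT first, then pool6; None means no IPv4 counterpart."""
    mapped = eamt_to_v4(addr6, eamt)
    return mapped if mapped is not None else pool6_to_v4(addr6, pool6)

def translate(src, dst, pool6=None, eamt=()):
    """Return (src4, dst4), or None if either address cannot be translated."""
    pool6 = ipaddress.IPv6Network(pool6) if pool6 else None
    eamt = [(ipaddress.IPv6Network(a), ipaddress.IPv4Network(b)) for a, b in eamt]
    out = [to_v4(ipaddress.IPv6Address(x), pool6, eamt) for x in (src, dst)]
    return None if None in out else tuple(out)

if __name__ == "__main__":
    # pool6 only: the destination maps to 8.8.8.8, the source has no mapping.
    print(translate(CLIENT, TARGET, pool6=POOL6))
    # Fix A: renumber the client into pool6.
    print(translate("2600:2701:1010:64::" + OWNED_V4, TARGET, pool6=POOL6))
    # Fix B: keep the client address, add a /128 <-> /32 EAMT entry plus pool6.
    print(translate(CLIENT, TARGET, pool6=POOL6,
                    eamt=[(CLIENT + "/128", OWNED_V4 + "/32")]))
```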

