[Jool-list] jool_siit Advice

Jeremy Oglesby jroglesb at uncg.edu
Tue Apr 13 10:19:35 CDT 2021


Thank you for taking the time to respond to me.  I was able to get both
jool and jool_siit working thanks to your clarification.

Here's my current config that is working:

jool_siit instance add "stateless" --netfilter --pool6 64:ff9b::/96
jool_siit -i "stateless" eamt display
+---------------------------------------------+--------------------+
|                                 IPv6 Prefix |        IPv4 Prefix |
+---------------------------------------------+--------------------+
|                   2600:2701:1010:100::1/128 |     152.13.0.67/32 |
|           2600:2701:1010:0:152:13:0:226/128 |     152.13.0.66/32 |
+---------------------------------------------+--------------------+


For our network I have a /48 IPv6 range and a /24 IPv4 public range.  Since
this is a Science DMZ there is no firewall or RFC1918 addresses and traffic
is limited only through ACLs.  Our intent is to make all subnets /64 and
most of the IPs will be assigned through SLAAC.  I've played around with
the EAMT tables but since it's a bit-for-bit translation I don't see a good
way to map /64 subnets with SLAAC clients to our IPv4 space due to the huge
disparity in address volume.  I'm wondering if that's why most examples for
EAMT are 1-to-1 /128 to /32.  Most of our servers will need some type of
outbound access but only a few will need an inbound address.

Originally, I had intended to implement a mix of a NAT/PAT(NAT64) and
Static NAT(SIIT) similarly to how I would set up an enterprise firewall.
It looks like I need to choose between these two with Jool but I wanted to
see if you had any recommendations.  We are only budgeted for a single
network server that I can utilize.

Can jool and jool_siit be utilized together on the same server?  Do you
need to make a choice between them?

For example, if I had an IPv6 datacenter with 500 IPv6 servers that need
outbound access to IPv4-only resources and an additional 20 servers that
need inbound access, how would you set that up?  On a traditional IPv4
firewall I would have a NAT/PAT IP shared for outbound access for the
majority of the servers and more specific Static NAT rules for the servers
that need inbound access from the Internet.

On Fri, Apr 9, 2021 at 10:30 PM Alberto Leiva <ydahhrk at gmail.com> wrote:

> Oops. Corrections. Disregard my previous message. I meant:
>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> --pool6 2600:2701:1010:64::/96
> > ping6 2600:2701:1010:64::8.8.8.8
>
> This is what's happening:
>
> 1. IPv6 client writes packet 2600:2700:20c:2::3 ->
> 2600:2701:1010:64::8.8.8.8
> 2. Jool cannot translate that packet, because the source address does
> not match pool6.
>
> Possible solution: Change your client's address to
> 2600:2701:1010:64::<IPv4 address that you own>.
>
> That way, both addresses can be translated with pool6.
>
> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
> 2600:2701:1010:64::/96 152.13.0.64/27
> > ping6 2600:2701:1010:64::8.8.8.8
>
> This is what's happening:
>
> 1. IPv6 client writes packet 2600:2700:20c:2::3 ->
> 2600:2701:1010:64::8.8.8.8
> 2. Jool cannot translate that packet, because the source address does
> not match the EAMT entry.
>
> Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change
> your EAMT into
>
>
> +---------------------------------------------+--------------------------------+
> |                                 IPv6 Prefix |                    IPv4 Prefix |
> +---------------------------------------------+--------------------------------+
> |                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
> +---------------------------------------------+--------------------------------+
>
> That way, the source address gets translated with the EAMT, and the
> destination address is translated with pool6.
>
> Remember: With SIIT, each IPv6 client will need an implicit dedicated
> IPv4 address that you own.
> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64
> does.
>
> On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
> >
> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> --pool6 2600:2701:1010:64::/96
> > > ping6 2600:2701:1010:64::8.8.8.8
> >
> > This is what's happening:
> >
> > - IPv6 client writes packet 2600:2700:20c:2::3 ->
> 2600:2701:1010:64::8.8.8.8
> > - Jool cannot translate that packet, because the source address does
> > not match pool6.
> >
> > Possible solution: Change your client's address to
> > 2600:2701:1010:64::<IPv4 address that you own>.
> >
> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
> 2600:2701:1010:64::/96 152.13.0.64/27
> > > ping6 2600:2701:1010:64::8.8.8.8
> >
> > This is what's happening:
> >
> > - IPv6 client writes packet 2600:2700:20c:2::3 ->
> 2600:2701:1010:64::8.8.8.8
> > - Jool cannot translate that packet, because the source address
> > matches neither pool6 nor the EAMT entry.
> >
> > Possible solution: Change your EAMT into
> >
> >
> > +---------------------------------------------+--------------------------------+
> > |                                 IPv6 Prefix |                    IPv4 Prefix |
> > +---------------------------------------------+--------------------------------+
> > |                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
> > +---------------------------------------------+--------------------------------+
> >
> > Remember: With SIIT, each IPv6 client will need an implicit dedicated
> > IPv4 address that you own.
> > SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64
> does.
> >
> > On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list
> > <jool-list at nic.mx> wrote:
> > >
> > > I'm not sure if this is the right list for this question, if not,
> please point me in the right direction.
> > >
> > > The University of North Carolina at Greensboro is in the process of
> standing up an IPv6-only Research DMZ.  To facilitate communication with
> the IPv4 Internet we're planning to use NAT64/DNS64 and have been advised
> by several other Universities to use Jool.
> > >
> > > I've got Jool installed in Centos 8 and it seems to work in Stateless
> mode but not Stateful.  I've tried both pool6 and an EAMT list and the
> packets still don't seem to match.  Maybe I'm missing something simple in
> my config.
> > >
> > > =======
> > > WORKS
> > > =======
> > >
> > > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6
> 2600:2701:1010:64::/96
> > >
> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf
> GCRNET_CORE
> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data
> bytes
> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms
> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms
> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms
> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms
> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms
> > >
> > > ==============
> > > DOESN'T WORK
> > > ==============
> > >
> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> --pool6 2600:2701:1010:64::/96
> > >
> > > OR
> > >
> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
> 2600:2701:1010:64::/96 152.13.0.64/27
> > >
> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt display
> > > +---------------------------------------------+--------------------+
> > > |                                 IPv6 Prefix |        IPv4 Prefix |
> > > +---------------------------------------------+--------------------+
> > > |                     2600:2701:1010:64::/96  |     152.13.0.64/27 |
> > > +---------------------------------------------+--------------------+
> > >
> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf
> GCRNET_PUBLIC
> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data
> bytes
> > > Request 0 timed out
> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable:
> Address unreachable
> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable:
> Address unreachable
> > > Request 3 timed out
> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable:
> Address unreachable
> > >
> > > Debug:
> > > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet:
> 2600:2700:20c:2::3->2600:2701:1010:64::808:808
> > > [282174.405238] Jool SIIT/8899d1c0/stateless:
> ===============================================
> > > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0
> id:4861
> > > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.
> > >
> > > --
> > >
> > > Jeremy Oglesby
> > > Network Architect
> > > Information Technology Services
> > > UNC Greensboro
> > > +1.336.334.3583 (office)
> > > _______________________________________________
> > > Jool-list mailing list
> > > Jool-list at nic.mx
> > > https://mail-lists.nic.mx/listas/listinfo/jool-list
>


-- 

Jeremy Oglesby
Network Architect
Information Technology Services
UNC Greensboro
+1.336.334.3583 (office)
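The three configurations discussed in this thread (pool6 only, a /96 to /27 EAMT entry only, and the final pool6 plus /128 to /32 EAMT setup) can be modelled in a few lines. The following is an added example, not Jool's code and not something from the thread; it assumes the address-selection order I understand Jool to document for SIIT (an EAMT entry is tried first, then pool6, and an address matching neither makes the packet untranslatable), the /96 form of RFC 6052, and my reading of the RFC 7757 EAM bit-copy, under which IPv6 suffix bits that do not fit into the IPv4 host part must be zero. Prefixes and addresses are the ones quoted in the thread.

```python
"""Model of how a SIIT translator decides whether a packet's addresses are
translatable.  Added example, not Jool's code.  Assumptions: EAMT before
pool6, RFC 6052 with a /96 prefix, and RFC 7757 EAM with excess suffix
bits required to be zero.  Helpers accept strings or ipaddress objects."""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


def pool6_to_ipv4(addr6, pool6):
    """RFC 6052, /96 form: the IPv4 address is the low 32 bits of addr6.
    Returns None when addr6 is not inside pool6."""
    addr6, pool6 = IPv6Address(addr6), IPv6Network(pool6)
    assert pool6.prefixlen == 96, "only the /96 form is modelled here"
    if addr6 not in pool6:
        return None
    return IPv4Address(int(addr6) & 0xFFFFFFFF)


def ipv4_to_pool6(addr4, pool6):
    """RFC 6052 embedding, e.g. 8.8.8.8 in 64:ff9b::/96 -> 64:ff9b::808:808."""
    addr4, pool6 = IPv4Address(addr4), IPv6Network(pool6)
    assert pool6.prefixlen == 96, "only the /96 form is modelled here"
    return IPv6Address(int(pool6.network_address) | int(addr4))


def _parse_eamt(eamt):
    return [(IPv6Network(p6), IPv4Network(p4)) for p6, p4 in eamt]


def eamt_to_ipv4(addr6, eamt):
    """EAM lookup, IPv6 -> IPv4.  eamt is a list of (IPv6 prefix, IPv4 prefix).
    Longest IPv6-prefix match wins; the bits after the IPv6 prefix (the
    suffix) are copied into the host part of the IPv4 prefix.  Suffix bits
    that do not fit there must be zero, otherwise the address is untranslatable
    (assumption: my reading of RFC 7757)."""
    addr6 = IPv6Address(addr6)
    matches = [(p6, p4) for p6, p4 in _parse_eamt(eamt) if addr6 in p6]
    if not matches:
        return None
    p6, p4 = max(matches, key=lambda e: e[0].prefixlen)
    suffix = int(addr6) & int(p6.hostmask)
    if suffix >> (32 - p4.prefixlen):      # excess high-order suffix bits set
        return None
    return IPv4Address(int(p4.network_address) | suffix)


def eamt_to_ipv6(addr4, eamt):
    """EAM lookup, IPv4 -> IPv6 (the reply direction), same rules mirrored."""
    addr4 = IPv4Address(addr4)
    matches = [(p6, p4) for p6, p4 in _parse_eamt(eamt) if addr4 in p4]
    if not matches:
        return None
    p6, p4 = max(matches, key=lambda e: e[1].prefixlen)
    suffix = int(addr4) & int(p4.hostmask)
    if suffix >> (128 - p6.prefixlen):
        return None
    return IPv6Address(int(p6.network_address) | suffix)


def translate_6to4(src6, dst6, pool6, eamt):
    """Return ([(addr4, mechanism), ...], 'translated') or (None, reason).
    Both addresses must translate; pool6 may be None (no pool6 configured)."""
    result = []
    for addr6 in (src6, dst6):
        addr4, how = eamt_to_ipv4(addr6, eamt), "EAMT"
        if addr4 is None and pool6 is not None:
            addr4, how = pool6_to_ipv4(addr6, pool6), "pool6"
        if addr4 is None:
            return None, f"{addr6} matches neither the EAMT nor pool6; packet dropped"
        result.append((addr4, how))
    return result, "translated"


# Addresses quoted in the thread.
CLIENT = "2600:2700:20c:2::3"
THREAD_POOL6 = "2600:2701:1010:64::/96"
GOOGLE_DNS = "8.8.8.8"


def scenario_pool6_only():
    """instance add --pool6 2600:2701:1010:64::/96, no EAMT: source fails."""
    return translate_6to4(CLIENT, ipv4_to_pool6(GOOGLE_DNS, THREAD_POOL6), THREAD_POOL6, [])


def scenario_eamt_only():
    """EAMT 2600:2701:1010:64::/96 <-> 152.13.0.64/27, no pool6: source fails."""
    eamt = [("2600:2701:1010:64::/96", "152.13.0.64/27")]
    return translate_6to4(CLIENT, ipv4_to_pool6(GOOGLE_DNS, THREAD_POOL6), None, eamt)


def scenario_working():
    """The final config: pool6 64:ff9b::/96 plus /128 <-> /32 EAMT entries.
    Returns the forward translation and the reply-direction addresses."""
    pool6 = "64:ff9b::/96"
    eamt = [("2600:2701:1010:100::1/128", "152.13.0.67/32"),
            ("2600:2701:1010:0:152:13:0:226/128", "152.13.0.66/32")]
    forward = translate_6to4("2600:2701:1010:100::1", ipv4_to_pool6(GOOGLE_DNS, pool6), pool6, eamt)
    reply = (ipv4_to_pool6(GOOGLE_DNS, pool6), eamt_to_ipv6("152.13.0.67", eamt))
    return forward, reply


if __name__ == "__main__":
    print("pool6 only:", scenario_pool6_only())
    print("EAMT only: ", scenario_eamt_only())
    print("working:   ", scenario_working())
```

Running the module prints the drop reason for the two failing configurations and the translated address pairs for the working one; the /96 to /27 lookup also shows why that entry only ever covers 32 hosts (suffix values above 31 have excess bits set and are untranslatable), which is the address-volume mismatch the question above describes.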