[Jool-list] jool_siit Advice

Alberto Leiva ydahhrk at gmail.com
Tue Apr 13 18:16:26 CDT 2021


I missed pool4 in Option 2.

Actual intended script:

    modprobe jool
    jool instance add --netfilter --pool6 64:ff9b::/96
    jool pool4 add 152.13.0.0/24 --tcp --force
    jool pool4 add 152.13.0.0/24 --udp --force
    jool pool4 add 152.13.0.0/24 --icmp --force

    # Reserve an IPv4 socket for each server.
    # Here I'm assuming all servers are HTTP,
    # but you can play with the ports.
    # https://jool.mx/en/usr-flags-bib.html
    jool bib add 2600:2701:1010::2:cafe#80 152.13.0.1#80
    jool bib add 2600:2701:1010::2:beef#80 152.13.0.2#80
    jool bib add 2600:2701:1010::2:ba1d#80 152.13.0.3#80
    ...
    jool bib add 2600:2701:1010::2:face#80 152.13.0.20#80

On Tue, Apr 13, 2021 at 5:30 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>
> Option 1: Create one NAT64 instance and one SIIT instance, multiplex
> with iptables (jool and jool_siit together on the same server)
> Option 2: Use NAT64 + port forwarding (Static NAT rules)
>
> --------------------------------
>
> Option 1:
>
> - Suppose you want to reserve 152.13.0.0/25 for the traffic of your
> inbound servers, and 152.13.0.128/25 for your outbound servers.
> - Suppose your 500 outbound servers are in the 2600:2701:1010:1::0/112 network.
> - Suppose your 20 inbound servers are in the 2600:2701:1010:2::0/112 network.
>
>     modprobe jool
>     modprobe jool_siit
>
>     jool instance add "outbound" --iptables --pool6 64:ff9b::/96
>     # Force outbound instance to only use addresses .128-.255
>     # https://jool.mx/en/usr-flags-pool4.html
>     jool -i "outbound" pool4 add 152.13.0.128/25 --tcp
>     jool -i "outbound" pool4 add 152.13.0.128/25 --udp
>     jool -i "outbound" pool4 add 152.13.0.128/25 --icmp
>
>     jool_siit instance add "inbound" --iptables --pool6 64:ff9b::/96
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::cafe 152.13.0.1
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::beef 152.13.0.2
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::ba1d 152.13.0.3
>     ...
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::face 152.13.0.20
>
>     # ip6tables: send traffic from the outbound servers to the nat64 instance
>     ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:1::/112 -j JOOL --instance "outbound"
>     # ip6tables: send traffic from the inbound servers to the siit instance
>     ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:2::/112 -j JOOL_SIIT --instance "inbound"
>
>     # iptables: send traffic to 152.13.0.0/25 to the siit instance
>     iptables -t mangle -A PREROUTING -d 152.13.0.0/25 -j JOOL_SIIT --instance "inbound"
>     # iptables: send traffic to 152.13.0.128/25 to the nat64 instance
>     iptables -t mangle -A PREROUTING -d 152.13.0.128/25 -j JOOL --instance "outbound"
>
> Of course, if your IPv6 servers cannot be aggregated neatly, you will
> need to divide each ip6tables command into several more specific -s
> rules.
>
> --------------------------------
>
> Option 2:
>
>     modprobe jool
>     jool instance add --netfilter --pool6 64:ff9b::/96
>
>     # Reserve an IPv4 socket for each server.
>     # Here I'm assuming all servers are HTTP,
>     # but you can play with the ports.
>     # https://jool.mx/en/usr-flags-bib.html
>     jool bib add 2600:2701:1010::2:cafe#80 152.13.0.1#80
>     jool bib add 2600:2701:1010::2:beef#80 152.13.0.2#80
>     jool bib add 2600:2701:1010::2:ba1d#80 152.13.0.3#80
>     ...
>     jool bib add 2600:2701:1010::2:face#80 152.13.0.20#80
>
> Port 80 of addresses 152.13.0.1-152.13.0.20 will be reserved for
> inbound access, everything else will be outbound.
>
> This is both simpler and more efficient.
>
> On Tue, Apr 13, 2021 at 10:19 AM Jeremy Oglesby <jroglesb at uncg.edu> wrote:
> >
> > Thank you for taking the time to respond to me.  I was able to get both jool and jool_siit working thanks to your clarification.
> >
> > Here's my current config that is working:
> >
> > jool_siit instance add "stateless" --netfilter --pool6 64:ff9b::/96
> > jool_siit -i "stateless" eamt display
> > +---------------------------------------------+--------------------+
> > |                                 IPv6 Prefix |        IPv4 Prefix |
> > +---------------------------------------------+--------------------+
> > |                   2600:2701:1010:100::1/128 |     152.13.0.67/32 |
> > |           2600:2701:1010:0:152:13:0:226/128 |     152.13.0.66/32 |
> > +---------------------------------------------+--------------------+
> >
> >
> > For our network I have a /48 IPv6 range and a /24 IPv4 public range.  Since this is a Science DMZ there is no firewall or RFC1918 addresses and traffic is limited only through ACLs.  Our intent is to make all subnets /64 and most of the IPs will be assigned through SLAAC.  I've played around with the EAMT tables but since it's a bit-for-bit translation I don't see a good way to map /64 subnets with SLAAC clients to our IPv4 space due to the huge disparity in address volume.  I'm wondering if that's why most examples for EAMT are 1-to-1 /128 to /32.  Most of our servers will need some type of outbound access but only a few will need an inbound address.
> >
> > Originally, I had intended to implement a mix of a NAT/PAT(NAT64) and Static NAT(SIIT) similarly to how I would set up an enterprise firewall.  It looks like I need to choose between these two with Jool but I wanted to see if you had any recommendations.  We are only budgeted for a single network server that I can utilize.
> >
> > Can jool and jool_siit be utilized together on the same server?  Do you need to make a choice between them?
> >
> > For example, if I had an IPv6 datacenter with 500 IPv6 servers that need outbound access to IPv4-only resources and an additional 20 servers that need inbound access, how would you set that up?  On a traditional IPv4 firewall I would have a NAT/PAT IP shared for outbound access for the majority of the servers and more specific Static NAT rules for the servers that need inbound access from the Internet.
> >
> > On Fri, Apr 9, 2021 at 10:30 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
> >>
> >> Oops. Corrections. Disregard my previous message. I meant:
> >>
> >> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> >> > ping6 2600:2701:1010:64::8.8.8.8
> >>
> >> This is what's happening:
> >>
> >> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> >> 2. Jool cannot translate that packet, because the source address does
> >> not match pool6.
> >>
> >> Possible solution: Change your client's address to
> >> 2600:2701:1010:64::<IPv4 address that you own>.
> >>
> >> That way, both addresses can be translated with pool6.
> >>
> >> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> >> > ping6 2600:2701:1010:64::8.8.8.8
> >>
> >> This is what's happening:
> >>
> >> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> >> 2. Jool cannot translate that packet, because the source address does
> >> not match the EAMT entry.
> >>
> >> Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change
> >> your EAMT into
> >>
> >> +---------------------------------------------+--------------------------------+
> >> |                                 IPv6 Prefix |                    IPv4 Prefix |
> >> +---------------------------------------------+--------------------------------+
> >> |                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
> >> +---------------------------------------------+--------------------------------+
> >>
> >> That way, the source address gets translated with the EAMT, and the
> >> destination address is translated with pool6.
> >>
> >> Remember: With SIIT, each IPv6 client will need an implicit dedicated
> >> IPv4 address that you own.
> >> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.
> >>
> >> On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
> >> >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> >> > > ping6 2600:2701:1010:64::8.8.8.8
> >> >
> >> > This is what's happening:
> >> >
> >> > - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> >> > - Jool cannot translate that packet, because the source address does
> >> > not match pool6.
> >> >
> >> > Possible solution: Change your client's address to
> >> > 2600:2701:1010:64::<IPv4 address that you own>.
> >> >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> >> > > ping6 2600:2701:1010:64::8.8.8.8
> >> >
> >> > This is what's happening:
> >> >
> >> > - IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
> >> > - Jool cannot translate that packet, because the source address
> >> > matches neither pool6 nor the EAMT entry.
> >> >
> >> > Possible solution: Change your EAMT into
> >> >
> >> > +---------------------------------------------+--------------------------------+
> >> > |                                 IPv6 Prefix |                    IPv4 Prefix |
> >> > +---------------------------------------------+--------------------------------+
> >> > |                     2600:2700:20c:2::3/128  | <IPv4 address that you own>/32 |
> >> > +---------------------------------------------+--------------------------------+
> >> >
> >> > Remember: With SIIT, each IPv6 client will need an implicit dedicated
> >> > IPv4 address that you own.
> >> > SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 does.
> >> >
> >> > On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list
> >> > <jool-list at nic.mx> wrote:
> >> > >
> >> > > I'm not sure if this is the right list for this question, if not, please point me in the right direction.
> >> > >
> >> > > The University of North Carolina at Greensboro is in the process of standing up an IPv6-only Research DMZ.  To facilitate communication with the IPv4 Internet we're planning to use NAT64/DNS64 and have been advised by several other Universities to use Jool.
> >> > >
> >> > > I've got Jool installed in Centos 8 and it seems to work in Stateless mode but not Stateful.  I've tried both pool6 and an EAMT list and the packets still don't seem to match.  Maybe I'm missing something simple in my config.
> >> > >
> >> > > =======
> >> > > WORKS
> >> > > =======
> >> > >
> >> > > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6 2600:2701:1010:64::/96
> >> > >
> >> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_CORE
> >> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms
> >> > >
> >> > > ==============
> >> > > DOESN'T WORK
> >> > > ==============
> >> > >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6 2600:2701:1010:64::/96
> >> > >
> >> > > OR
> >> > >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 2600:2701:1010:64::/96 152.13.0.64/27
> >> > >
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt display
> >> > > +---------------------------------------------+--------------------+
> >> > > |                                 IPv6 Prefix |        IPv4 Prefix |
> >> > > +---------------------------------------------+--------------------+
> >> > > |                     2600:2701:1010:64::/96  |     152.13.0.64/27 |
> >> > > +---------------------------------------------+--------------------+
> >> > >
> >> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf GCRNET_PUBLIC
> >> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data bytes
> >> > > Request 0 timed out
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> >> > > Request 3 timed out
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address unreachable
> >> > >
> >> > > Debug:
> >> > > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet: 2600:2700:20c:2::3->2600:2701:1010:64::808:808
> >> > > [282174.405238] Jool SIIT/8899d1c0/stateless: ===============================================
> >> > > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0 id:4861
> >> > > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.
> >> > >
> >> > > --
> >> > >
> >> > > Jeremy Oglesby
> >> > > Network Architect
> >> > > Information Technology Services
> >> > > UNC Greensboro
> >> > > +1.336.334.3583 (office)
> >> > > _______________________________________________
> >> > > Jool-list mailing list
> >> > > Jool-list at nic.mx
> >> > > https://mail-lists.nic.mx/listas/listinfo/jool-list
> >
> >
> >
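Editor's added illustration (not code from the thread or from Jool) of the rule Alberto states in the quoted replies: with SIIT, a packet is only translatable when BOTH its source and its destination can be translated, each via either the EAMT (RFC 7757) or pool6 (RFC 6052). The script below models those two address algorithms for a /96 pool6 and replays the three configurations discussed (pool6 only, /96 <-> /27 EAMT only, and the suggested pool6 + per-client /128 <-> /32 fix), plus Jeremy's final working instance. Assumptions: the EAMT is consulted before pool6 (Jool's documented order), only a /96 pool6 is modelled, and 152.13.0.67 stands in for the "<IPv4 address that you own>" placeholder.

```python
"""Model of SIIT address translation: pool6 (RFC 6052, /96 only) plus an
EAMT (RFC 7757).  Teaching reconstruction, not Jool's implementation."""
import ipaddress
from typing import Optional, Sequence, Tuple


class Siit:
    def __init__(self, pool6: Optional[str] = None,
                 eamt: Sequence[Tuple[str, str]] = ()):
        self.pool6 = ipaddress.IPv6Network(pool6) if pool6 else None
        if self.pool6 is not None and self.pool6.prefixlen != 96:
            raise ValueError("this model only handles a /96 pool6")
        self.eamt = [(ipaddress.IPv6Network(p6), ipaddress.IPv4Network(p4))
                     for p6, p4 in eamt]

    def translate6(self, addr: str) -> Tuple[Optional[str], str]:
        """IPv6 -> IPv4. EAMT first, then pool6 (assumed to match Jool's order)."""
        a6 = ipaddress.IPv6Address(addr)
        for p6, p4 in self.eamt:
            if a6 in p6:
                # RFC 7757: IPv4 suffix = least-significant (32 - len4) bits of the IPv6 address
                suffix = int(a6) & ((1 << (32 - p4.prefixlen)) - 1)
                return str(ipaddress.IPv4Address(int(p4.network_address) | suffix)), "eamt"
        if self.pool6 is not None and a6 in self.pool6:
            # RFC 6052 with a /96 prefix: the IPv4 address is simply the low 32 bits
            return str(ipaddress.IPv4Address(int(a6) & 0xFFFFFFFF)), "pool6"
        return None, "matches neither the EAMT nor pool6"

    def translate4(self, addr: str) -> Tuple[Optional[str], str]:
        """IPv4 -> IPv6, same lookup order (inbound direction)."""
        a4 = ipaddress.IPv4Address(addr)
        for p6, p4 in self.eamt:
            if a4 in p4:
                suffix = int(a4) & ((1 << (32 - p4.prefixlen)) - 1)
                return str(ipaddress.IPv6Address(int(p6.network_address) | suffix)), "eamt"
        if self.pool6 is not None:
            return str(ipaddress.IPv6Address(int(self.pool6.network_address) | int(a4))), "pool6"
        return None, "matches neither the EAMT nor pool6"

    def translate_packet6(self, src6: str, dst6: str):
        """Both addresses of an IPv6 packet must translate, or the packet is dropped.
        Returns ((src4, dst4), how) on success or (None, reason) on failure."""
        src4, s_how = self.translate6(src6)
        if src4 is None:
            return None, f"source {src6} {s_how}"
        dst4, d_how = self.translate6(dst6)
        if dst4 is None:
            return None, f"destination {dst6} {d_how}"
        return (src4, dst4), f"src via {s_how}, dst via {d_how}"


# Constructed from the thread: Jeremy's client and his ping6 target.
CLIENT = "2600:2700:20c:2::3"
TARGET = "2600:2701:1010:64::8.8.8.8"   # same as 2600:2701:1010:64::808:808
OWNED_V4 = "152.13.0.67"               # assumed stand-in for "<IPv4 address that you own>"


def case_pool6_only():
    """First DOESN'T WORK config: pool6 alone, no EAMT."""
    return Siit(pool6="2600:2701:1010:64::/96").translate_packet6(CLIENT, TARGET)


def case_eamt_only():
    """Second DOESN'T WORK config: /96 <-> /27 EAMT, no pool6."""
    return Siit(eamt=[("2600:2701:1010:64::/96", "152.13.0.64/27")]).translate_packet6(CLIENT, TARGET)


def case_suggested_fix():
    """Alberto's fix: pool6 translates the destination, a /128 <-> /32 EAM the client."""
    t = Siit(pool6="2600:2701:1010:64::/96", eamt=[(CLIENT + "/128", OWNED_V4 + "/32")])
    return t.translate_packet6(CLIENT, TARGET)


def working_instance() -> Siit:
    """Jeremy's final 'stateless' instance: pool6 64:ff9b::/96 plus per-host EAMs."""
    return Siit(pool6="64:ff9b::/96",
                eamt=[("2600:2701:1010:100::1/128", "152.13.0.67/32"),
                      ("2600:2701:1010:0:152:13:0:226/128", "152.13.0.66/32")])


if __name__ == "__main__":
    for name, fn in [("pool6 only", case_pool6_only), ("EAMT only", case_eamt_only),
                     ("suggested fix", case_suggested_fix)]:
        print(f"{name:14s} -> {fn()}")
    w = working_instance()
    print("inbound  ", w.translate4("152.13.0.67"))  # ('2600:2701:1010:100::1', 'eamt')
    print("outbound ", w.translate_packet6("2600:2701:1010:100::1", "64:ff9b::8.8.8.8"))
    print("no EAM   ", w.translate6("2600:2701:1010:100::2"))  # (None, ...): SLAAC host with no IPv4
```

The last line of the demo is the practical point of the thread: an IPv6 host with no EAM of its own (every SLAAC address in a /64, for instance) cannot be translated by SIIT at all, because pool6 only covers addresses that already embed an IPv4 address. That is why SIIT needs one owned IPv4 address per IPv6 client and why the stateful NAT64 instance with static BIB entries (Option 2 above) is the design that covers 500 outbound hosts from one /24.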

