[Jool-list] DNAT "port mapping" through jool? [EXTERNAL]

Art Cancro Art.Cancro at tierpoint.com
Fri Feb 19 16:09:44 CST 2021


Excellent.  I completely understand now.  Thanks for confirming, and for pointing out where in the docs I can learn more.

-- Art



From: Alberto Leiva <ydahhrk at gmail.com>
Sent: Friday, February 19, 2021 1:06 PM
To: Art Cancro <Art.Cancro at tierpoint.com>
Cc: jool-list at nic.mx
Subject: Re: [Jool-list] DNAT "port mapping" through jool? [EXTERNAL]

> My guess is that when you create the instance, it is willing to use any outbound IPv4 address, but as soon as you add a pool4, it restricts to that, and since I only put one port (80/tcp) into it, everything else got closed off.  Am I right about that?

Yes, that's exactly what's happening. [0]

> # Then put ALL ports of the gateway's IPv4 address into the pool4

Just be aware that, if you add the entire 100.127.255.253 address to Jool, Linux will not be reliably able to use it for anything else. If the node doesn't have any other IPv4 address, you might want to leave some room for the ephemeral range. [1]

[0] https://jool.mx/en/usr-flags-pool4.html#empty-pool4
[1] https://jool.mx/en/usr-flags-pool4.html#port-range

On Fri, Feb 19, 2021 at 9:05 AM Art Cancro via Jool-list <jool-list at nic.mx> wrote:
I think I got it working, but if someone could tell me whether this is "correct" or if there's a better way, I would appreciate it; or if this is the best way then it could be added to the documentation.

# First create the instance and set up the pool6
jool instance add --netfilter --pool6 xxxx:xxxx::/96

# Then put ALL ports of the gateway's IPv4 address into the pool4
jool pool4 add --tcp 100.127.255.253 1-65535
jool pool4 add --udp 100.127.255.253 1-65535
jool pool4 add --icmp 100.127.255.253 1-65535

# At this point, I can create static BIB entries
jool bib add --tcp 2607:f8b0:4002:c02::8a#80 100.127.255.253#80

My guess is that when you create the instance, it is willing to use any outbound IPv4 address, but as soon as you add a pool4, it restricts to that, and since I only put one port (80/tcp) into it, everything else got closed off.  Am I right about that?

Again, many thanks; jool is solving a LOT of problems in my data centers.

-- Art



From: Jool-list <jool-list-bounces at nic.mx> On Behalf Of Art Cancro via Jool-list
Sent: Thursday, February 18, 2021 6:48 PM
To: Alberto Leiva <ydahhrk at gmail.com>
Cc: jool-list at nic.mx
Subject: Re: [Jool-list] DNAT "port mapping" through jool? [EXTERNAL]

Manual entry to bib table looks like the right approach.   I tried it today.  100.127.255.253 is the interface on the IPv4 side of my jool machine, and we are successfully doing NAT64 of a /96 block towards the IPv4 side...

So as a test I am trying to see if we can get clients who connect to 100.127.255.253#80 to get the HTTP server at 2607:f8b0:4002:c02::8a#80 (which is google, but again it's just a test)

So the command appears to be:

jool bib add --tcp 2607:f8b0:4002:c02::8a#80 100.127.255.253#80

And the error response is:

Error: The kernel module returned error 22: The transport address '100.127.255.253#80' does not belong to pool4.  Please add it there  first.

So I tried:

jool pool4 add --tcp 100.127.255.253 80
jool bib add --tcp 2607:f8b0:4002:c02::8a#80 100.127.255.253#80

This works for outbound connections, but it broke the NAT64 inbound connections.

Does jool support pool6 IPv6-->IPv4 and manual bib IPv4-->IPv6 at the same time?


From: Alberto Leiva <ydahhrk at gmail.com>

Woops, I meant

sudo jool bib add cafe::1#80 203.0.113.1#80

On Wed, Feb 17, 2021 at 12:29 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
Try

sudo jool bib add <Address of IPv6 server>#<Port of IPv6 server> <IPv4 address of Jool>#<Port of Jool mask>
sudo jool bib add cafe::1#80 203.0.113.1:80

_______________________________________________
Jool-list mailing list
Jool-list at nic.mx
https://mail-lists.nic.mx/listas/listinfo/jool-list
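The procedure the thread converged on (instance and pool6, pool4 with the gateway's IPv4 address, then a static BIB entry) together with Alberto's caveat about leaving room for the ephemeral port range can be scripted. The script below is an added example, not code from the thread or from the Jool project: it reads the kernel's ip_local_port_range, excludes that range from the TCP/UDP pool4 entries, refuses to emit a BIB entry whose IPv4 port would not be in pool4 (the "does not belong to pool4" error Art hit), and prints the resulting jool commands. The helper names, the JOOL_APPLY variable and the pool6 prefix 64:ff9b::/96 (the well-known NAT64 prefix; the thread elides the real one) are this example's assumptions; the IPv4 and IPv6 addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Jool project: generates
# the pool4/BIB commands for the setup discussed above, but carves the kernel's
# ephemeral port range out of pool4 so the host keeps ports for its own
# outbound IPv4 connections. Assumptions: the helper names, the JOOL_APPLY
# variable, and the pool6 prefix 64:ff9b::/96 (well-known NAT64 prefix; the
# thread elides the real one). The IPv4 and IPv6 addresses are the thread's.

# Print the port ranges left after removing ephemeral ports LOW-HIGH,
# as space-separated "a-b" tokens (e.g. "1-32767 61000-65535"); empty if none.
pool4_ranges_excluding_ephemeral() {
    low=$1; high=$2; out=""
    if [ "$low" -gt 1 ]; then
        out="1-$((low - 1))"
    fi
    if [ "$high" -lt 65535 ]; then
        out="${out:+$out }$((high + 1))-65535"
    fi
    printf '%s\n' "$out"
}

# Return 0 if PORT lies inside one of the "a-b" ranges given as further args.
# Mirrors the pool4 membership check behind the "does not belong to pool4"
# error quoted in the thread, so the mistake is caught before touching jool.
port_in_ranges() {
    port=$1; shift
    for r in "$@"; do
        lo=${r%-*}; hi=${r#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Emit the jool commands for one NAT64 instance: pool6, pool4 (TCP/UDP minus
# the ephemeral range, ICMP identifiers 1-65535 as in the thread) and the
# static BIB entry. pool4 must be populated before the BIB entry is added.
gen_jool_commands() {
    v4addr=$1; pool6=$2; eph_low=$3; eph_high=$4; v6server=$5; port=$6
    ranges=$(pool4_ranges_excluding_ephemeral "$eph_low" "$eph_high")
    if ! port_in_ranges "$port" $ranges; then
        printf 'error: port %s falls in the ephemeral range %s-%s and would not be in pool4\n' \
            "$port" "$eph_low" "$eph_high" >&2
        return 1
    fi
    printf 'jool instance add --netfilter --pool6 %s\n' "$pool6"
    for range in $ranges; do
        printf 'jool pool4 add --tcp %s %s\n' "$v4addr" "$range"
        printf 'jool pool4 add --udp %s %s\n' "$v4addr" "$range"
    done
    printf 'jool pool4 add --icmp %s 1-65535\n' "$v4addr"
    printf 'jool bib add --tcp %s#%s %s#%s\n' "$v6server" "$port" "$v4addr" "$port"
}

# Read the kernel's ephemeral range; fall back to the Linux default when the
# sysctl file is not readable (e.g. when generating the commands off-box).
ephemeral_range() {
    f=/proc/sys/net/ipv4/ip_local_port_range
    if [ -r "$f" ] && read -r lo hi < "$f"; then
        printf '%s %s\n' "$lo" "$hi"
    else
        printf '32768 60999\n'
    fi
}

# Print the commands; run them (via sudo) only when JOOL_APPLY=1 is set.
print_or_apply() {
    eph=$(ephemeral_range)
    gen_jool_commands 100.127.255.253 64:ff9b::/96 ${eph% *} ${eph#* } \
        2607:f8b0:4002:c02::8a 80 |
    while IFS= read -r cmd; do
        if [ "${JOOL_APPLY:-0}" = 1 ]; then
            sudo $cmd
        else
            printf '%s\n' "$cmd"
        fi
    done
}

print_or_apply
```

Run it without JOOL_APPLY first and review the printed commands; with the Linux default range the TCP and UDP pool4 entries become 1-32767 and 61000-65535, which still contain port 80 for the static mapping while leaving the kernel its own source ports on 100.127.255.253. Port 80 and every other port you put in pool4 are then owned by Jool, so nothing else on the box can reliably listen there.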