Task #7304

closed

Test NAT64 with distributed routers with joold on alpine

Added by Nico Schottelius about 5 years ago. Updated almost 5 years ago.

Status: Rejected
Priority: Normal
Target version: -
Start date: 11/07/2019
Due date:
% Done: 0%
Estimated time:
PM Check date:

Description

To replace tayga

  • place5:
    • map outgoing traffic to 185.203.112.1 (?)
  • place6:
    • map outgoing traffic to 185.203.114.1 (?)

Could use the new ipv4 networks for testing -> requires bird running first...

  • cdist type: __dcl_nat64_jool (could in theory go upstream)
    • --pool6 (a /96 that translates to the IPv4 world)
    • --pool4 (optional) that will be the source ipv4 addresses

IPv4:

  • New IPv4 addresses to be used for NAT64 documented in netbox ( 147.78.195.244/30 and 147.78.195.240/30 )
  • Using a /30 on bgp side, but actually /32's on the routers

Related issues: 1 (0 open, 1 closed)

  • Related to Open Infrastructure - Task #7306: Phase in new routers (Rejected, Nico Schottelius, 11/09/2019)

Actions #1

Updated by Nico Schottelius about 5 years ago

  • Subject changed from Test joold on alpine to Test NAT64 with distributed routers with joold on alpine
Actions #2

Updated by Nico Schottelius about 5 years ago

  • Description updated (diff)
Actions #3

Updated by Nico Schottelius about 5 years ago

  • Related to Task #7306: Phase in new routers added
Actions #4

Updated by Nico Schottelius about 5 years ago

fakerouter1:~# modprobe jool_siit
modprobe: FATAL: Module jool_siit not found in directory /lib/modules/4.19.41-0-virt
fakerouter1:~# 

-> reboot.

Have to adopt the following code:

user@BR:~# modprobe jool_siit
user@BR:~# jool_siit instance add --netfilter --pool6 2001:db8:46::/96
user@BR:~# jool_siit eamt add 192.0.2.1 2001:db8:12:34::1

  • pool6 will be a new /96 suffix
  • eamt for servers / vms will be individually

jool_siit instance add --netfilter --pool6 2a0a:e5c0:5:46::/96

For full nat64, we need the jool module:

fakerouter1:~# modprobe jool
fakerouter1:~# jool instance add --netfilter --pool6 2a0a:e5c0:5:46::/96

Attention: there is a difference between jool instance add and jool_siit instance add !

Actions #5

Updated by Nico Schottelius about 5 years ago

fakerouter1:~# jool -i default stats display --explain
JSTAT_UNKNOWN_ICMP6_TYPE: 97
Translations cancelled: ICMPv6 header's type value has no ICMPv4 counterpart.

JSTAT_POOL6_MISMATCH: 4428
Translations cancelled: IPv6 packet's destination address did not match pool6. (ie. Packet was not meant to be translated.)

JSTAT_POOL4_MISMATCH: 35
Translations cancelled: IPv4 packet's destination address and transport protocol did not match pool4. (ie. Packet was not meant to be translated.)
If the instance is a Netfilter translator, this counter increases randomly from normal operation, and is harmless.
If the instance is an iptables translator, this counter being positive suggests a mismatch between the IPv4 iptables rule(s) and the instance's configuration.

fakerouter1:~# 
Actions #6

Updated by Nico Schottelius about 5 years ago

Testing from the 2nd router (locally created packets don't work):

fakerouter2:~# ip -6 route add 2a0a:e5c0:5:46::/96 via 2a0a:e5c0:0:2:0:b3ff:fe39:79a2
fakerouter2:~#  ping6 2a0a:e5c0:5:46::185.204.114.1
PING 2a0a:e5c0:5:46::185.204.114.1 (2a0a:e5c0:5:46::b9cc:7201): 56 data bytes

Packets are being received:

fakerouter1:~# tcpdump -ni eth0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:34:36.538710 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 37, length 64
17:34:37.538848 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 38, length 64
17:34:38.539104 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 39, length 64
17:34:39.539254 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 40, length 64
17:34:40.539501 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 41, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
fakerouter1:~# 

forgot this part:

fakerouter1:~# sysctl net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
fakerouter1:~# sysctl net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
fakerouter1:~# 

works:

fakerouter1:~# tcpdump -ni eth1 not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:22.939950 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 15, length 64
17:36:23.681836 IP 185.176.27.246.54891 > 185.203.112.57.65463: Flags [S], seq 774583523, win 1024, length 0
17:36:23.940086 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 16, length 64
17:36:24.940247 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 17, length 64
17:36:25.529574 IP6 fe80::21b:21ff:febb:6934 > ff02::1:ff39:800d: ICMP6, neighbor solicitation, who has 2a0a:e5c0:0:2:400:b3ff:fe39:800d, length 32
17:36:25.940458 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 18, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
fakerouter1:~# 

And with the correct IPv4 address, even works with reply:

fakerouter2:~#  ping6 2a0a:e5c0:5:46::185.203.114.1
PING 2a0a:e5c0:5:46::185.203.114.1 (2a0a:e5c0:5:46::b9cb:7201): 56 data bytes
64 bytes from 2a0a:e5c0:5:46::b9cb:7201: seq=0 ttl=62 time=0.979 ms
64 bytes from 2a0a:e5c0:5:46::b9cb:7201: seq=1 ttl=62 time=0.961 ms
^C
--- 2a0a:e5c0:5:46::185.203.114.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.961/0.970/0.979 ms
fakerouter2:~# 
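The ping targets above are RFC 6052 addresses: the IPv4 address is embedded in the low 32 bits of the /96 pool6 prefix (185.203.114.1 becomes ::b9cb:7201, the mistyped 185.204.114.1 becomes ::b9cc:7201), and a destination outside pool6 is what Jool counts as JSTAT_POOL6_MISMATCH in note #5. The following is an added example, not code from the ticket or from Jool; it uses only the Python standard library and the sample destinations are constructed.

```python
import ipaddress


def nat64_synthesize(pool6: str, ipv4: str) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix (the RFC 6052 form that
    jool --pool6 uses): the four IPv4 octets become the low 32 bits."""
    prefix = ipaddress.IPv6Network(pool6, strict=True)
    if prefix.prefixlen != 96:
        raise ValueError("only /96 pool6 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_extract(pool6: str, ipv6: str):
    """Reverse direction: the embedded IPv4 address if ipv6 lies inside
    pool6, otherwise None (the packet is not meant to be translated)."""
    prefix = ipaddress.IPv6Network(pool6, strict=True)
    if prefix.prefixlen != 96:
        raise ValueError("only /96 pool6 prefixes are handled here")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def classify_destinations(pool6: str, destinations):
    """Count IPv6 destinations that would be translated versus those a
    Netfilter jool instance would count as JSTAT_POOL6_MISMATCH."""
    counts = {"translated": 0, "pool6_mismatch": 0}
    for dst in destinations:
        if nat64_extract(pool6, dst) is None:
            counts["pool6_mismatch"] += 1
        else:
            counts["translated"] += 1
    return counts


# Constructed sample: the ticket's pool6, both ping targets from note #6
# and one native IPv6 host that Jool must leave alone.
POOL6 = "2a0a:e5c0:5:46::/96"
SAMPLE_DESTINATIONS = [
    "2a0a:e5c0:5:46::185.203.114.1",   # reachable target, dotted-quad form
    "2a0a:e5c0:5:46::b9cc:7201",       # 185.204.114.1, the mistyped target
    "2a0a:e5c0:0:2:0:b3ff:fe39:7976",  # plain IPv6 host outside pool6
]

if __name__ == "__main__":
    print(nat64_synthesize(POOL6, "185.203.114.1"))
    for dst in SAMPLE_DESTINATIONS:
        print(dst, "->", nat64_extract(POOL6, dst))
    print(classify_destinations(POOL6, SAMPLE_DESTINATIONS))
```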
Actions #7

Updated by Nico Schottelius about 5 years ago

Sessions w/ tcp visible:

---------------------------------
fakerouter1:~# jool session display
---------------------------------
(ESTABLISHED) Expires in 1:59:58.570
Remote: 185-203-114-1.legacy.ipv4.at.ungleich.ch#ssh    2a0a-e5c0-0000-0002-0000-b3ff-fe39-7976.loves.ipv6.at.ungleich.ch#41974
Local: 185.203.112.57#62413     2a0a:e5c0:5:46::b9cb:7201#22
---------------------------------
fakerouter1:~# 

fakerouter1:~# jool bib display
[Dynamic TCP] 185.203.112.57#62413 - 2a0a-e5c0-0000-0002-0000-b3ff-fe39-7976.loves.ipv6.at.ungleich.ch#41974

Actions #8

Updated by Nico Schottelius about 5 years ago

Adding selected addresses instead of using only the existing one:

fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --tcp
fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --udp
fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --icmp
fakerouter1:~# jool pool4 display
+------------+-------+--------------------+-----------------+-------------+
|       Mark | Proto |     Max iterations |         Address |       Ports |
+------------+-------+--------------------+-----------------+-------------+
|          0 |   TCP |       8192 ( auto) |        10.0.0.0 |     2-32000 |
|            |       |                    |        10.0.0.1 |     2-32000 |
|            |       |                    |        10.0.0.2 |     2-32000 |
|            |       |                    |        10.0.0.3 |     2-32000 |
|            |       |                    |        10.0.0.4 |     2-32000 |
|            |       |                    |        10.0.0.5 |     2-32000 |
...

Works as expected:

fakerouter1:~# tcpdump  -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:11:00.012258 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 11, length 64
18:11:01.012376 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 12, length 64
18:11:02.012587 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 13, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Actions #9

Updated by Nico Schottelius about 5 years ago

  • Description updated (diff)
Actions #10

Updated by Nico Schottelius about 5 years ago

  • Description updated (diff)
Actions #11

Updated by Nico Schottelius about 5 years ago

  • Description updated (diff)
Actions #12

Updated by Nico Schottelius about 5 years ago

  • Configuring router1.place6 for NAT64
    • Prefix 2a0a:e5c0:2:10::/96

router1:~# jool instance add --netfilter --pool6 2a0a:e5c0:2:10::/96

... router not reachable atm.

Actions #13

Updated by Nico Schottelius almost 5 years ago

  • Status changed from In Progress to Rejected

Active-passive
