Task #7304
[closed] Test NAT64 with distributed routers with joold on alpine
Added by Nico Schottelius about 5 years ago. Updated almost 5 years ago.
Start date:
11/07/2019
% Done:
0%
Description
To replace tayga
- place5:
  - map outgoing traffic to 185.203.112.1 (?)
- place6:
  - map outgoing traffic to 185.203.114.1 (?)
Could use the new ipv4 networks for testing -> requires bird running first...
- cdist type: __dcl_nat64_jool (could in theory go upstream)
  - --pool6 (a /96 that translates to the IPv4 world)
  - --pool4 (optional) that will be the source ipv4 addresses
IPv4:
- New IPv4 addresses to be used for NAT64 documented in netbox ( 147.78.195.244/30 and 147.78.195.240/30 )
- Using a /30 on bgp side, but actually /32's on the routers
Updated by Nico Schottelius about 5 years ago
- Subject changed from Test joold on alpine to Test NAT64 with distributed routers with joold on alpine
Updated by Nico Schottelius about 5 years ago
- Related to Task #7306: Phase in new routers added
Updated by Nico Schottelius about 5 years ago
fakerouter1:~# modprobe jool_siit
modprobe: FATAL: Module jool_siit not found in directory /lib/modules/4.19.41-0-virt
fakerouter1:~#
-> reboot.
Have to adopt the following code:
user@BR:~# modprobe jool_siit
user@BR:~# jool_siit instance add --netfilter --pool6 2001:db8:46::/96
user@BR:~# jool_siit eamt add 192.0.2.1 2001:db8:12:34::1
- pool6 will be a new /96 suffix
- eamt for servers / vms will be individually
jool_siit instance add --netfilter --pool6 2a0a:e5c0:5:46::/96
For full nat64, we need the jool module:
fakerouter1:~# modprobe jool
fakerouter1:~# jool instance add --netfilter --pool6 2a0a:e5c0:5:46::/96
Attention: there is a difference between jool instance add and jool_siit instance add!
Updated by Nico Schottelius about 5 years ago
fakerouter1:~# jool -i default stats display --explain
JSTAT_UNKNOWN_ICMP6_TYPE: 97
Translations cancelled: ICMPv6 header's type value has no ICMPv4 counterpart.
JSTAT_POOL6_MISMATCH: 4428
Translations cancelled: IPv6 packet's destination address did not match pool6. (ie. Packet was not meant to be translated.)
JSTAT_POOL4_MISMATCH: 35
Translations cancelled: IPv4 packet's destination address and transport protocol did not match pool4. (ie. Packet was not meant to be translated.)
If the instance is a Netfilter translator, this counter increases randomly from normal operation, and is harmless.
If the instance is an iptables translator, this counter being positive suggests a mismatch between the IPv4 iptables rule(s) and the instance's configuration.
fakerouter1:~#
Updated by Nico Schottelius about 5 years ago
Testing from the 2nd router (locally created packets don't work):
fakerouter2:~# ip -6 route add 2a0a:e5c0:5:46::/96 via 2a0a:e5c0:0:2:0:b3ff:fe39:79a2
fakerouter2:~# ping6 2a0a:e5c0:5:46::185.204.114.1
PING 2a0a:e5c0:5:46::185.204.114.1 (2a0a:e5c0:5:46::b9cc:7201): 56 data bytes
Packets are being received:
fakerouter1:~# tcpdump -ni eth0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:34:36.538710 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 37, length 64
17:34:37.538848 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 38, length 64
17:34:38.539104 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 39, length 64
17:34:39.539254 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 40, length 64
17:34:40.539501 IP6 2a0a:e5c0:0:2:0:b3ff:fe39:7976 > 2a0a:e5c0:5:46::b9cc:7201: ICMP6, echo request, seq 41, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
fakerouter1:~#
forgot this part:
fakerouter1:~# sysctl net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
fakerouter1:~# sysctl net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
fakerouter1:~#
works:
fakerouter1:~# tcpdump -ni eth1 not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:22.939950 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 15, length 64
17:36:23.681836 IP 185.176.27.246.54891 > 185.203.112.57.65463: Flags [S], seq 774583523, win 1024, length 0
17:36:23.940086 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 16, length 64
17:36:24.940247 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 17, length 64
17:36:25.529574 IP6 fe80::21b:21ff:febb:6934 > ff02::1:ff39:800d: ICMP6, neighbor solicitation, who has 2a0a:e5c0:0:2:400:b3ff:fe39:800d, length 32
17:36:25.940458 IP 185.203.112.57 > 185.204.114.1: ICMP echo request, id 65323, seq 18, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
fakerouter1:~#
And with the correct IPv4 address, it even works with reply:
fakerouter2:~# ping6 2a0a:e5c0:5:46::185.203.114.1
PING 2a0a:e5c0:5:46::185.203.114.1 (2a0a:e5c0:5:46::b9cb:7201): 56 data bytes
64 bytes from 2a0a:e5c0:5:46::b9cb:7201: seq=0 ttl=62 time=0.979 ms
64 bytes from 2a0a:e5c0:5:46::b9cb:7201: seq=1 ttl=62 time=0.961 ms
^C
--- 2a0a:e5c0:5:46::185.203.114.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.961/0.970/0.979 ms
fakerouter2:~#
Updated by Nico Schottelius about 5 years ago
Sessions w/ tcp visible:
---------------------------------
fakerouter1:~# jool session display
---------------------------------
(ESTABLISHED) Expires in 1:59:58.570
Remote: 185-203-114-1.legacy.ipv4.at.ungleich.ch#ssh 2a0a-e5c0-0000-0002-0000-b3ff-fe39-7976.loves.ipv6.at.ungleich.ch#41974
Local: 185.203.112.57#62413 2a0a:e5c0:5:46::b9cb:7201#22
---------------------------------
fakerouter1:~#
fakerouter1:~# jool bib display
[Dynamic TCP] 185.203.112.57#62413 - 2a0a-e5c0-0000-0002-0000-b3ff-fe39-7976.loves.ipv6.at.ungleich.ch#41974
Updated by Nico Schottelius about 5 years ago
Adding selected addresses instead of using only the existing one:
fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --tcp
fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --udp
fakerouter1:~# jool pool4 add 10.0.0.0/24 2-32000 --icmp
fakerouter1:~# jool pool4 display
+------------+-------+--------------------+-----------------+-------------+
| Mark       | Proto | Max iterations     | Address         | Ports       |
+------------+-------+--------------------+-----------------+-------------+
|          0 | TCP   |       8192 ( auto) |        10.0.0.0 |     2-32000 |
|            |       |                    |        10.0.0.1 |     2-32000 |
|            |       |                    |        10.0.0.2 |     2-32000 |
|            |       |                    |        10.0.0.3 |     2-32000 |
|            |       |                    |        10.0.0.4 |     2-32000 |
|            |       |                    |        10.0.0.5 |     2-32000 |
...
Works as expected:
fakerouter1:~# tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:11:00.012258 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 11, length 64
18:11:01.012376 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 12, length 64
18:11:02.012587 IP 10.0.0.233 > 185.203.114.1: ICMP echo request, id 28805, seq 13, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Updated by Nico Schottelius almost 5 years ago
- Configuring router1.place6 for NAT64
- Prefix 2a0a:e5c0:2:10::/96
router1:~# jool instance add --netfilter --pool6 2a0a:e5c0:2:10::/96
... router not reachable atm.
Updated by Nico Schottelius almost 5 years ago
- Status changed from In Progress to Rejected
Active-passive