Option 1: Create one NAT64 instance and one SIIT instance, multiplex
with iptables (jool and jool_siit together on the same server)
Option 2: Use NAT64 + port forwarding (Static NAT rules)
--------------------------------
Option 1:
- Suppose you want to reserve 152.13.0.0/25 for the traffic of your
inbound servers, and 152.13.0.128/25 for your outbound servers.
- Suppose your 500 outbound servers are in the 2600:2701:1010:1::0/112 network.
- Suppose your 20 inbound servers are in the 2600:2701:1010:2::0/112 network.
modprobe jool
modprobe jool_siit
jool instance add "outbound" --iptables --pool6 64:ff9b::/96
# Force outbound instance to only use addresses .128-.255
# https://jool.mx/en/usr-flags-pool4.html
jool -i "outbound" pool4 add 152.13.0.128/25 --tcp
jool -i "outbound" pool4 add 152.13.0.128/25 --udp
jool -i "outbound" pool4 add 152.13.0.128/25 --icmp
jool_siit instance add "inbound" --iptables --pool6 64:ff9b::/96
jool_siit -i "inbound" eamt add 2600:2701:1010:2::cafe 152.13.0.1
jool_siit -i "inbound" eamt add 2600:2701:1010:2::beef 152.13.0.2
jool_siit -i "inbound" eamt add 2600:2701:1010:2::ba1d 152.13.0.3
...
jool_siit -i "inbound" eamt add 2600:2701:1010:2::face 152.13.0.20
# ip6tables: send traffic from the outbound servers to the nat64 instance
ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:1::/112 -j JOOL --instance "outbound"
# ip6tables: send traffic from the inbound servers to the siit instance
ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:2::/112 -j JOOL_SIIT --instance "inbound"
# iptables: send traffic to 152.13.0.0/25 to the siit instance
iptables -t mangle -A PREROUTING -d 152.13.0.0/25 -j JOOL_SIIT --instance "inbound"
# iptables: send traffic to 152.13.0.128/25 to the nat64 instance
iptables -t mangle -A PREROUTING -d 152.13.0.128/25 -j JOOL --instance "outbound"
Of course, if your IPv6 servers cannot be aggregated neatly, you will
need to divide each ip6tables command into several more specific -s
rules.
--------------------------------
Option 2:
modprobe jool
jool instance add --netfilter --pool6 64:ff9b::/96
# Reserve an IPv4 socket for each server.
# Here I'm assuming all servers are HTTP,
# but you can play with the ports.
# https://jool.mx/en/usr-flags-bib.html
jool bib add 2600:2701:1010::2:cafe#80 152.13.0.1#80
jool bib add 2600:2701:1010::2:beef#80 152.13.0.2#80
jool bib add 2600:2701:1010::2:ba1d#80 152.13.0.3#80
...
jool bib add 2600:2701:1010::2:face#80 152.13.0.20#80
Port 80 of addresses 152.13.0.1-152.13.0.20 will be reserved for
inbound access, everything else will be outbound.
This is both simpler and more efficient.
On Tue, Apr 13, 2021 at 10:19 AM Jeremy Oglesby <[email protected]> wrote:
>
> Thank you for taking the time to respond to me. I was able to get both jool
> and jool_siit working thanks to your clarification.
>
> Here's my current config that is working:
>
> jool_siit instance add "stateless" --netfilter --pool6 64:ff9b::/96
> jool_siit -i "stateless" eamt display
> +---------------------------------------------+--------------------+
> | IPv6 Prefix                                 | IPv4 Prefix        |
> +---------------------------------------------+--------------------+
> | 2600:2701:1010:100::1/128                   | 152.13.0.67/32     |
> | 2600:2701:1010:0:152:13:0:226/128           | 152.13.0.66/32     |
> +---------------------------------------------+--------------------+
>
>
> For our network I have a /48 IPv6 range and a /24 IPv4 public range. Since
> this is a Science DMZ there is no firewall or RFC1918 addresses and traffic
> is limited only through ACLs. Our intent is to make all subnets /64 and most
> of the IPs will be assigned through SLAAC. I've played around with the EAMT
> tables but since it's a bit-for-bit translation I don't see a good way to map
> /64 subnets with SLAAC clients to our IPv4 space due to the huge disparity in
> address volume. I'm wondering if that's why most examples for EAMT are
> 1-to-1 /128 to /32. Most of our servers will need some type of outbound
> access but only a few will need an inbound address.
>
> Originally, I had intended to implement a mix of a NAT/PAT(NAT64) and Static
> NAT(SIIT) similarly to how I would set up an enterprise firewall. It looks
> like I need to choose between these two with Jool but I wanted to see if you
> had any recommendations. We are only budgeted for a single network server
> that I can utilize.
>
> Can jool and jool_siit be utilized together on the same server? Do you need
> to make a choice between them?
>
> For example, if I had an IPv6 datacenter with 500 IPv6 servers that need
> outbound access to IPv4-only resources and an additional 20 servers that need
> inbound access, how would you set that up? On a traditional IPv4 firewall I
> would have a NAT/PAT IP shared for outbound access for the majority of the
> servers and more specific Static NAT rules for the servers that need inbound
> access from the Internet.
>
> On Fri, Apr 9, 2021 at 10:30 PM Alberto Leiva <[email protected]> wrote:
>>
>> Oops. Corrections. Disregard my previous message. I meant:
>>
>> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter --pool6
>> > 2600:2701:1010:64::/96
>> > ping6 2600:2701:1010:64::8.8.8.8
>>
>> This is what's happening:
>>
>> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
>> 2. Jool cannot translate that packet, because the source address does
>> not match pool6.
>>
>> Possible solution: Change your client's address to
>> 2600:2701:1010:64::<IPv4 address that you own>.
>>
>> That way, both addresses can be translated with pool6.
>>
>> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
>> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
>> > 2600:2701:1010:64::/96 152.13.0.64/27
>> > ping6 2600:2701:1010:64::8.8.8.8
>>
>> This is what's happening:
>>
>> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 2600:2701:1010:64::8.8.8.8
>> 2. Jool cannot translate that packet, because the source address does
>> not match the EAMT entry.
>>
>> Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change
>> your EAMT into
>>
>> +---------------------------------------------+--------------------------------+
>> | IPv6 Prefix                                 | IPv4 Prefix                    |
>> +---------------------------------------------+--------------------------------+
>> | 2600:2700:20c:2::3/128                      | <IPv4 address that you own>/32 |
>> +---------------------------------------------+--------------------------------+
>>
>> That way, the source address gets translated with the EAMT, and the
>> destination address is translated with pool6.
>>
>> Remember: With SIIT, each IPv6 client will need an implicit dedicated
>> IPv4 address that you own.
>> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64
>> does.
>>
>> On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <[email protected]> wrote:
>> >
>> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
>> > > --pool6 2600:2701:1010:64::/96
>> > > ping6 2600:2701:1010:64::8.8.8.8
>> >
>> > This is what's happening:
>> >
>> > - IPv6 client writes packet 2600:2700:20c:2::3 ->
>> > 2600:2701:1010:64::8.8.8.8
>> > - Jool cannot translate that packet, because the source address does
>> > not match pool6.
>> >
>> > Possible solution: Change your client's address to
>> > 2600:2701:1010:64::<IPv4 address that you own>.
>> >
>> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
>> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
>> > > 2600:2701:1010:64::/96 152.13.0.64/27
>> > > ping6 2600:2701:1010:64::8.8.8.8
>> >
>> > This is what's happening:
>> >
>> > - IPv6 client writes packet 2600:2700:20c:2::3 ->
>> > 2600:2701:1010:64::8.8.8.8
>> > - Jool cannot translate that packet, because the source address
>> > matches neither pool6 nor the EAMT entry.
>> >
>> > Possible solution: Change your EAMT into
>> >
>> > +---------------------------------------------+--------------------------------+
>> > | IPv6 Prefix                                 | IPv4 Prefix                    |
>> > +---------------------------------------------+--------------------------------+
>> > | 2600:2700:20c:2::3/128                      | <IPv4 address that you own>/32 |
>> > +---------------------------------------------+--------------------------------+
>> >
>> > Remember: With SIIT, each IPv6 client will need an implicit dedicated
>> > IPv4 address that you own.
>> > SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64
>> > does.
>> >
>> > On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list
>> > <[email protected]> wrote:
>> > >
>> > > I'm not sure if this is the right list for this question, if not, please
>> > > point me in the right direction.
>> > >
>> > > The University of North Carolina at Greensboro is in the process of
>> > > standing up an IPv6-only Research DMZ. To facilitate communication with
>> > > the IPv4 Internet we're planning to use NAT64/DNS64 and have been
>> > > advised by several other Universities to use Jool.
>> > >
>> > > I've got Jool installed in Centos 8 and it seems to work in Stateless
>> > > mode but not Stateful. I've tried both pool6 and an EAMT list and the
>> > > packets still don't seem to match. Maybe I'm missing something simple
>> > > in my config.
>> > >
>> > > =======
>> > > WORKS
>> > > =======
>> > >
>> > > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6
>> > > 2600:2701:1010:64::/96
>> > >
>> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf
>> > > GCRNET_CORE
>> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data
>> > > bytes
>> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms
>> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms
>> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms
>> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms
>> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms
>> > >
>> > > ==============
>> > > DOESN'T WORK
>> > > ==============
>> > >
>> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
>> > > --pool6 2600:2701:1010:64::/96
>> > >
>> > > OR
>> > >
>> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
>> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add
>> > > 2600:2701:1010:64::/96 152.13.0.64/27
>> > >
>> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt display
>> > > +---------------------------------------------+--------------------+
>> > > | IPv6 Prefix                                 | IPv4 Prefix        |
>> > > +---------------------------------------------+--------------------+
>> > > | 2600:2701:1010:64::/96                      | 152.13.0.64/27     |
>> > > +---------------------------------------------+--------------------+
>> > >
>> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf
>> > > GCRNET_PUBLIC
>> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data
>> > > bytes
>> > > Request 0 timed out
>> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address
>> > > unreachable
>> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address
>> > > unreachable
>> > > Request 3 timed out
>> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: Address
>> > > unreachable
>> > >
>> > > Debug:
>> > > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet:
>> > > 2600:2700:20c:2::3->2600:2701:1010:64::808:808
>> > > [282174.405238] Jool SIIT/8899d1c0/stateless:
>> > > ===============================================
>> > > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0
>> > > id:4861
>> > > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.
>> > >
>> > > --
>> > >
>> > > Jeremy Oglesby
>> > > Network Architect
>> > > Information Technology Services
>> > > UNC Greensboro
>> > > +1.336.334.3583 (office)
>> > > _______________________________________________
>> > > Jool-list mailing list
>> > > [email protected]
>> > > https://mail-lists.nic.mx/listas/listinfo/jool-list
>
>
>
> --
>
> Jeremy Oglesby
> Network Architect
> Information Technology Services
> UNC Greensboro
> +1.336.334.3583 (office)
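The address-selection logic this thread keeps coming back to (why the SIIT instance cannot translate 2600:2700:20c:2::3 under pool6 alone, why a /128-to-/32 EAMT entry fixes it, and how the Option 1 "inbound" SIIT instance pairs an EAMT with 64:ff9b::/96) can be worked through offline with a small model. The following Python is an added example written for this thread; it is not Jool code and not something either poster ran. It assumes a /96 pool6 (the only RFC 6052 length modelled), that the EAMT is consulted before pool6 (Jool's default order), and it uses two constructed stand-ins: 152.13.0.66 as the "IPv4 address that you own" from Alberto's table, and 203.0.113.9 as an arbitrary IPv4 host on the Internet.

```python
"""Model of SIIT address selection: EAMT (RFC 7757) first, then pool6 (RFC 6052).

Added example for the Jool-list thread above; not Jool's own code.
Assumptions: pool6 is a /96; EAMT has precedence over pool6; an address
with no mapping means the packet is dropped (returned as None).
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


class Eam(NamedTuple):
    """One Explicit Address Mapping: an IPv6 prefix paired with an IPv4 prefix."""
    prefix6: ipaddress.IPv6Network
    prefix4: ipaddress.IPv4Network


def eam(p6: str, p4: str) -> Eam:
    """Build an EAM, enforcing that the IPv4 suffix fits in the IPv6 suffix."""
    entry = Eam(ipaddress.IPv6Network(p6), ipaddress.IPv4Network(p4))
    if 128 - entry.prefix6.prefixlen < 32 - entry.prefix4.prefixlen:
        raise ValueError(f"IPv6 suffix of {p6} is too short to carry the suffix of {p4}")
    return entry


def pool6_to_ipv4(pool6: Optional[ipaddress.IPv6Network], addr6: IPv6) -> Optional[IPv4]:
    """RFC 6052 /96: the IPv4 address is the low 32 bits of an address inside pool6."""
    if pool6 is None or pool6.prefixlen != 96 or addr6 not in pool6:
        return None
    return IPv4(int(addr6) & 0xFFFFFFFF)


def ipv4_to_pool6(pool6: Optional[ipaddress.IPv6Network], addr4: IPv4) -> Optional[IPv6]:
    """RFC 6052 /96: append the IPv4 address to the pool6 prefix (any IPv4 qualifies)."""
    if pool6 is None:
        return None
    return IPv6(int(pool6.network_address) | int(addr4))


def eamt_to_ipv4(eamt: List[Eam], addr6: IPv6) -> Optional[IPv4]:
    """RFC 7757, IPv6 -> IPv4: longest-matching prefix6 wins; the IPv4 suffix is
    copied from the bits that immediately follow prefix6 (trailing bits ignored)."""
    for m in sorted(eamt, key=lambda m: m.prefix6.prefixlen, reverse=True):
        if addr6 in m.prefix6:
            suffix_len = 32 - m.prefix4.prefixlen
            shift = 128 - m.prefix6.prefixlen - suffix_len
            suffix = (int(addr6) >> shift) & ((1 << suffix_len) - 1)
            return IPv4(int(m.prefix4.network_address) | suffix)
    return None


def eamt_to_ipv6(eamt: List[Eam], addr4: IPv4) -> Optional[IPv6]:
    """RFC 7757, IPv4 -> IPv6: the IPv4 suffix is placed right after prefix6."""
    for m in sorted(eamt, key=lambda m: m.prefix4.prefixlen, reverse=True):
        if addr4 in m.prefix4:
            suffix_len = 32 - m.prefix4.prefixlen
            shift = 128 - m.prefix6.prefixlen - suffix_len
            suffix = int(addr4) & ((1 << suffix_len) - 1)
            return IPv6(int(m.prefix6.network_address) | (suffix << shift))
    return None


def addr6_to_4(pool6, eamt: List[Eam], addr6: IPv6) -> Optional[IPv4]:
    hit = eamt_to_ipv4(eamt, addr6)          # EAMT has precedence ...
    return hit if hit is not None else pool6_to_ipv4(pool6, addr6)   # ... then pool6


def addr4_to_6(pool6, eamt: List[Eam], addr4: IPv4) -> Optional[IPv6]:
    hit = eamt_to_ipv6(eamt, addr4)
    return hit if hit is not None else ipv4_to_pool6(pool6, addr4)


def translate_6to4(pool6, eamt: List[Eam], src6: str, dst6: str) -> Optional[Tuple[str, str]]:
    """Both addresses must translate, or the packet is dropped (None)."""
    src4, dst4 = addr6_to_4(pool6, eamt, IPv6(src6)), addr6_to_4(pool6, eamt, IPv6(dst6))
    return None if src4 is None or dst4 is None else (str(src4), str(dst4))


def translate_4to6(pool6, eamt: List[Eam], src4: str, dst4: str) -> Optional[Tuple[str, str]]:
    src6, dst6 = addr4_to_6(pool6, eamt, IPv4(src4)), addr4_to_6(pool6, eamt, IPv4(dst4))
    return None if src6 is None or dst6 is None else (str(src6), str(dst6))


# Addresses taken from the thread.
DMZ_POOL6 = ipaddress.IPv6Network("2600:2701:1010:64::/96")
WKP_POOL6 = ipaddress.IPv6Network("64:ff9b::/96")
CLIENT6 = "2600:2700:20c:2::3"
GOOGLE_DNS6 = "2600:2701:1010:64::808:808"      # i.e. 2600:2701:1010:64::8.8.8.8
# Alberto's suggested fix; 152.13.0.66 is a constructed stand-in for "an IPv4 address you own".
FIX_EAMT = [eam("2600:2700:20c:2::3/128", "152.13.0.66/32")]
# Option 1's "inbound" SIIT instance: 64:ff9b::/96 plus one /128-to-/32 EAM.
INBOUND_EAMT = [eam("2600:2701:1010:2::cafe/128", "152.13.0.1/32")]
REMOTE4 = "203.0.113.9"                          # constructed Internet host

if __name__ == "__main__":
    print("pool6 only     :", translate_6to4(DMZ_POOL6, [], CLIENT6, GOOGLE_DNS6))
    print("with EAM fix   :", translate_6to4(DMZ_POOL6, FIX_EAMT, CLIENT6, GOOGLE_DNS6))
    print("inbound 4->6   :", translate_4to6(WKP_POOL6, INBOUND_EAMT, REMOTE4, "152.13.0.1"))
```

Run as a script, the first line prints None (the source address matches neither mechanism, which is the "cannot translate" in Alberto's reply), the second prints the client translated to 152.13.0.66 and the destination to 8.8.8.8, and the third shows the Option 1 inbound flow: the remote host is embedded in 64:ff9b::/96 while the public /32 maps back to the server's IPv6 address through the EAMT. Each EAM still consumes one public IPv4 address per IPv6 host, which is the SIIT limitation the thread ends on.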