I missed pool4 in Option 2.

Actual intended script:

    modprobe jool
    jool instance add --netfilter --pool6 64:ff9b::/96
    jool pool4 add 152.13.0.0/24 --tcp --force
    jool pool4 add 152.13.0.0/24 --udp --force
    jool pool4 add 152.13.0.0/24 --icmp --force

    # Reserve an IPv4 socket for each server.
    # Here I'm assuming all servers are HTTP,
    # but you can play with the ports.
    # https://jool.mx/en/usr-flags-bib.html
    jool bib add 2600:2701:1010::2:cafe#80 152.13.0.1#80
    jool bib add 2600:2701:1010::2:beef#80 152.13.0.2#80
    jool bib add 2600:2701:1010::2:ba1d#80 152.13.0.3#80
    ...
    jool bib add 2600:2701:1010::2:face#80 152.13.0.20#80

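Added here as an illustration of the address-matching rules this thread keeps running into (EAMT first, then pool6; stateless SIIT needs both addresses to translate, stateful NAT64 only the destination). This is my own Python model of the RFC 6052 / RFC 7757 address algorithms, not Jool's code; the EAMT and pool6 values are the ones from the thread, and 152.13.0.100 is a constructed stand-in for "<IPv4 address that you own>".

```python
import ipaddress

IPv4, IPv6 = ipaddress.IPv4Address, ipaddress.IPv6Address
IPv4Net, IPv6Net = ipaddress.IPv4Network, ipaddress.IPv6Network

def via_pool6(addr, pool6):
    """RFC 6052 with a /96 prefix: the IPv4 address is the low 32 bits."""
    if pool6 is None or addr not in pool6:
        return None
    return IPv4(int(addr) & 0xFFFFFFFF)

def via_eamt(addr, eamt):
    """RFC 7757 EAM: longest IPv6 prefix wins; the bits right after it fill the
    IPv4 suffix, and the remaining low-order IPv6 bits must be zero."""
    hits = [(p6, p4) for p6, p4 in eamt if addr in p6]
    if not hits:
        return None
    p6, p4 = max(hits, key=lambda e: e[0].prefixlen)
    tail = int(addr) - int(p6.network_address)          # IPv6 bits after the prefix
    shift = (128 - p6.prefixlen) - (32 - p4.prefixlen)   # surplus IPv6 suffix bits
    if shift < 0:                                        # short IPv6 suffix: zero-pad
        return IPv4(int(p4.network_address) | (tail << -shift))
    if tail & ((1 << shift) - 1):                        # nonzero leftover: untranslatable
        return None
    return IPv4(int(p4.network_address) | (tail >> shift))

def siit_translate(src, dst, pool6, eamt):
    """Stateless SIIT: BOTH addresses must translate; EAMT is tried before pool6."""
    def one(a):
        hit = via_eamt(a, eamt)
        return hit if hit is not None else via_pool6(a, pool6)
    s, d = one(src), one(dst)
    return (s, d) if s is not None and d is not None else None

def nat64_translate(src, dst, pool6, pool4_addr):
    """Stateful NAT64: only the destination must match pool6; the source becomes
    a pool4 address, which is why the 'stateful' instance pinged fine."""
    d = via_pool6(dst, pool6)
    return (pool4_addr, d) if d is not None else None

if __name__ == "__main__":
    # Thread addresses; 152.13.0.100 is a constructed stand-in for
    # "<IPv4 address that you own>" from the list's 152.13.0.0/24.
    client, dns = IPv6("2600:2700:20c:2::3"), IPv6("2600:2701:1010:64::808:808")
    pool6 = IPv6Net("2600:2701:1010:64::/96")
    eamt_bad = [(IPv6Net("2600:2701:1010:64::/96"), IPv4Net("152.13.0.64/27"))]
    eamt_ok = [(IPv6Net("2600:2700:20c:2::3/128"), IPv4Net("152.13.0.100/32"))]
    print(siit_translate(client, dns, pool6, []))         # None: source not in pool6
    print(siit_translate(client, dns, None, eamt_bad))    # None: source matches nothing
    print(siit_translate(client, dns, pool6, eamt_ok))    # (152.13.0.100, 8.8.8.8)
    print(nat64_translate(client, dns, pool6, IPv4("152.13.0.66")))  # (152.13.0.66, 8.8.8.8)
```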
On Tue, Apr 13, 2021 at 5:30 PM Alberto Leiva <[email protected]> wrote:
>
> Option 1: Create one NAT64 instance and one SIIT instance, multiplex
> with iptables (jool and jool_siit together on the same server)
> Option 2: Use NAT64 + port forwarding (Static NAT rules)
>
> --------------------------------
>
> Option 1:
>
> - Suppose you want to reserve 152.13.0.0/25 for the traffic of your
> inbound servers, and 152.13.0.128/25 for your outbound servers.
> - Suppose your 500 outbound servers are in the 2600:2701:1010:1::0/112 
> network.
> - Suppose your 20 inbound servers are in the 2600:2701:1010:2::0/112 network.
>
>     modprobe jool
>     modprobe jool_siit
>
>     jool instance add "outbound" --iptables --pool6 64:ff9b::/96
>     # Force outbound instance to only use addresses .128-.255
>     # https://jool.mx/en/usr-flags-pool4.html
>     jool -i "outbound" pool4 add 152.13.0.128/25 --tcp
>     jool -i "outbound" pool4 add 152.13.0.128/25 --udp
>     jool -i "outbound" pool4 add 152.13.0.128/25 --icmp
>
>     jool_siit instance add "inbound" --iptables --pool6 64:ff9b::/96
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::cafe 152.13.0.1
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::beef 152.13.0.2
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::ba1d 152.13.0.3
>     ...
>     jool_siit -i "inbound" eamt add 2600:2701:1010:2::face 152.13.0.20
>
>     # ip6tables: send traffic from the outbound servers to the nat64 instance
>     ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:1::/112 -j JOOL --instance "outbound"
>     # ip6tables: send traffic from the inbound servers to the siit instance
>     ip6tables -t mangle -A PREROUTING -s 2600:2701:1010:2::/112 -j JOOL_SIIT --instance "inbound"
>
>     # iptables: send traffic to 152.13.0.0/25 to the siit instance
>     iptables -t mangle -A PREROUTING -d 152.13.0.0/25 -j JOOL_SIIT --instance "inbound"
>     # iptables: send traffic to 152.13.0.128/25 to the nat64 instance
>     iptables -t mangle -A PREROUTING -d 152.13.0.128/25 -j JOOL --instance "outbound"
>
> Of course, if your IPv6 servers cannot be aggregated neatly, you will
> need to divide each ip6tables command into several more specific -s
> rules.
>
> --------------------------------
>
> Option 2:
>
>     modprobe jool
>     jool instance add --netfilter --pool6 64:ff9b::/96
>
>     # Reserve an IPv4 socket for each server.
>     # Here I'm assuming all servers are HTTP,
>     # but you can play with the ports.
>     # https://jool.mx/en/usr-flags-bib.html
>     jool bib add 2600:2701:1010::2:cafe#80 152.13.0.1#80
>     jool bib add 2600:2701:1010::2:beef#80 152.13.0.2#80
>     jool bib add 2600:2701:1010::2:ba1d#80 152.13.0.3#80
>     ...
>     jool bib add 2600:2701:1010::2:face#80 152.13.0.20#80
>
> Port 80 of addresses 152.13.0.1-152.13.0.20 will be reserved for
> inbound access, everything else will be outbound.
>
> This is both simpler and more efficient.
>
> On Tue, Apr 13, 2021 at 10:19 AM Jeremy Oglesby <[email protected]> wrote:
> >
> > Thank you for taking the time to respond to me.  I was able to get both 
> > jool and jool_siit working thanks to your clarification.
> >
> > Here's my current config that is working:
> >
> > jool_siit instance add "stateless" --netfilter --pool6 64:ff9b::/96
> > jool_siit -i "stateless" eamt display
> > +---------------------------------------------+--------------------+
> > |                                 IPv6 Prefix |        IPv4 Prefix |
> > +---------------------------------------------+--------------------+
> > |                   2600:2701:1010:100::1/128 |     152.13.0.67/32 |
> > |           2600:2701:1010:0:152:13:0:226/128 |     152.13.0.66/32 |
> > +---------------------------------------------+--------------------+
> >
> >
> > For our network I have a /48 IPv6 range and a /24 IPv4 public range.  Since 
> > this is a Science DMZ there is no firewall or RFC1918 addresses and traffic 
> > is limited only through ACLs.  Our intent is to make all subnets /64 and 
> > most of the IPs will be assigned through SLAAC.  I've played around with 
> > the EAMT tables but since it's a bit-for-bit translation I don't see a good 
> > way to map /64 subnets with SLAAC clients to our IPv4 space due to the huge 
> > disparity in address volume.  I'm wondering if that's why most examples for 
> > EAMT are 1-to-1 /128 to /32.  Most of our servers will need some type of 
> > outbound access but only a few will need an inbound address.
> >
> > Originally, I had intended to implement a mix of a NAT/PAT(NAT64) and 
> > Static NAT(SIIT) similarly to how I would set up an enterprise firewall.  
> > It looks like I need to choose between these two with Jool but I wanted to 
> > see if you had any recommendations.  We are only budgeted for a single 
> > network server that I can utilize.
> >
> > Can jool and jool_siit be utilized together on the same server?  Do you 
> > need to make a choice between them?
> >
> > For example, if I had an IPv6 datacenter with 500 IPv6 servers that need 
> > outbound access to IPv4-only resources and an additional 20 servers that 
> > need inbound access, how would you set that up?  On a traditional IPv4 
> > firewall I would have a NAT/PAT IP shared for outbound access for the 
> > majority of the servers and more specific Static NAT rules for the servers 
> > that need inbound access from the Internet.
> >
> > On Fri, Apr 9, 2021 at 10:30 PM Alberto Leiva <[email protected]> wrote:
> >>
> >> Oops. Corrections. Disregard my previous message. I meant:
> >>
> >> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter 
> >> > --pool6 2600:2701:1010:64::/96
> >> > ping6 2600:2701:1010:64::8.8.8.8
> >>
> >> This is what's happening:
> >>
> >> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 
> >> 2600:2701:1010:64::8.8.8.8
> >> 2. Jool cannot translate that packet, because the source address does
> >> not match pool6.
> >>
> >> Possible solution: Change your client's address to
> >> 2600:2701:1010:64::<IPv4 address that you own>.
> >>
> >> That way, both addresses can be translated with pool6.
> >>
> >> > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 
> >> > 2600:2701:1010:64::/96 152.13.0.64/27
> >> > ping6 2600:2701:1010:64::8.8.8.8
> >>
> >> This is what's happening:
> >>
> >> 1. IPv6 client writes packet 2600:2700:20c:2::3 -> 
> >> 2600:2701:1010:64::8.8.8.8
> >> 2. Jool cannot translate that packet, because the source address does
> >> not match the EAMT entry.
> >>
> >> Possible solution: Add `--pool6 2600:2701:1010:64::/96`, and change
> >> your EAMT into
> >>
> >> +---------------------------------------------+--------------------------------+
> >> |                                 IPv6 Prefix |                    IPv4 
> >> Prefix |
> >> +---------------------------------------------+--------------------------------+
> >> |                     2600:2700:20c:2::3/128  | <IPv4 address that you 
> >> own>/32 |
> >> +---------------------------------------------+--------------------------------+
> >>
> >> That way, the source address gets translated with the EAMT, and the
> >> destination address is translated with pool6.
> >>
> >> Remember: With SIIT, each IPv6 client will need an implicit dedicated
> >> IPv4 address that you own.
> >> SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 
> >> does.
> >>
> >> On Fri, Apr 9, 2021 at 9:25 PM Alberto Leiva <[email protected]> wrote:
> >> >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter 
> >> > > --pool6 2600:2701:1010:64::/96
> >> > > ping6 2600:2701:1010:64::8.8.8.8
> >> >
> >> > This is what's happening:
> >> >
> >> > - IPv6 client writes packet 2600:2700:20c:2::3 -> 
> >> > 2600:2701:1010:64::8.8.8.8
> >> > - Jool cannot translate that packet, because the source address does
> >> > not match pool6.
> >> >
> >> > Possible solution: Change your client's address to
> >> > 2600:2701:1010:64::<IPv4 address that you own>.
> >> >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 
> >> > > 2600:2701:1010:64::/96 152.13.0.64/27
> >> > > ping6 2600:2701:1010:64::8.8.8.8
> >> >
> >> > This is what's happening:
> >> >
> >> > - IPv6 client writes packet 2600:2700:20c:2::3 -> 
> >> > 2600:2701:1010:64::8.8.8.8
> >> > - Jool cannot translate that packet, because the source address
> >> > matches neither pool6 nor the EAMT entry.
> >> >
> >> > Possible solution: Change your EAMT into
> >> >
> >> > +---------------------------------------------+--------------------------------+
> >> > |                                 IPv6 Prefix |                    IPv4 
> >> > Prefix |
> >> > +---------------------------------------------+--------------------------------+
> >> > |                     2600:2700:20c:2::3/128  | <IPv4 address that you 
> >> > own>/32 |
> >> > +---------------------------------------------+--------------------------------+
> >> >
> >> > Remember: With SIIT, each IPv6 client will need an implicit dedicated
> >> > IPv4 address that you own.
> >> > SIIT does not help you with IPv4 address exhaustion; only Stateful NAT64 
> >> > does.
> >> >
> >> > On Fri, Apr 9, 2021 at 3:22 PM Jeremy Oglesby via Jool-list
> >> > <[email protected]> wrote:
> >> > >
> >> > > I'm not sure if this is the right list for this question, if not, 
> >> > > please point me in the right direction.
> >> > >
> >> > > The University of North Carolina at Greensboro is in the process of 
> >> > > standing up an IPv6-only Research DMZ.  To facilitate communication 
> >> > > with the IPv4 Internet we're planning to use NAT64/DNS64 and have been 
> >> > > advised by several other Universities to use Jool.
> >> > >
> >> > > I've got Jool installed in Centos 8 and it seems to work in Stateless 
> >> > > mode but not Stateful.  I've tried both pool6 and an EAMT list and the 
> >> > > packets still don't seem to match.  Maybe I'm missing something simple 
> >> > > in my config.
> >> > >
> >> > > =======
> >> > > WORKS
> >> > > =======
> >> > >
> >> > > sudo /usr/local/bin/jool instance add "stateful" --netfilter --pool6 
> >> > > 2600:2701:1010:64::/96
> >> > >
> >> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf 
> >> > > GCRNET_CORE
> >> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data 
> >> > > bytes
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=0 time=9.048 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=1 time=8.538 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=2 time=8.457 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=3 time=8.49 ms
> >> > > 64 bytes from 2600:2701:1010:64::808:808: icmp_seq=4 time=8.438 ms
> >> > >
> >> > > ==============
> >> > > DOESN'T WORK
> >> > > ==============
> >> > >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter 
> >> > > --pool6 2600:2701:1010:64::/96
> >> > >
> >> > > OR
> >> > >
> >> > > sudo /usr/local/bin/jool_siit instance add "stateless" --netfilter
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt add 
> >> > > 2600:2701:1010:64::/96 152.13.0.64/27
> >> > >
> >> > > sudo /usr/local/bin/jool_siit -i "stateless" eamt display
> >> > > +---------------------------------------------+--------------------+
> >> > > |                                 IPv6 Prefix |        IPv4 Prefix |
> >> > > +---------------------------------------------+--------------------+
> >> > > |                     2600:2701:1010:64::/96  |     152.13.0.64/27 |
> >> > > +---------------------------------------------+--------------------+
> >> > >
> >> > > GCRNET-UNCG-057-122-CORE# ping6 2600:2701:1010:64::8.8.8.8 vrf 
> >> > > GCRNET_PUBLIC
> >> > > PING6 2600:2701:1010:64::808:808 (2600:2701:1010:64::808:808): 56 data 
> >> > > bytes
> >> > > Request 0 timed out
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: 
> >> > > Address unreachable
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: 
> >> > > Address unreachable
> >> > > Request 3 timed out
> >> > > 112 bytes from 2600:2701:1010:64::100: Destination unreachable: 
> >> > > Address unreachable
> >> > >
> >> > > Debug:
> >> > > [282174.404533] Jool SIIT/8899d1c0/stateless: Packet: 
> >> > > 2600:2700:20c:2::3->2600:2701:1010:64::808:808
> >> > > [282174.405238] Jool SIIT/8899d1c0/stateless: 
> >> > > ===============================================
> >> > > [282174.405945] Jool SIIT/8899d1c0/stateless: ICMPv6 type:128 code:0 
> >> > > id:4861
> >> > > [282174.405947] Jool SIIT/8899d1c0/stateless: Translating the Packet.
> >> > >
> >> > > --
> >> > >
> >> > > Jeremy Oglesby
> >> > > Network Architect
> >> > > Information Technology Services
> >> > > UNC Greensboro
> >> > > +1.336.334.3583 (office)
> >> > > _______________________________________________
> >> > > Jool-list mailing list
> >> > > [email protected]
> >> > > https://mail-lists.nic.mx/listas/listinfo/jool-list
> >
> >
> >
> > --
> >
> > Jeremy Oglesby
> > Network Architect
> > Information Technology Services
> > UNC Greensboro
> > +1.336.334.3583 (office)