NAT64

This lab shows a NAT64 example built with BSDRP, using tayga (user space) and ipfw (kernel space).

Presentation

Network diagram

Here is the logical and physical view:

Setting-up the lab

Downloading BSD Router Project images

Download the BSDRP serial image (it avoids the need for an X display) from Sourceforge.

Download Lab scripts

More information on these BSDRP lab scripts is available on How to build a BSDRP router lab.

Start the lab with 3 routers, here with bhyve under FreeBSD:

user:~ # BSDRP-lab-bhyve.sh -i BSDRP.amd64/BSDRP-1.71-full-amd64-serial.img.xz -n 3
BSD Router Project (http://bsdrp.net) - bhyve full-meshed lab script
Setting-up a virtual lab with 3 VM(s):
- Working directory: /tmp/BSDRP
- Each VM have 1 core(s) and 256M RAM
- Switch mode: bridge + tap
- 0 LAN(s) between all VM
- Full mesh Ethernet links between each VM
VM 1 have the following NIC:
- vtnet0 connected to VM 2.
- vtnet1 connected to VM 3.
VM 2 have the following NIC:
- vtnet0 connected to VM 1.
- vtnet1 connected to VM 3.
VM 3 have the following NIC:
- vtnet0 connected to VM 1.
- vtnet1 connected to VM 2.
For connecting to VM'serial console, you can use:
- VM 1 : cu -l /dev/nmdm1B
- VM 2 : cu -l /dev/nmdm2B
- VM 3 : cu -l /dev/nmdm3B

Generic configuration

Router 1 (client)

R1 is configured as a simple IPv6-only host:

sysrc hostname=R1
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64"
sysrc ipv6_defaultrouter="2001:db8:12::2"
service hostname restart
service netif restart
service routing restart
config save

Router 2

R2 is a router with one interface toward the IPv6 network and another toward the IPv4 network:

sysrc hostname=R2
sysrc ifconfig_vtnet1="inet 10.0.23.2/24"
sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
service hostname restart
service netif restart
service routing restart
config save

Router 3 (client)

R3 is configured as a simple IPv4-only host:

sysrc hostname=R3
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_vtnet1="inet 10.0.23.3/24"
sysrc defaultrouter="10.0.23.2"
service hostname restart
service netif restart
service routing restart
config save

Tayga (user space stateless NAT64)

R2

Just enable tayga with its default values (the default prefix and address pool are fine for this lab, not for real use):

sysrc tayga_enable=yes
service tayga start

Testing

From the IPv6-only host, ping the NAT64 IPv6 address corresponding to R3's IPv4 address:

[root@R1]~# ping6 -c 3 2001:db8:1:ffff::10.0.23.3
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:1:ffff::a00:1703
16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=0 hlim=61 time=0.286 ms
16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=1 hlim=61 time=0.198 ms
16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=2 hlim=61 time=0.180 ms

--- 2001:db8:1:ffff::10.0.23.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.180/0.221/0.286/0.046 ms

And check the IPv4 source address seen by R3 (an address from tayga's dynamic pool):

[root@R3]~# tcpdump -c 2 -pni vtnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:10:31.504190 IP 192.168.255.249 > 10.0.23.3: ICMP echo request, id 37715, seq 0, length 16
10:10:31.504197 IP 10.0.23.3 > 192.168.255.249: ICMP echo reply, id 37715, seq 0, length 16

IPFW NAT64 (kernel space)

The IPFW NAT64 module (FreeBSD 12-CURRENT only at the time of writing) supports both stateful (nat64lsn) and stateless (nat64stl) NAT64.

R2

Configure a stateful NAT64 with ipfw, and enable logging:

sysrc firewall_enable=YES
sysrc firewall_script="/etc/ipfw.rules"

cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
# Load the NAT64 module if it is not already in the kernel
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
# Stateful NAT64 instance; translated IPv4 sources are taken from 10.0.64.0/24
# (the IPv6 side uses nat64lsn's default prefix6, 64:ff9b::/96)
${fwcmd} nat64lsn NAT64 create prefix4 10.0.64.0/24
# Let IPv6 neighbor discovery (NS/NA) through untouched
${fwcmd} add allow icmp6 from any to any icmp6types 135,136
# IPv6 -> IPv4: clients on the IPv6 LAN talking to the NAT64 prefix
${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
# IPv4 -> IPv6: replies addressed to the translator's IPv4 pool
${fwcmd} add nat64lsn NAT64 ip from any to 10.0.64.0/24 in
${fwcmd} add allow log ip from any to any
EOF

service firewall start
sysctl net.inet.ip.fw.verbose=1

Testing

From the IPv6-only host, ping the NAT64 IPv6 address corresponding to R3's IPv4 address:

[root@R1]~# ping6 -c 3 64:ff9b::10.0.23.3
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703
16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms
16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms
16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms

--- 64:ff9b::10.0.23.3 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms

And check the IPv4 source address seen by R3 (an address from the nat64lsn prefix4 pool):

[root@R3]~# tcpdump -c 4 -pni vtnet1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46
13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28
13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo request, id 1024, seq 0, length 16
13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16

You can also check the firewall logs on R2:

Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 in via vtnet0
Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 out via vtnet1
Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1
Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0
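Both tests above rely on the same address arithmetic: RFC 6052 /96 embedding is why 2001:db8:1:ffff::10.0.23.3 and 64:ff9b::10.0.23.3 appear on the wire as ...::a00:1703, and the same arithmetic lets you cross-check the ipfw log lines against each other. The script below is an added example for this page, not code from BSDRP, tayga or ipfw: it synthesises and decodes NAT64 addresses for the two prefixes the lab uses (tayga's default 2001:db8:1:ffff::/96 and nat64lsn's default 64:ff9b::/96), parses the ipfw log lines shown above (copied from the page), and checks that every IPv4 host embedded in a prefix-side address also appears as a peer on the IPv4 side while the translator's own addresses stay inside the prefix4 pool. The function names are this example's own.

```python
"""RFC 6052 NAT64 address arithmetic plus a consistency check over ipfw log lines.

Added example for the BSDRP NAT64 lab page; not code from BSDRP, tayga or ipfw.
Prefixes and pool are the ones the lab configures; the log lines are the ones
shown on the page for the ipfw test.
"""
import ipaddress
import re

# tayga's default translation prefix, nat64lsn's default prefix6 (the
# well-known prefix), and the lab's nat64lsn prefix4 pool
TAYGA_PREFIX = ipaddress.IPv6Network("2001:db8:1:ffff::/96")
WKP = ipaddress.IPv6Network("64:ff9b::/96")
IPFW_POOL4 = ipaddress.IPv4Network("10.0.64.0/24")


def nat64_synthesize(prefix, ipv4):
    """Embed ipv4 in a /96 NAT64 prefix (RFC 6052 section 2.2, /96 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix, ipv6):
    """Return the IPv4 address embedded in a /96 NAT64 address, or None if ipv6 is outside prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# ipfw(8) verbose log format as it appears for ICMP/ICMPv6 on the page; IPv6
# addresses are bracketed. TCP/UDP lines carry :port suffixes, not handled here.
IPFW_LOG = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"\[?(?P<src>[^\s\]]+)\]? \[?(?P<dst>[^\s\]]+)\]? (?P<dir>in|out) via (?P<ifn>\S+)"
)


def parse_ipfw_log(lines):
    """Parse matching ipfw log lines into dicts with typed addresses; other lines are skipped."""
    entries = []
    for line in lines:
        m = IPFW_LOG.search(line)
        if m:
            e = m.groupdict()
            e["rule"] = int(e["rule"])
            e["src"] = ipaddress.ip_address(e["src"])
            e["dst"] = ipaddress.ip_address(e["dst"])
            entries.append(e)
    return entries


def check_nat64_log(lines, prefix, pool4):
    """Cross-check both halves of a NAT64 translation recorded by the 'allow log' rule.

    Every IPv6-side entry must have exactly one end inside the NAT64 prefix, every
    IPv4-side entry exactly one end inside the translator's pool, and each IPv4
    host embedded on the IPv6 side must also show up as a peer on the IPv4 side.
    """
    embedded, peers, pool_addrs = set(), set(), set()
    entries = parse_ipfw_log(lines)
    ok = bool(entries)
    for e in entries:
        ends = (e["src"], e["dst"])
        if ends[0].version == 6:
            hits = [v4 for v4 in (nat64_extract(prefix, a) for a in ends) if v4 is not None]
            ok = ok and len(hits) == 1
            embedded.update(hits)
        else:
            in_pool = [a for a in ends if a in pool4]
            ok = ok and len(in_pool) == 1
            pool_addrs.update(in_pool)
            peers.update(a for a in ends if a not in pool4)
    ok = ok and embedded <= peers
    return {"embedded": embedded, "peers": peers, "pool": pool_addrs, "consistent": ok}


# Log lines from the page's ipfw test on R2 (rule 400 is the final 'allow log')
IPFW_LOG_SAMPLE = [
    "Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 in via vtnet0",
    "Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 out via vtnet1",
    "Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1",
    "Feb 17 13:15:29 R2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0",
]

if __name__ == "__main__":
    for p in (TAYGA_PREFIX, WKP):
        print(p, "->", nat64_synthesize(p, "10.0.23.3"))  # both end in ::a00:1703
    print(nat64_extract(WKP, "64:ff9b::a00:1703"))       # 10.0.23.3
    print(nat64_extract(WKP, "2001:db8:12::1"))           # None: R1's address is not a NAT64 address
    print(check_nat64_log(IPFW_LOG_SAMPLE, WKP, IPFW_POOL4))
```

Run it with the nat64lsn prefix and pool and `consistent` is True; run it with tayga's prefix against the same ipfw log and it is False, since the IPv6-side entries then contain no address inside the prefix. The same datagram shows up twice in the log because, with ipfw's default `net.inet.ip.fw.nat64_direct_output=0`, the translated packet is re-injected and traverses the rule set again as an inbound packet, which is why the IPv4 request is logged "in via vtnet0" and the IPv6 reply "in via vtnet1".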
documentation/examples/nat64.txt · Last modified: 2017/02/17 13:26 by olivier