documentation:examples:nat64
Differences
documentation:examples:nat64 [2019/06/03 16:12] – [Stateless] olivier | documentation:examples:nat64 [2020/01/02 19:36] (current) – [Stateless (stl)] olivier | ||
Line 15: | Line 15: | ||
==== Downloading BSD Router Project images ==== | ==== Downloading BSD Router Project images ==== | ||
- | Download BSDRP serial image (prevent to have to use an X display) | + | [[https:// |
==== Download Lab scripts ===== | ==== Download Lab scripts ===== | ||
Line 55: | Line 55: | ||
< | < | ||
- | sysrc hostname=VM1 | + | sysrc hostname=VM1 |
- | sysrc gateway_enable=NO | + | |
- | sysrc ipv6_gateway_enable=NO | + | |
- | sysrc ifconfig_vtnet0_ipv6=" | + | |
- | sysrc ipv6_defaultrouter=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
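Review bot: removing `sysrc gateway_enable=NO` and `sysrc ipv6_gateway_enable=NO` from the VM1 block (and from VM3 in the hunk at Line 85) leaves forwarding to the FreeBSD rc defaults, which are NO; since VM1 and VM3 are the end hosts and only VM2 translates, one sentence stating that forwarding stays off on the hosts would keep that distinction explicit now that the setting is no longer visible in the host blocks.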
Line 71: | Line 71: | ||
< | < | ||
- | sysrc hostname=VM2 | + | sysrc hostname=VM2 |
- | sysrc ifconfig_vtnet1=" | + | |
- | sysrc ifconfig_vtnet0_ipv6=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
Line 85: | Line 85: | ||
< | < | ||
- | sysrc hostname=VM3 | + | sysrc hostname=VM3 |
- | sysrc gateway_enable=NO | + | |
- | sysrc ipv6_gateway_enable=NO | + | |
- | sysrc ifconfig_vtnet1=" | + | |
- | sysrc defaultrouter=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
Line 100: | Line 100: | ||
==== VM2 ==== | ==== VM2 ==== | ||
- | Just enable tayga with default | + | Modify |
< | < | ||
- | sysrc tayga_enable=yes | + | service tayga enable |
+ | sed -i "" | ||
+ | sed -i "" | ||
service tayga start | service tayga start | ||
</ | </ | ||
- | ==== Testing ==== | ||
- | |||
- | From IPv6 only host, ping NAT64 IPv6 adddress corresponding to VM3 IPv4 address: | ||
+ | Quick test from VM2 by pinging its IPv4 address from its IPv6 one, and same by targeting VM3: | ||
< | < | ||
- | [root@VM1]~# ping6 -c 3 2001:db8:1:ffff::10.0.23.3 | + | [root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.2 |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
- | 16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=0 hlim=61 time=0.286 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=0 hlim=63 time=0.128 ms |
- | 16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=1 hlim=61 time=0.198 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=1 hlim=63 time=0.082 ms |
- | 16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=2 hlim=61 time=0.180 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=2 hlim=63 time=0.069 ms |
- | --- 2001:db8:1:ffff::10.0.23.3 ping6 statistics --- | + | --- 64:ff9b::2.2.2.2 ping6 statistics --- |
3 packets transmitted, | 3 packets transmitted, | ||
- | round-trip min/ | + | round-trip min/ |
+ | [root@VM2]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | |||
+ | --- 64: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
</ | </ | ||
+ | ==== Testing ==== | ||
- | And check IPv4 source address seen by VM3: | + | From VM4, start a tcpdump to check IPv4 source address seen by VM3: |
< | < | ||
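Review bot: "From VM4, start a tcpdump to check IPv4 source address seen by VM3" refers to a VM4 that the lab never defines (only VM1, VM2 and VM3 are configured above), and the matching capture later on this page is captioned "From VM3"; this should read VM3. Secondary point: the two `sed -i ""` in-place edits of the tayga configuration are fragile across package upgrades and hide what the resulting file contains; the kernel-space section below writes its firewall script with a heredoc, and showing the final tayga configuration lines the same way would be clearer and reproducible.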
Line 128: | Line 138: | ||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes | listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes | ||
- | 10:10:31.504190 IP 192.168.255.249 > 10.0.23.3: ICMP echo request, id 37715, seq 0, length 16 | + | ... |
- | 10: | + | |
</ | </ | ||
+ | From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address: | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | |||
+ | --- 64: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | From VM3, check source IP addresses of ICMP: | ||
+ | < | ||
+ | ... | ||
+ | 17: | ||
+ | 17: | ||
+ | 2 packets captured | ||
+ | 2 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </ | ||
===== IPFW NAT64 (kernel space) ===== | ===== IPFW NAT64 (kernel space) ===== | ||
Line 140: | Line 172: | ||
=== VM2 === | === VM2 === | ||
- | Configure a stateful NAT64 with ipfw, and enable logging: | + | Configure a stateful NAT64 with ipfw: |
< | < | ||
- | sysrc firewall_enable=YES | + | service ipfw enable |
sysrc firewall_script="/ | sysrc firewall_script="/ | ||
+ | echo "# Temporary fix to avoid panicing a 12-stable:" | ||
+ | echo " | ||
cat > / | cat > / | ||
#!/bin/sh | #!/bin/sh | ||
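Review bot: the two `echo` lines labelled "Temporary fix to avoid panicing a 12-stable" add a workaround without saying what panics or when it can be removed; add a pointer to the FreeBSD bug or commit it works around so readers on a later release know whether they still need it (spelling: "panicking"). Dropping "and enable logging" from the introduction is consistent with the removal of the `log` keyword and of `net.inet.ip.fw.verbose=1` in the next hunk.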
Line 151: | Line 184: | ||
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64 | kldstat -q -m ipfw_nat64 || kldload ipfw_nat64 | ||
${fwcmd} -f flush | ${fwcmd} -f flush | ||
- | ${fwcmd} nat64lsn NAT64 create prefix4 | + | ${fwcmd} nat64lsn NAT64 create prefix4 |
${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ||
${fwcmd} add nat64lsn NAT64 ip from 2001: | ${fwcmd} add nat64lsn NAT64 ip from 2001: | ||
- | ${fwcmd} add nat64lsn NAT64 ip from any to 192.0.2.0/24 in | + | ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in |
- | ${fwcmd} add allow log ip from any to any | + | ${fwcmd} add allow ip from any to any |
' | ' | ||
service ipfw start | service ipfw start | ||
- | sysctl net.inet.ip.fw.verbose=1 | + | sysctl net.inet.ip.fw.nat64_direct_output=1 |
</ | </ | ||
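Review bot: changing the inbound NAT64 rule from `to 192.0.2.0/24` to `to 2.2.1.0/24` moves the IPv4 side from the RFC 5737 documentation range into publicly routed address space; harmless on an isolated lab, but anyone who copies the script onto a host with Internet reachability will have ipfw claim real prefixes for translation, so either keep a documentation or private range or state that the 2.2.x.x addresses are lab-only. Two smaller points: `sysctl net.inet.ip.fw.nat64_direct_output=1` is applied at run time only, so unless the `echo` lines in the previous hunk persist it, it is lost at reboot and belongs in /etc/sysctl.conf; and replacing `allow log ip from any to any` with a bare `allow ip from any to any` leaves the translator with a permit-all final rule, which is worth flagging as lab-only as well.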
Line 167: | Line 200: | ||
< | < | ||
- | [root@VM1]~# | + | [root@VM1]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
- | --- 64:ff9b::10.0.23.3 ping6 statistics --- | + | --- 64:ff9b::2.2.2.3 ping6 statistics --- |
- | 3 packets transmitted, | + | 3 packets transmitted, |
+ | round-trip min/ | ||
</ | </ | ||
- | Oops, nothing ? | + | Checking status |
- | < | + | |
- | + | ||
- | Firewall stats on VM2: | + | |
< | < | ||
+ | [root@VM2]~# | ||
+ | 2001: | ||
[root@VM2]~# | [root@VM2]~# | ||
- | 00100 6 408 allow ipv6-icmp from any to any icmp6types 135,136 | + | 00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136 |
- | 00200 6 336 nat64lsn NAT64 ip from 2001: | + | 00200 12 672 nat64lsn NAT64 ip from 2001: |
- | 00300 0 | + | 00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in |
- | 00400 0 0 allow log ip from any to any | + | 65535 0 0 deny ip from any to any |
- | 65535 0 0 deny ip from any to any | + | |
</ | </ | ||
- | ==== Stateless ==== | + | ==== Stateless |
=== VM2 === | === VM2 === | ||
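Review bot: the new `ipfw show` listing (rules 00100, 00200, 00300 and the 65535 deny) does not contain the `allow ip from any to any` rule that the script in the previous hunk still adds, so this output was not produced by the script as printed; either drop that rule from the script or re-capture the listing. The non-zero counters on rules 200 and 300 do confirm that both directions are now hit, which is what the removed "Oops, nothing ?" paragraph was missing.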
Line 194: | Line 229: | ||
< | < | ||
- | sysrc firewall_enable=YES | + | service ipfw enable |
sysrc firewall_script="/ | sysrc firewall_script="/ | ||
Line 204: | Line 239: | ||
${fwcmd} table T46 create type addr valtype ipv6 | ${fwcmd} table T46 create type addr valtype ipv6 | ||
${fwcmd} table T64 create type addr valtype ipv4 | ${fwcmd} table T64 create type addr valtype ipv4 | ||
+ | ${fwcmd} table T46 add 2.2.1.1 2001: | ||
+ | ${fwcmd} table T64 add 2001: | ||
${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 | ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 | ||
${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ||
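Review bot: populating T46 and T64 right after creating them is the right fix, but the two new `table ... add` entries must be exact inverses of each other (the IPv6 value stored in T46 is the key in T64 and the IPv4 key 2.2.1.1 in T46 is the value in T64), otherwise replies are translated towards a different host; a short comment saying that 2.2.1.1 is the IPv4 identity of the IPv6 host that VM3 pings later on this page would tie the two entries to the test.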
Line 212: | Line 249: | ||
service ipfw start | service ipfw start | ||
- | sysctl net.inet.ip.fw.verbose=1 | ||
</ | </ | ||
=== Testing === | === Testing === | ||
Line 219: | Line 255: | ||
< | < | ||
- | [root@VM1]~# | + | [root@VM1]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms |
- | --- 64:ff9b::10.0.23.3 ping6 statistics --- | + | --- 64:ff9b::2.2.2.3 ping6 statistics --- |
3 packets transmitted, | 3 packets transmitted, | ||
- | round-trip min/ | + | round-trip min/ |
</ | </ | ||
- | And check IPv4 source addresses seen by VM3: | + | From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address: |
< | < | ||
- | [root@VM3]~# | + | [root@VM3]~# |
- | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | + | PING 2.2.1.1 |
- | listening on vtnet1, link-type EN10MB | + | 64 bytes from 2.2.1.1: icmp_seq=0 ttl=63 time=17.147 ms |
- | 13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 | + | 64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms |
- | 13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58: | + | 64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms |
- | 13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo request, id 1024, seq 0, length 16 | + | |
- | 13: | + | --- 2.2.1.1 ping statistics --- |
+ | 3 packets transmitted, 3 packets received, 0.0% packet loss | ||
+ | round-trip min/ | ||
</ | </ | ||
- | You can check firewall logs too on R2: | + | And check on the NAT router VM2 some stats: |
< | < | ||
- | Feb 17 13: | + | [root@VM2]~# ipfw nat64stl NAT64 stats |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 out via vtnet1 | + | nat64stl NAT64 |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64: | + | 6 packets translated from IPv6 to IPv4 |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64: | + | 6 packets translated from IPv4 to IPv6 |
+ | | ||
+ | | ||
+ | | ||
+ | 0 output packets discarded due to no IPv4 route | ||
+ | | ||
+ | | ||
+ | 0 packets discarded due to memory allocation problems | ||
+ | 0 packets discarded due to some errors | ||
</ | </ | ||
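Review bot: the old VM3 tcpdump (showing the IPv4 source address 10.0.64.161 that the translator presented) is replaced by a ping from VM3 to 2.2.1.1, which exercises the IPv4-to-IPv6 direction but no longer shows which IPv4 source a translated IPv6 host appears as; keep a short capture on VM3 alongside the ping, as the stateful section still does, so both directions are evidenced. The `ipfw nat64stl NAT64 stats` output is a good replacement for the kernel log lines now that `log` and `verbose=1` are gone, and its 6/6 translated counters match the two 3-packet pings; the "discarded due to no IPv4 route" counters are also the first place to look when a ping fails.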
documentation/examples/nat64.txt · Last modified: 2020/01/02 19:36 by olivier