documentation:examples:nat64
Differences
This shows you the differences between two versions of the page.
Old revision: documentation:examples:nat64 [2019/06/03 17:46] – [Stateful (lsn)] olivier
New revision: documentation:examples:nat64 [2020/01/02 19:33] – [Stateless (stl)] olivier
Line 15: | Line 15: | ||
==== Downloading BSD Router Project images ==== | ==== Downloading BSD Router Project images ==== | ||
- | Download BSDRP serial image (prevent to have to use an X display) | + | [[https:// |
==== Download Lab scripts ===== | ==== Download Lab scripts ===== | ||
Line 55: | Line 55: | ||
< | < | ||
- | sysrc hostname=VM1 | + | sysrc hostname=VM1 |
- | sysrc gateway_enable=NO | + | |
- | sysrc ipv6_gateway_enable=NO | + | |
- | sysrc ifconfig_vtnet0_ipv6=" | + | |
- | sysrc ipv6_defaultrouter=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
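Review bot: the consolidated `sysrc hostname=VM1 …` line on the new side is cut off in this rendering, so it is not visible whether `gateway_enable=NO` and `ipv6_gateway_enable=NO` from the five removed lines were carried over; sysrc(8) accepts several name=value pairs in one call, so collapsing the lines is fine in itself, but VM1 is the IPv6-only end host and should keep forwarding disabled. The same check applies to the VM3 block below, which loses its own `gateway_enable=NO` and `ipv6_gateway_enable=NO` lines in the same way.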
Line 71: | Line 71: | ||
< | < | ||
- | sysrc hostname=VM2 | + | sysrc hostname=VM2 |
- | sysrc ifconfig_vtnet1=" | + | |
- | sysrc ifconfig_vtnet0_ipv6=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
Line 85: | Line 85: | ||
< | < | ||
- | sysrc hostname=VM3 | + | sysrc hostname=VM3 |
- | sysrc gateway_enable=NO | + | |
- | sysrc ipv6_gateway_enable=NO | + | |
- | sysrc ifconfig_vtnet1=" | + | |
- | sysrc defaultrouter=" | + | |
service hostname restart | service hostname restart | ||
service netif restart | service netif restart | ||
Line 100: | Line 100: | ||
==== VM2 ==== | ==== VM2 ==== | ||
- | Replace the private IP range from default tayga' | + | Modify default |
< | < | ||
- | sysrc tayga_enable=yes | + | service tayga enable |
sed -i "" | sed -i "" | ||
+ | sed -i "" | ||
service tayga start | service tayga start | ||
</ | </ | ||
- | Quick test from VM2: | + | Quick test from VM2 by pinging its IPv4 address from its IPv6 one, and same by targeting VM3: |
< | < | ||
- | [root@VM2]~# | + | [root@VM2]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
- | 16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=0 hlim=63 time=0.122 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=0 hlim=63 time=0.128 ms |
- | 16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=1 hlim=63 time=0.080 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=1 hlim=63 time=0.082 ms |
- | 16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=2 hlim=63 time=0.064 ms | + | 16 bytes from 64:ff9b::202:202, icmp_seq=2 hlim=63 time=0.069 ms |
- | --- 2001:db8:1:ffff::2.2.2.2 ping6 statistics --- | + | --- 64:ff9b::2.2.2.2 ping6 statistics --- |
3 packets transmitted, | 3 packets transmitted, | ||
- | round-trip min/ | + | round-trip min/ |
- | [root@VM2]~# | + | [root@VM2]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
- | 16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=0 hlim=62 time=0.240 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=62 time=0.228 ms |
- | 16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=1 hlim=62 time=0.190 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=62 time=0.164 ms |
- | 16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=2 hlim=62 time=0.191 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=62 time=0.157 ms |
+ | |||
+ | --- 64: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
</ | </ | ||
==== Testing ==== | ==== Testing ==== | ||
- | From IPv6 only host, ping NAT64 IPv6 address corresponding | + | From VM4, start a tcpdump |
< | < | ||
- | [root@VM1]~# ping6 -c 3 2001: | + | [root@VM3]~# tcpdump |
- | PING6(56=40+8+8 bytes) 2001:db8: | + | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
- | 16 bytes from 2001: | + | listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 |
- | 16 bytes from 2001: | + | ... |
- | 16 bytes from 2001: | + | </ |
- | --- 2001:db8:1:ffff::10.0.23.3 ping6 statistics --- | + | From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address: |
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | |||
+ | --- 64: | ||
3 packets transmitted, | 3 packets transmitted, | ||
- | round-trip min/ | + | round-trip min/ |
</ | </ | ||
- | And check IPv4 source | + | From VM3, check source |
< | < | ||
- | [root@VM3]~# | + | ... |
- | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | + | |
- | listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes | + | |
17: | 17: | ||
17: | 17: | ||
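Review bot: the new test text reads "From VM4, start a tcpdump" while the prompt on the next line is `[root@VM3]~# tcpdump` and the page configures only VM1, VM2 and VM3; this should say VM3. The prefix change from `2001:db8:1:ffff::/96` to the well-known prefix `64:ff9b::/96` is consistent with the updated ping output (`64:ff9b::202:202` and `64:ff9b::202:203` encode 2.2.2.2 and 2.2.2.3), and it is worth saying in the text why the lab addresses changed at the same time: RFC 6052 reserves 64:ff9b::/96 for global IPv4 addresses, so it would not have been valid in front of the 10.0.23.0/24 addresses the earlier revision used. The second `sed -i ""` line added to the tayga configuration is truncated here, so its expression cannot be checked.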
Line 153: | Line 164: | ||
0 packets dropped by kernel | 0 packets dropped by kernel | ||
</ | </ | ||
- | |||
===== IPFW NAT64 (kernel space) ===== | ===== IPFW NAT64 (kernel space) ===== | ||
Line 162: | Line 172: | ||
=== VM2 === | === VM2 === | ||
- | Configure a stateful NAT64 with ipfw, and enable logging: | + | Configure a stateful NAT64 with ipfw: |
< | < | ||
- | sysrc firewall_enable=YES | + | service ipfw enable |
sysrc firewall_script="/ | sysrc firewall_script="/ | ||
+ | echo "# Temporary fix to avoid panicing a 12-stable:" | ||
+ | echo " | ||
cat > / | cat > / | ||
#!/bin/sh | #!/bin/sh | ||
Line 177: | Line 188: | ||
${fwcmd} add nat64lsn NAT64 ip from 2001: | ${fwcmd} add nat64lsn NAT64 ip from 2001: | ||
${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in | ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in | ||
- | ${fwcmd} add allow log ip from any to any | + | ${fwcmd} add allow ip from any to any |
' | ' | ||
service ipfw start | service ipfw start | ||
- | sysctl net.inet.ip.fw.verbose=1 | + | sysctl net.inet.ip.fw.nat64_direct_output=1 |
</ | </ | ||
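Review bot: the added `echo "# Temporary fix to avoid panicing a 12-stable:"` and its companion `echo` line (cut off here) should record the bug report or commit the panic refers to and the 12-stable version affected, otherwise nobody will know when the workaround can be dropped; "panicing" should also read "panicking". Replacing `sysctl net.inet.ip.fw.verbose=1` with `sysctl net.inet.ip.fw.nat64_direct_output=1` and dropping `log` from the last allow rule matches the edited lead sentence, which no longer promises logging, but note that with `nat64_direct_output=1` translated packets are handed straight to the output path instead of being re-injected into the ruleset (ipfw(8)), so the trailing `allow ip from any to any` will no longer see them.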
Line 189: | Line 200: | ||
< | < | ||
- | [root@VM1]~# | + | [root@VM1]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
+ | 16 bytes from 64: | ||
- | --- 64:ff9b::10.0.23.3 ping6 statistics --- | + | --- 64:ff9b::2.2.2.3 ping6 statistics --- |
- | 3 packets transmitted, | + | 3 packets transmitted, |
+ | round-trip min/ | ||
</ | </ | ||
- | Oops, nothing ? | + | Checking status |
- | < | + | |
- | + | ||
- | Firewall stats on VM2: | + | |
< | < | ||
+ | [root@VM2]~# | ||
+ | 2001: | ||
[root@VM2]~# | [root@VM2]~# | ||
- | 00100 6 408 allow ipv6-icmp from any to any icmp6types 135,136 | + | 00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136 |
- | 00200 6 336 nat64lsn NAT64 ip from 2001: | + | 00200 12 672 nat64lsn NAT64 ip from 2001: |
- | 00300 0 | + | 00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in |
- | 00400 0 0 allow log ip from any to any | + | 65535 0 0 deny ip from any to any |
- | 65535 0 0 deny ip from any to any | + | |
</ | </ | ||
- | ==== Stateless ==== | + | ==== Stateless |
=== VM2 === | === VM2 === | ||
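Review bot: the `ipfw show` listing after the now-successful test contains rules 100, 200, 300 and 65535 only, while the script in the previous hunk still ends with `${fwcmd} add allow ip from any to any`; one of the two is stale. If the rule was dropped on purpose, the listing is right and the script should lose the line, but then any traffic the three explicit rules do not match falls through to the default deny, which is worth a sentence. The "Checking status" command on VM2 is cut off in this rendering (the prompt line shows no command before the `2001:` line), so a reader cannot tell what produced that output, and the renamed "Stateless" heading is truncated as well.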
Line 216: | Line 229: | ||
< | < | ||
- | sysrc firewall_enable=YES | + | service ipfw enable |
sysrc firewall_script="/ | sysrc firewall_script="/ | ||
Line 226: | Line 239: | ||
${fwcmd} table T46 create type addr valtype ipv6 | ${fwcmd} table T46 create type addr valtype ipv6 | ||
${fwcmd} table T64 create type addr valtype ipv4 | ${fwcmd} table T64 create type addr valtype ipv4 | ||
+ | ${fwcmd} table T46 add 2.2.1.1 2001: | ||
+ | ${fwcmd} table T64 add 2001: | ||
${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 | ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 | ||
${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 | ||
Line 234: | Line 249: | ||
service ipfw start | service ipfw start | ||
- | sysctl net.inet.ip.fw.verbose=1 | ||
</ | </ | ||
=== Testing === | === Testing === | ||
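Review bot: the two new entries populate the tables that `nat64stl NAT64 create table4 T46 table6 T64` references (T46 keyed by IPv4 with IPv6 values, T64 keyed by IPv6 with IPv4 values), but both values are cut off here, so it cannot be confirmed that the T64 entry is the exact inverse of `table T46 add 2.2.1.1 2001:…`; stateless translation looks up the IPv6 source in table6 on the way out and the IPv4 destination in table4 on the way back, so the pair must mirror each other or only one direction will translate. Dropping `sysctl net.inet.ip.fw.verbose=1` is consistent with the same change in the stateful section.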
Line 241: | Line 255: | ||
< | < | ||
- | [root@VM1]~# | + | [root@VM1]~# |
- | PING6(56=40+8+8 bytes) 2001: | + | PING6(56=40+8+8 bytes) 2001: |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms |
- | 16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms | + | 16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms |
- | --- 64:ff9b::10.0.23.3 ping6 statistics --- | + | --- 64:ff9b::2.2.2.3 ping6 statistics --- |
3 packets transmitted, | 3 packets transmitted, | ||
- | round-trip min/ | + | round-trip min/ |
</ | </ | ||
- | And check IPv4 source addresses seen by VM3: | + | From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address: |
< | < | ||
- | [root@VM3]~# tcpdump | + | [root@v4TST64]~# ping -c 3 2.2.1.1 |
- | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | + | PING 2.2.1.1 |
- | listening on vtnet1, link-type EN10MB | + | 64 bytes from 2.2.1.1: icmp_seq=0 ttl=63 time=17.147 ms |
- | 13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 | + | 64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms |
- | 13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58: | + | 64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms |
- | 13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo request, id 1024, seq 0, length 16 | + | |
- | 13: | + | --- 2.2.1.1 ping statistics --- |
+ | 3 packets transmitted, 3 packets received, 0.0% packet loss | ||
+ | round-trip min/ | ||
</ | </ | ||
- | You can check firewall logs too on R2: | + | And check on VM3 |
< | < | ||
- | Feb 17 13:15:29 VM2 kernel: | + | [root@rTST64]~# |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.0 10.0.64.161 10.0.23.3 out via vtnet1 | + | nat64stl NAT64 |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64: | + | 6 packets translated from IPv6 to IPv4 |
- | Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.0 [64: | + | 6 packets translated from IPv4 to IPv6 |
+ | | ||
+ | | ||
+ | | ||
+ | 0 output packets discarded due to no IPv4 route | ||
+ | | ||
+ | | ||
+ | 0 packets discarded due to memory allocation problems | ||
+ | 0 packets discarded due to some errors | ||
</ | </ | ||
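Review bot: the prompts in the new test output are `[root@v4TST64]~#` and `[root@rTST64]~#`, while the rest of the page names the hosts VM1, VM2 and VM3 and the surrounding text says "From IPv4 only host" and "And check on VM3"; the `nat64stl NAT64` counters shown are ipfw statistics, which live on the translator configured under "=== VM2 ===", not on VM3, so that sentence should say VM2 and the prompts should use the lab's VM names. The numbers themselves are consistent: 6 packets translated each way covers the two 3-packet pings (requests one way, replies the other), and `ttl=63` on the replies to 2.2.1.1 is a single hop through the translator.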
documentation/examples/nat64.txt · Last modified: 2020/01/02 19:36 by olivier