documentation:examples:nat64

Differences

documentation:examples:nat64 [2019/06/03 17:41] – [VM2] olivier
documentation:examples:nat64 [2020/01/02 19:33] – [Stateless (stl)] olivier
Line 15: Line 15:
 ==== Downloading BSD Router Project images ==== ==== Downloading BSD Router Project images ====
  
-Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.+[[https://bsdrp.net/downloads|Download BSDRP serial image]] (prevent to have to use an X display).
  
 ==== Download Lab scripts ===== ==== Download Lab scripts =====
Line 55: Line 55:
  
 <code> <code>
-sysrc hostname=VM1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" + ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \ 
-sysrc ipv6_defaultrouter="2001:db8:12::2"+ ipv6_defaultrouter="2001:db8:12::2"
 service hostname restart service hostname restart
 service netif restart service netif restart
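Review bot: the collapsed `sysrc hostname=VM1 \` form only works if the backslash is the very last character of each line, and as rendered here several continuation lines end in `\ ` with a space after the backslash. sh treats backslash-space as an escaped space, not a continuation, so `sysrc` would run with `hostname=VM1` alone and the following ` gateway_enable=NO \` and ` ipv6_gateway_enable=NO \` lines would be parsed as ordinary shell variable assignments that never reach /etc/rc.conf, with no error printed. Please confirm the wiki source has no trailing whitespace on those lines (the same applies to the VM2 and VM3 blocks below); keeping everything on one line, `sysrc hostname=VM1 gateway_enable=NO ipv6_gateway_enable=NO ...`, avoids the problem entirely.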
Line 71: Line 71:
  
 <code> <code>
-sysrc hostname=VM2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.2/24" + ifconfig_vtnet1="inet 2.2.2.2/24" \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"+ ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
 service hostname restart service hostname restart
 service netif restart service netif restart
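Review bot: VM2 is the box that forwards between vtnet0 (IPv6) and vtnet1 (IPv4), yet this block never sets `gateway_enable` or `ipv6_gateway_enable`, while VM1 and VM3 set both to NO explicitly; VM2 therefore depends on the distribution default being YES. Adding ` gateway_enable=YES \` and ` ipv6_gateway_enable=YES \` here makes the lab reproducible on an image with different defaults and makes it obvious to the reader that VM2 is the forwarding device.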
Line 85: Line 85:
  
 <code> <code>
-sysrc hostname=VM3 +sysrc hostname=VM3 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.3/24" + ifconfig_vtnet1="inet 2.2.2.3/24" \ 
-sysrc defaultrouter="2.2.2.2"+ defaultrouter="2.2.2.2"
 service hostname restart service hostname restart
 service netif restart service netif restart
Line 100: Line 100:
 ==== VM2 ==== ==== VM2 ====
  
-Replace the private IP range from default tayga's configuration and enable it:+Modify default default tayga's configuration file and enable it:
  
 <code> <code>
-sysrc tayga_enable=yes+service tayga enable
 sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf
 +sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf
 service tayga start service tayga start
 </code> </code>
  
-Quick test from VM2:+Quick test from VM2 by pinging its IPv4 address from its IPv6 one, and same by targeting VM3:
 <code> <code>
-[root@VM2]~# ping6 -c 3 2001:db8:1:ffff::2.2.2.2 +[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.2 
-PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 2001:db8:1:ffff::202:202 +PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:202 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=0 hlim=63 time=0.122 ms +16 bytes from 64:ff9b::202:202, icmp_seq=0 hlim=63 time=0.128 ms 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=1 hlim=63 time=0.080 ms +16 bytes from 64:ff9b::202:202, icmp_seq=1 hlim=63 time=0.082 ms 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=2 hlim=63 time=0.064 ms+16 bytes from 64:ff9b::202:202, icmp_seq=2 hlim=63 time=0.069 ms
  
---- 2001:db8:1:ffff::2.2.2.2 ping6 statistics ---+--- 64:ff9b::2.2.2.2 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.064/0.089/0.122/0.024 ms +round-trip min/avg/max/std-dev = 0.069/0.093/0.128/0.025 ms 
-[root@VM2]~# ping6 -c 3 2001:db8:1:ffff::2.2.2.3 +[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 2001:db8:1:ffff::202:203 +PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:203 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=0 hlim=62 time=0.240 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=62 time=0.228 ms 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=1 hlim=62 time=0.190 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=62 time=0.164 ms 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=2 hlim=62 time=0.191 ms +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=62 time=0.157 ms
-</code> +
-==== Testing ====+
  
-From IPv6 only host, ping NAT64 IPv6 adddress corresponding to VM3 IPv4 address: +--- 64:ff9b::2.2.2.3 ping6 statistics ---
- +
-<code> +
-[root@VM1]~# ping6 -c 3 2001:db8:1:ffff::10.0.23.3 +
-PING6(56=40+8+8 bytes) 2001:db8:12::--> 2001:db8:1:ffff::a00:1703 +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=0 hlim=61 time=0.286 ms +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=1 hlim=61 time=0.198 ms +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=hlim=61 time=0.180 ms +
- +
---- 2001:db8:1:ffff::10.0.23.3 ping6 statistics ---+
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.180/0.221/0.286/0.046 ms+round-trip min/avg/max/std-dev = 0.157/0.183/0.228/0.032 ms
 </code> </code>
 +==== Testing ====
  
-And check IPv4 source address seen by VM3:+From VM4, start a tcpdump to check IPv4 source address seen by VM3:
  
 <code> <code>
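Review bot: "From VM4, start a tcpdump to check IPv4 source address seen by VM3" refers to a VM4 that does not exist in this lab (only VM1, VM2 and VM3 are configured), and the matching capture later in the section is introduced with "From VM3, check source IP addresses of ICMP"; this should read VM3. Two smaller points on the tayga changes: the second `sed` moves the translator to the RFC 6052 well-known prefix 64:ff9b::/96, which is fine here because the mapped targets in 2.2.2.0/24 are global addresses (that prefix must not be used to represent private IPv4 space), and the dynamic pool is now 2.2.1.0/24, so replies from VM3 to a pool address such as 2.2.1.249 only reach tayga because VM3's default route is 2.2.2.2; a sentence saying the pool prefix has to be routed to the NAT64 host would help anyone adapting this to a routed network.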
Line 147: Line 138:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
-10:10:31.504190 IP 192.168.255.249 > 10.0.23.3: ICMP echo request, id 37715, seq 0, length 16 +...
-10:10:31.504197 IP 10.0.23.3 > 192.168.255.249: ICMP echo reply, id 37715, seq 0, length 16+
 </code> </code>
  
 +From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address:
 +
 +<code>
 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203
 +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=61 time=0.298 ms
 +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=61 time=0.257 ms
 +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=61 time=0.261 ms
 +
 +--- 64:ff9b::2.2.2.3 ping6 statistics ---
 +3 packets transmitted, 3 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.257/0.272/0.298/0.018 ms
 +</code>
 +
 +From VM3, check source IP addresses of ICMP:
 +<code>
 +...
 +17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16
 +17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16
 +2 packets captured
 +2 packets received by filter
 +0 packets dropped by kernel
 +</code>
 ===== IPFW NAT64 (kernel space) ===== ===== IPFW NAT64 (kernel space) =====
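Review bot: the first capture block now shows only `...` under the tcpdump banner, so it reads as an empty capture; the packets that prove the point were moved to the VM3 block further down. Consider dropping the first block or placing the "start a tcpdump" instruction immediately before the VM1 ping so the two captures are not separated. On the VM3 capture itself, the source 2.2.1.249 is a dynamically assigned address from tayga's pool, so VM3 cannot tell which IPv6 client sent the packet; the only place that binding exists is tayga's own state, which is worth stating for readers who need to attribute IPv4-side events back to an IPv6 host.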
  
Line 159: Line 172:
 === VM2 === === VM2 ===
  
-Configure a stateful NAT64 with ipfw, and enable logging:+Configure a stateful NAT64 with ipfw:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
 +echo "# Temporary fix to avoid panicing a 12-stable:" >> /etc/sysctl.conf 
 +echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf
 cat > /etc/ipfw.rules <<'EOF' cat > /etc/ipfw.rules <<'EOF'
 #!/bin/sh #!/bin/sh
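Review bot: the "Temporary fix to avoid panicing a 12-stable" comment appended to /etc/sysctl.conf does not say what triggers the panic, which 12-stable build is affected, or when the workaround can be removed; a reference to the bug or commit and a date would let readers decide whether they still need it. Also note that a sysctl that changes how translated packets are output is a behavioural change, not only a crash workaround, so the rules below should be re-tested with it set.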
Line 170: Line 184:
 kldstat -q -m ipfw_nat64 || kldload ipfw_nat64 kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
 ${fwcmd} -f flush ${fwcmd} -f flush
-${fwcmd} nat64lsn NAT64 create prefix4 192.0.2.0/24+${fwcmd} nat64lsn NAT64 create prefix4 2.2.1.0/24
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
 ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
-${fwcmd} add nat64lsn NAT64 ip from any to 192.0.2.0/24 in +${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in 
-${fwcmd} add allow log ip from any to any+${fwcmd} add allow ip from any to any
 'EOF' 'EOF'
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1+sysctl net.inet.ip.fw.nat64_direct_output=1
 </code> </code>
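Review bot: `sysctl net.inet.ip.fw.nat64_direct_output=1` runs after `service ipfw start`, so the ruleset and the `nat64lsn NAT64` instance are live before the panic workaround is applied; if the sysctl is what prevents the crash it should be set before `service ipfw start`, or inside /etc/ipfw.rules ahead of the `nat64lsn NAT64 create` line. Separately, `prefix4` changed from 192.0.2.0/24, an RFC 5737 documentation range, to 2.2.1.0/24, which is a real, globally allocated block; that is consistent with the rest of this lab but a one-line warning not to reuse these addresses on a connected network would be prudent. Dropping `log` from the final allow rule also removes the only record of what the translator passed, which is fine for a lab but worth saying explicitly.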
  
Line 186: Line 200:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
 +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=0.369 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=0.259 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=0.248 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics --- +--- 64:ff9b::2.2.2.3 ping6 statistics --- 
-3 packets transmitted, packets received, 100.0% packet loss+3 packets transmitted, packets received, 0.0% packet loss 
 +round-trip min/avg/max/std-dev = 0.248/0.292/0.369/0.055 ms
 </code> </code>
  
-Oops, nothing ? +Checking status on NAT64 router:
-<code> +
- +
-Firewall stats on VM2:+
 <code> <code>
 +[root@VM2]~# ipfw nat64lsn NAT64 show states
 +2001:db8:12:: 2.2.1.210       ICMPv6          0       2.2.2.3
 [root@VM2]~# ipfw show [root@VM2]~# ipfw show
-00100 6 408 allow ipv6-icmp from any to any icmp6types 135,136 +00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136 
-00200 6 336 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in +00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in 
-00300 0   nat64lsn NAT64 ip from any to 192.0.2.0/24 in +00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in 
-00400 0   0 allow log ip from any to any +65535  0   0 deny ip from any to any
-65535 0   0 deny ip from any to any+
 </code> </code>
  
-==== Stateless ====+==== Stateless (stl) ====
  
 === VM2 === === VM2 ===
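Review bot: the `ipfw show` listing has rules 00100, 00200 and 00300 followed directly by `65535 deny ip from any to any`, but the script in this revision still ends with `${fwcmd} add allow ip from any to any`; either the listing was trimmed or that rule was not loaded. If it really is absent, anything not matched by the two `nat64lsn ... in` rules, including the router's own management traffic, is dropped by the default deny, so the output should be re-captured from a box running the script as published. The new `ipfw nat64lsn NAT64 show states` line (`2001:db8:12:: 2.2.1.210 ICMPv6 0 2.2.2.3`) is the stateful binding VM1 was given; the text could point out that this table is what an operator has to retain to map an IPv4-side event back to the IPv6 client.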
Line 213: Line 229:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
  
Line 223: Line 239:
 ${fwcmd} table T46 create type addr valtype ipv6 ${fwcmd} table T46 create type addr valtype ipv6
 ${fwcmd} table T64 create type addr valtype ipv4 ${fwcmd} table T64 create type addr valtype ipv4
 +${fwcmd} table T46 add 2.2.1.1 2001:db8:12::1
 +${fwcmd} table T64 add 2001:db8:12::1 2.2.1.1
 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
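Review bot: the two `table add` lines pin 2.2.1.1 to 2001:db8:12::1 (VM1) in both directions, which is what makes the stateless translator work, but the page should say that T46 and T64 must stay exact mirror images and that every IPv6 host needing translation needs its own pair of entries; hosts in 2001:db8:12::/64 without an entry get nothing. It is also worth calling out that, unlike the stateful setup above, this mapping makes VM1 reachable from the IPv4 side at 2.2.1.1 (inbound), so the entries are effectively an exposure list and 2.2.1.0/24 must be routed to VM2, which in this lab happens only because VM3's default route is 2.2.2.2.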
Line 231: Line 249:
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1 
 </code> </code>
 === Testing === === Testing ===
Line 238: Line 255:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms+16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics ---+--- 64:ff9b::2.2.2.3 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms+round-trip min/avg/max/std-dev = 1.037/1.215/1.560/0.244 ms
 </code> </code>
  
-And check IPv4 source addresses seen by VM3: +From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address:
 <code> <code>
-[root@VM3]~# tcpdump -c 4 -pni vtnet1 +[root@v4TST64]~# ping -c 3 2.2.1.1 
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +PING 2.2.1.1 (2.2.1.1): 56 data bytes 
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes +64 bytes from 2.2.1.1: icmp_seq=ttl=63 time=17.147 ms 
-13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 +64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms 
-13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28 +64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms 
-13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo requestid 1024seq 0, length 16 + 
-13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16+--- 2.2.1.1 ping statistics --- 
 +packets transmitted3 packets received, 0.0% packet loss 
 +round-trip min/avg/max/stddev = 1.409/7.858/17.147/6.732 ms
 </code> </code>
  
-You can check firewall logs too on R2:+And check on VM3 
 <code> <code>
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 in via vtnet0 +[root@rTST64]~# ipfw nat64stl NAT64 stats 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 out via vtnet1 +nat64stl NAT64 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1 +        6 packets translated from IPv6 to IPv4 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0+        6 packets translated from IPv4 to IPv6 
 +        IPv6 fragments created 
 +        IPv4 fragments received 
 +        output packets dropped due to no bufs, etc
 +        output packets discarded due to no IPv4 route 
 +        output packets discarded due to no IPv6 route 
 +        packets discarded due to unsupported protocol 
 +        packets discarded due to memory allocation problems 
 +        packets discarded due to some errors
 </code> </code>
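Review bot: "From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address" is inconsistent with the lab: VM3 is the IPv4-only host and has no IPv6 address, and 2.2.1.1 maps via T46 to 2001:db8:12::1, which is VM1. The prompts `v4TST64` and `rTST64` also do not match the VM1/VM2/VM3 names used everywhere else, and "And check on VM3" introduces an `ipfw nat64stl NAT64 stats` run that can only have been done on the NAT64 router (VM2), since VM3 runs no ipfw NAT64. Suggest: "From VM3 (IPv4 only host), ping the NAT64 IPv4 address corresponding to VM1" and "And check the translator statistics on VM2", with the prompts renamed to match. The ping line `icmp_seq=ttl=63` has lost its sequence number, the "packets transmitted3 packets received" line has lost its count, and every stats line after the first two has lost its counter, so the output needs re-pasting from the terminal.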
  
documentation/examples/nat64.txt · Last modified: 2020/01/02 19:36 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause