documentation:examples:nat64

This shows you the differences between two versions of the page.

documentation:examples:nat64 [2019/06/04 14:42] – [Stateful (lsn)] olivierdocumentation:examples:nat64 [2020/01/02 19:33] – [Stateless (stl)] olivier
Line 15: Line 15:
 ==== Downloading BSD Router Project images ==== ==== Downloading BSD Router Project images ====
  
-Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.+[[https://bsdrp.net/downloads|Download BSDRP serial image]] (prevent to have to use an X display).
  
 ==== Download Lab scripts ===== ==== Download Lab scripts =====
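Review bot: the wording around the new link still reads "prevent to have to use an X display"; since this sentence is being touched anyway, "so that no X display is needed" says the same thing clearly. Unrelated to the change but visible in the context line: the "Download Lab scripts" heading closes with five "=" against four opening ones, so it renders at a different level than "Downloading BSD Router Project images" right above it.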
Line 55: Line 55:
  
 <code> <code>
-sysrc hostname=VM1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" + ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \ 
-sysrc ipv6_defaultrouter="2001:db8:12::2"+ ipv6_defaultrouter="2001:db8:12::2"
 service hostname restart service hostname restart
 service netif restart service netif restart
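Review bot: every continued line is rendered as "\ " with a space after the backslash. If that space is really in the page source rather than a side-by-side rendering artifact, the backslash escapes the space instead of the newline, so "sysrc hostname=VM1 \ " runs on its own and the next line " gateway_enable=NO \ " is executed as a command, leaving gateway_enable, ipv6_gateway_enable, the vtnet0 address and the default router unset. Please strip trailing whitespace from each continued line. Collapsing the five calls into one is otherwise fine: sysrc(8) accepts several name=value pairs in a single invocation.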
Line 71: Line 71:
  
 <code> <code>
-sysrc hostname=VM2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.2/24" + ifconfig_vtnet1="inet 2.2.2.2/24" \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"+ ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
 service hostname restart service hostname restart
 service netif restart service netif restart
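Review bot: same trailing-whitespace concern on the "\ " continuations as in the VM1 block. Also, VM1 and VM3 explicitly set gateway_enable=NO and ipv6_gateway_enable=NO while this router block sets neither; if VM2 relies on BSDRP forwarding by default, a one-line comment saying so would stop readers from wondering why the router is the only host without an explicit forwarding setting.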
Line 85: Line 85:
  
 <code> <code>
-sysrc hostname=VM3 +sysrc hostname=VM3 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.3/24" + ifconfig_vtnet1="inet 2.2.2.3/24" \ 
-sysrc defaultrouter="2.2.2.2"+ defaultrouter="2.2.2.2"
 service hostname restart service hostname restart
 service netif restart service netif restart
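Review bot: same trailing-whitespace concern on the "\ " continuations as in the VM1 block; nothing else changes here.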
Line 103: Line 103:
  
 <code> <code>
-sysrc tayga_enable=yes+service tayga enable
 sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf
 sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf
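Review bot: "service tayga enable" replaces "sysrc tayga_enable=yes"; the enable subcommand of service(8) exists on FreeBSD 12.0 and later only, so the page should state the minimum BSDRP/FreeBSD release it targets (the sysctl comment added further down mentions 12-stable, which suggests that is the baseline). The two sed calls are unchanged context, but "192.168.255." and "2001:db8:1:ffff::" are used as unescaped regular expressions where "." matches any character; it works on the stock tayga.conf, but "192\.168\.255\." is the safe form if this page is copied elsewhere.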
Line 131: Line 131:
 </code> </code>
 ==== Testing ==== ==== Testing ====
 +
 +From VM4, start a tcpdump to check IPv4 source address seen by VM3:
 +
 +<code>
 +[root@VM3]~# tcpdump -c 2 -pni vtnet1
 +tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 +listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
 +...
 +</code>
  
 From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address: From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address:
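Review bot: the lead-in says "From VM4" but the prompt is "[root@VM3]~#" and the purpose is to see what VM3 receives; the lab defines VM1, VM2 and VM3 only, so this should read "From VM3". Since "-c 2" makes tcpdump block until two packets arrive, it is worth saying that the ping in the next step has to be run from VM1 in a second terminal while this capture is waiting.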
Line 146: Line 155:
 </code> </code>
  
-And check IPv4 source address seen by VM3: +From VM3, check source IP addresses of ICMP:
 <code> <code>
-[root@VM3]~# tcpdump -c 2 -pni vtnet1 +...
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes+
 17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16 17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16
 17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16 17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16
Line 158: Line 164:
 0 packets dropped by kernel 0 packets dropped by kernel
 </code> </code>
- 
 ===== IPFW NAT64 (kernel space) ===== ===== IPFW NAT64 (kernel space) =====
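Review bot: with the tcpdump command moved into the earlier block, this block now opens with "..." and carries the tail of the same capture (through "0 packets dropped by kernel"), so one tcpdump session is split across two blocks; "output of the tcpdump started above" in the lead-in would make that explicit. The sentence should also say what the reader is expected to observe: the echo request arrives from 2.2.1.249, an address inside the 2.2.1.0/24 pool that the sed on tayga.conf configured, which is the whole point of the check.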
  
Line 167: Line 172:
 === VM2 === === VM2 ===
  
-Configure a stateful NAT64 with ipfw, and enable logging:+Configure a stateful NAT64 with ipfw:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
 +echo "# Temporary fix to avoid panicing a 12-stable:" >> /etc/sysctl.conf
 echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf
 cat > /etc/ipfw.rules <<'EOF' cat > /etc/ipfw.rules <<'EOF'
Line 182: Line 188:
 ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
 ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in
-${fwcmd} add allow log ip from any to any+${fwcmd} add allow ip from any to any
 'EOF' 'EOF'
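Review bot: dropping "log" from the terminal allow rule (and "and enable logging" from the sentence) removes the only record of what the NAT64 rules let through; with "allow ip from any to any" as the last rule the default deny at 65535 is never reached and nothing is written anywhere. If the change is about noise, keep "log" on the two nat64lsn rules instead of the catch-all. The line echoed into /etc/sysctl.conf, "Temporary fix to avoid panicing a 12-stable", needs the spelling "panicking" and a reference (bug report or commit) so the reader knows when net.inet.ip.fw.nat64_direct_output=1 can be removed; it should also say what the tunable does, since with direct output the translated packets leave through the output path rather than coming back through the ruleset, which is relevant to where "log" would have to sit.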
  
Line 194: Line 200:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
 +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=0.369 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=0.259 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=0.248 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics --- +--- 64:ff9b::2.2.2.3 ping6 statistics --- 
-3 packets transmitted, packets received, 100.0% packet loss+3 packets transmitted, packets received, 0.0% packet loss 
 +round-trip min/avg/max/std-dev = 0.248/0.292/0.369/0.055 ms
 </code> </code>
  
-Oops, nothing ? +Checking status on NAT64 router:
-<code> +
- +
-Firewall stats on VM2:+
 <code> <code>
 +[root@VM2]~# ipfw nat64lsn NAT64 show states
 +2001:db8:12:: 2.2.1.210       ICMPv6          0       2.2.2.3
 [root@VM2]~# ipfw show [root@VM2]~# ipfw show
-00100 6 408 allow ipv6-icmp from any to any icmp6types 135,136 +00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136 
-00200 6 336 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in +00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in 
-00300 0   nat64lsn NAT64 ip from any to 192.0.2.0/24 in +00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in 
-00400 0   0 allow log ip from any to any +65535  0   0 deny ip from any to any
-65535 0   0 deny ip from any to any+
 </code> </code>
  
-==== Stateless ====+==== Stateless (stl) ====
  
 === VM2 === === VM2 ===
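Review bot: the ping summary reads "3 packets transmitted, packets received, 0.0% packet loss" with the received count missing (it was already missing on the left side), so the pasted output is truncated; please re-paste it. The new "ipfw show" output lists rules 00100, 00200, 00300 and 65535, yet the script above still adds a fourth rule, "allow ip from any to any", which would show up as 00400; the output seems to come from a different ruleset than the one committed, so re-capture it from this script. The added "ipfw nat64lsn NAT64 show states" line is a good addition because it shows the IPv6 side mapped to pool address 2.2.1.210 toward 2.2.2.3, which is exactly what VM3 sees as the source; one sentence saying that would tie the two outputs together.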
Line 221: Line 229:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
  
Line 231: Line 239:
 ${fwcmd} table T46 create type addr valtype ipv6 ${fwcmd} table T46 create type addr valtype ipv6
 ${fwcmd} table T64 create type addr valtype ipv4 ${fwcmd} table T64 create type addr valtype ipv4
 +${fwcmd} table T46 add 2.2.1.1 2001:db8:12::1
 +${fwcmd} table T64 add 2001:db8:12::1 2.2.1.1
 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
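Review bot: the two table entries supply the mapping stateless NAT64 requires and are consistent with the table definitions: T46 is keyed by IPv4 with ipv6 values (2.2.1.1 to 2001:db8:12::1) and T64 the reverse, matching "table4 T46 table6 T64" on the create line. The prose should state that only this single host is translated: any other address in 2001:db8:12::/64 that hits the nat64stl rule has no entry and is not translated, unlike the stateful setup, and every additional IPv6 host to expose needs its own pair of entries with a distinct address in 2.2.1.0/24.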
Line 239: Line 249:
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1 
 </code> </code>
 === Testing === === Testing ===
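Review bot: removing "sysctl net.inet.ip.fw.verbose=1" is consistent with no rule carrying "log" any more, but if "log" is put back on the NAT64 rules this tunable is needed again for entries to reach syslog; in that case it belongs in /etc/sysctl.conf next to nat64_direct_output rather than inside the firewall script, so both ipfw tunables live in one place.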
Line 246: Line 255:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms+16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics ---+--- 64:ff9b::2.2.2.3 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms+round-trip min/avg/max/std-dev = 1.037/1.215/1.560/0.244 ms
 </code> </code>
  
-And check IPv4 source addresses seen by VM3: +From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address:
 <code> <code>
-[root@VM3]~# tcpdump -c 4 -pni vtnet1 +[root@v4TST64]~# ping -c 3 2.2.1.1 
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +PING 2.2.1.1 (2.2.1.1): 56 data bytes 
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes +64 bytes from 2.2.1.1: icmp_seq=ttl=63 time=17.147 ms 
-13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 +64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms 
-13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28 +64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms 
-13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo requestid 1024seq 0, length 16 + 
-13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16+--- 2.2.1.1 ping statistics --- 
 +packets transmitted3 packets received, 0.0% packet loss 
 +round-trip min/avg/max/stddev = 1.409/7.858/17.147/6.732 ms
 </code> </code>
  
-You can check firewall logs too on R2:+And check on VM3 
 <code> <code>
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 in via vtnet0 +[root@rTST64]~# ipfw nat64stl NAT64 stats 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 out via vtnet1 +nat64stl NAT64 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1 +        6 packets translated from IPv6 to IPv4 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0+        6 packets translated from IPv4 to IPv6 
 +        IPv6 fragments created 
 +        IPv4 fragments received 
 +        output packets dropped due to no bufs, etc
 +        output packets discarded due to no IPv4 route 
 +        output packets discarded due to no IPv6 route 
 +        packets discarded due to unsupported protocol 
 +        packets discarded due to memory allocation problems 
 +        packets discarded due to some errors
 </code> </code>
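Review bot: the new IPv4-side test introduces hosts "v4TST64" and "rTST64" that do not belong to the VM1/VM2/VM3 lab, and "And check on VM3" sits above an "ipfw nat64stl NAT64 stats" prompt; those statistics only exist on the NAT64 router (VM2), VM3 being the IPv4-only host, so the sentence should say VM2 and the prompts should use the lab names. The pasted output is also damaged: "icmp_seq=ttl=63" lacks the sequence number, "packets transmitted3 packets received" lacks the transmitted count and the line break, and every stats line after the two "packets translated" lines has lost its counter. Dropping the VM3 tcpdump and the ipfw log excerpt removes the only direct evidence that VM3 sees 2.2.1.1 as the source; the 6/6 translated counters (three pings each way) are an acceptable substitute, but the IPv4 host's addressing and its route to 2.2.1.0/24 via VM2 are not shown anywhere, so say where that host sits before using it.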
  
documentation/examples/nat64.txt · Last modified: 2020/01/02 19:36 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause