documentation:examples:nat64

Differences

This shows you the differences between two versions of the page.

Previous revision: documentation:examples:nat64 [2019/06/04 14:46] – [Stateful (lsn)] olivier
Current revision: documentation:examples:nat64 [2020/01/02 19:36] (current) – [Stateless (stl)] olivier
Line 15: Line 15:
 ==== Downloading BSD Router Project images ==== ==== Downloading BSD Router Project images ====
  
-Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.+[[https://bsdrp.net/downloads|Download BSDRP serial image]] (prevent to have to use an X display).
  
 ==== Download Lab scripts ===== ==== Download Lab scripts =====
Line 55: Line 55:
  
 <code> <code>
-sysrc hostname=VM1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" + ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \ 
-sysrc ipv6_defaultrouter="2001:db8:12::2"+ ipv6_defaultrouter="2001:db8:12::2"
 service hostname restart service hostname restart
 service netif restart service netif restart
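Review bot: each continued line on the right-hand side ends with `\ ` (backslash followed by a space); if that trailing space is really in the page source and not a rendering artifact, the shell treats it as an escaped space rather than a line continuation, and the assignments on the following lines run as separate commands, so strip the trailing whitespace. Folding the five assignments into one sysrc call is otherwise fine, since sysrc accepts several name=value pairs in a single invocation; the same remark applies to the VM2 and VM3 blocks below.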
Line 71: Line 71:
  
 <code> <code>
-sysrc hostname=VM2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.2/24" + ifconfig_vtnet1="inet 2.2.2.2/24" \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"+ ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
 service hostname restart service hostname restart
 service netif restart service netif restart
Line 85: Line 85:
  
 <code> <code>
-sysrc hostname=VM3 +sysrc hostname=VM3 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.3/24" + ifconfig_vtnet1="inet 2.2.2.3/24" \ 
-sysrc defaultrouter="2.2.2.2"+ defaultrouter="2.2.2.2"
 service hostname restart service hostname restart
 service netif restart service netif restart
Line 103: Line 103:
  
 <code> <code>
-sysrc tayga_enable=yes+service tayga enable
 sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf
 sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf
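Review bot: `service tayga enable` does the same job as the old `sysrc tayga_enable=yes` (it sets the rcvar through rc.subr), but the enable subcommand is a newer rc.subr feature and is absent on older FreeBSD bases; a short remark that such bases must fall back to the sysrc form would save readers a confusing "unknown command" error. Minor: the unescaped dots in the two sed patterns match any character; harmless on the stock tayga.conf, but `192\.168\.255\.` and `2001:db8:1:ffff::` anchored as written are more precise.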
Line 131: Line 131:
 </code> </code>
 ==== Testing ==== ==== Testing ====
 +
 +From VM4, start a tcpdump to check IPv4 source address seen by VM3:
 +
 +<code>
 +[root@VM3]~# tcpdump -c 2 -pni vtnet1
 +tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 +listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
 +...
 +</code>
  
 From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address: From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address:
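Review bot: the new lead-in says "From VM4, start a tcpdump" but the prompt in the block is `[root@VM3]~#`, the sentence itself says the goal is the source address as seen by VM3, and no VM4 appears anywhere else in this diff, so it should read "From VM3, start a tcpdump ...". Since the capture is now started before the ping, `-c 2` stops it after the first request/reply pair, which is exactly what the later output shows; saying so in the text avoids readers wondering why only two packets appear.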
Line 146: Line 155:
 </code> </code>
  
-And check IPv4 source address seen by VM3: +From VM3, check source IP addresses of ICMP:
 <code> <code>
-[root@VM3]~# tcpdump -c 2 -pni vtnet1 +...
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes+
 17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16 17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16
 17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16 17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16
Line 158: Line 164:
 0 packets dropped by kernel 0 packets dropped by kernel
 </code> </code>
- 
 ===== IPFW NAT64 (kernel space) ===== ===== IPFW NAT64 (kernel space) =====
  
Line 167: Line 172:
 === VM2 === === VM2 ===
  
-Configure a stateful NAT64 with ipfw, and enable logging:+Configure a stateful NAT64 with ipfw:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
 +echo "# Temporary fix to avoid panicing a 12-stable:" >> /etc/sysctl.conf
 echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf
 cat > /etc/ipfw.rules <<'EOF' cat > /etc/ipfw.rules <<'EOF'
Line 182: Line 188:
 ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
 ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in ${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in
-${fwcmd} add allow log ip from any to any+${fwcmd} add allow ip from any to any
 'EOF' 'EOF'
  
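Review bot: the comment added above the nat64_direct_output sysctl calls it a temporary fix for a 12-stable panic but gives no reference; record the affected version or PR so readers know when the sysctl can be dropped (and "panicing" should be "panicking"). Dropping `log` from the final allow rule is consistent with the removed "check firewall logs" section, but it leaves no way to see translated traffic on VM2 other than the `ipfw show` counters; a one-line remark to that effect would help. `service ipfw enable` is equivalent to the old `sysrc firewall_enable=YES`, so that change is fine.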
Line 213: Line 219:
 00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in 00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
 00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in 00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in
-00400  0   0 allow log ip from any to any 
 65535  0   0 deny ip from any to any 65535  0   0 deny ip from any to any
 </code> </code>
  
-==== Stateless ====+==== Stateless (stl) ====
  
 === VM2 === === VM2 ===
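Review bot: the updated `ipfw show` output drops the 00400 line entirely, yet the rule file in the previous hunk still ends with `add allow ip from any to any`, so a real run would still print a 00400 entry, just without `log`, e.g. `00400  0   0 allow ip from any to any`; the zero counters are expected there because nat64_direct_output=1 sends translated packets straight out instead of through the remaining rules. Please paste the output of the new configuration rather than hand-editing the old one.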
Line 224: Line 229:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
  
Line 234: Line 239:
 ${fwcmd} table T46 create type addr valtype ipv6 ${fwcmd} table T46 create type addr valtype ipv6
 ${fwcmd} table T64 create type addr valtype ipv4 ${fwcmd} table T64 create type addr valtype ipv4
 +${fwcmd} table T46 add 2.2.1.1 2001:db8:12::1
 +${fwcmd} table T64 add 2001:db8:12::1 2.2.1.1
 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
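Review bot: the two added table entries are the static mapping the stateless translator needs, and both are required because nat64stl keeps no state: `table4 T46` is keyed by the IPv4 address 2.2.1.1 and yields 2001:db8:12::1, `table6 T64` is the reverse. A comment naming the host (this maps VM1) and a note that 2.2.1.0/24 must be routed to VM2 from the IPv4 side (VM3 gets this through `defaultrouter="2.2.2.2"` earlier in the diff) would make the rules file self-explanatory.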
Line 242: Line 249:
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1 
 </code> </code>
 === Testing === === Testing ===
Line 249: Line 255:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms+16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics ---+--- 64:ff9b::2.2.2.3 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms+round-trip min/avg/max/std-dev = 1.037/1.215/1.560/0.244 ms
 </code> </code>
  
-And check IPv4 source addresses seen by VM3: +From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address:
 <code> <code>
-[root@VM3]~# tcpdump -c 4 -pni vtnet1 +[root@VM3]~# ping -c 3 2.2.1.1 
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +PING 2.2.1.1 (2.2.1.1): 56 data bytes 
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes +64 bytes from 2.2.1.1: icmp_seq=ttl=63 time=17.147 ms 
-13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 +64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms 
-13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28 +64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms 
-13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo requestid 1024seq 0, length 16 + 
-13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16+--- 2.2.1.1 ping statistics --- 
 +packets transmitted3 packets received, 0.0% packet loss 
 +round-trip min/avg/max/stddev = 1.409/7.858/17.147/6.732 ms
 </code> </code>
  
-You can check firewall logs too on R2:+And check on the NAT router VM2 some stats: 
 <code> <code>
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 in via vtnet0 +[root@VM2]~# ipfw nat64stl NAT64 stats 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 out via vtnet1 +nat64stl NAT64 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1 +        6 packets translated from IPv6 to IPv4 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0+        6 packets translated from IPv4 to IPv6 
 +        IPv6 fragments created 
 +        IPv4 fragments received 
 +        output packets dropped due to no bufs, etc
 +        output packets discarded due to no IPv4 route 
 +        output packets discarded due to no IPv6 route 
 +        packets discarded due to unsupported protocol 
 +        packets discarded due to memory allocation problems 
 +        packets discarded due to some errors
 </code> </code>
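
Review bot: the lead-in "ping NAT64 IPv4 address corresponding to VM3 IPv6 address" is wrong: 2.2.1.1 is mapped to 2001:db8:12::1, which is VM1, and VM3 is the IPv4-only host the ping is run from, so it should read "From VM3 (IPv4 only host), ping the NAT64 IPv4 address corresponding to VM1's IPv6 address". The pasted ping output also lost characters: `icmp_seq=ttl=63` should be `icmp_seq=0 ttl=63` and `packets transmitted3 packets received` should be `3 packets transmitted, 3 packets received`; likewise every `ipfw nat64stl NAT64 stats` line after the first two is missing its leading counter (presumably 0). The ping6 side is consistent: 2.2.2.3 embedded in 64:ff9b::/96 is 64:ff9b::202:203, and the 6/6 translated-packet counters match three requests plus three replies in each direction.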
  
documentation/examples/nat64.txt · Last modified: 2020/01/02 19:36 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause