documentation:examples:nat64

Differences

This shows you the differences between two versions of the page.

Previous revision: documentation:examples:nat64 [2019/06/03 17:42] – [Testing] olivier
Current revision: documentation:examples:nat64 [2020/01/02 19:36] – [Stateless (stl)] olivier
Line 15: Line 15:
 ==== Downloading BSD Router Project images ==== ==== Downloading BSD Router Project images ====
  
-Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.+[[https://bsdrp.net/downloads|Download BSDRP serial image]] (prevent to have to use an X display).
  
 ==== Download Lab scripts ===== ==== Download Lab scripts =====
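Review bot: the new download line still reads "(prevent to have to use an X display)"; say "(so no X display is needed)". The link to https://bsdrp.net/downloads replaces the Sourceforge mention, but the step still has no integrity check; suggest one sentence telling the reader to verify the image against whatever checksum or signature the download page publishes before booting it.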
Line 55: Line 55:
  
 <code> <code>
-sysrc hostname=VM1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" + ifconfig_vtnet0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \ 
-sysrc ipv6_defaultrouter="2001:db8:12::2"+ ipv6_defaultrouter="2001:db8:12::2"
 service hostname restart service hostname restart
 service netif restart service netif restart
Line 71: Line 71:
  
 <code> <code>
-sysrc hostname=VM2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.2/24" + ifconfig_vtnet1="inet 2.2.2.2/24" \ 
-sysrc ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"+ ifconfig_vtnet0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
 service hostname restart service hostname restart
 service netif restart service netif restart
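Review bot: VM2 is the translator for this lab, yet this block sets only the hostname and the two interface addresses, while the VM1 and VM3 blocks explicitly set gateway_enable=NO and ipv6_gateway_enable=NO. That implies forwarding is on by default in the BSDRP image; state that next to the VM2 block (or set gateway_enable=YES and ipv6_gateway_enable=YES explicitly) so a reader on a stock FreeBSD image knows the translator needs forwarding on both families. Folding the sysrc calls into one invocation with backslash continuations is fine; sysrc accepts several name=value arguments.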
Line 85: Line 85:
  
 <code> <code>
-sysrc hostname=VM3 +sysrc hostname=VM3 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_vtnet1="inet 2.2.2.3/24" + ifconfig_vtnet1="inet 2.2.2.3/24" \ 
-sysrc defaultrouter="2.2.2.2"+ defaultrouter="2.2.2.2"
 service hostname restart service hostname restart
 service netif restart service netif restart
Line 100: Line 100:
 ==== VM2 ==== ==== VM2 ====
  
-Replace the private IP range from default tayga's configuration and enable it:+Modify default default tayga's configuration file and enable it:
  
 <code> <code>
-sysrc tayga_enable=yes+service tayga enable
 sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf sed -i "" 's/192.168.255./2.2.1./g' /usr/local/etc/tayga.conf
 +sed -i "" 's/2001:db8:1:ffff::/64:ff9b::/g' /usr/local/etc/tayga.conf
 service tayga start service tayga start
 </code> </code>
  
-Quick test from VM2:+Quick test from VM2 by pinging its IPv4 address from its IPv6 one, and same by targeting VM3:
 <code> <code>
-[root@VM2]~# ping6 -c 3 2001:db8:1:ffff::2.2.2.2 +[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.2 
-PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 2001:db8:1:ffff::202:202 +PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:202 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=0 hlim=63 time=0.122 ms +16 bytes from 64:ff9b::202:202, icmp_seq=0 hlim=63 time=0.128 ms 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=1 hlim=63 time=0.080 ms +16 bytes from 64:ff9b::202:202, icmp_seq=1 hlim=63 time=0.082 ms 
-16 bytes from 2001:db8:1:ffff::202:202, icmp_seq=2 hlim=63 time=0.064 ms+16 bytes from 64:ff9b::202:202, icmp_seq=2 hlim=63 time=0.069 ms
  
---- 2001:db8:1:ffff::2.2.2.2 ping6 statistics ---+--- 64:ff9b::2.2.2.2 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.064/0.089/0.122/0.024 ms +round-trip min/avg/max/std-dev = 0.069/0.093/0.128/0.025 ms 
-[root@VM2]~# ping6 -c 3 2001:db8:1:ffff::2.2.2.3 +[root@VM2]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 2001:db8:1:ffff::202:203 +PING6(56=40+8+8 bytes) 2001:db8:12::2 --> 64:ff9b::202:203 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=0 hlim=62 time=0.240 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=62 time=0.228 ms 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=1 hlim=62 time=0.190 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=62 time=0.164 ms 
-16 bytes from 2001:db8:1:ffff::202:203, icmp_seq=2 hlim=62 time=0.191 ms +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=62 time=0.157 ms
-</code> +
-==== Testing ====+
  
-From IPv6 only host, ping NAT64 IPv6 address corresponding to VM3 IPv4 address: +--- 64:ff9b::2.2.2.3 ping6 statistics ---
- +
-<code> +
-[root@VM1]~# ping6 -c 3 2001:db8:1:ffff::2.2.2.3 +
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:1:ffff::a00:1703 +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=0 hlim=61 time=0.286 ms +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=1 hlim=61 time=0.198 ms +
-16 bytes from 2001:db8:1:ffff::a00:1703, icmp_seq=2 hlim=61 time=0.180 ms +
- +
---- 2001:db8:1:ffff::10.0.23.3 ping6 statistics ---+
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.180/0.221/0.286/0.046 ms+round-trip min/avg/max/std-dev = 0.157/0.183/0.228/0.032 ms
 </code> </code>
 +==== Testing ====
  
-And check IPv4 source address seen by VM3:+From VM4, start a tcpdump to check IPv4 source address seen by VM3:
  
 <code> <code>
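Review bot: "Modify default default tayga's configuration file" doubles "default"; read "Modify tayga's default configuration file and enable it". In the first sed command the dots in 192.168.255. are unescaped and match any character; anchor them: sed -i "" 's/192\.168\.255\./2.2.1./g' /usr/local/etc/tayga.conf. Also worth one sentence in the text: switching the prefix to 64:ff9b::/96 moves Tayga onto the RFC 6052 well-known prefix, the same one the ipfw nat64lsn rule later in the page uses, which is why the pings from VM2 now target 64:ff9b::2.2.2.2 and 64:ff9b::2.2.2.3 rather than the old 2001:db8:1:ffff:: addresses.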
Line 147: Line 138:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
-10:10:31.504190 IP 192.168.255.249 > 10.0.23.3: ICMP echo request, id 37715, seq 0, length 16 +...
-10:10:31.504197 IP 10.0.23.3 > 192.168.255.249: ICMP echo reply, id 37715, seq 0, length 16+
 </code> </code>
  
 +From VM1 (IPv6 only host), ping NAT64 IPv6 address corresponding to VM3 IPv4 address:
 +
 +<code>
 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203
 +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=61 time=0.298 ms
 +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=61 time=0.257 ms
 +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=61 time=0.261 ms
 +
 +--- 64:ff9b::2.2.2.3 ping6 statistics ---
 +3 packets transmitted, 3 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.257/0.272/0.298/0.018 ms
 +</code>
 +
 +From VM3, check source IP addresses of ICMP:
 +<code>
 +...
 +17:43:03.094975 IP 2.2.1.249 > 2.2.2.3: ICMP echo request, id 6575, seq 0, length 16
 +17:43:03.094983 IP 2.2.2.3 > 2.2.1.249: ICMP echo reply, id 6575, seq 0, length 16
 +2 packets captured
 +2 packets received by filter
 +0 packets dropped by kernel
 +</code>
 ===== IPFW NAT64 (kernel space) ===== ===== IPFW NAT64 (kernel space) =====
  
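Review bot: "From VM4, start a tcpdump" names a host the lab does not have; the capture is taken on VM3 (the later paragraph in this hunk says "From VM3, check source IP addresses of ICMP"), so this should read "From VM3". The two captures now show the same check twice; keep the second one (the 2.2.1.249 > 2.2.2.3 exchange, which is the useful evidence that VM1 appears from Tayga's dynamic pool) and drop the first, which has been reduced to "..." and nothing else.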
Line 159: Line 172:
 === VM2 === === VM2 ===
  
-Configure a stateful NAT64 with ipfw, and enable logging:+Configure a stateful NAT64 with ipfw:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
 +echo "# Temporary fix to avoid panicing a 12-stable:" >> /etc/sysctl.conf 
 +echo "net.inet.ip.fw.nat64_direct_output=1" >> /etc/sysctl.conf
 cat > /etc/ipfw.rules <<'EOF' cat > /etc/ipfw.rules <<'EOF'
 #!/bin/sh #!/bin/sh
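Review bot: the net.inet.ip.fw.nat64_direct_output=1 sysctl added here is explained only as "Temporary fix to avoid panicing a 12-stable" (spell it "panicking"), but it changes what the firewall sees: per ipfw(8), with this set a translated packet is sent straight to the outgoing interface instead of being passed back through the ruleset, so no rule after the nat64lsn rules (the final allow, or any deny a reader adds later) applies to translated traffic. Say so in the text. The same hunk drops "and enable logging" and the allow log rule, so the only visibility left is the ipfw show counters and the nat64lsn states table; mention that too. Setting the sysctl both in /etc/sysctl.conf and at the end of the script is fine; the second makes it take effect without a reboot.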
Line 170: Line 184:
 kldstat -q -m ipfw_nat64 || kldload ipfw_nat64 kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
 ${fwcmd} -f flush ${fwcmd} -f flush
-${fwcmd} nat64lsn NAT64 create prefix4 192.0.2.0/24+${fwcmd} nat64lsn NAT64 create prefix4 2.2.1.0/24
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
 ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in ${fwcmd} add nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in
-${fwcmd} add nat64lsn NAT64 ip from any to 192.0.2.0/24 in +${fwcmd} add nat64lsn NAT64 ip from any to 2.2.1.0/24 in 
-${fwcmd} add allow log ip from any to any+${fwcmd} add allow ip from any to any
 'EOF' 'EOF'
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1+sysctl net.inet.ip.fw.nat64_direct_output=1
 </code> </code>
  
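Review bot: prefix4 192.0.2.0/24 was the RFC 5737 documentation range, and replacing it with 2.2.1.0/24 (together with 2.2.2.0/24 elsewhere in the lab) puts globally routable address space into an example that is otherwise careful to use 2001:db8::/32 for IPv6. A reader who copies this into a real deployment would be NATing onto someone else's prefix; prefer 192.0.2.0/24 or 198.51.100.0/24 for the pool and 203.0.113.0/24 for the IPv4-only side. If the motivation is RFC 6052's rule that 64:ff9b::/96 must not represent non-global IPv4 addresses, say so explicitly and tell the reader that the 2.2.x.0/24 numbers are a lab stand-in only. Dropping log from the final allow rule is consistent with the logging removal in the previous hunk but should be called out in the text.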
Line 186: Line 200:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
 +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=0.369 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=0.259 ms 
 +16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=0.248 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics --- +--- 64:ff9b::2.2.2.3 ping6 statistics --- 
-3 packets transmitted, packets received, 100.0% packet loss+3 packets transmitted, packets received, 0.0% packet loss 
 +round-trip min/avg/max/std-dev = 0.248/0.292/0.369/0.055 ms
 </code> </code>
  
-Oops, nothing ? +Checking status on NAT64 router:
-<code> +
- +
-Firewall stats on VM2:+
 <code> <code>
 +[root@VM2]~# ipfw nat64lsn NAT64 show states
 +2001:db8:12:: 2.2.1.210       ICMPv6          0       2.2.2.3
 [root@VM2]~# ipfw show [root@VM2]~# ipfw show
-00100 6 408 allow ipv6-icmp from any to any icmp6types 135,136 +00100 12 824 allow ipv6-icmp from any to any icmp6types 135,136 
-00200 6 336 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in +00200 12 672 nat64lsn NAT64 ip from 2001:db8:12::/64 to 64:ff9b::/96 in 
-00300 0   nat64lsn NAT64 ip from any to 192.0.2.0/24 in +00300 12 432 nat64lsn NAT64 ip from any to 2.2.1.0/24 in 
-00400 0   0 allow log ip from any to any +65535  0   0 deny ip from any to any
-65535 0   0 deny ip from any to any+
 </code> </code>
  
-==== Stateless ====+==== Stateless (stl) ====
  
 === VM2 === === VM2 ===
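Review bot: the ipfw show output pasted here lists rules 100, 200, 300 and 65535 but not rule 400, although the script in the previous hunk still adds allow ip from any to any as its last rule; either the output was trimmed or it came from a different ruleset, so re-paste it from the running VM2. The ping summary "3 packets transmitted, packets received, 0.0% packet loss" lost its received count in the paste. The states line "2001:db8:12:: 2.2.1.210 ICMPv6 0 2.2.2.3" is the useful part, since it shows the client mapped onto pool address 2.2.1.210; the test only exercises ICMP, so consider adding one TCP check (for instance nc -6 64:ff9b::2.2.2.3 22) so the states table also shows a port-mapped entry.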
Line 213: Line 229:
  
 <code> <code>
-sysrc firewall_enable=YES+service ipfw enable
 sysrc firewall_script="/etc/ipfw.rules" sysrc firewall_script="/etc/ipfw.rules"
  
Line 223: Line 239:
 ${fwcmd} table T46 create type addr valtype ipv6 ${fwcmd} table T46 create type addr valtype ipv6
 ${fwcmd} table T64 create type addr valtype ipv4 ${fwcmd} table T64 create type addr valtype ipv4
 +${fwcmd} table T46 add 2.2.1.1 2001:db8:12::1
 +${fwcmd} table T64 add 2001:db8:12::1 2.2.1.1
 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64 ${fwcmd} nat64stl NAT64 create table4 T46 table6 T64
 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136 ${fwcmd} add allow icmp6 from any to any icmp6types 135,136
Line 231: Line 249:
  
 service ipfw start service ipfw start
-sysctl net.inet.ip.fw.verbose=1 
 </code> </code>
 === Testing === === Testing ===
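Review bot: the two table entries added here make the mapping 2.2.1.1 <-> 2001:db8:12::1 static and bidirectional: unlike the nat64lsn setup, an IPv4-initiated packet does not need a preceding outbound flow, so VM1 becomes reachable from any IPv4 host that can route to 2.2.1.1 (the next hunk's test from VM3 relies on exactly this). Say that this is the intended property of stateless NAT64, and that the 1:1 entry exposes every service VM1 listens on; in a real deployment the rules following the nat64stl rules should restrict inbound IPv4 to the ports meant to be published. Dropping the net.inet.ip.fw.verbose=1 line matches the logging removal in the stateful section.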
Line 238: Line 255:
  
 <code> <code>
-[root@VM1]~# ping6 -c 3 64:ff9b::10.0.23.3 +[root@VM1]~# ping6 -c 3 64:ff9b::2.2.2.3 
-PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::a00:1703 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 64:ff9b::202:203 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=0 hlim=63 time=1.105 ms +16 bytes from 64:ff9b::202:203, icmp_seq=0 hlim=63 time=1.037 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=1 hlim=63 time=0.216 ms +16 bytes from 64:ff9b::202:203, icmp_seq=1 hlim=63 time=1.048 ms 
-16 bytes from 64:ff9b::a00:1703, icmp_seq=2 hlim=63 time=0.199 ms+16 bytes from 64:ff9b::202:203, icmp_seq=2 hlim=63 time=1.560 ms
  
---- 64:ff9b::10.0.23.3 ping6 statistics ---+--- 64:ff9b::2.2.2.3 ping6 statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
-round-trip min/avg/max/std-dev = 0.199/0.507/1.105/0.423 ms+round-trip min/avg/max/std-dev = 1.037/1.215/1.560/0.244 ms
 </code> </code>
  
-And check IPv4 source addresses seen by VM3: +From IPv4 only host, ping NAT64 IPv4 address corresponding to VM3 IPv6 address:
 <code> <code>
-[root@VM3]~# tcpdump -c 4 -pni vtnet1 +[root@VM3]~# ping -c 3 2.2.1.1 
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +PING 2.2.1.1 (2.2.1.1): 56 data bytes 
-listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes +64 bytes from 2.2.1.1: icmp_seq=ttl=63 time=17.147 ms 
-13:15:29.862862 ARP, Request who-has 10.0.23.3 tell 10.0.23.2, length 46 +64 bytes from 2.2.1.1: icmp_seq=1 ttl=63 time=1.409 ms 
-13:15:29.862879 ARP, Reply 10.0.23.3 is-at 58:9c:fc:02:03:03, length 28 +64 bytes from 2.2.1.1: icmp_seq=2 ttl=63 time=5.017 ms 
-13:15:29.863081 IP 10.0.64.161 > 10.0.23.3: ICMP echo requestid 1024seq 0, length 16 + 
-13:15:29.863106 IP 10.0.23.3 > 10.0.64.161: ICMP echo reply, id 1024, seq 0, length 16+--- 2.2.1.1 ping statistics --- 
 +packets transmitted3 packets received, 0.0% packet loss 
 +round-trip min/avg/max/stddev = 1.409/7.858/17.147/6.732 ms
 </code> </code>
  
-You can check firewall logs too on R2:+And check on the NAT router VM2 some stats: 
 <code> <code>
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 in via vtnet0 +[root@VM2]~# ipfw nat64stl NAT64 stats 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMP:8.10.0.64.161 10.0.23.3 out via vtnet1 +nat64stl NAT64 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] in via vtnet1 +        6 packets translated from IPv6 to IPv4 
-Feb 17 13:15:29 VM2 kernel: ipfw: 400 Accept ICMPv6:129.[64:ff9b::a00:1703] [2001:db8:12::1] out via vtnet0+        6 packets translated from IPv4 to IPv6 
 +        IPv6 fragments created 
 +        IPv4 fragments received 
 +        output packets dropped due to no bufs, etc
 +        output packets discarded due to no IPv4 route 
 +        output packets discarded due to no IPv6 route 
 +        packets discarded due to unsupported protocol 
 +        packets discarded due to memory allocation problems 
 +        packets discarded due to some errors
 </code> </code>
  
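Review bot: "ping NAT64 IPv4 address corresponding to VM3 IPv6 address" is wrong; 2.2.1.1 is mapped by the T46/T64 tables to 2001:db8:12::1, which is VM1, and VM3 is the IPv4-only host doing the pinging. Read "From the IPv4-only host VM3, ping the NAT64 IPv4 address corresponding to VM1's IPv6 address". The pasted ping output lost characters ("icmp_seq=ttl=63" should be "icmp_seq=0 ttl=63", and "packets transmitted3 packets received" should be "3 packets transmitted, 3 packets received"), and every counter line after the two "packets translated" lines in the nat64stl stats is missing its number; re-paste both blocks from the VM. With verbose logging gone, these stats and the ipfw show counters are the only evidence that traffic crossed the translator, so showing the stats before and after the ping would let the reader see them increment.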
documentation/examples/nat64.1559576527.txt.gz · Last modified: 2019/06/03 17:42 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause