94 lines
3.4 KiB
Text
94 lines
3.4 KiB
Text
|
_hidden: no
|
||
|
---
|
||
|
_discoverable: yes
|
||
|
---
|
||
|
pub_date: 2020-12-15
|
||
|
---
|
||
|
title: Managing IPv4 islands with Jool
|
||
|
---
|
||
|
abstract: How jool allows us to enable IPv4 islands
|
||
|
---
|
||
|
body:
|
||
|
|
||
|
## Introduction
|
||
|
|
||
|
At ungleich we are using [Jool](https://www.jool.mx/) in a
|
||
|
variety of scenarios with NAT64 or SIIT. The main use of jool
|
||
|
in our infrastructure is to enable IPv6 only
|
||
|
hosts to communicate with the IPv4 Internet.
|
||
|
|
||
|
However today we want to show you a different use case of jool:
|
||
|
Enabling IPv4 islands to communicate with the IPv6 Internet.
|
||
|
|
||
|
For this we will focus on using Jool on
|
||
|
[OpenWrt](https://openwrt.org), because this is a platform that you
|
||
|
can also easily use in your networks or even at home.
|
||
|
|
||
|
## The general problem to solve
|
||
|
|
||
|
The literally biggest problem to solve when connecting the two
|
||
|
different worlds is that the IPv6 space is significantly bigger. This
|
||
|
is a problem, because we cannot achieve a 1:1 mapping from the IPv4
|
||
|
world, but we can do a 1:1 mapping from the IPv6 world:
|
||
|
|
||
|
![](/u/image/ipv4-ipv6-nat-asymmetric.png)
|
||
|
|
||
|
## Making IPv4 islands reachable
|
||
|
|
||
|
Assume that you are mostly running IPv6 only networks. And you happen
|
||
|
to have some hosts, which, for whatever reason, cannot be switched to
|
||
|
IPv6. We can use a stateful NAT64 to map "the whole IPv6 Internet" to
|
||
|
192.0.2.1 as follows:
|
||
|
|
||
|
![](/u/image/ipv4-only-island-ipv6-reachable.png)
|
||
|
|
||
|
This works pretty similar to regular NAT that you are used from
|
||
|
home. If we compare it visually, it is even more clear:
|
||
|
|
||
|
![](/u/image/ipv4-nat.png)
|
||
|
|
||
|
Let's have a look at this in an OpenWrt context:
|
||
|
|
||
|
* The LAN network is usually 192.168.1.0/24
|
||
|
* The router's IPv4 address is usually 192.168.1.1
|
||
|
* In this example we routed 2a0a:e5c1:18f::/48 to the router
|
||
|
* 192.168.1.0/24 has 8 bits for the hosts (32-24=8)
|
||
|
* We choose 2a0a:e5c1:18f:b00::/120 to map the IPv4 island (128-120=8)
|
||
|
* We use the OpenWrt's standard address to masquerade/squash the IPv6 Internet
|
||
|
|
||
|
First we will create an "IPv4 pool":
|
||
|
|
||
|
```
|
||
|
root@vigir2:~# jool -4 -a 192.168.1.1
|
||
|
root@vigir2:~# jool -4
|
||
|
+------------+-------+--------------------+-----------------+-------------+
|
||
|
| Mark | Proto | Max iterations | Address | Ports |
|
||
|
+------------+-------+--------------------+-----------------+-------------+
|
||
|
| 0 | TCP | 1024 ( auto) | 192.168.1.1 | 1-65535 |
|
||
|
+------------+-------+--------------------+-----------------+-------------+
|
||
|
| 0 | UDP | 1024 ( auto) | 192.168.1.1 | 1-65535 |
|
||
|
+------------+-------+--------------------+-----------------+-------------+
|
||
|
| 0 | ICMP | 1024 ( auto) | 192.168.1.1 | 0-65535 |
|
||
|
+------------+-------+--------------------+-----------------+-------------+
|
||
|
(Fetched 3 samples.)
|
||
|
```
|
||
|
|
||
|
This allows jool to map IPv6 addresses stateful to 192.168.1.1 and
|
||
|
basically allows incoming IPv6 traffic. What is left now is to
|
||
|
configure the mapping from IPv6 to IPv4. For this we use the pool6
|
||
|
argument of jool:
|
||
|
|
||
|
```
|
||
|
jool -6 2a0a:e5c1:18f:b00::/96
|
||
|
```
|
||
|
|
||
|
Note that we cheated here. We did not only map
|
||
|
2a0a:e5c1:18f:b00::/120, but we did actually map the whole IPv4
|
||
|
range. The advantage of this is that we do not need to care which
|
||
|
networks are used on the IPv4 island. Any IPv4 address inside the LAN
|
||
|
segment is now reachable. If you want to reach the IP address
|
||
|
192.168.1.42, you can ping as **2a0a:e5c1:18f:b00::192.168.1.42**. As
|
||
|
a matter of fact, while writing this article, the sample network is up and
|
||
|
running and you should be able to **ping
|
||
|
2a0a:e5c1:18f:b00::192.168.1.1** from the IPv6 Internet.
|