Merge branch 'master' of git+ssh://code.ungleich.ch/ungleich-public/ungleich-staticcms

2020-12-15 16:14:24 +01:00 · 2020-12-15 16:14:24 +01:00 · c545db817d
commit c545db817d
parent 6bf42ba019 0e880de2d3
4 changed files with 112 additions and 0 deletions
--- a/assets/u/image/ipv4-ipv6-nat-asymmetric.png
+++ b/assets/u/image/ipv4-ipv6-nat-asymmetric.png
--- a/assets/u/image/ipv4-nat.png
+++ b/assets/u/image/ipv4-nat.png
--- a/assets/u/image/ipv4-only-island-ipv6-reachable.png
+++ b/assets/u/image/ipv4-only-island-ipv6-reachable.png
--- a/content/u/blog/managing-ipv4-islands-with-jool-and-openwrt/contents.lr
+++ b/content/u/blog/managing-ipv4-islands-with-jool-and-openwrt/contents.lr
@ -0,0 +1,112 @@
 _hidden: no
 ---
 _discoverable: yes
 ---
 pub_date: 2020-12-15
 ---
 title: Managing IPv4 islands with Jool and OpenWrt
 ---
 abstract: How to access IPv4 islands from IPv6 networks
 ---
 author: ungleich
 ---
 twitter_handle: ungleich
 ---
 body:
 ## Introduction
 At ungleich we are using [Jool](https://www.jool.mx/) in a variety of
 scenarios with NAT64 or SIIT. The main use of jool in our
 infrastructure is to enable IPv6 only hosts to communicate with the
 IPv4 Internet.
 However today we want to show you a different use case of jool:
 Enabling IPv4 islands to communicate with the IPv6 Internet.
 For this we will focus on using Jool on
 [OpenWrt](https://openwrt.org), because this is a platform that you
 can also easily use in your networks or even at home.
 ## The general problem to solve
 The literally biggest problem to solve when connecting the two
 different worlds is that the IPv6 space is significantly bigger. This
 is a problem, because we cannot achieve a 1:1 mapping from the IPv4
 world, but we can do a 1:1 mapping from the IPv6 world:
 ![](/u/image/ipv4-ipv6-nat-asymmetric.png)
 ## Installing jool
 Installing jool on OpenWrt is very easy, it is just a matter of
 installing the kernel module and the tools for managing jool:
 ```
 opkg update
 opkg install kmod-jool jool-tools
 ```
 ## Making IPv4 islands reachable
 Assume that you are mostly running IPv6 only networks. And you happen
 to have some hosts, which, for whatever reason, cannot be switched to
 IPv6. We can use a stateful NAT64 to map "the whole IPv6 Internet" to
 192.0.2.1 as follows:
 ![](/u/image/ipv4-only-island-ipv6-reachable.png)
 This works pretty similar to regular NAT that you are used from
 home. If we compare it visually, it is even more clear:
 ![](/u/image/ipv4-nat.png)
 Let's have a look at this in an OpenWrt context:
 * The LAN network is usually 192.168.1.0/24
 * The router's IPv4 address is usually 192.168.1.1
 * In this example we routed 2a0a:e5c1:18f::/48 to the router
 * 192.168.1.0/24 has 8 bits for the hosts (32-24=8)
 * We choose 2a0a:e5c1:18f:b00::/120 to map the IPv4 island (128-120=8)
 * We use the OpenWrt's standard address to masquerade/squash the IPv6 Internet
 First we will create an "IPv4 pool":
 ```
 root@vigir2:~# jool -4 -a 192.168.1.1
 root@vigir2:~# jool -4
 +------------+-------+--------------------+-----------------+-------------+
 |       Mark | Proto |     Max iterations |         Address |       Ports |
 +------------+-------+--------------------+-----------------+-------------+
 |          0 |   TCP |       1024 ( auto) |     192.168.1.1 |     1-65535 |
 +------------+-------+--------------------+-----------------+-------------+
 |          0 |   UDP |       1024 ( auto) |     192.168.1.1 |     1-65535 |
 +------------+-------+--------------------+-----------------+-------------+
 |          0 |  ICMP |       1024 ( auto) |     192.168.1.1 |     0-65535 |
 +------------+-------+--------------------+-----------------+-------------+
  (Fetched 3 samples.)
 ```
 This allows jool to map IPv6 addresses stateful to 192.168.1.1 and
 basically allows incoming IPv6 traffic. What is left now is to
 configure the mapping from IPv6 to IPv4. For this we use the pool6
 argument of jool:
 ```
 jool -6 2a0a:e5c1:18f:b00::/96
 ```
 Note that we cheated here. We did not only map
 2a0a:e5c1:18f:b00::/120, but we did actually map the whole IPv4
 range. The advantage of this is that we do not need to care which
 networks are used on the IPv4 island. Any IPv4 address inside the LAN
 segment is now reachable. If you want to reach the IP address
 192.168.1.42, you can ping as **2a0a:e5c1:18f:b00::192.168.1.42**. As
 a matter of fact, while writing this article, the sample network is up and
 running and you should be able to **ping
 2a0a:e5c1:18f:b00::192.168.1.1** from the IPv6 Internet.
 ## More of this?
 If you are interested in IPv6 or network, feel free to join us on the
 [IPv6.chat](https://IPv6.chat).