Merge branch 'master' of git+ssh://code.ungleich.ch/ungleich-public/ungleich-staticcms

2020-12-15 16:14:24 +01:00 · 2020-12-15 16:14:24 +01:00 · c545db817d
parent 6bf42ba019 0e880de2d3
commit c545db817d
4 changed files with 112 additions and 0 deletions
--- a/assets/u/image/ipv4-ipv6-nat-asymmetric.png
+++ b/assets/u/image/ipv4-ipv6-nat-asymmetric.png
--- a/assets/u/image/ipv4-nat.png
+++ b/assets/u/image/ipv4-nat.png
--- a/assets/u/image/ipv4-only-island-ipv6-reachable.png
+++ b/assets/u/image/ipv4-only-island-ipv6-reachable.png
--- a/content/u/blog/managing-ipv4-islands-with-jool-and-openwrt/contents.lr
+++ b/content/u/blog/managing-ipv4-islands-with-jool-and-openwrt/contents.lr
@ -0,0 +1,112 @@
+_hidden: no
+---
+_discoverable: yes
+---
+pub_date: 2020-12-15
+---
+title: Managing IPv4 islands with Jool and OpenWrt
+---
+abstract: How to access IPv4 islands from IPv6 networks
+---
+author: ungleich
+---
+twitter_handle: ungleich
+---
+body:
+
+## Introduction
+
+At ungleich we are using [Jool](https://www.jool.mx/) in a variety of
+scenarios with NAT64 or SIIT. The main use of jool in our
+infrastructure is to enable IPv6 only hosts to communicate with the
+IPv4 Internet.
+
+However today we want to show you a different use case of jool:
+Enabling IPv4 islands to communicate with the IPv6 Internet.
+
+For this we will focus on using Jool on
+[OpenWrt](https://openwrt.org), because this is a platform that you
+can also easily use in your networks or even at home.
+
+## The general problem to solve
+
+The literally biggest problem to solve when connecting the two
+different worlds is that the IPv6 space is significantly bigger. This
+is a problem, because we cannot achieve a 1:1 mapping from the IPv4
+world, but we can do a 1:1 mapping from the IPv6 world:
+
+![](/u/image/ipv4-ipv6-nat-asymmetric.png)
+
+## Installing jool
+
+Installing jool on OpenWrt is very easy, it is just a matter of
+installing the kernel module and the tools for managing jool:
+
+```
+opkg update
+opkg install kmod-jool jool-tools
+```
+
+## Making IPv4 islands reachable
+
+Assume that you are mostly running IPv6 only networks. And you happen
+to have some hosts, which, for whatever reason, cannot be switched to
+IPv6. We can use a stateful NAT64 to map "the whole IPv6 Internet" to
+192.0.2.1 as follows:
+
+![](/u/image/ipv4-only-island-ipv6-reachable.png)
+
+This works pretty similar to regular NAT that you are used from
+home. If we compare it visually, it is even more clear:
+
+![](/u/image/ipv4-nat.png)
+
+Let's have a look at this in an OpenWrt context:
+
+* The LAN network is usually 192.168.1.0/24
+* The router's IPv4 address is usually 192.168.1.1
+* In this example we routed 2a0a:e5c1:18f::/48 to the router
+* 192.168.1.0/24 has 8 bits for the hosts (32-24=8)
+* We choose 2a0a:e5c1:18f:b00::/120 to map the IPv4 island (128-120=8)
+* We use the OpenWrt's standard address to masquerade/squash the IPv6 Internet
+
+First we will create an "IPv4 pool":
+
+```
+root@vigir2:~# jool -4 -a 192.168.1.1
+root@vigir2:~# jool -4
+------------+-------+--------------------+-----------------+-------------+
+|       Mark | Proto |     Max iterations |         Address |       Ports |
+------------+-------+--------------------+-----------------+-------------+
+|          0 |   TCP |       1024 ( auto) |     192.168.1.1 |     1-65535 |
+------------+-------+--------------------+-----------------+-------------+
+|          0 |   UDP |       1024 ( auto) |     192.168.1.1 |     1-65535 |
+------------+-------+--------------------+-----------------+-------------+
+|          0 |  ICMP |       1024 ( auto) |     192.168.1.1 |     0-65535 |
+------------+-------+--------------------+-----------------+-------------+
+  (Fetched 3 samples.)
+```
+
+This allows jool to map IPv6 addresses stateful to 192.168.1.1 and
+basically allows incoming IPv6 traffic. What is left now is to
+configure the mapping from IPv6 to IPv4. For this we use the pool6
+argument of jool:
+
+```
+jool -6 2a0a:e5c1:18f:b00::/96
+```
+
+Note that we cheated here. We did not only map
+2a0a:e5c1:18f:b00::/120, but we did actually map the whole IPv4
+range. The advantage of this is that we do not need to care which
+networks are used on the IPv4 island. Any IPv4 address inside the LAN
+segment is now reachable. If you want to reach the IP address
+192.168.1.42, you can ping as **2a0a:e5c1:18f:b00::192.168.1.42**. As
+a matter of fact, while writing this article, the sample network is up and
+running and you should be able to **ping
+2a0a:e5c1:18f:b00::192.168.1.1** from the IPv6 Internet.
+
+## More of this?
+
+If you are interested in IPv6 or network, feel free to join us on the
+[IPv6.chat](https://IPv6.chat).