Add clat/ipv6 only notes to lte modem docs
parent 49fa5c1d94
commit 32a78e4c84
|
@ -0,0 +1,84 @@
|
||||||
|
# Inspiration / Further Reading
|
||||||
|
|
||||||
|
- [http://jool.mx/en/464xlat.html](http://jool.mx/en/464xlat.html)
|
||||||
|
- [https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17](https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17)
|
||||||
|
- [https://sites.google.com/site/tmoipv6/464xlat](https://sites.google.com/site/tmoipv6/464xlat)
|
||||||
|
- [http://jool.mx/en/install.html](http://jool.mx/en/install.html)
|
||||||
|
- [https://github.com/NICMx/Jool/](https://github.com/NICMx/Jool/)
|
||||||
|
- [https://hveem.no/using-dnsmasq-for-dhcpv6](https://hveem.no/using-dnsmasq-for-dhcpv6)
|
||||||
|
- [https://github.com/toreanderson/clatd](https://github.com/toreanderson/clatd)
|
||||||
|
- [http://jool.mx/en/run-vanilla.html#sample-network](http://jool.mx/en/run-vanilla.html#sample-network)
|
||||||
|
- [http://jool.mx/en/eamt.html](http://jool.mx/en/eamt.html)
|
||||||
|
- [http://jool.mx/en/run-eam.html](http://jool.mx/en/run-eam.html)
|
||||||
|
- [https://partiallydisassembled.wordpress.com/2017/04/14/pi-nat64/](https://partiallydisassembled.wordpress.com/2017/04/14/pi-nat64/)
|
||||||
|
|
||||||
|
# Install Jool
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
|
||||||
|
# If using raspbian be sure linux-headers package(s)
|
||||||
|
apt install build-essential pkg-config libnl-genl-3-dev libxtables-dev dkms git autoconf tar
|
||||||
|
|
||||||
|
git clone https://github.com/NICMx/Jool.git /scratch/jool
|
||||||
|
cd /scratch/jool
|
||||||
|
git checkout `git tag | sort -r | head -n1`
|
||||||
|
dkms install ./
|
||||||
|
./autogen.sh
|
||||||
|
./configure
|
||||||
|
cd src/usr
|
||||||
|
make
|
||||||
|
make install
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
# Figure out NAT64 endpoints via RFC7050
|
||||||
|
|
||||||
|
See ```quectel_ec25.md``` for details
|
||||||
|
|
||||||
|
# Figure out address mapping setup
|
||||||
|
|
||||||
|
Look at your ipv6 address, pray for a /64 and do some mappings...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
2607:fb90:88bd:95b9:999e:f533:32e4:71fa/64
|
||||||
|
-> 2607:fb90:88bd:95b9::
|
||||||
|
-> 2607:fb90:88bd:95b9::172.17.17.17/120
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
# Setup jool routing for ipv4 <> ipv6
|
||||||
|
|
||||||
|
```
|
||||||
|
sysctl -w net.ipv4.conf.all.forwarding=1
|
||||||
|
sysctl -w net.ipv6.conf.all.forwarding=1
|
||||||
|
modprobe jool_siit
|
||||||
|
jool_siit instance add "lollipop" --iptables --pool6 2607:7700:0:26::/96 # pool6 is NAT64 endpoints via RFC7050
|
||||||
|
jool_siit instance display
|
||||||
|
jool_siit -i "lollipop" eamt add "2607:fb90:88bd:95b9::172.17.17.0/120" "172.17.17.0/24" # ipv6 address map <> ipv4 lan
|
||||||
|
jool_siit -i "lollipop" eamt display
|
||||||
|
|
||||||
|
jool_siit -i "lollipop" stats display --all | less
|
||||||
|
|
||||||
|
ip6tables -t mangle -A PREROUTING \
|
||||||
|
-s 2607:fb90:88bd:95b9::172.17.17.0/120 \
|
||||||
|
-j JOOL_SIIT --instance "lollipop"
|
||||||
|
iptables -t mangle -A PREROUTING \
|
||||||
|
-s 172.17.17.0/24 \
|
||||||
|
-j JOOL_SIIT --instance "lollipop"
|
||||||
|
ip6tables -I OUTPUT -d 2607:7700:0:26::/96 -j ACCEPT
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
The iptables commands above were adapted from this block of the jool.mx docs
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
user@T:~# ip6tables -t mangle -A PREROUTING \
|
||||||
|
> -s 2001:db8::198.51.100.8/125 -d 2001:db8::192.0.2.0/120 \
|
||||||
|
> -j JOOL_SIIT --instance "example"
|
||||||
|
user@T:~# iptables -t mangle -A PREROUTING \
|
||||||
|
> -s 192.0.2.0/24 -d 198.51.100.8/29 \
|
||||||
|
> -j JOOL_SIIT --instance "example"
|
||||||
|
|
||||||
|
```
|
|
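Review bot: In the `ip6tables -t mangle -A PREROUTING` rule, the mapped LAN range `2607:fb90:88bd:95b9::172.17.17.0/120` is matched with `-s`, but in the jool.mx block quoted at the end of this file the IPv6 form of the IPv4-side network (`2001:db8::192.0.2.0/120`) sits under `-d`. Packets arriving from the IPv6 side carry the mapped range as their destination, so this rule most likely needs `-d 2607:fb90:88bd:95b9::172.17.17.0/120`, optionally narrowed with `-s 2607:7700:0:26::/96`. Separately, in the install block, `git tag | sort -r | head -n1` sorts lexically, so it can select an older or pre-release tag, and whatever it selects is then built and loaded as a kernel module by `dkms install`; use `sort -V` or pin a named release tag. The comment "If using raspbian be sure linux-headers package(s)" is also missing its verb.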
@ -19,15 +19,7 @@ Only perform these steps and operations if you *must* have a Quectel EC25 and ca
|
||||||
- [https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/](https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/)
|
- [https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/](https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/)
|
||||||
- [https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/](https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/)
|
- [https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/](https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/)
|
||||||
- [https://sixfab.com/gps-tracker-with-3g-4glte-shield/](https://sixfab.com/gps-tracker-with-3g-4glte-shield/)
|
- [https://sixfab.com/gps-tracker-with-3g-4glte-shield/](https://sixfab.com/gps-tracker-with-3g-4glte-shield/)
|
||||||
|
- [https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17](https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Setup Apt Repos
|
# Setup Apt Repos
|
||||||
|
|
||||||
|
@ -88,3 +80,60 @@ cgps 127.0.0.1:2948 # the "usual" way we like to monitor gps status
|
||||||
# Add -n -D 3 to options (for debugging)
|
# Add -n -D 3 to options (for debugging)
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# NAT64 + DNS64
|
||||||
|
|
||||||
|
If you find yourself on a pure ipv6 network with NAT64/DNS64 deployed, you'll need the following breadcrumbs and information to get things online.
|
||||||
|
|
||||||
|
This section is a Work In Progress and not 100% working. Help Welcome.
|
||||||
|
|
||||||
|
## Figure out NAT64 endpoints via RFC7050
|
||||||
|
|
||||||
|
This may or may not be deployed on your carrier's network. Start here for decyphering NAT64 prefixes.
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
|
||||||
|
host ipv4only.arpa
|
||||||
|
ipv4only.arpa has address 192.0.0.170
|
||||||
|
ipv4only.arpa has address 192.0.0.171
|
||||||
|
ipv4only.arpa has IPv6 address 2607:7700:0:26::c000:aa
|
||||||
|
ipv4only.arpa has IPv6 address 2607:7700:0:26::c000:ab
|
||||||
|
ping 2607:7700:0:26::8.8.8.8
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Figure out NAT64 endpoints w/o RFC7050
|
||||||
|
|
||||||
|
See the ```rfc7050.py``` script and ajust it lightly to look for an ipv4 only DNS record so the prefix can be found programatically by the rest of the script.
|
||||||
|
|
||||||
|
## Turn on DNS64 in Unbound
|
||||||
|
|
||||||
|
You'll need an additional include line in the config *above* the existing one for ```/etc/unbound/dns64.conf```.
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
|
||||||
|
cat > /etc/unbound/dns64.conf <<EOF
|
||||||
|
module-config: "dns64 validator iterator"
|
||||||
|
dns64-prefix: 2607:7700:0:26::/96
|
||||||
|
EOF
|
||||||
|
systemctl restart unbound
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Turn off DNS64 in Unbound
|
||||||
|
|
||||||
|
This is how you'd turn off DNS64 when back on ipv4 in some capacity.
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
|
||||||
|
cat > /etc/unbound/dns64.conf <<EOF
|
||||||
|
#module-config: "dns64 validator iterator"
|
||||||
|
#dns64-prefix:
|
||||||
|
EOF
|
||||||
|
systemctl restart unbound
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Dig into the clat setup
|
||||||
|
|
||||||
|
See ```clat.md``` for additional details on how to setup routing for the NAT64 edge. This is not working 100% and you've been warned some iptables and similarly difficult tech tinkering is required.
|
||||||
|
|
|
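Review bot: The `dns64.conf` heredoc under "Turn on DNS64 in Unbound" hard-codes `dns64-prefix: 2607:7700:0:26::/96`, which is the prefix from the sample `host ipv4only.arpa` output earlier in this section rather than a value every reader will have; on a different carrier Unbound would synthesize AAAA records into a prefix that is not that network's NAT64. Mark it as a value to replace with the prefix found in the discovery step. The sentence before the heredoc says an additional include line is required but never shows the line or names the file it belongs in; spell both out. In the first code block, `ping 2607:7700:0:26::8.8.8.8` follows the pasted `host` output with nothing separating commands from output.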
@ -0,0 +1,78 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
###############
|
||||||
|
# RFC7050 ipv6 prefix discovery
|
||||||
|
# Prefixes can have lengths 32, 40, 48, 56, 64, or 96 per RFC6052
|
||||||
|
# IMPORTANT: THIS DOES NOT HANDLE THE SUFFIX ASPECTS THAT MAY COME INTO PLAY ON SOME NETWORKS
|
||||||
|
###############
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Dependencies
|
||||||
|
##########
|
||||||
|
# pip3 install dnspython
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Sample T-Mobile record
|
||||||
|
##########
|
||||||
|
# ipv4only.arpa
|
||||||
|
# 192.0.0.170
|
||||||
|
# 192.0.0.171
|
||||||
|
# 2607:7700:0:26::c000:aa
|
||||||
|
# 2607:7700:0:26::c000:ab
|
||||||
|
|
||||||
|
##########
|
||||||
|
import ipaddress
|
||||||
|
import dns.resolver
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Discovery of DNS records
|
||||||
|
##########
|
||||||
|
#TODO: Swap this to a well-known address that is ISP independent
|
||||||
|
# Sub domain with only an A record somewhere?
|
||||||
|
Update to handle the tweaked approach
|
||||||
|
resolver = dns.resolver.Resolver()
|
||||||
|
a_recs = resolver.query("ipv4only.arpa", "A")
|
||||||
|
aaaa_recs = resolver.query("ipv4only.arpa", "AAAA")
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Process DNS records for prefix discovery process
|
||||||
|
##########
|
||||||
|
a_addresses = []
|
||||||
|
aaaa_addresses = []
|
||||||
|
|
||||||
|
for a in a_recs:
|
||||||
|
print(a)
|
||||||
|
a_addresses.append(ipaddress.IPv4Address(a.to_text()))
|
||||||
|
|
||||||
|
for aaaa in aaaa_recs:
|
||||||
|
print(aaaa)
|
||||||
|
aaaa_addresses.append(ipaddress.IPv6Address(aaaa.to_text()))
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Figure out published prefixes
|
||||||
|
##########
|
||||||
|
prefixes = []
|
||||||
|
|
||||||
|
for aaaa in aaaa_addresses:
|
||||||
|
ipv6_bytes = aaaa.packed
|
||||||
|
for a in a_addresses:
|
||||||
|
ipv4_bytes = a.packed
|
||||||
|
# Split the bytes so we can find the prefix minus the ipv4 address and following info
|
||||||
|
partition = ipv6_bytes.partition(ipv4_bytes)
|
||||||
|
if partition[0] != ipv6_bytes:
|
||||||
|
# Padded to a full 16 bytes needed by the Python ipaddress module
|
||||||
|
mask_number_bytes = 16 - len(partition[0])
|
||||||
|
# Figure out the actual integer mask
|
||||||
|
mask = 128 - (mask_number_bytes * 8)
|
||||||
|
# Pad the prefix with 0's
|
||||||
|
prefix_bytes = partition[0] + bytearray(mask_number_bytes)
|
||||||
|
# Get the /128 address
|
||||||
|
address = ipaddress.IPv6Address(prefix_bytes)
|
||||||
|
# Build the compressed address + mask for output
|
||||||
|
prefix = '/'.join([str(address), str(mask)])
|
||||||
|
# De-duplicate the prefixes
|
||||||
|
# Some ISPs publish multiple records that result in identical prefixes
|
||||||
|
if prefix not in prefixes:
|
||||||
|
prefixes.append(prefix)
|
||||||
|
|
||||||
|
print(prefixes)
|
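Review bot: The prefix extraction at `partition = ipv6_bytes.partition(ipv4_bytes)` only gives the right answer for two of the six lengths listed in the header comment. It assumes the IPv4 address is contiguous and starts immediately after the prefix, but RFC 6052 splits the address around octet 8 for /40, /48 and /56 (so nothing matches), and for /64 the reserved octet precedes the address, so `partition[0]` is 9 bytes long and the script reports a /72. Check the fixed RFC 6052 offsets for each allowed length instead of searching for the bytes, and reject any result whose length is not one of 32, 40, 48, 56, 64 or 96. As shown, the line `Update to handle the tweaked approach` has no leading `#` and would stop the script with a syntax error. Neither `resolver.query(...)` call is guarded, so on a network that returns no AAAA answer for `ipv4only.arpa` the script ends in a traceback rather than reporting that no NAT64 prefix was found.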