Archive for December 2020

I found that Jool has very good tutorials, but all the commands to get going are buried in these large tutorials. Here are the steps I took to get it working on Ubuntu 20.04 on both a Raspberry Pi and a Protectli Vault.

Please pre-read and refer to Jool's documentation for more information.

I have two Ubuntu 20.04 routers at home that run Jool. Both routers/firewalls use nftables, so I'm just using Jool in netfilter mode. When direct nftables support is implemented, I will move to that setup.

Quick Start/Setup jool

  • On Ubuntu 20.04 it's just an apt install
    • apt install jool-dkms jool-tools
  • sudo modprobe jool
    • Add jool to /etc/modules to make persistent
  • Add Stateful NAT64 pool
    • jool instance add --netfilter --pool6 64:ff9b::/96
    • Here I used a oneshot systemd service to add it on boot:
[Unit]
Description=Add NAT64 netfilter pool6 to jool

[Service]
Type=oneshot
ExecStart=/usr/bin/jool instance add --netfilter --pool6 64:ff9b::/96

[Install]
WantedBy=multi-user.target

Handy Commands

  • See instance
    • jool instance display
    • jool instance status
  • See sessions
    • jool session display
  • Global config
    • jool global display
  • Overall stats
    • jool stats display

Testing

Try to ping and traceroute to Google's main IPv4 NS anycast address 8.8.8.8 via IPv6 at 64:ff9b::8.8.8.8:

                              My traceroute  [v0.93]
coopbuntu (fd00:1::10)                                   2020-12-14T04:37:45+0000
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                         Packets               Pings
 Host                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. fd00:1::2                           0.0%    11    2.5   2.3   2.1   2.6   0.1
 2. (waiting for reply)
 3. 64:ff9b::6022:7b58                  0.0%    11    9.9  13.6   9.9  20.7   3.6
 4. 64:ff9b::6022:7576                  0.0%    11   18.6  14.0  11.3  18.6   2.7
 5. 64:ff9b::6022:7932                  0.0%    10   14.0  17.1  13.2  21.9   3.0
 6. 64:ff9b::6022:b5                    0.0%    10   20.6  22.3  18.1  28.2   3.5
 7. 64:ff9b::6022:301                   0.0%    10   22.1  18.9  17.0  22.1   1.5
 8. 64:ff9b::4a7d:3072                  0.0%    10   26.2  21.3  17.7  36.2   5.9
 9. 64:ff9b::6caa:e636                  0.0%    10   24.1  19.2  17.3  24.1   2.5
10. 64:ff9b::4a7d:fc97                  0.0%    10   19.6  21.1  18.0  27.3   3.1
11. 64:ff9b::808:808                    0.0%    10   17.1  18.2  16.5  24.5   2.4

Once ICMP works, move on to TCP.

  • ssh -v 64:ff9b::173.255.255.199

Session Table

  • jool session display is your friend to see current translations
    • --numeric stops the non-parallel DNS resolution
Every 1.0s: sudo jool session display                                  home1.cooperlees.com: Mon Dec 14 04:42:17 2020

---------------------------------
(ESTABLISHED) Expires in 1:59:31.440
Remote: us.cooperlees.com#ssh   fd00:1::10#48656
Local: 66.214.99.163#61019      64:ff9b::adff:ffc7#22
---------------------------------
(V4_FIN_V6_FIN_RCV) Expires in 0:03:14.796
Remote: 5.85.222.35.bc.googleusercontent.com#http       fd00:1::10#43868
Local: 66.214.99.163#62581      64:ff9b::23de:5505#80
---------------------------------
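To read the session table (or the mtr hops) without waiting on DNS, the IPv4 address can be decoded straight out of the 64:ff9b::/96 address. The following is an added example, not part of the original post or of Jool; it assumes a /96 pool6 and the `jool session display` layout shown above, and the function names are made up for illustration.

```python
import ipaddress
import re

POOL6 = ipaddress.ip_network("64:ff9b::/96")  # the pool6 configured on this page

def embed(v4, pool6=POOL6):
    """IPv4 -> its IPv6 form inside a /96 pool6 (IPv4 sits in the low 32 bits)."""
    if pool6.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled")
    return ipaddress.IPv6Address(int(pool6.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(v6, pool6=POOL6):
    """IPv6 -> embedded IPv4 address, or None when the address is outside pool6."""
    if pool6.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled")
    addr = ipaddress.IPv6Address(v6)
    if addr not in pool6:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def parse_sessions(text):
    """Parse `jool session display` text into dicts, one per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        head = re.match(r"\((\w+)\) Expires in (\S+)", line.strip())
        if head:
            cur = {"state": head[1], "expires": head[2]}
            sessions.append(cur)
        elif cur is not None and line.startswith(("Remote:", "Local:")):
            side, rest = line.split(":", 1)
            # Each side is "<ipv4 or name>#<port>   <ipv6>#<port>"
            v4, v6 = (tuple(tok.rsplit("#", 1)) for tok in rest.split())
            cur[side.lower() + "4"], cur[side.lower() + "6"] = v4, v6
            if side == "Local":
                # The Local IPv6 entry is the pool6 form of the IPv4 server reached
                cur["dst4"] = extract(v6[0])
    return sessions

# Session table copied from the output shown above
SAMPLE = """---------------------------------
(ESTABLISHED) Expires in 1:59:31.440
Remote: us.cooperlees.com#ssh   fd00:1::10#48656
Local: 66.214.99.163#61019      64:ff9b::adff:ffc7#22
---------------------------------
(V4_FIN_V6_FIN_RCV) Expires in 0:03:14.796
Remote: 5.85.222.35.bc.googleusercontent.com#http       fd00:1::10#43868
Local: 66.214.99.163#62581      64:ff9b::23de:5505#80
---------------------------------
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["state"], s["remote6"][0], "->", s["dst4"], "port", s["local6"][1])
```

The same `extract` call turns an mtr hop such as 64:ff9b::6022:7b58 back into the IPv4 router address it represents.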