Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jool can not working with netfilter(iptables/nftables) NAT which using conntrack #398

Closed
douniwan5788 opened this issue Feb 8, 2023 · 0 comments
Closed

Jool can not working with netfilter(iptables/nftables) NAT which using conntrack #398

douniwan5788 opened this issue Feb 8, 2023 · 0 comments
Labels
Discussion Not a bug (for now)
Milestone
4.1.10

Comments

@douniwan5788
Copy link

Internet <--- ipv6 ---> (2001:db8::1) WAN LAN(192.168.1.1) <--- ipv4 ---> IoT device(192.168.1.2)

I want to remote access my home IoT device over an ipv6-only wan, but a simple ipv6 port forwarding like below won't work……

jool instance add --pool6 64:ff9b::/96
nft 'add rule inet fw4 dstnat_wan meta nfproto ipv6 tcp dport 10022 dnat ip6 to [64:ff9b::c0a8:102]:22'

#372#issuecomment-1021322964

jool uses it's own bib table instead of conntrack to manage nat mappings, this causes iptables/nftables NAT(SNAT/DNAT/MASQUERADE) can not work together with jool as the connection is NEVER actually established, jool just drops ipv6 packets from one side and recreates ipv4 packets from the other side.

A workaround is to create a pair of veth then use the network namespace, this wiil let the packet "really" be sent to the interface and conntrack will be work fine
https://www.jool.mx/en/node-based-translation.html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Discussion Not a bug (for now)
Projects
None yet
Milestone
4.1.10
Development

No branches or pull requests
2 participants
@ydahhrk @douniwan5788