This document explains how to run Jool in stock SIIT mode. Follow the link for more details on what to expect.
In case you’re wondering, you can follow along with these tutorials using virtual machines or alternate interface types just fine. Jool is not married to physical “ethX” interfaces.
If you intend to use iptables Jool, basic familiarity with iptables is recommended.
You don’t need all the nodes shown in the diagram to follow along; you can get away with only A, T and V; the rest are very similar to A and V and are shown for illustrative purposes only.
We will pretend I have address block 198.51.100.8/29 to distribute among my IPv6 nodes.
Jool requires T to be Linux. The rest can be anything you want, as long as it implements the network protocol it’s connected to. You are also free to configure the networks using any manager you want.
For the sake of simplicity, however, the examples below assume every node is Linux and everything is being configured statically using the well-known ip command (and friends). Depending on your distro, your mileage might vary on how to get the network manager out of the way (assuming that’s what you want). Just to clarify, the point of service network-manager stop below is to claim control over your interface addresses and routes (otherwise the ip commands might be ineffectual).
This is nodes A through E:
Nodes V through Z:
Because we haven’t turned T into a translator yet, nodes A through E still cannot interact with V through Z, but you might want to make sure T can ping everyone before continuing.
Also, enable forwarding on T.
First, teach your kernel what SIIT is by attaching the jool_siit module to your kernel:
Then, create a SIIT instance and perform the bare minimum configuration:
About those iptables rules: Notice that we did not include any matches (such as -s or -d). This is merely for the sake of tutorial simplicity. If you want to narrow down the traffic that gets translated, you should be able to combine any matches as needed.
If you choose to use the --protocol match, please make sure that you include at least one rule that properly matches ICMP. It’s important that you don’t prevent the translation of ICMP errors, because they are required for essential Internet upkeep (such as Path MTU Discovery).
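The ICMP caveat above can be checked mechanically. The following is an added example, not part of the Jool documentation: a shell function that reads rules in iptables-save format and reports whether any rule using Jool's JOOL_SIIT target still lets ICMP reach the translator. The function name, the sample rule sets and the instance name "example" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Jool documentation).
# Reads iptables-save / ip6tables-save output on stdin and prints:
#   ok             at least one JOOL_SIIT rule can match ICMP
#   icmp-blocked   every JOOL_SIIT rule has a protocol match that excludes ICMP
#   no-jool-rules  no JOOL_SIIT rule was found
jool_icmp_audit() {
    awk '
        /-j JOOL_SIIT/ {
            rules++; proto = ""; neg = 0
            # Find the protocol match, if any, and whether it is negated ("! -p tcp").
            for (i = 1; i < NF; i++)
                if ($i == "-p" || $i == "--protocol") {
                    proto = $(i + 1)
                    neg = ($(i - 1) == "!")
                }
            is_icmp = (proto ~ /^(icmp|ipv6-icmp|icmpv6|1|58)$/)
            # A rule covers ICMP when it has no protocol match, matches ICMP
            # directly, or negates some other protocol.
            if (proto == "" || (is_icmp && !neg) || (!is_icmp && neg)) covered++
        }
        END {
            if (rules == 0)       print "no-jool-rules"
            else if (covered > 0) print "ok"
            else                  print "icmp-blocked"
        }
    '
}

# Constructed sample: only TCP and UDP are handed to Jool, so ICMP errors
# (and with them Path MTU Discovery) never get translated.
SAMPLE_BAD='*mangle
-A PREROUTING -p tcp -j JOOL_SIIT --instance example
-A PREROUTING -p udp -j JOOL_SIIT --instance example
COMMIT'

# Constructed sample: same rules plus one that matches ICMP.
SAMPLE_GOOD='*mangle
-A PREROUTING -p tcp -j JOOL_SIIT --instance example
-A PREROUTING -p udp -j JOOL_SIIT --instance example
-A PREROUTING -p icmp -j JOOL_SIIT --instance example
COMMIT'

printf '%s\n' "$SAMPLE_BAD"  | jool_icmp_audit
printf '%s\n' "$SAMPLE_GOOD" | jool_icmp_audit
```

On a live translator the function would be fed from iptables-save -t mangle and ip6tables-save -t mangle, since both address families need an ICMP-capable rule.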
If something doesn’t work, try the FAQ. In particular, if you face noticeably low performance, try disabling offloads.
Try to ping A from V like this:
Then ping V from A:
How about hooking up a server in X and accessing it from D:
Then maybe another one in C and request from W:
Destroy your instance by reverting the instance add:
And unteach SIIT from your kernel by reverting the modprobe if you want:
More complex setups might require you to consider the MTU notes.
Please note that none of what was done in this tutorial survives reboots! Here’s documentation on persistence.