CNFs NAT46¶
Overview¶
Cloud-Native Network Functions (CNFs) NAT46 provides the ability to process IPv4 to IPv6 application traffic, specifically between IPv4 only clients and IPv6 only servers. To provide NAT46, the Service Proxy Traffic Management Microkernel (TMM) Proxy Pod uses an IPv4 virtual server to receive connections, and load balancing connections to IPv6 pool members as the packet destinations. The Service Proxy TMM Pod translate the source IP address of egress network packets to IPv6 using source network address translation (SNAT).
Connection example¶
When the IPv4 client requires a connection to IPv6 server www.46test.com, the TMM Proxy Pod’s virtual server receives the connection for 10.30.2.1, and load balances the connection to one of the pool members using the pool member’s IP address 2002::10:30:2:220 as the destination. When the IPv4 client connects to 10.30.2.1 through the TMM Proxy Pod, the network packet is sent to destination address 2002::10:30:2:220, using the source IP address 2002::10:30:2:111 selected from the configured SNAT pool. Connections between the endpoints continue to flow through the TMM Proxy Pod for the life of the connection.
Required CNFs CRs¶
NAT46 requires CNFs Custom Resources (CRs) installed in this order:
- The F5BigNetVlan specifies clientside IPv4 and serverside IPv6 addresses.
- The F5BigCneSnatpool specifies IPv6 addresses used to translate subscriber connections.
- The optional F5BigFwPolicy filters application connections by IP address.
- The optional F5BigLogProfile sends connection events to remote logging servers.
- The F5BigContextSecure processes and load balances subscriber connections.
This document describes, and guides you through the DNS46 implementation.
Requirements¶
Ensure you have:
- Installed the BIG-IP Controller.
- Installed the dSSM Database for F5BigNatPolicy configurations.
- A Linux based workstation.
Installation¶
Use this installation procedure to configure NAT46.
Tip: Open a second shell to view the CNFs Event Logs while installing.
The example F5BigNetVlan CR configures IPv4 addresses on the clientside, and IPv6 addresses on the serverside for up to 2 TMM Proxy Pods. Copy and paste the example CR into a YAML file:
Note: You can configure both IPv4 and IPv6 addresses on each VLAN.
apiVersion: "k8s.f5net.com/v1" kind: F5BigNetVlan metadata: name: "subscriber-vlan" namespace: "cnf-gateway" spec: name: clientside interfaces: - "1.1" selfip_v4s: - 10.10.10.100 - 10.10.10.101 prefixlen_v4: 24 cmp_hash: DST_ADDR --- apiVersion: "k8s.f5net.com/v1" kind: F5BigNetVlan metadata: name: "application-vlan" namespace: "cnf-gateway" spec: name: serverside interfaces: - "1.2" selfip_v6s: - 2002::192:168:10:100 - 2002::192:168:10:101 prefixlen_v6: 116 mtu: 9000 cmp_hash: SRC_ADDR
Install the F5BigNetVlan CR:
In this example, the BIG-IP Controller logs indicate the F5BigNetVlan CRs were added/updated:
I0613 12:00:00:12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Vlan", F5Vlan cnf-gateway/subscriber-vlan was added/updated
I0613 12:00:00:12345 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Vlan", F5Vlan cnf-gateway/application-vlan was added/updated
The example F5BigCneSnatpool CR configures up to 2 TMM Pods with 4 IPv6 address to translate egress connections. Copy and paste the example CR into a YAML file:
Note: The F5BigCneSnatpool CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigCneSnatpool metadata: name: "46-snatpool" namespace: "cnf-gateway" spec: name: "46_snatpool" addressList: - - 2002::10:30:2:111 - 2002::10:30:2:112 - 2002::10:30:2:113 - 2002::10:30:2:114 - - 2002::10:30:2:115 - 2002::10:30:2:116 - 2002::10:30:2:117 - 2002::10:30:2:118
Install the F5BigCneSnatpool CR:
kubectl apply -f f5-cnf-snatpool.yaml
In this example, the BIG-IP Controller logs indicate the F5BigCneSnatpool CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5Snatpool", F5Snatpool cnf-gateway/46_snatpool was added/updated
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
apiVersion: k8s.f5net.com/v1 kind: F5BigLogHslpub metadata: name: "cnf-hsl-pub" namespace: "cnf-gateway" spec: pool: - name: "hsl-pool" endpoint: - "[2002::10:30:2:220]:514" syslog: - name: "cnf-syslog" format: "rfc5424" protocol: "udp" pool: "hsl-pool"
Install the F5BigLogHslpub CR:
kubectl apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: The example F5BigLogProfile CR captures firewall events such as packet match and drop. Copy and paste the CR nto a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigLogProfile metadata: name: "cnf-log-profile" namespace: "cnf-gateway" spec: name: "cnf-logs" firewall: enabled: true network: publisher: "cnf-hsl-pub" events: aclMatchAccept: true aclMatchDrop: true tcpEvents: true translationFields: true
Install the F5BigLogProfile CR:
kubectl apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/log_profile1 was added/updated
Optional: The example F5BigFwPolicy CR allows connectivity only from the IPv4 prefix 10.20.2.0/24. Copy and paste the CR into a YAML file:
Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigFwPolicy metadata: name: "cnf-fw-46" namespace: "cnf-gateway" spec: rule: - name: allow-10-20 action: "accept" logging: true ipProtocol: any source: addresses: - "10.20.2.0/24" - name: drop-all action: "drop" logging: true ipProtocol: any source: addresses: - "0.0.0.0/0"
Install the F5BigFwPolicy CR:
kubectl apply -f cnf-fw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-46 was added/updated
The F5BigContextSecure CR accepts packets on the subscriber-vlan interface destined to the 10.30.2.0/24 IPv4 prefix, and load balances the packets to the 2002::10:30:2:220 and 2002::10:30:2:221 destination IP addresses. A translated client source IPv6 address will be selected from the installed F5BigCneSnatpool. Copy and paste the CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-46-context" namespace: "cnf-gateway" spec: destinationAddress: "10.30.2.0/24" destinationPort: 0 ipProtocol: "any" profile: "fastL4" firewallEnforcedPolicy: "cnf-fw-46" logProfile: "cnf-log-profile" vlans: vlanList: - "subscriber-vlan" snat: type: "snat" pool: "46_snatpool" pool: members: - address: "2002::10:30:2:220" - address: "2002::10:30:2:221"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-46-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", F5SecureContext cnf-gateway/cnf-46-context was added/updated
Continue to the Traffic statistics section.
Traffic statistics¶
If you have installed the TMM Debug container, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify F5BigNatPolicy connection statistics:
tmctl -d blade fw_nat_rule_stat
context_type context_name rule_name --------- --------------------------------------- -------------------------- virtual cnf-cnf-context-secure-SecureContext_vs 10-20-subnet-natpolicyrule micro_rules counter last_hit_time action ----------- ------- ------------- ------ 1 8 1643836695 0
tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
type name translation_requests ------------ ----------- -------------------- fw_src_trans transparent 8 fw_dst_trans transparent 8 fw_src_trans automap 0
Verify the F5BigNatPolicy client IP address mappings:
lsndb list all
Client Connections ----------------------------------------------------------- 0 client with 0 connection found. LSN Persistence Entries Client Translation ----------------------------------------------------------- 10.20.2.220:52110 10.200.2.8:8265 10.20.2.220 10.200.2.8 2 persist entries found. LSN port block allocations Client Port block ---------------------------------------------------------- 0 port block entries found. LSN Inbound Mapping Entries Translation Client ---------------------------------------------------------- 10.200.2.8:8265 10.20.2.220:52110 10.200.2.7:8397 10.20.2.220:52106
Verify the F5BigFwPolicy statistics:
tmctl -d blade fw_rule_stat -s rule_name,counter,last_hit_time,action
rule_name counter last_hit_time action -------------------------- ------- ------------- ------ allow-4-firewallpolicyrule 1 1646355700 2 allow-6-firewallpolicyrule 1 1646355702 2 drop-4-firewallpolicyrule 0 0 0 drop-6-firewallpolicyrule 0 0 0
Verify the F5BigDnsApp DNS Profile statistics:
tmctl -d blade profile_dns_stat -s name,queries,responses
name queries responses ---------------------------------- ------- --------- cnf-gateway-cnf-dns-64-profile_dns 20 20
Verify the F5BigContextSecure, and F5BigDnsApp virtual server statistics:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns -------------------------------------- -------------------- cnf-gateway-ipv64-vip-SecureContext_vs 15 cnf-gateway-dns-64-virtual_server 20
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.