summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-01-21 12:52:07 +0100
committerChristian Poessinger <christian@poessinger.com>2020-01-21 12:52:07 +0100
commit9ee929766b70a325e90bc12c711785a85be28992 (patch)
tree167edd66c9ac1f82ca0f64807c66557381a0ee0a
parentca482df6167eb697da38adedbc8db2b5c0976af5 (diff)
downloadvyos-documentation-9ee929766b70a325e90bc12c711785a85be28992.tar.gz
vyos-documentation-9ee929766b70a325e90bc12c711785a85be28992.zip
nptv6: move into dedicated chapter
-rw-r--r--docs/index.rst1
-rw-r--r--docs/nat.rst64
-rw-r--r--docs/nptv6.rst66
3 files changed, 67 insertions, 64 deletions
diff --git a/docs/index.rst b/docs/index.rst
index f6b3d595..c0922088 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -39,6 +39,7 @@ VyOS User Guide
firewall
routing/index
nat
+ nptv6
qos
high-availability
vpn/index
diff --git a/docs/nat.rst b/docs/nat.rst
index f4602913..ae0f8ca2 100644
--- a/docs/nat.rst
+++ b/docs/nat.rst
@@ -559,70 +559,6 @@ one external interface:
Firewall rules are written as normal, using the internal IP address as the
source of outbound rules and the destination of inbound rules.
-NPTv6
------
-
-NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's
-described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13.
-
-**Usage**
-
-NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
-external IPv6 prefix is dynamic, as it prevents the need for renumbering of
-internal hosts when the extern prefix changes.
-
-Let's assume the following network configuration:
-
-* eth0 : LAN
-* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
-* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
-
-Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
-2001:db8:e2::/48? What happens when you get a new provider with a different
-routed IPv6 subnet?
-
-The solution here is to assign to your hosts ULAs_ and to prefix-translate
-their address to the right subnet when going through your router.
-
-* LAN Subnet : fc00:dead:beef::/48
-* WAN 1 Subnet : 2001:db8:e1::/48
-* WAN 2 Subnet : 2001:db8:e2::/48
-
-* eth0 addr : fc00:dead:beef::1/48
-* eth1 addr : 2001:db8:e1::1/48
-* eth2 addr : 2001:db8:e2::1/48
-
-VyOS Support
-^^^^^^^^^^^^
-
-NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
-`nat nptv6` configuration nodes.
-
-.. code-block:: none
-
- set rule 10 inside-prefix 'fc00:dead:beef::/48'
- set rule 10 outside-interface 'eth1'
- set rule 10 outside-prefix '2001:db8:e1::/48'
- set rule 20 inside-prefix 'fc00:dead:beef::/48'
- set rule 20 outside-interface 'eth2'
- set rule 20 outside-prefix '2001:db8:e2::/48'
-
-Resulting in the following ip6tables rules:
-
-.. code-block:: none
-
- Chain VYOS_DNPT_HOOK (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
- 0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
- 0 0 RETURN all any any anywhere anywhere
- Chain VYOS_SNPT_HOOK (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
- 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
- 0 0 RETURN all any any anywhere anywhere
-
-
NAT before VPN
--------------
diff --git a/docs/nptv6.rst b/docs/nptv6.rst
new file mode 100644
index 00000000..6fdddb72
--- /dev/null
+++ b/docs/nptv6.rst
@@ -0,0 +1,66 @@
+.. _nptv6:
+
+#####
+NPTv6
+#####
+
+:abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's
+described in :rfc:`6296`.
+
+**Usage**
+
+NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
+external IPv6 prefix is dynamic, as it prevents the need for renumbering of
+internal hosts when the extern prefix changes.
+
+Let's assume the following network configuration:
+
+* eth0 : LAN
+* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
+* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
+
+Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
+2001:db8:e2::/48? What happens when you get a new provider with a different
+routed IPv6 subnet?
+
+The solution here is to assign to your hosts ULAs_ and to prefix-translate
+their address to the right subnet when going through your router.
+
+* LAN Subnet : fc00:dead:beef::/48
+* WAN 1 Subnet : 2001:db8:e1::/48
+* WAN 2 Subnet : 2001:db8:e2::/48
+
+* eth0 addr : fc00:dead:beef::1/48
+* eth1 addr : 2001:db8:e1::1/48
+* eth2 addr : 2001:db8:e2::1/48
+
+VyOS Support
+^^^^^^^^^^^^
+
+NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
+`nat nptv6` configuration nodes.
+
+.. code-block:: none
+
+ set rule 10 inside-prefix 'fc00:dead:beef::/48'
+ set rule 10 outside-interface 'eth1'
+ set rule 10 outside-prefix '2001:db8:e1::/48'
+ set rule 20 inside-prefix 'fc00:dead:beef::/48'
+ set rule 20 outside-interface 'eth2'
+ set rule 20 outside-prefix '2001:db8:e2::/48'
+
+Resulting in the following ip6tables rules:
+
+.. code-block:: none
+
+ Chain VYOS_DNPT_HOOK (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
+ 0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
+ 0 0 RETURN all any any anywhere anywhere
+ Chain VYOS_SNPT_HOOK (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
+ 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
+ 0 0 RETURN all any any anywhere anywhere
+