author    Christian Poessinger <christian@poessinger.com>  2018-10-03 09:44:39 +0200
committer Christian Poessinger <christian@poessinger.com>  2018-10-03 09:44:39 +0200
commit    ff62a3eef6ed3d94eb17a877391a2815713e13c5 (patch)
tree      0ab6dd0936470625beef65d347e0bb4740509755
parent    676003ffbdf1f26b667f2ab9490a2390076191e3 (diff)
download  vyos-documentation-ff62a3eef6ed3d94eb17a877391a2815713e13c5.tar.gz
          vyos-documentation-ff62a3eef6ed3d94eb17a877391a2815713e13c5.zip
Add NPTv6 to NAT chapter
-rw-r--r--  docs/ch08-nat.rst  61
1 files changed, 60 insertions, 1 deletions
diff --git a/docs/ch08-nat.rst b/docs/ch08-nat.rst
index 0266137b..8d930356 100644
--- a/docs/ch08-nat.rst
+++ b/docs/ch08-nat.rst
@@ -257,5 +257,64 @@ source of outbound rules and the destination of inbound rules.
NPTv6 (RFC6296)
---------------
-See here : [[How_to_do_NPTv6]]
+NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's
+described in RFC6296_. NPTv6 is supported in linux kernel since version 3.13.
+
+Usage
+-----
+
+NPTv6 is very useful for IPv6 multihoming. Let's assume the following network
+configuration:
+
+* eth0 : LAN
+* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
+* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
+
+Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
+2001:db8:e2::/48? What happens when you get a new provider with a different
+routed IPv6 subnet?
+
+The solution here is to assign to your hosts ULAs_ and to prefix-translate
+their address to the right subnet when going through your router.
+
+* LAN Subnet : fc00:dead:beef::/48
+* WAN 1 Subnet : 2001:db8:e1::/48
+* WAN 2 Subnet : 2001:db8:e2::/48
+
+* eth0 addr : fc00:dead:beef::1/48
+* eth1 addr : 2001:db8:e1::1/48
+* eth2 addr : 2001:db8:e2::1/48
+
+VyOS Support
+------------
+
+NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
+`nat nptv6` configuration nodes.
+
+.. code-block:: sh
+
+ set rule 10 inside-prefix 'fc00:dead:beef::/48'
+ set rule 10 outside-interface 'eth1'
+ set rule 10 outside-prefix '2001:db8:e1::/48'
+ set rule 20 inside-prefix 'fc00:dead:beef::/48'
+ set rule 20 outside-interface 'eth2'
+ set rule 20 outside-prefix '2001:db8:e2::/48'
+
+Resulting in the following ip6tables rules:
+
+.. code-block:: sh
+
+ Chain VYOS_DNPT_HOOK (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
+ 0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
+ 0 0 RETURN all any any anywhere anywhere
+ Chain VYOS_SNPT_HOOK (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
+ 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
+ 0 0 RETURN all any any anywhere anywhere
+
+.. _RFC6296: https://tools.ietf.org/html/rfc6296
+.. _ULAs: http://en.wikipedia.org/wiki/Unique_local_address
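Review bot: the `set rule 10 inside-prefix ...` commands in the first code block omit the `nat nptv6` path that the preceding sentence says the feature lives under, so a reader pasting them at the top level of `configure` gets an invalid node; either prefix each line (`set nat nptv6 rule 10 inside-prefix 'fc00:dead:beef::/48'`) or open the block with `edit nat nptv6` so the relative form is correct. Two smaller points: the example LAN prefix `fc00:dead:beef::/48` is drawn from the fc00::/8 half of the ULA range, whereas locally assigned ULAs per RFC 4193 come from fd00::/8, so a prefix such as `fd00:dead:beef::/48` would be the better teaching example; and the `Usage` and `VyOS Support` headings reuse the `-----` underline of `NPTv6 (RFC6296)`, which makes them siblings of that section in reStructuredText rather than subsections, so a different underline character is needed. Since the resulting `VYOS_DNPT_HOOK` rules rewrite every inbound packet destined to the whole `2001:db8:e1::/48` and `2001:db8:e2::/48` prefixes with no per-flow state, it is also worth a sentence noting that this mapping does not filter inbound traffic and that firewall rules on `eth1`/`eth2` are still required.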