| author | Christian Poessinger <christian@poessinger.com> | 2018-10-03 09:44:39 +0200 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2018-10-03 09:44:39 +0200 | 
| commit | ff62a3eef6ed3d94eb17a877391a2815713e13c5 (patch) | |
| tree | 0ab6dd0936470625beef65d347e0bb4740509755 | |
| parent | 676003ffbdf1f26b667f2ab9490a2390076191e3 (diff) | |
| download | vyos-documentation-ff62a3eef6ed3d94eb17a877391a2815713e13c5.tar.gz vyos-documentation-ff62a3eef6ed3d94eb17a877391a2815713e13c5.zip  | |
Add NPTv6 to NAT chapter
| -rw-r--r-- | docs/ch08-nat.rst | 61 | 
1 files changed, 60 insertions, 1 deletions
diff --git a/docs/ch08-nat.rst b/docs/ch08-nat.rst index 0266137b..8d930356 100644 --- a/docs/ch08-nat.rst +++ b/docs/ch08-nat.rst 
@@ -257,5 +257,64 @@ source of outbound rules and the destination of inbound rules.  NPTv6 (RFC6296)  --------------- -See here : [[How_to_do_NPTv6]] +NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's +described in RFC6296_. NPTv6 is supported in linux kernel since version 3.13. + +Usage +----- + +NPTv6 is very useful for IPv6 multihoming. Let's assume the following network +configuration: + +* eth0 : LAN +* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it +* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it + +Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over +2001:db8:e2::/48? What happens when you get a new provider with a different +routed IPv6 subnet? + +The solution here is to assign to your hosts ULAs_ and to prefix-translate +their address to the right subnet when going through your router. + +* LAN Subnet : fc00:dead:beef::/48 +* WAN 1 Subnet : 2001:db8:e1::/48 +* WAN 2 Subnet : 2001:db8:e2::/48 + +* eth0 addr : fc00:dead:beef::1/48 +* eth1 addr : 2001:db8:e1::1/48 +* eth2 addr : 2001:db8:e2::1/48 + +VyOS Support +------------ + +NPTv6 support has been added in VyOS 1.2 (Crux) and is available through +`nat nptv6` configuration nodes. + +.. code-block:: sh + +  set rule 10 inside-prefix 'fc00:dead:beef::/48' +  set rule 10 outside-interface 'eth1' +  set rule 10 outside-prefix '2001:db8:e1::/48' +  set rule 20 inside-prefix 'fc00:dead:beef::/48' +  set rule 20 outside-interface 'eth2' +  set rule 20 outside-prefix '2001:db8:e2::/48' + +Resulting in the following ip6tables rules: + +.. 
code-block:: sh + +  Chain VYOS_DNPT_HOOK (1 references) +   pkts bytes target     prot opt in     out     source               destination +      0     0 DNPT       all      eth1   any     anywhere             2001:db8:e1::/48    src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 +      0     0 DNPT       all      eth2   any     anywhere             2001:db8:e2::/48    src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 +      0     0 RETURN     all      any    any     anywhere             anywhere +  Chain VYOS_SNPT_HOOK (1 references) +   pkts bytes target     prot opt in     out     source               destination +      0     0 SNPT       all      any    eth1    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 +      0     0 SNPT       all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 +      0     0 RETURN     all      any    any     anywhere             anywhere + +.. _RFC6296: https://tools.ietf.org/html/rfc6296 +.. _ULAs: http://en.wikipedia.org/wiki/Unique_local_address  | 
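Review bot: the `set` commands in the VyOS Support block omit the configuration path the preceding sentence names, so as written they will not apply: `set rule 10 inside-prefix 'fc00:dead:beef::/48'` should read `set nat nptv6 rule 10 inside-prefix 'fc00:dead:beef::/48'` (and likewise for the other five lines), matching the `nat nptv6` node mentioned just above. Two smaller points in the same hunk: the LAN prefix `fc00:dead:beef::/48` sits in `fc00::/8`, which RFC 4193 reserves for future definition, while locally assigned ULAs come from `fd00::/8`, so an `fd..::/48` example would be correct where this one is not; and since the text introduces NPTv6 as "a form of NAT for IPv6", a sentence stating that it is a stateless, checksum-neutral prefix mapping would help, because the `VYOS_DNPT_HOOK` chain shown translates any inbound packet for `2001:db8:e1::/48` or `2001:db8:e2::/48` back to the ULA prefix regardless of whether a host initiated the flow, so, unlike stateful NAT44, it gives the LAN no implicit inbound filtering and a separate IPv6 firewall policy is still required. Finally, the `Usage` and `VyOS Support` headings use the same `---` underline as `NPTv6 (RFC6296)`, so Sphinx will render them as sibling sections rather than subsections; a different underline character would nest them under NPTv6.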
