diff options
author | rebortg <github@ghlr.de> | 2020-11-29 21:32:45 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2020-11-29 21:32:45 +0100 |
commit | e7f01e6efc8578603592ff86c031d46f1f1f9d82 (patch) | |
tree | e667f1e169c61fa48af0d84c87a6300989891d3a /docs/configuration/nat/nptv6.rst | |
parent | bfb3814cd120d1bb661af26b3c55341f1697b397 (diff) | |
download | vyos-documentation-e7f01e6efc8578603592ff86c031d46f1f1f9d82.tar.gz vyos-documentation-e7f01e6efc8578603592ff86c031d46f1f1f9d82.zip |
arrange: nat, PBR, policy
Diffstat (limited to 'docs/configuration/nat/nptv6.rst')
-rw-r--r-- | docs/configuration/nat/nptv6.rst | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/docs/configuration/nat/nptv6.rst b/docs/configuration/nat/nptv6.rst new file mode 100644 index 00000000..f4e08325 --- /dev/null +++ b/docs/configuration/nat/nptv6.rst @@ -0,0 +1,69 @@ +.. include:: _include/need_improvement.txt + +.. _nptv6: + +##### +NPTv6 +##### + +:abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's +described in :rfc:`6296`. + +**Usage** + +NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the +external IPv6 prefix is dynamic, as it prevents the need for renumbering of +internal hosts when the extern prefix changes. + +Let's assume the following network configuration: + +* eth0 : LAN +* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it +* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it + +Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over +2001:db8:e2::/48? What happens when you get a new provider with a different +routed IPv6 subnet? + +The solution here is to assign to your hosts ULAs_ and to prefix-translate +their address to the right subnet when going through your router. + +* LAN Subnet : fc00:dead:beef::/48 +* WAN 1 Subnet : 2001:db8:e1::/48 +* WAN 2 Subnet : 2001:db8:e2::/48 + +* eth0 addr : fc00:dead:beef::1/48 +* eth1 addr : 2001:db8:e1::1/48 +* eth2 addr : 2001:db8:e2::1/48 + +VyOS Support +^^^^^^^^^^^^ + +NPTv6 support has been added in VyOS 1.2 (Crux) and is available through +`nat nptv6` configuration nodes. + +.. code-block:: none + + set rule 10 source prefix 'fc00:dead:beef::/48' + set rule 10 outbound-interface 'eth1' + set rule 10 translation prefix '2001:db8:e1::/48' + set rule 20 source prefix 'fc00:dead:beef::/48' + set rule 20 outbound-interface 'eth2' + set rule 20 translation prefix '2001:db8:e2::/48' + +Resulting in the following ip6tables rules: + +.. code-block:: none + + Chain VYOS_DNPT_HOOK (1 references) + pkts bytes target prot opt in out source destination + 0 0 NETMAP all eth1 any anywhere 2001:db8:e1::/48 to:fc00:dead:beef::/48 + 0 0 NETMAP all eth2 any anywhere 2001:db8:e2::/48 to:fc00:dead:beef::/48 + 0 0 RETURN all any any anywhere anywhere + Chain VYOS_SNPT_HOOK (1 references) + pkts bytes target prot opt in out source destination + 0 0 NETMAP all any eth1 fc00:dead:beef::/48 anywhere to:2001:db8:e1::/48 + 0 0 NETMAP all any eth2 fc00:dead:beef::/48 anywhere to:2001:db8:e2::/48 + 0 0 RETURN all any any anywhere anywhere + +.. _ULAs: https://en.wikipedia.org/wiki/Unique_local_address |