From 9ee929766b70a325e90bc12c711785a85be28992 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 21 Jan 2020 12:52:07 +0100 Subject: nptv6: move into dedicated chapter --- docs/index.rst | 1 + docs/nat.rst | 64 -------------------------------------------------------- docs/nptv6.rst | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 64 deletions(-) create mode 100644 docs/nptv6.rst diff --git a/docs/index.rst b/docs/index.rst index f6b3d595..c0922088 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -39,6 +39,7 @@ VyOS User Guide firewall routing/index nat + nptv6 qos high-availability vpn/index diff --git a/docs/nat.rst b/docs/nat.rst index f4602913..ae0f8ca2 100644 --- a/docs/nat.rst +++ b/docs/nat.rst 
@@ -559,70 +559,6 @@ one external interface: Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules. -NPTv6 ------ - -NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's -described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13. - -**Usage** - -NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the -external IPv6 prefix is dynamic, as it prevents the need for renumbering of -internal hosts when the extern prefix changes. - -Let's assume the following network configuration: - -* eth0 : LAN -* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it -* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it - -Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over -2001:db8:e2::/48? What happens when you get a new provider with a different -routed IPv6 subnet? - -The solution here is to assign to your hosts ULAs_ and to prefix-translate -their address to the right subnet when going through your router. - -* LAN Subnet : fc00:dead:beef::/48 -* WAN 1 Subnet : 2001:db8:e1::/48 -* WAN 2 Subnet : 2001:db8:e2::/48 - -* eth0 addr : fc00:dead:beef::1/48 -* eth1 addr : 2001:db8:e1::1/48 -* eth2 addr : 2001:db8:e2::1/48 - -VyOS Support -^^^^^^^^^^^^ - -NPTv6 support has been added in VyOS 1.2 (Crux) and is available through -`nat nptv6` configuration nodes. - -.. code-block:: none - - set rule 10 inside-prefix 'fc00:dead:beef::/48' - set rule 10 outside-interface 'eth1' - set rule 10 outside-prefix '2001:db8:e1::/48' - set rule 20 inside-prefix 'fc00:dead:beef::/48' - set rule 20 outside-interface 'eth2' - set rule 20 outside-prefix '2001:db8:e2::/48' - -Resulting in the following ip6tables rules: - -.. 
code-block:: none - - Chain VYOS_DNPT_HOOK (1 references) - pkts bytes target prot opt in out source destination - 0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 - 0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 - 0 0 RETURN all any any anywhere anywhere - Chain VYOS_SNPT_HOOK (1 references) - pkts bytes target prot opt in out source destination - 0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 - 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 - 0 0 RETURN all any any anywhere anywhere - - NAT before VPN -------------- diff --git a/docs/nptv6.rst b/docs/nptv6.rst new file mode 100644 index 00000000..6fdddb72 --- /dev/null +++ b/docs/nptv6.rst 
@@ -0,0 +1,66 @@ +.. _nptv6: + +##### +NPTv6 +##### + +:abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's +described in :rfc:`6296`. + +**Usage** + +NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the +external IPv6 prefix is dynamic, as it prevents the need for renumbering of +internal hosts when the extern prefix changes. + +Let's assume the following network configuration: + +* eth0 : LAN +* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it +* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it + +Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over +2001:db8:e2::/48? What happens when you get a new provider with a different +routed IPv6 subnet? + +The solution here is to assign to your hosts ULAs_ and to prefix-translate +their address to the right subnet when going through your router. + +* LAN Subnet : fc00:dead:beef::/48 +* WAN 1 Subnet : 2001:db8:e1::/48 +* WAN 2 Subnet : 2001:db8:e2::/48 + +* eth0 addr : fc00:dead:beef::1/48 +* eth1 addr : 2001:db8:e1::1/48 +* eth2 addr : 2001:db8:e2::1/48 + +VyOS Support +^^^^^^^^^^^^ + +NPTv6 support has been added in VyOS 1.2 (Crux) and is available through +`nat nptv6` configuration nodes. + +.. code-block:: none + + set rule 10 inside-prefix 'fc00:dead:beef::/48' + set rule 10 outside-interface 'eth1' + set rule 10 outside-prefix '2001:db8:e1::/48' + set rule 20 inside-prefix 'fc00:dead:beef::/48' + set rule 20 outside-interface 'eth2' + set rule 20 outside-prefix '2001:db8:e2::/48' + +Resulting in the following ip6tables rules: + +.. 
code-block:: none + + Chain VYOS_DNPT_HOOK (1 references) + pkts bytes target prot opt in out source destination + 0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 + 0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 + 0 0 RETURN all any any anywhere anywhere + Chain VYOS_SNPT_HOOK (1 references) + pkts bytes target prot opt in out source destination + 0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 + 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 + 0 0 RETURN all any any anywhere anywhere + -- cgit v1.2.3
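Review bot: in the docs/nat.rst hunk, the removed line `NPTv6 is supported in linux kernel since version 3.13.` does not reappear in the new docs/nptv6.rst, so the move silently drops that statement; either carry it over into the new chapter or say in the commit message that the kernel-version note is intentionally dropped.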
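Review bot: in the docs/nptv6.rst hunk, the configuration example (`set rule 10 inside-prefix 'fc00:dead:beef::/48'` and the five lines after it) omits the `nat nptv6` path that the preceding sentence says these nodes live under, so the commands cannot be pasted as written; prefix each line with the full path, e.g. `set nat nptv6 rule 10 inside-prefix 'fc00:dead:beef::/48'`. The same hunk uses the named reference `ULAs_` but adds no `.. _ULAs:` target, so if that target stays behind in nat.rst Sphinx will report an unknown target in the new chapter; move or duplicate the target alongside the text. Minor: `extern prefix` should read `external prefix`.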