1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
.. _nat66:
############
NAT66(NPTv6)
############
:abbr:`NPTv6 (IPv6-to-IPv6 Network Prefix Translation)` is an address translation technology based
on IPv6 networks, used to convert an IPv6 address prefix in an IPv6 message into another IPv6
address prefix. We call this address translation method NAT66. Devices that support the NAT66
function are called NAT66 devices, which can provide NAT66 source and destination address
translation functions.
Overview
========
Different NAT Types
-------------------
.. _source-nat66:
SNAT66
^^^^^^
:abbr:`SNPTv6 (Source IPv6-to-IPv6 Network Prefix Translation)` The conversion function is mainly used in
the following scenarios:
* A single internal network and external network. Use the NAT66 device to connect a single internal
network and public network, and the hosts in the internal network use IPv6 address prefixes that
only support routing within the local range. When a host in the internal network accesses the
external network, the source IPv6 address prefix in the message will be converted into a
global unicast IPv6 address prefix by the NAT66 device.
* Redundancy and load sharing. There are multiple NAT66 devices at the edge of an IPv6 network
to another IPv6 network. The path through the NAT66 device to another IPv6 network forms an
equivalent route, and traffic can be load-shared on these NAT66 devices. In this case, you
can configure the same source address translation rules on these NAT66 devices, so that any
NAT66 device can handle IPv6 traffic between different sites.
* Multi-homed. In a multi-homed network environment, the NAT66 device connects to an
internal network and simultaneously connects to different external networks. Address
translation can be configured on each external network side interface of the NAT66
device to convert the same internal network address into different external network
addresses, and realize the mapping of the same internal address to multiple external addresses.
.. _destination-nat66:
DNAT66
^^^^^^
The :abbr:`DNPTv6 (Destination IPv6-to-IPv6 Network Prefix Translation)` destination address translation
function is used in scenarios where the server in the internal network provides services to the external
network, such as providing Web services or FTP services to the external network. By configuring the mapping
relationship between the internal server address and the external network address on the external network
side interface of the NAT66 device, external network users can access the internal network server through
the designated external network address.
Prefix Conversion
------------------
Source Prefix
^^^^^^^^^^^^^
Every SNAT66 rule has a translation command defined. The prefix defined
for the translation is the prefix used when the address information in
a packet is replaced.、
The :ref:`source-nat66` rule replaces the source address of the packet and calculates the
converted address using the prefix specified in the rule.
Example:
* Convert the address prefix of a single `fc01::/64` network to `fc00::/64`
* Output from `eth0` network interface
.. code-block:: none
set nat66 source rule 1 outbound-interface 'eth0'
set nat66 source rule 1 source prefix 'fc01::/64'
set nat66 source rule 1 translation prefix 'fc00::/64'
Destination Prefix
^^^^^^^^^^^^^^^^^^
For the :ref:`destination-nat66` rule, the destination address of the packet is
replaced by the address calculated from the specified address or prefix in the
`translation address` command
Example:
* Convert the address prefix of a single `fc00::/64` network to `fc01::/64`
* Input from `eth0` network interface
.. code-block:: none
set nat66 destination rule 1 inbound-interface 'eth0'
set nat66 destination rule 1 destination address 'fc00::/64'
set nat66 destination rule 1 translation address 'fc01::/64'
Configuration Examples
======================
Use the following topology to build a nat66 based isolated network between internal
and external networks (dynamic prefix is not supported):
.. figure:: /_static/images/vyos_1_4_nat66_simple.png
:alt: VyOS NAT66 Simple Configure
R1:
.. code-block:: none
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth1 address 'fc01::1/64'
set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64'
set nat66 destination rule 1 inbound-interface 'eth0'
set nat66 destination rule 1 translation address 'fc01::/64'
set nat66 source rule 1 outbound-interface 'eth0'
set nat66 source rule 1 source prefix 'fc01::/64'
set nat66 source rule 1 translation prefix 'fc00:470:f1cd:101::/64'
R2:
.. code-block:: none
set interfaces bridge br1 address 'fc01::2/64'
set interfaces bridge br1 member interface eth0
set interfaces bridge br1 member interface eth1
set protocols static route6 ::/0 next-hop fc01::1
set service router-advert interface br1 prefix ::/0
|
