summaryrefslogtreecommitdiff
path: root/docs/configuration/nat/nptv6.rst
blob: cffb2a14f759258a4b1bc8639020681a46016f1b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
.. include:: /_include/need_improvement.txt

.. _nptv6:

#####
NPTv6
#####

:abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's
described in :rfc:`6296`.

**Usage**

NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
external IPv6 prefix is dynamic, as it prevents the need for renumbering of
internal hosts when the extern prefix changes.

Let's assume the following network configuration:

* eth0 : LAN
* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it

Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
2001:db8:e2::/48? What happens when you get a new provider with a different
routed IPv6 subnet?

The solution here is to assign to your hosts ULAs_ and to prefix-translate
their address to the right subnet when going through your router.

* LAN Subnet : fc00:dead:beef::/48
* WAN 1 Subnet : 2001:db8:e1::/48
* WAN 2 Subnet : 2001:db8:e2::/48

* eth0 addr : fc00:dead:beef::1/48
* eth1 addr : 2001:db8:e1::1/48
* eth2 addr : 2001:db8:e2::1/48

VyOS Support
^^^^^^^^^^^^

NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
`nat nptv6` configuration nodes.

.. code-block:: none

  set nat nptv6 rule 10 source prefix 'fc00:dead:beef::/48'
  set nat nptv6 rule 10 outbound-interface 'eth1'
  set nat nptv6 rule 10 translation prefix '2001:db8:e1::/48'
  set nat nptv6 rule 20 source prefix 'fc00:dead:beef::/48'
  set nat nptv6 rule 20 outbound-interface 'eth2'
  set nat nptv6 rule 20 translation prefix '2001:db8:e2::/48'

Resulting in the following ip6tables rules:

.. code-block:: none

  Chain VYOS_DNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 NETMAP   all    eth1   any   anywhere            2001:db8:e1::/48  to:fc00:dead:beef::/48
      0     0 NETMAP   all    eth2   any   anywhere            2001:db8:e2::/48  to:fc00:dead:beef::/48
      0     0 RETURN   all    any    any   anywhere            anywhere
  Chain VYOS_SNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 NETMAP   all    any    eth1  fc00:dead:beef::/48 anywhere          to:2001:db8:e1::/48
      0     0 NETMAP   all    any    eth2  fc00:dead:beef::/48 anywhere          to:2001:db8:e2::/48
      0     0 RETURN   all    any    any   anywhere            anywhere

.. _ULAs: https://en.wikipedia.org/wiki/Unique_local_address