blob: 240b20ab7529ade349ae3724977b196fb14a9a08 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
.. include:: _include/need_improvement.txt
.. _nptv6:
#####
NPTv6
#####
:abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's
described in :rfc:`6296`.
**Usage**
NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
external IPv6 prefix is dynamic, as it prevents the need for renumbering of
internal hosts when the extern prefix changes.
Let's assume the following network configuration:
* eth0 : LAN
* eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
* eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
2001:db8:e2::/48? What happens when you get a new provider with a different
routed IPv6 subnet?
The solution here is to assign to your hosts ULAs_ and to prefix-translate
their address to the right subnet when going through your router.
* LAN Subnet : fc00:dead:beef::/48
* WAN 1 Subnet : 2001:db8:e1::/48
* WAN 2 Subnet : 2001:db8:e2::/48
* eth0 addr : fc00:dead:beef::1/48
* eth1 addr : 2001:db8:e1::1/48
* eth2 addr : 2001:db8:e2::1/48
VyOS Support
^^^^^^^^^^^^
NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
`nat nptv6` configuration nodes.
.. code-block:: none
set rule 10 inside-prefix 'fc00:dead:beef::/48'
set rule 10 outside-interface 'eth1'
set rule 10 outside-prefix '2001:db8:e1::/48'
set rule 20 inside-prefix 'fc00:dead:beef::/48'
set rule 20 outside-interface 'eth2'
set rule 20 outside-prefix '2001:db8:e2::/48'
Resulting in the following ip6tables rules:
.. code-block:: none
Chain VYOS_DNPT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
0 0 RETURN all any any anywhere anywhere
Chain VYOS_SNPT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
0 0 RETURN all any any anywhere anywhere
.. _ULAs: https://en.wikipedia.org/wiki/Unique_local_address
|