Difference between revisions of "How to do NPTv6"

From VyOS Wiki
Line 47: Line 47:
 
     0    0 SNPT      all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48  
 
     0    0 SNPT      all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48  
 
     0    0 RETURN    all      any    any    anywhere            anywhere
 
     0    0 RETURN    all      any    any    anywhere            anywhere
 +
 +
 +
[[Category: User documentation]]
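Review bot: the three empty lines added ahead of [[Category: User documentation]] are more than the change needs. Keep a single blank line between the last ip6tables RETURN line and the category tag so the end of the page stays tidy.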

Revision as of 08:07, 9 March 2015

Introduction

NPTv6 stands for Network Prefix Translation. It is a form of NAT for IPv6, described in RFC 6296, and has been supported in the Linux kernel since version 3.13.

Usage

NPTv6 is very useful for IPv6 multihoming. Let's assume the following network configuration:

  • eth0: LAN
  • eth1: WAN1, with 2001:db8:e1::/48 routed towards it
  • eth2: WAN2, with 2001:db8:e2::/48 routed towards it

When addressing the LAN hosts, why would you choose 2001:db8:e1::/48 over 2001:db8:e2::/48? What happens when you get a new provider with a different routed v6 subnet?

The solution here is to assign ULAs to your LAN hosts and to prefix-translate their addresses to the right subnet when traffic goes through your router.

Example with ip6tables

  • LAN subnet: fc00:dead:beef::/48
  • WAN 1 subnet: 2001:db8:e1::/48
  • WAN 2 subnet: 2001:db8:e2::/48
  • eth0 addr: fc00:dead:beef::1/48
  • eth1 addr: 2001:db8:e1::1/48
  • eth2 addr: 2001:db8:e2::1/48

VyOS Support

NPTv6 support was added in Lithium and is available through the nat nptv6 configuration nodes.

# set rule 10 inside-prefix 'fc00:dead:beef::/48'
# set rule 10 outside-interface 'eth1'
# set rule 10 outside-prefix '2001:db8:e1::/48'
# set rule 20 inside-prefix 'fc00:dead:beef::/48'
# set rule 20 outside-interface 'eth2'
# set rule 20 outside-prefix '2001:db8:e2::/48'

This results in the following ip6tables rules:

Chain VYOS_DNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNPT       all      eth1   any     anywhere             2001:db8:e1::/48    src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 
    0     0 DNPT       all      eth2   any     anywhere             2001:db8:e2::/48    src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere            
Chain VYOS_SNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNPT       all      any    eth1    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 
    0     0 SNPT       all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere
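
The SNPT and DNPT rules above do more than swap the first 48 bits: RFC 6296 makes the mapping checksum-neutral by folding a correction into the subnet word, so the outside address a LAN host appears under is not obvious from the rules alone. The following added example (not part of the original page or of VyOS; the function names and the host fc00:dead:beef:1::10 are made up for illustration) applies the RFC 6296 /48 algorithm to the page's prefixes, which is useful when matching upstream logs or ACLs back to inside hosts.

```python
import ipaddress

def _sum16(words):
    """One's-complement sum of 16-bit words (end-around carry)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    value = int(addr)
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def npt_translate(address, src_pfx, dst_pfx):
    """Map address from src_pfx into dst_pfx (both /48), checksum-neutrally."""
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    addr = ipaddress.IPv6Address(address)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    src_sum = _sum16(_words(src.network_address)[:3])
    dst_sum = _sum16(_words(dst.network_address)[:3])
    # adjustment = sum(src prefix) - sum(dst prefix) in one's complement
    adjustment = _sum16([src_sum, ~dst_sum & 0xFFFF])
    out = _words(addr)
    out[:3] = _words(dst.network_address)[:3]
    # With a /48 the adjustment is absorbed by the subnet word (bits 48-63);
    # a result of 0xFFFF is written as 0x0000.
    subnet = _sum16([out[3], adjustment])
    out[3] = 0 if subnet == 0xFFFF else subnet
    value = 0
    for w in out:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)

if __name__ == "__main__":
    lan = "fc00:dead:beef::/48"
    host = "fc00:dead:beef:1::10"  # constructed LAN host
    for wan in ("2001:db8:e1::/48", "2001:db8:e2::/48"):
        outside = npt_translate(host, lan, wan)   # SNPT direction
        inside = npt_translate(outside, wan, lan)  # DNPT direction
        print(f"{host} -> {outside} -> {inside}")
```

The same inside host gets a different subnet word on each uplink, so per-WAN filters and log searches need the translated value for that uplink rather than the inside subnet number.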