Difference between revisions of "How to do NPTv6"

From VyOS Wiki
(Created page with "== Introduction == NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's described in [https://tools.ietf.org/html/rfc6296 RFC 6296]. NPTv6 is suppor...")

Line 24: Line 24:

Unchanged context:

* eth2 addr : 2001:db8:e2::1/48

Previous revision (removed):

First, you need to load the ip6t_NPT kernel module.

# modprobe ip6t_NPT

Translate fc00:dead:beef::/48 to 2001:db8:e1::/48 and vice versa :

# ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth1 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e1::/48
# ip6tables -t mangle -I PREROUTING -d 2001:db8:e1::/48 -j DNPT --src-pfx 2001:db8:e1::/48 --dst-pfx fc00:dead:beef::/48

Translate fc00:dead:beef::/48 to 2001:db8:e2::/48 and vice versa :

# ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth2 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e2::/48
# ip6tables -t mangle -I PREROUTING -d 2001:db8:e2::/48 -j DNPT --src-pfx 2001:db8:e2::/48 --dst-pfx fc00:dead:beef::/48

== VyOS specifics ==

As of now, there is no specific configuration commands for NPTv6 in VyOS. However, this is easily set up via a post boot script.

Edit /config/scripts/vyatta-postconfig-bootup.script and add :

# Load NPTv6 kernel module
sudo modprobe ip6t_NPT
# Translate fc00:dead:beef::/48 to 2001:db8:e1::/48 and vice versa :
sudo ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth1 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e1::/48
sudo ip6tables -t mangle -I PREROUTING -d 2001:db8:e1::/48 -j DNPT --src-pfx 2001:db8:e1::/48 --dst-pfx fc00:dead:beef::/48
# Translate fc00:dead:beef::/48 to 2001:db8:e2::/48 and vice versa :
sudo ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth2 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e2::/48
sudo ip6tables -t mangle -I PREROUTING -d 2001:db8:e2::/48 -j DNPT --src-pfx 2001:db8:e2::/48 --dst-pfx fc00:dead:beef::/48

This revision (added):

== VyOS Support ==

NPTv6 support has been added in [Lithium] and is available through <code>nat nptv6</code> configuration nodes.

# set rule 10 inside-prefix 'fc00:dead:beef::/48'
# set rule 10 outside-interface 'eth1'
# set rule 10 outside-prefix '2001:db8:e1::/48'
# set rule 20 inside-prefix 'fc00:dead:beef::/48'
# set rule 20 outside-interface 'eth2'
# set rule 20 outside-prefix '2001:db8:e2::/48'

Resulting in the following ip6tables rules :

Chain VYOS_DNPT_HOOK (1 references)
 pkts bytes target    prot opt in     out    source              destination
    0    0 DNPT      all      eth1  any    anywhere            2001:db8:e1::/48   src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
    0    0 DNPT      all      eth2  any    anywhere            2001:db8:e2::/48   src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
    0    0 RETURN    all      any    any    anywhere            anywhere
Chain VYOS_SNPT_HOOK (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 SNPT      all      any    eth1    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
    0    0 SNPT      all      any    eth2    fc00:dead:beef::/48 anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
    0    0 RETURN    all      any    any    anywhere            anywhere
 
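Review bot: the added `set rule 10 ...` and `set rule 20 ...` commands are written relative to the `nat nptv6` node that the sentence above them names, but nothing shows the `edit nat nptv6` step that makes them valid; either add that step before the commands or spell them out as full paths, e.g. `set nat nptv6 rule 10 inside-prefix 'fc00:dead:beef::/48'`. The rewrite also drops the `modprobe ip6t_NPT` step together with the post-boot-script method without saying whether the new configuration nodes load the module themselves; one sentence stating that would make the migration from the old method clear.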

Revision as of 08:06, 9 March 2015

Introduction

NPTv6 stands for Network Prefix Translation, a form of NAT for IPv6 described in RFC 6296. It has been supported in the Linux kernel since version 3.13.

Usage

NPTv6 is very useful for IPv6 multihoming. Assume the following network configuration:

  • eth0 : LAN
  • eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
  • eth2 : WAN2, with 2001:db8:e2::/48 routed towards it

When addressing LAN hosts, why would you choose 2001:db8:e1::/48 over 2001:db8:e2::/48? And what happens when you get a new provider with a different routed IPv6 subnet?

The solution is to assign ULAs to your LAN hosts and to translate their prefix to the right subnet as traffic passes through your router.

Example with ip6tables

  • LAN subnet: fc00:dead:beef::/48
  • WAN 1 subnet: 2001:db8:e1::/48
  • WAN 2 subnet: 2001:db8:e2::/48
  • eth0 addr: fc00:dead:beef::1/48
  • eth1 addr: 2001:db8:e1::1/48
  • eth2 addr: 2001:db8:e2::1/48
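The kernel's SNPT/DNPT targets implement the checksum-neutral mapping of RFC 6296: the prefix is swapped and the 16-bit subnet word absorbs the difference so transport checksums stay valid. The following Python model shows that mapping for the three /48 prefixes above; it is an added example, not VyOS or kernel code, the function names are mine, and it handles /48 prefixes only.

```python
"""Model of RFC 6296 checksum-neutral prefix translation (added example, not
VyOS code), using the /48 prefixes from this page. Only /48 is handled."""
import ipaddress
from functools import reduce

INSIDE = "fc00:dead:beef::/48"  # LAN ULA prefix
WAN1 = "2001:db8:e1::/48"       # prefix routed to eth1
WAN2 = "2001:db8:e2::/48"       # prefix routed to eth2

def words(addr: str) -> list[int]:
    """Eight 16-bit words of an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_sum(ws: list[int]) -> int:
    return reduce(ones_add, ws, 0)

def adjustment(src_pfx: str, dst_pfx: str) -> int:
    """sum(src /48 words) - sum(dst /48 words) in one's complement, where
    negation is bitwise NOT (RFC 6296 section 3.1)."""
    src = ones_sum(words(src_pfx.split("/")[0])[:3])
    dst = ones_sum(words(dst_pfx.split("/")[0])[:3])
    return ones_add(src, ~dst & 0xFFFF)

def translate(addr: str, src_pfx: str, dst_pfx: str) -> str:
    """Rewrite src_pfx to dst_pfx in addr; the subnet word (bits 48-63) absorbs
    the adjustment so TCP/UDP/ICMPv6 checksums stay valid. Works both ways."""
    src, dst = ipaddress.IPv6Network(src_pfx), ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this model handles /48 prefixes only")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {src_pfx}")
    ws = words(addr)
    ws[:3] = words(str(dst.network_address))[:3]
    ws[3] = ones_add(ws[3], adjustment(src_pfx, dst_pfx))
    if ws[3] == 0xFFFF:  # 0xFFFF and 0x0000 are both zero in one's complement
        ws[3] = 0x0000
    return str(ipaddress.IPv6Address(reduce(lambda n, w: (n << 16) | w, ws, 0)))

def checksum_neutral(a: str, b: str) -> bool:
    """Transport checksums over the two addresses agree when their one's
    complement sums are equal (treating 0xFFFF and 0x0000 as the same)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF
```

Because the mapping is stateless and 1:1, the same function translates in both directions; note that an inside subnet word of 0xFFFF cannot be distinguished from 0x0000 after translation, so it is not usable with this mapping.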

VyOS Support

NPTv6 support has been added in [Lithium] and is available through the nat nptv6 configuration nodes.

# set rule 10 inside-prefix 'fc00:dead:beef::/48'
# set rule 10 outside-interface 'eth1'
# set rule 10 outside-prefix '2001:db8:e1::/48'
# set rule 20 inside-prefix 'fc00:dead:beef::/48'
# set rule 20 outside-interface 'eth2'
# set rule 20 outside-prefix '2001:db8:e2::/48'

Resulting in the following ip6tables rules:

Chain VYOS_DNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNPT       all      eth1   any     anywhere             2001:db8:e1::/48    src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 
    0     0 DNPT       all      eth2   any     anywhere             2001:db8:e2::/48    src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere            
Chain VYOS_SNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNPT       all      any    eth1    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 
    0     0 SNPT       all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere