How to do NPTv6

From VyOS Wiki
Revision as of 17:28, 22 November 2014 by Kouak

Introduction

NPTv6 stands for IPv6-to-IPv6 Network Prefix Translation. It is a form of NAT for IPv6, described in RFC 6296. NPTv6 has been supported in the Linux kernel since version 3.13.

Usage

NPTv6 is very useful for IPv6 multihoming. Let's assume the following network configuration:

  • eth0: LAN
  • eth1: WAN1, with 2001:db8:e1::/48 routed towards it
  • eth2: WAN2, with 2001:db8:e2::/48 routed towards it

When addressing LAN hosts, why would you choose 2001:db8:e1::/48 over 2001:db8:e2::/48? And what happens when you get a new provider with a different routed IPv6 subnet?

The solution is to assign ULAs (Unique Local Addresses) to your LAN hosts and to prefix-translate their addresses to the right subnet as traffic passes through your router.

Example with ip6tables

  • LAN subnet: fc00:dead:beef::/48
  • WAN 1 subnet: 2001:db8:e1::/48
  • WAN 2 subnet: 2001:db8:e2::/48
  • eth0 address: fc00:dead:beef::1/48
  • eth1 address: 2001:db8:e1::1/48
  • eth2 address: 2001:db8:e2::1/48

First, you need to load the ip6t_NPT kernel module.

# modprobe ip6t_NPT

Translate fc00:dead:beef::/48 to 2001:db8:e1::/48 and vice versa:

# ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth1 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e1::/48
# ip6tables -t mangle -I PREROUTING -d 2001:db8:e1::/48 -j DNPT --src-pfx 2001:db8:e1::/48 --dst-pfx fc00:dead:beef::/48

Translate fc00:dead:beef::/48 to 2001:db8:e2::/48 and vice versa:

# ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth2 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e2::/48
# ip6tables -t mangle -I PREROUTING -d 2001:db8:e2::/48 -j DNPT --src-pfx 2001:db8:e2::/48 --dst-pfx fc00:dead:beef::/48
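
When writing firewall rules or correlating upstream logs, note that RFC 6296 translation is checksum-neutral: for /48 prefixes the 16-bit subnet word is adjusted as well as the prefix, so fc00:dead:beef:1::10 does not leave as 2001:db8:e1:1::10. The following sketch is an added example, not part of the original page or of VyOS; it computes the RFC 6296 mapping for the prefixes used above, and the function names and sample host addresses are assumptions made for illustration.

```python
import ipaddress

LAN, WAN1, WAN2 = "fc00:dead:beef::/48", "2001:db8:e1::/48", "2001:db8:e2::/48"

def _add1c(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _prefix_sum(net):
    """One's-complement sum of the three 16-bit words of a /48 prefix."""
    p = int(net.network_address) >> 80
    total = 0
    for shift in (32, 16, 0):
        total = _add1c(total, (p >> shift) & 0xFFFF)
    return total

def npt_map(addr, src_pfx, dst_pfx):
    """Map addr from src_pfx to dst_pfx (both /48) as RFC 6296 section 3 describes.

    Use (LAN, WAN) for the outbound SNPT direction and (WAN, LAN) for the
    inbound DNPT direction, e.g. to recover the internal host from a log entry.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch only handles /48 prefixes")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # adjustment = sum(source prefix) - sum(destination prefix), one's complement
    adjustment = _add1c(_prefix_sum(src), ~_prefix_sum(dst) & 0xFFFF)
    value = int(addr)
    subnet = _add1c((value >> 64) & 0xFFFF, adjustment)  # bits 48..63
    if subnet == 0xFFFF:           # RFC 6296 section 3.4: 0xFFFF is rewritten to 0
        subnet = 0
    iid = value & ((1 << 64) - 1)  # the interface identifier is left untouched
    return ipaddress.IPv6Address(int(dst.network_address) | (subnet << 64) | iid)

if __name__ == "__main__":
    # Constructed sample hosts inside the page's LAN prefix.
    for host in ("fc00:dead:beef::1", "fc00:dead:beef:1::10"):
        for wan in (WAN1, WAN2):
            outside = npt_map(host, LAN, wan)
            print(f"{host} -> {outside} via {wan} -> back to {npt_map(outside, wan, LAN)}")
```

The same internal host gets a different subnet word on each uplink (6b05 on WAN 1, 6b04 on WAN 2 for subnet 1), so per-host allow rules and log searches must use the computed external address for each provider.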

VyOS specifics

As of now, there are no specific configuration commands for NPTv6 in VyOS. However, it is easily set up via a post-boot script.

Edit /config/scripts/vyatta-postconfig-bootup.script and add:

# Load NPTv6 kernel module
sudo modprobe ip6t_NPT
# Translate fc00:dead:beef::/48 to 2001:db8:e1::/48 and vice versa
sudo ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth1 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e1::/48
sudo ip6tables -t mangle -I PREROUTING -d 2001:db8:e1::/48 -j DNPT --src-pfx 2001:db8:e1::/48 --dst-pfx fc00:dead:beef::/48
# Translate fc00:dead:beef::/48 to 2001:db8:e2::/48 and vice versa
sudo ip6tables -t mangle -I POSTROUTING -s fc00:dead:beef::/48 -o eth2 -j SNPT --src-pfx fc00:dead:beef::/48 --dst-pfx 2001:db8:e2::/48
sudo ip6tables -t mangle -I PREROUTING -d 2001:db8:e2::/48 -j DNPT --src-pfx 2001:db8:e2::/48 --dst-pfx fc00:dead:beef::/48