How to do NPTv6

From VyOS Wiki

Introduction

NPTv6 stands for Network Prefix Translation (for IPv6). It is a stateless form of NAT for IPv6 that rewrites only the prefix part of an address, and it is described in RFC 6296. NPTv6 has been supported in the Linux kernel since version 3.13 (the ip6tables SNPT and DNPT targets).

Usage

NPTv6 is very useful for IPv6 multihoming. Let's assume the following network configuration:

  • eth0: LAN
  • eth1: WAN1, with 2001:db8:e1::/48 routed towards it
  • eth2: WAN2, with 2001:db8:e2::/48 routed towards it

Regarding the addressing of LAN hosts, why would you choose 2001:db8:e1::/48 over 2001:db8:e2::/48? And what happens when you get a new provider with a different routed IPv6 subnet, and would have to renumber?

The solution is to assign ULAs (unique local addresses, from fc00::/7) to your LAN hosts and to translate their prefix to the subnet of the provider being used when traffic passes through your router.

Example with ip6tables

  • LAN subnet: fc00:dead:beef::/48
  • WAN1 subnet: 2001:db8:e1::/48
  • WAN2 subnet: 2001:db8:e2::/48
  • eth0 address: fc00:dead:beef::1/48
  • eth1 address: 2001:db8:e1::1/48
  • eth2 address: 2001:db8:e2::1/48

VyOS Support

NPTv6 support was added in Lithium (#387) and is configured under the nat nptv6 configuration nodes. One rule per WAN interface maps the LAN ULA prefix to that provider's prefix:

# set nat nptv6 rule 10 inside-prefix 'fc00:dead:beef::/48'
# set nat nptv6 rule 10 outside-interface 'eth1'
# set nat nptv6 rule 10 outside-prefix '2001:db8:e1::/48'
# set nat nptv6 rule 20 inside-prefix 'fc00:dead:beef::/48'
# set nat nptv6 rule 20 outside-interface 'eth2'
# set nat nptv6 rule 20 outside-prefix '2001:db8:e2::/48'

Resulting in the following ip6tables rules (SNPT rewrites the source prefix of outbound packets, DNPT the destination prefix of inbound ones):

Chain VYOS_DNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNPT       all      eth1   any     anywhere             2001:db8:e1::/48    src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48 
    0     0 DNPT       all      eth2   any     anywhere             2001:db8:e2::/48    src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere            
Chain VYOS_SNPT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNPT       all      any    eth1    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48 
    0     0 SNPT       all      any    eth2    fc00:dead:beef::/48  anywhere            src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 
    0     0 RETURN     all      any    any     anywhere             anywhere
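The SNPT and DNPT rules above do more than swap 48 bits: RFC 6296 requires the translation to be checksum-neutral, so one 16-bit word of the address is adjusted to keep its one's complement sum unchanged and transport checksums stay valid without being recomputed. The following added example (not VyOS or kernel code) implements that mapping in Python using the page's subnets; it also handles prefixes longer than /48 and the 0xFFFF corner case, and the round trip through a DNPT-style reverse rule shows why the LAN subnet word must stay reversible:

```python
import ipaddress

def _fold(x):
    """Reduce an integer to a 16-bit one's complement sum (end-around carry)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def _words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_complement_sum(addr):
    """One's complement sum of an address's words; NPTv6 must leave it unchanged."""
    return _fold(sum(_words(addr)))

def nptv6_adjustment(src_net, dst_net):
    """Adjustment for replacing src_net's prefix with dst_net's: the one's
    complement difference of the two prefix sums (RFC 6296 section 3.4)."""
    src_sum = ones_complement_sum(src_net.network_address)
    dst_sum = ones_complement_sum(dst_net.network_address)
    return _fold(src_sum + (~dst_sum & 0xFFFF))

def nptv6_translate(addr, src_net, dst_net):
    """Rewrite addr's src_net prefix to dst_net and absorb the checksum adjustment
    in one 16-bit word, as the SNPT/DNPT targets do (RFC 6296 sections 3.1-3.4)."""
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("address not in source prefix, or prefix lengths differ")
    plen = src_net.prefixlen
    mask = ((1 << plen) - 1) << (128 - plen)
    rewritten = (int(dst_net.network_address) & mask) | (int(addr) & ~mask)
    words = _words(ipaddress.IPv6Address(rewritten))
    if plen <= 48:
        idx = 3                          # the subnet word, bits 48..63
    else:                                # longer prefix: first IID word that is not 0xFFFF
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no interface-identifier word can absorb the adjustment")
    words[idx] = _fold(words[idx] + nptv6_adjustment(src_net, dst_net))
    if words[idx] == 0xFFFF:             # 0xFFFF and 0x0000 are the same one's complement value
        words[idx] = 0
    return ipaddress.IPv6Address(":".join(f"{w:x}" for w in words))

# Constructed example with the page's subnets: a LAN host leaving via WAN1 (SNPT), then the reply (DNPT).
LAN = ipaddress.IPv6Network("fc00:dead:beef::/48")
WAN1 = ipaddress.IPv6Network("2001:db8:e1::/48")
WAN2 = ipaddress.IPv6Network("2001:db8:e2::/48")
host = ipaddress.IPv6Address("fc00:dead:beef::1")
outside = nptv6_translate(host, LAN, WAN1)
inside = nptv6_translate(outside, WAN1, LAN)
print(f"{host} -> {outside} -> {inside}")  # prints fc00:dead:beef::1 -> 2001:db8:e1:6b04::1 -> fc00:dead:beef::1
```

Note that the subnet word 0x0000 of fc00:dead:beef::/64 comes out as 2001:db8:e1:6b04::/64 on the wire, so the externally visible /64 differs from the internal one and any firewall or reverse DNS on the provider side has to be written against the translated prefix.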