nptv6: move into dedicated chapter

2025-10-26 08:41:46 +01:00 · 2020-01-21 12:52:07 +01:00 · 2020-01-21 12:52:07 +01:00 · 9ee929766b
commit 9ee929766b
parent ca482df616
3 changed files with 67 additions and 64 deletions
--- a/docs/index.rst
+++ b/docs/index.rst
@ -39,6 +39,7 @@ VyOS User Guide
   firewall
   routing/index
   nat
   nptv6
   qos
   high-availability
   vpn/index
--- a/docs/nat.rst
+++ b/docs/nat.rst
@ -559,70 +559,6 @@ one external interface:
 Firewall rules are written as normal, using the internal IP address as the
 source of outbound rules and the destination of inbound rules.
 NPTv6
 -----
 NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's
 described in :rfc:`6296`. NPTv6 is supported in linux kernel since version 3.13.
 **Usage**
 NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
 external IPv6 prefix is dynamic, as it prevents the need for renumbering of
 internal hosts when the extern prefix changes.
 Let's assume the following network configuration:
 * eth0 : LAN
 * eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
 * eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
 Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
 2001:db8:e2::/48? What happens when you get a new provider with a different
 routed IPv6 subnet?
 The solution here is to assign to your hosts ULAs_ and to prefix-translate
 their address to the right subnet when going through your router.
 * LAN Subnet : fc00:dead:beef::/48
 * WAN 1 Subnet : 2001:db8:e1::/48
 * WAN 2 Subnet : 2001:db8:e2::/48
 * eth0 addr : fc00:dead:beef::1/48
 * eth1 addr : 2001:db8:e1::1/48
 * eth2 addr : 2001:db8:e2::1/48
 VyOS Support
 ^^^^^^^^^^^^
 NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
 `nat nptv6` configuration nodes.
 .. code-block:: none
  set rule 10 inside-prefix 'fc00:dead:beef::/48'
  set rule 10 outside-interface 'eth1'
  set rule 10 outside-prefix '2001:db8:e1::/48'
  set rule 20 inside-prefix 'fc00:dead:beef::/48'
  set rule 20 outside-interface 'eth2'
  set rule 20 outside-prefix '2001:db8:e2::/48'
 Resulting in the following ip6tables rules:
 .. code-block:: none
  Chain VYOS_DNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 DNPT     all    eth1   any   anywhere            2001:db8:e1::/48  src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
      0     0 DNPT     all    eth2   any   anywhere            2001:db8:e2::/48  src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
      0     0 RETURN   all    any    any   anywhere            anywhere
  Chain VYOS_SNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 SNPT     all    any    eth1  fc00:dead:beef::/48 anywhere          src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
      0     0 SNPT     all    any    eth2  fc00:dead:beef::/48 anywhere          src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
      0     0 RETURN   all    any    any   anywhere            anywhere
 NAT before VPN
 --------------
--- a/docs/nptv6.rst
+++ b/docs/nptv6.rst
@ -0,0 +1,66 @@
 .. _nptv6:
 #####
 NPTv6
 #####
 :abbr:`NPTv6 (Network Prefix Translation)` is a form of NAT for IPv6. It's
 described in :rfc:`6296`.
 **Usage**
 NPTv6 is very useful for IPv6 multihoming. It is also commonly used when the
 external IPv6 prefix is dynamic, as it prevents the need for renumbering of
 internal hosts when the extern prefix changes.
 Let's assume the following network configuration:
 * eth0 : LAN
 * eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
 * eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
 Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over
 2001:db8:e2::/48? What happens when you get a new provider with a different
 routed IPv6 subnet?
 The solution here is to assign to your hosts ULAs_ and to prefix-translate
 their address to the right subnet when going through your router.
 * LAN Subnet : fc00:dead:beef::/48
 * WAN 1 Subnet : 2001:db8:e1::/48
 * WAN 2 Subnet : 2001:db8:e2::/48
 * eth0 addr : fc00:dead:beef::1/48
 * eth1 addr : 2001:db8:e1::1/48
 * eth2 addr : 2001:db8:e2::1/48
 VyOS Support
 ^^^^^^^^^^^^
 NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
 `nat nptv6` configuration nodes.
 .. code-block:: none
  set rule 10 inside-prefix 'fc00:dead:beef::/48'
  set rule 10 outside-interface 'eth1'
  set rule 10 outside-prefix '2001:db8:e1::/48'
  set rule 20 inside-prefix 'fc00:dead:beef::/48'
  set rule 20 outside-interface 'eth2'
  set rule 20 outside-prefix '2001:db8:e2::/48'
 Resulting in the following ip6tables rules:
 .. code-block:: none
  Chain VYOS_DNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 DNPT     all    eth1   any   anywhere            2001:db8:e1::/48  src-pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
      0     0 DNPT     all    eth2   any   anywhere            2001:db8:e2::/48  src-pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
      0     0 RETURN   all    any    any   anywhere            anywhere
  Chain VYOS_SNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
      0     0 SNPT     all    any    eth1  fc00:dead:beef::/48 anywhere          src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
      0     0 SNPT     all    any    eth2  fc00:dead:beef::/48 anywhere          src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
      0     0 RETURN   all    any    any   anywhere            anywhere