
Support nptv6
Open, Requires assessment | Public | FEATURE REQUEST

Description

At present, there are configuration options for nptv6 in the VyOS version, but they seem to have no effect. Does anyone know how to implement this feature?

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

pasik added a subscriber: pasik. May 27 2020, 5:14 PM
c-po added a subscriber: c-po. May 30 2020, 12:54 PM

It's implemented in 1.2 but not with the new nftables-based NAT backend, as the required commands could not be translated from ip6tables.

Looks like currently there is no nftables NAT66 example around; also, the new MAP feature of nftables is not yet available in Debian Buster/Bullseye, as there is no nftables release with the feature yet.

If so, it's better to consider porting the 1.2 NPT implementation instead of using a new solution. Can they coexist? It's just a suggestion.

alexandrestein added a subscriber: alexandrestein. Edited Jun 9 2020, 4:44 PM

I made this work.

I needed to add a firewall table to make the change active.
The strange thing is that this works even if the table is not assigned to any interface.
It works when assigned too, but it looks like you need at least one IPv6 table.

Here is what I use:

ipv6-name inFromProviderVPN6 {
    default-action reject
    enable-default-log
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}

I did not play much with it because it does what I want.
So I don't know where the limits are.

Related to: https://forum.vyos.io/t/nat-ipv6-local-address-global-scope/5462

In fact, according to official comments and my reading of the nptv6 code, VyOS has not generated any code for nptv6 at present.

It's implemented in 1.2 but not with the new nftables-based NAT backend, as the required commands could not be translated from ip6tables.
Looks like currently there is no nftables NAT66 example around; also, the new MAP feature of nftables is not yet available in Debian Buster/Bullseye, as there is no nftables release with the feature yet.

You are right.

I removed the rule and it works the same :-)

@alexandrestein To be honest, I don't understand why NPT works in your configuration. It seems to have nothing to do with NPT.

c-po added a comment. Jun 9 2020, 6:13 PM

NPTv6 is available in VyOS 1.2 (crux) and currently not implemented in 1.3 (equuleus), as the nftables package should be updated to 0.9.5 to make use of netmap.

https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3

Sorry.
It had some kind of persistence and I had to turn it on again to have it working.

I don't know but it is working for now.

I'm running: 1.3-rolling-202005100117

@alexandrestein VyOS 1.3's NPT is temporarily unavailable, but VyOS 1.3 basically supports DHCPv6-PD. If there is no special reason, you can consider using a global address instead of ULA: obtain the delegated prefix directly from the ISP and distribute it to the clients (via RA), instead of using ULA+NPT.

@jack9603301, you seem to have way more knowledge of IPv6 routing and the VyOS capabilities than I do.

On another switch, regular IPv6 connections are actually working fine. My machines get public IPs and it's all good.

In this case, I try to use a WireGuard interface to anonymise the traffic for a specific subnet/interface (which in my case is another WireGuard interface).
So I don't want a global address and I need some kind of NAT.

PS: The config is broken again. I don't understand why.

If you want NPT, you may have to wait until the conditions are right, and the community may implement NPT at that time.

jack9603301 added a comment. Edited Jun 10 2020, 4:35 PM

@alexandrestein Or, a workaround is to use iptables rules directly to implement nptv6 translation manually for now. But I don't know when it will work. You can try it.
PS: VyOS uses nftables to implement NAT in 1.3, but because of the limitations of the nftables version, this function cannot be realized at present.

It's implemented in 1.2 but not with the new nftables-based NAT backend, as the required commands could not be translated from ip6tables.
Looks like currently there is no nftables NAT66 example around; also, the new MAP feature of nftables is not yet available in Debian Buster/Bullseye, as there is no nftables release with the feature yet.

and

NPTv6 is available in VyOS 1.2 (crux) and currently not implemented in 1.3 (equuleus), as the nftables package should be updated to 0.9.5 to make use of netmap.
https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3

Thanks a lot for your time and knowledge on VyOS.
I will try with 1.2.

@alexandrestein Note that VyOS 1.2 (crux) does not implement DHCPv6-PD.

FYI.

Thank you @jack9603301.

No problem about DHCP.
AFAIK WireGuard does not support DHCP and it has always been static IPs in my mind.

Using 1.2.5 works perfectly.
Thanks again and sorry for the noise on this thread.
If this feature is implemented in 1.3 I can try it.

Regards

jack9603301 added a comment. Edited Mon, Jun 15, 4:45 PM

@alexandrestein Sorry, I didn't understand some of it, but I opened this task to track the 1.3 nptv6 progress, not the DHCP support of WireGuard. If you need this function or find that there is a bug in WireGuard's DHCP, you should submit a separate bug report task.

Maybe when the conditions are mature, nptv6 support will be implemented, which is expected.

edit: I'll go back to your reply. Maybe I misunderstood it, because you hadn't submitted your reply until now.

c-po added a comment. Mon, Jun 15, 5:15 PM

@alexandrestein can I assume you're using NPTv6 on the VyOS 1.2 series? If so, would you mind sharing an example/configuration so we can also improve our documentation?

c-po added a comment. Thu, Jun 25, 6:22 PM

nftables updated to 0.9.6, so the new nftables netmap feature can be used.

https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3

Maybe someone can hack up an nftables command line for NPTv6?

I checked the usage of netmap, but unfortunately I only found the equivalent configuration method for IPv4 on the wiki:

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

Hi @c-po!

Yes I'm using 1.2 series.

Here is my config:

set nat nptv6 rule 500 outbound-interface 'wg1'
set nat nptv6 rule 500 source prefix 'fc10::/20'
set nat nptv6 rule 500 translation prefix 'fc00::100/128'

I'm connecting two private networks.
The fc10::/20 is my local network.
fc00::1/128 is my address on the gateway network.

Do you need more of it?
The configuration is pretty simple.

I hope it helps.
Thanks for your work.
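As an added example (not VyOS code and not from anyone in this thread), here is the 1.2 "nat nptv6 rule 500" above written as an nftables ruleset using the netmap feature from the 0.9.6 commit c-po linked, i.e. the kind of command line c-po asked for. The interface name and both prefixes come from the posted config; the table and chain names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not VyOS's own implementation. Table/chain names are assumed.
table ip6 nptv6 {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # outbound-interface 'wg1', source prefix fc10::/20,
        # translation prefix fc00::100/128 (values from the thread).
        # netmap rewrites only the bits covered by the map value's prefix
        # length and keeps the remaining host bits of the original address.
        # With a /128 value there are no host bits left, so every source in
        # fc10::/20 is rewritten to fc00::100 (many-to-one); conntrack undoes
        # the translation for reply packets.
        oifname "wg1" snat ip6 prefix to ip6 saddr map { fc10::/20 : fc00::100/128 }
    }
}
```

For a true prefix-to-prefix NPT (RFC 6296 style, one-to-one), give the translation prefix the same length as the source prefix (a /20 for a /20) and add a mirrored `dnat ip6 prefix to ip6 daddr map { ... }` rule in a `type nat hook prerouting priority dstnat` chain so connections arriving on wg1 are mapped back into fc10::/20.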