
I am currently using iptables for my home lab router and would like to add IPv6. I have 2 ISPs.

My first ISP assigns a /128 to the interface and the ability to request /56. ISP1 is connected to eno1.

My second ISP assigns a /128 to the interface and the ability to request /64. ISP2 is connected to eno2.

My LAN is enp2s0f0.

How can I get the clients on my LAN to use a ULA IP range that "maps" to the IPv6 ranges assigned dynamically to eno1 and eno2? I am thinking I can use some form of policy routing at the edge to route traffic through each ISP.

ensnare

2 Answers


I don't have a full example, as "netmap" was only added to nftables relatively recently. The kernel part, "netfilter: nft_nat: add netmap support", is in Linux 5.8. User tools are similarly new as of last year: "src: add netmap support". Based on the commit message, I think snat now supports saddr maps with CIDR prefixes.

This might be simpler and a tiny bit faster without translation. Consider not using NPT. Advertise both prefixes, and hosts have addresses from each. Optionally, generate a ULA prefix for internal static addressing, but don't map it to public prefixes.

This is a lab, maybe try with NPT and without.

John Mahowald
  • Thanks John, this was very helpful. I got it working with iptables -j NETMAP. I'm running the 5.10 kernel, but maybe it's just nftables that requires the newer kernel? – ensnare Jan 19 '21 at 03:04
  • I'm considering a similar situation, and my concern with allowing each host to have two GUAs, is that source-address-based routing would be needed to get the outbound traffic to transit the proper ISP link. More importantly, if one of those links is inoperable, applications may still choose the GUA associated with that link, as they have no way of knowing that they should 'fall back' to the other GUA. – Kevin P. Fleming Oct 10 '21 at 00:39

I was able to get this to work with iptables.

cat /etc/radvd.conf

    interface enp2s0f0 {
        AdvSendAdvert on;
        AdvManagedFlag on;

        prefix fd8a:9ae9:9as8:b8d::1/64 {
        };

        RDNSS fd8a:9ae9:9as8:b8d::1 {
        };

        DNSSL home.example.com {
        };
    };

In my dhcpcd.conf file

    interface enp2s0f0
        static ip_address=10.1.0.1/16
        static routers=10.1.0.1
        static domain_name_servers=8.8.8.8 8.8.4.4
        noipv6rs

    interface eno1
        metric 10
        ipv6rs
        ia_na 1
        ia_pd 1/::/64 enp2s0f0/0/64

And in my iptables script:

    $IP6TABLES -t nat -A POSTROUTING -s fd8a:9ae9:9as8:b8d::1/64 -o eno1 -j NETMAP --to 2604:2000:3201:d991::1/64
    $IP6TABLES -t nat -A PREROUTING -d 2604:2000:3201:d991::1/64 -i eno1 -j NETMAP --to fd8a:9ae9:9as8:b8d::1/64

I think I did this correctly -- all seems to be working.

ensnare
  • I'm having an issue where hosts on the network access websites using the IPv4 address first, and IPv6 address only if necessary (e.g. ipv6.google.com). I'm wondering if by using the ULA address, that somehow "deprioritizes" IPv6 to IPv4? Any input greatly appreciated. – ensnare Jan 19 '21 at 03:16
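The NETMAP pair in the answer above hard-codes the delegated GUA prefix, which both ISPs hand out dynamically, so the rules go stale when the lease changes. The following is an added example, not code from either answer: a dhcpcd exit hook that recomputes the ULA-to-GUA NETMAP pair for whichever WAN interface just received a prefix and replaces the previous pair atomically enough for a home lab. It assumes (these are not stated on the page) that dhcpcd exports the first delegated prefix as `new_dhcp6_ia_pd1_prefix1` / `new_dhcp6_ia_pd1_prefix1_length` and invokes the hook with `$reason` and `$interface` set; check dhcpcd-run-hooks(8) for your version. The ULA `fd12:3456:789a:1::/64`, the GUA `2001:db8:1234:5600::/56` and the `npt-<iface>` comment tag are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers). dhcpcd exit hook that
# rebuilds the ip6tables NETMAP pair for a WAN interface from its current
# delegated prefix. Install as /etc/dhcpcd.exit-hook.
# Assumptions: dhcpcd exports $reason, $interface and the first IA_PD as
# $new_dhcp6_ia_pd1_prefix1 / $new_dhcp6_ia_pd1_prefix1_length.

ULA_NET="${ULA_NET:-fd12:3456:789a:1::/64}"   # constructed LAN ULA /64
WAN_IFACES="${WAN_IFACES:-eno1 eno2}"          # WAN interfaces we translate on

# first64 <prefix/len>: the first /64 of a delegated prefix. For a /56 PD the
# network address already has the low bits zero, so swapping the length gives
# the first /64; for a /64 PD it is the prefix itself. Longer prefixes cannot
# carry a whole /64 ULA and are rejected.
first64() {
    addr="${1%%/*}"
    len="${1##*/}"
    if [ "$len" -gt 64 ]; then
        echo "first64: delegated prefix $1 is longer than /64" >&2
        return 1
    fi
    printf '%s/64\n' "$addr"
}

# netmap_rulespecs <ula/64> <gua/64> <wan>: print the two rule specifications
# (one per line, without -A/-D) so identical text serves both add and delete.
# Each rule carries a comment tag so it can be found again later.
netmap_rulespecs() {
    ula="$1"; gua="$2"; wan="$3"
    printf 'POSTROUTING -s %s -o %s -m comment --comment npt-%s -j NETMAP --to %s\n' \
        "$ula" "$wan" "$wan" "$gua"
    printf 'PREROUTING -d %s -i %s -m comment --comment npt-%s -j NETMAP --to %s\n' \
        "$gua" "$wan" "$wan" "$ula"
}

# replace_netmap <wan> <gua/64>: remove every rule tagged npt-<wan>, then
# install the fresh pair. Idempotent, so it is safe on every lease event.
replace_netmap() {
    wan="$1"; gua="$2"
    # ip6tables -S prints rules as "-A CHAIN ..."; turn each tagged one into a
    # delete. The trailing space in the pattern keeps eno1 from matching eno10.
    # The tag contains no whitespace, so word-splitting the line is safe.
    ip6tables -t nat -S | grep -- "--comment npt-$wan " | while IFS= read -r line; do
        # shellcheck disable=SC2086
        ip6tables -t nat -D ${line#-A }
    done
    netmap_rulespecs "$ULA_NET" "$gua" "$wan" | while IFS= read -r spec; do
        # shellcheck disable=SC2086
        ip6tables -t nat -A $spec
    done
}

# Hook entry point: act only for a configured WAN interface on lease events.
hook_main() {
    [ -n "${interface:-}" ] || return 0
    case " $WAN_IFACES " in *" $interface "*) ;; *) return 0 ;; esac
    case "${reason:-}" in BOUND6|REBIND6|RENEW6) ;; *) return 0 ;; esac
    pd_addr="${new_dhcp6_ia_pd1_prefix1:-}"
    pd_len="${new_dhcp6_ia_pd1_prefix1_length:-}"
    [ -n "$pd_addr" ] && [ -n "$pd_len" ] || return 0
    gua="$(first64 "$pd_addr/$pd_len")" || return 1
    replace_netmap "$interface" "$gua"
}

hook_main
```

Two things to keep in mind when pairing this with a filter policy. NETMAP in the nat table does not filter anything: the PREROUTING rule rewrites the destination before the FORWARD chain runs, so inbound FORWARD rules must match the ULA range (`-d fd12:3456:789a:1::/64`), not the GUA, and a default-drop FORWARD policy is still required or the translation exposes every LAN host. Also, xt_NETMAP is a plain prefix rewrite with checksums recomputed by the nat core, not the checksum-neutral mapping of RFC 6296 NPTv6; for a single /64 this makes no practical difference, but it is why the second answer's "NPT" works at all with iptables.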