2

I am currently using iptables for my home lab router and would like to add IPv6. I have 2 ISPs.

My first ISP assigns a /128 to the interface and the ability to request /56. ISP1 is connected to eno1.

My second ISP assigns a /128 to the interface and the ability to request /64. ISP2 is connected to eno2.

My LAN is enp2s0f0.

How can I get the clients on my LAN to use a ULA IP range that "maps" to the IPv6 ranges assigned dynamically to eno1 and eno2? I am thinking I can use some form of policy routing at the edge to route traffic through each ISP.

ensnare

2 Answers

1

I don't have a full example, as "netmap" was only added to nftables relatively recently. Kernel part, "netfilter: nft_nat: add netmap support", is in Linux 5.8. User tools are similarly new as of last year, src: add netmap support. Based on the commit message, I think snat now supports saddr maps with CIDR prefixes.

This might be simpler and a tiny bit faster without translation. Consider not using NPT. Advertise both prefixes, and hosts have addresses from each. Optionally, generate a ULA prefix for internal static addressing, but don't map it to public prefixes.

This is a lab, maybe try with NPT and without.

John Mahowald
1

I was able to get this to work with iptables.

cat /etc/radvd.conf

interface enp2s0f0 {
    AdvSendAdvert on;
    AdvManagedFlag on;

    prefix fd8a:9ae9:9as8:b8d::1/64 {
    };

    RDNSS fd8a:9ae9:9as8:b8d::1 {
    };

    DNSSL home.example.com {
    };
};

In my dhcpcd.conf file

interface enp2s0f0
    static ip_address=10.1.0.1/16
    static routers=10.1.0.1
    static domain_name_servers=8.8.8.8 8.8.4.4
    noipv6rs

interface eno1
    metric 10
    ipv6rs
    ia_na 1
    ia_pd 1/::/64 enp2s0f0/0/64

And in my iptables script:

$IP6TABLES -t nat -A POSTROUTING -s fd8a:9ae9:9as8:b8d::1/64 -o eno1 -j NETMAP --to 2604:2000:3201:d991::1/64
$IP6TABLES -t nat -A PREROUTING -d 2604:2000:3201:d991::1/64 -i eno1 -j NETMAP --to fd8a:9ae9:9as8:b8d::1/64

I think I did this correctly -- all seems to be working.

ensnare
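Because both ISP prefixes are assigned dynamically, the two NETMAP rules above have to be regenerated whenever a prefix changes, once per uplink. The following is an added example, not part of either answer: a shell sketch that prints the rule pair for each WAN interface and refuses mismatched prefix lengths. The function names `prefix_len` and `netmap_rules`, the sample prefixes, and the two FORWARD rules (which keep the inbound mapping from exposing LAN hosts to new connections) are assumptions of this example.

```shell
#!/bin/sh
# Added example: print ip6tables rules for a 1:1 ULA <-> delegated-prefix NETMAP.
# Nothing is applied here; review the output before feeding it to a shell.

# prefix_len PREFIX/LEN -> prints LEN; fails if LEN is missing or not 1..128.
prefix_len() {
    case "$1" in
        */*) len=${1##*/} ;;
        *)   return 1 ;;
    esac
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -ge 1 ] && [ "$len" -le 128 ] || return 1
    printf '%s\n' "$len"
}

# netmap_rules WAN_IF LAN_IF ULA_PREFIX GLOBAL_PREFIX
netmap_rules() {
    wan=$1 lan=$2 ula=$3 gua=$4
    ula_len=$(prefix_len "$ula") || { echo "bad ULA prefix: $ula" >&2; return 2; }
    gua_len=$(prefix_len "$gua") || { echo "bad global prefix: $gua" >&2; return 2; }
    # NETMAP rewrites only the network bits and keeps the host bits,
    # so the two prefixes must be the same size.
    if [ "$ula_len" -ne "$gua_len" ]; then
        echo "prefix lengths differ: /$ula_len vs /$gua_len" >&2
        return 3
    fi
    # The PREROUTING mapping translates every address in the global prefix,
    # so new inbound connections are dropped in FORWARD (assumes no earlier
    # rule in that chain already accepts them).
    cat <<EOF
ip6tables -t nat -A POSTROUTING -s $ula -o $wan -j NETMAP --to $gua
ip6tables -t nat -A PREROUTING -d $gua -i $wan -j NETMAP --to $ula
ip6tables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $wan -o $lan -j DROP
EOF
}

# Constructed sample values: one ULA /64 mapped to a /64 behind each ISP.
netmap_rules eno1 enp2s0f0 fd00:1:2:3::/64 2001:db8:aaaa:1::/64
netmap_rules eno2 enp2s0f0 fd00:1:2:3::/64 2001:db8:bbbb:2::/64
```

Which uplink a given flow leaves through is still decided by routing; the `-o` match only selects the translation that belongs to that interface.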