From: Leo Shum
To: freebsd-net@freebsd.org
Date: Fri, 8 Feb 2008 15:02:15 -0800
Subject: Stateless IPv6 address translation NAT-PT?
Message-ID: <20080208230214.GE1017@dante01.u.washington.edu>
List-Id: Networking and TCP/IP with FreeBSD

Hi All,

I have a very specific networking setup need that I hope someone can help me with or give some suggestions on.
To put it in the simplest terms, I need to allow several scattered private networks to talk to each other. The network setup is like this: the border routers (machines) are running FreeBSD 6.2.

Network A IP is 192.168.1.x
Network B IP is 192.168.2.x
Network C IP is 192.168.3.x

How can I easily make the hosts in the 3 networks communicate? Two solutions come to my mind already, but they aren't optimal.

A) Set up a VPN that connects all three networks. The problem then is that I need to set up a VPN server somewhere, and that creates a star topology. This introduces a dependency, the VPN server, which is not really needed (security on the network level is not a requirement).

B) Set up tunnelling at the border FreeBSD machines. But then I need to set up tunnels for each pair of connected networks, A<->B, B<->C, and C<->A. This gets complicated quickly as there are a few more networks I need to connect.

More importantly, some machines in the networks require IPv6 connectivity. Network {A,B,C} each has an IPv6 /64 address block already, so those machines with IPv6 can communicate already. So now I am only concerned with the IPv4-only machines on the networks.

My idea is to piggyback on the address space of the v6 /64 blocks to allow the v4 machines to talk to each other, with the added benefit of communicating with the v6 machines. This seems to be solved easily by SIIT and stateless basic NAT-PT (1:1 mapping), correct? Yes, I know NAT-PT has been deprecated, but this seems to be the most straightforward solution.

For example, a host in net A, 192.168.1.2, needs to talk to a host in net B, 192.168.2.2, and assume net A has an IPv6 block of beef:cafe:0001::/64 and net B has beef:cafe:0002::/64. The tuple from 192.168.1.2 is

{ 192.168.1.2:9999 192.168.2.2:8888 }

translated by the FreeBSD router at Network A to:

{ [beef:cafe:0001::c0a8:0102]:9999 [beef:cafe:0002::c0a8:0202]:8888 }

The translation can (and should) be stateless and done statically.
The connection then becomes a routable v6 connection between the networks. When the IPv6 connection reaches the border router at Network B, it translates back down to the correct IPv4 tuple. Within the network I use a /96 prefix to differentiate whether a v6 address needs translation, i.e. a v4-only host and a v6 host will have different /96 prefixes. In this setup, I will need to install the v4/v6 prefix mapping table on each border router so they can translate and route properly. Conceptually this is no different from setting up tunnels for each and every connected network at the border routers, but it seems easier to manage and more capable, as it allows v4 and v6 communication.

The mapping will be like:

192.168.1.0/24 <=> beef:cafe:0001::c0a8:0100/120
192.168.2.0/24 <=> beef:cafe:0002::c0a8:0200/120
192.168.3.0/24 <=> beef:cafe:0003::c0a8:0300/120

I googled to death and still can't find a way to set this up. I can't find a NAT-PT implementation on FreeBSD that does 1:1 static mappings. Any idea how this can be done, or if there is a better solution?

Thanks,
Leo
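The address arithmetic behind the stateless 1:1 scheme described in the post above, as an added example that is not part of the original message and not code from any FreeBSD NAT-PT implementation. It uses Python's standard ipaddress module, the constructed prefix table from the post (192.168.{1,2,3}.0/24 embedded under beef:cafe:{1,2,3}::/96), and one check the post does not mention: on the way down, the IPv4 address embedded in the low 32 bits must belong to the /24 paired with that /96, otherwise a remote host could inject packets claiming an address inside another site's block. Only the addresses are handled here; a real translator also has to rewrite the IP header and recompute the TCP/UDP checksum against the new pseudo-header, as SIIT specifies.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed mapping table, following the prefixes used in the post.
# Each IPv4 /24 is paired with the IPv6 /96 under which its hosts are embedded:
# the 32-bit IPv4 address occupies the low 32 bits of the IPv6 address, so
# 192.168.1.0/24 lands at beef:cafe:1::c0a8:100/120, exactly as in the post.
MAPPINGS = [
    (ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv6Network("beef:cafe:1::/96")),
    (ipaddress.IPv4Network("192.168.2.0/24"), ipaddress.IPv6Network("beef:cafe:2::/96")),
    (ipaddress.IPv4Network("192.168.3.0/24"), ipaddress.IPv6Network("beef:cafe:3::/96")),
]


def v4_to_v6(addr: str) -> Optional[ipaddress.IPv6Address]:
    """Upward (stateless) translation: embed the IPv4 address in its network's /96.

    Returns None for addresses outside the mapping table, which the border
    router should not try to carry over the IPv6 path at all.
    """
    v4 = ipaddress.IPv4Address(addr)
    for net4, net6 in MAPPINGS:
        if v4 in net4:
            return ipaddress.IPv6Address(int(net6.network_address) | int(v4))
    return None


def v6_to_v4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Downward (stateless) translation with the consistency check a translator needs.

    Returns None both for native IPv6 addresses (no translation, route as-is)
    and for addresses inside a translation /96 whose embedded IPv4 address is
    not in the paired /24 (forged or misrouted; the packet should be dropped).
    """
    v6 = ipaddress.IPv6Address(addr)
    for net4, net6 in MAPPINGS:
        if v6 in net6:
            embedded = ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)
            # Assumption beyond the post: reject an embedded address that does
            # not belong to the /24 this /96 was assigned to.
            return embedded if embedded in net4 else None
    return None


def needs_translation(addr: str) -> bool:
    """The /96 discriminator from the post: is this a v4-only host's mapped address?"""
    v6 = ipaddress.IPv6Address(addr)
    return any(v6 in net6 for _, net6 in MAPPINGS)


Tuple4 = Tuple[str, int, str, int]


def translate_tuple_up(src: str, sport: int, dst: str, dport: int) -> Optional[Tuple4]:
    """Translate an IPv4 (src, sport, dst, dport) tuple as the router at the
    source network would; ports are carried unchanged in a 1:1 mapping."""
    s6, d6 = v4_to_v6(src), v4_to_v6(dst)
    if s6 is None or d6 is None:
        return None
    return (str(s6), sport, str(d6), dport)


def translate_tuple_down(src: str, sport: int, dst: str, dport: int) -> Optional[Tuple4]:
    """Reverse translation as the router at the destination network would do it.
    Any address that fails the embedded-prefix check makes the whole tuple invalid."""
    s4, d4 = v6_to_v4(src), v6_to_v4(dst)
    if s4 is None or d4 is None:
        return None
    return (str(s4), sport, str(d4), dport)


if __name__ == "__main__":
    up = translate_tuple_up("192.168.1.2", 9999, "192.168.2.2", 8888)
    print("up:  ", up)
    print("down:", translate_tuple_down(*up))
    # A packet inside net A's /96 that embeds a 192.168.5.x address is rejected.
    print("forged:", v6_to_v4("beef:cafe:1::c0a8:502"))
    # A native IPv6 host under the same /64 but outside the /96 is left alone.
    print("native needs translation:", needs_translation("beef:cafe:1:0:1234::5"))
```

Each router only needs the same MAPPINGS table installed; no per-flow state is kept, so the two directions can be handled by different routers without coordination, which is the property the post is after. The embedded-prefix check is cheap and is what keeps the scheme from turning every /96 into an open relay for spoofed private addresses.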