Date:      Fri, 8 Feb 2008 15:02:15 -0800
From:      Leo Shum <shum+fbsd@u.washington.edu>
To:        freebsd-net@freebsd.org
Subject:   Stateless IPv6 address translation NAT-PT?
Message-ID:  <20080208230214.GE1017@dante01.u.washington.edu>

Hi All,

I have a very specific networking setup need that I hope someone can
help me with or give some suggestions on.

To put it in the simplest terms, I need to allow several scattered
private networks to talk to each other.

The network setup is like this:  the border routers (machines) are running
FreeBSD 6.2

NetworkA IP is 192.168.1.x
NetworkB IP is 192.168.2.x
NetworkC IP is 192.168.3.x

How can I easily make the hosts in the 3 networks communicate?  Two
solutions come to my mind already, but they aren't optimal.

A)  set up a VPN that connects all three networks.  The problem then is that
I need to set up a VPN server somewhere, and this creates a star topology.
This introduces a dependency, the VPN server, which is not really needed
(security on the network level is not a requirement).

B)  set up tunnelling at the border FreeBSD machines.  But then I need to
set up tunnels for each connecting network, A<->B, B<->C, and C<->A.  This
gets complicated quickly as there are a few more networks I need to connect.

More importantly, some machines in the networks require IPv6 connectivity.
Network{A,B,C} each has an IPv6 /64 address already so those machines with
IPv6 can communicate already.

So now I am only concerned with the IPv4 only machines on the networks.
My idea is to piggyback on the address space of the v6 /64 address space to
allow the v4 machines to talk to each other, with the added benefit of
communicating with the v6 machines.


This seems to be solved easily by SIIT and stateless basic NAT-PT
(1:1 mapping), correct?  Yes I know NAT-PT has been deprecated but this
seems to be the most straightforward solution.

For example, a host in netA 192.168.1.2 needs to talk to a host in netB
192.168.2.2 and assuming netA has an IPv6 block of beef:cafe:0001::/64 and
netB has beef:cafe:0002::/64

The tuple from 192.168.1.2 is { 192.168.1.2:9999 192.168.2.2:8888 },
translated by the FreeBSD router at Network A to:
{ [beef:cafe:0001::c0a8:0102]:9999 [beef:cafe:0002::c0a8:0202]:8888 }
The translation can (and should) be stateless and done statically.  The
connection then becomes a routable v6 connection between the networks.

When the IPv6 connection reaches the border router at Network B, it
translates back down to the correct IPv4 tuple.  Within the network I use
a /96 prefix to differentiate whether a v6 address needs translation,
i.e. a v4-only host and a v6 host will have different /96 prefixes.

In this setup, I will need to install the v4/v6 prefix mapping table on
each border router so they can translate and route properly.  Conceptually
this is no different than setting up tunnels for each and every connected
network at the border routers, but it seems easier to manage and
more capable as it allows v4 and v6 communication.
The mapping will be like:

192.168.1.0/24 <=> beef:cafe:0001::c0a8:0100/120
192.168.2.0/24 <=> beef:cafe:0002::c0a8:0200/120
192.168.3.0/24 <=> beef:cafe:0003::c0a8:0300/120


I googled to death and still can't find a way to set this up.  I can't find
a NAT-PT implementation on FreeBSD that does 1:1 static mappings.


Is there any idea how this can be done, or if there is a better solution?


Thanks,


Leo
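The stateless mapping the post sketches (the /24 <=> /120 table, the outbound tuple rewrite at router A and the inverse at router B, plus the /96 test for "does this v6 address need translation at all") can be checked as a pure function of the address with Python's standard `ipaddress` module. This is an added example written for this page, not the poster's code and not a FreeBSD facility; the prefixes are the ones from the mail (beef:cafe::/32 is the post's illustrative value, not a real allocation), and function names such as `translate_outbound` are the example's own.

```python
"""Stateless 1:1 IPv4 <-> IPv6 address mapping as sketched in the post.

Added example, not the poster's code.  Each private /24 is embedded in the
low 32 bits of a /96 carved out of that site's IPv6 /64 (the post's
beef:cafe:000N::c0a8:0N00/120 table), so translation is a pure function of
the address and the border router keeps no per-flow state.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

# Mapping table installed on every border router, taken from the post.
MAPPING = {
    IPv4Network("192.168.1.0/24"): IPv6Network("beef:cafe:0001::c0a8:0100/120"),
    IPv4Network("192.168.2.0/24"): IPv6Network("beef:cafe:0002::c0a8:0200/120"),
    IPv4Network("192.168.3.0/24"): IPv6Network("beef:cafe:0003::c0a8:0300/120"),
}

V4_MASK = 0xFFFF_FFFF  # the embedded IPv4 address lives in the low 32 bits


def translation_prefix(v6_net: IPv6Network) -> IPv6Network:
    """The /96 that marks 'this address carries an embedded IPv4 host'."""
    return v6_net.supernet(new_prefix=96)


def needs_translation(addr) -> bool:
    """True if addr is inside a translation /96; native v6 hosts use other /96s."""
    addr = IPv6Address(addr)
    return any(addr in translation_prefix(v6_net) for v6_net in MAPPING.values())


def v4_to_v6(addr) -> IPv6Address:
    """Outbound direction: embed the IPv4 address in its site's /96."""
    addr = IPv4Address(addr)
    for v4_net, v6_net in MAPPING.items():
        if addr in v4_net:
            base = int(translation_prefix(v6_net).network_address)
            return IPv6Address(base | int(addr))
    raise ValueError(f"{addr} is not in any mapped IPv4 network")


def v6_to_v4(addr) -> IPv4Address:
    """Inbound direction: recover the IPv4 address from the low 32 bits.

    The address must sit inside the full /120, which guarantees that the
    embedded host really belongs to the /24 mapped to this prefix; anything
    else in the /96 is rejected rather than turned into a bogus IPv4 host.
    """
    addr = IPv6Address(addr)
    for v6_net in MAPPING.values():
        if addr in v6_net:
            return IPv4Address(int(addr) & V4_MASK)
    raise ValueError(f"{addr} is not a translated address; deliver natively")


def translate_outbound(src4, sport, dst4, dport):
    """IPv4 tuple seen at Network A -> IPv6 tuple routed between the sites."""
    return (v4_to_v6(src4), sport, v4_to_v6(dst4), dport)


def translate_inbound(src6, sport, dst6, dport):
    """IPv6 tuple arriving at Network B -> the original IPv4 tuple."""
    return (v6_to_v4(src6), sport, v6_to_v4(dst6), dport)


if __name__ == "__main__":
    out = translate_outbound("192.168.1.2", 9999, "192.168.2.2", 8888)
    print("at router A:", out)
    print("at router B:", translate_inbound(str(out[0]), out[1], str(out[2]), out[3]))
    # A native v6 host in the site's /64 but outside the translation /96.
    print("native host needs translation?", needs_translation("beef:cafe:1:0:1::1"))
```

Only the address mapping is shown here; a real SIIT-style translator also rewrites the IP header itself and must recompute the TCP/UDP checksum, because the pseudo-header covers the (now 128-bit) addresses. The explicit /120 check in `v6_to_v4` is the kind of input validation a border router wants, so that a packet with an arbitrary low 32 bits inside the /96 cannot be turned into traffic for a host outside the mapped /24.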


