
natd: Add support for RFC 6598/Carrier Grade NAT subnets via libalias
Accepted · Public

Authored by neel_neelc.org on Jan 25 2020, 3:12 AM.

Details

Reviewers
melifaro
ae
rgrimes
adrian
Group Reviewers
manpages
Summary

Add support for RFC 6598/Carrier Grade NAT address ranges (100.64.0.0/10) in natd by adding a natd flag -unregistered_cgn and its short version -c. This is similar to the -unregistered_only option for RFC 1918; the new option covers the RFC 1918 subnets as well as 100.64.0.0/10.

This extends upon r357092 where we added support for RFC 6598 subnets in libalias and ipfw.

Submitted by: Neel Chauhan <neel AT neelc DOT org>

Test Plan
  1. Compile HEAD with this patch applied.
  2. Add the following to /etc/rc.conf:

ifconfig_lan0="inet 100.64.0.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="wan0"
natd_flags="-unregistered_cgn"

Replace wan0 with your WAN interface, and lan0 with your LAN interface.

  3. Connect clients to the LAN attached to lan0 in the 100.64.0.0/24 subnet, with a default gateway of 100.64.0.1.
  4. Clients should now reach the Internet through your Carrier Grade NAT via natd.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

neel_neelc.org created this revision. Jan 25 2020, 3:12 AM
bcr accepted this revision as: manpages. Jan 25 2020, 10:34 AM
bcr added a subscriber: bcr.

Manpage looks good, don't forget to bump the .Dd when you commit.
Thanks for adding this support!

rgrimes added a subscriber: rgrimes. Jul 4 2020, 4:06 PM

Is it possible to do cgn without rfc1918? I think the changes should allow for that configuration.

> Is it possible to do cgn without rfc1918? I think the changes should allow for that configuration.

Theoretically, you can do CGN (or NAT) on any subnet.

But you generally do it on special subnets like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 for RFC 1918, or 100.64.0.0/16 for CGN/RFC 6598.

The reason for special NAT subnets like RFC 1918/6598 is so you don't accidentally allocate "internal" networks using public subnets, or require RIRs to allocate separate networks to each ISP for NAT use.

This patch just adds 100.64.0.0/10 (RFC 6598) as an option to natd, so we don't break natd users who need 100.64.0.0/10 as a WAN address.
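The reply above lists the RFC 1918 and RFC 6598 ranges that the -unregistered_only and -unregistered_cgn modes distinguish. The following is an added illustration, not natd or libalias code from this revision: it classifies an IPv4 source address into those ranges and models which sources each natd mode would select for translation. The function names, the enum, and the mode model (no flag: alias everything; -unregistered_only: RFC 1918 only; -unregistered_cgn: RFC 1918 or RFC 6598) are assumptions of the example drawn from the summary; the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/*
 * Added illustration: which IPv4 source addresses natd's
 * -unregistered_only (RFC 1918) and -unregistered_cgn (RFC 1918 plus
 * RFC 6598) modes would select for translation. The functions and the
 * mode model below are assumptions for this example; they are not
 * natd or libalias code.
 */

enum addr_class { ADDR_PUBLIC = 0, ADDR_RFC1918 = 1, ADDR_RFC6598 = 2 };

struct prefix {
    uint32_t net;   /* network address, host byte order */
    uint32_t mask;  /* netmask, host byte order */
    enum addr_class cls;
};

/* RFC 1918 private ranges and the RFC 6598 shared address space. */
static const struct prefix prefixes[] = {
    { 0x0A000000u, 0xFF000000u, ADDR_RFC1918 }, /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u, ADDR_RFC1918 }, /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u, ADDR_RFC1918 }, /* 192.168.0.0/16 */
    { 0x64400000u, 0xFFC00000u, ADDR_RFC6598 }, /* 100.64.0.0/10  */
};

/* Classify an IPv4 address (host byte order); the ranges do not overlap,
 * so the first matching prefix decides. */
enum addr_class classify_addr(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++) {
        if ((addr & prefixes[i].mask) == prefixes[i].net)
            return prefixes[i].cls;
    }
    return ADDR_PUBLIC;
}

/*
 * Model of natd's source selection (assumption based on the summary):
 * with neither flag every packet is aliased; -unregistered_only limits
 * aliasing to RFC 1918 sources; -unregistered_cgn limits it to RFC 1918
 * or RFC 6598 sources.
 */
bool natd_should_alias(uint32_t src, bool unregistered_only, bool unregistered_cgn)
{
    enum addr_class cls = classify_addr(src);

    if (unregistered_cgn)
        return cls == ADDR_RFC1918 || cls == ADDR_RFC6598;
    if (unregistered_only)
        return cls == ADDR_RFC1918;
    return true;
}

/* Parse dotted-quad text into host byte order; false on malformed input. */
bool parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr ia;
    if (inet_pton(AF_INET, text, &ia) != 1)
        return false;
    *out = ntohl(ia.s_addr);
    return true;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the review. */
    const char *samples[] = { "10.1.2.3", "172.31.9.9", "100.64.0.1",
                              "100.127.255.254", "100.128.0.1", "203.0.113.7" };
    static const char *names[] = { "public", "rfc1918", "rfc6598" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t a;
        if (!parse_ipv4(samples[i], &a))
            continue;
        printf("%-16s %-8s unregistered_only=%d unregistered_cgn=%d\n",
               samples[i], names[classify_addr(a)],
               natd_should_alias(a, true, false),
               natd_should_alias(a, false, true));
    }
    return 0;
}
```

The /10 mask (0xFFC00000) is what separates 100.64.0.0 through 100.127.255.255 from the public space that starts at 100.128.0.0; a check written against /16 would miss most of the RFC 6598 range, which is the kind of boundary a table-driven classifier makes easy to verify.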

neel_neelc.org added a subscriber: network.
adrian accepted this revision. Jul 4 2020, 10:43 PM
This revision is now accepted and ready to land. Jul 4 2020, 10:43 PM