On Jan 7, 2005, at 13:38, Alastair McKinstry wrote:
I was wondering could you please suggest a solution to a NAT problem. I work at a WISP, with a number of Points of Presence with localsubnets, reaced by a public gateway. That is, we have Access points withaddresses in the 192.168.1.0/24 range, with a gateway with a public IP, eg. 1.2.3.4. I would like to be able to reach those APs to configure them. The solution I am investigating is using IPv6, setting up a tunnel onthe public (Debian GNU/Linux) gateway, offering 2002:0102:0304:: routes.I would then NAT the APs, so that 192.168.1.1 <--> 2002:0102:0304::$mac1 192.168.1.2 <--> 2002:0102:0304::$mac2. etc.I can put the AAAA records in DNS by hand; DNS is not a problem, but howcan I do the NATting?
This sounds kind of like the "faithd" service in the KAME IPv6 code. I haven't used it yet, but if I understand the docs properly, you route a /96 prefix to a "faith" interface, and run "faithd" to listen on a certain TCP port number in that subnet. When a connection comes in, it forwards the connection to the IPv4 address indicated in the last 32 bits of the destination address.
"For example, if
3ffe:0501:4819:ffff:: is reserved for faithd, and the TCPv6
destination
address is 3ffe:0501:4819:ffff::0a01:0101, the traffic will be
relayed to
IPv4 destination 10.1.1.1."
So you might have 2002:0102:0304:<something>:c0a8:0101 and
2002:0102:0304:<something>:c0a8:0102 and so forth for your APs behind
global address 1.2.3.4, and if you have another set of access points
behind 1.2.3.5, then you get 2002:0102:0305:<something>:c0a8:0101, etc.
Is that what you are looking for?
Unfortunately, I don't think that part of the KAME code is available for Linux, because it depends on the kernel "faith" driver for BSD. (My Linux boxes are IPv6 clients, but my router is NetBSD, so I'm less familiar with the Linux gateway support.) But the docs describe it basically as an implementation of RFC 3142, so searching on that turned up for me a mention of a package "pTRTd" (www.litech.org/ptrtd/, v6web.litech.org/ptrtd/) which also seems to do this same sort of thing, though the last update to it was in 2002. It also claims to be buggy, possibly insecure, and not suitable for use on the public network, but that doesn't seem to stop some people from recommending it. Use it at your own risk...
Other non-IPv6 options you might consider, depending what the admin interface on the APs is:
- TCP forwarding from 1.2.3.4 port 8000+x to 192.168.1.x port 80 by running TCP forwarders from inetd, or in the kernel NAT setup - run an Apache server on 1.2.3.4 that forwards requests for /APAdmin/192.168.1.2/foo to http(s)://192.168.1.2/foo - build accounts ap<n> on the gateway that you can ssh into with a shell that connect you straight to access point <n> via ssh or telnet
Hope this helps... Ken