DS-Lite

This feature is supported in version 7.2.0 and later.

DS-Lite overview

Dual-Stack Lite (DS-Lite) is a solution that lets subscribers with private IPv4 addresses cross an IPv6 network and reach the IPv4 Internet: their IPv4 packets are carried to the carrier inside an IPv4 over IPv6 tunnel.

A customer premises device (CPE) that supports this technique encapsulates IPv4 packets inside IPv6 packets and sends them to the carrier's carrier-grade NAT (CGNAT). The CGNAT decapsulates them back into IPv4 packets, performs NAT, and forwards them to the IPv4 Internet. The CGNAT identifies each flow by the IPv6 source address, the private IPv4 address, and the TCP or UDP port number.

[Figure: DS-Lite overview]

Roles in DS-Lite:

B4 (Basic Bridging Broadband) and AFTR (Address Family Transition Router) are both dual-stack capable:

  • B4 creates the IPv4 over IPv6 tunnel and usually sits on the subscriber side (CPE).
  • AFTR terminates the IPv4 over IPv6 tunnel: it decapsulates the IPv4 over IPv6 packets and performs NAT. It is normally deployed on ISP equipment and is also called the BR (Border Relay).

Both IPv6 and IPv4 users reach the Internet of their respective IP stack normally:

  • IPv6 users reach the IPv6 Internet directly over the IPv6 path between the B4 and the AFTR.
  • IPv4 users reaching the IPv4 Internet have an outer IPv6 header added by the B4's IPv4 over IPv6 tunnel; at the AFTR the packet is decapsulated back into the original IPv4 traffic, which is NAT-translated and forwarded to the IPv4 Internet.

[Figure: DS-Lite roles]

Network topology

[Figure: network topology]

  1. Both the B4 and the AFTR (BR) are FortiGates, with an IPv4 over IPv6 tunnel (a VNE tunnel, Virtual Network Enabler, of type DS-Lite) configured between them.
  2. Traffic from IPv4 PC1 to the IPv4 Internet is encapsulated by the B4's VNE tunnel into IPv4 over IPv6 and sent to the AFTR; the AFTR decapsulates it back to IPv4, applies SNAT, and forwards it to the IPv4 Internet.
  3. Traffic from IPv6 PC2 to the IPv6 Internet is forwarded directly to the IPv6 Internet by the IPv6 stacks of the B4 and the AFTR.

Configuration steps

  1. Basic IPv4/IPv6 dual-stack network configuration (set up according to the topology; omitted here).

  2. On the B4 device, configure a VNE (Virtual Network Enabler) tunnel of type DS-Lite, bound to wan1 (the interface facing the AFTR), with the br address set to the AFTR's IPv6 address, and enable hardware acceleration for the DS-Lite tunnel.

    config system vne-tunnel
        set status enable
        set interface "wan1"
        set auto-asic-offload enable
        set br "2100::1"    //an FQDN can also be configured here//
        set mode ds-lite
    end
    
  3. On the AFTR device, configure the reverse VNE (Virtual Network Enabler) tunnel of type DS-Lite, bound to internal5 (the interface facing the B4), with the br address set to the B4's IPv6 address, and enable NP acceleration for the DS-Lite tunnel.

    config system vne-tunnel
        set status enable
        set interface "internal5"
        set auto-asic-offload enable
        set br "2100::2"    //an FQDN can also be configured here//
        set mode ds-lite
    end
    
  4. On the B4, configure the IPv4 and IPv6 default routes: the IPv4 default route points at the VNE tunnel, the IPv6 default route points at the AFTR.

    config router static
        edit 5
            set device "vne.root"
        next
    end
    config router static6
        edit 1
            set gateway 2100::1
            set device "wan1"
        next
    end
    
  5. On the AFTR device, configure the return IPv4 and IPv6 routes: the IPv4 route points at the VNE tunnel, the IPv6 route points at the B4.

    config router static
        edit 12
            set dst 192.168.100.0 255.255.255.0
            set device "vne.root"
        next
    end
    config router static6
        edit 1
            set dst 2200::/64
            set gateway 2100::2
            set device "internal5"
        next
    end
    
  6. On the B4, configure firewall policies that allow IPv4 traffic from lan to the VNE tunnel and IPv6 traffic from lan to wan1.

    config firewall policy
        edit 6
            set name "dslite"
            set srcintf "lan"
            set dstintf "vne.root"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
        edit 7
            set name "IPv6"
            set srcintf "lan"
            set dstintf "wan1"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
        next
    end
    
  7. On the AFTR device, configure firewall policies that allow IPv4 traffic from the VNE tunnel to wan1 with SNAT enabled, and IPv6 traffic from internal5 to wan1.

    config firewall policy
        edit 11
            set name "dslite"
            set srcintf "vne.root"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 12
            set srcintf "internal5"
            set dstintf "wan1"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
        next
    end
    

Verification

  1. Check the VNE tunnel state on the B4.

    B4 # diagnose test application vned 1
    ----------------------------------------------------------------------------
    vdom: root/0, is master, devname=wan1 link=1 tun=vne.root mode=fixed-ip ssl_cert=Fortinet_Factory
    end user ipv6 perfix: ::/0
    interface ipv6 addr: 2100::2
    config ipv4 perfix: 0.0.0.0/0.0.0.0
    config br: 2100::1
    tunnel br: 2100::1
    tunnel ipv6 addr: 2100::2
    tunnel ipv4 addr: 0.0.0.0/0.0.0.0
    DS-Lite rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
    fqdn=2100::1 num=1 cur=0 ttl=4294967295 expiry=0
    2100::1
    
  2. Check the VNE tunnel state on the AFTR device.

    AFTR # diagnose test application vned 1
    ----------------------------------------------------------------------------
    vdom: root/0, is master, devname=internal5 link=1 tun=vne.root mode=fixed-ip ssl_cert=Fortinet_Factory
    end user ipv6 perfix: ::/0
    interface ipv6 addr: 2100::1
    config ipv4 perfix: 0.0.0.0/0.0.0.0
    config br: 2100::2
    tunnel br: 2100::2
    tunnel ipv6 addr: 2100::1
    tunnel ipv4 addr: 0.0.0.0/0.0.0.0
    DS-Lite rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
    fqdn=2100::2 num=1 cur=0 ttl=4294967295 expiry=0
    2100::2
    
  3. From IPv4 PC1, access the IPv4 Internet while capturing packets on both the B4 and the AFTR. The original IPv4 packet arrives on the B4's lan interface, is sent into the VNE interface according to the IPv4 default route, receives a new IPv6 header from the VNE interface, and leaves wan1 towards the AFTR. The AFTR decapsulates it back to the original IPv4 packet, looks up the IPv4 default route, applies SNAT, and sends it out wan1. The return traffic follows the same path in reverse.

    B4 # diagnose sniffer packet any '(host 223.5.5.5 and icmp) or host 2100::1' 4
    interfaces=[any]
    filters=[(host 223.5.5.5 and icmp) or host 2100::1]
    9.415112 lan in 192.168.100.77 -> 223.5.5.5: icmp: echo request
    9.415202 vne.root out 192.168.100.77 -> 223.5.5.5: icmp: echo request
    9.415216 wan1 out 2100::2 -> 2100::1: 192.168.100.77 -> 223.5.5.5: icmp: echo request
    9.419797 vne.root in 223.5.5.5 -> 192.168.100.77: icmp: echo reply
    9.419828 lan out 223.5.5.5 -> 192.168.100.77: icmp: echo reply
    
    AFTR # diagnose sniffer packet any '(host 223.5.5.5 and icmp) or host 2100::2' 4
    interfaces=[any]
    filters=[(host 223.5.5.5 and icmp) or host 2100::2]
    3.640262 vne.root in 192.168.100.77 -> 223.5.5.5: icmp: echo request
    3.640354 wan1 out 172.22.5.77 -> 223.5.5.5: icmp: echo request
    3.644756 wan1 in 223.5.5.5 -> 172.22.5.77: icmp: echo reply
    3.644785 vne.root out 223.5.5.5 -> 192.168.100.77: icmp: echo reply
    3.644801 internal5 out 2100::1 -> 2100::2: 223.5.5.5 -> 192.168.100.77: icmp: echo reply
    
  4. View the session for the IPv4 traffic (the inner layer of the VNE tunnel) on the B4. The traffic is NP-offloaded, so no IPv6 session is visible.

    session info: proto=1 proto_state=00 duration=32 expire=28 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty npu f00 
    statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=42->52/52->42 gwy=223.5.5.5/192.168.100.77
    hook=pre dir=org act=noop 192.168.100.77:1->223.5.5.5:8(0.0.0.0:0)
    hook=post dir=reply act=noop 223.5.5.5:1->192.168.100.77:0(0.0.0.0:0)
    src_mac=00:e0:4c:b9:97:7c
    misc=0 policy_id=6 pol_uuid_idx=606 auth_info=0 chk_client_info=0 vd=0
    serial=007e0aab tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x84/0x81, offload=8/8, ips_offload=0/0, epid=66/95, ipid=95/66, vlan=0x0000/0x0000
    vlifid=95/245, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/1
    
    B4 # diagnose sys session6 list
    total session6 0:
    
  5. View the session for the IPv4 traffic (the inner layer of the VNE tunnel) on the AFTR. The traffic is NP-offloaded, so no IPv6 session is visible.

    session info: proto=1 proto_state=00 duration=238 expire=28 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty npu f00 
    statistic(bytes/packets/allow_err): org=12300/205/1 reply=12300/205/1 tuples=2
    tx speed(Bps/kbps): 51/0 rx speed(Bps/kbps): 51/0
    orgin->sink: org pre->post, reply pre->post dev=34->5/5->34 gwy=172.22.5.1/192.168.100.77
    hook=post dir=org act=snat 192.168.100.77:1->223.5.5.5:8(172.22.5.77:1)
    hook=pre dir=reply act=dnat 223.5.5.5:1->172.22.5.77:0(192.168.100.77:1)
    misc=0 policy_id=11 pol_uuid_idx=594 auth_info=0 chk_client_info=0 vd=0
    serial=005f4689 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x81/0x84, offload=8/8, ips_offload=0/0, epid=64/71, ipid=71/64, vlan=0x0000/0x0000
    vlifid=247/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/2
    
    AFTR # diagnose sys session6 list
    total session6 0:
    
  6. The corresponding DS-Lite IPv4 over IPv6 packet on the wire is plain IPv4 over IPv6 encapsulation, with no other protocol layer.

    [Figure: packet capture of the DS-Lite IPv4 over IPv6 packet]
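To make the encapsulation described in the overview and shown in the capture above concrete, the following Python (an example written for this page, not Fortinet or FortiOS code) builds a DS-Lite packet the way the B4 does, decapsulates and validates it the way the AFTR does, and derives the flow key the CGNAT keeps. It reuses the page's addresses; the ICMP checksum being left at zero and the ICMP identifier standing in for a port are assumptions of this example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IPv6 Next Header value for IPv4-in-IPv6: the only layer DS-Lite adds

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header; evaluates to 0 on a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet without options, as PC1 would send it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def b4_encapsulate(b4_v6: str, aftr_v6: str, ipv4_packet: bytes) -> bytes:
    """B4 side: prepend one IPv6 header with Next Header = 4 and nothing else."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_packet), IPPROTO_IPIP, 64,
                      ipaddress.IPv6Address(b4_v6).packed,
                      ipaddress.IPv6Address(aftr_v6).packed)
    return hdr + ipv4_packet

def aftr_decapsulate(packet: bytes):
    """AFTR side: validate the outer header, return (B4 IPv6 source, inner IPv4 packet)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", packet[4:7])
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("next header %d is not IPv4-in-IPv6" % next_hdr)
    inner = packet[40:40 + payload_len]
    if len(inner) < 20 or ipv4_checksum(inner[:20]) != 0:
        raise ValueError("inner IPv4 header is truncated or corrupt")
    return str(ipaddress.IPv6Address(packet[8:24])), inner

def aftr_flow_key(b4_v6: str, inner: bytes) -> tuple:
    """Flow identity the CGNAT keeps: B4 IPv6 source, private IPv4 source, protocol, port."""
    proto = inner[9]
    l4 = 24 if proto == 1 else 20  # ICMP echo identifier stands in for a port (assumption)
    port_or_id = struct.unpack("!H", inner[l4:l4 + 2])[0]
    return b4_v6, str(ipaddress.IPv4Address(inner[12:16])), proto, port_or_id

# Constructed sample mirroring the capture: PC1 192.168.100.77 pings 223.5.5.5 through
# the 2100::2 -> 2100::1 tunnel. ICMP checksum is left at zero (not validated here).
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
SAMPLE = b4_encapsulate("2100::2", "2100::1",
                        build_ipv4("192.168.100.77", "223.5.5.5", 1, ICMP_ECHO))
```

Feeding a packet whose outer Next Header is anything other than 4, or whose inner IPv4 header fails its checksum, makes aftr_decapsulate raise instead of forwarding, which is the check an AFTR applies before any NAT happens.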

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2024-01-25 10:32:10
