[vpp.git] / docs / usecases / hgw.md

Using VPP as a Home Gateway
===========================

Vpp running on a small system (with appropriate NICs) makes a fine
home gateway. The resulting system performs far in excess of
requirements: a debug image runs at a vector size of \~1.2 terminating
a 150-mbit down / 10-mbit up cable modem connection.

At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
can use dnsmasq.

System configuration files
--------------------------

/etc/vpp/startup.conf:

    unix {
      nodaemon
      log /var/log/vpp/vpp.log
      full-coredump
      cli-listen /run/vpp/cli.sock
      startup-config /setup.gate
      poll-sleep-usec 100
      gid vpp
    }
    api-segment {
      gid vpp
    }
    dpdk {
         dev 0000:03:00.0
         dev 0000:14:00.0
         etc.
     }

     plugins {
       ## Disable all plugins, selectively enable specific plugins
           ## YMMV, you may wish to enable other plugins (acl, etc.)
       plugin default { disable }
       plugin dpdk_plugin.so { enable }
       plugin nat_plugin.so { enable }
           ## if you plan to use the time-based MAC filter
       plugin mactime_plugin.so { enable }
     }

/etc/dhcp/dhcpd.conf:

    subnet 192.168.1.0 netmask 255.255.255.0 {
      range 192.168.1.10 192.168.1.99;
      option routers 192.168.1.1;
      option domain-name-servers 8.8.8.8;
    }

If you decide to enable the vpp dns name resolver, substitute
192.168.1.2 for 8.8.8.8 in the dhcp server configuration.

/etc/default/isc-dhcp-server:

    # On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
    # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
    INTERFACESv4="lstack"
    INTERFACESv6=""

/etc/ssh/sshd\_config:

    # What ports, IPs and protocols we listen for
    Port <REDACTED-high-number-port>
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

For your own comfort and safety, do NOT allow password authentication
and do not answer ssh requests on port 22. Experience shows several hack
attempts per hour on port 22, but none (ever) on random high-number
ports.

Systemd configuration
---------------------

In a typical home-gateway use-case, vpp owns the one-and-only WAN link
with a prayer of reaching the public internet. Simple things like
updating distro software requires use of the \"lstack\" interface
created above, and configuring a plausible upstream DNS name resolver.

Configure /etc/systemd/resolved.conf as follows.

/etc/systemd/resolved.conf:

    [Resolve]
    DNS=8.8.8.8
    #FallbackDNS=
    #Domains=
    #LLMNR=no
    #MulticastDNS=no
    #DNSSEC=no
    #Cache=yes
    #DNSStubListener=yes

Netplan configuration
---------------------

If you want to configure a static IP address on one of your home-gateway
Ethernet ports on Ubuntu 18.04, you\'ll need to configure netplan.
Netplan is relatively new. It and the network manager GUI and can be
cranky. In the configuration shown below,
s/enp4s0/\<your-interface\>/\...

/etc/netplan-01-netcfg.yaml:

    # This file describes the network interfaces available on your system
    # For more information, see netplan(5).
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp4s0:
          dhcp4: no
          addresses: [192.168.2.254/24]
          gateway4: 192.168.2.100
          nameservers:
            search: [my.local]
            addresses: [8.8.8.8]

/etc/systemd/network-10.enp4s0.network:

    [Match]
    Name=enp4s0

    [Link]
    RequiredForOnline=no

    [Network]
    ConfigureWithoutCarrier=true
    Address=192.168.2.254/24

Note that we\'ve picked an IP address for the home gateway which is on
an independent unrouteable subnet. This is handy for installing (and
possibly reverting) new vpp software.

VPP Configuration Files
-----------------------

Here we see a nice use-case for the vpp debug CLI macro expander:

/setup.gate:

    define HOSTNAME vpp1
    define TRUNK GigabitEthernet3/0/0

    comment { Specific MAC address yields a constant IP address }
    define TRUNK_MACADDR 48:f8:b3:00:01:01
    define BVI_MACADDR 48:f8:b3:01:01:02

    comment { inside subnet 192.168.<inside_subnet>.0/24 }
    define INSIDE_SUBNET 1

    define INSIDE_PORT1 GigabitEthernet6/0/0
    define INSIDE_PORT2 GigabitEthernet6/0/1
    define INSIDE_PORT3 GigabitEthernet8/0/0
    define INSIDE_PORT4 GigabitEthernet8/0/1

    comment { feature selections }
    define FEATURE_NAT44 comment
    define FEATURE_CNAT uncomment
    define FEATURE_DNS comment
    define FEATURE_IP6 comment
    define FEATURE_MACTIME uncomment

    exec /setup.tmpl

/setup.tmpl:

    show macro

    set int mac address $(TRUNK) $(TRUNK_MACADDR)
    set dhcp client intfc $(TRUNK) hostname $(HOSTNAME)
    set int state $(TRUNK) up

    bvi create instance 0
    set int mac address bvi0 $(BVI_MACADDR)
    set int l2 bridge bvi0 1 bvi
    set int ip address bvi0 192.168.$(INSIDE_SUBNET).1/24
    set int state bvi0 up

    set int l2 bridge $(INSIDE_PORT1) 1
    set int state $(INSIDE_PORT1) up
    set int l2 bridge $(INSIDE_PORT2) 1
    set int state $(INSIDE_PORT2) up
    set int l2 bridge $(INSIDE_PORT3) 1
    set int state $(INSIDE_PORT3) up
    set int l2 bridge $(INSIDE_PORT4) 1
    set int state $(INSIDE_PORT4) up

    comment { dhcp server and host-stack access }
    create tap host-if-name lstack host-ip4-addr 192.168.$(INSIDE_SUBNET).2/24 host-ip4-gw 192.168.$(INSIDE_SUBNET).1
    set int l2 bridge tap0 1
    set int state tap0 up

    service restart isc-dhcp-server

    $(FEATURE_NAT44) { nat44 enable users 50 user-sessions 750 sessions 63000 }
    $(FEATURE_NAT44) { nat44 add interface address $(TRUNK) }
    $(FEATURE_NAT44) { set interface nat44 in bvi0 out $(TRUNK) }

    $(FEATURE_NAT44) { nat44 add static mapping local 192.168.$(INSIDE_SUBNET).2 22432 external $(TRUNK) 22432 tcp }

    $(FEATURE_CNAT) { cnat snat with $(TRUNK) }
    $(FEATURE_CNAT) { set interface feature bvi0 ip4-cnat-snat arc ip4-unicast }
    $(FEATURE_CNAT) { cnat translation add proto tcp real $(TRUNK) 22432 to -> 192.168.$(INSIDE_SUBNET).2 22432 }
    $(FEATURE_CNAT) { $(FEATURE_DNS) { cnat translation add proto udp real $(TRUNK) 53053 to -> 192.168.$(INSIDE_SUBNET).1 53053 } }

    $(FEATURE_DNS) { $(FEATURE_NAT44) { nat44 add identity mapping external $(TRUNK) udp 53053 } }
    $(FEATURE_DNS) { bin dns_name_server_add_del 8.8.8.8 }
    $(FEATURE_DNS) { bin dns_enable_disable }

    comment { set ct6 inside $(TRUNK) }
    comment { set ct6 outside $(TRUNK) }

    $(FEATURE_IP6) { set int ip6 table $(TRUNK) 0 }
    $(FEATURE_IP6) { ip6 nd address autoconfig $(TRUNK) default-route }
    $(FEATURE_IP6) { dhcp6 client $(TRUNK) }
    $(FEATURE_IP6) { dhcp6 pd client $(TRUNK) prefix group hgw }
    $(FEATURE_IP6) { set ip6 address bvi0 prefix group hgw ::1/64 }
    $(FEATURE_IP6) { ip6 nd address autoconfig bvi0 default-route }
    comment { iPhones seem to need lots of RA messages... }
    $(FEATURE_IP6) { ip6 nd bvi0 ra-managed-config-flag ra-other-config-flag ra-interval 5 3 ra-lifetime 180 }
    comment { ip6 nd bvi0 prefix 0::0/0  ra-lifetime 100000 }


    $(FEATURE_MACTIME) { bin mactime_add_del_range name cisco-vpn mac a8:b4:56:e1:b8:3e allow-static }
    $(FEATURE_MACTIME) { bin mactime_add_del_range name old-mac mac <redacted> allow-static }
    $(FEATURE_MACTIME) { bin mactime_add_del_range name roku mac <redacted> allow-static }
    $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT1) }
    $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT2) }
    $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT3) }
    $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT4) }

Installing new vpp software
---------------------------

If you\'re **sure** that a given set of vpp Debian packages will install
and work properly, you can install them while logged into the gateway
via the lstack / nat path. This procedure is a bit like standing on a
rug and yanking it. If all goes well, a perfect back-flip occurs. If
not, you may wish that you\'d configured a static IP address on a
reserved Ethernet interface as described above.

Installing a new vpp image via ssh to 192.168.1.2:

    # nohup dpkg -i *.deb >/dev/null 2>&1 &

Within a few seconds, the inbound ssh connection SHOULD begin to respond
again. If it does not, you\'ll have to debug the issue(s).

Reasonably Robust Remote Software Installation
----------------------------------------------

Here are a couple of scripts which yield a reasonably robust software
installation scheme.

### Build-host script

    #!/bin/bash

    buildroot=/scratch/vpp-workspace/build-root
    if [ $1x = "testx" ] ; then
        subdir="test"
        ipaddr="192.168.2.48"
    elif [ $1x = "foox" ] ; then
        subdir="foo"
        ipaddr="foo.some.net"
    elif [ $1x = "barx" ] ; then
        subdir="bar"
        ipaddr="bar.some.net"
    else
        subdir="test"
        ipaddr="192.168.2.48"
    fi

    echo Save current software...
    ssh -p 22432 $ipaddr "rm -rf /gate_debians.prev"
    ssh -p 22432 $ipaddr "mv /gate_debians /gate_debians.prev"
    ssh -p 22432 $ipaddr "mkdir /gate_debians"
    echo Copy new software to the gateway...
    scp -P 22432 $buildroot/*.deb $ipaddr:/gate_debians
    echo Install new software...
    ssh -p 22432 $ipaddr "nohup /usr/local/bin/vpp-swupdate > /dev/null 2>&1 &"

    for i in 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
    do
        echo Wait for $i seconds...
        sleep 1
    done

    echo Try to access the device...

    ssh -p 22432 -o ConnectTimeout=10 $ipaddr "tail -20 /var/log/syslog | grep Ping"
    if [ $? == 0 ] ; then
        echo Access test OK...
    else
        echo Access failed, wait for configuration restoration...
        for i in 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
        do
            echo Wait for $i seconds...
            sleep 1
        done
        echo Retry access test
        ssh -p 22432 -o ConnectTimeout=10 $ipaddr "tail -20 /var/log/syslog | grep Ping"
        if [ $? == 0 ] ; then
            echo Access test OK, check syslog on the device
            exit 1
        else
            echo Access test still fails, manual intervention required.
            exit 2
        fi
    fi

    exit 0

### Target script

    #!/bin/bash

    logger "About to update vpp software..."
    cd /gate_debians
    service vpp stop
    sudo dpkg -i *.deb >/dev/null 2>&1 &
    sleep 20
    logger "Ping connectivity test..."
    for i in 1 2 3 4 5 6 7 8 9 10
    do
        ping -4 -c 1 yahoo.com
        if [ $? == 0 ] ; then
            logger "Ping test OK..."
            exit 0
        fi
    done

    logger "Ping test NOT OK, restore old software..."
    rm -rf /gate_debians
    mv /gate_debians.prev /gate_debians
    cd /gate_debians
    nohup sudo dpkg -i *.deb >/dev/null 2>&1 &
    sleep 20
    logger "Repeat connectivity test..."
    for i in 1 2 3 4 5 6 7 8 9 10
    do
        ping -4 -c 1 yahoo.com
        if [ $? == 0 ] ; then
            logger "Ping test OK after restoring old software..."
            exit 0
        fi
    done

    logger "Ping test FAIL after restoring software, manual intervention required"
    exit 2

Note that the target script **requires** that the userid which invokes
it will manage to "sudo dpkg ..." without further authentication. If
you're uncomfortable with the security implications of that
requirement, you'll need to solve the problem a different
way. Strongly suggest configuring sshd as described above to minimize
risk.


Testing new software
--------------------

If you frequently test new home gateway software, it may be handy to set
up a test gateway behind your production gateway. This testing
methodology reduces complaints from family members, to name one benefit.

Change the inside network (dhcp) subnet from 192.168.1.0/24 to
192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
subnet, and you should be all set.

This scenario nats traffic twice: first, from the 192.168.3.0/24 network
onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24 network
onto the public internet.

Patches
-------

You\'ll want this addition to src/vpp/vnet/main.c to add the \"service
restart isc-dhcp-server" and \"service restart vpp\" commands:

    #include <sys/types.h>
    #include <sys/wait.h>

    static int
    mysystem (char *cmd)
    {
      int rv = 0;

      if (fork())
        wait (&rv);
      else
        execl("/bin/sh", "sh", "-c", cmd);

      if (rv != 0)
        clib_unix_warning ("('%s') child process returned %d", cmd, rv);
      return rv;
    }

    static clib_error_t *
    restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
                                        unformat_input_t * input,
                                        vlib_cli_command_t * cmd)
    {
      int rv;

      /* Wait a while... */
      vlib_process_suspend (vm, 2.0);

      rv = mysystem("/usr/sbin/service isc-dhcp-server restart");

      vlib_cli_output (vm, "Restarted the isc-dhcp-server, status %d...", rv);
      return 0;
    }

    /* *INDENT-OFF* */
    VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) =
    {
      .path = "service restart isc-dhcp-server",
      .short_help = "restarts the isc-dhcp-server",
      .function = restart_isc_dhcp_server_command_fn,
    };
    /* *INDENT-ON* */

    static clib_error_t *
    restart_dora_tunnels_command_fn (vlib_main_t * vm,
                                     unformat_input_t * input,
                                     vlib_cli_command_t * cmd)
    {
      int rv;

      /* Wait three seconds... */
      vlib_process_suspend (vm, 3.0);

      rv = mysystem ("/usr/sbin/service dora restart");

      vlib_cli_output (vm, "Restarted the dora tunnel service, status %d...", rv);
      return 0;
    }

    /* *INDENT-OFF* */
    VLIB_CLI_COMMAND (restart_dora_tunnels_command, static) =
    {
      .path = "service restart dora",
      .short_help = "restarts the dora tunnel service",
      .function = restart_dora_tunnels_command_fn,
    };
    /* *INDENT-ON* */

    static clib_error_t *
    restart_vpp_service_command_fn (vlib_main_t * vm,
                                    unformat_input_t * input,
                                    vlib_cli_command_t * cmd)
    {
      (void) mysystem ("/usr/sbin/service vpp restart");
      return 0;
    }

    /* *INDENT-OFF* */
    VLIB_CLI_COMMAND (restart_vpp_service_command, static) =
    {
      .path = "service restart vpp",
      .short_help = "restarts the vpp service, be careful what you wish for",
      .function = restart_vpp_service_command_fn,
    };
    /* *INDENT-ON* */

Using the time-based mac filter plugin
--------------------------------------

If you need to restrict network access for certain devices to specific
daily time ranges, configure the \"mactime\" plugin. Add it to the list
of enabled plugins in /etc/vpp/startup.conf, then enable the feature on
the NAT \"inside\" interfaces:

    bin mactime_enable_disable GigabitEthernet0/14/0
    bin mactime_enable_disable GigabitEthernet0/14/1
    ...

Create the required src-mac-address rule database. There are 4 rule
entry types:

-   allow-static - pass traffic from this mac address
-   drop-static - drop traffic from this mac address
-   allow-range - pass traffic from this mac address at specific times
-   drop-range - drop traffic from this mac address at specific times

Here are some examples:

    bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
    bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
    bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
    bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01