+++ /dev/null
-.. _homegateway:
-
-.. toctree::
-
-Using VPP as a Home Gateway
-===========================
-
-Vpp running on a small system (with appropriate NICs) makes a fine
-home gateway. The resulting system performs far in excess of
-requirements: a TAG=vpp_debug image runs at a vector size of ~1.2
-terminating a 150-mbit down / 10-mbit up cable modem connection.
-
-At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
-can use dnsmasq.
-
-Configuration files
--------------------
-
-/etc/vpp/startup.conf::
-
- unix {
- nodaemon
- log /var/log/vpp/vpp.log
- full-coredump
- cli-listen /run/vpp/cli.sock
- startup-config /setup.gate
- poll-sleep-usec 100
- gid vpp
- }
- api-segment {
- gid vpp
- }
- dpdk {
- dev 0000:03:00.0
- dev 0000:14:00.0
- etc.
- }
-
- plugins {
- ## Disable all plugins, selectively enable specific plugins
- ## YMMV, you may wish to enable other plugins (acl, etc.)
- plugin default { disable }
- plugin dpdk_plugin.so { enable }
- plugin nat_plugin.so { enable }
- ## if you plan to use the time-based MAC filter
- plugin mactime_plugin.so { enable }
- }
-
-/etc/dhcp/dhcpd.conf::
-
- subnet 192.168.1.0 netmask 255.255.255.0 {
- range 192.168.1.10 192.168.1.99;
- option routers 192.168.1.1;
- option domain-name-servers 8.8.8.8;
- }
-
-If you decide to enable the vpp dns name resolver, substitute
-192.168.1.2 for 8.8.8.8 in the dhcp server configuration.
-
-/etc/default/isc-dhcp-server::
-
- # On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
- # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
- INTERFACESv4="lstack"
- INTERFACESv6=""
-
-/etc/ssh/sshd_config::
-
- # What ports, IPs and protocols we listen for
- Port <REDACTED-high-number-port>
- # Change to no to disable tunnelled clear text passwords
- PasswordAuthentication no
-
-For your own comfort and safety, do NOT allow password authentication
-and do not answer ssh requests on port 22. Experience shows several
-hack attempts per hour on port 22, but none (ever) on random
-high-number ports.
-
-vpp configuration (/setup.gate)::
-
- comment { This is the WAN interface }
- set int state GigabitEthernet3/0/0 up
- comment { set int mac address GigabitEthernet3/0/0 mac-to-clone-if-needed }
- set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate
-
- comment { Create a BVI loopback interface}
- loop create
- set int l2 bridge loop0 1 bvi
- set int ip address loop0 192.168.1.1/24
- set int state loop0 up
-
- comment { Add more inside interfaces as needed ... }
- set int l2 bridge GigabitEthernet0/14/0 1
- set int state GigabitEthernet0/14/0 up
-
- comment { dhcp server and host-stack access }
- create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
- set int l2 bridge tap0 1
- set int state tap0 up
-
- comment { Configure NAT}
- nat44 add interface address GigabitEthernet3/0/0
- set interface nat44 in loop0 out GigabitEthernet3/0/0
-
- comment { allow inbound ssh to the <REDACTED-high-number-port> }
- nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp
-
- comment { if you want to use the vpp DNS server, add the following }
- comment { Remember to adjust the isc-dhcp-server configuration appropriately }
- comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053 }
- comment { bin dns_name_server_add_del 8.8.8.8 }
- comment { bin dns_name_server_add_del 68.87.74.166 }
- comment { bin dns_enable_disable }
- comment { see patch below, which adds these commands }
- service restart isc-dhcp-server
-
-Systemd configuration
----------------------
-
-In a typical home-gateway use-case, vpp owns the one-and-only WAN link
-with a prayer of reaching the public internet. Simple things like
-updating distro software requires use of the "lstack" interface
-created above, and configuring a plausible upstream DNS name resolver.
-
-Configure /etc/systemd/resolved.conf as follows.
-
-/etc/systemd/resolved.conf::
-
- [Resolve]
- DNS=8.8.8.8
- #FallbackDNS=
- #Domains=
- #LLMNR=no
- #MulticastDNS=no
- #DNSSEC=no
- #Cache=yes
- #DNSStubListener=yes
-
-Netplan configuration
----------------------
-
-If you want to configure a static IP address on one of your
-home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure
-netplan. Netplan is relatively new. It and the network manager GUI and
-can be cranky. In the configuration shown below,
-s/enp4s0/<your-interface>/...
-
-/etc/netplan-01-netcfg.yaml::
-
- # This file describes the network interfaces available on your system
- # For more information, see netplan(5).
- network:
- version: 2
- renderer: networkd
- ethernets:
- enp4s0:
- dhcp4: no
- addresses: [192.168.2.254/24]
- gateway4: 192.168.2.100
- nameservers:
- search: [my.local]
- addresses: [8.8.8.8]
-
-/etc/systemd/network-10.enp4s0.network::
-
- [Match]
- Name=enp4s0
-
- [Link]
- RequiredForOnline=no
-
- [Network]
- ConfigureWithoutCarrier=true
- Address=192.168.2.254/24
-
-Note that we've picked an IP address for the home gateway which is on
-an independent unrouteable subnet. This is handy for installing (and
-possibly reverting) new vpp software.
-
-Installing new vpp software
----------------------------
-
-If you're **sure** that a given set of vpp Debian packages will
-install and work properly, you can install them while logged into the
-gateway via the lstack / nat path. This procedure is a bit like
-standing on a rug and yanking it. If all goes well, a perfect
-back-flip occurs. If not, you may wish that you'd configured a static
-IP address on a reserved Ethernet interface as described above.
-
-Installing a new vpp image via ssh to 192.168.1.2::
-
- # nohup dpkg -i *.deb >/dev/null 2>&1 &
-
-Within a few seconds, the inbound ssh connection SHOULD begin to respond
-again. If it does not, you'll have to debug the issue(s).
-
-Testing new software
---------------------
-
-If you frequently test new home gateway software, it may be handy to
-set up a test gateway behind your production gateway. This testing
-methodology reduces complaints from family members, to name one benefit.
-
-Change the inside network (dhcp) subnet from 192.168.1.0/24 to
-192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
-reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
-subnet, and you should be all set.
-
-This scenario nats traffic twice: first, from the 192.168.3.0/24
-network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24
-network onto the public internet.
-
-Patches
--------
-
-You'll need this patch to add the "service restart" command::
-
- diff --git a/src/vpp/vnet/main.c b/src/vpp/vnet/main.c
- index 6e136e19..69189c93 100644
- --- a/src/vpp/vnet/main.c
- +++ b/src/vpp/vnet/main.c
- @@ -18,6 +18,8 @@
- #include <vlib/unix/unix.h>
- #include <vnet/plugin/plugin.h>
- #include <vnet/ethernet/ethernet.h>
- +#include <vnet/ip/ip4_packet.h>
- +#include <vnet/ip/format.h>
- #include <vpp/app/version.h>
- #include <vpp/api/vpe_msg_enum.h>
- #include <limits.h>
- @@ -400,6 +402,63 @@ VLIB_CLI_COMMAND (test_crash_command, static) = {
-
- #endif
-
- +static clib_error_t *
- +restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
- + unformat_input_t * input,
- + vlib_cli_command_t * cmd)
- +{
- + int rv __attribute__((unused));
- + /* Wait three seconds... */
- + vlib_process_suspend (vm, 3.0);
- +
- + rv = system ("/usr/sbin/service isc-dhcp-server restart");
- +
- + vlib_cli_output (vm, "Restarted the isc-dhcp-server...");
- + return 0;
- +}
- +
- +/* *INDENT-OFF* */
- +VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = {
- + .path = "service restart isc-dhcp-server",
- + .short_help = "restarts the isc-dhcp-server",
- + .function = restart_isc_dhcp_server_command_fn,
- +};
- +/* *INDENT-ON* */
- +
-
-
-Using the time-based mac filter plugin
---------------------------------------
-
-If you need to restrict network access for certain devices to specific
-daily time ranges, configure the "mactime" plugin. Add it to the list
-of enabled plugins in /etc/vpp/startup.conf, then enable the feature
-on the NAT "inside" interfaces::
-
- bin mactime_enable_disable GigabitEthernet0/14/0
- bin mactime_enable_disable GigabitEthernet0/14/1
- ...
-
-Create the required src-mac-address rule database. There are 4 rule
-entry types:
-
-* allow-static - pass traffic from this mac address
-* drop-static - drop traffic from this mac address
-* allow-range - pass traffic from this mac address at specific times
-* drop-range - drop traffic from this mac address at specific times
-
-Here are some examples::
-
- bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
- bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
- bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
- bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01
Code Review / vpp.git / blobdiff