From e175b066d4701be34352db2a17cd31e4195d4af9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 7 Oct 2018 14:39:58 +0200 Subject: Reformat TOC and overall document style --- docs/network-interfaces.rst | 575 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 575 insertions(+) create mode 100644 docs/network-interfaces.rst (limited to 'docs/network-interfaces.rst') diff --git a/docs/network-interfaces.rst b/docs/network-interfaces.rst new file mode 100644 index 00000000..e17d9dde --- /dev/null +++ b/docs/network-interfaces.rst @@ -0,0 +1,575 @@ +.. _network-interfaces: + +Network Interfaces +================== + +Configured interfaces on a VyOS system can be displayed using the `show +interfaces` command. + +.. code-block:: sh + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 172.16.51.129/24 u/u OUTSIDE + eth1 192.168.0.1/24 u/u INSIDE + lo 127.0.0.1/8 u/u + ::1/128 + vyos@vyos:~$ + +A specific interface can be shown using the `show interfaces ` +command. + +.. code-block:: sh + + vyos@vyos:~$ show interfaces ethernet eth0 + eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 + link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff + inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0 + inet6 fe80::20c:29ff:fe44:3b0f/64 scope link + valid_lft forever preferred_lft forever + Description: OUTSIDE + + RX: bytes packets errors dropped overrun mcast + 274397 3064 0 0 0 0 + TX: bytes packets errors dropped carrier collisions + 257276 1890 0 0 0 0 + vyos@vyos:~$ + +Different network interfaces provide type-specific configuration. Ethernet +interfaces, for example, allow the configuration of speed and duplex. + +Many services, such as network routing, firewall, and traffic policy also +maintain interface-specific configuration. These will be covered in their +respective sections. + +Interface Addresses +------------------- + +Each interface can be configured with a description and address. Interface +addresses might be: + +* Static IPv4 `address 172.16.51.129/24` +* Static IPv6 `address 2001:db8:1::ffff/64` +* DHCP IPv4 `address dhcp` +* DHCP IPv6 `address dhcpv6` + +An interface description is assigned using the following command: + +.. code-block:: sh + + set interfaces ethernet eth0 description 'OUTSIDE' + +IPv4 +^^^^ + +Static Address +************** + +This method is supported on all interfaces, apart from OpenVPN that uses +different syntax and wireless modems that are always autoconfigured through +PPP. + +The command is `set interfaces $type $name address $address`. Examples: + +.. code-block:: sh + + set interfaces ethernet eth0 address 192.0.2.1/24 + set interfaces tunnel tun0 address 10.0.0.1/30 + set interfaces bridge br0 address 203.0.113.45/26 + set interfaces ethernet eth0 vif 30 address 192.0.30.254/24 + +DHCP +**** + +This method is supported on all physical interfaces, and those that are +directly connected to a physical interface (ethernet, VLAN, bridge, bond, +pseudo-ethernet, wireless). + +The command is `set interfaces $type $name address dhcp`. Examples: + +.. code-block:: sh + + set interfaces ethernet eth0 vif 90 address dhcp + set interfaces bridge br0 address dhcp + +IPv6 +^^^^ + +Static Address +************** + +This method is supported on all interfaces, apart from OpenVPN that uses +different syntax and wireless modems that are always autoconfigured through +PPP. Static IPv6 addresses are supported on all interfaces except VTI. + +The command is `set interfaces $type $name address $address`. Examples: + +.. code-block:: sh + + set interfaces ethernet eth0 address 2001:db8:100::ffff/64 + set interfaces tunnel tun0 address 2001:db8::1/64 + set interfaces bridge br0 address 2001:db8:200::1/64 + set interfaces ethernet eth0 vif 30 address 2001:db8:3::ffff/64 + +DHCP +**** + +This method is supported on all physical interfaces, and those that are +directly connected to a physical interface (ethernet, VLAN, bridge, bond, +pseudo-ethernet, wireless). + +The command is `set interfaces $type $name address dhcpv6`. Examples: + +.. code-block:: sh + + set interfaces bonding bond1 address dhcpv6 + set interfaces bridge br0 vif 56 address dhcpv6 + +Autoconfiguration (SLAAC) +************************* + +SLAAC is specified in RFC4862_. This method is supported on all physical +interfaces, and those that are directly connected to a physical interface +(ethernet, VLAN, bridge, bond, pseudo-ethernet, wireless). + +The command is `set interfaces $type $name ipv6 address autoconf`. Examples: + +.. code-block:: sh + + set interfaces ethernet eth0 vif 90 ipv6 address autoconf + set interfaces bridge br0 ipv6 address autoconf + +.. note:: This method automatically disables IPv6 traffic forwarding on the + interface in question. + +EUI-64 +****** + +EUI-64 (64-Bit Extended Unique Identifier) as specified in RFC4291_. IPv6 +addresses in /64 networks can be automatically generated from the prefix and +MAC address, if you specify the prefix. + +The command is `set interfaces $type $name ipv6 address eui64 $prefix`. Examples: + +.. code-block:: sh + + set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64 + set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64 + +Ethernet Interfaces +------------------- + +Ethernet interfaces allow for the configuration of speed, duplex, and hw-id +(MAC address). Below is an example configuration: + +.. code-block:: sh + + set interfaces ethernet eth1 address '192.168.0.1/24' + set interfaces ethernet eth1 address '2001:db8:1::ffff/64' + set interfaces ethernet eth1 description 'INSIDE' + set interfaces ethernet eth1 duplex 'auto' + set interfaces ethernet eth1 speed 'auto' + +Resulting in: + +.. code-block:: sh + + ethernet eth1 { + address 192.168.0.1/24 + address 2001:db8:1::ffff/64 + description INSIDE + duplex auto + hw-id 00:0c:29:44:3b:19 + smp_affinity auto + speed auto + } + +In addition, Ethernet interfaces provide the extended operational commands +`show interfaces ethernet physical` and `show interfaces ethernet +statistics`. Statistics available are driver dependent. + +.. code-block:: sh + + vyos@vyos:~$ show interfaces ethernet eth0 physical + Settings for eth0: + Supported ports: [ TP ] + Supported link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Supports auto-negotiation: Yes + Advertised link modes: 10baseT/Half 10baseT/Full + 100baseT/Half 100baseT/Full + 1000baseT/Full + Advertised pause frame use: No + Advertised auto-negotiation: Yes + Speed: 1000Mb/s + Duplex: Full + Port: Twisted Pair + PHYAD: 0 + Transceiver: internal + Auto-negotiation: on + MDI-X: Unknown + Supports Wake-on: d + Wake-on: d + Current message level: 0x00000007 (7) + Link detected: yes + driver: e1000 + version: 7.3.21-k8-NAPI + firmware-version: + bus-info: 0000:02:01.0 + + vyos@vyos:~$ show interfaces ethernet eth0 statistics + NIC statistics: + rx_packets: 3530 + tx_packets: 2179 + [...] + +VLAN Sub-Interfaces (802.1Q) +---------------------------- + +802.1Q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The +term used for this is `vif`. Configuration of a tagged sub-interface is +accomplished using the configuration command `set interfaces ethernet +vif `. + +.. code-block:: sh + + set interfaces ethernet eth1 vif 100 description 'VLAN 100' + set interfaces ethernet eth1 vif 100 address '192.168.100.1/24' + set interfaces ethernet eth1 vif 100 address '2001:db8:100::1/64' + +Resulting in: + +.. code-block:: sh + + ethernet eth1 { + address 192.168.100.1/24 + address 2001:db8:100::1/64 + description INSIDE + duplex auto + hw-id 00:0c:29:44:3b:19 + smp_affinity auto + speed auto + vif 100 { + address 192.168.100.1/24 + description "VLAN 100" + } + } + +VLAN interfaces are shown as `.`, e.g. `eth1.100`: + +.. code-block:: sh + + vyos@vyos:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 172.16.51.129/24 u/u OUTSIDE + eth1 192.168.0.1/24 u/u INSIDE + eth1.100 192.168.100.1/24 u/u VLAN 100 + lo 127.0.0.1/8 u/u + ::1/128 + +Bridging +-------- + +Interfaces in VyOS can be bridged together to provide software switching of +Layer-2 traffic. + +A bridge is created when a bridge interface is defined. In the example below +we will be creating a bridge for VLAN 100 and assigning a VIF to the bridge. + +.. code-block:: sh + + set interfaces bridge 'br100' + set interfaces ethernet eth1 vif 100 bridge-group bridge br100 + +Interfaces assigned to a bridge-group do not have address configuration. An IP +address can be assigned to the bridge interface itself, however, like any +normal interface. + +.. code-block:: sh + + set interfaces bridge br100 address '192.168.100.1/24' + set interfaces bridge br100 address '2001:db8:100::1/64' + +Example Result: + +.. code-block:: sh + + bridge br100 { + address 192.168.100.1/24 + address 2001:db8:100::1/64 + } + [...] + ethernet eth1 { + [...] + vif 100 { + bridge-group { + bridge br100 + } + } + } + +In addition to normal IP interface configuration, bridge interfaces support +Spanning-Tree Protocol. STP is disabled by default. + +.. note:: Please use caution when introducing spanning-tree protocol on a + network as it may result in topology changes. + +To enable spanning-tree use the `set interfaces bridge stp true` command: + +.. code-block:: sh + + set interfaces bridge br100 stp true + +STP `priority`, `forwarding-delay`, `hello-time`, and `max-age` can be +configured for the bridge-group. The MAC aging time can also be configured +using the `aging` directive. + +For member interfaces, the bridge-group `priority` and `cost` can be configured. + +The `show bridge` operational command can be used to display configured bridges: + +.. code-block:: sh + + vyos@vyos:~$ show bridge + bridge name bridge id STP enabled interfaces + br100 0000.000c29443b19 yes eth1.100 + +If spanning-tree is enabled, the `show bridge spanning-tree` command +can be used to show STP configuration: + +.. code-block:: sh + + vyos@vyos:~$ show bridge br100 spanning-tree + br100 + bridge id 0000.000c29443b19 + designated root 0000.000c29443b19 + root port 0 path cost 0 + max age 20.00 bridge max age 20.00 + hello time 2.00 bridge hello time 2.00 + forward delay 15.00 bridge forward delay 15.00 + ageing time 300.00 + hello timer 0.47 tcn timer 0.00 + topology change timer 0.00 gc timer 64.63 + flags + + eth1.100 (1) + port id 8001 state forwarding + designated root 0000.000c29443b19 path cost 4 + designated bridge 0000.000c29443b19 message age timer 0.00 + designated port 8001 forward delay timer 0.00 + designated cost 0 hold timer 0.00 + flags + +The MAC address-table for a bridge can be displayed using the `show bridge + macs` command: + +.. code-block:: sh + + vyos@vyos:~$ show bridge br100 macs + port no mac addr is local? ageing timer + 1 00:0c:29:44:3b:19 yes 0.00 + +Bonding +------- + +You can combine (aggregate) 2 or more physical interfaces into a single +logical one. It's called bonding, or LAG, or ether-channel, or port-channel. + +Create interface bondX, where X is just a number: + +.. code-block:: sh + + set interfaces bonding bond0 description 'my-sw1 int 23 and 24' + +You are able to choose a hash policy: + +.. code-block:: sh + + vyos@vyos# set interfaces bonding bond0 hash-policy + Possible completions: + layer2 use MAC addresses to generate the hash (802.3ad) + layer2+3 combine MAC address and IP address to make hash + layer3+4 combine IP address and port to make hash + +For example: + +.. code-block:: sh + + set interfaces bonding bond0 hash-policy 'layer2' + +You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP +(don't forget to setup it on the other end of these links): + +.. code-block:: sh + + set interfaces bonding bond0 mode '802.3ad' + +or some other modes: + +.. code-block:: sh + + vyos@vyos# set interfaces bonding bond0 mode + Possible completions: + 802.3ad IEEE 802.3ad Dynamic link aggregation (Default) + active-backup + Fault tolerant: only one slave in the bond is active + broadcast Fault tolerant: transmits everything on all slave interfaces + round-robin Load balance: transmit packets in sequential order + transmit-load-balance + Load balance: adapts based on transmit load and speed + adaptive-load-balance + Load balance: adapts based on transmit and receive plus ARP + xor-hash Load balance: distribute based on MAC address + +Now bond some physical interfaces into bond0: + +.. code-block:: sh + + set interfaces ethernet eth0 bond-group 'bond0' + set interfaces ethernet eth0 description 'member of bond0' + set interfaces ethernet eth1 bond-group 'bond0' + set interfaces ethernet eth1 description 'member of bond0' + +After a commit you may treat bond0 as almost a physical interface (you can't +change its` duplex, for example) and assign IPs or VIFs on it. + +You may check the result: + +.. code-block:: sh + + vyos@vyos# run sh interfaces bonding + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + bond0 - u/u my-sw1 int 23 and 24 + bond0.10 192.168.0.1/24 u/u office-net + bond0.100 10.10.10.1/24 u/u management-net + +Tunnel Interfaces +----------------- + +Set Virtual Tunnel interface + +.. code-block:: sh + + set interfaces vti vti0 address 192.168.2.249/30 + set interfaces vti vti0 address 2001:db8:2::249/64 + +Results in: + +.. code-block:: sh + + vyos@vyos# show interfaces vti + vti vti0 { + address 192.168.2.249/30 + address 2001:db8:2::249/64 + description "Description" + } + +WireGuard VPN Interface +----------------------- + +WireGuard_ is an extremely simple yet fast and modern VPN that utilizes +state-of-the-art cryptography. See https://www.wireguard.com for more +information. + +Configuration +^^^^^^^^^^^^^ + +Generate the keypair, which creates a public and private part and stores it +within VyOS. + +.. code-block:: sh + + wg01:~$ configure + wg01# run generate wireguard keypair + +The public key is being shared with your peer(s), your peer will encrypt all +traffic to your system using this public key. + +.. code-block:: sh + + wg01# run show wireguard pubkey + u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk= + +The next step is to configure your local side as well as the policy based +trusted destination addresses. If you only initiate a connection, the listen +port and endpoint is optional, if you however act as a server and endpoints +initiate the connections to your system, you need to define a port your clients +can connect to, otherwise it's randomly chosen and may make it difficult with +firewall rules, since the port may be a different one when you reboot your +system. + +You will also need the public key of your peer as well as the network(s) you +want to tunnel (allowed-ips) to configure a wireguard tunnel. The public key +below is always the public key from your peer, not your local one. + +**local side** + +.. code-block:: sh + + set interfaces wireguard wg01 address '10.1.0.1/24' + set interfaces wireguard wg01 description 'VPN-to-wg02' + set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24' + set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345' + set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=' + set interfaces wireguard wg01 port '12345' + set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01 + +The last step is to define an interface route for 10.2.0.0/24 to get through +the wireguard interface `wg01`. Multiple IPs or networks can be defined and +routed, the last check is allowed-ips which either prevents or allows the +traffic. + +**remote side** + +.. code-block:: sh + + set interfaces wireguard wg01 address '10.2.0.1/24' + set interfaces wireguard wg01 description 'VPN-to-wg01' + set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24' + set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.124:12345' + set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=' + set interfaces wireguard wg01 port '12345' + set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01 + +Assure that your firewall rules allow the traffic, in which case you have a +working VPN using wireguard. + +.. code-block:: sh + + wg01# ping 10.2.0.1 + PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. + 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms + 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms + + wg02# ping 10.1.0.1 + PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. + 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms + 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms + +An additional layer of symmetric-key crypto can be used on top of the +asymmetric crypto, which is optional. + +.. code-block:: sh + + wg01# run generate wireguard preshared-key + rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= + +Copy the key, it is not stored on the local file system. Make sure you +distribute that key in a safe manner, it's a symmatric key, so only you and +your peer should have knowledge if its content. + +.. code-block:: sh + + wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' + wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' + +.. _RFC4862: https://tools.ietf.org/html/rfc4862 +.. _RFC4291: http://tools.ietf.org/html/rfc4291#section-2.5.1 +.. _WireGuard: https://www.wireguard.com -- cgit v1.2.3