path: root/docs/ch05-network-interfaces.rst
blob: 65d081bc1babe22236046011b6915e7bfedf4773
Network Interfaces
==================

Configured interfaces on a VyOS system can be displayed using the `show
interfaces` command.

.. code-block:: sh

  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface        IP Address                        S/L  Description
  ---------        ----------                        ---  -----------
  eth0             172.16.51.129/24                  u/u  OUTSIDE
  eth1             192.168.0.1/24                    u/u  INSIDE
  lo               127.0.0.1/8                       u/u
                   ::1/128
  vyos@vyos:~$

A specific interface can be shown using the `show interfaces <type> <name>`
command.

.. code-block:: sh

  vyos@vyos:~$ show interfaces ethernet eth0
  eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
      inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
      inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
         valid_lft forever preferred_lft forever
      Description: OUTSIDE

      RX:  bytes    packets     errors    dropped    overrun      mcast
          274397       3064          0          0          0          0
      TX:  bytes    packets     errors    dropped    carrier collisions
          257276       1890          0          0          0          0
  vyos@vyos:~$

Each interface can be configured with a description and address.

.. code-block:: sh

  set interfaces ethernet eth0 description 'OUTSIDE'
  set interfaces ethernet eth0 address 'dhcp'

Different network interfaces provide type-specific configuration. Ethernet
interfaces, for example, allow the configuration of speed and duplex.

Many services, such as network routing, firewall, and traffic policy also
maintain interface-specific configuration. These will be covered in their
respective sections.

Ethernet Interfaces
-------------------

Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
(MAC address). Below is an example configuration:

.. code-block:: sh

  set interfaces ethernet eth1 address '192.168.0.1/24'
  set interfaces ethernet eth1 description 'INSIDE'
  set interfaces ethernet eth1 duplex 'auto'
  set interfaces ethernet eth1 speed 'auto'

Resulting in:

.. code-block:: sh

  ethernet eth1 {
      address 192.168.0.1/24
      description INSIDE
      duplex auto
      hw-id 00:0c:29:44:3b:19
      smp_affinity auto
      speed auto
  }

In addition, Ethernet interfaces provide the extended operational commands
`show interfaces ethernet <name> physical` and `show interfaces ethernet <name>
statistics`. Statistics available are driver dependent.

.. code-block:: sh

  vyos@vyos:~$ show interfaces ethernet eth0 physical
  Settings for eth0:
          Supported ports: [ TP ]
          Supported link modes:   10baseT/Half 10baseT/Full
                                  100baseT/Half 100baseT/Full
                                  1000baseT/Full
          Supports auto-negotiation: Yes
          Advertised link modes:  10baseT/Half 10baseT/Full
                                  100baseT/Half 100baseT/Full
                                  1000baseT/Full
          Advertised pause frame use: No
          Advertised auto-negotiation: Yes
          Speed: 1000Mb/s
          Duplex: Full
          Port: Twisted Pair
          PHYAD: 0
          Transceiver: internal
          Auto-negotiation: on
          MDI-X: Unknown
          Supports Wake-on: d
          Wake-on: d
          Current message level: 0x00000007 (7)
          Link detected: yes
  driver: e1000
  version: 7.3.21-k8-NAPI
  firmware-version:
  bus-info: 0000:02:01.0

  vyos@vyos:~$ show interfaces ethernet eth0 statistics
  NIC statistics:
       rx_packets: 3530
       tx_packets: 2179
  [...]

VLAN Sub-Interfaces (802.1Q)
----------------------------

802.1Q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The
term used for this is `vif`. Configuration of a tagged sub-interface is
accomplished using the configuration command `set interfaces ethernet <name>
vif <vlan-id>`.

.. code-block:: sh

  set interfaces ethernet eth1 vif 100 description 'VLAN 100'
  set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'

Resulting in:

.. code-block:: sh

  ethernet eth1 {
      address 192.168.0.1/24
      description INSIDE
      duplex auto
      hw-id 00:0c:29:44:3b:19
      smp_affinity auto
      speed auto
      vif 100 {
          address 192.168.100.1/24
          description "VLAN 100"
      }
  }

VLAN interfaces are shown as <name>.<vlan-id>, e.g. eth1.100:

.. code-block:: sh

  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface        IP Address                        S/L  Description
  ---------        ----------                        ---  -----------
  eth0             172.16.51.129/24                  u/u  OUTSIDE
  eth1             192.168.0.1/24                    u/u  INSIDE
  eth1.100         192.168.100.1/24                  u/u  VLAN 100
  lo               127.0.0.1/8                       u/u
                  ::1/128
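
The `vif` sub-interface above is selected by the 802.1Q tag on the wire. The
following added example (not VyOS code) parses Ethernet frames and names the
interface a frame arrives on: the outermost 802.1Q tag's VID picks
`eth1.<vid>`, while untagged frames, priority-tagged frames (VID 0), frames with
the reserved VID 4095 and frames whose outer tag is 802.1ad (0x88a8) stay on
`eth1`. The sample frames are constructed inline; `eth1`'s MAC is the hw-id
shown on this page, the host MAC and payload are made up.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag, what a VyOS `vif` sub-interface matches
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag), parsed but not mapped here


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into addresses, the stack of VLAN tags, EtherType and payload.

    Each tag is four bytes after the source MAC: a 16-bit TPID followed by the
    16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID). Tags may be stacked.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an untagged Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: EtherType missing")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated frame: TCI missing")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": mac_to_str(dst), "src": mac_to_str(src), "tags": tags,
            "ethertype": etype, "payload": frame[offset + 2:]}


def ingress_interface(frame: bytes, parent: str = "eth1") -> str:
    """Name of the interface that receives `frame` when it arrives on `parent`.

    Only the outermost tag is consumed, and only an 802.1Q (0x8100) tag selects
    a `vif` sub-interface. VID 0 marks a priority-only tag and VID 4095 is
    reserved, so those frames stay on the parent just like untagged ones.
    """
    tags = parse_ethernet(frame)["tags"]
    if not tags or tags[0]["tpid"] != TPID_8021Q or tags[0]["vid"] in (0, 4095):
        return parent
    return f"{parent}.{tags[0]['vid']}"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vids=(), pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Assemble a frame; `vids` lists VLAN IDs outer-to-inner, all with the same TPID."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID {vid} out of range")
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames: eth1's MAC is the hw-id on this page, the host MAC is
# made up, and the payload is a placeholder rather than a real IPv4 packet.
ETH1_MAC = "00:0c:29:44:3b:19"
HOST_MAC = "52:54:00:12:34:56"
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = bytes(46)

TAGGED_100 = build_frame(ETH1_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD, vids=(100,))
UNTAGGED = build_frame(ETH1_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD)
PRIORITY_ONLY = build_frame(ETH1_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD, vids=(0,), pcp=5)
DOUBLE_TAGGED = build_frame(ETH1_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD, vids=(100, 200))
QINQ_OUTER = build_frame(ETH1_MAC, HOST_MAC, ETHERTYPE_IPV4, PAYLOAD, vids=(100,), tpid=TPID_8021AD)

if __name__ == "__main__":
    for name, frame in [("tagged 100", TAGGED_100), ("untagged", UNTAGGED),
                        ("priority only", PRIORITY_ONLY), ("double tagged", DOUBLE_TAGGED),
                        ("802.1ad outer", QINQ_OUTER)]:
        print(f"{name:14s} -> {ingress_interface(frame):9s} tags={parse_ethernet(frame)['tags']}")
```

Note what the double-tagged case shows: a frame carrying two 0x8100 tags is
handed to `eth1.100` with the inner tag (VID 200) still in its payload; the
sub-interface consumes only the outer tag.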

Bridging
--------

Interfaces in VyOS can be bridged together to provide software switching of
Layer-2 traffic.

A bridge is created when a bridge interface is defined. In the example below
we will be creating a bridge for VLAN 100 and assigning a VIF to the bridge.

.. code-block:: sh

  set interfaces bridge 'br100'
  set interfaces ethernet eth1 vif 100 bridge-group bridge br100

Interfaces assigned to a bridge-group carry no address configuration of their
own. If the router needs an IP address on that segment, assign it to the bridge
interface itself, which accepts the same address configuration as any other
interface.

.. code-block:: sh

  set interfaces bridge br100 address '192.168.100.1/24'

Example Result:

.. code-block:: sh

  bridge br100 {
      address 192.168.100.1/24
  }
  [...]
  ethernet eth1 {
  [...]
      vif 100 {
          bridge-group {
              bridge br100
          }
      }
  }

In addition to normal IP interface configuration, bridge interfaces support
Spanning-Tree Protocol. STP is disabled by default.

**NOTE:** Please use caution when introducing spanning-tree protocol on a
network as it may result in topology changes.

To enable spanning-tree use the `set interfaces bridge <name> stp true` command:

.. code-block:: sh

  set interfaces bridge br100 stp true

STP `priority`, `forwarding-delay`, `hello-time`, and `max-age` can be
configured for the bridge-group. The MAC aging time can also be configured
using the `aging` directive.

For member interfaces, the bridge-group `priority` and `cost` can be configured.

The `show bridge` operational command can be used to display configured bridges:

.. code-block:: sh

  vyos@vyos:~$ show bridge
  bridge name     bridge id               STP enabled     interfaces
  br100           0000.000c29443b19       yes             eth1.100

If spanning-tree is enabled, the `show bridge <name> spanning-tree` command
can be used to show STP configuration:

.. code-block:: sh

  vyos@vyos:~$ show bridge br100 spanning-tree
  br100
   bridge id              0000.000c29443b19
   designated root        0000.000c29443b19
   root port                 0                    path cost                  0
   max age                  20.00                 bridge max age            20.00
   hello time                2.00                 bridge hello time          2.00
   forward delay            15.00                 bridge forward delay      15.00
   ageing time             300.00
   hello timer               0.47                 tcn timer                  0.00
   topology change timer     0.00                 gc timer                  64.63
   flags

  eth1.100 (1)
   port id                8001                    state                forwarding
   designated root        0000.000c29443b19       path cost                  4
   designated bridge      0000.000c29443b19       message age timer          0.00
   designated port        8001                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

The MAC address-table for a bridge can be displayed using the `show bridge
<name> macs` command:

.. code-block:: sh

  vyos@vyos:~$ show bridge br100 macs
  port no mac addr                is local?       ageing timer
    1     00:0c:29:44:3b:19       yes                0.00

Bonding
-------

You can combine (aggregate) 2 or more physical interfaces into a single
logical one. It's called bonding, or LAG, or ether-channel, or port-channel.

Create interface bondX, where X is just a number:

.. code-block:: sh

  set interfaces bonding bond0 description 'my-sw1 int 23 and 24'

You are able to choose a hash policy:

.. code-block:: sh

  vyos@vyos# set interfaces bonding bond0 hash-policy
  Possible completions:
    layer2       use MAC addresses to generate the hash (802.3ad)
    layer2+3     combine MAC address and IP address to make hash
    layer3+4     combine IP address and port to make hash

For example:

.. code-block:: sh

  set interfaces bonding bond0 hash-policy 'layer2'
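
The hash policy only matters in the 802.3ad and xor-hash modes, where it
decides which member carries a given flow. The following added example (not
VyOS or kernel code) computes the three policies using the formulas given in
the Linux 3.x bonding documentation; this is an assumption about the formula,
since newer kernels hash the same fields differently, so the member chosen for
a particular flow will differ, but the behaviour it demonstrates does not: with
`layer2`, every frame between the same two MAC addresses, such as this router
and its next-hop router, lands on the same member, however many inner flows
there are. The flows, MACs and addresses are constructed for the demo; the
members are the `eth0` and `eth1` configured on this page.

```python
import ipaddress


def _mac_low_byte(mac: str) -> int:
    """Last octet of a MAC; the documented layer2 formula uses only this byte."""
    return int(mac.split(":")[-1], 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def xmit_hash(policy: str, src_mac: str, dst_mac: str, src_ip=None, dst_ip=None,
              src_port=None, dst_port=None) -> int:
    """Transmit hash for the three hash-policy values listed on this page.

    Formulas as given in the Linux 3.x bonding documentation (assumption, see
    the lead-in; later kernels fold the same fields through a different hash):
      layer2:    src MAC XOR dst MAC
      layer2+3:  ((src IP XOR dst IP) AND 0xffff) XOR (src MAC XOR dst MAC)
      layer3+4:  (src port XOR dst port) XOR ((src IP XOR dst IP) AND 0xffff)
    Non-IP traffic (no addresses given) falls back to layer2 in every policy.
    """
    mac_part = _mac_low_byte(src_mac) ^ _mac_low_byte(dst_mac)
    if policy == "layer2" or src_ip is None or dst_ip is None:
        return mac_part
    ip_part = (_ip_int(src_ip) ^ _ip_int(dst_ip)) & 0xFFFF
    if policy == "layer2+3":
        return ip_part ^ mac_part
    if policy == "layer3+4":
        if src_port is None or dst_port is None:
            # fragments and non-TCP/UDP packets carry no ports: the port term is omitted
            return ip_part
        return (src_port ^ dst_port) ^ ip_part
    raise ValueError(f"unknown hash-policy {policy!r}")


def select_member(policy: str, members: list, **flow) -> str:
    """Bond member that transmits a flow: hash modulo member count."""
    return members[xmit_hash(policy, **flow) % len(members)]


# Constructed flows. bond0's members are eth0 and eth1 as on this page; the MACs stand
# for this router and its next-hop router, so every frame on the bond carries the same
# MAC pair no matter which inner flow it belongs to.
MEMBERS = ["eth0", "eth1"]
ROUTER_MAC = "00:0c:29:44:3b:19"
NEXT_HOP_MAC = "52:54:00:12:34:56"


def members_used(policy: str, ports=range(40000, 40008)) -> list:
    """Member chosen for eight TCP flows to port 443 that differ only in source port."""
    return [select_member(policy, MEMBERS, src_mac=ROUTER_MAC, dst_mac=NEXT_HOP_MAC,
                          src_ip="10.1.0.1", dst_ip="10.2.0.1", src_port=p, dst_port=443)
            for p in ports]


if __name__ == "__main__":
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print(f"{policy:9s} {members_used(policy)}")
```

Pick `layer3+4` when the bond sits between two routers and you want per-flow
spreading; pick `layer2` only where the MAC pairs themselves vary, e.g. a bond
facing a switch with many directly attached hosts.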

You may want to use IEEE 802.3ad dynamic link aggregation, also known as LACP
(the switch at the other end of these links must be configured for LACP as well):

.. code-block:: sh

  set interfaces bonding bond0 mode '802.3ad'

or some other modes:

.. code-block:: sh

  vyos@vyos# set interfaces bonding bond0 mode
  Possible completions:
    802.3ad      IEEE 802.3ad Dynamic link aggregation (Default)
    active-backup
                 Fault tolerant: only one slave in the bond is active
    broadcast    Fault tolerant: transmits everything on all slave interfaces
    round-robin  Load balance: transmit packets in sequential order
    transmit-load-balance
                 Load balance: adapts based on transmit load and speed
    adaptive-load-balance
                 Load balance: adapts based on transmit and receive plus ARP
    xor-hash     Load balance: distribute based on MAC address

Now bond some physical interfaces into bond0:

.. code-block:: sh

  set interfaces ethernet eth0 bond-group 'bond0'
  set interfaces ethernet eth0 description 'member of bond0'
  set interfaces ethernet eth1 bond-group 'bond0'
  set interfaces ethernet eth1 description 'member of bond0'

After a commit you can treat bond0 almost like a physical interface (you cannot
change its duplex, for example) and assign IP addresses or VIFs to it.

You may check the result:

.. code-block:: sh

  vyos@vyos# run sh interfaces bonding
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface        IP Address                        S/L  Description
  ---------        ----------                        ---  -----------
  bond0            -                                 u/u  my-sw1 int 23 and 24
  bond0.10         192.168.0.1/24                    u/u  office-net
  bond0.100        10.10.10.1/24                     u/u  management-net

Tunnel Interfaces
-----------------

A virtual tunnel interface (VTI) is configured like any other interface, with an
address and, optionally, a description:

.. code-block:: sh

  set interfaces vti vti0 address '192.168.2.249/30'
  set interfaces vti vti0 description 'Description'

Results in:

.. code-block:: sh

  vyos@vyos# show interfaces vti
  vti vti0 {
      address 192.168.2.249/30
      description "Description"
  }

Wireguard VPN Interface
-----------------------

WireGuard is a simple, fast and modern VPN that uses state-of-the-art cryptography.
See https://www.wireguard.com for more information.

Configuration
^^^^^^^^^^^^^

Generate the keypair. This creates a private key and the matching public key and stores them on the VyOS system.

.. code-block:: sh

  wg01:~$ configure
  wg01# run generate wireguard keypair

The public key is shared with your peer(s). A peer uses it, together with its own private key, to authenticate your system and to derive the session keys for the traffic between you; the matching private key never leaves your system.

.. code-block:: sh

  wg01# run show wireguard pubkey
  u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
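
The key generation behind these two commands is plain X25519 (Diffie-Hellman on
Curve25519). The following added example, which is not VyOS or WireGuard code,
reproduces it so the roles of the two halves are visible: the private key is
32 clamped random bytes that stay on the box, the public key is derived from it
and is what `show wireguard pubkey` prints, and two peers that exchange public
keys compute the same shared value. The ladder is the RFC 7748 reference
algorithm and branches on secret bits, so it is not constant-time and is for
understanding only. The two peers' keys are the RFC 7748 test vectors, used
here as constructed sample data; `is_valid_key` is a hypothetical helper for
checking a pasted key, not a VyOS command.

```python
import base64
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")  # u = 9, the Curve25519 generator


def clamp(private: bytes) -> bytes:
    """RFC 7748 scalar clamping, also applied by WireGuard before a private key is used."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519: the Montgomery ladder of RFC 7748, section 5.

    The swaps below branch on secret key bits, so this is a readable reference
    implementation, not a constant-time one; do not use it for real keys.
    """
    k = int.from_bytes(clamp(private), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # the top bit of u is ignored
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> tuple:
    """What `generate wireguard keypair` does: a random clamped private key and its public key, base64."""
    private = clamp(os.urandom(32))
    public = x25519(private, BASE_POINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def public_from_private(private_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASE_POINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """The X25519 value both sides compute; WireGuard feeds it into its handshake rather than using it directly."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))).decode()


def is_valid_key(b64: str) -> bool:
    """A WireGuard key is 44 base64 characters decoding to exactly 32 bytes (hypothetical paste check)."""
    if len(b64) != 44:
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


# RFC 7748 section 6.1 test vectors, standing in for the two peers' keys (constructed demo data).
def _b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


ALICE_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = _b64("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    print("derived pubkey matches vector:", public_from_private(ALICE_PRIV) == ALICE_PUB)
    print("same secret both ways:", shared_secret(ALICE_PRIV, BOB_PUB) == shared_secret(BOB_PRIV, ALICE_PUB) == SHARED)
    print("pubkey from this page is well-formed:", is_valid_key("u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk="))
```

The practical point: only the 44-character public key ever needs to be copied
to the other side, and a key that does not decode to exactly 32 bytes was
mangled in transit and will never complete a handshake.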

The next step is to configure your local side as well as the trusted destination addresses (allowed-ips) for each peer.
If your system only ever initiates the connection, the listen port is optional and the peer does not need an endpoint for you. If you act as a server, i.e. your peers initiate connections to your system, define a fixed listen port: otherwise a random port is chosen when the interface comes up, it may differ after a reboot, and your firewall rules cannot reliably match it.

You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a wireguard tunnel.
The public key below is always the public key of your peer, never your own.

**local side**

.. code-block:: sh

  set interfaces wireguard wg01 address '10.1.0.1/24'
  set interfaces wireguard wg01 description 'VPN-to-wg02'
  set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
  set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345'
  set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
  set interfaces wireguard wg01 port '12345'
  set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01

The last step is the interface route that sends traffic for 10.2.0.0/24 into the wireguard interface wg01.
Multiple addresses or networks can be routed this way; allowed-ips is the final check, applied per peer in both directions: an outbound packet is only encrypted to a peer whose allowed-ips covers its destination, and a packet decrypted from a peer is dropped if its source address is not within that peer's allowed-ips.
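
The allowed-ips check described above is WireGuard's cryptokey routing. The
following added example (not WireGuard or VyOS code) models it for the wg01
configuration on this page: outbound, the destination is matched against every
peer's allowed-ips by longest prefix and an unmatched destination is dropped,
not sent anywhere; inbound, a packet decrypted under a peer's session is
accepted only if its inner source address lies in that peer's allowed-ips, so a
peer cannot inject traffic on behalf of addresses it was not given. A second
peer, `to-gw` with `0.0.0.0/0` and a placeholder public key, is a hypothetical
addition used only to show the longest-prefix rule; it is not part of this page's
configuration.

```python
import ipaddress


class WireGuardPeer:
    """One `peer` entry of a wireguard interface: its public key and allowed-ips."""

    def __init__(self, name: str, pubkey: str, allowed_ips):
        self.name = name
        self.pubkey = pubkey
        self.allowed_ips = [ipaddress.ip_network(net) for net in allowed_ips]


class CryptokeyRoutingTable:
    """Per-interface map from allowed-ips prefixes to the single peer owning each prefix."""

    def __init__(self):
        self.peers = {}
        self._owner = {}  # prefix -> peer name

    def add_peer(self, peer: WireGuardPeer) -> None:
        self.peers[peer.name] = peer
        for net in peer.allowed_ips:
            previous = self._owner.get(net)
            if previous is not None and previous != peer.name:
                # a prefix belongs to exactly one peer: the most recent assignment takes it
                self.peers[previous].allowed_ips.remove(net)
            self._owner[net] = peer.name

    def peer_for_destination(self, dst: str):
        """Outbound: the peer whose allowed-ips has the longest match; None means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, name in self._owner.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, name)
        return best[1] if best else None

    def accept_inbound(self, peer_name: str, src: str) -> bool:
        """Inbound: a packet decrypted under `peer_name`'s session is accepted only if its
        inner source address is within that peer's allowed-ips; anything else is dropped."""
        addr = ipaddress.ip_address(src)
        return any(net.version == addr.version and addr in net
                   for net in self.peers[peer_name].allowed_ips)


def build_wg01_table() -> CryptokeyRoutingTable:
    """The wg01 interface of this page: one peer, to-wg02, with allowed-ips 10.2.0.0/24."""
    table = CryptokeyRoutingTable()
    table.add_peer(WireGuardPeer("to-wg02", "XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=", ["10.2.0.0/24"]))
    return table


def build_table_with_default_peer() -> CryptokeyRoutingTable:
    """Hypothetical extension (not on this page): a second peer, to-gw, allowed 0.0.0.0/0.
    Longest-prefix match keeps 10.2.0.0/24 on to-wg02 and sends everything else to to-gw."""
    table = build_wg01_table()
    table.add_peer(WireGuardPeer("to-gw", "PLACEHOLDER-PUBKEY-OF-TO-GW", ["0.0.0.0/0"]))
    return table


if __name__ == "__main__":
    table = build_wg01_table()
    for dst in ("10.2.0.1", "10.3.0.1"):
        print(f"to {dst}: peer {table.peer_for_destination(dst)}")
    for src in ("10.2.0.7", "192.168.0.5"):
        verdict = "accept" if table.accept_inbound("to-wg02", src) else "drop"
        print(f"from to-wg02 with inner source {src}: {verdict}")
```

Two consequences worth keeping in mind when you write the configuration: the
static interface-route only gets the packet as far as wg01, after which this
table decides whether any peer will carry it, and the same prefix cannot be
allowed for two peers, the later peer silently takes it from the earlier one.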

**remote side**

.. code-block:: sh

  set interfaces wireguard wg01 address '10.2.0.1/24'
  set interfaces wireguard wg01 description 'VPN-to-wg01'
  set interfaces wireguard wg01 peer to-wg01 allowed-ips '10.1.0.0/24'
  set interfaces wireguard wg01 peer to-wg01 endpoint '192.168.0.124:12345'
  set interfaces wireguard wg01 peer to-wg01 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
  set interfaces wireguard wg01 port '12345'
  set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

Ensure that your firewall rules allow the traffic; then you have a working VPN using wireguard:

.. code-block:: sh

  wg01# ping 10.2.0.1
  PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
  64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
  64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms

  wg02# ping 10.1.0.1
  PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
  64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
  64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms

Optionally, a preshared key adds a layer of symmetric-key cryptography on top of the public-key handshake. WireGuard mixes it into the handshake so that the session keys stay protected even if the Curve25519 exchange is ever broken (its stated purpose is post-quantum resistance); it supplements the public keys rather than replacing them.

.. code-block:: sh

  wg01# run generate wireguard preshared-key
  rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=

Copy the key; it is not stored on the local file system.
Distribute it over a secure channel: it is a symmetric key, so only you and your peer should know its content, and each peer pair should get its own key.

.. code-block:: sh

  wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
  wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='