summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docs/usecases/homegateway.rst149
1 files changed, 131 insertions, 18 deletions
diff --git a/docs/usecases/homegateway.rst b/docs/usecases/homegateway.rst
index 077d5a2a961..f419c4ecb29 100644
--- a/docs/usecases/homegateway.rst
+++ b/docs/usecases/homegateway.rst
@@ -7,8 +7,8 @@ Using VPP as a Home Gateway
Vpp running on a small system (with appropriate NICs) makes a fine
home gateway. The resulting system performs far in excess of
-requirements: a TAG=vpp_debug image runs at a vector size of ~1.1
-terminating a 90-mbit down / 10-mbit up cable modem connection.
+requirements: a TAG=vpp_debug image runs at a vector size of ~1.2
+terminating a 150-mbit down / 10-mbit up cable modem connection.
At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
can use dnsmasq.
@@ -24,6 +24,7 @@ Configuration files
full-coredump
cli-listen /run/vpp/cli.sock
startup-config /setup.gate
+ poll-sleep-usec 100
gid vpp
}
api-segment {
@@ -33,10 +34,19 @@ Configuration files
dev 0000:03:00.0
dev 0000:14:00.0
etc.
- poll-sleep 10
- }
+ }
+
+ plugins {
+ ## Disable all plugins, selectively enable specific plugins
+ ## YMMV, you may wish to enable other plugins (acl, etc.)
+ plugin default { disable }
+ plugin dpdk_plugin.so { enable }
+ plugin nat_plugin.so { enable }
+ ## if you plan to use the time-based MAC filter
+ plugin mactime_plugin.so { enable }
+ }
-isc-dhcp-server configuration::
+/etc/dhcp/dhcpd.conf::
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.99;
@@ -47,6 +57,13 @@ isc-dhcp-server configuration::
If you decide to enable the vpp dns name resolver, substitute
192.168.1.2 for 8.8.8.8 in the dhcp server configuration.
+/etc/default/isc-dhcp-server::
+
+ # On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
+ # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+ INTERFACESv4="lstack"
+ INTERFACESv6=""
+
/etc/ssh/sshd_config::
# What ports, IPs and protocols we listen for
@@ -59,7 +76,7 @@ and do not answer ssh requests on port 22. Experience shows several
hack attempts per hour on port 22, but none (ever) on random
high-number ports.
-vpp configuration::
+vpp configuration (/setup.gate)::
comment { This is the WAN interface }
set int state GigabitEthernet3/0/0 up
@@ -74,10 +91,10 @@ vpp configuration::
comment { Add more inside interfaces as needed ... }
set int l2 bridge GigabitEthernet0/14/0 1
- set int state GigabitEthernet0/14/0 up
+ set int state GigabitEthernet0/14/0 up
comment { dhcp server and host-stack access }
- create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
+ create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
set int l2 bridge tap0 1
set int state tap0 up
@@ -85,8 +102,8 @@ vpp configuration::
nat44 add interface address GigabitEthernet3/0/0
set interface nat44 in loop0 out GigabitEthernet3/0/0
- comment { allow inbound ssh to the <REDACTED-high-number-port>
- nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp
+ comment { allow inbound ssh to the <REDACTED-high-number-port> }
+ nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp
comment { if you want to use the vpp DNS server, add the following }
comment { Remember to adjust the isc-dhcp-server configuration appropriately }
@@ -96,7 +113,103 @@ vpp configuration::
comment { bin dns_enable_disable }
comment { see patch below, which adds these commands }
service restart isc-dhcp-server
-
+
+Systemd configuration
+---------------------
+
+In a typical home-gateway use-case, vpp owns the one-and-only WAN link
+with a prayer of reaching the public internet. Simple things like
+updating distro software requires use of the "lstack" interface
+created above, and configuring a plausible upstream DNS name resolver.
+
+Configure /etc/systemd/resolved.conf as follows.
+
+/etc/systemd/resolved.conf::
+
+ [Resolve]
+ DNS=8.8.8.8
+ #FallbackDNS=
+ #Domains=
+ #LLMNR=no
+ #MulticastDNS=no
+ #DNSSEC=no
+ #Cache=yes
+ #DNSStubListener=yes
+
+Netplan configuration
+---------------------
+
+If you want to configure a static IP address on one of your
+home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure
+netplan. Netplan is relatively new. It and the network manager GUI and
+can be cranky. In the configuration shown below,
+s/enp4s0/<your-interface>/...
+
+/etc/netplan-01-netcfg.yaml::
+
+ # This file describes the network interfaces available on your system
+ # For more information, see netplan(5).
+ network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ enp4s0:
+ dhcp4: no
+ addresses: [192.168.2.254/24]
+ gateway4: 192.168.2.100
+ nameservers:
+ search: [my.local]
+ addresses: [8.8.8.8]
+
+/etc/systemd/network-10.enp4s0.network::
+
+ [Match]
+ Name=enp4s0
+
+ [Link]
+ RequiredForOnline=no
+
+ [Network]
+ ConfigureWithoutCarrier=true
+ Address=192.168.2.254/24
+
+Note that we've picked an IP address for the home gateway which is on
+an independent unrouteable subnet. This is handy for installing (and
+possibly reverting) new vpp software.
+
+Installing new vpp software
+---------------------------
+
+If you're **sure** that a given set of vpp Debian packages will
+install and work properly, you can install them while logged into the
+gateway via the lstack / nat path. This procedure is a bit like
+standing on a rug and yanking it. If all goes well, a perfect
+back-flip occurs. If not, you may wish that you'd configured a static
+IP address on a reserved Ethernet interface as described above.
+
+Installing a new vpp image via ssh to 192.168.1.2::
+
+ # nohup dpkg -i *.deb >/dev/null 2>&1 &
+
+Within a few seconds, the inbound ssh connection SHOULD begin to respond
+again. If it does not, you'll have to debug the issue(s).
+
+Testing new software
+--------------------
+
+If you frequently test new home gateway software, it may be handy to
+set up a test gateway behind your production gateway. This testing
+methodology reduces complaints from family members, to name one benefit.
+
+Change the inside network (dhcp) subnet from 192.168.1.0/24 to
+192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
+reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
+subnet, and you should be all set.
+
+This scenario nats traffic twice: first, from the 192.168.3.0/24
+network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24
+network onto the public internet.
+
Patches
-------
@@ -121,15 +234,15 @@ You'll need this patch to add the "service restart" command::
+static clib_error_t *
+restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
- + unformat_input_t * input,
+ + unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ int rv __attribute__((unused));
+ /* Wait three seconds... */
+ vlib_process_suspend (vm, 3.0);
- +
+ +
+ rv = system ("/usr/sbin/service isc-dhcp-server restart");
- +
+ +
+ vlib_cli_output (vm, "Restarted the isc-dhcp-server...");
+ return 0;
+}
@@ -144,11 +257,12 @@ You'll need this patch to add the "service restart" command::
+
-Using the temporal mac filter plugin
-------------------------------------
+Using the time-based mac filter plugin
+--------------------------------------
If you need to restrict network access for certain devices to specific
-daily time ranges, configure the "mactime" plugin. Enable the feature
+daily time ranges, configure the "mactime" plugin. Add it to the list
+of enabled plugins in /etc/vpp/startup.conf, then enable the feature
on the NAT "inside" interfaces::
bin mactime_enable_disable GigabitEthernet0/14/0
@@ -169,4 +283,3 @@ Here are some examples::
bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01
-