VPP as a Home Gateway ===================== Vpp running on a small system (with appropriate NICs) makes a fine home gateway. The resulting system performs far in excess of requirements: a debug image runs at a vector size of ~1.2 terminating a 150-mbit down / 10-mbit up cable modem connection. At a minimum, install sshd and the isc-dhcp-server. If you prefer, you can use dnsmasq. System configuration files -------------------------- /etc/vpp/startup.conf: .. code-block:: c unix { nodaemon log /var/log/vpp/vpp.log full-coredump cli-listen /run/vpp/cli.sock startup-config /setup.gate poll-sleep-usec 100 gid vpp } api-segment { gid vpp } dpdk { dev 0000:03:00.0 dev 0000:14:00.0 etc. } plugins { ## Disable all plugins, selectively enable specific plugins ## YMMV, you may wish to enable other plugins (acl, etc.) plugin default { disable } plugin dhcp_plugin.so { enable } plugin dns_plugin.so { enable } plugin dpdk_plugin.so { enable } plugin nat_plugin.so { enable } plugin ping_plugin.so { enable } ## if you plan to use the time-based MAC filter plugin mactime_plugin.so { enable } plugin vmxnet3_plugin.so { enable } } /etc/dhcp/dhcpd.conf: .. code-block:: c subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.99; option routers 192.168.1.1; option domain-name-servers 8.8.8.8; } If you decide to enable the vpp dns name resolver, substitute 192.168.1.2 for 8.8.8.8 in the dhcp server configuration. /etc/default/isc-dhcp-server: .. code-block:: c # On which interfaces should the DHCP server (dhcpd) serve DHCP requests? # Separate multiple interfaces with spaces, e.g. "eth0 eth1". INTERFACESv4="lstack" INTERFACESv6="" /etc/ssh/sshd_config: .. code-block:: c # What ports, IPs and protocols we listen for Port <REDACTED-high-number-port> # Change to no to disable tunnelled clear text passwords PasswordAuthentication no For your own comfort and safety, do NOT allow password authentication and do not answer ssh requests on port 22. Experience shows several hack attempts per hour on port 22, but none on random high-number ports. Systemd configuration --------------------- In a typical home-gateway use-case, vpp owns the one-and-only WAN link with a prayer of reaching the public internet. Simple things like updating distro software requires use of the "lstack" interface created above, and configuring a plausible upstream DNS name resolver. Configure /etc/systemd/resolved.conf as follows. /etc/systemd/resolved.conf: .. code-block:: c [Resolve] DNS=8.8.8.8 #FallbackDNS= #Domains= #LLMNR=no #MulticastDNS=no #DNSSEC=no #Cache=yes #DNSStubListener=yes Netplan configuration --------------------- If you want to configure a static IP address on one of your home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure netplan. Netplan is relatively new. It and the network manager GUI and can be cranky. In the configuration shown below, s/enp4s0/<your-interface>/... /etc/netplan-01-netcfg.yaml: .. code-block:: c # This file describes the network interfaces available on your system # For more information, see netplan(5). network: version: 2 renderer: networkd ethernets: enp4s0: dhcp4: no addresses: [192.168.2.254/24] gateway4: 192.168.2.100 nameservers: search: [my.local] addresses: [8.8.8.8] /etc/systemd/network-10.enp4s0.network: .. code-block:: c [Match] Name=enp4s0 [Link] RequiredForOnline=no [Network] ConfigureWithoutCarrier=true Address=192.168.2.254/24 Note that we've picked an IP address for the home gateway which is on an independent unrouteable subnet. This is handy for installing (and possibly reverting) new vpp software. VPP Configuration Files ----------------------- Here we see a nice use-case for the vpp debug CLI macro expander: /setup.gate: .. code-block:: c define HOSTNAME vpp1 define TRUNK GigabitEthernet3/0/0 comment { Specific MAC address yields a constant IP address } define TRUNK_MACADDR 48:f8:b3:00:01:01 define BVI_MACADDR 48:f8:b3:01:01:02 comment { inside subnet 192.168.<inside_subnet>.0/24 } define INSIDE_SUBNET 1 # Adjust as needed to match PCI addresses of inside network ports define INSIDE_PORT1 GigabitEthernet6/0/0 define INSIDE_PORT2 GigabitEthernet6/0/1 define INSIDE_PORT3 GigabitEthernet8/0/0 define INSIDE_PORT4 GigabitEthernet8/0/1 comment { feature selections } define FEATURE_ADL uncomment define FEATURE_NAT44 uncomment define FEATURE_CNAT comment define FEATURE_DNS comment define FEATURE_IP6 comment define FEATURE_IKE_RESPONDER comment define FEATURE_MACTIME uncomment define FEATURE_OVPN uncomment define FEATURE_MODEM_ROUTE uncomment exec /setup.tmpl /setup.tmpl: .. code-block:: c show macro set int mac address $(TRUNK) $(TRUNK_MACADDR) set dhcp client intfc $(TRUNK) hostname $(HOSTNAME) set int state $(TRUNK) up bvi create instance 0 set int mac address bvi0 $(BVI_MACADDR) set int l2 bridge bvi0 1 bvi set int ip address bvi0 192.168.$(INSIDE_SUBNET).1/24 set int state bvi0 up set int l2 bridge $(INSIDE_PORT1) 1 set int state $(INSIDE_PORT1) up set int l2 bridge $(INSIDE_PORT2) 1 set int state $(INSIDE_PORT2) up set int l2 bridge $(INSIDE_PORT3) 1 set int state $(INSIDE_PORT3) up set int l2 bridge $(INSIDE_PORT4) 1 set int state $(INSIDE_PORT4) up comment { dhcp server and host-stack access } create tap host-if-name lstack host-ip4-addr 192.168.$(INSIDE_SUBNET).2/24 host-ip4-gw 192.168.$(INSIDE_SUBNET).1 set int l2 bridge tap0 1 set int state tap0 up service restart isc-dhcp-server $(FEATURE_ADL) { bin adl_interface_enable_disable $(TRUNK) } $(FEATURE_ADL) { ip table 1 } $(FEATURE_ADL) { ip route add table 1 0.0.0.0/0 via local } $(FEATURE_NAT44) { nat44 forwarding enable } $(FEATURE_NAT44) { nat44 plugin enable sessions 63000 } $(FEATURE_NAT44) { nat44 add interface address $(TRUNK) } $(FEATURE_NAT44) { set interface nat44 in bvi0 out $(TRUNK) } $(FEATURE_NAT44) { nat44 add static mapping local 192.168.$(INSIDE_SUBNET).2 22342 external $(TRUNK) 22342 tcp } $(FEATURE_NAT44) { $(FEATURE_IKE_RESPONDER) { nat44 add identity mapping external $(TRUNK) udp 500 } } $(FEATURE_NAT44) { $(FEATURE_IKE_RESPONDER) { nat44 add identity mapping external $(TRUNK) udp 4500 } } $(FEATURE_NAT44) { $(FEATURE_DNS) { nat44 add static mapping local 192.168.$(INSIDE_SUBNET).2 53053 external $(TRUNK) 53053 udp } } $(FEATURE_NAT44) { $(FEATURE_OVPN) { nat44 add static mapping local 192.168.$(INSIDE_SUBNET).2 37979 external $(TRUNK) 37979 udp } } $(FEATURE_NAT44) { $(FEATURE_OVPN) { set interface feature bvi0 skipnat arc ip4-unicast } } $(FEATURE_NAT44) { $(FEATURE_OVPN) { ip route add 192.168.10.0/24 via 192.168.$(INSIDE_SUBNET).2 } } $(FEATURE_CNAT) { set cnat snat-policy none } $(FEATURE_CNAT) { set cnat snat-policy addr $(TRUNK) } $(FEATURE_CNAT) { set interface feature bvi0 cnat-snat-ip4 arc ip4-unicast } $(FEATURE_CNAT) { cnat translation add proto tcp real $(TRUNK) 22342 to -> 192.168.$(INSIDE_SUBNET).2 22342 } $(FEATURE_CNAT) { $(FEATURE_DNS) { cnat translation add proto udp real $(TRUNK) 53053 to -> 192.168.$(INSIDE_SUBNET).1 53053 } } $(FEATURE_CNAT) { $(FEATURE_OVPN) { cnat translation add proto udp real $(TRUNK) 37979 to -> 192.168.$(INSIDE_SUBNET).2 37979 } } $(FEATURE_CNAT) { $(FEATURE_OVPN) { set interface feature bvi0 skipnat arc ip4-unicast } } $(FEATURE_CNAT) { $(FEATURE_OVPN) { ip route add 192.168.10.0/24 via 192.168.$(INSIDE_SUBNET).2 } } $(FEATURE_DNS) { nat44 add identity mapping external $(TRUNK) udp 53053 } $(FEATURE_DNS) { bin dns_name_server_add_del 8.8.8.8 } $(FEATURE_DNS) { bin dns_enable_disable } $(FEATURE_IP6) { set int ip6 table $(TRUNK) 0 } $(FEATURE_IP6) { ip6 nd address autoconfig $(TRUNK) default-route } $(FEATURE_IP6) { dhcp6 client $(TRUNK) } $(FEATURE_IP6) { dhcp6 pd client $(TRUNK) prefix group hgw } $(FEATURE_IP6) { set ip6 address bvi0 prefix group hgw ::1/64 } $(FEATURE_IP6) { ip6 nd address autoconfig bvi0 default-route } comment { iPhones seem to need lots of RA messages... } $(FEATURE_IP6) { ip6 nd bvi0 ra-managed-config-flag ra-other-config-flag ra-interval 30 20 ra-lifetime 180 } comment { ip6 nd bvi0 prefix 0::0/0 ra-lifetime 100000 } comment { responder profile } $(FEATURE_IKE_RESPONDER) { ikev2 profile add swan } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan auth rsa-sig cert-file /home/dbarach/certs/swancert.pem } $(FEATURE_IKE_RESPONDER) { set ikev2 local key /home/dbarach/certs/dorakey.pem } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan id remote fqdn swan.barachs.net } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan id local fqdn broiler2.barachs.net } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan traffic-selector remote ip-range 192.168.1.0 - 192.168.1.255 port-range 0 - 65535 protocol 0 } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan traffic-selector local ip-range 192.168.$(INSIDE_SUBNET).0 - 192.168.$(INSIDE_SUBNET).255 port-range 0 - 65535 protocol 0 } $(FEATURE_IKE_RESPONDER) { create ipip tunnel src 73.120.164.15 dst 162.255.170.167 } $(FEATURE_IKE_RESPONDER) { ikev2 profile set swan tunnel ipip0 } $(FEATURE_IKE_RESPONDER) { set int mtu packet 1390 ipip0 } $(FEATURE_IKE_RESPONDER) { set int unnum ipip0 use $(TRUNK) } comment { if using the mactime plugin, configure it } $(FEATURE_MACTIME) { bin mactime_add_del_range name roku mac 00:00:01:de:ad:be allow-static } $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT1) } $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT2) } $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT3) } $(FEATURE_MACTIME) { bin mactime_enable_disable $(INSIDE_PORT4) } $(FEATURE_MODEM_ROUTE) { ip route add 192.168.100.1/32 via $(TRUNK) } Installing new vpp software --------------------------- If you're **sure** that a given set of vpp Debian packages will install and work properly, you can install them while logged into the gateway via the lstack / nat path. This procedure is a bit like standing on a rug and yanking it. If all goes well, a perfect back-flip occurs. If not, you may wish that you'd configured a static IP address on a reserved Ethernet interface as described above. Installing a new vpp image via ssh to 192.168.1.2: .. code-block:: c # nohup dpkg -i *.deb >/dev/null 2>&1 & Within a few seconds, the inbound ssh connection SHOULD begin to respond again. If it does not, you'll have to debug the issue(s). Reasonably Robust Remote Software Installation ---------------------------------------------- Here are a couple of scripts which yield a reasonably robust software installation scheme. Build-host script ~~~~~~~~~~~~~~~~~ .. code-block:: c #!/bin/bash buildroot=/scratch/vpp-workspace/build-root if [ $1x = "testx" ] ; then subdir="test" ipaddr="192.168.2.48" elif [ $1x = "foox" ] ; then subdir="foo" ipaddr="foo.some.net" elif [ $1x = "barx" ] ; then subdir="bar" ipaddr="bar.some.net" else subdir="test" ipaddr="192.168.2.48" fi echo Save current software... ssh -p 22432 $ipaddr "rm -rf /gate_debians.prev" ssh -p 22432 $ipaddr "mv /gate_debians /gate_debians.prev" ssh -p 22432 $ipaddr "mkdir /gate_debians" echo Copy new software to the gateway... scp -P 22432 $buildroot/*.deb $ipaddr:/gate_debians echo Install new software... ssh -p 22432 $ipaddr "nohup /usr/local/bin/vpp-swupdate > /dev/null 2>&1 &" for i in 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 do echo Wait for $i seconds... sleep 1 done echo Try to access the device... ssh -p 22432 -o ConnectTimeout=10 $ipaddr "tail -20 /var/log/syslog | grep Ping" if [ $? == 0 ] ; then echo Access test OK... else echo Access failed, wait for configuration restoration... for i in 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 do echo Wait for $i seconds... sleep 1 done echo Retry access test ssh -p 22432 -o ConnectTimeout=10 $ipaddr "tail -20 /var/log/syslog | grep Ping" if [ $? == 0 ] ; then echo Access test OK, check syslog on the device exit 1 else echo Access test still fails, manual intervention required. exit 2 fi fi exit 0 Target script ~~~~~~~~~~~~~ .. code-block:: c #!/bin/bash logger "About to update vpp software..." cd /gate_debians service vpp stop sudo dpkg -i *.deb >/dev/null 2>&1 & sleep 20 logger "Ping connectivity test..." for i in 1 2 3 4 5 6 7 8 9 10 do ping -4 -c 1 yahoo.com if [ $? == 0 ] ; then logger "Ping test OK..." exit 0 fi done logger "Ping test NOT OK, restore old software..." rm -rf /gate_debians mv /gate_debians.prev /gate_debians cd /gate_debians nohup sudo dpkg -i *.deb >/dev/null 2>&1 & sleep 20 logger "Repeat connectivity test..." for i in 1 2 3 4 5 6 7 8 9 10 do ping -4 -c 1 yahoo.com if [ $? == 0 ] ; then logger "Ping test OK after restoring old software..." exit 0 fi done logger "Ping test FAIL after restoring software, manual intervention required" exit 2 Note that the target script **requires** that the user id which invokes it will manage to “sudo dpkg …” without further authentication. If you’re uncomfortable with the security implications of that requirement, you’ll need to solve the problem a different way. Strongly suggest configuring sshd as described above to minimize risk. Testing new software -------------------- If you frequently test new home gateway software, it may be handy to set up a test gateway behind your production gateway. This testing methodology reduces complaints from family members, to name one benefit. Change the inside network (dhcp) subnet from 192.168.1.0/24 to 192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1, reconfigure the vpp tap interface addresses onto the 192.168.3.0/24 subnet, and you should be all set. This scenario nats traffic twice: first, from the 192.168.3.0/24 network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24 network onto the public internet. Patches ------- You'll want this addition to src/vpp/vnet/main.c to add the "service restart isc-dhcp-server” and "service restart vpp" commands: .. code-block:: c #include <sys/types.h> #include <sys/wait.h> static int mysystem (char *cmd) { int rv = 0; if (fork()) wait (&rv); else execl("/bin/sh", "sh", "-c", cmd); if (rv != 0) clib_unix_warning ("('%s') child process returned %d", cmd, rv); return rv; } static clib_error_t * restart_isc_dhcp_server_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { int rv; /* Wait a while... */ vlib_process_suspend (vm, 2.0); rv = mysystem("/usr/sbin/service isc-dhcp-server restart"); vlib_cli_output (vm, "Restarted the isc-dhcp-server, status %d...", rv); return 0; } VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = { .path = "service restart isc-dhcp-server", .short_help = "restarts the isc-dhcp-server", .function = restart_isc_dhcp_server_command_fn, }; static clib_error_t * restart_dora_tunnels_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { int rv; /* Wait three seconds... */ vlib_process_suspend (vm, 3.0); rv = mysystem ("/usr/sbin/service dora restart"); vlib_cli_output (vm, "Restarted the dora tunnel service, status %d...", rv); return 0; } VLIB_CLI_COMMAND (restart_dora_tunnels_command, static) = { .path = "service restart dora", .short_help = "restarts the dora tunnel service", .function = restart_dora_tunnels_command_fn, }; static clib_error_t * restart_vpp_service_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { (void) mysystem ("/usr/sbin/service vpp restart"); return 0; } VLIB_CLI_COMMAND (restart_vpp_service_command, static) = { .path = "service restart vpp", .short_help = "restarts the vpp service, be careful what you wish for", .function = restart_vpp_service_command_fn, }; Using the time-based mac filter plugin -------------------------------------- If you need to restrict network access for certain devices to specific daily time ranges, configure the "mactime" plugin. Add it to the list of enabled plugins in /etc/vpp/startup.conf, then enable the feature on the NAT "inside" interfaces: .. code-block:: c bin mactime_enable_disable GigabitEthernet0/14/0 bin mactime_enable_disable GigabitEthernet0/14/1 ... Create the required src-mac-address rule database. There are 4 rule entry types: - allow-static - pass traffic from this mac address - drop-static - drop traffic from this mac address - allow-range - pass traffic from this mac address at specific times - drop-range - drop traffic from this mac address at specific times Here are some examples: .. code-block:: c bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01 bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01