.. _homegateway:

.. toctree::

Using VPP as a Home Gateway
===========================

Vpp running on a small system (with appropriate NICs) makes a fine
home gateway. The resulting system performs far in excess of
requirements: a TAG=vpp_debug image runs at a vector size of ~1.2
terminating a 150-mbit down / 10-mbit up cable modem connection.

At a minimum, install sshd and the isc-dhcp-server. If you prefer, you
can use dnsmasq.

Configuration files
-------------------

/etc/vpp/startup.conf::

  unix {
    nodaemon
    log /var/log/vpp/vpp.log
    full-coredump
    cli-listen /run/vpp/cli.sock
    startup-config /setup.gate
    poll-sleep-usec 100
    gid vpp
  }
  api-segment {
    gid vpp
  }
  dpdk {
    dev 0000:03:00.0
    dev 0000:14:00.0
    etc.
  }

  plugins {
    ## Disable all plugins, selectively enable specific plugins
    ## YMMV, you may wish to enable other plugins (acl, etc.)
    plugin default { disable }
    plugin dpdk_plugin.so { enable }
    plugin nat_plugin.so { enable }
    ## if you plan to use the time-based MAC filter
    plugin mactime_plugin.so { enable }
  }

/etc/dhcp/dhcpd.conf::

 subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.99;
   option routers 192.168.1.1;
   option domain-name-servers 8.8.8.8;
 }

If you decide to enable the vpp dns name resolver, substitute
192.168.1.2 for 8.8.8.8 in the dhcp server configuration.

/etc/default/isc-dhcp-server::

  # On which interfaces should the DHCP server (dhcpd) serve DHCP requests?
  #   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
  INTERFACESv4="lstack"
  INTERFACESv6=""

/etc/ssh/sshd_config::

 # What ports, IPs and protocols we listen for
 Port <REDACTED-high-number-port>
 # Change to no to disable tunnelled clear text passwords
 PasswordAuthentication no

For your own comfort and safety, do NOT allow password authentication
and do not answer ssh requests on port 22. Experience shows several
hack attempts per hour on port 22, but none (ever) on random
high-number ports.

vpp configuration (/setup.gate)::

  comment { This is the WAN interface }
  set int state GigabitEthernet3/0/0 up
  comment { set int mac address GigabitEthernet3/0/0 mac-to-clone-if-needed }
  set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate

  comment { Create a BVI loopback interface }
  loop create
  set int l2 bridge loop0 1 bvi
  set int ip address loop0 192.168.1.1/24
  set int state loop0 up

  comment { Add more inside interfaces as needed ... }
  set int l2 bridge GigabitEthernet0/14/0 1
  set int state GigabitEthernet0/14/0 up

  comment { dhcp server and host-stack access }
  create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1
  set int l2 bridge tap0 1
  set int state tap0 up

  comment { Configure NAT }
  nat44 add interface address GigabitEthernet3/0/0
  set interface nat44 in loop0 out GigabitEthernet3/0/0

  comment { allow inbound ssh to the <REDACTED-high-number-port> }
  nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp

  comment { if you want to use the vpp DNS server, add the following }
  comment { Remember to adjust the isc-dhcp-server configuration appropriately }
  comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053  }
  comment { bin dns_name_server_add_del 8.8.8.8 }
  comment { bin dns_name_server_add_del 68.87.74.166 }
  comment { bin dns_enable_disable }
  comment { see patch below, which adds these commands }
  service restart isc-dhcp-server

Systemd configuration
---------------------

In a typical home-gateway use-case, vpp owns the one-and-only WAN link
with a prayer of reaching the public internet. Simple things like
updating distro software require use of the "lstack" interface
created above, and configuring a plausible upstream DNS name resolver.

Configure /etc/systemd/resolved.conf as follows.

/etc/systemd/resolved.conf::

  [Resolve]
  DNS=8.8.8.8
  #FallbackDNS=
  #Domains=
  #LLMNR=no
  #MulticastDNS=no
  #DNSSEC=no
  #Cache=yes
  #DNSStubListener=yes

Netplan configuration
---------------------

If you want to configure a static IP address on one of your
home-gateway Ethernet ports on Ubuntu 18.04, you'll need to configure
netplan. Netplan is relatively new; it and the network manager GUI
can be cranky. In the configuration shown below,
s/enp4s0/<your-interface>/...

/etc/netplan/01-netcfg.yaml::

  # This file describes the network interfaces available on your system
  # For more information, see netplan(5).
  network:
    version: 2
    renderer: networkd
    ethernets:
      enp4s0:
        dhcp4: no
        addresses: [192.168.2.254/24]
        gateway4: 192.168.2.100
        nameservers:
          search: [my.local]
          addresses: [8.8.8.8]

/etc/systemd/network/10-enp4s0.network::

  [Match]
  Name=enp4s0

  [Link]
  RequiredForOnline=no

  [Network]
  ConfigureWithoutCarrier=true
  Address=192.168.2.254/24

Note that we've picked an IP address for the home gateway which is on
an independent unrouteable subnet. This is handy for installing (and
possibly reverting) new vpp software.

Installing new vpp software
---------------------------

If you're **sure** that a given set of vpp Debian packages will
install and work properly, you can install them while logged into the
gateway via the lstack / nat path. This procedure is a bit like
standing on a rug and yanking it. If all goes well, a perfect
back-flip occurs.  If not, you may wish that you'd configured a static
IP address on a reserved Ethernet interface as described above.

Installing a new vpp image via ssh to 192.168.1.2::

  # nohup dpkg -i *.deb >/dev/null 2>&1 &

Within a few seconds, the inbound ssh connection SHOULD begin to respond
again. If it does not, you'll have to debug the issue(s).

Testing new software
--------------------

If you frequently test new home gateway software, it may be handy to
set up a test gateway behind your production gateway. This testing
methodology reduces complaints from family members, to name one benefit.

Change the inside network (dhcp) subnet from 192.168.1.0/24 to
192.168.3.0/24, change the (dhcp) advertised router to 192.168.3.1,
reconfigure the vpp tap interface addresses onto the 192.168.3.0/24
subnet, and you should be all set.

This scenario nats traffic twice: first, from the 192.168.3.0/24
network onto the 192.168.1.0/24 network. Next, from the 192.168.1.0/24
network onto the public internet.

Patches
-------

You'll need this patch to add the "service restart" command::

  diff --git a/src/vpp/vnet/main.c b/src/vpp/vnet/main.c
  index 6e136e19..69189c93 100644
  --- a/src/vpp/vnet/main.c
  +++ b/src/vpp/vnet/main.c
  @@ -18,6 +18,8 @@
   #include <vlib/unix/unix.h>
   #include <vnet/plugin/plugin.h>
   #include <vnet/ethernet/ethernet.h>
  +#include <vnet/ip/ip4_packet.h>
  +#include <vnet/ip/format.h>
   #include <vpp/app/version.h>
   #include <vpp/api/vpe_msg_enum.h>
   #include <limits.h>
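
  Review bot: neither of the two headers added here, <vnet/ip/ip4_packet.h> and
  <vnet/ip/format.h>, is used anywhere else in the patch; the new command only
  calls vlib_process_suspend, system and vlib_cli_output, so drop both includes.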
  @@ -400,6 +402,63 @@ VLIB_CLI_COMMAND (test_crash_command, static) = {

   #endif

  +static clib_error_t *
  +restart_isc_dhcp_server_command_fn (vlib_main_t * vm,
  +                                    unformat_input_t * input,
  +                                    vlib_cli_command_t * cmd)
  +{
  +  int rv __attribute__((unused));
  +  /* Wait three seconds... */
  +  vlib_process_suspend (vm, 3.0);
  +
  +  rv = system ("/usr/sbin/service isc-dhcp-server restart");
  +
  +  vlib_cli_output (vm, "Restarted the isc-dhcp-server...");
  +  return 0;
  +}
  +
  +/* *INDENT-OFF* */
  +VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = {
  +  .path = "service restart isc-dhcp-server",
  +  .short_help = "restarts the isc-dhcp-server",
  +  .function = restart_isc_dhcp_server_command_fn,
  +};
  +/* *INDENT-ON* */
  +
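
Review bot: the result of "rv = system ("/usr/sbin/service isc-dhcp-server restart");" is declared unused and never examined, so the command prints "Restarted the isc-dhcp-server..." even when the restart failed (non-zero exit status, or -1 when /bin/sh could not be spawned); test rv with WIFEXITED/WEXITSTATUS and return clib_error_return on failure instead of 0. Worth a line in the commit message as well: this spawns a shell with vpp's own privileges from any CLI session, and with the "cli-listen /run/vpp/cli.sock" plus "gid vpp" settings in the startup.conf above every member of the vpp group can trigger it, so the command string must stay fixed as it is here and never be built from CLI input. The function also never reads "input"; an "unformat_check_input (input) != UNFORMAT_END_OF_INPUT" check would reject trailing garbage instead of silently accepting it.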


Using the time-based mac filter plugin
--------------------------------------

If you need to restrict network access for certain devices to specific
daily time ranges, configure the "mactime" plugin. Add it to the list
of enabled plugins in /etc/vpp/startup.conf, then enable the feature
on the NAT "inside" interfaces::

  bin mactime_enable_disable GigabitEthernet0/14/0
  bin mactime_enable_disable GigabitEthernet0/14/1
  ...

Create the required src-mac-address rule database. There are 4 rule
entry types:

* allow-static - pass traffic from this mac address
* drop-static - drop traffic from this mac address
* allow-range - pass traffic from this mac address at specific times
* drop-range - drop traffic from this mac address at specific times

Here are some examples::

  bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
  bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
  bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01
  bin mactime_add_del_range name monday-business-hours mac <mac> allow-range Mon 7:59 - 18:01
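
As an added example (not part of this page or of the VPP mactime plugin's own code), the following Python model of the four rule types lets a rule database be sanity-checked before it is loaded: it parses rule lines in the syntax shown above and returns the verdict for a source MAC at a given time. The treatment of MACs with no rule (passed) and the half-open time window are assumptions of this model, not behaviour verified against the plugin source; the two range-rule MACs in the sample database are placeholders.

```python
import re
from datetime import datetime
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order

# Tail of a "bin mactime_add_del_range ..." line in this page's syntax: name, mac,
# rule type, and for *-range rules a "<Day>[ - <Day>] H:MM - H:MM" window.
RULE_RE = re.compile(
    r"name (?P<name>\S+) mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<type>(?:allow|drop)-(?:static|range))"
    r"(?: (?P<d1>[A-Z][a-z]{2})(?: - (?P<d2>[A-Z][a-z]{2}))? (?P<t1>\d{1,2}:\d{2}) - (?P<t2>\d{1,2}:\d{2}))?\s*$")

def hhmm(t):  # "7:59" -> 479 minutes since midnight
    return int(t[:-3]) * 60 + int(t[-2:])

def parse_rule(line):
    m = RULE_RE.search(line)
    if not m:
        raise ValueError("unparsable mactime rule: " + line)
    rule = {"name": m["name"], "mac": m["mac"], "type": m["type"]}
    if rule["type"].endswith("-range"):
        if m["d1"] is None:               # a range rule without a window is a config error
            raise ValueError("range rule needs a day/time window: " + line)
        rule["days"] = range(DAYS.index(m["d1"]), DAYS.index(m["d2"] or m["d1"]) + 1)  # Mon - Fri -> 0..4
        rule["window"] = (hhmm(m["t1"]), hhmm(m["t2"]))
    return rule
def load_rules(text):  # the rule database: one rule per source MAC
    return {r["mac"]: r for r in map(parse_rule, filter(str.strip, text.splitlines()))}

def verdict(rules, src_mac, when_iso):
    """Return 'allow' or 'drop' for a frame from src_mac arriving at "YYYY-MM-DD HH:MM"."""
    rule = rules.get(src_mac.lower())
    if rule is None:
        return "allow"                    # assumption: a MAC with no rule is passed
    kind = rule["type"]
    if kind.endswith("-static"):          # static rules apply at all times
        return kind.split("-")[0]
    when = datetime.fromisoformat(when_iso)
    lo, hi = rule["window"]               # minutes since midnight, window is [lo, hi)
    active = when.weekday() in rule["days"] and lo <= when.hour * 60 + when.minute < hi
    if kind == "drop-range":              # drop only while the window is active
        return "drop" if active else "allow"
    return "allow" if active else "drop"  # allow-range: pass only while active

# Constructed database mirroring the page's examples; the range-rule MACs are placeholders.
SAMPLE_RULES = """
bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static
bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static
bin mactime_add_del_range name not-during-business-hours mac 00:de:ad:be:ef:02 drop-range Mon - Fri 7:59 - 18:01
bin mactime_add_del_range name monday-business-hours mac 00:de:ad:be:ef:03 allow-range Mon 7:59 - 18:01
"""
```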