Differences

This shows you the differences between two versions of the page.

--- en:bpi-r2:network:start [2020/08/29 17:14] – external edit 127.0.0.1
+++ en:bpi-r2:network:start [2023/07/05 10:33] – [Monitoring] frank
@@ Line 1: / Line 1: @@
+====== Network-Configuration ======
+ip-command needs package iproute2
+Configuration on this page is based on debian stretch, should work the same way with Ubuntu
+needs Kernel 4.14 or above (DSA-driver for Port-separation)
+in Kernel 4.14 eth0 is the connection between CPU and the Switch-Circuit (mt7530), on which the Ports wan and lan0-4 are connected. this connection have to be set to "up" first.
+{{ :bpi-r2:network:gmac.png?nolink |}}
+bringing up then cpu-port(s)
+  ip link set eth0 up
+  ip link set eth1 up
+or via /etc/network/interfaces
+<code>auto eth0
+iface eth0 inet manual
+  pre-up ip link set $IFACE up
+  post-down ip link set $IFACE down
+auto eth1
+iface eth1 inet manual
+  pre-up ip link set $IFACE up
+  post-down ip link set $IFACE down
+</code>
+the mapping of ports to gmac is defined in dts-file and can be shown with "ip a"
+With 4.14 >.52 on my repo gmac #2 (eth1) is added and wan is connected to this.
+by default each lan-port is separated and needs an own ip-configuration in different subnets
+most users like to use all lan-ports in 1 network-segment, so these can be [[#netbridge|bridged together]] to make only 1 ip-configuration for "LAN"
+my 6.3-rc brings some patches for re-introduce second gmac. by default port 6 (trgmii) is used and can be changed in userspace:
+  ip link set wan type dsa master eth1
+* requires iproute2 v6.1+
+add backports in sources.list:
+  deb http://deb.debian.org/debian bullseye-backports main contrib non-free
+install
+  apt update
+  apt -t bullseye-backports install iproute2
+===== MAC-Address =====
+The MAC-address can only be set for the GMAC (connection between Switch and CPU). In Kernel 4.14 only 1 GMAC is detected (eth0). There are 2 GMACs in Hardware.
+==== UDEV ====
+[[http://forum.banana-pi.org/t/bpi-r2-ethernet-mac-address/4361/23|here]]
+<code>
+$ cat /etc/udev/rules.d/00-static-mac-address.rules
+ACTION=="add", SUBSYSTEM=="net", KERNELS=="1b100000.ethernet", RUN+="/sbin/ip link set dev %k address ae:fc:de:ad:be:ef"
+</code>
+==== interfaces-file ====
+/etc/network/interfaces
+<code>
+iface lan0 inet static
+  address 192.168.0.10
+  netmask 255.255.255.0
+  gateway 192.168.0.5
+#  pre-up ip link set $IFACE up
+  pre-up ip link set $IFACE address 02:01:02:03:04:08 up
+</code>
+==== using systemd ====
+/etc/systemd/network/10-wan.link
+<code>
+[Match]
+OriginalName=wan
+[Link]
+MACAddress=XX:XX:XX:XX:XX:XX
+</code>
+http://forum.banana-pi.org/t/set-mac-address-on-boot/7224/7
+==== device-tree ====
+<code>
+local-mac-address = [00 0a 35 00 00 01];
+mac-address = [00 0a 35 00 00 01];
+</code>
+http://forum.banana-pi.org/t/set-mac-address-on-boot/7224/4
+this can also be used in devicetree-overlays
+==== set via uboot ====
+if devicetree (with mac-address property) is loaded separately (fdt), an alias for ethernet-node is defined and ethaddr-variable is set in uboot this is used in linux
+http://forum.banana-pi.org/t/set-mac-address-on-boot/7224/6
+===== interface-name =====
+Ubuntu 18.4+ (and debiaan 10+) using new interface names. Wifi devices are no more named like wlanX more like wlpXsY
+to avoid this, "net.ifnames=0" can be added to Kernel-Cmdline (uEnv.txt for uboot) and/or rename via udev
+/etc/udev/rules.d/70-persistent-net.rules
+  SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="f8:62:aa:50:15:c8", NAME="wlan1"
+find attributes like this
+  udevadm info --attribute-walk /sys/class/net/<interface-name>
+to apply the rule(s) (but does not rename back):
+  udevadm control --reload-rules && udevadm trigger
+after reboot all works
+if driver is compiled as module it can be reloaded (after activating the udev-rules)
+  modprobe -r mt76x2e
+  modprobe mt76x2e
+===== IP =====
+[[https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf|
+iproute2 cheatsheet]]
+==== permanent ====
+/etc/network/interfaces:
+  #first set the upstream-Port (NIC between CPU and MT7530-Switch) up
+  auto eth0
+  iface eth0 inet manual
+    pre-up ip link set $IFACE up
+    post-down ip link set $IFACE down
+  auto eth1
+  iface eth1 inet manual
+    pre-up ip link set $IFACE up
+    post-down ip link set $IFACE down
+  #then configure the lan-ports
+  auto lan0
+  iface lan0 inet static
+    hwaddress ether 08:00:00:00:00:00 # if you want to set MAC manually
+    address 192.168.0.10
+    netmask 255.255.255.0
+    gateway 192.168.0.5
+    pre-up ip link set $IFACE up
+    post-down ip link set $IFACE down
+=== systemd ===
+/etc/systemd/network/eth0.network:
+<code>
+[Match]
+Name=eth0
+[Network]
+DHCP=no
+LinkLocalAddressing=no
+ConfigureWithoutCarrier=true
+</code>
+/etc/systemd/network/wan.network
+<code>
+[Match]
+Name=wan
+[Network]
+BindCarrier=eth0
+#ConfigureWithoutCarrier=true
+#IPForward=yes
+#IPMasquerade=yes
+Address=192.168.0.18/24
+DNS=192.168.0.10
+Gateway=192.168.0.10
+</code>
+Is ConfigureWithoutCarrier set on wan-port, the default-route will not be set,because Address is invalid (Network is down at time of configuration). This should only be set if no default-route is needed.
+[[..:..:linux:systemd]]
+==== second Ethernet lane (gmac) ====
+Needs kernel-patch for eth1 + aux interfaces (currently only in 5.15)
+<code>
+- create a bridge for use for wan
+    /etc/systemd/network/11-wanbr.netdev
+    [NetDev]
+    Name=wanbr
+    Kind=bridge
+    [Bridge]
+    DefaultPVID=0 # should be different to other vlan-aware bridges (like lanbr)
+    VLANFiltering=1
+- map aux and wan to vlan-aware bridge
+- traffic will be tagged inside with vlan-id 99
+    /etc/systemd/network/12-wanbr-bind.network
+    [Match]
+    Name=wan aux
+    [Link]
+    RequiredForOnline=no
+    [Network]
+    BindCarrier=eth0
+    Bridge=wanbr
+    [BridgeVLAN]
+    VLAN=99
+    PVID=99
+    EgressUntagged=99
+- put wanbr up by default
+    /etc/systemd/network/13-wanbr.network
+    [Match]
+    Name=wanbr
+    [Network]
+    BindCarrier=eth0
+    ConfigureWithoutCarrier=true
+- configure eth1 as wan
+    /etc/systemd/network/15-wan.network
+    [Match]
+    Name=eth1
+    [Network]
+    BindCarrier=eth0
+    Address=192.168.0.18/24
+    Gateway=192.168.0.10
+    DNS=192.168.0.10
+    IPForward=yes
+</code>
+=== temporary way ===
+<code>
+brdev=gmacbr
+ip link add name $brdev type bridge
+ip link set dev $brdev up
+ip link set dev wan master $brdev
+ip link set dev aux master $brdev
+ip link set $brdev type bridge vlan_filtering 1
+ip a del 192.168.0.18/24 dev wan #remove ip from original interface
+ip a add 192.168.0.18/24 dev eth1
+ip link set eth1 up
+bridge vlan add vid 100 dev wan pvid untagged
+bridge vlan add vid 100 dev aux pvid untagged
+bridge vlan del vid 1 dev aux
+bridge vlan del vid 1 dev wan
+ip link set aux up
+ip link set wan up
+</code>
+how to check
+<code>
+bridge vlan
+ip a
+ping 192.168.0.21
+ethtool -S eth1 #traffic on this gmac?
+iperf3 -c 192.168.0.21 #throughput in one direction
+iperf3 -c 192.168.0.21 -R #throughput in the other direction
+</code>
+==== temporary ====
+  ifconfig lan0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
+  ip addr add 192.168.0.10/24 broadcast 192.168.0.255 dev lan0
+make sure only 1 port is in the specific subnet.
+  ip a
+  #or
+  ip addr show lan0
+==== DHCP ====
+=== Client ===
+/etc/network/interfaces:
+  auto lan3
+  allow-hotplug lan3
+  iface lan3 inet dhcp
+Renew ip via
+  sudo dhclient -v -r lan3
+=== Server ===
+/etc/dnsmasq.conf (activate line by removing # on begin of line)
+<code ini>
+conf-dir=/etc/dnsmasq.d
+</code>
+/etc/dnsmasq.d/interfaces.conf
+<code bash>
+interface=wlan1
+interface=ap0
+# DHCP-Server not active for Interface
+no-dhcp-interface=eth0
+no-dhcp-interface=eth1
+#dhcp-authoritative (interface+range+leasetime, default-gateway-ip as option 3)
+dhcp-range=ap0,192.168.10.100,192.168.10.150,255.255.255.0,48h
+dhcp-option=ap0,3,192.168.10.1
+dhcp-range=wlan1,192.168.11.100,192.168.11.150,255.255.255.0,48h
+dhcp-option=wlan1,3,192.168.11.1
+</code>
+{{ :bpi-r2:interfaces.conf | /etc/dnsmasq.d/interfaces.conf }}
+  service dnsmasq start
+more info here: [[dnsmasq]]
+===== IPv6 =====
+==== disabling ====
+https://www.thomas-krenn.com/de/wiki/IPv6_deaktivieren
+temporary
+  echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+to make it permanent create file /etc/sysctl.d/01-disable-ipv6.conf with content:
+  net.ipv6.conf.all.disable_ipv6 = 1
+testing:
+  ip addr show | grep inet6
+===== NAT/Routing =====
+==== NAT ====
+to enable Network Adress Translation (net with private IPs behind one public IP)
+  ipt=/sbin/iptables
+  if_wan=wan
+  ${ipt} -t nat -A POSTROUTING -o ${if_wan} -j MASQUERADE
+=== HW-Nat ===
+HW-Nat is currently only available in LEDE (Kernel 4.9)
+i have merged the Lede-Patches to my 4.9-main and ported to 4.14 (4.14-hnat), see [[..:hwnat|HW-NAT]]
+==== Routing ====
+enable routing for IPv4
+  echo 1 > /proc/sys/net/ipv4/ip_forward
+alternative:
+<code bash>
+nano /etc/sysctl.conf
+#activate net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 by removing # at beginning of line
+sysctl -p /etc/sysctl.conf
+</code>
+manipulating default route:
+  ip route del default
+  ip route add default via 192.168.50.2
+show routing table
+  ip route show
+remember you need DNS-resolving (/etc/resolv.conf) for translating domains to ip-addresses
+=== adding static routes to other networks ===
+Pakets are sent to the default-gateway, if the net is not known (directly connected or route available). In normal home-networks there is only 1 router and in this the default-gateway is the Internet-interface and on client-PCs the default-gateway is this router.
+static routes are needed, if a net is not directly connected to a router and not accessable via its default-gateway
+{{ :bpi-r2:network:routing.png?direct&400 |}}
+   * in router #1 a static route must be added for net 10.0.3.0/24 with next-hop 10.0.2.2 (send pakets over lan#2)
+     * <code>ip route add 10.0.3.0/24 via 10.0.2.2</code>
+   * in router #2 a static route must be added for net 10.0.1.0/24 with next-hop 10.0.2.1 (send pakets over lan#1)
+     * <code>ip route add 10.0.1.0/24 via 10.0.2.1</code>
+example for net 192.168.50.x behind router with ip 192.168.0.10
+  ip route add 192.168.50.0/24 via 192.168.0.10
+===== DNS =====
+/etc/resolv.conf
+contains ip-adress to nameserver, e.g.
+  nameserver 192.168.0.10
+on newer debian/ubuntu this file is a symlink to
+/run/systemd/resolve/stub-resolv.conf
+===== Netbridge =====
+if 2 or more lan-ports should use same network-segment (configure only 1 IP-address for "LAN"), you can bridge ports together.
+  apt-get install bridge-utils
+/etc/network/interfaces:
+<code>
+auto lan1
+iface lan1 inet manual
+auto lan2
+iface lan2 inet manual
+auto br0
+iface br0 inet static
+    address 192.168.40.1
+    netmask 255.255.255.0
+    bridge_ports lan1 lan2
+    bridge_fd 5
+    bridge_stp no
+</code>
+==== temporary bridge ====
+<code>
+brctl addbr br0
+brctl addif br0 lan1
+brctl addif br0 lan2
+ip addr add 192.168.40.1/24 dev br0
+ip link set br0 up
+brctl show br0
+</code>
+Note:
+brctl is deprecated please use ip/bridge
+<code>
+ip link add name br0 type bridge
+ip link set dev br0 up
+ip link set dev lan0 master br0
+ip link set dev lan1 master br0
+#remove interface from bridge
+ip link set dev lan0 nomaster
+#remove bridge
+ip link del br0
+</code>
+https://unix.stackexchange.com/a/255489
+===== VLAN =====
+vlan on dsa-ports need {{ :en:bpi-r2:network:0001-net-dsa-enable-vlan-without-bridge-on-dsa-user-port.patch | additional Patch}}
+/etc/network/interfaces:
+  auto lan3.60
+  iface lan3.60 inet static
+    address 192.168.60.10
+    netmask 255.255.255.0
+==== temporary ====
+<code>
+#!/bin/bash
+netif=wan
+ip link set $netif up
+ip link add link $netif name vlan110 type vlan id 110
+ip link set vlan110 up
+ip addr add 192.168.110.1/24 dev vlan110
+#tcpdump -i $netif -nn -e vlan &
+</code>
+==== vlan aware bridge ====
+With 4.16 vlan aware bridge support was added.
+:!: vlan_filtering needs to be enabled before dsa-ports are added to the bridge, else all traffic (untagged too) is blocked after this setting.
+<code>
+#!/bin/bash
+BRIDGE=lanbr0
+netif=lan0
+vid=500
+vlanip=192.168.110.5/24
+#ip link add name ${BRIDGE} type bridge
+ip link add name ${BRIDGE} type bridge vlan_filtering 1 vlan_default_pvid 1
+ip link set ${BRIDGE} up
+ip link set $netif master ${BRIDGE}
+ip link set $netif up
+bridge vlan add vid $vid dev ${BRIDGE} self
+bridge vlan add vid $vid dev $netif
+#extract vlan from bridge to own netdev
+ip link add link ${BRIDGE} name vlan$vid type vlan id $vid
+ip a a $vlanip dev vlan$vid
+ip link set vlan$vid up
+</code>
+==== testing ====
+  sudo tcpdump -ei lan1 arp or icmp
+-e shows link-layer information like vlan
+  sudo tcpdump -XXi lan1 arp or icmp
+shows arp and icmp-packets as hex-dump on the interface
+offset 0x0c should show 8100 followed by hex-value of vlan-number (here vlan 500 = 0x01f4)
+:16:26.491644 IP 192.168.50.11 > frank-G5: ICMP echo reply, id 4294, seq 5, length 64
+x0000:  3c18 a003 c3a4 c63a 3897 5920 8100 01f4  <......:8.Y.....
+===== Firewall (iptables) =====
+[[iptables]]
+[[NFTables]]
+===== Monitoring =====
+  sudo tcpdump -i eth0 port not 22 > tcpdump.log
+  sudo tcpdump -XXi lan1 arp or icmp
+traceroute with tcp-port instead of icmp
+  sudo traceroute -n -T -p 443 domain
+===== PPPoE =====
+example creates a pppoe-connection over vlan 140 like my ISP
+==== Server ====
+<code>
+sudo apt install pppoe
+sudo ip link add link enx00e04c680683 name wan.140 type vlan id 140
+/etc/ppp/pap-secrets
+"bpi-r2"    *   "1234578"   *
+/etc/ppp/pppoe-server-options
+# PPP options for the PPPoE server
+# LIC: GPL
+debug
+#plugin /etc/ppp/plugins/rp-pppoe.so
+require-pap
+mtu 1492
+mru 1492
+ktune
+proxyarp
+lcp-echo-interval 10
+lcp-echo-failure 2
+nobsdcomp
+noccp
+novj
+noipx
+</code>
+<code>
+iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o enp3s0 -j MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+pppoe-server -I wan.140 -L 192.168.1.1 -R 192.168.1.100 -F &
+</code>
+==== Client ====
+<code>
+apt install pppoeconf
+ip link add link wan name wan.140 type vlan id 140
+ip link set wan.140 up
+pppoeconf wan.140
+</code>
+/etc/ppp/peers/dsl-provider (should be created by pppoeconf)
+<code>
+# Minimalistic default options file for DSL/PPPoE connections
+noipdefault
+defaultroute
+replacedefaultroute
+hide-password
+#lcp-echo-interval 30
+#lcp-echo-failure 4
+noauth
+persist
+#mtu 1492
+#persist
+#maxfail 0
+#holdoff 20
+plugin rp-pppoe.so wan.140
+user "bpi-r2"
+usepeerdns
+</code>
+  pon dsl-provider
+i had to delete old route to my local lan-subnet which is used to connect my dns (then the default route through ppp is used).
+<code>
+root@bpi-r2:~# ping 192.168.0.10
+PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
+^C
+--- 192.168.0.10 ping statistics ---
+packets transmitted, 0 received, 100% packet loss, time 12ms
+root@bpi-r2:~# cat /etc/resolv.conf
+nameserver 192.168.0.10
+root@bpi-r2:~# ip route
+default dev ppp0 scope link
+.168.0.0/24 dev wan proto kernel scope link src 192.168.0.12
+.168.1.1 dev ppp0 proto kernel scope link src 192.168.1.100
+.168.90.0/24 dev lan3 proto kernel scope
+root@bpi-r2:~# ip route del 192.168.0.0/24
+root@bpi-r2:~# ping 192.168.0.10
+PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
+bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=1.56 ms
+bytes from 192.168.0.10: icmp_seq=2 ttl=63 time=2.22 ms
+^C
+--- 192.168.0.10 ping statistics ---
+packets transmitted, 2 received, 0% packet loss, time 3ms
+rtt min/avg/max/mdev = 1.563/1.893/2.224/0.333 ms
+root@bpi-r2:~# ping www.google.de
+PING www.google.de (142.250.185.99) 56(84) bytes of data.
+bytes from fra16s49-in-f3.1e100.net (142.250.185.99): icmp_seq=1 ttl=120 time=7.57 ms
+bytes from fra16s49-in-f3.1e100.net (142.250.185.99): icmp_seq=2 ttl=120 time=7.48 ms
+^C
+--- www.google.de ping statistics ---
+packets transmitted, 2 received, 0% packet loss, time 2ms
+rtt min/avg/max/mdev = 7.483/7.526/7.570/0.097 ms
+root@bpi-r2:~# ping www.google.de
+PING www.google.de (142.250.185.99) 56(84) bytes of data.
+bytes from fra16s49-in-f3.1e100.net (142.250.185.99): icmp_seq=1 ttl=120 time=7.57 ms
+bytes from fra16s49-in-f3.1e100.net (142.250.185.99): icmp_seq=2 ttl=120 time=7.48 ms
+^C
+--- www.google.de ping statistics ---
+packets transmitted, 2 received, 0% packet loss, time 2ms
+rtt min/avg/max/mdev = 7.483/7.526/7.570/0.097 ms
+root@bpi-r2:~# traceroute 8.8.8.8
+traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
+  192.168.1.1 (192.168.1.1)  0.594 ms  0.389 ms  0.278 ms
+  bpi-r2-emmc (192.168.0.10)  1.408 ms  1.327 ms  1.109 ms
+  me60.stadtnetz-bamberg.de (217.61.144.1)  4.962 ms  4.873 ms  4.789 ms
+</code>