| John DeNisco | 06dcd45 | 2018-07-26 12:45:10 -0400 | [diff] [blame] | 1 | .. _homegateway: |
| 2 | |
| 3 | .. toctree:: |
| 4 | |
| 5 | Using VPP as a Home Gateway |
| 6 | =========================== |
| 7 | |
| 8 | Vpp running on a small system (with appropriate NICs) makes a fine |
| 9 | home gateway. The resulting system performs far in excess of |
| 10 | requirements: a TAG=vpp_debug image runs at a vector size of ~1.1 |
| 11 | terminating a 90-mbit down / 10-mbit up cable modem connection. |
| 12 | |
| 13 | At a minimum, install sshd and the isc-dhcp-server. If you prefer, you |
| 14 | can use dnsmasq. |
| 15 | |
| 16 | Configuration files |
| 17 | ------------------- |
| 18 | |
| 19 | /etc/vpp/startup.conf:: |
| 20 | |
| 21 | unix { |
| 22 | nodaemon |
| 23 | log /var/log/vpp/vpp.log |
| 24 | full-coredump |
| 25 | cli-listen /run/vpp/cli.sock |
| 26 | startup-config /setup.gate |
| 27 | gid vpp |
| 28 | } |
| 29 | api-segment { |
| 30 | gid vpp |
| 31 | } |
| 32 | dpdk { |
| 33 | dev 0000:03:00.0 |
| 34 | dev 0000:14:00.0 |
| 35 | etc. |
| 36 | poll-sleep 10 |
| 37 | } |
| 38 | |
| 39 | isc-dhcp-server configuration:: |
| 40 | |
| 41 | subnet 192.168.1.0 netmask 255.255.255.0 { |
| 42 | range 192.168.1.10 192.168.1.99; |
| 43 | option routers 192.168.1.1; |
| 44 | option domain-name-servers 8.8.8.8; |
| 45 | } |
| 46 | |
| 47 | If you decide to enable the vpp dns name resolver, substitute |
| 48 | 192.168.1.2 for 8.8.8.8 in the dhcp server configuration. |
| 49 | |
| 50 | /etc/ssh/sshd_config:: |
| 51 | |
| 52 | # What ports, IPs and protocols we listen for |
| 53 | Port <REDACTED-high-number-port> |
| 54 | # Change to no to disable tunnelled clear text passwords |
| 55 | PasswordAuthentication no |
| 56 | |
| 57 | For your own comfort and safety, do NOT allow password authentication |
| 58 | and do not answer ssh requests on port 22. Experience shows several |
| 59 | hack attempts per hour on port 22, but none (ever) on random |
| 60 | high-number ports. |
| 61 | |
| 62 | vpp configuration:: |
| 63 | |
| 64 | comment { This is the WAN interface } |
| 65 | set int state GigabitEthernet3/0/0 up |
| 66 | comment { set int mac address GigabitEthernet3/0/0 mac-to-clone-if-needed } |
| 67 | set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate |
| 68 | |
| 69 | comment { Create a BVI loopback interface} |
| 70 | loop create |
| 71 | set int l2 bridge loop0 1 bvi |
| 72 | set int ip address loop0 192.168.1.1/24 |
| 73 | set int state loop0 up |
| 74 | |
| 75 | comment { Add more inside interfaces as needed ... } |
| 76 | set int l2 bridge GigabitEthernet0/14/0 1 |
| 77 | set int state GigabitEthernet0/14/0 up |
| 78 | |
| 79 | comment { dhcp server and host-stack access } |
| Dave Barach | 5e36c3c | 2018-10-30 10:24:17 -0400 | [diff] [blame] | 80 | create tap host-if-name lstack host-ip4-addr 192.168.1.2/24 host-ip4-gw 192.168.1.1 |
| 81 | set int l2 bridge tap0 1 |
| 82 | set int state tap0 up |
| John DeNisco | 06dcd45 | 2018-07-26 12:45:10 -0400 | [diff] [blame] | 83 | |
| 84 | comment { Configure NAT} |
| 85 | nat44 add interface address GigabitEthernet3/0/0 |
| 86 | set interface nat44 in loop0 out GigabitEthernet3/0/0 |
| 87 | |
| 88 | comment { allow inbound ssh to the <REDACTED-high-number-port> |
| 89 | nat44 add static mapping local 192.168.1.2 <REDACTED> external GigabitEthernet3/0/0 <REDACTED> tcp |
| 90 | |
| 91 | comment { if you want to use the vpp DNS server, add the following } |
| 92 | comment { Remember to adjust the isc-dhcp-server configuration appropriately } |
| 93 | comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053 } |
| 94 | comment { bin dns_name_server_add_del 8.8.8.8 } |
| 95 | comment { bin dns_name_server_add_del 68.87.74.166 } |
| 96 | comment { bin dns_enable_disable } |
| 97 | comment { see patch below, which adds these commands } |
| 98 | service restart isc-dhcp-server |
| John DeNisco | 06dcd45 | 2018-07-26 12:45:10 -0400 | [diff] [blame] | 99 | |
| 100 | Patches |
| 101 | ------- |
| 102 | |
| Dave Barach | 5e36c3c | 2018-10-30 10:24:17 -0400 | [diff] [blame] | 103 | You'll need this patch to add the "service restart" command:: |
| John DeNisco | 06dcd45 | 2018-07-26 12:45:10 -0400 | [diff] [blame] | 104 | |
| 105 | diff --git a/src/vpp/vnet/main.c b/src/vpp/vnet/main.c |
| 106 | index 6e136e19..69189c93 100644 |
| 107 | --- a/src/vpp/vnet/main.c |
| 108 | +++ b/src/vpp/vnet/main.c |
| 109 | @@ -18,6 +18,8 @@ |
| 110 | #include <vlib/unix/unix.h> |
| 111 | #include <vnet/plugin/plugin.h> |
| 112 | #include <vnet/ethernet/ethernet.h> |
| 113 | +#include <vnet/ip/ip4_packet.h> |
| 114 | +#include <vnet/ip/format.h> |
| 115 | #include <vpp/app/version.h> |
| 116 | #include <vpp/api/vpe_msg_enum.h> |
| 117 | #include <limits.h> |
| 118 | @@ -400,6 +402,63 @@ VLIB_CLI_COMMAND (test_crash_command, static) = { |
| 119 | |
| 120 | #endif |
| 121 | |
| 122 | +static clib_error_t * |
| 123 | +restart_isc_dhcp_server_command_fn (vlib_main_t * vm, |
| 124 | + unformat_input_t * input, |
| 125 | + vlib_cli_command_t * cmd) |
| 126 | +{ |
| 127 | + int rv __attribute__((unused)); |
| 128 | + /* Wait three seconds... */ |
| 129 | + vlib_process_suspend (vm, 3.0); |
| 130 | + |
| 131 | + rv = system ("/usr/sbin/service isc-dhcp-server restart"); |
| 132 | + |
| 133 | + vlib_cli_output (vm, "Restarted the isc-dhcp-server..."); |
| 134 | + return 0; |
| 135 | +} |
| 136 | + |
| 137 | +/* *INDENT-OFF* */ |
| 138 | +VLIB_CLI_COMMAND (restart_isc_dhcp_server_command, static) = { |
| 139 | + .path = "service restart isc-dhcp-server", |
| 140 | + .short_help = "restarts the isc-dhcp-server", |
| 141 | + .function = restart_isc_dhcp_server_command_fn, |
| 142 | +}; |
| 143 | +/* *INDENT-ON* */ |
| 144 | + |
| Dave Barach | 5e36c3c | 2018-10-30 10:24:17 -0400 | [diff] [blame] | 145 | |
| John DeNisco | 06dcd45 | 2018-07-26 12:45:10 -0400 | [diff] [blame] | 146 | |
| 147 | Using the temporal mac filter plugin |
| 148 | ------------------------------------ |
| 149 | |
| 150 | If you need to restrict network access for certain devices to specific |
| 151 | daily time ranges, configure the "mactime" plugin. Enable the feature |
| 152 | on the NAT "inside" interfaces:: |
| 153 | |
| 154 | bin mactime_enable_disable GigabitEthernet0/14/0 |
| 155 | bin mactime_enable_disable GigabitEthernet0/14/1 |
| 156 | ... |
| 157 | |
| 158 | Create the required src-mac-address rule database. There are 4 rule |
| 159 | entry types: |
| 160 | |
| 161 | * allow-static - pass traffic from this mac address |
| 162 | * drop-static - drop traffic from this mac address |
| 163 | * allow-range - pass traffic from this mac address at specific times |
| 164 | * drop-range - drop traffic from this mac address at specific times |
| 165 | |
| 166 | Here are some examples:: |
| 167 | |
| 168 | bin mactime_add_del_range name alarm-system mac 00:de:ad:be:ef:00 allow-static |
| 169 | bin mactime_add_del_range name unwelcome mac 00:de:ad:be:ef:01 drop-static |
| 170 | bin mactime_add_del_range name not-during-business-hours mac <mac> drop-range Mon - Fri 7:59 - 18:01 |
| 171 | bin mactime_add_del_range name monday-busines-hours mac <mac> allow-range Mon 7:59 - 18:01 |
| 172 | |