GNU/Linux universally distinguishes between two types of network interfaces:
- Physical interfaces (wlan0, ...) always represent an actual connection between a computer system and a network, such as a NIC or WNIC. As soon as the driver is loaded into the kernel, one or more physical interfaces become available.
- Virtual interfaces (teql0, ...) are NOT actual physical network devices. They are software representations with properties similar to physical connections, but with more flexibility. They are generally associated with a physical interface (eth0.1 and eth1.1 are VLAN interfaces on eth0 and eth1) but can also be associated with virtual ones. One exception is the loopback interface.
A virtual network interface can be associated with a physical interface (eth1.1), with another virtual interface (eth1.1.1), or stand alone, such as the loopback interface.
A virtual network interface can also:
- have one or more aliases
- be split into multiple (up to 4096) VLANs
- be bridged with one another to form a bridged interface such as br-lan (the opposite of VLANs)
- be a tunnel interface, used to send packets over a tunneling protocol
- be created automatically depending on the operating mode of a WNIC:
Note: The Linux wireless subsystem works a little differently. There is always one physical interface for each WNIC, called the master interface. Then, depending on the mode the master interface is configured for (ad-hoc (IBSS), managed, AP, WDS, mesh point, monitor), different virtual interfaces are created. This is done automatically by default. When wifi is activated, there will always be the master interface and (at least) one virtual interface!
UCI is a small utility designed to centralize configuration in OpenWrt.
UCI creates an abstraction layer for configuring interfaces. In
OpenWrt does not but instead has each program packaged separately!
net-tools and iproute2 are available as separate
| Package | Version | Depends | Size | Description |
|---|---|---|---|---|
| net-tools-arp | 1.60-2 | | 13829 | Manipulate the kernel's ARP cache: add or delete an entry, or dump the entire cache. |
| net-tools-dnsdomainname | 1.60-2 | net-tools-hostname | 807 | Reports the system's DNS domain name. |
| net-tools-domainname | 1.60-2 | net-tools-hostname | 814 | Reports the system's NIS/YP domain name. |
| net-tools-hostname | 1.60-2 | | 4446 | Reports or sets the name of the current host system. |
| net-tools-ifconfig | 1.60-2 | | 17117 | Configure network interfaces. |
| net-tools-ipmaddr | 1.60-2 | | 5690 | Adds, deletes and shows an interface's multicast addresses. |
| net-tools-iptunnel | 1.60-2 | | 7006 | Adds, changes, deletes and shows an interface's tunnels. |
| net-tools-mii-tool | 1.60-2 | | 6034 | Checks or sets the status of a network interface's Media Independent Interface (MII) unit. |
| net-tools-nameif | 1.60-2 | | 4474 | Names network interfaces based on MAC addresses. |
| net-tools-netstat | 1.60-2 | | 28420 | Report network connections, routing tables, and interface statistics. |
| net-tools-nisdomainname | 1.60-2 | net-tools-hostname | 791 | Same as domainname. |
| net-tools-plipconfig | 1.60-2 | | 2866 | Fine-tune the PLIP device parameters to improve its performance. |
| net-tools-rarp | 1.60-2 | | 5180 | Manipulate the kernel's RARP table. |
| net-tools-route | 1.60-2 | | 14604 | Manipulate the IP routing table. |
| net-tools-slattach | 1.60-2 | | 7127 | Attaches a network interface to a serial line. This allows normal terminal lines to be used for point-to-point links to other computers. |
| net-tools-ypdomainname | 1.60-2 | net-tools-hostname | 799 | Same as domainname. |
| ip | 2.6.35 | | 80215 | Routing control utility. Configuration file: |
To get a better grasp of the whole current Linux WLAN stack, check this pdf (page 6) by Johannes Berg. Basically, mac80211 is a framework analogous to the Advanced Linux Sound Architecture (ALSA), but for drivers of SoftMAC WNICs.
For diverse reasons[1], wireless devices have an API different from that of Ethernet devices.
| Package | Depends | Size | Description |
|---|---|---|---|
| kmod-mac80211 | kernel, kmod-crypto-core, kmod-crypto-arc4, kmod-crypto-aes, kmod-cfg80211 | 127474 | Generic IEEE 802.11 networking stack (mac80211) |
| kmod-mac80211-hwsim | kernel, kmod-mac80211 | 10727 | mac80211 HW simulation device |
| kmod-lib80211 | kernel | 12524 | Kernel modules for the 802.11 networking stack. Includes: lib80211, lib80211_crypt_wep, lib80211_crypt_tkip, lib80211_crypt_ccmp |
| kmod-acx-mac80211 | kernel, kmod-mac80211 | 173176 | Driver for acx111 cards (mac80211 version) |
| kmod-cfg80211 | kernel, wireless-tools, iw, crda | 75422 | cfg80211 is the Linux wireless LAN (802.11) configuration API. |
| iw | libnl-tiny | 32100 | cfg80211 interface configuration utility |
| crda | libnl-tiny | 5989 | This is the Central Regulatory Domain Agent for Linux. It serves one purpose: to tell the Linux kernel what to enforce. In essence it is a udev helper for communication between the kernel and userspace. You only need to run this manually for debugging purposes. For manually changing regulatory domains use |
| wireless-tools | | 23153 | This package contains |
[1] For one, the IEEE 802.11 specifications regulate the whole communication process quite precisely, so it makes sense NOT to implement these requirements in each driver but only once for all drivers. Then there is the problem of the diverging frequency regulations worldwide.
Before getting too far into the details, it's important to first comprehend what VLANs are and how they work:
A VLAN (Virtual LAN) is, in basic terms, a group of physical interfaces on a switch that behave as if they are a separate standalone switch. This allows us to use one physical switch, but partition it into multiple LANs, each one completely isolated from the others. The switch must support VLAN configurations - most cheap switches don't allow this, but high end manageable switches do, as does the internal switch on the OpenWrt.
VLANs are used when you need to separate traffic between groups of devices, but you only want to use one physical switch. For example you might want one VLAN outside your firewall, for public web/mail servers, and another VLAN for your internal machines such as desktops and boxes with private data. They can't be placed on the same LAN for security reasons, so you use VLANs to isolate the groups of ports.
Let's say we have a 10-port switch, and we configure ports 1-5 as VLAN1 and 6-10 as VLAN2. All devices which are plugged into ports 1 through 5 behave as if they are on their own switch, and devices in ports 6-10 act as if they're on another switch. The main rule is that communication between ports on separate VLANs is blocked - even if you configure devices with the same subnet, they will not be reachable from devices in other VLANs.
And of course, it's also possible to configure it differently - if you later decide you need to put another device in VLAN1 and you've only used 4 ports in VLAN2, you can reconfigure _any_ of the VLAN2 ports into VLAN1 (not just port 6). So then you might end up with VLAN1 as ports 1-5 and 8, and VLAN2 as ports 6,7,9,10.
The number of VLANs that you can configure on any device (including OpenWrt) is limited to 4096, as the field for the VLAN tag has 12 bits for the VID (VLAN ID).
The subject of VLANs can get very complicated and extensive, but this quick summary covers what's needed for using VLANs on the OpenWrt platform.
If you have a switch with multiple VLANs, you may want to attach a device (such as another switch) that needs to talk to more than one VLAN. This could be a firewall, which will take packets from one VLAN, filter them, then pass them to another VLAN. Alternatively, you might have a second switch that has the same two VLANs on it, and you want the two switches to exchange packets with each other for both VLANs, whilst maintaining the separation.
Rather than wasting ports by using separate ports per VLAN, we use a process known as trunking. One port on the switch must be configured as a trunk port, and this port will have connectivity to all VLANs for which it's set to be a trunk port. If you have a switch with 3 VLANs, you can configure one (or more) trunk port(s) to have connectivity to all VLANs, or just a subset of the VLANs.
How does the switch maintain isolation with this port? This is done with "tagging". Every packet sent or received from the trunk port has a little tag attached to it, indicating what VLAN it is for or from. So a device receiving packets looks at the tag to see what VLAN that packet is from. When the device sends traffic to the switch, it will add a tag itself, and the switch will look at the tag and send the packet to the VLAN indicated.
In the example of an attached firewall, a packet coming in from the internal LAN will be sent out the trunk port to the firewall, tagged with the internal VLAN number. The firewall will process the packet, then send it back to the switch with a tag for the external VLAN, and the switch will look at this tag and send it to the outside device.
You can see that a device such as a firewall will see each separate VLAN as if it's a different network interface. The internal VLAN is like a NIC on the inside of the network, and the external interface behaves just like a NIC on the outside. Because of this, most hosts and firewalls that support VLAN tags are set up so that each VLAN tag is treated as another separate network interface, even though it's the same physical wire.
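The tagging described above is a concrete header, and it is worth seeing exactly what a switch or firewall reads to decide which VLAN a frame belongs to. The following is an added example (not code from the OpenWrt wiki) that builds and parses Ethernet frames with and without an 802.1Q tag; the MAC addresses, EtherType and payload are constructed sample values. It also shows why the 12-bit VID field yields 4096 values and why VID 0 and 4095 cannot name a normal VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag after the source MAC
VID_BITS = 12        # the VID field is 12 bits wide, hence 4096 possible values (0..4095)

# Constructed sample values for the demonstration (not from the wiki page).
DST = bytes.fromhex("ffffffffffff")   # broadcast
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16  # placeholder IPv4 header bytes
ETHERTYPE_IPV4 = 0x0800


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0) -> bytes:
    """Assemble an Ethernet II frame; when vid is given, insert an 802.1Q tag.

    The tag sits between the source MAC and the real EtherType and consists of
    the TPID (0x8100) followed by the TCI: 3-bit PCP, 1-bit DEI, 12-bit VID.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid < (1 << VID_BITS):
            raise ValueError(f"VID {vid} does not fit the 12-bit field")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, the 802.1Q tag.

    vid/pcp/dei are None for an untagged frame. Truncated frames raise ValueError
    rather than returning partial fields.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(dst), "src": mac_str(src), "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13           # priority code point
        info["dei"] = (tci >> 12) & 0x1   # drop eligible indicator
        info["vid"] = tci & 0x0FFF        # the VLAN ID the switch keys on
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify_vid(vid):
    """Explain what a parsed VID means for VLAN membership."""
    if vid is None:
        return "untagged"          # belongs to the port's native/default VLAN
    if vid == 0:
        return "priority-tagged"   # VID 0 carries only a priority, no VLAN
    if vid == (1 << VID_BITS) - 1:
        return "reserved"          # 4095 is reserved by the standard
    return "tagged"


if __name__ == "__main__":
    for vid in (None, 2, 0, 4095):
        parsed = parse_frame(build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=vid))
        print(f"vid={parsed['vid']!s:>5} pcp={parsed['pcp']} -> {classify_vid(parsed['vid'])}")
```

Run the script directly to see the four cases side by side; the parser is what a defender's packet-inspection tool does before deciding whether a frame arriving on a trunk is allowed for that VLAN.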
In networking, a bridge is a link between two Ethernet interfaces in such a way as to link them together to the same LAN. If you have a box with two bridged Ethernet interfaces, then connect each interface to separate switches, the two switches are effectively linked together as if they're connected with a cable. You can also link together a wired Ethernet interface with a wireless interface - the two are then linked together, much like a wireless AP or bridge.
One useful feature of bridging is that the Linux box which is doing the bridging can listen to and send its own traffic. It does this by creating another interface. If you link eth0 and eth1, they will be bound to an interface br0 (or br1, etc.). You can then assign an IP address to br0 and it will behave like a normal network interface attached to this bridged network. You cannot configure an IP address on the bridge members (eth0 or eth1); it needs to be done on the bridge interface.
This knowledge of bridges is important below.
This wireless router is actually three devices in one - a Linux host, a VLAN-configurable switch, and a wireless radio. The Linux host (eth0) and switch (port 5) are connected internally with a Gigabit Media Independent Interface. The external Ethernet ports 0-4 also belong to the same switch. The diagram below shows the architecture.
By default, the switch is configured as two VLANs - vlan0 and vlan1.
- Ethernet ports 1-4 (labelled LAN 1-4) are configured to vlan0.
- Ethernet port 0 (labelled WAN) is configured to vlan1.
Any one of the individual external ports can actually be reassigned to either of the two pre-configured VLANs or even additional user-configured VLANs. The WAN port could be changed to a LAN port or vice-versa. The labels on the chassis simply reflect the default configuration.
Note: The native VLAN - vlan1 - does not need to be configured. Only the second VLAN - vlan0 - needs to be configured to tag its packets to separate the two data streams.
The vlan0 interface is done a bit differently. By default, the wifi interface (eth2) is bridged to the LAN ports, i.e. any host associated on the wireless port is automatically in the same VLAN/subnet as hosts on the LAN ports. This is done with bridging (see above). As described above, when a bridge is created, a new logical interface is created, called br0, and also as above, this br0 interface is the one that needs to have any IP address configured. So, by default, vlan0 does not have an IP address configured; instead, the LAN interface address is configured on the br0 interface.
There's also another interface visible from the shell - "eth1". This doesn't appear to be linked to anything, and is probably an unused wire on the Ethernet controller, so it's ignored in all configuration. Pretend it doesn't exist. :) This is the case on the Asus WL-500gP; it may differ on other models.
With a knowledge of how interfaces are partitioned, it's now easier to understand how to configure interfaces under OpenWrt.
The following block configures the physical ports into VLANS:
```
vlan0hwname=et0
vlan0ports="1 2 3 4 5*"
vlan1hwname=et0
vlan1ports="0 5*"
```
The "hwname" part is always "et0". The device "et0" is the switch itself and tells the system which switch to configure with VLANs. As there's only one switch, this must always be set to "et0". If you do not include port 5 in the VLAN, then the traffic will remain on the switch and will never be seen by the CPU.
The ports then are configured. The vlan0 (LAN) is configured with four ports, plus the internal tagged port, port 5. The vlan1 (WAN) is configured with only the one port, plus also the tagged port.
This configuration then gives us "vlan1", tied to the WAN port, and "vlan0" tied to the other ports. As mentioned earlier, you can change any other port to be the WAN port - just set the vlan1 port to be something else, not that you really need to!
Vlan 1, which connects the WAN port to the CPU, is then configured with an IP address and mapped to the logical 'wan' interface name:
```
wan_ifname=vlan1
wan_ipaddr=a.b.c.d
wan_netmask=255.255.255.0
wan_proto=static
```
Next the LAN side is configured. The bridge must be created and the IP address is assigned to the bridge not a vlan, but overall it's similar:
```
lan_ifname=br0
lan_ifnames="vlan0 eth2"
lan_proto=static
lan_ipaddr=w.x.y.z
lan_netmask=255.255.255.0
```
The variable "lan_ifname", which sets the actual interface to configure the IP parameters with, should of course be br0 for a bridged interface.
Then the variable "lan_ifnames" actually sets the interfaces which are to be bound to the bridge interface, in this case the vlan0 interface and the wireless interface. The vlan0 ports were defined earlier as wired ports 1-4, so these plus the wireless interface are now one single logical LAN.
That's basically how the entire network device architecture is on this box. Below is an example of adding another VLAN.
If you're running some public servers and are security conscious, you'll probably want to make use of a DMZ (Demilitarized Zone). This is a third VLAN in a network, configured with different rules to the internal secure network. Generally the DMZ is configured to allow access to certain ports from the internet that wouldn't normally be allowed to inside hosts.
Under OpenWrt, a DMZ is easy to configure. A third VLAN is created, and one or more physical ports are mapped to this VLAN, then suitable firewall rules are created for this VLAN. The picture below shows how a DMZ configuration would look inside the device:
The configuration lines that would be changed for this are:
```
vlan0ports="2 3 4 5*"
vlan2hwname=et0
vlan2ports="1 5*"
dmz_ifname=vlan2
dmz_proto=static
dmz_ipaddr=192.168.1.22
dmz_netmask=255.255.255.0
```
This configuration first changes vlan0 to exclude port 1, which will be our DMZ port. Then the DMZ VLAN is created, with ports 1 and 5 (remember 5 is the internal tagged port). Then the logical interface 'dmz' is configured and attached to vlan2. To bring up the new interface, just run "ifup dmz". And of course do your firewall configuration.
You could even add more DMZ interfaces - you've got a total of six interfaces to play with (including the wireless port) so what we see is that this device is capable of some very impressive routing features - the limit is your imagination.
Provided by Trent W. Buck aka twb on #openwrt
Problem: server has room for only one physical NIC, but it needs access to the internet (i.e. an upstream network) as well as absolute dominion over two downstream networks: admin and prisoner.
To achieve this, we will create three VLANs on both the OpenWrt k7.09 and the Ubuntu 8.04 server. Further, all (or all but one) of the VLANs need to be tagged across the physical line between the OpenWrt and the Ubuntu server.
Use `robocfg show` to display VLAN status. It's probably better (more portable) to cat something in `/proc/switch/`, but I don't know what.
```
OpenWrt# uci show network.eth0
network.eth0=switch
network.eth0.vlan0=1 5*
network.eth0.vlan1=0 5
network.eth0.vlan2=1t 2 5
network.eth0.vlan3=1t 3 4 5
```
In this example port 0 is from WAN, port 1 goes to the server, port 2 and port 3 and 4 respectively go to the downstream networks. The * at 5* denotes PVID - default port vlan. This makes vlan0 the default for untagged packages from port 5. Packages leaving for port 5 (the CPU) are always implicitly tagged (in this notation). Port 1 (server port) services three vlans: 0, 2 and 3. Packages coming from vlan2 and 3 are explicitly tagged as they leave the switch through port 1 so the server may distinguish them - this is the '1t'. This means vlan0 packages leave untagged.
On the Ubuntu server (virtual) interfaces eth0, eth0.2 and eth0.3 are used as corresponding devices. Since vlan0 is untagged and the default 'native' vlan, there is no eth0.0. Vlan ID '0' cannot be used for tagging as it is a reserved value denoting this native vlan.
Note that we do not set up interfaces eth0.2 or eth0.3 with an IP address, because the OpenWrt MUST NOT be accessible (at the IP layer) from the admin and prisoner networks.
```
Ubuntu# cat /etc/network/interfaces
auto lo eth0 eth0.2 eth0.3

iface lo inet loopback

iface eth0 inet dhcp

iface eth0.2 inet static
    address 192.168.67.1
    network 192.168.67.0
    netmask 255.255.255.0
    broadcast 192.168.67.255

iface eth0.3 inet static
    address 192.168.68.1
    network 192.168.68.0
    netmask 255.255.255.0
    broadcast 192.168.68.255
```
Note that the Ubuntu VLAN package says not to use vlan1, because it's generally reserved for… stuff. It seems to work for me here, probably because vlan1 is non-tagged.
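Both the nvram-style port lists earlier on this page (vlan0ports="1 2 3 4 5*") and the uci switch lines in Trent's example (network.eth0.vlan2=1t 2 5) use the same port notation, and the isolation argument of both sections rests on two rules the page states: every VLAN must include the CPU port or its traffic never reaches the CPU, and a port must not be an untagged member of two VLANs or the switch cannot keep their untagged traffic apart. The following is an added example, not code from the wiki or from OpenWrt, that parses either form and checks those rules before a configuration is committed. It assumes the page's reading of the notation (a trailing "t" means tagged, "*" marks the PVID, and the CPU port is always implicitly tagged); the two good configurations are copied from the page and the broken one is constructed.

```python
import re

# One port token: a port number with an optional suffix, e.g. "2", "1t" or "5*".
PORT_TOKEN = re.compile(r"^(\d+)([t*]?)$")
# Matches both nvram lines (vlan0ports="1 2 3 4 5*") and uci lines (network.eth0.vlan2=1t 2 5).
VLAN_LINE = re.compile(r'^(?:[\w.]+\.)?vlan(\d+)(?:ports)?="?([^"]*?)"?\s*$')

# Sample configurations: the first two are taken from the wiki page, the third is
# constructed to show what the checks report.
NVRAM_EXAMPLE = '''vlan0hwname=et0
vlan0ports="1 2 3 4 5*"
vlan1hwname=et0
vlan1ports="0 5*"'''
UCI_EXAMPLE = '''network.eth0=switch
network.eth0.vlan0=1 5*
network.eth0.vlan1=0 5
network.eth0.vlan2=1t 2 5
network.eth0.vlan3=1t 3 4 5'''
BROKEN_EXAMPLE = '''vlan0ports="1 2 3 4 5*"
vlan1ports="1 0 5*"
vlan2ports="4t"'''


def parse_ports(spec):
    """Turn '1t 2 5*' into [(port, tagged, pvid), ...]."""
    members = []
    for token in spec.split():
        match = PORT_TOKEN.match(token)
        if not match:
            raise ValueError(f"unrecognised port token {token!r} in {spec!r}")
        port, flag = int(match.group(1)), match.group(2)
        members.append((port, flag == "t", flag == "*"))
    return members


def parse_switch_config(text):
    """Extract {vid: ports string} from nvram or uci-style lines; other lines are ignored."""
    vlans = {}
    for line in text.splitlines():
        match = VLAN_LINE.match(line.strip())
        if match:
            vlans[int(match.group(1))] = match.group(2).strip()
    return vlans


def port_view(vlans, cpu_port=5):
    """Invert the VLAN table: {port: {"untagged": {vids}, "tagged": {vids}}}."""
    view = {}
    for vid, spec in vlans.items():
        for port, tagged, _pvid in parse_ports(spec):
            entry = view.setdefault(port, {"untagged": set(), "tagged": set()})
            # The CPU port is implicitly tagged in this notation (see the text above).
            key = "tagged" if (tagged or port == cpu_port) else "untagged"
            entry[key].add(vid)
    return view


def check_isolation(vlans, cpu_port=5, max_vid=4095):
    """Return a list of problems; an empty list means the VLAN map is consistent."""
    problems = []
    for vid, spec in vlans.items():
        if not 0 <= vid <= max_vid:
            problems.append(f"vlan{vid}: VID outside 0..{max_vid} (12-bit field)")
        if cpu_port not in {port for port, _, _ in parse_ports(spec)}:
            problems.append(f"vlan{vid}: CPU port {cpu_port} missing, traffic stays on the switch")
    for port, entry in sorted(port_view(vlans, cpu_port).items()):
        if len(entry["untagged"]) > 1:
            problems.append(f"port {port}: untagged member of vlans {sorted(entry['untagged'])}, "
                            "untagged traffic of these VLANs cannot be kept apart")
    return problems


if __name__ == "__main__":
    for name, text in (("nvram", NVRAM_EXAMPLE), ("uci", UCI_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        vlans = parse_switch_config(text)
        print(name, vlans)
        for port, entry in sorted(port_view(vlans).items()):
            print(f"  port {port}: untagged={sorted(entry['untagged'])} tagged={sorted(entry['tagged'])}")
        print("  problems:", check_isolation(vlans) or "none")
```

For the uci example the per-port view shows port 1 (the server port) as untagged in vlan0 and tagged in vlan2 and vlan3, which is exactly what the Ubuntu side expects with eth0, eth0.2 and eth0.3; for the constructed broken map the check reports the VLAN that never reaches the CPU and the port that would merge two VLANs.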
doc/networking/network.interfaces.txt · Last modified: 2013/05/12 14:18 by ralfbergs