Page ''doc:networking:network.interfaces'': revision 2013/09/13 23:22 (current), edited by lorema (summary: Documentation/networking/alias.txt); previous revision 2012/11/26 07:01. The text below is the current revision; sections that only existed in the previous revision are kept at the end of their respective parts.
====== Linux Network Interfaces ======
===== Types of network interfaces =====
The [[wp>Linux kernel]] universally distinguishes between two types of software network interfaces:

==== Physical Network Interfaces ====
''eth0'', ''eth8'', ''radio0'', ''wlan19'', .. always represent an actual network hardware device such as a [[wp>Network interface controller|NIC]], a [[wp>Wireless network interface controller|WNIC]] or some other kind of [[wp>Modem|modem]]. As soon as the [[wp>device driver]] is loaded into the kernel, a corresponding physical network interface becomes present and available.

A physical network interface is the named software representation that the operating system presents to the user, so that the hardware network device can be configured and used from programs and scripts.

==== Virtual Network Interfaces ====
''lo'', ''eth0:1'', ''eth0.1'', ''vlan2'', ''br0'', ''pppoe-dsl'', ''gre0'', ''sit0'', ''tun0'', ''imq0'', ''teql0'', .. are virtual network interfaces that do NOT represent an existing hardware device but are linked to one (otherwise they would be useless). Virtual network interfaces exist to give the system administrator maximum flexibility when configuring a Linux-based operating system. A virtual network interface is generally associated with a physical network interface (''eth6''), with another virtual interface (''eth6.9''), or it stands alone, such as the [[wp>Loopback#Virtual_network_interface|loopback interface]] ''lo''.

=== Types of Virtual Network Interfaces ===
  * <color maroon>**//aliases//**</color>: ''eth4:5'', ''eth4:6'', ..\\ IP aliases are an obsolete way to manage multiple IP addresses/masks per interface. Newer tools such as iproute2 support multiple addresses/prefixes per interface, but aliases are still supported for backwards compatibility. See [[https://cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/networking/alias.txt|Documentation/networking/alias.txt]].
  * <color maroon>**//VLANs//**</color>: ''eth4.0'', ''eth4.1'', ''eth4.3'', ''vlan0'', ..\\ are created to partition a single layer 2 network into multiple virtual ones. The drivers of all participating network cards must support [[wp>IEEE 802.1Q]] and be configured accordingly. The VID field of the tag is 12 bits wide, so the standard allows for 4096 VLAN IDs, of which 0 and 4095 are reserved (4094 usable).
  * <color maroon>**//Stacked VLANs//**</color>: [[wp>IEEE 802.1ad]] (QinQ) support was mainlined in [[cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ad227ff89a7e6f05d07cd0acfd95ed3a24450ca|2013-04-19 net: vlan: add 802.1ad support]]. Configuration is done using ''ip link'' (outer 802.1ad tag first, inner 802.1Q tag on top of it): <code bash>
ip link add link eth0 eth0.1000 type vlan proto 802.1ad id 1000
ip link add link eth0.1000 eth0.1000.1000 type vlan proto 802.1q id 1000
</code>
  * <color maroon>**//bridges//**</color>: ''br0'', ''br-lan''\\ are used to make multiple virtual or physical network interfaces act as if they were one network interface (roughly the opposite of VLANs). They can also be used for VPNs and bridged interfaces. The Linux Ethernet bridge connects multiple Ethernet devices together; the connection is fully transparent: hosts attached to one Ethernet device see hosts attached to the other Ethernet devices directly, so bridging two interfaces also removes any isolation that existed between them. [[https://viewtopic.php?id=45783|understanding how bridge-interfaces work]]
  * <color maroon>**//tunnel interfaces//**</color>: ''pppoe-dsl'', ''pppoa-dsl'', ''tun0'', ''vpn1'', ..\\ are used to send packets over a [[wp>tunneling protocol]] such as [[wp>Generic Routing Encapsulation|GRE]], [[wp>IPsec]], [[wp>Point-to-point protocol over Ethernet|PPPoE]], etc.
  * <color maroon>**//special purpose//**</color>: ''imq0'', ''teql3'', ..\\ are used to change the order of outgoing or incoming network packets (see the imq documentation and [[http://howto/lartc.loadshare.html|teql]]).
  * <color maroon>**//wireless operating mode virtual interfaces//**</color>: ''wlan0'', ''wlan0_1'', ''ath3'', ''ath_monitor'', ..\\ [[doc:howto:wireless.overview|Linux wireless subsystem]]: there is always one //physical network interface// per WNIC, called the //master interface//; the master interface is invisible. Depending on the wireless operating mode the master interface is configured for (//ad-hoc (IBSS), managed, AP, WDS, mesh point, monitor//), //wireless virtual network interfaces// with different properties are created. This happens automatically by default: when the WNIC driver is loaded, there will always be the master interface __and__ (at least) one virtual interface.

Two network interfaces can also be bonded together (please see [[wp>Link aggregation]], [[wp>Channel bonding]], the Ubuntu Wiki page Netzwerkkarten_bündeln and Documentation/networking/bonding.txt).

===== Internal Layout =====
-> [[doc:techref:internal.layout|Internal Layout]] provides some examples of how physical interfaces are connected to [[wp>Computer port (hardware)|computer ports]].

===== Switch Utilities =====
A [[wp>Network switch]] may be a separate chip soldered onto the PCB or be integrated into the [[doc:hardware:SoC]]. In both cases OpenWrt needs drivers to manage that switch; additionally there are userspace programs available to configure it.

A switch has Ethernet ports, and sometimes an IC capable of tagging (hardware tagging), but a switch does not contain a [[wp>Network interface controller|NIC]]. Linux therefore shows no physical or virtual software interface for the individual switch ports; on OpenWrt they are reached through VLAN sub-interfaces of the CPU-side interface (''eth0.1'', ''eth0.2'', ..). Do not confuse a simple //Ethernet port// with a full-blown //NIC//!
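The VLAN and stacked-VLAN entries above describe tags only by device name and by the ''ip link'' commands. The following Python is an added example, not code from the OpenWrt wiki or from the kernel: it parses the 802.1ad/802.1Q tag chain out of a raw Ethernet frame exactly as it travels on the wire, which shows the 12-bit VID limit and how the ''eth0.1000.1000'' stacking looks in bytes. The frame contents and MAC addresses are constructed for the example; ''vlan_device_name'' only mimics the kernel's ''base.vid'' naming and is not a kernel function.

```python
"""Parse stacked IEEE 802.1ad / 802.1Q VLAN tags from a raw Ethernet frame.

Added example (not from the OpenWrt wiki page): walks the tag chain the way
the kernel's VLAN code does, showing that the VID is a 12-bit field
(4096 values, of which 0 and 4095 are reserved) and how an 802.1ad outer
tag wraps an 802.1Q inner tag, as with the eth0.1000.1000 device above.
All frames are constructed inline for the example.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q (C-VLAN) tag protocol identifier
ETH_P_8021AD = 0x88A8  # 802.1ad (S-VLAN, "QinQ") tag protocol identifier
VID_MASK = 0x0FFF      # the VID occupies the low 12 bits of the TCI


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload) for an Ethernet frame.

    tags is a list of (tpid, pcp, dei, vid) tuples, outermost first.
    Raises ValueError on a frame too short to hold what its headers
    announce: a truncated tag must never be treated as an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip dst MAC (6) and src MAC (6)
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID")
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
            break  # not a tag: this is the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        pcp = tci >> 13            # 3-bit priority code point
        dei = (tci >> 12) & 0x1    # drop eligible indicator
        vid = tci & VID_MASK       # 12-bit VLAN identifier
        tags.append((tpid, pcp, dei, vid))
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return tags, ethertype, frame[offset + 2:]


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_vlan_tags; tags are (tpid, pcp, dei, vid), outermost first."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        if not 0 <= vid <= VID_MASK:
            raise ValueError("VID does not fit in 12 bits")
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def vlan_device_name(base: str, tags) -> str:
    """Mimic the kernel's naming of stacked VLAN devices, e.g. eth0.1000.1000."""
    return ".".join([base] + [str(vid) for _, _, _, vid in tags])


if __name__ == "__main__":
    # Constructed: an ARP request carried in S-VLAN 1000 / C-VLAN 1000,
    # the same stacking as the ip link example above.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("02ab00000001")
    qinq = build_frame(dst, src, [(ETH_P_8021AD, 0, 0, 1000), (ETH_P_8021Q, 5, 0, 1000)],
                       0x0806, b"\x00" * 28)
    tags, ethertype, payload = parse_vlan_tags(qinq)
    print(vlan_device_name("eth0", tags), hex(ethertype), len(payload))
```

The parser deliberately refuses truncated tags instead of falling back to "untagged"; a filter that made the opposite choice would classify a malformed frame into the port's default VLAN, which is exactly the kind of ambiguity double-tagging attacks exploit.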
| {{:meta:icons:tango:dialog-information.png?nolink}} | [[doc:techref:UCI]] is a small C utility designed to centralize configuration in OpenWrt.\\ ''[[doc:uci:network|/etc/config/network]]'' is the network configuration file.\\ ''[[doc:uci:wireless|/etc/config/wireless]]'' is the wireless configuration file.\\ <color maroon>**UCI creates an abstraction layer for configuring network interfaces**</color>:\\ In ''[[doc/uci/network|/etc/config/network]]'' you assign a name like //lan// or //internet_wire// or //whatever// to the ''ifname'' variable of every device, and that name is then used consistently throughout the UCI configuration. These names are meaningful only to UCI and the tools built on it; the kernel still knows only the interface names described above. |

===== OpenWrt default configuration =====
The OpenWrt default configuration is explained in ...
===== Current Utilities for Networking and Traffic Control =====
Most GNU/Linux distributions offer various software packages in their repositories which contain the standard Unix networking tools for controlling the network subsystem of the Linux kernel; they serve to configure network interfaces, routing tables, the ARP table, and so on. In Debian several such tools are combined into packages, e.g. net-tools, [[http://jessie/iproute2|iproute2]], [[http://wheezy/vlan|vlan]], [[http://jessie/bridge-utils|bridge-utils]], [[http://jessie/wireless-tools|wireless-tools]], iw and some more.

The utilities contained in the net-tools suite are old and deprecated. The ones contained in the iproute2 suite communicate with the Linux kernel via the (rt)netlink interface and provide advanced features (policy routing, multiple addresses per interface, network namespaces, traffic control) that are not available through the legacy net-tools commands ''ifconfig'' and ''route''. Note in particular that ''ifconfig'' displays only one IPv4 address per interface, so addresses added with ''ip addr add'' are invisible to it; use ''ip addr show'' when auditing a host. See e.g. [[wp>iproute2]] or [[http://linux-network-configuration-for-home-users.albanianwizard|net-tools VS iproute2]] for a comparison.

| {{:meta:icons:tango:dialog-information.png?nolink}} | In the OpenWrt software package repositories networking utilities are available as **separate ''[[doc:techref:opkg]]''-packages**, while core utilities like ''ifconfig'', ''route'', ''netstat'' and ''vconfig'' are also contained in ''busybox'' as applets: ''busybox-ifconfig'', ''busybox-route'', etc. |

^ ''utility'' ^ ''invocation'' ^ Purpose ^
| ''[[man>ip(8)|ip]]'' | ''ip link'' | network device configuration |
| ::: | ''ip addr'' | IPv4 or IPv6 protocol address management on a device |
| ::: | ''ip addrlabel'' | protocol address label management; label configuration for protocol address selection |
| ::: | ''ip l2tp'' | establish static (aka unmanaged) L2TPv3 Ethernet tunnels.\\ For unmanaged tunnels there is no L2TP control protocol, so no userspace daemon is required: tunnels are created manually by issuing commands on the local system and on the remote peer.\\ L2TPv3 is suitable for layer-2 tunnelling. Static tunnels are useful to establish network links across IP networks when the tunnels are fixed. An L2TPv3 tunnel can carry more than one session; each session is identified by a session_id and its parent tunnel's tunnel_id. A tunnel must be created before a session can be created in it.\\ When creating an L2TP tunnel, the IP address of the remote peer is specified (IPv4 or IPv6) together with the local IP address used to reach the peer; this is the address on which the local system listens for and accepts L2TP data packets from the peer.\\ L2TPv3 defines two packet encapsulations: UDP or IP. UDP encapsulation is the most common. IP encapsulation uses a dedicated IP protocol value to carry L2TP data without the UDP overhead; use it only when there are no NAT devices or firewalls in the path.\\ When an L2TPv3 Ethernet session is created, a virtual network interface is created for it, which must then be configured and brought up like any other network interface. Data passed through the interface is carried over the L2TP tunnel to the peer. By configuring the routing tables or adding the interface to a bridge, the L2TP interface acts as a virtual wire ([[doc/howto/pseudowire]]) to the peer.\\ Establishing an unmanaged L2TPv3 Ethernet pseudowire means creating matching L2TP contexts on the local system and on the peer; the parameters used at each site must correspond or no data will pass. No consistency checks are possible, since no control protocol is used. Once the virtual interface of a session is configured and enabled, data can be transmitted even if the peer is not yet configured; in that case the peer discards the L2TP data packets. Note also that unmanaged tunnels provide neither authentication nor encryption: anyone able to send packets to the local address with the right tunnel and session IDs (and cookie, if one is configured) can place frames onto the tunnel interface, so run them over IPsec or a trusted network only.\\ To establish an unmanaged tunnel use the ''ip l2tp add tunnel'' and ''ip l2tp add session'' commands, then configure and enable the session's virtual network interface as required.\\ Unmanaged tunnels carry only Ethernet frames. To carry PPP traffic (L2TPv2), or if the peer does not support unmanaged L2TPv3 tunnels, an L2TP server implementing the L2TP control protocol is needed; the control protocol allows dynamic tunnels and sessions to be established and provides for detecting and acting upon network failures.\\ See [[https://cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/networking/l2tp.txt|Documentation/networking/l2tp.txt]] |
| ::: | ''ip neigh'' | neighbour/ARP table management (ARP or NDISC cache entries) |
| ::: | ''ip netconf'' | network configuration monitoring.\\ Monitors IPv4 and IPv6 parameters (see ''/proc/sys/net/ipv4/conf/*/'' and ''/proc/sys/net/ipv6/conf/*/'') like forwarding, rp_filter or mc_forwarding status.\\ ''ip netconf show'' |
| ::: | ''ip netns'' | process network namespace management.\\ A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices. |
| ::: | ''ip ntable'' | neighbour table configuration; controls the parameters for the neighbour tables |
| ::: | ''ip route'' | routing table management. Configuration files are:\\ ''/etc/iproute2/ematch_map''\\ ''/etc/iproute2/group''\\ ''/etc/iproute2/rt_dsfield''\\ ''/etc/iproute2/rt_protos''\\ ''/etc/iproute2/rt_realms''\\ ''/etc/iproute2/rt_scopes''\\ ''[[doc/howto/notuci.config#etciproute2rt_tables|/etc/iproute2/rt_tables]]'' |
| ::: | ''ip rule'' | routing policy database management |
| ::: | ''ip maddr'' | multicast address management |
| ::: | ''ip mroute'' | multicast routing cache management |
| ::: | ''ip tunnel'' | tunnel over IP configuration |
| ::: | ''ip monitor'' | state monitoring, see ''rtmon'' |
| ::: | ''ip xfrm'' | setting up xfrm, the kernel framework for the IPsec protocol |
| ::: | ''ip tcp_metrics'' | manipulates the entries in which the Linux kernel keeps TCP information for IPv4 and IPv6 destinations. The entries are created when TCP sockets want to share information about destinations and are stored in a cache keyed by the destination address. The saved information may include values for metrics (initially obtained from routes), the recent TSVAL for TIME-WAIT recycling, state for the Fast Open feature, etc. For performance reasons the cache cannot grow above a configured limit; older entries are replaced with fresh information and sometimes reclaimed for new destinations. The kernel never removes entries itself; they can be flushed only with this tool.\\ Type ''ip tcp_metrics show'' to list cached entries |
| ''[[man>rtmon(8)|rtmon]]'' | | Listens to and monitors RTnetlink |
| ''[[man>nstat(8)|nstat]]'' | | ''nstat'' and ''rtacct'' are simple tools to monitor kernel SNMP counters and network interface statistics. |
| ''[[man>rtacct(8)|rtacct]]'' | | ::: |
| ''[[man>routel(8)|routel]]'' | | Set of helper //scripts// you can use instead of ''ip'' commands.\\ The ''routel'' script lists routes in a format that some consider easier to interpret than the ''ip route list'' equivalent.\\ The ''routef'' script takes no arguments and simply flushes the routing table. Beware! This deletes all routes, which will make your network unusable! |
| ''[[man>routef(8)|routef]]'' | | ::: |
| ''[[man>ss(8)|ss]]'' | | utility to dump socket statistics. It shows information similar to the deprecated ''netstat'' and can display more TCP and state information than other tools. |
| ''[[man>tc(8)|tc]]'' | | show / manipulate traffic control settings. ''tc'' is used to configure the [[doc/howto/packet.scheduler/packet.scheduler|network packet scheduler]] of the Linux kernel |
| ''[[man>lnstat(8)|lnstat]]''\\ ''[[man>ctstat(8)|ctstat]]''\\ ''[[man>rtstat(8)|rtstat]]'' | | Unified Linux network statistics.\\ A generalized and more feature-complete replacement for the old ''rtstat'' utility. In addition to routing cache statistics, it supports any kind of statistics the Linux kernel exports via a file in ''/proc/net/stat/''. |
| ''[[man>arpd(8)|arpd]]'' | | userspace ARP daemon |
| ''[[man>vconfig(8)|vconfig]]'' | | VLAN (IEEE 802.1Q) configuration program. Allows you to create and remove VLAN devices on a VLAN-enabled Linux kernel. VLAN devices are virtual Ethernet devices which represent the virtual LANs on the physical LAN. Superseded by ''ip link add ... type vlan'' (see the stacked VLAN example above). |
| ''[[man>brctl(8)|brctl]]'' | | Linux Ethernet bridge administration |
| ''[[man>bridge(8)|bridge]]'' | | show / manipulate bridge addresses and devices; ''bridge'' uses facilities added in Linux 3.0. Although the forwarding table is maintained per bridge device, the bridge device is not part of the syntax; this is a limitation of the underlying netlink neighbour message protocol. When displaying the forwarding table, entries for all bridges are displayed. Add/delete/modify commands determine the underlying bridge device from the bridge to which the given Ethernet device is attached. |
^ [[doc:howto/wireless.utilities|wireless utilities]] ^^^
| ''[[man>iw(8)|iw]]'' | | show / manipulate wireless devices and their configuration |
| ''[[doc:techref:iwinfo]]'' | | ''iwinfo'' is a CLI frontend to the library ''libiwinfo'', which assembles wireless information from various places |

===== Old and deprecated Utilities for Networking and Traffic Control =====
^ Purpose ^ ''utility'' ^ replaced with ^
| IPv4/IPv6 address\\ and link configuration | ''[[man>ifconfig(8)|ifconfig]]'' | ''ip addr'' and ''ip link'' |
| Routing tables | ''[[man>route(8)|route]]'' | ''ip route'' |
| Manipulate the kernel's [[wp>Address Resolution Protocol|ARP]] table: add or delete an entry, or dump the entire cache | ''[[man>arp(8)|arp]]'' | ''ip neigh'' |
| Adds, changes, deletes and shows an interface's tunnels | ''iptunnel'' | ''ip tunnel'' |
| Adds, deletes and shows an interface's multicast addresses | ''ipmaddr'' | ''ip maddr'' |
| Report network connections, routing tables, and interface statistics | ''[[man>netstat(8)|netstat]]'' | ''ss'' |
| Manipulate the kernel's [[wp>Reverse Address Resolution Protocol|RARP]] table | ''[[man>rarp(8)|rarp]]'' | |
| Name network interfaces based on MAC addresses | ''[[man>nameif(8)|nameif]]'' | |
| Fine-tune the PLIP device parameters to improve its performance | ''[[man>plipconfig(8)|plipconfig]]'' | |
| Attaches a network interface to a serial line. This allows normal terminal lines to be used for point-to-point links to other computers | ''[[man>slattach(8)|slattach]]'' | |
| Checks or sets the status of a network interface's Media Independent Interface (MII) unit | ''[[man>mii-tool(8)|mii-tool]]'' | |
| Configure a wireless network interface | ''[[man>iwconfig(8)|iwconfig]]'' | ''iw'' |
| Display wireless events generated by drivers and setting changes | ''[[man>iwevent(8)|iwevent]]'' | ''iw'' |
| Report ESSID, NWID or AP/cell address of a wireless network | ''[[man>iwgetid(8)|iwgetid]]'' | ''iw'' |
| Get more detailed wireless information from a wireless interface | ''[[man>iwlist(8)|iwlist]]'' | ''iw'' |
| Configure optional (private) parameters of a wireless network interface | ''[[man>iwpriv(8)|iwpriv]]'' | ''iw'' |
| Get wireless statistics from specific nodes | ''[[man>iwspy(8)|iwspy]]'' | ''iw'' |

==== net-tools packages in OpenWrt ====
OpenWrt does not ship the net-tools suite as a single package but packages each program separately (versions and sizes as listed in the 2012 revision of this page):
^ Name ^ Version ^ Depends ^ Size ^ Description ^
| net-tools-arp | 1.60-2 | | 13829 | Manipulate the kernel's ARP cache: add or delete an entry, or dump the entire cache. |
| Without this package ''arp'' is merely a shell function that falls back to ''cat /proc/net/arp'' when ''/sbin/arp'' is absent; it is not even part of ''busybox''. |||||
| net-tools-dnsdomainname | 1.60-2 | net-tools-hostname | 807 | Reports the system's DNS domain name. |
| net-tools-domainname | 1.60-2 | net-tools-hostname | 814 | Reports the system's NIS/YP domain name. |
| net-tools-hostname | 1.60-2 | | 4446 | Reports or sets the name of the current host system. |
| net-tools-ifconfig | 1.60-2 | | 17117 | Configure network interfaces. |
| net-tools-ipmaddr | 1.60-2 | | 5690 | Adds, deletes and shows an interface's multicast addresses. |
| net-tools-iptunnel | 1.60-2 | | 7006 | Adds, changes, deletes and shows an interface's tunnels. |
| net-tools-mii-tool | 1.60-2 | | 6034 | Checks or sets the status of a network interface's Media Independent Interface (MII) unit. |
| net-tools-nameif | 1.60-2 | | 4474 | Names network interfaces based on MAC addresses. |
| net-tools-netstat | 1.60-2 | | 28420 | Reports network connections, routing tables, and interface statistics. |
| net-tools-nisdomainname | 1.60-2 | net-tools-hostname | 791 | Same as domainname. |
| net-tools-plipconfig | 1.60-2 | | 2866 | Fine-tunes the PLIP device parameters to improve its performance. |
| net-tools-rarp | 1.60-2 | | 5180 | Manipulates the kernel's RARP table. |
| net-tools-route | 1.60-2 | | 14604 | Manipulates the IP routing table. |
| net-tools-slattach | 1.60-2 | | 7127 | Attaches a network interface to a serial line. This allows normal terminal lines to be used for point-to-point links to other computers. |
| net-tools-ypdomainname | 1.60-2 | net-tools-hostname | 799 | Same as domainname. |
| ip | 2.6.35 | | 80215 | Routing control utility (iproute2). Configuration file: ''[[doc/howto/notuci.config#etciproute2rt_tables|/etc/iproute2/rt_tables]]'' |

==== Wireless packages in OpenWrt ====
To get a better grasp of the whole current Linux WLAN stack, see this [[http://en/developers/Documentation/mac80211?action=AttachFile&do=get&target=mac80211.pdf|pdf]] (page 6) by Johannes Berg. Basically [[http://en/developers/Documentation/mac80211|mac80211]] is a framework analogous to the [[wp>Advanced Linux Sound Architecture]], but for drivers of [[en/developers/Documentation/Glossary#SoftMAC|SoftMAC]] WNICs.

For diverse reasons<sup>1</sup> wireless devices have an API different from that of Ethernet devices.

^ Package ^ Depends ^ Size ^ Description ^
| **kmod-mac80211** | kernel, kmod-crypto-core, kmod-crypto-arc4, kmod-crypto-aes, kmod-cfg80211 | 127474 | Generic IEEE 802.11 networking stack (mac80211) |
| kmod-mac80211-hwsim | kernel, kmod-mac80211 | 10727 | mac80211 HW simulation device |
| kmod-lib80211 | kernel | 12524 | Kernel modules for the 802.11 networking stack. Includes: lib80211, lib80211_crypt_wep, lib80211_crypt_tkip, lib80211_crypt_ccmp |
| kmod-acx-mac80211 | kernel, kmod-mac80211 | 173176 | Driver for acx111 cards (mac80211 version) |
| **kmod-cfg80211** | kernel, wireless-tools, iw, crda | 75422 | cfg80211 is the Linux wireless LAN (802.11) configuration API. |
| **iw** | libnl-tiny | 32100 | cfg80211 interface configuration utility |
| crda | libnl-tiny | 5989 | The Central Regulatory Domain Agent for Linux. It serves one purpose: to tell the Linux kernel what to enforce. In essence it is a udev helper for communication between the kernel and userspace. You only need to run it manually for debugging purposes. To change the regulatory domain manually use ''iw'' (''iw reg set'') or ''wpa_supplicant'' (feature yet to be added). |
| wireless-tools | | 23153 | Contains ''[[http://man/8/iwconfig|iwconfig]]'', ''[[http://man/8/iwlist|iwlist]]'' and ''[[http://man/8/iwpriv|iwpriv]]'' (the latter two are merely symlinks to the first): tools for configuring wireless adapters that implement the "Linux Wireless Extensions", aka "WE" aka "WExt". WExt is the legacy configuration API; it is superseded by the cfg80211/nl80211 API used by ''iw'', and drivers are still being migrated. |

<sup>1</sup> For one, the IEEE 802.11 specifications regulate the whole communication process quite precisely, so it makes sense to implement these requirements once for all drivers rather than in each driver. Then there is the problem of diverging frequency regulations worldwide.
===== Understanding Network Interfaces =====

{{page>meta:infobox:outdated&noheader&nofooter&noeditbtn}}

===== VLAN and bridging concepts =====
==== Basics ====
Before getting too far into the details, it is important to understand what VLANs are and how they work:
  * [[wp>Virtual LAN]], [[wp>IEEE 802.1Q]], [[http://1/pages/802.1Q.html]] and [[http://protocolVLAN.html]]

A VLAN (Virtual LAN) is, in basic terms, a group of physical ports on a switch that behave as if they were a separate standalone switch. This allows one physical switch to be partitioned into multiple LANs, each one completely isolated from the others. The switch must support VLAN configuration; most cheap switches do not, but managed switches do, as does the internal switch of an OpenWrt router.

VLANs are used when you need to separate traffic between groups of devices but only want to use one physical switch. For example you might want one VLAN outside your firewall, for public web/mail servers, and another VLAN for your internal machines such as desktops and boxes holding private data. They cannot be placed on the same LAN for security reasons, so VLANs are used to isolate the groups of ports.

Say we have a 10-port switch and configure ports 1-5 as VLAN 1 and ports 6-10 as VLAN 2. All devices plugged into ports 1 to 5 behave as if they were on their own switch, and devices on ports 6-10 act as if they were on another switch. The main rule is that communication between ports in separate VLANs is blocked: even if you configure devices with the same subnet, they will not be reachable from devices in other VLANs. This isolation holds only as long as nothing routes or bridges between the two VLANs.

It is of course also possible to configure it differently: if you later decide you need to put another device in VLAN 1 and you have only used 4 ports in VLAN 2, you can reconfigure //any// of the VLAN 2 ports into VLAN 1 (not just port 6). You might then end up with VLAN 1 as ports 1-5 and 8, and VLAN 2 as ports 6, 7, 9 and 10.

The number of VLANs that can be configured on any device (including OpenWrt) is limited to 4096, because the VID (VLAN ID) field of the VLAN tag is 12 bits wide; VIDs 0 and 4095 are reserved by the standard, leaving 4094 usable.

The subject of VLANs can get very complicated and extensive, but this quick summary covers what is needed for using VLANs on the OpenWrt platform.

==== VLAN Trunking ====
If you have a switch with multiple VLANs, you may want to attach a device (such as another switch) that needs to talk to more than one VLAN. This could be a firewall, which takes packets from one VLAN, filters them, then passes them to another VLAN. Alternatively, you might have a second switch with the same two VLANs on it, and you want the two switches to exchange packets for both VLANs while maintaining the separation.

Rather than wasting ports by using a separate port per VLAN, a process known as trunking is used. One port on the switch is configured as a trunk port, and this port has connectivity to all VLANs for which it is set to be a trunk port. If you have a switch with 3 VLANs, you can configure one (or more) trunk port(s) to have connectivity to all VLANs, or to just a subset of them.

How does the switch maintain isolation on this port? This is done with "tagging". Every packet sent or received on the trunk port carries a small tag (the 802.1Q header) indicating which VLAN it is for or from. A device receiving packets looks at the tag to see which VLAN each packet belongs to, and when it sends traffic to the switch it adds a tag itself; the switch looks at the tag and delivers the packet to the VLAN indicated. Because the switch trusts the tag on a trunk port, a trunk must only face a device you control, it should carry only the VLANs that device needs, and ordinary access ports must never honour tags supplied by the attached host.

In the example of an attached firewall, a packet coming in from the internal LAN is sent out of the trunk port to the firewall, tagged with the internal VLAN number. The firewall processes the packet, then sends it back to the switch with a tag for the external VLAN, and the switch looks at this tag and sends it to the outside device.

You can see that a device such as a firewall sees each VLAN as if it were a different network interface. The internal VLAN is like a NIC on the inside of the network, and the external interface behaves just like a NIC on the outside. Because of this, most hosts and firewalls that support VLAN tags are set up so that each VLAN tag appears as a separate network interface (''eth0.1'', ''eth0.2'', .. on Linux), even though it is the same physical wire.
- +
-==== Bridging ==== +
-In networking, a bridge is a link between two Ethernet interfaces in such a way as to link them together to the same LAN. If you have a box with two bridged Ethernet interfaces, then connect each interface to separate  +
- +
-switches, the two switches are effectively linked together as if they're connected with a cable. You can also link together a wired Ethernet interface with a wireless interface ​the two are then linked together, much like a wireless AP or bridge. +
- +
-One useful feature of bridging is that the Linux box which is doing the bridging can listen to and send its own traffic. It does this by creating another interface. If you link eth0 and eth1, they will be bound to an interface br0 (or br1, etc). You can then assign an IP address to br0 and it will behave like normal ​network interface ​attached to this bridged network. You cannot configure an IP address on the bridge members ​(eth0 or eth1), it needs to be done on the bridge interface. +
- +
-This knowledge of bridges is important below. +
- +
- +
-===== Interfaces under OpenWrt ===== +
-==== Architecture ==== +
-An OpenWrt box is actually three devices in one. It consists of a VLAN-configurable switch, a wireless port, and a Linux host. The switch and host are connected by one internal "​wire"​ ([[wp>Gigabit Media Independent Interface]]), over which VLAN tagged packets are exchanged. All of the physical ethernet ports on the box are just ports on a single internal switch. VLANs are then used to separate the ports into groups. The diagram below shows the architecture. +
- +
-{{:​oldwiki:​openwrtdocs:​asus-internals-default-sm.png}} +
- +
-By default, the switch is partitioned into two VLANs. Port 0 is configured as VLAN1, and this is labeled on the case as WAN. Ports 1-4 are configured as VLAN0, labeled on the case as LAN1-4. If you wanted, you could actually configure the WAN port as a LAN port, and a LAN port as the WAN port - the label on the chassis simply shows the WAN port in the default configuration. \\  **See http://​​wiki/​IEEE_802.1Q#​Native_VLAN  +
- +
-The native vlan is not tagged. Only the second VLAN needs to be tagged to separate the two data streams.** +
- +
-There is an internal port, Port 5, which has a VLAN-tagged connection into the Linux internals. This port is linked to 'eth0' ​on the Asus WL-500gP. ​'eth0' ​is not configured with an IP address - the kernel takes the raw  +
- +
-packets from eth0 and using the VLAN tags, it sorts the packets from VLAN0 and VLAN1. Packets to/from VLAN1 are then mapped to a logical interface called ​'vlan1', ​and packets to/from VLAN0 are mapped to a logical interface called ​'vlan0'+
- +
-There is another channel that's not shown here, which is used to configure the switch itself. The link used to send this configuration is not shown, and is a separate logical device under Linux. +
- +
-Under OpenWrt, the vlan1 interface is then usually configured with the WAN IP address, and all configuration that applies to the WAN interface ​(e.g. iptables rules and routesare applied to the vlan1 interface. +
- +
-The vlan0 interface is done a bit differently. By default, the wifi interface (eth2) is bridged to the LAN ports, ie any host associated on the wireless port is automatically in the same VLAN/subnet as hosts on the LAN ports. This is done with bridging (see above). As described above, when a bridge is created, a new logical interface is created, called br0, and also as above, this br0 interface is the one that needs to have any IP address configured. So, by default, vlan0 does not have an IP address configured, instead, the LAN interface address is configured on the br0 interface. +
- +
-There's also another interface visible from the shell - "​eth1"​. This doesn't appear to be linked to anything, and is probably an unused wire on the Ethernet controller, so it's ignored in all configuration. Pretend it doesn't exist. :) **This is the case on the Asus WL-500gP, it may differ on other models** +
- +
-==== Interface configuration ==== +
-With knowledge of how interfaces are partitioned,​ it's now easier to understand how to configure interfaces under OpenWrt. +
- +
-The following block configures the physical ports into VLANS: +
- +
-<code> +
-vlan0hwname=et0 +
-vlan0ports="​1 2 3 4 5*" +
-vlan1hwname=et0 +
-vlan1ports="​0 5*" +
-</​code>​ +
- +
-The "​hwname"​ part is always "​et0"​. The device "​et0"​ is the switch itself and tells the system which switch to configure with VLANS. As there'​s only one switch, this must always be set to "​et0"​. If you do not include port 5 in the VLAN then the traffic will remain on the switch and will never be seen by the cpu. +
- +
-The ports then are configured. The vlan0 (LANis configured with four ports, plus the internal tagged port, port 5. The vlan1 (WAN) is configured with only the one port, plus also the tagged port. +
- +
-This configuration then gives us "​vlan1",​ tied to the WAN port, and "​vlan0"​ tied to the other ports. As mentioned earlier, you can change any other port to be the WAN port - just set the vlan1 port to be something else,  +
- +
-not that you really need to! +
- +
-Vlan 1, which connections the WAN port to the CPU, is then configured with an IP address and mapped to the logical ​'wan' ​interface name: +
- +
-<​code>​ +
-wan_ifname=vlan1 +
-wan_ipaddr=a.b.c.d +
-wan_netmask= +
-wan_proto=static +
-</​code>​ +
- +
-Next the LAN side is configured. The bridge must be created and the IP address is assigned to the bridge not a vlan, but overall it's similar: +
- +
-<​code>​ +
-lan_ifname=br0 +
-lan_ifnames="​vlan0 eth2"​ +
-lan_proto=static +
-lan_ipaddr=w.x.y.z +
-lan_netmask= +
-</​code>​ +
- +
-The variable "​lan_ifname",​ which sets the actual interface to configure ​the IP parameters ​with, should ​of course be br0 for bridged interface.  +
- +
-Then the variable "​lan_ifnames"​ actually sets the interfaces which are to be bound to the bridge interface, in this case the vlan0 interface and the wireless interface. The vlan0 ports were defined earlier as wired ports 1-4, so these plus the wireless interface are now one single logical LAN. +
- +
-That's basically how the entire network device architecture is on this box. Below is an example of adding another VLAN. +
- +
-==== DMZ ==== +
--> [[doc:​howto:​DMZ]] +
- +
-If you're running some public servers and are security conscious, you'll probably want to make use of a DMZ (Demilitarized Zone). This is a third VLAN in a network, configured with different rules to the internal secure network. Generally the DMZ is configured to allow access to certain ports from the internet that wouldn't normally be allowed to inside hosts. +
- +
-Under OpenWrt, a DMZ is easy to configure. A third VLAN is created, and one or more physical ports are mapped to this VLAN, then suitable firewall rules are created for this VLAN. The picture below shows how a DMZ  +
- +
-configuration would look inside the device: +
- +
-{{:​oldwiki:​openwrtdocs:​asus-internals-dmz.png}} +
- +
-The configuration lines that would be changed for this are: +
- +
-<​code>​ +
-vlan0ports="​2 3 4 5*" +
-vlan2hwname=et0 +
-vlan2ports="​1 5*" +
-dmz_ifname=vlan2 +
-dmz_proto=static +
-dmz_ipaddr= +
-dmz_netmask= +
-</​code>​ +
- +
-This configuration firstly changes the vlan0 to exclude port 1 which will be our DMZ port. Then the DMZ vlan is created, with ports 1 and 5 (remember 5 is the internal tagged port). Then the logical interface ​'dmz' ​is configured and attached to vlan2. To bring up the new interface, just run "ifup dmz". And of course do your firewall configuration. +
- +
-You could even add more DMZ interfaces - you've got a total of six interfaces to play with (including the wireless ​port) so what we see is that this device is capable of some very impressive routing features - the limit is your imagination. +
- +
-==== VLAN Trunking on one NIC ==== +
-Provided by //Trent W. Buck// aka //twb on #​openwrt//​ +
- +
-Problem: server has room for only one physical NIC, but it needs access to the internet (i.e. an upstream network) as well as absolute dominion over two //​downstream//​ networks: //admin// and //​prisoner//​. +
- +
-To achieve this, we will create three VLAN on both the OpenWrt k7.09 and the Ubuntu 8.04 server. ​ Further, all (or all but one) of the +
-VLAN need to be //tagged// across the physical line between the OpenWrt and the Ubuntu server. +
- +
-Use `robocfg show` to display VLAN status. ​ It's probably better (more portable) to cat something in `/​proc/​switch/​`,​ but I don't know what. +
- +
-<code> +
-    OpenWrt# uci show network.eth0 +
-    network.eth0=switch +
-    network.eth0.vlan0=1 5* +
-    network.eth0.vlan1=0 5 +
-    network.eth0.vlan2=1t 2 5 +
-    network.eth0.vlan3=1t 3 4 5 +
-</​code>​ +
- +
-In this example port 0 is from WAN, port 1 goes to the server, port 2 and port 3 and 4 respectively go to the downstream networks. The * at 5* denotes PVID - default port vlan. This makes vlan0 the default for untagged packages from port 5. Packages leaving for port 5 (the CPUare always implicitly tagged (in this notation). Port 1 (server port) services three vlans: 0, 2 and 3. Packages coming from vlan2 and 3 are explicitly tagged as they leave the switch //through port 1// so the server may distinguish them - this is the '1t'. This means vlan0 packages leave untagged. +
- +
-On the Ubuntu server (virtual) interfaces eth0, eth0.2 and eth0.3 are used as corresponding devices. Since vlan0 is untagged and the default ​'native' ​vlan, there is no eth0.0. Vlan ID '0' ​cannot be used for tagging as it is a reserved value denoting this native vlan.  +
- +
-Note that we do not set up interfaces eth0.2 or eth0.3 with an IP address, because the +
-OpenWrt MUST NOT be accessible (at the IP layer) from the admin and +
-prisoner networks. +
- +
-<​code>​ +
-    Ubuntu# cat /​etc/​network/​interfaces +
-    auto lo eth0 eth0.2 eth0.3 +
- +
-    iface lo inet loopback +
-    iface eth0 inet dhcp +
-    iface eth0.2 inet static +
-      address +
-      network +
-      netmask +
-      broadcast +
-    iface eth0.3 inet static +
-      address +
-      network +
-      netmask +
-      broadcast +
-</​code>​ +
- +
-Note that the Ubuntu //VLAN// package says not to use vlan1, because it's generally reserved for... stuff. ​ It seems to work for me here, probably because vlan1 is non-tagged.+
-See also: http://​​viewtopic.php?​id=5087 
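Review bot: in the "VLAN Trunking on one NIC" example the server port (port 1) carries vlan0 untagged next to the tagged vlan2 and vlan3 (`network.eth0.vlan0=1 5*`, `network.eth0.vlan2=1t 2 5`, `network.eth0.vlan3=1t 3 4 5`), and the prose confirms that "vlan0 packages leave untagged"; an untagged native VLAN that is also the LAN bridge VLAN on a port meant to act as a trunk is exactly the setup that VLAN-hopping mitigations warn against, so the section should state that the untagged VLAN on a trunk port ought to be one no host uses, or that the LAN traffic to the server should ride a tagged VLAN with a non-zero VID (the text itself notes that VID 0 cannot be used for tagging, so eth0.0 is not an option). The sentence "limited to 4096 as the field for the VLAN tag has 12Bits" overstates the count: VID 0 and VID 4095 are reserved by 802.1Q, so 4094 VLANs are configurable. Finally, "we do not set up interfaces eth0.2 or eth0.3 with an IP address" reads as contradicting the Ubuntu listing right after it, which configures both as `inet static`; say explicitly that the OpenWrt side gets no address on vlan2/vlan3 while the Ubuntu server does.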
doc/networking/network.interfaces.1353909668.txt.bz2 · Last modified: 2012/11/26 07:01 by grumbler_eburg