VPP/VPP Home Gateway

From fd.io
Revision as of 05:02, 17 October 2019 by Pvinci (Talk | contribs)


Introduction

VPP running on a 10-watt Intel Atom system makes a fine home gateway. The resulting system performs far in excess of requirements: a TAG=vpp_debug image runs at a vector size of ~1.1 while terminating a 90-Mbit down / 10-Mbit up cable modem connection.

Hardware platform, Linux distro, installation hints

I've been using a Netgate RCC-VE-4860 for experimentation. The device is not cheap, but it's perfectly capable of self-compiling a vpp image in a reasonable amount of time.

I installed Ubuntu 16.04 LTS on the platform. Follow the installation instructions for this platform. Don't bother trying to install directly from a normal Ubuntu distro bootable USB flash drive. It won't work.

Unetbootin worked perfectly - despite warnings to the contrary from the Ubuntu installer - as soon as I formatted the USB flash drive in the expected manner. Create a single FAT32 partition. Set the "bootable" flag on it. I used gparted to do that. Then, use Unetbootin to copy the contents of the Ubuntu 16.04 LTS server .iso to the flash key.

Until the home gateway is fully functional, you'd be well-advised to configure a static IP address on one of the interfaces. That way, the box will boot rapidly, regardless of whether the Linux stack port is connected to anything or not.

Build software

Clone vpp (e.g. master/latest) and build the software:

$ git clone http://gerrit.fd.io/r/vpp vpp-gate
$ cd vpp-gate
$ make install-dep
$ make dpdk-install-dev
$ cd dpdk
$ sudo dpkg -i *.deb
$ cd ../build-root
$ ./bootstrap.sh
$ make PLATFORM=vpp TAG=vpp_debug install-deb
$ sudo dpkg -i *.deb
$ sudo service vpp stop

Install additional packages

At a minimum, install sshd and the isc-dhcp-server. If you prefer, you can use dnsmasq but since I haven't tried it, YMMV.

$ sudo apt-get install isc-dhcp-server openssh-server # keychain emacs vnc4server and so on if desired

vpp startup config

Edit /etc/vpp/startup.conf, approximately as follows. The cli-listen line binds the telnet-style CLI to localhost only, so it is reachable from the box itself but not from the network. Note that some folks are paranoid about enabling telnet anyway, even though it would be damned difficult to reach port 23.

unix {
  nodaemon
  log /var/log/vpp/vpp.log
  full-coredump
  cli-listen localhost:5002
  startup-config /home/userid/setup.gate
}

nat {
  max translations per user 500
}

isc-dhcp-server config

Define an inside subnet, about as follows. Note that 192.168.1.1 is the default gateway address, and 192.168.1.2 allows Linux host stack access.

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.99;
  option routers 192.168.1.1;
  option domain-name-servers 8.8.8.8;
}

/etc/ssh/sshd_config

I configure sshd to listen on a high-numbered port, and to accept only public-key authentication:

# What ports, IPs and protocols we listen for
Port <REDACTED-high-number-port>

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no


vpp configuration

This configuration uses IRB and the snat plugin. I've changed the WAN interface MAC address to match my previous home gateway, so as to retain the IPv4 WAN address. Place the file in /home/userid/setup.gate, or wherever /etc/vpp/startup.conf points.

comment { bring the WAN interface up, then change the MAC address. Otherwise the rx filter will be misprogrammed! }

set int state GigabitEthernet3/0/0 up
set int mac address GigabitEthernet3/0/0 <desired-mac-address>
set dhcp client intfc GigabitEthernet3/0/0 hostname vppgate

comment { create the IRB loopback interface, give it the usual local network IP address }
loopback create
set int l2 bridge loop0 1 bvi
set int ip address loop0 192.168.1.1/24
set int state loop0 up

comment { add the other inside interfaces to the IRB bridge group }
set int l2 bridge GigabitEthernet4/0/0 1
set int state GigabitEthernet4/0/0 up

set int l2 bridge GigabitEthernet0/14/0 1
set int state GigabitEthernet0/14/0 up

set int l2 bridge GigabitEthernet0/14/1 1
set int state GigabitEthernet0/14/1 up

set int l2 bridge GigabitEthernet0/14/2 1
set int state GigabitEthernet0/14/2 up

comment { create a tap interface for dhcp server and host-stack access }
create tap host-if-name lstack host-ip4-address 192.168.1.2/24

set int l2 bridge tap0 1
set int state tap0 up

comment { Configure the nat plugin }

nat44 add interface address GigabitEthernet3/0/0
set interface nat44 in loop0 out GigabitEthernet3/0/0

comment { create static outside-to-inside port mappings }

comment { Send traffic received on the WAN interface DHCP address, <REDACTED-outside-port> to 192.168.1.xxx, <REDACTED-inside-port>. The closing brace matters: an unclosed comment swallows every command after it }
nat44 add static mapping local 192.168.1.xxx <REDACTED-inside-port> external GigabitEthernet3/0/0 <REDACTED-outside-port> tcp

comment { Enable the vpp DNS caching name resolver. The three commands below are wrapped in comment blocks here; unwrap them to turn it on }

comment { nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053 }
comment { bin dns_name_server_add_del 8.8.8.8 }
comment { bin dns_enable_disable }
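The three files above (startup.conf, sshd_config and setup.gate) are where this gateway's exposure is decided, and a small slip in setup.gate, such as a comment { block that is never closed, silently swallows every command after it, including the NAT rules. The audit script below is an added example and not part of the fd.io wiki page or of vpp itself: it checks that cli-listen stays bound to localhost or a unix socket, checks the two sshd settings the page changes, and walks setup.gate tracking comment-brace depth while inventorying the static mappings that actually take effect. All inputs are constructed inline to mirror the page's snippets; the sshd sample deliberately keeps port 22 and the setup.gate sample deliberately leaves one comment unclosed so both findings fire. Function names and the report layout are this example's own.

```python
"""Audit the three config files this page describes. Added example, not part of the
fd.io wiki page; samples are constructed to mirror the page (with deliberate
defects) so the script runs offline."""
import re

# Constructed startup.conf: CLI bound to localhost, as on the page.
STARTUP_CONF = """\
unix {
  cli-listen localhost:5002
  startup-config /home/userid/setup.gate
}
"""
# Constructed sshd_config: password auth off, but still on the default port.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
"""
# Constructed setup.gate: line 4 opens a comment block that is never closed.
SETUP_GATE = """\
set int state GigabitEthernet3/0/0 up
comment { create static outside-to-inside port mappings }
nat44 add static mapping local 192.168.1.50 2222 external GigabitEthernet3/0/0 40022 tcp
comment { this block is never closed, so the two commands below are swallowed
nat44 add static mapping local 192.168.1.60 80 external GigabitEthernet3/0/0 8080 tcp
nat44 add identity mapping external GigabitEthernet3/0/0 udp 53053
"""

def check_cli_listen(startup_conf):
    """(ok, value): ok when the unauthenticated VPP CLI is a unix socket or bound
    to loopback, i.e. not reachable from the network."""
    m = re.search(r"^\s*cli-listen\s+(\S+)", startup_conf, re.M)
    if not m:
        return True, None                  # no CLI listener configured
    value = m.group(1)
    if value.startswith("/"):              # unix-domain socket path
        return True, value
    return value.rsplit(":", 1)[0] in ("localhost", "127.0.0.1"), value

def check_sshd(sshd_config):
    """The two settings the page changes; OpenSSH defaults apply when absent."""
    port, password_auth = 22, "yes"
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "port":
            port = int(value)
        elif key == "passwordauthentication":
            password_auth = value.lower()
    return {"non_default_port": port != 22, "password_auth_disabled": password_auth == "no"}

_MAPPING_RE = re.compile(
    r"nat44 add static mapping local (\S+) (\d+) external (\S+) (\d+) (tcp|udp)")

def parse_static_mapping(line):
    """Exposure described by a mapping in the form the page uses; None otherwise."""
    m = _MAPPING_RE.match(line)
    if not m:
        return None
    local, lport, external, eport, proto = m.groups()
    return {"proto": proto, "external": external, "external_port": int(eport),
            "local": local, "local_port": int(lport)}

def audit_setup_gate(setup_gate):
    """Walk the startup script tracking comment { } depth: VPP's comment command
    consumes text up to the matching '}', so an unclosed block silently disables
    every later command. Report where it starts, what it swallows, and which
    static mappings actually take effect."""
    depth, block_start, skipped, mappings = 0, None, [], []
    for n, raw in enumerate(setup_gate.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if depth > 0:
            skipped.append(n)              # still inside an open comment block
        else:
            mapping = parse_static_mapping(line)
            if mapping:
                mappings.append(mapping)
            if "{" in line:
                block_start = n
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            depth, block_start = 0, None
    return {"unclosed_comment_at": [block_start] if depth > 0 else [],
            "skipped_lines": skipped, "static_mappings": mappings}

def run_audit(startup_conf=STARTUP_CONF, sshd_config=SSHD_CONFIG, setup_gate=SETUP_GATE):
    """Combine the three checks into one report dict."""
    cli_ok, cli_value = check_cli_listen(startup_conf)
    return {"cli_listen_local_only": cli_ok, "cli_listen": cli_value,
            "sshd": check_sshd(sshd_config), "setup_gate": audit_setup_gate(setup_gate)}

if __name__ == "__main__":
    for key, finding in run_audit().items():
        print(f"{key}: {finding}")
```

To run it against a real box, pass the contents of /etc/vpp/startup.conf, /etc/ssh/sshd_config and the setup.gate file to run_audit(). The mapping inventory is the useful part after any edit to the NAT section: every entry it lists is a port reachable from the WAN side, and anything in skipped_lines was silently never applied.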

To test name resolution

vpp# bin dns_resolve_name www.cisco.com
<wait a couple of seconds>
vpp# show dns cache verbose 2

or $ dig @192.168.1.1 www.cisco.com # from a Linux host