KPTree Wiki

This is an old revision of the document!

Debian Network - Server Interface Setup

As of Debian 10 (Buster) Debian still by default uses this interface Setup. It can be setup to use netplan inface.

Ubuntu (as of version 14.04) defaults to Predictable Network Interface Names, also see Systemd Docs. I have no problem with this. In any case, you should always check dev names and not assume names, such as “eth0”

To check available interfaces and names use: ip link, or the more verbose ip a.

The units 4 main port will be setup to look like a router with 1 WAN port and 3 LAN port. The WAN port will be setup on NIC1 with the LAN ports 1-3 will be on bridged NIC2-4.

Ensure the bridge utilities are loaded: sudo apt install bridge-utils.

Edit the network configuration file: /etc/network/interfaces as follows:

/etc/network/interfaces

  # This file describes the network interfaces available on your system
  # and how to activate them. For more information, see interfaces(5).
  
  source /etc/network/interfaces.d/*
  
  # The loopback network interface
  auto lo
  iface lo inet loopback

  # The WAN network interface
  auto eno1 eno1:0
  iface eno1 inet dhcp
  # dhcp for IP/DHCP WAN (static? for PPPOE)
  # set up static ip address to access modem web page on WAN NIC 
  iface eno1:0 inet static
    address 192.168.5.2/24
	
  # Then LAN networks are eno2 eno3 eno4 in bridged mode br1
  # on the 192.168.1.1 subnet
  auto br0
  iface br0 inet static
    bridge_ports eno2 eno3 eno4
    address 192.168.1.1/24
    dns-nameservers 192.168.1.14 192.168.1.2 9.9.9.9
    bridge_stp off  # disable Spanning Tree Protocol
    #bridge_fd 9  # forwarding delay  # use default?
    #bridge_hello 5  # use default?
    #bridge_maxage 60  # use default?

The following is a list of some stanza not used and why:

tl;dr;

The gateway directive is not required as any traffic to 192.168.1.1 not on subnet /24 will be Netfiltered and if accepted passed to WAN
  # gateway 192.168.1.1
  
auto eno2 and iface eno2 inet manual are not required as iface inet br1 will bring up the components assigned to it.
  # iface eno2 inet manual
  # iface eno3 inet manual
  # iface eno4 inet manual
  
The use of allow-hotplug eth1 is not used as normally these interfaces should be running. The br1 interface will be used for virtual machine access and must be running to allow correct VM startup. During initial boot this will cause delays as attempts are made to find network devices, particularly any not used. These delays are necessary for reliable start-up and operation.
  # allow-hotplug eno2
  # iface eno2 inet manual
    # pre-up ifconfig $IFACE up
    # pre-down ifconfig $IFACE down

Each Ethernet hardware connection has its own defined unique MAC number, no need to define another. If Ethernet bonding were being used there maybe a need to use this stanza.
  #hwaddress ether xx:xx:xx:xx:xx:xx

The "modern" way to specify static ip address as address 192.168.1.0/24'' this automatically assigns the network, netmask and broadcast addresses.

The old fashion way was to manual assign as follows:
address 192.168.1.32
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
Perhaps this is still required in special cases?

Note:

Use ip a and ip r to analyse current network configuration
Use sudo journalctl -xeu networking to check any errors on networking

References:

NetworkConfiguration see section on Bridging
/ bookworm / bridge-utils / bridge-utils-interfaces(5)

Network - Netplan Setup

tl;dr;

Debian still defaults to the interface style network setup. It can be set up to use netplan. It is very importqant to remember after installing and setting up netplan to disable the interfaces setup. This can be simply done by deleting, renaming, empting or commenting out the interfaces setup file.

Ubuntu now (as of version 14.04) defaults to Predictable Network Interface Names, also see Systemd Docs. I have no problem with this. In any case, you should always check dev names and not assume names, such as “eth0”

To check available interfaces and names use: ip link, or the more verbose ip a.

Netplan references is a good reference for setting up and using Netplan.

The NIC back panel layout:

 IPMI_LAN
 DisplayPort   USB2-1    USB3-1   LAN3(eth2)   LAN4(eth3)
 HDMI          USB2-0    USB3-0   LAN1(eth0)   LAN2(eth1)   VGA

Due to difficulties with the ISP it 2 modems were attempted in bridge mode; a Netgear DM200 and Draytek Vigor130. The premium Vigor 130 was selected for final use.

It is possible to access the modem web page. The modem manual clearly states that the modem address is “http://192.168.5.1” when in bridge mode.

The network must start-up the WAN NIC to allow pppoe modem Ethernet access and also assign a IP address on this NIC for modem web page access. As the modem is using 192.168.5.1 the router would assign the next address, 192.168.5.2.

To access the router modem webpage the router firewall must also be appropriately configured.

The remaining 3 NICs are setup in bridge mode as router LAN ports. When setup in bridge mode the 3 ports effectively act as a switch with any able to access the router LAN on 192.168.1.1 .

See the Netplan configuration below:

sudo vim /etc/netplan/network.yaml|

network:
  #setup network interfaces
  version: 2
  renderer: networkd
  ethernets:
    eno1: #start for pppoe and setup modem IP access
      dhcp4: yes # yes for dhcp, no for pppoe
      dhcp6: yes # yes for dhcp, no for pppoe or not required
      addresses: 
         - [192.168.5.2/24] #Access to the modem web interface
    eno2:
      dhcp4: no
      dhcp6: no
      optional: true
    eno3:
      dhcp4: no
      dhcp6: no
      optional: true
    eno4:
      dhcp4: no
      dhcp6: no
      optional: true
  #Setup Bridge Interface
  bridges:
    br0:
      addresses:
        - 192.168.1.1/24 #IPv4
        - "2001:470:1f2c:20c::3/64" #IPv6
      interfaces: [eno2, eno3, eno4]
      nameservers:
        addresses: ["2001:470:1f2c:20c::3", 192.168.1.1, 9.9.9.9, 1.1.1.1]
      parameters:
        stp: off          # disable Spanning Tree Protocol
        forward-delay: 9  # forwarding delay
        hello-time: 2     # see netplan.io for definition
        max-age: 12       # see netplan.io for definition

  #Setup Tunnel Interfaces
  tunnels:
    he-ipv6:             # Hurricane Electric IPv6  tunnel
      mode: sit
      remote: 216.218.142.50
      local: 207.7.254.238
      addresses:
         - "2001:470:1f2c:10d::2/64"
      gateway6: "2001:470:1f2c:10d::1"

*''sudo netplan --debug apply'' To apply any changes to the network configuration. *''sudo netplan --debug generate'' To generate backend specific configuration files. *''sudo netplan try'' To try a new neplan configuration with automatic roll back. As this setup is for a router the gateway stanza must not be set "#gateway4: 192.168.1.1". The router is the gateway.\\ As the ipv6 tunnel uses the first to numerical ipv6/64 addresses; x:x:x:x::1 also the tunnel assigned gateway and x:x:x:x::2 the next simple ipv6 global static x:x:x:x::3 was used to identify the router. As this router has a DNS server the "nameserver:" stanza can be set to this routers address e.g.: "addresses: [192.168.1.1]" The use of the stanza "optional: true" on the LAN bridged NICs means during startup the system does not need to wait for these NICs to come up, potentially saving some boot time. The WAN NIC is required, so the optional sanza is not used here. It is important that the network/interfaces method is disable or strange difficult to diagnose network affect may happen. Basically ensure that all items in file /etc/network/interfaces are commented out. For example: ++++''sudo vim /etc/network/interfaces''

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

#Using netplan.io, see /etc/netplan

#source /etc/network/interfaces.d/*

# The loopback network interface
#auto lo
#iface lo inet loopback

# The primary network interface
#allow-hotplug eno2
#iface eno2 inet dhcp

====ipv6 Hurricane Electric Setup notes==== I set up the router network tunnel 6in4 to HEipv6. I could IPv6 ping WAN from the router, but could not so ping WAN from elsewhere on the local area network (lan).\\ The main tunnel connection is set up in the main network configuration file(s).\\ My routing table had ''2001:470:1f2c:10d::/64 dev he-ipv6 proto kernel metric 256 pref medium'', I found that removing this from the routing table allowed remote lan access to function: The one off command to do this: ''sudo ip r del 2001:470:1f2c:10d::/64 dev he-ipv6''.\\ I looked for ways to adjust the netplan configuration, either to stop this line from being added, or increase its metric, but to no avail. So I created the following systemd service to perform this function on start-up after the network was up."\\ To create and edit the service: ''sudo systemctl edit --force --full ipv6_start.service'', ''man systemctl'' and search for ++++ipv6_start.service

[Unit]
Description=Remove route to he-ipv6
Wants=network.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=:/bin/bash -c "ip r del 2001:470:1f2c:10d::/64 dev he-ipv6"

[Install]
WantedBy=multi.user.target default.target

The final command is used to enable the command to run at start-up: sudo systemctl enable ipv6_start.service.
This also needs to be performed after each time netplan apply is used: sudo systemctl start ipv6_start.service.

Router Configuration Network Setup

When I initially setup the router I want to use a different network setting. The following is my basic setup netplan yaml file.

''sudo vim /etc/netplan/50-cloud-init.yaml''

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}

network:
    version: 2
    renderer: networkd
    ethernets:
      # eno1 is always reservered for WAN only
      eno2:
        dhcp4: no
        dhcp6: no
        optional: true
      eno3:
        dhcp4: no
        dhcp6: no
        optional: true
      eno4:
        dhcp4: no
        dhcp6: no
        optional: true
    #Setup Bridge Interface
    bridges:
      br0:
        dhcp4: no
        dhcp6: no
        addresses: [192.168.1.6/24]
        interfaces: [eno2, eno3, eno4]
        gateway4: 192.168.1.1
        nameservers:
          addresses: [192.168.1.1]
        parameters:
          stp: off
          forward-delay: 9s
          hello-time: 2s
          max-age: 12s

Currently Ubuntu (20.04) defaults to netplan.io, where as Debian 10 does not. So in Debian the /etc/network/interfaces need to be disabled, if using netplan. Where as in Ubuntu the auto configuration needs to be disabled.

I am using Debian 12 now and am moving back to /etc/network/interfaces for network configuration. As the DHCP and DNS server now run in a VM/Docker containers, this simplifies settings on the main router functions.

I wrote 2 scripts to switch between configuration:

''vim tononrouter.sh''

#systemctl disable bind9
#systemctl disable isc-dhcp-server
#systemctl disable nftables
#systemctl disable pppoe
#mv /etc/netplan/50-cloud-init.yaml.old /etc/netplan/50-cloud-init.yaml
#mv /etc/netplan/network.yaml /etc/netplan/network.yaml.old
ln -sf /etc/nftables.conf.orig /etc/nftables.conf
#ln -sf /etc/nftables.conf.router /etc/nftables.conf
ln -sf /etc/network/interfaces.orig /etc/network/interfaces
#ln -sf /etc/network/interfaces.router /etc/network/interfaces

Use sudo bash tononrouter.sh to move to non router configuration.

''vim torouter.sh''

#systemctl enable bind9
#systemctl enable isc-dhcp-server
#systemctl enable nftables
#systemctl enable pppoe
#mv /etc/netplan/50-cloud-init.yaml  /etc/netplan/50-cloud-init.yaml.old
#mv /etc/netplan/network.yaml.old  /etc/netplan/network.yaml
#mv /etc/netplan/50-cloud-init.yaml.old /etc/netplan/50-cloud-init.yaml
#mv /etc/netplan/network.yaml /etc/netplan/network.yaml.old
#ln -sf /etc/nftables.conf.orig /etc/nftables.conf
ln -sf /etc/nftables.conf.router /etc/nftables.conf
#ln -sf /etc/network/interfaces.orig /etc/network/interfaces
ln -sf /etc/network/interfaces.router /etc/network/interfaces

Use sudo bash tonrouter.sh to move to non router configuration.

VLAN Info

My ISP states that its setup uses VLAN ID=0. This is a bit ambiguous, does this mean VLAN 801.1q is not used, or priority tagging 801.1p is used, which uses the full VLAN tag frame and has an effective VLAN ID = 0, but is referred to as a priority tag not VLAN? The general online documentation on this matter is vague too. Look's like an experiment to see what works is the only option: 1. Ignore 801.q VLAN entirely, and 2. Attempt too use VLAN priority tagging.

Load the vlan module: sudo apt install vlan.

I tried a number of different configurations of VLAN using for example ip link add add link eno1 name eno1.1 vlan id 1 in the systemctl pppoe.service configuration. I found that my ISP did not seem to need the VLAN defined, so I have not used, and not investigated further.

Some useful links:

802.1Q VLAN implementation for Linux
Wireshark VLAN
Set VLAN CoS priority
Nixcraft How to configure VLAN
Wikipedia IEEE 802.1Q, IEEE P802.1p
vlan 0, 1, and 4095 are reserved for what?
This one talks about reliable network target with systemdRunning Services After the Network is up.

← Prev page

Start page

Next page →

Debian Server Network Setup

Debian Server Network Setup

Debian Network - Server Interface Setup

Network - Netplan Setup

Router Configuration Network Setup

VLAN Info