Ubuntu 16.04 Full Stack Configuration (with Bonding Config)
= Preface =

These instructions are for setting up Ubuntu 16.04 specifically with an AAISP PPPoE (VDSL & ADSL) connection, and a functioning LAN, with additional instructions for bonding, a third WAN with policy based routing, and additional LAN services such as DHCP(v6) and RADVD. The instructions will likely be similar for other versions of Ubuntu and Debian, but may require some changes.

These instructions were built at least partly on:

* https://support.aa.net.uk/Router:Linux
* https://support.aa.net.uk/Router:Linux_-_Debian
* https://support.aa.net.uk/IPv6
* https://support.aa.net.uk/Linux_upload_bonding_using_teql

= Initial System Setup =

Make sure the system is up to date and install some essentials (the ip6tables binary ships in the iptables package, so there is no separate package to install):

<pre>
apt-get update
apt-get upgrade -y
apt-get install -y pppoe ppp iproute2 iptables
sed -i 's/#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sed -i 's/#net\.ipv6\.conf\.all\.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
sysctl -p
</pre>

= Networking Interface Information =

This is going to vary for everyone depending on how your “router” is set up. I’ll be referring to various network interfaces throughout the guide using the names defined here; each name stands for a physical device, and you need to replace it with your own interface name in the applicable config sections.

{| class="wikitable"
|-
! Interface Name Used !! Description
|-
| DEV_AA_WAN1 || Plugged into port marked LAN1 on HG612 for Line 1 (bridged connection used for PPPoE)
|-
| DEV_AA_WAN1_C || Plugged into port marked LAN2 on HG612 for Line 1 (HG612 has a static IP of 192.168.2.1 and subnet mask 255.255.255.0), used for accessing modem stats
|-
| DEV_AA_WAN2 || Plugged into port marked LAN1 on HG612 for Line 2 (bridged connection used for PPPoE)
|-
| DEV_AA_WAN2_C || Plugged into port marked LAN2 on HG612 for Line 2 (HG612 has a static IP of 192.168.3.1 and subnet mask 255.255.255.0), used for accessing modem stats
|-
| DEV_LAN || The interface on which the LAN is connected
|-
| DEV_VM_WAN || Plugged into the Virgin Media modem in bridge mode
|}

== VLANs ==

Note that on Ubuntu, support for VLANs is not enabled by default, so if you are intending to use VLANs you will need to do the following (the vconfig tool used below comes from the vlan package, which you may need to install with apt-get install vlan):

<pre>
modprobe 8021q
echo "8021q" >> /etc/modules
</pre>

You will then need to add your VLANs for use by doing:

<pre>
vconfig add INTERFACE VLAN
</pre>

For example:

<pre>
vconfig add eth0 10
</pre>

You can then use the notation eth0.10 to reference this interface with the VLAN tag.

= Setting Up PPP Connection(s) =

A lot of this part of the guide can be seen here: https://support.aa.net.uk/Router:Linux_-_Debian#Setting_up_pppd

== First Connection ==

=== /etc/ppp/peers/aaisp_wan1 ===

Edit this file with the following (don’t forget to replace DEV_AA_WAN1 with your interface over which PPP should be dialled):

<pre>
user your-line1-username
plugin rp-pppoe.so DEV_AA_WAN1
noipdefault
defaultroute
hide-password
lcp-echo-interval 1
lcp-echo-failure 10
noauth
persist
maxfail 0
mtu 1492
noaccomp
default-asyncmap
+ipv6
ipv6cp-use-ipaddr
ifname pppoe-AA_1
unit 0
linkname aa_wan1
</pre>

Note the additional “unit” and “linkname” directives compared with the linked guide; “unit” is the index of the ppp interface created (i.e. unit 0 creates ppp0).

=== /etc/ppp/chap-secrets ===

Edit this file and input your username and password in the format specified below (the client field must match the “user” directive in the peers file). If you have a second connection you can also add the credentials for this one while you are here:

<pre>
# Secrets for authentication using CHAP
# client          server  secret              IP addresses
line1-username    *       YourLine1Password
line2-username    *       YourLine2Password
</pre>

=== Testing ===

Test that you get some sort of response from the line directly:

<pre>
pppoe -I DEV_AA_WAN1 -A
</pre>

If you do, then the connection will probably succeed; try firing up the connection:

<pre>
pon aaisp_wan1
</pre>

It should connect and you should get a default IPv4 route. Now that we know it’s working we can disable it again:

<pre>
poff aaisp_wan1
</pre>

== Second Connection (for Bonding) ==

Only do this if you have a second PPPoE connection with AAISP to use for bonding. Make sure that your primary IPv4 address is routed to both lines, and make sure an IPv6 /64 block is routed to both lines. Multiple IPv4 addresses and IPv6 blocks are outside the scope of this guide.

=== /etc/ppp/peers/aaisp_wan2 ===

Edit the file as shown for aaisp_wan1 but, importantly, make sure the device is set to your DEV_AA_WAN2, and change the “ifname”, “unit” and “linkname” directives (the rest of this guide assumes the second PPP interface is named pppoe-AA_2).

=== Testing ===

Again, you can test in the same way as with aaisp_wan1.

=== Further Config Changes ===

For bonding, it’s important now to go into both config files (/etc/ppp/peers/aaisp_wan1 & /etc/ppp/peers/aaisp_wan2) and comment out the “defaultroute” directive. We don’t want either of these connections to become the default route, as we will implement the bonding with a virtual interface later on.

= Configuring Network Interfaces =

Time to do some work on the network interfaces themselves. Fire up your favourite text editor and edit the file '''/etc/network/interfaces'''.

Most likely it’s populated with something like the following already:

<pre>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto enp0s20f0
iface enp0s20f0 inet dhcp
</pre>

You’ll need to make sure that as you edit this file, you don’t define any interface a second time.

== VLANs ==

Another note on VLANs: whenever you use one, you should always specify “vlan-raw-device” inside the interface definition, and there should always be a “manual” definition for the raw device itself as well. For example, assuming we have eth4, and the modem stats port is connected on VLAN 20, the definition would look like this:

<pre>
auto eth4
iface eth4 inet manual

auto eth4.20
iface eth4.20 inet static
    vlan-raw-device eth4
    address 192.168.2.2
    netmask 255.255.255.0
</pre>

You also need to make sure you have added this interface with vconfig as mentioned further up in the guide.

== LAN ==

First, let’s define your LAN interface; this is where DHCP will operate and where your LAN clients are connected. Make sure to replace DEV_LAN with your physical device.

I’m using 192.168.1.0/24 as my LAN but feel free to use whatever you want.

For IPv6, assign the first address of your routed /64 block, so if your block is 2001:db8:b9:2041::/64, then assign 2001:db8:b9:2041::1.

<pre>
# LAN Configuration
auto DEV_LAN
iface DEV_LAN inet static
    address 192.168.1.1
    netmask 255.255.255.0

iface DEV_LAN inet6 static
    address 2001:db8:b9:2041::1
    netmask 64
</pre>

== First Connection ==

We need to make 2 entries in the file for the connection, one for the physical interface itself and one to actually bring up PPP:

<pre>
# AAISP WAN1
auto DEV_AA_WAN1
iface DEV_AA_WAN1 inet manual

# AAISP PPPoE 1
auto aa_wan1
iface aa_wan1 inet ppp
    pre-up /sbin/ip link set DEV_AA_WAN1 up
    provider aaisp_wan1
</pre>

I am not sure the pre-up is strictly necessary but it seems to have helped for me.

=== Control Interface ===

If you have an HG612 with the IPs statically configured like I described, then you can also configure the modem stats interface:

<pre>
# AAISP Modem Stats 1
auto DEV_AA_WAN1_C
iface DEV_AA_WAN1_C inet static
    address 192.168.2.2
    netmask 255.255.255.0
</pre>

== Second Connection (for Bonding) ==

Configure this exactly as described in “First Connection” but with the correct interfaces and provider name.

== Testing ==

In theory you can now “ifup” all of the interfaces you just configured. The PPP interfaces should connect and get both an IPv4 address and an IPv6 link-local address.

If you are not bonding, a default IPv4 route should have been added and connectivity should work. You should also be able to statically assign yourself an IP address in the range you specified for the LAN, connect on that interface, and the router should respond to ping.

= Fixing Routes =

== One Connection Only ==

If you are not bonding, then you should already get a default IPv4 route, and we simply need to make it so that an appropriate IPv6 route is added when the PPP interface comes up.

Create a new file '''/etc/ppp/ipv6-up.d/set-route''' with the following ($1 is the interface name pppd passes to ipv6-up scripts):

<pre>
#!/bin/sh
/sbin/ip -6 route add default dev $1
</pre>

Then execute:

<pre>
chmod 0755 /etc/ppp/ipv6-up.d/set-route
chmod +x /etc/ppp/ipv6-up.d/set-route
</pre>

If you “'''ifdown'''” and “'''ifup'''” the interface, you should get an IPv6 default route now. You can check with “'''ip -6 route'''”.

== Two (or more) Connections Bonded ==

If bonding, we need to enable the teql scheduler and set up some scripts to fix routing and bonding.

=== Enable the Scheduler ===

<pre>
modprobe sch_teql
echo "sch_teql" >> /etc/modules
</pre>

=== Fixing the Routing ===

Create a new file '''/etc/ppp/ip-up.d/fix-teql''' with the following contents (make sure to put in your IPv4 & first IPv6 address):

<pre>
#!/bin/bash
# pppd runs this once for every PPP link that comes up, so it runs twice;
# the "add" commands print "File exists" on the second run, which is harmless.

# Loose reverse-path filtering: traffic leaves via teql0 but replies arrive on
# whichever PPP line, which strict rp_filter would drop.
/sbin/sysctl -w net.ipv4.conf.pppoe-AA_1.rp_filter=2
/sbin/sysctl -w net.ipv4.conf.pppoe-AA_2.rp_filter=2

# Attach both lines to the teql0 bond and make it the default route
/sbin/tc qdisc add dev pppoe-AA_1 root teql0
/sbin/tc qdisc add dev pppoe-AA_2 root teql0
/sbin/ip address add YOUR_IPV4_ADDRESS/32 dev teql0
/sbin/ip address add YOUR_FIRST_IPV6_ADDRESS/64 dev teql0
/sbin/ip link set teql0 up
/sbin/ip route replace default scope global dev teql0
/sbin/ip -6 route replace default scope global dev teql0
</pre>

Then execute:

<pre>
chmod 0755 /etc/ppp/ip-up.d/fix-teql
chmod +x /etc/ppp/ip-up.d/fix-teql
</pre>

At this time, if your PPP connections are up from previous testing, you can manually run this script, and you should then get connectivity on both IPv4 & IPv6. You can also check “'''ip route'''” and “'''ip -6 route'''”; the teql0 device should be the default route for both.

= Firewalling =

You can use iptables to configure a firewall for your system and also to apply some features such as IPv4 NAT for the LAN.

The rules are mostly taken from https://support.aa.net.uk/Router:Linux_-_Debian#Configuring_your_firewall and are commented so you can execute what you need. Also remember to replace your devices as before (although the PPP devices are already named correctly if you followed the guide).

== IPv4 Rules ==

Note that implementing these rules wipes your existing IPv4 rules if you have any.

<pre>
# Wipe all existing rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X

# Accept everything from localhost
iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT

# Accept all ICMP
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT

# Accept everything from LAN
iptables -A INPUT -i DEV_LAN -m comment --comment "Accept all from the LAN" -j ACCEPT

# Accept established connections from AAISP Line 1
iptables -A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT

# Accept established connections from AAISP Line 2 (Bonding only)
iptables -A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT

# Reject anything else (not really needed as we will change default policy to drop later)
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable

# AAISP Line 1 MSS Clamping
iptables -A FORWARD -o pppoe-AA_1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu

# AAISP Line 2 MSS Clamping (Bonding only)
iptables -A FORWARD -o pppoe-AA_2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu

# Allow traffic from LAN to AAISP Line 1
iptables -A FORWARD -i DEV_LAN -o pppoe-AA_1 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT

# Allow traffic from LAN to AAISP Line 2 (Bonding only)
iptables -A FORWARD -i DEV_LAN -o pppoe-AA_2 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT

# Allow traffic from LAN to teql0 Bond (Bonding only)
iptables -A FORWARD -i DEV_LAN -o teql0 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT

# Allow related traffic from AAISP Line 1 to LAN
iptables -A FORWARD -i pppoe-AA_1 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT

# Allow related traffic from AAISP Line 2 to LAN (Bonding only)
iptables -A FORWARD -i pppoe-AA_2 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT

# Allow traffic from LAN to AAISP Modem Stats 1
iptables -A FORWARD -i DEV_LAN -o DEV_AA_WAN1_C -m comment --comment "Allow traffic from LAN -> Control" -j ACCEPT

# Allow related traffic back from AAISP Modem Stats 1 to LAN
iptables -A FORWARD -i DEV_AA_WAN1_C -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from Control -> LAN" -j ACCEPT

# Allow traffic from LAN to AAISP Modem Stats 2 (Bonding only)
iptables -A FORWARD -i DEV_LAN -o DEV_AA_WAN2_C -m comment --comment "Allow traffic from LAN -> Control" -j ACCEPT

# Allow related traffic back from AAISP Modem Stats 2 to LAN (Bonding only)
iptables -A FORWARD -i DEV_AA_WAN2_C -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from Control -> LAN" -j ACCEPT

# Allow NAT on AAISP Line 1
iptables -t nat -A POSTROUTING -o pppoe-AA_1 -m comment --comment NAT -j MASQUERADE

# Allow NAT on AAISP Line 2 (Bonding only)
iptables -t nat -A POSTROUTING -o pppoe-AA_2 -m comment --comment NAT -j MASQUERADE

# Allow NAT on teql0 Bond (not sure this is necessary) (Bonding only)
iptables -t nat -A POSTROUTING -o teql0 -m comment --comment NAT -j MASQUERADE

# Allow NAT to get to AAISP Modem Stats Line 1
iptables -t nat -A POSTROUTING -o DEV_AA_WAN1_C -m comment --comment NAT -j MASQUERADE

# Allow NAT to get to AAISP Modem Stats Line 2 (Bonding only)
iptables -t nat -A POSTROUTING -o DEV_AA_WAN2_C -m comment --comment NAT -j MASQUERADE

# Default drop everything from outside
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
</pre>

== IPv6 Rules ==

Note that implementing these rules wipes your existing IPv6 rules if you have any.

<pre>
# Wipe all existing rules
ip6tables -F
ip6tables -X

# Accept everything from localhost
ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT

# Accept all ICMP
ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT

# Accept everything from LAN
ip6tables -A INPUT -i DEV_LAN -m comment --comment "Accept all from LAN" -j ACCEPT

# Accept established connections from AAISP Line 1
ip6tables -A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT

# Accept established connections from AAISP Line 2 (Bonding only)
ip6tables -A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT

# Forward all ICMP
ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT

# Allow traffic from LAN to AAISP Line 1
ip6tables -A FORWARD -i DEV_LAN -o pppoe-AA_1 -m comment --comment "Allow LAN -> internet" -j ACCEPT

# Allow traffic from LAN to AAISP Line 2 (Bonding only)
ip6tables -A FORWARD -i DEV_LAN -o pppoe-AA_2 -m comment --comment "Allow LAN -> internet" -j ACCEPT

# Allow traffic from LAN to teql0 Bond (Bonding only)
ip6tables -A FORWARD -i DEV_LAN -o teql0 -m comment --comment "Allow LAN -> internet" -j ACCEPT

# Allow related traffic from AAISP Line 1 to LAN
ip6tables -A FORWARD -i pppoe-AA_1 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT

# Allow related traffic from AAISP Line 2 to LAN (Bonding only)
ip6tables -A FORWARD -i pppoe-AA_2 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT

# Default drop everything from outside
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
</pre>

== Testing ==

You should now be able to statically assign a computer an address in your LAN subnet, connect it to the LAN port on this router, and at this point you should have at least IPv4 connectivity to the internet. If you wish you can also test IPv6 in this way by assigning an address from your block.

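Beyond a connectivity test, it is worth checking that the rules loaded are the ones intended. The following is an added example (not part of the original guide): a small shell audit that reads an iptables-save or ip6tables-save dump and checks the two properties the rules above rely on, that INPUT and FORWARD default to DROP and that nothing arriving on pppoe-AA_1, pppoe-AA_2 or teql0 is accepted unless it is RELATED,ESTABLISHED. The two sample dumps inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an iptables-save or
# ip6tables-save dump against the policy set up in this section. The interface
# names pppoe-AA_1, pppoe-AA_2 and teql0 are the guide's own; the two sample
# dumps at the bottom are constructed for the demonstration.

# Interfaces facing the internet. Anything the firewall ACCEPTs from them must
# be limited to RELATED,ESTABLISHED (reply) traffic.
WAN_IFACES='pppoe-AA_1 pppoe-AA_2 teql0'

# audit_ruleset: read a *-save dump on stdin, print one "FAIL: ..." line per
# finding, return 0 when the dump is clean and 1 otherwise.
audit_ruleset() {
    rules=$(cat)
    rc=0

    # Check 1: in the filter table, INPUT and FORWARD must default to DROP.
    # Only the *filter section counts; the nat table legitimately keeps ACCEPT.
    for chain in INPUT FORWARD; do
        pol=$(printf '%s\n' "$rules" |
              awk -v c=":$chain" '/^\*/ {t=$1} t=="*filter" && $1==c {print $2}')
        if [ "$pol" != "DROP" ]; then
            echo "FAIL: filter/$chain policy is '${pol:-missing}', expected DROP"
            rc=1
        fi
    done

    # Check 2: every ACCEPT rule in INPUT or FORWARD that matches packets
    # arriving on a WAN interface must carry a RELATED,ESTABLISHED state match
    # (written as "-m state --state" here, "-m conntrack --ctstate" elsewhere).
    for ifc in $WAN_IFACES; do
        bad=$(printf '%s\n' "$rules" |
              grep -E "^-A (INPUT|FORWARD) .*-i $ifc .*-j ACCEPT" |
              grep -vE -- '--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED)') || true
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | sed "s/^/FAIL: unrestricted ACCEPT from $ifc: /"
            rc=1
        fi
    done
    return $rc
}

# Constructed dump shaped like iptables-save output after applying the IPv4 rules above.
sample_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
-A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
-A INPUT -i DEV_LAN -m comment --comment "Accept all from the LAN" -j ACCEPT
-A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
-A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
-A FORWARD -i DEV_LAN -o teql0 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
-A FORWARD -i pppoe-AA_1 -o DEV_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o teql0 -m comment --comment NAT -j MASQUERADE
COMMIT
EOF
}

# Constructed dump with two mistakes: INPUT left at ACCEPT, and a leftover
# debugging rule that accepts everything arriving on pppoe-AA_1.
sample_bad() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i pppoe-AA_1 -j ACCEPT
COMMIT
EOF
}

# On the live router the same check is:  iptables-save | audit_ruleset
# (and ip6tables-save | audit_ruleset for the IPv6 rules).
echo "== good sample =="; sample_good | audit_ruleset && echo "clean"
echo "== bad sample ==";  sample_bad | audit_ruleset || echo "ruleset rejected"
```

Run it after `netfilter-persistent reload` as well, since the saved rules file is what survives a reboot.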
== Final Steps ==

We now need to install iptables-persistent to save the rules across reboots:

<pre>
apt-get install iptables-persistent
</pre>

In the prompts select that you wish to save the rules now. Note that if you change rules manually in the future you will need to issue the following commands to persist them (but note that this will also persist any rules added for things like UPnP):

<pre>
netfilter-persistent save
netfilter-persistent reload
</pre>

= LAN Setup =

This section deals with setting up services for your LAN network. We will cover the following:

* BIND (DNS Forwarder with Caching)
* DHCP
* DHCPv6
* RADVD
* UPnP

== BIND (DNS) ==

BIND is relatively simple to set up in this way. First, install it:

<pre>
apt-get install bind9
</pre>

Now edit the file '''/etc/bind/named.conf.options''' and update it with the following. Note that you should replace '''192.168.1.0/24''' with your LAN subnet, '''192.168.1.1''' with the statically assigned IPv4 address on your LAN interface, and '''2001:db8:b9:2041::1''' with the statically assigned IPv6 address on your LAN. The acl restricts recursive queries to the LAN, so the server is not an open resolver.

<pre>
acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    # Feel free to add your own DNS servers here
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-enable yes;
    dnssec-validation yes;

    auth-nxdomain no;
    listen-on-v6 { 2001:db8:b9:2041::1; ::1; };
    listen-on { 192.168.1.1; 127.0.0.1; };
};
</pre>

Issue:

<pre>
systemctl enable bind9
systemctl restart bind9
</pre>

It should now be possible to issue DNS requests to the local system:

<pre>
root@ubuntu-router:/# dig +noauthority aaisp.net A @127.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noauthority aaisp.net A @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aaisp.net.                     IN      A

;; ANSWER SECTION:
aaisp.net.              3420    IN      A       81.187.30.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 03 14:54:36 BST 2017
;; MSG SIZE  rcvd: 262
</pre>

If you would like to force the local machine to use this caching server for lookups, but not change /etc/network/interfaces to do so, and also avoid messing with resolvconf, you can do the following, although it’s not the recommended method:

<pre>
echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
</pre>

== DHCP ==

DHCP is relatively easy to set up for IPv4 but is going to require some manual tweaks for IPv6 (listed in the next section).

Install the ISC DHCP Server:

<pre>
apt-get install isc-dhcp-server
</pre>

Edit '''/etc/default/isc-dhcp-server''' and edit '''INTERFACES''' to add your LAN interface:

<pre>
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="DEV_LAN"
</pre>

Now you can edit '''/etc/dhcp/dhcpd.conf''' and update it for your use; a sample config is shown below:

<pre>
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.50 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option broadcast-address 192.168.1.255;
}
</pre>

Once that’s done, you can issue the following:

<pre>
systemctl enable isc-dhcp-server
systemctl restart isc-dhcp-server
</pre>

This should give you working DHCP for IPv4 on your LAN.

== DHCPv6 ==

DHCPv6 is supported by isc-dhcp-server but requires us to make a new init script and change some configuration (credit: https://www.interlan.se/fix-isc-dhcp-server6-ubuntu-16-04/ ). I will assume you already did the DHCP setup mentioned previously.

Execute:

<pre>
cp /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server6
</pre>

Edit '''/etc/default/isc-dhcp-server6''' and change the options as follows:

<pre>
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPD_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPD_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
OPTIONS="-6"

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="DEV_LAN"
</pre>

Edit '''/etc/dhcp/dhcpd6.conf''' and populate it with your /64 block and a suitable range; a sample config is:

<pre>
default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;

allow leasequery;

option dhcp6.name-servers 2001:db8:b9:2041::1;
option dhcp6.info-refresh-time 21600;

subnet6 2001:db8:b9:2041::/64 {
    range6 2001:db8:b9:2041::100 2001:db8:b9:2041:ffff:ffff:ffff:ffff;
    range6 2001:db8:b9:2041::/64 temporary;
}
</pre>

Execute:

<pre>
cp /etc/init.d/isc-dhcp-server /etc/init.d/isc-dhcp-server6
sed -i s/isc-dhcp-server/isc-dhcp-server6/ /etc/init.d/isc-dhcp-server6
sed -i s/dhcpd.conf/dhcpd6.conf/ /etc/init.d/isc-dhcp-server6
sed -i s/dhcpd.pid/dhcpd6.pid/ /etc/init.d/isc-dhcp-server6
systemctl enable isc-dhcp-server6
systemctl start isc-dhcp-server6
</pre>

Clients should now get an IPv6 address, although they may not, and even if they do, depending on the OS it may not actually work properly until you have gone to the next section and set up RADVD.

== RADVD ==

RADVD is very easy to set up with a simple config. Just install RADVD first:

<pre>
apt-get install radvd
</pre>

Then edit '''/etc/radvd.conf''' and update it with your interface and prefix; here is a sample config:

<pre>
interface DEV_LAN
{
    AdvSendAdvert on;
    prefix 2001:db8:b9:2041::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
</pre>

Once done, execute:

<pre>
systemctl enable radvd
systemctl restart radvd
</pre>

This should give your LAN clients IPv6 addresses and connectivity.

== UPnP ==

Coming soon.

= Bonus: Port based policy routing to a third WAN =

Coming soon.

Revision as of 15:15, 3 May 2017
Preface
These instructions are for setting up Ubuntu 16.04 specifically with an AAISP PPPoE (VDSL & ADSL) connection, and a functioning LAN, with additional instructions for bonding, a third WAN with policy based routing, and additional LAN services such as DHCP(v6) and RADVD. The instructions will likely be similar for other versions of Ubuntu and Debian, but may require some changes. These instructions were built at least partly on:
- https://support.aa.net.uk/Router:Linux
- https://support.aa.net.uk/Router:Linux_-_Debian
- https://support.aa.net.uk/IPv6
- https://support.aa.net.uk/Linux_upload_bonding_using_teql
Initial System Setup
Make sure the system is up to date and install some essentials:
apt-get update apt-get upgrade -y apt-get install -y pppoe ppp iproute2 iptables ip6tables sed -i 's/#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf sed -i 's/#net\.ipv6\.conf\.all\.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf sysctl -p
Networking Interface Information
This is going to vary for everyone depending on how your “router” is setup. I’ll be referring to various network interfaces in the guide, and I’ll use the names defined here to reference them, where they are used, these names refer to the physical name of the device. You need to replace them with your own interface names in applicable config sections.
Interface Name Used | Description |
---|---|
DEV_AA_WAN1 | Plugged into port marked LAN1 on HG612 for Line 1 (bridged connection used for PPPoE) |
DEV_AA_WAN1_C | Plugged into port marked LAN2 on HG612 for Line 1 (HG612 has a static IP of 192.168.2.1 and subnet mask 255.255.255.0), used for accessing modem stats |
DEV_AA_WAN2 | Plugged into port marked LAN1 on HG612 for Line 2 (bridged connection used for PPPoE) |
DEV_AA_WAN2_C | Plugged into port marked LAN2 on HG612 for Line 2 (HG612 has a static IP of 192.168.3.1 and subnet mask 255.255.255.0), used for accessing modem stats |
DEV_LAN | The interface on which the LAN is connected |
DEV_VM_WAN | Plugged into Virgin Media modem in bridge mode |
VLANs
Note that on Ubuntu, support for VLANs is not enabled by default, so if you are intending to use VLANs you will need to do the following:
modprobe 8021q echo "8021q" >> /etc/modules
You will then need to add your VLANs for use by doing:
vconfig add INTERFACE VLAN
For example:
vconfig add eth0 10
You can then use the notation eth0.10 to reference this interface with VLAN.
Setting Up PPP Connection(s)
A lot of this part of the guide can be seen here: https://support.aa.net.uk/Router:Linux_-_Debian#Setting_up_pppd
First Connection
/etc/ppp/peers/aaisp_wan1
Edit this file with the following (don’t forget to replace DEV_AA_WAN1 with your interface over which PPP should be dialled):
user your-line1-username plugin rp-pppoe.so DEV_AA_WAN1 noipdefault defaultroute hide-password lcp-echo-interval 1 lcp-echo-failure 10 noauth persist maxfail 0 mtu 1492 noaccomp default-asyncmap +ipv6 ipv6cp-use-ipaddr ifname pppoe-AA_1 unit 0 linkname aa_wan1
Note the additional “unit” and “linkname” instructions from the linked guide, “unit” is in the index of the ppp connection created (ie. unit = 0 creates ppp0).
/etc/ppp/chap-secrets
Edit this file and input your username and password in the format specified below. If you have a second connection you can also add the credentials for this one while you are here:
# Secrets for authentication using CHAP # client server secret IP addresses line1-username * YourLine1Password line2-username * YourLine2Password
Testing
Test you get some sort of response directly:
pppoe -I DEV_AA_WAN1 -A
If you do, then the connection will probably succeed, try firing up the connection:
pon aaisp_wan1
It should connect and you should get a default IPv4 route. Now that we know it’s working we can disable it again:
poff aaisp_wan1
Second Connection (for Bonding)
Only do this if you have a second PPPoE connection with AAISP for use for bonding. Make sure that your primary IPv4 address is routed to both lines, and make sure an IPv6 /64 block is routed to both lines. Multiple IPv4 addresses and IPv6 blocks are outside the scope of this guide.
/etc/ppp/peers/aaisp_wan2
Edit the file as shown for aaisp_wan1 but importantly, make sure the device is set to your DEV_AA_WAN2, and change the “ifname”, “unit” and “linkname” directives.
Testing
Again, you can test in the same way as with aaisp_wan1.
Further Config Changes
For bonding, it’s important now to go into both config files (/etc/ppp/peers/aaisp_wan1 & /etc/ppp/peers/aaisp_wan2), and to comment out the “defaultroute” directive. We don’t want either of these connections to become default routes as we will implement the bonding with a virtual interface later on.
Configuring Network Interfaces
Time to do some work on the network interfaces themselves, fire up your favourite text editor and edit the file /etc/network/interfaces
Most likely it’s populated with something like the following already:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback auto enp0s20f0 iface enp0s20f0 inet dhcp
You’ll need to make sure that as you edit this file, you don’t define any interfaces a second time.
VLANs
Another note on VLANs, whenever you use one, you should always specify “vlan-raw-device” inside the interface definition, and there should always be a “manual” definition for the raw device itself as well. For example, assuming we have eth4, and the modem stats port is connected on VLAN 20, the definition would look like this:
auto eth4 iface eth4 inet manual auto eth4.20 iface eth4.20 inet static vlan-raw-device eth4 address 192.168.2.2 netmask 255.255.255.0
You also need to make sure you have added this interface with vconfig as mentioned further up in the guide.
LAN
Firstly let’s define your LAN interface, this is where DHCP will operate and your LAN clients are connected to. Make sure to replace DEV_LAN with your physical device.
I’m using 192.168.1.0/24 as my LAN but feel free to use whatever you want.
For IPv6, assign the first address of your routed /64 block, so if your block is 2001:db8:b9:2041::/64, then assign 2001:db8:b9:2041::1.
 # LAN Configuration
 auto DEV_LAN
 iface DEV_LAN inet static
     address 192.168.1.1
     netmask 255.255.255.0
  
 iface DEV_LAN inet6 static
     address 2001:db8:b9:2041::1
     netmask 64
First Connection
We need to make 2 entries in the file for the connection, one for the physical interface itself and one to actually bring up PPP:
 # AAISP WAN1
 auto DEV_AA_WAN1
 iface DEV_AA_WAN1 inet manual
  
 # AAISP PPPoE 1
 auto aa_wan1
 iface aa_wan1 inet ppp
     pre-up /sbin/ip link set DEV_AA_WAN1 up
     provider aaisp_wan1
I am not sure the pre-up is strictly necessary but it seems to have helped for me.
Control Interface
If you have an HG612 with the IPs statically configured like I described, then you can also configure the modem stats interface:
 # AAISP Modem Stats 1
 auto DEV_AA_WAN1_C
 iface DEV_AA_WAN1_C inet static
     address 192.168.2.2
     netmask 255.255.255.0
Second Connection (for Bonding)
Configure this exactly as described in “First Connection” but with the correct interfaces and provider name.
Testing
In theory now you can “ifup” all of the interfaces you just configured. The PPP interfaces should connect and get both an IPv4 address and an IPv6 link-local address.
If you are not bonding, a default IPv4 route should have been added and connectivity should work. You should also be able to statically assign yourself an IP address in the range you specified for LAN, connect on that interface and the router should respond to ping.
Fixing Routes
One Connection Only
If you are not bonding, then you should already get a default IPv4 route, and we simply need to make it so that an appropriate IPv6 route is added when the PPP interface comes up.
Create a new file /etc/ppp/ipv6-up.d/set-route with the following:
 #!/bin/sh
 # $1 is the PPP interface name that pppd passes to ipv6-up scripts
 /sbin/ip -6 route add default dev $1
Then execute:
 chmod 0755 /etc/ppp/ipv6-up.d/set-route
 chmod +x /etc/ppp/ipv6-up.d/set-route
If you “ifdown” and “ifup” the interface, you should get an IPv6 default route now. You can check with “ip -6 route”.
Two (or more) Connections Bonded
If bonding, we need to enable the teql scheduler and set up some scripts to fix routing and bonding.
Enable the Scheduler
 modprobe sch_teql
 echo "sch_teql" >> /etc/modules
Fixing the Routing
Create a new file /etc/ppp/ip-up.d/fix-teql with the following contents (make sure to put in your IPv4 & first IPv6 address):
 #!/bin/bash
 # Loose reverse-path filtering on both PPP links: replies may arrive on a
 # different line from the one the packet left on.
 /sbin/sysctl -w net.ipv4.conf.pppoe-AA_1.rp_filter=2
 /sbin/sysctl -w net.ipv4.conf.pppoe-AA_2.rp_filter=2
 # Attach both PPP links to the teql0 virtual interface
 /sbin/tc qdisc add dev pppoe-AA_1 root teql0
 /sbin/tc qdisc add dev pppoe-AA_2 root teql0
 # Give teql0 your IPv4 address and the first address of your IPv6 block
 /sbin/ip address add YOUR_IPV4_ADDRESS/32 dev teql0
 /sbin/ip address add YOUR_FIRST_IPV6_ADDRESS/64 dev teql0
 /sbin/ip link set teql0 up
 # Make the bond the default route for both IPv4 and IPv6
 /sbin/ip route replace default scope global dev teql0
 /sbin/ip -6 route replace default scope global dev teql0
Then execute:
 chmod 0755 /etc/ppp/ip-up.d/fix-teql
 chmod +x /etc/ppp/ip-up.d/fix-teql
At this time, if your PPP connections are up from previous testing, you can manually run this script, and you should then get connectivity on both IPv4 & IPv6. You can also check “ip route” and “ip -6 route” and the teql0 device should be the default route for both.
Firewalling
You can use iptables to configure a firewall for your system and also to apply some features such as IPv4 NAT for LAN.
The rules are mostly taken from https://support.aa.net.uk/Router:Linux_-_Debian#Configuring_your_firewall and are commented so you can execute only what you need. Also remember to replace the device names as before (the PPP devices are already named correctly if you followed the guide).
IPv4 Rules
Note that implementing these rules wipes your existing IPv4 rules if you have any.
 # Wipe all existing rules
 iptables -t filter -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -t filter -X
 iptables -t nat -X
 iptables -t mangle -X
  
 # Accept everything from localhost
 iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
  
 # Accept all ICMP
 iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
  
 # Accept everything from LAN
 iptables -A INPUT -i DEV_LAN -m comment --comment "Accept all from the LAN" -j ACCEPT
  
 # Accept established connections from AAISP Line 1
 iptables -A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
  
 # Accept established connections from AAISP Line 2 (Bonding only)
 iptables -A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
  
 # Reject anything else (not really needed as we will change default policy to drop later)
 iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT --reject-with icmp-port-unreachable
  
 # AAISP Line 1 MSS Clamping
 iptables -A FORWARD -o pppoe-AA_1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
  
 # AAISP Line 2 MSS Clamping (Bonding only)
 iptables -A FORWARD -o pppoe-AA_2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
  
 # Allow traffic from LAN to AAISP Line 1
 iptables -A FORWARD -i DEV_LAN -o pppoe-AA_1 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
  
 # Allow traffic from LAN to AAISP Line 2 (Bonding only)
 iptables -A FORWARD -i DEV_LAN -o pppoe-AA_2 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
  
 # Allow traffic from LAN to teql0 Bond (Bonding only)
 iptables -A FORWARD -i DEV_LAN -o teql0 -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
  
 # Allow related traffic from AAISP Line 1 to LAN
 iptables -A FORWARD -i pppoe-AA_1 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
  
 # Allow related traffic from AAISP Line 2 to LAN (Bonding only)
 iptables -A FORWARD -i pppoe-AA_2 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
  
 # Allow traffic from LAN to AAISP Modem Stats 1
 iptables -A FORWARD -i DEV_LAN -o DEV_AA_WAN1_C -m comment --comment "Allow traffic from LAN -> Control" -j ACCEPT
  
 # Allow related traffic back from AAISP Modem Stats 1 to LAN
 iptables -A FORWARD -i DEV_AA_WAN1_C -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from Control -> LAN" -j ACCEPT
  
 # Allow traffic from LAN to AAISP Modem Stats 2 (Bonding only)
 iptables -A FORWARD -i DEV_LAN -o DEV_AA_WAN2_C -m comment --comment "Allow traffic from LAN -> Control" -j ACCEPT
  
 # Allow related traffic back from AAISP Modem Stats 2 to LAN (Bonding only)
 iptables -A FORWARD -i DEV_AA_WAN2_C -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from Control -> LAN" -j ACCEPT
  
 # Allow NAT on AAISP Line 1
 iptables -t nat -A POSTROUTING -o pppoe-AA_1 -m comment --comment NAT -j MASQUERADE
  
 # Allow NAT on AAISP Line 2 (Bonding only)
 iptables -t nat -A POSTROUTING -o pppoe-AA_2 -m comment --comment NAT -j MASQUERADE
  
 # Allow NAT on teql0 Bond (not sure this is necessary) (Bonding only)
 iptables -t nat -A POSTROUTING -o teql0 -m comment --comment NAT -j MASQUERADE
  
 # Allow NAT to get to AAISP Modem Stats Line 1
 iptables -t nat -A POSTROUTING -o DEV_AA_WAN1_C -m comment --comment NAT -j MASQUERADE
  
 # Allow NAT to get to AAISP Modem Stats Line 2 (Bonding only)
 iptables -t nat -A POSTROUTING -o DEV_AA_WAN2_C -m comment --comment NAT -j MASQUERADE
  
 # Default drop everything from outside
 iptables -P FORWARD DROP
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -t nat -P OUTPUT ACCEPT
 iptables -t nat -P PREROUTING ACCEPT
 iptables -t nat -P POSTROUTING ACCEPT
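As an added check (not part of the guide or of iptables), this Python script reads an iptables-save dump and flags departures from the properties the IPv4 ruleset above is meant to have: INPUT and FORWARD defaulting to DROP, PPP interfaces admitting only RELATED/ESTABLISHED traffic, and an MSS clamp on every PPP egress that FORWARD allows. The dump it reads is a constructed sample, and the pppoe- interface prefix is assumed from the guide's naming.

```python
"""Audit an iptables-save dump for the properties this guide's IPv4 ruleset is meant to
have: INPUT and FORWARD default to DROP, PPP interfaces admit only RELATED/ESTABLISHED
traffic, and every PPP egress used by FORWARD has an MSS clamp. Added example, not guide code."""
import shlex

# Constructed dump, not a real capture: INPUT policy is ACCEPT, pppoe-AA_2
# accepts new SSH connections and has no TCPMSS rule.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
-A INPUT -i DEV_LAN -m comment --comment "Accept all from the LAN" -j ACCEPT
-A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i pppoe-AA_2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o pppoe-AA_1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i DEV_LAN -o pppoe-AA_1 -j ACCEPT
-A FORWARD -i DEV_LAN -o pppoe-AA_2 -j ACCEPT
COMMIT
"""
WAN_PREFIX = "pppoe-"  # assumed from the guide's pppoe-AA_1 / pppoe-AA_2 naming

def parse_rule(line):
    """Map each option of one '-A ...' line to the list of arguments following it."""
    opts, key = {}, None
    for tok in shlex.split(line):
        if tok.startswith("-"):
            key = tok
            opts.setdefault(key, [])
        elif key is not None:
            opts[key].append(tok)
    return opts

def audit_filter_table(dump):
    """Return a sorted list of findings for the *filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A"):
            rules.append(parse_rule(line))
    findings = [f"{c}: default policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    clamped = {r["-o"][0] for r in rules if r.get("-j") == ["TCPMSS"] and "-o" in r}
    for r in (r for r in rules if r.get("-j") == ["ACCEPT"]):
        chain, i_in, i_out = r["-A"][0], r.get("-i", [""])[0], r.get("-o", [""])[0]
        states = r.get("--state", []) + r.get("--ctstate", [])  # state or conntrack match
        if chain == "INPUT" and i_in.startswith(WAN_PREFIX) and not any("ESTABLISHED" in s for s in states):
            findings.append(f"INPUT: accepts new connections from WAN {i_in}")
        if chain == "FORWARD" and i_out.startswith(WAN_PREFIX) and i_out not in clamped:
            findings.append(f"FORWARD: no TCPMSS clamp for traffic leaving {i_out}")
    return sorted(set(findings))
```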
IPv6 Rules
Note that implementing these rules wipes your existing IPv6 rules if you have any.
 # Wipe all existing rules
 ip6tables -F
 ip6tables -X
  
 # Accept everything from localhost
 ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
  
 # Accept all ICMP
 ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT
  
 # Accept everything from LAN
 ip6tables -A INPUT -i DEV_LAN -m comment --comment "Accept all from LAN" -j ACCEPT
  
 # Accept established connections from AAISP Line 1
 ip6tables -A INPUT -i pppoe-AA_1 -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
  
 # Accept established connections from AAISP Line 2 (Bonding only)
 ip6tables -A INPUT -i pppoe-AA_2 -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
  
 # Forward all ICMP
 ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT
  
 # Allow traffic from LAN to AAISP Line 1
 ip6tables -A FORWARD -i DEV_LAN -o pppoe-AA_1 -m comment --comment "Allow LAN -> internet" -j ACCEPT
  
 # Allow traffic from LAN to AAISP Line 2 (Bonding only)
 ip6tables -A FORWARD -i DEV_LAN -o pppoe-AA_2 -m comment --comment "Allow LAN -> internet" -j ACCEPT
  
 # Allow traffic from LAN to teql0 Bond (Bonding only)
 ip6tables -A FORWARD -i DEV_LAN -o teql0 -m comment --comment "Allow LAN -> internet" -j ACCEPT
  
 # Allow related traffic from AAISP Line 1 to LAN
 ip6tables -A FORWARD -i pppoe-AA_1 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
  
 # Allow related traffic from AAISP Line 2 to LAN (Bonding only)
 ip6tables -A FORWARD -i pppoe-AA_2 -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
  
 # Default drop everything from outside
 ip6tables -P FORWARD DROP
 ip6tables -P INPUT DROP
 ip6tables -P OUTPUT ACCEPT
Testing
You should now be able to statically assign a computer an address in your LAN subnet, connect it to the LAN port on this router, and have IPv4 connectivity to the internet. If you wish, you can also test IPv6 in this way by assigning an address from your block.
Final Steps
We now need to install iptables-persistent to save the rules across reboots:
apt-get install iptables-persistent
In the prompts, select that you wish to save the rules now. Note that if you change rules manually in the future you will need to issue the following commands to persist them (but note that they will also persist any rules added by things like UPnP):
 netfilter-persistent save
 netfilter-persistent reload
LAN Setup
This section deals with setting up services for your LAN network. We will cover the following:
- BIND (DNS Forwarder with Caching)
- DHCP
- DHCPv6
- RADVD
- UPnP
BIND (DNS)
BIND is relatively simple to set up this way. Firstly, install it:
apt-get install bind9
Now edit the file /etc/bind/named.conf.options and update it with the following. Note that you should replace 192.168.1.1 with the statically assigned IPv4 address on your LAN interface, and 2001:db8:b9:2041::1 with the statically assigned IPv6 address on your LAN.
 acl goodclients {
     192.168.1.0/24;
     localhost;
     localnets;
 };
  
 options {
     directory "/var/cache/bind";
  
     recursion yes;
     allow-query { goodclients; };
  
     # Feel free to add your own DNS servers here
     forwarders {
         8.8.8.8;
         8.8.4.4;
     };
  
     dnssec-enable yes;
     dnssec-validation yes;
     auth-nxdomain no;
  
     listen-on-v6 { 2001:db8:b9:2041::1; ::1; };
     listen-on { 192.168.1.1; 127.0.0.1; };
 };
Issue:
 systemctl enable bind9
 systemctl restart bind9
It should now be possible to issue DNS requests to the local system:
 root@ubuntu-router:/# dig +noauthority aaisp.net A @127.0.0.1
  
 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +noauthority aaisp.net A @127.0.0.1
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54288
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
  
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;aaisp.net.                     IN      A
  
 ;; ANSWER SECTION:
 aaisp.net.              3420    IN      A       81.187.30.81
  
 ;; Query time: 0 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Wed May 03 14:54:36 BST 2017
 ;; MSG SIZE  rcvd: 262
If you would like to force the local machine to use this caching server for lookups without changing /etc/network/interfaces to do so, and without otherwise interfering with resolvconf, you can do the following, although it is not the recommended method:
 echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
DHCP
DHCP is relatively easy to setup for IPv4 but is going to require some manual tweaks for IPv6 (listed in the next section).
Install the ISC DHCP Server:
apt-get install isc-dhcp-server
Edit /etc/default/isc-dhcp-server and edit INTERFACES to add your LAN interface:
 # Defaults for isc-dhcp-server initscript
 # sourced by /etc/init.d/isc-dhcp-server
 # installed at /etc/default/isc-dhcp-server by the maintainer scripts
 #
 # This is a POSIX shell fragment
 #
 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
 #DHCPD_CONF=/etc/dhcp/dhcpd.conf
 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
 #DHCPD_PID=/var/run/dhcpd.pid
 # Additional options to start dhcpd with.
 #       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
 #OPTIONS=""
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 #       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
 INTERFACES="DEV_LAN"
Now you can edit /etc/dhcp/dhcpd.conf and update it for your use. A sample config is shown below:
 ddns-update-style none;
 default-lease-time 600;
 max-lease-time 7200;
 log-facility local7;
  
 subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.50 192.168.1.200;
     option routers 192.168.1.1;
     option domain-name-servers 192.168.1.1;
     option broadcast-address 192.168.1.255;
 }
Once that’s done, you can issue the following:
 systemctl enable isc-dhcp-server
 systemctl restart isc-dhcp-server
This should give you working DHCP for IPv4 on your LAN.
DHCPv6
DHCPv6 is supported by isc-dhcp-server but requires us to make a new init script and change some configuration (credit: https://www.interlan.se/fix-isc-dhcp-server6-ubuntu-16-04/ ). I will assume you already did the DHCP setup mentioned previously.
Execute:
cp /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server6
Edit /etc/default/isc-dhcp-server6 and change the options as follows:
 # Defaults for isc-dhcp-server initscript
 # sourced by /etc/init.d/isc-dhcp-server
 # installed at /etc/default/isc-dhcp-server by the maintainer scripts
 #
 # This is a POSIX shell fragment
 #
 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
 DHCPD_CONF=/etc/dhcp/dhcpd6.conf
 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
 DHCPD_PID=/var/run/dhcpd6.pid
 # Additional options to start dhcpd with.
 #       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
 OPTIONS="-6"
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 #       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
 INTERFACES="DEV_LAN"
Edit /etc/dhcp/dhcpd6.conf and populate it with your /64 block and a suitable range. A sample config is:
 default-lease-time 2592000;
 preferred-lifetime 604800;
 option dhcp-renewal-time 3600;
 option dhcp-rebinding-time 7200;
 allow leasequery;
 option dhcp6.name-servers 2001:db8:b9:2041::1;
 option dhcp6.info-refresh-time 21600;
  
 subnet6 2001:db8:b9:2041::/64 {
     range6 2001:db8:b9:2041::100 2001:db8:b9:2041:ffff:ffff:ffff:ffff;
     range6 2001:db8:b9:2041::/64 temporary;
 }
Execute:
 cp /etc/init.d/isc-dhcp-server /etc/init.d/isc-dhcp-server6
 sed -i s/isc-dhcp-server/isc-dhcp-server6/ /etc/init.d/isc-dhcp-server6
 sed -i s/dhcpd.conf/dhcpd6.conf/ /etc/init.d/isc-dhcp-server6
 sed -i s/dhcpd.pid/dhcpd6.pid/ /etc/init.d/isc-dhcp-server6
 systemctl enable isc-dhcp-server6
 systemctl start isc-dhcp-server6
Clients should now get an IPv6 address via DHCPv6, although they may not, and even if they do, depending on the client OS, it may not work properly until you have set up RADVD as described in the next section.
RADVD
RADVD is very easy to set up with a simple config. Install it first:
apt-get install radvd
Then edit /etc/radvd.conf and update it with your interface and prefix, here is a sample config:
 interface DEV_LAN {
     AdvSendAdvert on;
     prefix 2001:db8:b9:2041::/64 {
         AdvOnLink on;
         AdvAutonomous on;
     };
 };
Once done, execute:
 systemctl enable radvd
 systemctl restart radvd
This should give your LAN clients IPv6 addresses and connectivity.
UPnP
Coming soon.
Bonus: Port based policy routing to a third WAN
Coming soon.