If you have followed sequentially previous SOHO articles, you should have now a strong vanilla base in order to develop you home office network or you home network.
Requirement- Basic Linux/Unix knowledge
- Service provider networking knowledge
| |
Overview
In the previous article we enabled and checked IPv4 connectivity between RARE/freeRouter and ISP box using sdn1 interface within 192.168.0.0/24 network. But as stated in the previous post, I'd like:
- all people connected within 192.168.128.0/17
- to access the external world.
First step, let's:
- create an interface Loopback0 within 192.168.128.0/17, let's say 192.168.254.1/32
- and try to ping 8.8.8.8
At the present time, it seems that no one is able to reach outside world.
Article objective
In this article we will pursue the SOHO network appliance installation and enable IPv4 connectivity for all host connected within your internal network to the external world.
Diagrams
[ #003 ] - RARE/freeRouter DPDK SOHO installation
| Expand |
|---|
| title | Create router loopback in VRF inet |
|---|
|
First step, let's create an interface Loopback0 within 192.168.128.0/17, let's say 192.168.254.1/32 | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| sh run loopback0
interface loopback0
no description
vrf forwarding inet
ipv4 address 192.168.254.1 255.255.255.255
no shutdown
no log-link-change
exit
! |
|
| Expand |
|---|
|
First step, let's try to ping 8.8.8.8 | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| ping 8.8.8.8 /vrf inet /interface lo0
pinging 8.8.8.8, src=192.168.254.1, vrf=inet, cnt=5, len=64, tim=1000, ttl=255, tos=0, sweep=false
.....
result=0%, recv/sent/lost=0/5/5, rtt min/avg/max/total=10000/0/0/5003 |
Hey ! It seems that it's not working as expected ! At the present time, it seems that no one is able to reach outside world. Let's try to figure out why. | Tip |
|---|
| - It is a common best practice to dedicate a loopback to a router in a VRF
- Loopback are mostly used to identify a service proposed by the router
- Each services are bound to this Loopback in a specific VRF
|
|
| Expand |
|---|
| title | First troubleshooting action |
|---|
|
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | traceroute 8.8.8.8 using looback0 as source address |
|---|
| traceroute 8.8.8.8 /vrf inet /interface lo0
tracing 8.8.8.8, src=192.168.254.1, vrf=inet, prt=0/33440, tim=1000, tos=0, len=64
1 192.168.254.1 time=0
2 null time=1000
3 null time=1000
4 null time=1000
5 null time=1000
6 null time=1000
7 null time=1000
8 null time=1000
9 null time=1000
10 null time=1000 |
This confirms the ping failures we observed previously. The output above indicate the packet does not even egress our SOHO router. What is the inet VRF says ? | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | routes inside VRF inet |
|---|
| show ipv4 route inet
typ prefix metric iface hop time
C 192.168.0.0/24 0/0 sdn1 null 14:30:07
LOC 192.168.0.90/32 0/1 sdn1 null 14:30:07
C 192.168.128.0/24 0/0 sdn999 null 14:30:13
LOC 192.168.128.1/32 0/1 sdn999 null 14:30:13
C 192.168.254.1/32 0/0 loopback0 null 14:30:15 |
So we have no default routes . Let's configure one then pointing towards ISP BOX gateway: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | Default route configuration |
|---|
| conf t
ipv4 route inet 0.0.0.0 0.0.0.0 192.168.0.254 |
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | routes inside VRF inet |
|---|
| show ipv4 route inet
typ prefix metric iface hop time
S 0.0.0.0/0 1/0 sdn1 192.168.0.254 14:30:07
C 192.168.0.0/24 0/0 sdn1 null 14:30:07
LOC 192.168.0.90/32 0/1 sdn1 null 14:30:07
C 192.168.128.0/24 0/0 sdn999 null 14:30:13
LOC 192.168.128.1/32 0/1 sdn999 null 14:30:13
C 192.168.254.1/32 0/0 loopback0 null 14:30:15 |
So at that point, packet send to 8.8.8.8 are sent to nexthop 192.168.0.254 via sdn1. | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| ping 8.8.8.8 /vrf inet /interface lo0
pinging 8.8.8.8, src=192.168.254.1, vrf=inet, cnt=5, len=64, tim=1000, ttl=255, tos=0, sweep=false
.....
result=0%, recv/sent/lost=0/5/5, rtt min/avg/max/total=10000/0/0/5003 |
But ping is still not not working. Let's figure out what's going on here. |
| Expand |
|---|
| title | Netwroking environment assumption |
|---|
|
As depicted in previous article: - ISP box has a demarcation point set to 192.168.0.254
- So ISP box at some point is configured to perform Network Address Translation from 192.168.0.0/24 → ISP public IPv4 interface
- When ISP box receives a ICMP ping from 192.168.254.1 which does not match any ISP box NAT rules → Packet is discarded
Therefore in order to have a working seamless networking environment from the ISP box point of view, traffic coming from 192.168.128.0/17 might need to be NAT(ed) into 192.168.0.0/24 network. Let's see If our guess is right. |
| Expand |
|---|
|
Let's configure IPv4 Network Address Translation specifically for Loopback0 | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| !
conf t
access-list ACL-NAT4
sequence 10 deny all 192.168.128.0 255.255.128.0 all 192.168.128.0 255.255.128.0 all
sequence 20 deny all any all 224.0.0.0 240.0.0.0 all
permit all 192.168.254.1 255.255.255.255 all any all
exit
!
ipv4 nat inet sequence 10 srclist ACL-NAT4 interface sdn1
! |
In the config stanza above we configure an access-list called ACL-NAT4 in VRF inet that would translate all incoming packet matching 192.168.254.1 going to anywhere to interface sdn1 IPv4. But we also don't NAT for inter-vlan traffic within 192.168.128.0/17 and also does not touch multicast traffic. | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| ping 8.8.8.8 /vrf inet /interface sdn1
pinging 8.8.8.8, src=192.168.0.90, vrf=inet, cnt=5, len=64, tim=1000, ttl=255, tos=0, sweep=false
!!!!!
result=100%, recv/sent/lost=5/5/0, rtt min/avg/max/total=3/3/4/16 |
Yahhoooo ! It works ... Our guess was good after all...  |
| Expand |
|---|
| title | Final NAT configuration and subnetting assumptions |
|---|
|
For the future we assume that the home network is subnetted as follow and are all inside VRF inet: - appliance port#1 @ sdn1: 192.168.0.0/24 (ISP subnet)
- appliance port#2 @ sdn2: 192.168.130.0/24
- appliance port#3 @ sdn3: 192.168.133.0/24
- appliance port#4 @ sdn4: 192.168.134.0/24 (unused)
- appliance port#5 @ sdn5: 192.168.135.0/24
- appliance port#6 @ sdn6: 192.168.136.0/24
- appliance integrated wifi @ sdn998: 192.168.129.0/24
- appliance loopback inet @ loopback0: 192.168.129.0/24
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| !
conf t
access-list ACL-NAT4
sequence 10 deny all 192.168.128.0 255.255.128.0 all 192.168.128.0 255.255.128.0 all
sequence 20 deny all any all 224.0.0.0 240.0.0.0 all
sequence 30 permit all 192.168.128.0 255.255.255.0 all any all
sequence 40 permit all 192.168.129.0 255.255.255.0 all any all
sequence 50 permit all 192.168.130.0 255.255.255.0 all any all
sequence 60 permit all 192.168.133.0 255.255.255.0 all any all
sequence 70 permit all 192.168.135.0 255.255.255.0 all any all
sequence 80 permit all 192.168.136.0 255.255.255.0 all any all
sequence 90 permit all 192.168.254.1 255.255.255.255 all any all
exit
!
ipv4 nat inet sequence 10 srclist ACL-NAT4 interface sdn1
! |
In the config stanza above we configure an access-list called ACL-NAT4 in VRF inet that would translate all incoming packet matching 192.168.[128|129|130|133|135|136|254].0/24 going to anywhere. | Tip |
|---|
| Each time you modify ACL-NAT4 you will need to re-apply the NAT calls: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 |
|---|
| !
conf t
! modify access-list ACL-NAT4
!
no ipv4 nat inet sequence 10 srclist ACL-NAT4 interface sdn1
ipv4 nat inet sequence 10 srclist ACL-NAT4 interface sdn1
! |
Also notice that we are NAT(ing), 192.168.128.0/24 which is the OOBM subnet of the Linux appliance itself. This is needed during Debian system update/upgrade operation and also needed during the auto-upgrade feature that I'll describe in a next article. |
|
| Note |
|---|
IPv6 does need NAT in my specific case as my ISP has allocated me public IPv6 prefixes. We will see IPv6 configuration in the next articles. |
Verification
| Expand |
|---|
| title | Available NAT command verification |
|---|
|
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | NAT show commands |
|---|
| !
show ipv4 nat ?
<vrf> - name of routing table
!
show ipv4 nat inet ?
statistics - list of configuration entries
translations - list of translation entries
! |
|
| Expand |
|---|
| title | Trigger NAT traffic translation |
|---|
|
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | ping 8.8.8.8 in order to trigger NAT translation |
|---|
| ping 8.8.8.8 /vrf inet /interface lo0
pinging 8.8.8.8, src=192.168.254.1, vrf=inet, cnt=5, len=64, tim=1000, ttl=255, tos=0, sweep=false
!!!!!
result=100%, recv/sent/lost=5/5/0, rtt min/avg/max/total=2/3/4/16 |
|
| Expand |
|---|
| title | Check NAT translation |
|---|
|
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | NAT translation verification |
|---|
| mjolnir#show ipv4 nat inet translations | i 192.168.254.1
1 8.8.8.8 4392 192.168.0.90 4392 8.8.8.8 4392 192.168.254.1 4392 00:00:01 00:00:01 00:05:00 1 64
1 192.168.254.1 4392 8.8.8.8 4392 192.168.0.90 4392 8.8.8.8 4392 00:00:01 00:00:01 00:05:00 1 64
1 8.8.8.8 4393 192.168.0.90 4393 8.8.8.8 4393 192.168.254.1 4393 00:00:01 00:00:01 00:05:00 1 64
1 192.168.254.1 4393 8.8.8.8 4393 192.168.0.90 4393 8.8.8.8 4393 00:00:01 00:00:01 00:05:00 1 64
1 8.8.8.8 4394 192.168.0.90 4394 8.8.8.8 4394 192.168.254.1 4394 00:00:01 00:00:01 00:05:00 1 64
1 192.168.254.1 4394 8.8.8.8 4394 192.168.0.90 4394 8.8.8.8 4394 00:00:01 00:00:01 00:05:00 1 64
1 8.8.8.8 4395 192.168.0.90 4395 8.8.8.8 4395 192.168.254.1 4395 00:00:01 00:00:01 00:05:00 1 64
1 192.168.254.1 4395 8.8.8.8 4395 192.168.0.90 4395 8.8.8.8 4395 00:00:01 00:00:01 00:05:00 1 64
1 8.8.8.8 4396 192.168.0.90 4396 8.8.8.8 4396 192.168.254.1 4396 00:00:01 00:00:01 00:05:00 1 64
1 192.168.254.1 4396 8.8.8.8 4396 192.168.0.90 4396 8.8.8.8 4396 00:00:01 00:00:01 00:05:00 1 64 |
|
Conclusion
In this article
- We finally have a router that enables connectivity for all hosts inside the home network to the outside world
- due to the ISP specific setup, our router had to translate inner home IP subnets to subnet that can be in turn NAT'ed by the ISP box.
- We have a consistent IPv4 addressing plan
- We now can add very exciting feature from now on. (In next articles !)
| Tip |
|---|
| title | RARE validated design: [ SOHO #004 ] - key take-away |
|---|
|
In this example we are proposing a basic connectivity scenario. However, keep in mind that depending on your location the configuration might be drastically different. But do not fear ! RARE/freeRouter has all the features need to enable connectivity ! - NAT64 is available. So in case you want to run a pure IPv6 network, freeRouter can NAT64 traffif for you.
- NAT46 is also available. In case you are desperate and don't want to implement a pure IPv6 home network and have an ISP running only IPv6, freeRouter can NAT46 your traffic for you !
- In the example described, we are lucky to have IPv6 public global IPv6 address. We will see IPv6 configuration in subsequent articles.
|
