Official NixOS Wiki

Networking: Difference between revisions

← Older edit
VisualWikitext
Onny (talk | contribs)
285 edits
Static IP for network adapter: Change example IPs to recommended IP addresses used in documentation
Yuannan (talk | contribs)
5 edits
 
(9 intermediate revisions by 5 users not shown)
Line 2: Line 2:


== Configuration ==
== Configuration ==
=== Wireless networks ===
See [[wpa_supplicant]] / [[Iwd]].


=== Static IP for network adapter ===
=== Static IP for network adapter ===
Line 46: Line 50:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
networking = {
networking = {
  nftables = {
    enable = true;
    ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
          }
        }
    '';
  };
   firewall = {
   firewall = {
     enable = true;
     enable = true;
Line 73: Line 66:
     ];
     ];
   };
   };
};
  # Previous section is equivalent to :
</syntaxhighlight>
 
For IPv6 port forwarding, the example would look like this. Icoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.
 
<syntaxhighlight lang="nix">
networking = {
   nftables = {
   nftables = {
     enable = true;
     enable = true;
     ruleset = ''
     ruleset = ''
         table ip6 nat {
         table ip nat {
           chain PREROUTING {
           chain PREROUTING {
             type nat hook prerouting priority dstnat; policy accept;
             type nat hook prerouting priority dstnat; policy accept;
             iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
             iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
           }
           }
         }
         }
     '';
     '';
   };
   };
};
</syntaxhighlight>
For IPv6 port forwarding, the example would look like this. Incoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.
<syntaxhighlight lang="nix">
networking = {
   firewall = {
   firewall = {
     enable = true;
     enable = true;
Line 109: Line 103:
       }
       }
     ];
     ];
  };
  # Previous section is equivalent to :
  nftables = {
    enable = true;
    ruleset = ''
        table ip6 nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
          }
        }
    '';
   };
   };
};
};
</syntaxhighlight>
</syntaxhighlight>


= IPv6 =
=== Virtualization ===
Sometimes complex network configurations with VPNs or firewall rules you may need extra configurations in order for your VMs to have network access. It is recommended to use more granular control over the ports instead of simply allowing the entire interface.<syntaxhighlight lang="nix">networking = {
  firewall = {
    enable = true;
   
    # Allows the entire interface through the firewall.
    # trustedInterfaces = [
    #  "virbr0"
    # ];
 
    # Allows individual ports through the firewall.
    interfaces = {
      virbr0 = {
        allowedUDPPorts = [
          # DNS
          53
          # DHCP
          67
          # You may want to allow more ports such as ipv6 and other services here.
        ];
      };
    };
  };
  nat = {
    enable = true;
 
    internalInterfaces = [
      "virbr0"
    ];
  };
};</syntaxhighlight>
 
== IPv6 ==


== Prefix delegation with fixed DUID ==
=== Prefix delegation with fixed DUID ===


Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
Line 155: Line 193:
</syntaxhighlight>
</syntaxhighlight>


= VLANs =
=== IPv6-mostly ===
 
For IPv6 mostly networks the situation in Linux is a little bit dire.
A 464XLAT CLAT implementation on the client device has to be running.
 
For example run clatd:
<syntaxhighlight lang="nix">
{
  services.clatd.enable = true;
}
</syntaxhighlight>
 
Caveats:
* disable IPv4 manually for DHCPv4 clients that do not accept Option 108 (IPv6-Only Preferred Option)
* set NAT64 prefix manually, if client doesn't support RA/PREF64 (RFC 8781) or DNS64 (RFC 7050):
<syntaxhighlight lang="nix">
{
  services.clatd.settings = {
    plat-prefix = "64:ff9b::/96";
  };
}
</syntaxhighlight>
* clatd needs to be restarted, if the network has changed
 
Sources:
* https://labs.ripe.net/author/ondrej_caletka_1/deploying-ipv6-mostly-access-networks/
* https://ripe85.ripe.net/presentations/9-RIPE85-Deploying_IPv6_mostly.pdf
* https://github.com/systemd/systemd/issues/23674
* https://github.com/toreanderson/clatd
* https://gist.github.com/oskar456/d898bf2e11b642757800a5ccdc2415aa
* https://fosdem.org/2024/schedule/event/fosdem-2024-1798-improving-ipv6-only-experience-on-linux/
* https://nlnet.nl/project/IPv6-monostack/
 
== VLANs ==


Refer to [https://nixos.org/manual/nixos/stable/options.html#opt-networking.vlans {{ic|networking.vlans}} in the manual].
Refer to [https://nixos.org/manual/nixos/stable/options.html#opt-networking.vlans {{ic|networking.vlans}} in the manual].
Line 197: Line 268:
     };
     };
</syntaxhighlight>
</syntaxhighlight>
== Link aggregation ==
[https://en.wikipedia.org/wiki/Link_aggregation '''Link aggregation'''], also known as '''bonding''' or '''trunking''' is the combining of multiple network links in parallel. This guide focuses on creating a Link Aggregation Group ('''LAG''', '''bond''', or '''trunk''') using LACP (Link Aggregation Content Protocol).
{| class="wikitable"
|+Bonding modes
! Bonding mode !! Description !! Switch configuration
|-
| <code>balance-rr</code> || '''Default'''. Transmit packets round-robin. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>active-backup</code> || Recommended for fault tolerance when 802.3ad isn't available. Only one slave in the bond in active. If it fails, another one is picked to be active. || No configuration required on the switch.
|-
| <code>balance-xor</code> || Transmit packets based on the selected transmit hash policy. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>broadcast</code> || Transmit everything on all slave interfaces. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>802.3ad</code> || '''Recommended'''. IEEE 802.3ad Dynamic link aggregation. Transmits packets based on the selected transmit hash policy. || Requires LACP-negotiated EtherChannel enabled. In simpler terms, dynamic LACP.
|-
| <code>balance-tlb</code> || Adaptive transmit load balancing || No configuration required on the switch.
|-
| <code>balance-alb</code> || Adaptive load balancing || No configuration required on the switch.
|}
{{Expansion|Missing info about bonds specific to Open vSwitch (OVS) like balance-slb and balance-tcp.}}
=== NetworkManager ===
{{Warning|This has not been fully tested. I'm not sure if all the properties are required.}}
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.networkmanager.ensureProfiles.profiles = {
    "Bond connection 1" = {
      bond = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
      connection = {
        id = "Bond connection 1";
        interface-name = "bond0"; # Make sure this matches the controller properties
        type = "bond";
      };
      ipv4 = {
        method = "auto";
      };
      ipv6 = {
        addr-gen-mode = "stable-privacy";
        method = "auto";
      };
      proxy = { };
    };
    # No more automatically generated "Wired connection 1"
    "bond0 port 1" = {
      connection = {
        id = "bond0 port 1";
        type = "ethernet";
        interface-name = "enp2s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
    "bond0 port 2" = {
      connection = {
        id = "bond0 port 2";
        type = "ethernet";
        interface-name = "enp3s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
  };
</nowiki>}}
=== systemd-networkd and scripted networking ===
See [[Systemd/networkd#Bonding]] for more detailed configuration possibilities.
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.bonds = {
    bond0 = {
      interfaces = [ "enp2s0" "enp3s0" ];
      driverOptions = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
    };
  };
</nowiki>}}
=== Teaming ===
Using the teaming driver provides more configuration capabilities since more descision-making is done in userspace <ref>https://github.com/jpirko/libteam/wiki/Bonding-vs.-Team-features</ref>.
{{Expansion|Missing information about teaming.}}
== References ==
<references />


[[Category:Networking]]
[[Category:Networking]]
Retrieved from "https://wiki.nixos.org/wiki/Networking"