NixOS Wiki

Networking: Difference between revisions

← Older edit
VisualWikitext
imported>Fadenb
m Configuration: link to related pages
 
(27 intermediate revisions by 16 users not shown)
Line 1: Line 1:
This site provides snippets for configuring your network ''just right'' for the use case you are looking for. All configuration is for <code>configuration.nix</code>
Networking config always goes in your system configuration. This can be done declaratively as shown in the following sections or through non-declarative tools such as [[NetworkManager]].


= IPv6 =
== Configuration ==


== Prefix delegation with fixed DUID ==
=== Wireless networks ===


Sometimes the hosting provider manages ipv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
See [[wpa_supplicant]] / [[Iwd]].
 
=== Static IP for network adapter ===
 
The following example configures a static IPv4 and IPv6 address and a default gateway for the interface <code>ens3</code>
 
<syntaxhighlight lang="nix">
networking = {
  interfaces.ens3 = {
    ipv6.addresses = [{
      address = "2a01:4f8:1c1b:16d0::1";
      prefixLength = 64;
    }];
    ipv4.addresses = [{
      address = "192.0.2.2";
      prefixLength = 24;
    }];
  };
  defaultGateway = {
    address = "192.0.2.1";
    interface = "ens3";
  };
  defaultGateway6 = {
    address = "fe80::1";
    interface = "ens3";
  };
};
</syntaxhighlight>
 
=== Hosts file ===
 
To edit <code>/etc/hosts</code> just add something like this to your <code>configuration.nix</code>:
<syntaxhighlight lang="nix">
networking.hosts = {
  "127.0.0.2" = ["other-localhost"];
  "192.0.2.1" = ["mail.example.com" "imap.example.com"];
};
</syntaxhighlight>
 
=== Port forwarding ===
 
In this example we're going to forward the port <code>80</code> via NAT from our internal network interface <code>ens3</code> to the host <code>10.100.0.3</code> on our external interface <code>wg0</code>.
 
<syntaxhighlight lang="nix">
networking = {
  firewall = {
    enable = true;
    allowedTCPPorts = [ 80 ];
  };
  nat = {
    enable = true;
    internalInterfaces = [ "ens3" ];
    externalInterface = "wg0";
    forwardPorts = [
      {
        sourcePort = 80;
        proto = "tcp";
        destination = "10.100.0.3:80";
      }
    ];
  };
  # Previous section is equivalent to :
  nftables = {
    enable = true;
    ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
          }
        }
    '';
  };
};
</syntaxhighlight>
 
For IPv6 port forwarding, the example would look like this. Incoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.
 
<syntaxhighlight lang="nix">
networking = {
  firewall = {
    enable = true;
    allowedTCPPorts = [ 80 ];
  };
  nat = {
    enable = true;
    internalInterfaces = [ "ens3" ];
    externalInterface = "wg0";
    enableIPv6 = true;
    internalIPv6s = [ "2001:db8::/64" ];
    externalIPv6 = "fe80::1234:5678:9abc:def0";
    forwardPorts = [
      {
        sourcePort = 80;
        proto = "tcp";
        destination = "fe80::1234:5678:9abc:def0]:80";
      }
    ];
  };
  # Previous section is equivalent to :
  nftables = {
    enable = true;
    ruleset = ''
        table ip6 nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
          }
        }
    '';
  };
};
</syntaxhighlight>
 
== IPv6 ==
 
=== Prefix delegation with fixed DUID ===
 
Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
Line 35: Line 153:
</syntaxhighlight>
</syntaxhighlight>
Source: [https://gist.github.com/gleber/9429ea43e6beb114250c3529b5c9d522 gleber gist for online.net IPv6 config in NixOS]
Source: [https://gist.github.com/gleber/9429ea43e6beb114250c3529b5c9d522 gleber gist for online.net IPv6 config in NixOS]
Note: Recent versions of dhcpcd move the duid file to /var/db/dcpcd/duid. For that to work, you have to replace the above environment.etc line with something like:
<syntaxhighlight lang="nix">
systemd.services.dhcpcd.preStart = ''
  cp ${pkgs.writeText "duid" "<ID>"} /var/db/dhcpcd/duid
'';
</syntaxhighlight>
=== IPv6-mostly ===
For IPv6 mostly networks the situation in Linux is a little bit dire.
A 464XLAT CLAT implementation on the client device has to be running.
For example run clatd:
<syntaxhighlight lang="nix">
{
  services.clatd.enable = true;
}
</syntaxhighlight>
Caveats:
* disable IPv4 manually for DHCPv4 clients that do not accept Option 108 (IPv6-Only Preferred Option)
* set NAT64 prefix manually, if client doesn't support RA/PREF64 (RFC 8781) or DNS64 (RFC 7050):
<syntaxhighlight lang="nix">
{
  services.clatd.settings = {
    plat-prefix = "64:ff9b::/96";
  };
}
</syntaxhighlight>
* clatd needs to be restarted, if the network has changed
Sources:
* https://labs.ripe.net/author/ondrej_caletka_1/deploying-ipv6-mostly-access-networks/
* https://ripe85.ripe.net/presentations/9-RIPE85-Deploying_IPv6_mostly.pdf
* https://github.com/systemd/systemd/issues/23674
* https://github.com/toreanderson/clatd
* https://gist.github.com/oskar456/d898bf2e11b642757800a5ccdc2415aa
* https://fosdem.org/2024/schedule/event/fosdem-2024-1798-improving-ipv6-only-experience-on-linux/
* https://nlnet.nl/project/IPv6-monostack/
== VLANs ==
Refer to [https://nixos.org/manual/nixos/stable/options.html#opt-networking.vlans {{ic|networking.vlans}} in the manual].
Below is a complete networking example showing two interfaces, one with VLAN trunk tagging and one without.
{{ic|enp2s1}} is a normal network interface at {{ic|192.168.1.2}} with no VLAN information.
{{ic|enp2s0}} is the virtual LAN trunk with two tagged VLANs, {{ic|vlan100}} and {{ic|vlan101}}.
{{ic|vlan100}} is in the {{ic|10.1.1.X}} network and {{ic|vlan101}} is in the {{ic|10.10.10.X}} network.
The {{ic|hostID}} should be unique among your machines, [https://nixos.org/manual/nixos/stable/options.html#opt-networking.hostId as mentioned in the manual].
Complete networking section example:
<syntaxhighlight lang="nix">
    networking = {
      hostId = "deadb33f";
      hostName = "nixos";
      domain = "example.com";
      dhcpcd.enable = false;
      interfaces.enp2s1.ipv4.addresses = [{
        address = "192.168.1.2";
        prefixLength = 28;
      }];
      vlans = {
        vlan100 = { id=100; interface="enp2s0"; };
        vlan101 = { id=101; interface="enp2s0"; };
      };
      interfaces.vlan100.ipv4.addresses = [{
        address = "10.1.1.2";
        prefixLength = 24;
      }];
      interfaces.vlan101.ipv4.addresses = [{
        address = "10.10.10.3";
        prefixLength = 24;
      }];
      defaultGateway = "192.168.1.1";
      nameservers = [ "1.1.1.1" "8.8.8.8" ];
    };
</syntaxhighlight>
== Link aggregation ==
[https://en.wikipedia.org/wiki/Link_aggregation '''Link aggregation'''], also known as '''bonding''' or '''trunking''' is the combining of multiple network links in parallel. This guide focuses on creating a Link Aggregation Group ('''LAG''', '''bond''', or '''trunk''') using LACP (Link Aggregation Content Protocol).
{| class="wikitable"
|+Bonding modes
! Bonding mode !! Description !! Switch configuration
|-
| <code>balance-rr</code> || '''Default'''. Transmit packets round-robin. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>active-backup</code> || Recommended for fault tolerance when 802.3ad isn't available. Only one slave in the bond in active. If it fails, another one is picked to be active. || No configuration required on the switch.
|-
| <code>balance-xor</code> || Transmit packets based on the selected transmit hash policy. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>broadcast</code> || Transmit everything on all slave interfaces. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>802.3ad</code> || '''Recommended'''. IEEE 802.3ad Dynamic link aggregation. Transmits packets based on the selected transmit hash policy. || Requires LACP-negotiated EtherChannel enabled. In simpler terms, dynamic LACP.
|-
| <code>balance-tlb</code> || Adaptive transmit load balancing || No configuration required on the switch.
|-
| <code>balance-alb</code> || Adaptive load balancing || No configuration required on the switch.
|}
{{Expansion|Missing info about bonds specific to Open vSwitch (OVS) like balance-slb and balance-tcp.}}
=== NetworkManager ===
{{Warning|This has not been fully tested. I'm not sure if all the properties are required.}}
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.networkmanager.ensureProfiles.profiles = {
    "Bond connection 1" = {
      bond = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
      connection = {
        id = "Bond connection 1";
        interface-name = "bond0"; # Make sure this matches the controller properties
        type = "bond";
      };
      ipv4 = {
        method = "auto";
      };
      ipv6 = {
        addr-gen-mode = "stable-privacy";
        method = "auto";
      };
      proxy = { };
    };
    # No more automatically generated "Wired connection 1"
    "bond0 port 1" = {
      connection = {
        id = "bond0 port 1";
        type = "ethernet";
        interface-name = "enp2s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
    "bond0 port 2" = {
      connection = {
        id = "bond0 port 2";
        type = "ethernet";
        interface-name = "enp3s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
  };
</nowiki>}}
=== systemd-networkd and scripted networking ===
See [[Systemd/networkd#Bonding]] for more detailed configuration possibilities.
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.bonds = {
    bond0 = {
      interfaces = [ "enp2s0" "enp3s0" ];
      driverOptions = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
    };
  };
</nowiki>}}
=== Teaming ===
Using the teaming driver provides more configuration capabilities since more descision-making is done in userspace <ref>https://github.com/jpirko/libteam/wiki/Bonding-vs.-Team-features</ref>.
{{Expansion|Missing information about teaming.}}
== References ==
<references />
[[Category:Networking]]
Retrieved from "https://wiki.nixos.org/wiki/Networking"