Networking: Difference between revisions

imported>Onny
Add IPv6 port forwarding example
m Configuration: link to related pages
 
(13 intermediate revisions by 8 users not shown)
Line 1: Line 1:
Networking config always goes in your system configuration.
Networking config always goes in your system configuration. This can be done declaratively as shown in the following sections or through non-declarative tools such as [[NetworkManager]].


== Configuration ==
== Configuration ==
=== Wireless networks ===
See [[wpa_supplicant]] / [[Iwd]].


=== Static IP for network adapter ===
=== Static IP for network adapter ===


The following example configures a static IPv6 address and a default gateway for the interface <code>ens3</code>
The following example configures a static IPv4 and IPv6 address and a default gateway for the interface <code>ens3</code>


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
networking = {
networking = {
   interfaces = {
   interfaces.ens3 = {
     ens3.ipv6.addresses = [{
     ipv6.addresses = [{
       address = "2a01:4f8:1c1b:16d0::";
       address = "2a01:4f8:1c1b:16d0::1";
       prefixLength = 64;
       prefixLength = 64;
     }];
     }];
    ipv4.addresses = [{
      address = "192.0.2.2";
      prefixLength = 24;
    }];
  };
  defaultGateway = {
    address = "192.0.2.1";
    interface = "ens3";
   };
   };
   defaultGateway6 = {
   defaultGateway6 = {
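Review bot: the IPv6 address in this example (`2a01:4f8:1c1b:16d0::1`) is a live provider prefix, while the IPv4 half of the same example was moved to the RFC 5737 documentation range (`192.0.2.2` / `192.0.2.1`) and the port-forwarding section further down already uses `2001:db8::`; switching this one to the RFC 3849 documentation prefix (for instance `2001:db8::1` with `prefixLength = 64`) keeps readers from pasting a real address into their config. Minor wording: the sentence above says "a default gateway" but the block sets both `defaultGateway` and `defaultGateway6`, so "default gateways for both address families" would match the code.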
Line 26: Line 38:
To edit <code>/etc/hosts</code> just add something like this to your <code>configuration.nix</code>:
To edit <code>/etc/hosts</code> just add something like this to your <code>configuration.nix</code>:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
networking.extraHosts = ''
networking.hosts = {
   127.0.0.2 other-localhost
   "127.0.0.2" = ["other-localhost"];
   10.0.0.1 server
   "192.0.2.1" = ["mail.example.com" "imap.example.com"];
'';
};
</syntaxhighlight>
</syntaxhighlight>
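Review bot: `"192.0.2.1"` in the new `networking.hosts` example is the same address the static-IP section assigns to the default gateway, so `mail.example.com` and `imap.example.com` now appear to resolve to the router; a different documentation address (say `192.0.2.10`) avoids that reading. The sentence above the block is unchanged and still says "add something like this" without noting the shape change: `networking.hosts` is an attribute set keyed by address with a list of names per address, unlike the free-form `/etc/hosts` text that `networking.extraHosts` took, and one sentence saying so would help anyone migrating an existing `extraHosts` block.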


Line 38: Line 50:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
networking = {
networking = {
  nftables = {
    enable = true;
    ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
          }
        }
    '';
  };
   firewall = {
   firewall = {
     enable = true;
     enable = true;
Line 65: Line 66:
     ];
     ];
   };
   };
};
  # Previous section is equivalent to :
</syntaxhighlight>
 
For IPv6 port forwarding, the example would look like this. Icoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.
 
<syntaxhighlight lang="nix">
networking = {
   nftables = {
   nftables = {
     enable = true;
     enable = true;
     ruleset = ''
     ruleset = ''
         table ip6 nat {
         table ip nat {
           chain PREROUTING {
           chain PREROUTING {
             type nat hook prerouting priority dstnat; policy accept;
             type nat hook prerouting priority dstnat; policy accept;
             iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
             iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
           }
           }
         }
         }
     '';
     '';
   };
   };
};
</syntaxhighlight>
For IPv6 port forwarding, the example would look like this. Incoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.
<syntaxhighlight lang="nix">
networking = {
   firewall = {
   firewall = {
     enable = true;
     enable = true;
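Review bot: the comment `# Previous section is equivalent to :` now sits at the very end of the IPv4 block, immediately before `</syntaxhighlight>`, with nothing after it, because the `nftables` ruleset was moved above the `firewall` block; either move the comment so it precedes the ruleset it refers to, or drop it. In the ruleset itself, `iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80` matches on interface and port only, so every port-80 packet arriving on ens3, including traffic not addressed to this host, is rewritten; the IPv6 variant below qualifies its rule with `ip6 daddr`, and adding the equivalent `ip daddr <this host's public address>` here would make the two consistent and the rule narrower. It is also worth saying that DNAT to another host only works with IP forwarding enabled, since the visible part of the snippet shows neither a forwarding sysctl nor `networking.nat`.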
Line 101: Line 103:
       }
       }
     ];
     ];
  };
  # Previous section is equivalent to :
  nftables = {
    enable = true;
    ruleset = ''
        table ip6 nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
          }
        }
    '';
   };
   };
};
};
</syntaxhighlight>
</syntaxhighlight>


= IPv6 =
== IPv6 ==


== Prefix delegation with fixed DUID ==
=== Prefix delegation with fixed DUID ===


Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
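Review bot: in `iifname "ens3" ip6 daddr [2001:db8::] tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80` the brackets around the `ip6 daddr` operand are the notation nft uses to separate an address from a port in a target such as `dnat to [addr]:port`; a plain match is normally written `ip6 daddr 2001:db8::`, so please run the ruleset through `nft -c -f` before publishing to confirm it parses. The DNAT target is also a link-local (`fe80::/10`) address, which is never routed beyond the directly attached link and needs a scope to be meaningful, so a global or ULA address of the backend is the more realistic choice for a forwarding example. The heading-level change (`= IPv6 =` to `== IPv6 ==`, with the prefix-delegation heading moved one level down) looks right.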
Line 146: Line 160:
'';
'';
</syntaxhighlight>
</syntaxhighlight>
=== IPv6-mostly ===
For IPv6 mostly networks the situation in Linux is a little bit dire.
A 464XLAT CLAT implementation on the client device has to be running.
For example run clatd:
<syntaxhighlight lang="nix">
{
  services.clatd.enable = true;
}
</syntaxhighlight>
Caveats:
* disable IPv4 manually for DHCPv4 clients that do not accept Option 108 (IPv6-Only Preferred Option)
* set NAT64 prefix manually, if client doesn't support RA/PREF64 (RFC 8781) or DNS64 (RFC 7050):
<syntaxhighlight lang="nix">
{
  services.clatd.settings = {
    plat-prefix = "64:ff9b::/96";
  };
}
</syntaxhighlight>
* clatd needs to be restarted, if the network has changed
Sources:
* https://labs.ripe.net/author/ondrej_caletka_1/deploying-ipv6-mostly-access-networks/
* https://ripe85.ripe.net/presentations/9-RIPE85-Deploying_IPv6_mostly.pdf
* https://github.com/systemd/systemd/issues/23674
* https://github.com/toreanderson/clatd
* https://gist.github.com/oskar456/d898bf2e11b642757800a5ccdc2415aa
* https://fosdem.org/2024/schedule/event/fosdem-2024-1798-improving-ipv6-only-experience-on-linux/
* https://nlnet.nl/project/IPv6-monostack/


== VLANs ==
== VLANs ==
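Review bot: the two caveats say what to do but not how on NixOS: "disable IPv4 manually for DHCPv4 clients that do not accept Option 108" and "clatd needs to be restarted, if the network has changed" would each benefit from naming the option or unit to touch, otherwise the reader is left to find it. "the situation in Linux is a little bit dire" is vague; stating the concrete gap (the network stack has no CLAT of its own, so a userspace daemon such as clatd must run) says the same thing precisely. Minor: `plat-prefix = "64:ff9b::/96"` is the well-known NAT64 prefix from RFC 6052, and a comment saying so would tell readers on a provider-specific prefix that this value must be replaced.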
Line 189: Line 236:
     };
     };
</syntaxhighlight>
</syntaxhighlight>
== Link aggregation ==
[https://en.wikipedia.org/wiki/Link_aggregation '''Link aggregation'''], also known as '''bonding''' or '''trunking''' is the combining of multiple network links in parallel. This guide focuses on creating a Link Aggregation Group ('''LAG''', '''bond''', or '''trunk''') using LACP (Link Aggregation Content Protocol).
{| class="wikitable"
|+Bonding modes
! Bonding mode !! Description !! Switch configuration
|-
| <code>balance-rr</code> || '''Default'''. Transmit packets round-robin. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>active-backup</code> || Recommended for fault tolerance when 802.3ad isn't available. Only one slave in the bond in active. If it fails, another one is picked to be active. || No configuration required on the switch.
|-
| <code>balance-xor</code> || Transmit packets based on the selected transmit hash policy. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>broadcast</code> || Transmit everything on all slave interfaces. || Requires static EtherChannel enabled, not LACP-negotiated.
|-
| <code>802.3ad</code> || '''Recommended'''. IEEE 802.3ad Dynamic link aggregation. Transmits packets based on the selected transmit hash policy. || Requires LACP-negotiated EtherChannel enabled. In simpler terms, dynamic LACP.
|-
| <code>balance-tlb</code> || Adaptive transmit load balancing || No configuration required on the switch.
|-
| <code>balance-alb</code> || Adaptive load balancing || No configuration required on the switch.
|}
{{Expansion|Missing info about bonds specific to Open vSwitch (OVS) like balance-slb and balance-tcp.}}
=== NetworkManager ===
{{Warning|This has not been fully tested. I'm not sure if all the properties are required.}}
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.networkmanager.ensureProfiles.profiles = {
    "Bond connection 1" = {
      bond = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
      connection = {
        id = "Bond connection 1";
        interface-name = "bond0"; # Make sure this matches the controller properties
        type = "bond";
      };
      ipv4 = {
        method = "auto";
      };
      ipv6 = {
        addr-gen-mode = "stable-privacy";
        method = "auto";
      };
      proxy = { };
    };
    # No more automatically generated "Wired connection 1"
    "bond0 port 1" = {
      connection = {
        id = "bond0 port 1";
        type = "ethernet";
        interface-name = "enp2s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
    "bond0 port 2" = {
      connection = {
        id = "bond0 port 2";
        type = "ethernet";
        interface-name = "enp3s0";
        controller = "bond0";
        port-type = "bond";
      };
    };
  };
</nowiki>}}
=== systemd-networkd and scripted networking ===
See [[Systemd/networkd#Bonding]] for more detailed configuration possibilities.
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
  networking.bonds = {
    bond0 = {
      interfaces = [ "enp2s0" "enp3s0" ];
      driverOptions = {
        miimon = "100"; # Monitor MII link every 100ms
        mode = "802.3ad";
        xmit_hash_policy = "layer3+4"; # IP and TCP/UDP hash
      };
    };
  };
</nowiki>}}
=== Teaming ===
Using the teaming driver provides more configuration capabilities since more descision-making is done in userspace <ref>https://github.com/jpirko/libteam/wiki/Bonding-vs.-Team-features</ref>.
{{Expansion|Missing information about teaming.}}
== References ==
<references />
[[Category:Networking]]
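Review bot: LACP expands to Link Aggregation Control Protocol, not "Content Protocol". Other wording in this hunk: "Only one slave in the bond in active" should read "is active", and "descision-making" is misspelled. Both bonding examples set `xmit_hash_policy = "layer3+4"` with the comment "IP and TCP/UDP hash", which is accurate, but the kernel bonding documentation notes that this policy is not fully 802.3ad compliant (a flow containing both fragmented and unfragmented packets can be striped across two links and arrive out of order), so a one-line caveat next to `mode = "802.3ad"` would save surprises; `layer2+3` is the conservative alternative. The NetworkManager section still carries the "not fully tested" warning; checking the result with `nmcli connection show "Bond connection 1"` on a host with both ports attached would let that warning be dropped or made specific.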