[systemd-devel] How to set up virtual network interface cards (NIC) with systemd-networkd "The Right Way (tm)"?

Susant Sahani ssahani at gmail.com
Sat May 11 03:05:59 UTC 2019


Real quick look at the conf. Multiple addresses should be moved to
[Address] sections, else they will overwrite.

[Network]
IPForward=yes

[Address]
Address=192.168.1.98/24

[Address]
Address=192.168.2.98/24

Susant

On Thu, May 2, 2019 at 1:25 AM M. Buecher <maddes+systemd at maddes.net> wrote:
>
> Dear all,
>
> I read multiple articles on the internet about virtual interfaces via
> systemd-networkd, but most articles just list the config files and do not
> explain why they did something this or that way.
> Most are using MACVLAN netdevs but I couldn't get them working
> correctly, although the ip addresses were available on the interfaces.
> In the docs, FAQ and mailing list I couldn't find anything related to
> it.
> I'm ok with most network topics, but unfortunately I'm not a network
> admin/expert, so please bear with me.
>
>
> * Goal
> A new mini pc shall become the gateway between all internal IP networks,
> DHCP server for the main internal IP network and the internal DNS server
> plus provide some additional DNS server instances for special cases.
> For the DNS server scenario multiple additional virtual network
> interfaces are needed on the real network interface card (NIC) with
> systemd-networkd.
> IP addresses on the real and virtual interfaces shall be reachable from
> other machines and from all real/virtual interfaces on the mini pc
> itself.
> Linux System is Debian GNU/Linux 9.9 (stretch) with kernel
> 4.9.0-3/4.9.30-2+deb9u5 and systemd 232 +PAM +AUDIT +SELINUX +IMA
> +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ
> +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
> The old "networking.service" (/etc/network/interface*) is disabled and
> "systemd-networkd.service" enabled.
>
> In the first step the solution shall be implemented in a pure IPv4
> scenario with no firewall on the mini pc itself, later in a dual stack
> scenario plus ip[6]tables firewall.
>
> The real NIC is named "ens192" and the virtual interfaces are named
> "dnsextra01" and "dnsextra02".
> IPv4 LAN #1 is 192.168.1.0/24 with default gateway 192.168.1.254 (via
> router device) to internet plus gateway 192.168.1.50 (mini pc) to IPv4
> LAN #2.
> IPv4 LAN #2 is 192.168.2.0/24 with gateway plus dns 192.168.2.1 (mini
> pc).
>
>
> * Detailed feature list
> a) "ens192" has the main IPv4 LAN #1 with 192.168.1.50/24 and secondary
> IPv4 LAN #2 with 192.168.2.1/24.
> For IPv4 LAN #2 it is also the gateway to IPv4 LAN #1 and the internet.
> It provides the main DNS server instance for both IPv4 LANs.
>
> b) "dnsextra01" (.98) has the main IPv4 LAN #1 with 192.168.1.98/24 and
> secondary IPv4 LAN #2 with 192.168.2.98/24.
> It provides a special case DNS server instance for some machines in both
> IPv4 LANs.
>
> c) "dnsextra02" (.99) has only the main IPv4 LAN #1 with 192.168.1.99/24
> It provides a special case DNS server instance for one machine in IPv4
> LAN #1.
>
> d) All machines in both IPv4 LANs should be able to ping all IP
> addresses of all real/virtual interfaces.
> ping -O -c 10 <192.168.1.50|192.168.1.98|192.168.1.99|192.168.2.1|192.168.2.98>
>
> e) All real/virtual interfaces should be able to ping all IP addresses
> of all other real/virtual interfaces.
> ping -I ens192 -O -c 10 <192.168.1.98|192.168.1.99|192.168.2.98>
> ping -I dnsextra01 -O -c 10 <192.168.1.50|192.168.1.99|192.168.2.1>
> ping -I dnsextra01 -O -c 10 <192.168.1.50|192.168.1.98|192.168.2.1|192.168.2.98>
>
>
> * My try
> The following setup allows pinging some IPv4 addresses from other
> machines, but only sometimes and then it also takes several seconds
> until a ping finally succeeds.
> Pinging the other interfaces on the mini pc itself does NOT work at all.
> If the netdevs via MACVLAN are disabled, then the mini pc reacts nearly
> instantly to network requests (e.g. ssh, ping) and forwarding from IPv4
> LAN #1 to LAN #2 works fine.
>
> a) /etc/sysctl.d/90_ipv4_filter.conf
> net.ipv4.conf.all.arp_filter=1
> net.ipv4.conf.all.rp_filter=1
>
> b) /etc/systemd/network/ens192.network
> [Match]
> Name=ens192
>
> [Network]
> IPForward=yes
> LinkLocalAddressing=ipv6
> IPv6AcceptRA=yes
> IPv6PrivacyExtensions=yes
>
> ## Virtual NICs on ens192
> MACVLAN=dnsextra01
> MACVLAN=dnsextra02
>
> Address=192.168.1.50/24
> Address=192.168.2.1/24
>
> Gateway=192.168.1.254
>
> c) /etc/systemd/network/dnsextra01.netdev
> [NetDev]
> Name=dnsextra01
> Kind=macvlan
>
> [MACVLAN]
> Mode=bridge
>
> d) /etc/systemd/network/dnsextra01.network
> [Match]
> Name=dnsextra01
>
> [Network]
> IPForward=yes
> Address=192.168.1.98/24
> Address=192.168.2.98/24
>
> e) dnsextra02 same as dnsextra01 just only 192.168.2.99/24
>
>
> What is wrong in this setup? How should this be done correctly via
> systemd-networkd?
> Is a newer version of systemd needed for this to work?
>
> Any help is greatly appreciated.
> Matthias "Maddes" Bücher



-- 
Susant
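
The rewrite suggested in the reply, as an added example (not code from the thread or from systemd): a small Python helper that moves every Address= line found in the [Network] section of a .network file into its own [Address] section and leaves all other settings in place. The function name `move_addresses` is hypothetical; the sample input is the dnsextra01.network file from the quoted post.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")

# dnsextra01.network as posted in the quoted message
SAMPLE = """\
[Match]
Name=dnsextra01

[Network]
IPForward=yes
Address=192.168.1.98/24
Address=192.168.2.98/24
"""


def move_addresses(text):
    """Return (rewritten_text, moved_addresses) for a .network file.

    Address= lines inside [Network] are removed there and re-emitted at the
    end of the file, each in a separate [Address] section. Existing
    [Address] sections are left alone, so the rewrite is idempotent.
    """
    out, moved, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
        key, sep, value = line.partition("=")
        if section == "Network" and sep and key.strip() == "Address":
            moved.append(value.strip())
            continue
        # Collapse the blank-line runs left behind by removed lines.
        if not line and out and not out[-1]:
            continue
        out.append(line)
    while out and not out[-1]:
        out.pop()
    for addr in moved:
        out += ["", "[Address]", "Address=" + addr]
    return "\n".join(out) + "\n", moved


if __name__ == "__main__":
    rewritten, moved = move_addresses(SAMPLE)
    print(rewritten, end="")
```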

