Summary
- Assume we have a device with four Ethernet ports (eth0, eth1, eth2 and eth3).
- For WAN, we will use eth0, facing the modem, to connect to the ISP via PPP over Ethernet.
- We will use eth2 and eth3 to build a bonding interface, bond0, running 802.3ad LACP.
- For LAN, we will use the bond0.70 interface, which is based on the bond0 interface.
- For the management network, we use vrf-mgmt0 with kernel table id 10 as the Management VRF; bond0 and one WireGuard interface are attached to it.
- For the DN42 network, we use vrf-dn42 with kernel table id 42 as the DN42 VRF; bond0.342 and several WireGuard interfaces for peering are attached to it.
- The eth1 port is unused.
So this configuration file includes PPPoE, VRF, bonding (802.3ad LACP), VLAN and WireGuard interface configuration.
And it is mainly taken from my own router configuration.
For the WireGuard and PPPoE configuration files, please refer to their respective man pages and documentation.
/etc/network/interfaces
```
# Here begins Management LAN
## Management VRF
auto vrf-mgmt0
iface vrf-mgmt0
    pre-up ip link add $IFACE type vrf table 10
    up ip link set dev $IFACE up

## Management VPN to access it
auto vpn-mgmt0
iface vpn-mgmt0
    requires vrf-mgmt0
    wireguard-config-path /etc/wireguard/vpn-mgmt0.conf
    address 10.114.51.1/24
    pre-up ip link set $IFACE master vrf-mgmt0
    mtu 1412

## Bring up eth2 and eth3
auto eth2
iface eth2 inet manual

auto eth3
iface eth3 inet manual

## Attach bond0 to Management VRF (it's untagged)
auto bond0
iface bond0
    use bond
    requires eth2 eth3 vrf-mgmt0
    bond-members eth2 eth3
    bond-mode 802.3ad
    bond-xmit-hash-policy encap3+4
    address 192.168.10.1/24
    up ip link set $IFACE master vrf-mgmt0

# LAN setup with VLAN
auto bond0.70
iface bond0.70 inet static
    address 192.168.70.1/24

# eth0 facing modem/wan
auto eth0
iface eth0 inet static
    address 192.168.100.2/24

# PPPoE interface
auto ppp0
iface ppp0 inet ppp
    requires bond0 bond0.70 eth0
    pre-up /sbin/ip link set eth0 up
    provider dsl-provider

# DN42 begins here
## VRF interface for DN42
auto vrf-dn42
iface vrf-dn42 inet manual
    pre-up ip link add $IFACE type vrf table 42
    up ip link set dev $IFACE up

## Dummy device carrying loopback address.
auto dummy1
iface dummy1 inet manual
    pre-up ip link add $IFACE type dummy
    pre-up ip link set $IFACE master vrf-dn42
    up ip link set dummy1 up
    address 172.22.180.97/32
    address fd0b:da1a:9768:300::1/128
    post-down ip link del dummy1
    requires vrf-dn42

## DN42 Server LAN:
auto bond0.421
iface bond0.421 inet static
    address 172.22.180.97/28
    requires vrf-dn42 bond0
    up ip link set $IFACE master vrf-dn42
iface bond0.421 inet6 static
    post-up ip addr add fd0b:da1a:9768:301::1/64 dev $IFACE

## DN42 Peering:
auto dn42-someone
iface dn42-someone
    wireguard-config-path /etc/wireguard/dn42-someone.conf
    address fe80::2032/64
    pre-up ip link set $IFACE master vrf-dn42
    post-up ip a a 172.22.180.97 peer 192.168.0.2/32 dev $IFACE
    mtu 1412

## DN42 IBGP/IGP GRETAP Tunnel:
## If you are using OSPF with WireGuard tunnels then you will need to manually add a link-local IPv6 address to them.
## Personally I use GRETAP over IPSec for encryption.
auto dn42-somewhere
iface dn42-somewhere inet static
    pre-up ip link add $IFACE type gretap local 192.168.50.1 remote 192.168.14.2 ttl 255
    pre-up ip link set $IFACE master vrf-dn42
    post-down ip link del $IFACE
    mtu 1380
    address 169.254.29.1/30
iface dn42-somewhere inet6 auto
    address fd0b:da1a:9768:300::1/128
```
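Added example (not part of the original configuration): an interface whose `ip link set ... master` step fails stays in the default routing table, so this script compares `ip -o link show` output with the VRF membership the file above intends. The `EXPECTED` map, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Expected master per interface, read off the interfaces file above
# ("-" = no master, i.e. the interface stays in the default routing table).
EXPECTED="vpn-mgmt0=vrf-mgmt0 bond0=vrf-mgmt0 bond0.70=- eth0=- dummy1=vrf-dn42 \
bond0.421=vrf-dn42 dn42-someone=vrf-dn42 dn42-somewhere=vrf-dn42"

# vrf_audit: reads `ip -o link show` text on stdin, prints one line per
# wrong or missing interface, and returns 1 if anything was printed.
vrf_audit() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    {
        name = $2
        sub(/:$/, "", name)     # "bond0:" -> "bond0"
        sub(/@.*/, "", name)    # "bond0.70@bond0" -> "bond0.70"
        master = "-"
        for (i = 3; i < NF; i++) if ($i == "master") master = $(i + 1)
        seen[name] = 1
        if (name in want && want[name] != master) {
            printf "MISMATCH %s: want %s, got %s\n", name, want[name], master; bad = 1
        }
    }
    END {
        for (name in want) if (!(name in seen)) {
            printf "MISSING %s: want %s\n", name, want[name]; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample of `ip -o link show` output (trimmed after "state");
# dn42-someone has lost its VRF master, as after a failed pre-up.
sample_links() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP
6: vpn-mgmt0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1412 qdisc noqueue master vrf-mgmt0 state UNKNOWN
7: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf-mgmt0 state UP
8: bond0.70@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
10: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf-dn42 state UNKNOWN
11: bond0.421@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf-dn42 state UP
12: dn42-someone: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1412 qdisc noqueue state UNKNOWN
13: dn42-somewhere@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1380 qdisc noqueue master vrf-dn42 state UNKNOWN
EOF
}
sample_links | vrf_audit || echo "VRF audit failed" >&2
```

On the router itself, feed it live data with `ip -o link show | vrf_audit` once the interfaces are up.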
Footnotes
- Note that the WireGuard configuration file has no `Address`, `Table`, `Post/Pre Up/Down` options, since the `wg` tool only handles setting the config for WireGuard interfaces (that is, setting the interface's own privatekey, listenport, peer's allowedips with its corresponding publickey, endpoints as well as presharedkey, if it exists).
- We assume that all WireGuard configuration files are in /etc/wireguard/
- PPPoE IPv6 configuration: It is feasible to put `dhcpcd ppp0` and `dhcpcd ppp0 -k` into hook scripts in `/etc/ppp/`.
That’s all. Thanks for reading.