Develop Reference

How to set up a RaspberryPi & Nftables for masquerading between to interfaces?

I'm trying to set up a RaspberryPi running Nftables as a "router". It's running on RaspberryPi OS 64 bits with kernel 5.15.32-v8+ and Nftables v0.9.8 (E.D.S.). I would like it to allow traffic between the LAN it's connected to through its WiFi interface and an Android phone sharing it's cellular data connection through USB.
The RPi is connected to a LAN through it's WiFi interface. There is a DHCP server running on that LAN. It serves clients class C private addresses like 192.168.80.X/24. The RaspberryPi gets served as below. The network configuration allows for a range of IP addresses to be assigned manually, shall that be needed.
- RaspberryPi : interface wlan0
- IP address : 192.168.80.157
- Subnet : 255.255.255.0
- Gateway : 192.168.80.2
- DNS : 192.168.200.1 (firewall living an another VLAN) / 8.8.8.8
An Android phone is connected to the RaspberryPi through a USB cable and acts as a USB modem, sharing its cellular data. It assigns the RPi a class C private address like 192.168.X.Y/24. It changes each time I plug the Android phone in / reboot, and I can't tune the range of addresses served by the phone.
- RaspberryPi : interface usb0 (Android phone)
- IP address : 192.168.42.48 (at the moment)
- Subnet : 255.255.255.0
- Gateway : 192.168.42.105
- DNS : 192.168.42.105 (same as gateway)
I have enabled IP forwarding in the sysctl.conf
net.ipv4.ip_forward=1
Nftables is configured as follow (example from here :
table ip nat_antoine {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip protocol icmp counter meta nftrace set 1
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "usb0" masquerade
}
}
I ran the following tests. I disabled nftables and SSH'd into the RPi through the wlan0 interface. If I configure the firewall at 192.168.200.1 to allow internet access to the RPi (and disconnect the Android phone "usb0"), it works : the RPi can ping / curl / ssh into the "outside" world.
Then I revoked the internet access through wlan0 and plugged the Android phone "usb0" in. Same : I can ping / curl / ssh into the "outside" world. I have made sure that the traffic is going through usb0 and not wlan0.
Issues arise when I enable nftables and try to access internet via the RPi through another client. I took another android phone, connected it to the 192.168.80.0/24 LAN and manually configured the gateway address to be the RPi's wlan0 interface address (DNS from Quad9). Best I can get is pinging the wlan0 interface on the RPi.
"nft monitor" output when pinging 192.168.80.157 from an Android client (client gets an answer) :
trace id 98bebc6f ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.80.157 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40158 ip length 84 icmp code net-unreachable icmp id 30 icmp sequence 1 #th,64,96 820786881435526521749372928
trace id 98bebc6f ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id 98bebc6f ip nat_antoine prerouting verdict continue
trace id 98bebc6f ip nat_antoine prerouting policy accept
"nft monitor" output when pinging 192.168.42.48 from the same Android client (client gets no answer) :
trace id c59a6b89 ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.42.48 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 29620 ip length 84 icmp code net-unreachable icmp id 31 icmp sequence 1 #th,64,96 56218603639456293821148039936
trace id c59a6b89 ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id c59a6b89 ip nat_antoine prerouting verdict continue
trace id c59a6b89 ip nat_antoine prerouting policy accept
Can someone please help me / point me to the right direction for fixing this ?
Thank you very much.

Scapy traffic generator for DPDK L3FWD application

I am new to DPDK and trying to run L3FWD app using scapy to send traffic to it.
I have two Hosts. Host A(Ubuntu 4.15.0-154-generic) for Scapy to send the traffic. Host B (Ubuntu 5.11.0-25-generic) for DPDK(21.08.0) and Host B has vfio-pci module and two NICs (Ethernet Controller XXV710) binded to it.
I have huge pages inserted like below
mkdir -p /dev/hugepages
mountpoint -q /dev/hugepages || mount -t hugetlbfs nodev /dev/hugepages
echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
echo 1024 > /sys/devices/system/node/node1/hugepages/hugepages-2048kB/nr_hugepages
I verified the connectivity between Hosts using Scapy on Host A and tcpdump on Host B. (Traffic is coming in from Host A to B)
I build the DPDK and its example apps. I am trying to run L3FWD with this arguments on Host B.
./dpdk-l3fwd -l 1,2 -n 4 -- -p 0x3 --config="(0,0,1),(1,0,2)"
And I tried many ways of sending the traffic from Host A to B using Scapy like below and still not able to see the output of L3FWD on Host B.
way 1)
sendp(Ether()/IP(src="1X.1X.2x.1x"), iface="enp25s0f0",count=1000)
using sendp command, I didn't see traffic on Host B with L3FWD running. Please note, for src ip add i have replaced numeric values with x here
way 2)
send(IP(src="1x.1x.2x.1x"), iface="enp25s0f0",count=1000)
using send command, I didn't see traffic on Host B with L3FWD running
way 3)>>
x = Ether(src='xc:xd:xe:a9:x9:x0', dst='xC:xx:xx:Ax:Bx:x1')
sendp(x, iface='enp25s0f0',count=10000)
This also didn't work
pls Note I have replaced above actual MAC and IP addr with few 'x'.
Output of L3FWD is as below
./build/examples/dpdk-l3fwd -l 1,2 -n 4 -- -p 0x3 --config="(0,0,1),(1,0,2)"
EAL: Detected 56 lcore(s)
EAL: Detected 2 NUMA nodes
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
**EAL: No available 1048576 kB hugepages reported**
EAL: VFIO support initialized
EAL: Using IOMMU type 8 (No-IOMMU)
EAL: Probe PCI driver: net_i40e (8086:158b) device: 0000:18:00.0 (socket 0)
EAL: Probe PCI driver: net_i40e (8086:158b) device: 0000:18:00.1 (socket 0)
**TELEMETRY: No legacy callbacks, legacy socket not created**
Neither LPM, EM, or FIB selected, defaulting to LPM
Initializing port 0 ... Creating queues: nb_rxq=1 nb_txq=2... Port 0 modified RSS hash function based on hardware support,requested:0xa38c configured:0x2288
Address:xx:xx:xx:xx:xx:xx, Destination:02:00:00:00:00:00, Allocated mbuf pool on socket 0
LPM: Adding route 198.18.0.0 / 24 (0)
LPM: Adding route 198.18.1.0 / 24 (1)
LPM: Adding route 2001:200:: / 64 (0)
LPM: Adding route 2001:200:0:1:: / 64 (1)
txq=1,0,0 txq=2,1,0
Initializing port 1 ... Creating queues: nb_rxq=1 nb_txq=2... Port 1 modified RSS hash function based on hardware support,requested:0xa38c configured:0x2288
Address:xx:xx:xx:xx:xx:xx, Destination:02:00:00:00:00:01, txq=1,0,0 txq=2,1,0
Initializing rx queues on lcore 1 ... rxq=0,0,0
Initializing rx queues on lcore 2 ... rxq=1,0,0
Checking link status........done
Port 0 Link up at 25 Gbps FDX Autoneg
Port 1 Link up at 25 Gbps FDX Autoneg
L3FWD: entering main loop on lcore 1
L3FWD: -- lcoreid=1 portid=0 rxqueueid=0
L3FWD: entering main loop on lcore 2
L3FWD: -- lcoreid=2 portid=1 rxqueueid=0
Output of L3FWD doesn't go forward after this point.
Can any of you please help me find out where i am going wrong. Or help me know how to send traffic from Host A to run L3FWD app on Host B.
Thanks for your responses.

[EDIT] the solution mentioned in the answer is tried and tested on both HOST and Virtual machines and it works.
There are a couple of ways to check if L3fwd is actually receiving and sending the matches rule traffic. One can check the statistics
using DPDK secondary application dpdk-procinfo for DPDK ports
checking the statistics at the HOST-B PF port via ethtool
checking stats at the sender (scapy) on Host-A
For your specific use cases there 2 factors to match
Since DPDK ports on Host-B is created via VF over single PF interface, you would at least have to send packets with VF-1 MAC address to allow the packet to be received in.
For packets to send out from VF-2, the mac address of the packet has to be modified to allow be forwarded out from Host-B PF to Host-A.
Note: If you were having 2 separate PF NIC on Host-B one need to configure ports on Host-A to promiscuous mode to receive with any MAC address.
Solution:
Program Scapy to send ETH-IP packet with MAC address of VF-1 (assuming MAC-VLAN is not enabled on PF) and Dest IP Address of LPM table entry as 198.18.X.X (where X stands for wild card byte value)
check with the dpdk secondary application for Port-0 (VF-1) and Port-1 (VF-2) to confirm packets are indeed received and transmitted out.
Check on Host-B statistics of PF using cat /proc/net/dev to see if packets are received, transmitted or dropped.
Note: the sample program can be easily edited with print and rte_pktmbuf_dump too.

Port with VLAN not working on Cisco switch [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I'm having issues with a cisco SG550X-24 switch.
The switch is showing 100U as an administrative VLAN but not an operation VLAN. I'm unsure why this is, and plugging into this port doesn't work. The switch functions normally and other ports work fine.
Screenshot of config page attached:
cisco vlan config
1 and 19 are configured exactly and same, port 19 works fine with 100U but port 1 doesn't.
Any ideas? Is there a setting I'm missing that disables the port or VLAN?
Thanks
config-file-header
CB-BR-Radon233
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator encrypted
#
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
port jumbo-frame
vlan database
vlan 2,69,100,201
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
link-flap prevention disable
no boot host auto-config
no boot host auto-update
bonjour interface range vlan 1
hostname IMS-CB-BR-Radon233
no passwords complexity enable
username root password encrypted 777f99c04f34de13899c397960ac60d7548cfeb4 privilege 15
username cisco password encrypted ffd1c8e37222f7a9f61aec3e1179e951695fdeba privilege 15
ip ssh server
snmp-server location CB-BR-Radon233
snmp-server contact
clock timezone J 0 minutes 0
!
interface vlan 1
ip address 192.168.1.233 255.255.255.0
no ip address dhcp
!
interface vlan 2
name Phone
!
interface vlan 69
name Dirty
!
interface vlan 100
name Admin
ip address 192.168.100.233 255.255.255.0
!
interface vlan 201
name Mocap
!
interface GigabitEthernet1/0/1
no switchport
switchport access vlan 100
switchport trunk native vlan 100
!
interface GigabitEthernet1/0/3
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/4
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport access vlan 2
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/7
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/11
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport access vlan 2
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/12
channel-group 1 mode auto
!
interface GigabitEthernet1/0/13
switchport mode trunk
switchport access vlan 100
switchport trunk allowed vlan none
!
interface GigabitEthernet1/0/19
switchport access vlan 100
switchport trunk native vlan 100
!
interface GigabitEthernet1/0/24
channel-group 1 mode auto
!
interface TenGigabitEthernet1/0/1
channel-group 2 mode auto
!
interface TenGigabitEthernet1/0/2
channel-group 2 mode auto
!
interface TenGigabitEthernet1/0/3
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk allowed vlan 1-2,69,100,201
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface Port-Channel1
description EthTrunk
spanning-tree link-type point-to-point
switchport mode trunk
switchport general allowed vlan add 2,69,100,201 tagged
switchport general allowed vlan add 1 untagged
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface Port-Channel2
description X1Trunk
switchport mode trunk
!
exit

assuming you're using the same device and the same ethernet-cable when connecting to port 1 and port 19, correct?
would you mind to SSH into the switch and collect a "show run" for port 1 and 19?
...ok, with the config provided:
this is weird, port 1 is configured as routed port but the vlan-settings are still there.
my first try would be:
(in the ssh shell)
conf t
interface GigabitEthernet1/0/1
switchport
end
that should fix the vlan-membership.
a good practice for end-user-facing interfaces would be to add:
conf t
interface GigabitEthernet1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
end

SMA390 RPC port not responding for public facing IP

I have been working on CISCO's SMA390 and the RPC port for the device is not responsive when connected to a core switch.
1. The core switch is for public-facing IP/ CIMC IP of the device.
2. The IP's are configured and using ipmitool command.
3. The port is responding when tried to configure over a private network(laptop to device connection).
I have tried ping command after checking that the IP's are configured and its failing while the gateway is responding.
ipmitool lan print 1
ipmitool lan set 1 ipsrc static
ipmitool lan set 1 ipaddr 10.10.1.5
ipmitool lan set 1 netmask 255.255.255.0
ipmitool lan set 1 defgw ipaddr 10.10.1.1
ipmitool lan set 1 access on
ipmitool raw 0x36 0x52 0x0f
I want the ping and the ssh to be enabled.

I figured out after some more troubleshooting that CISCO x90 devices by default work on 100G bandwidth connection. The default provided on x95 devices is 1000G bandwidth connection. Hence the RPC port didn't respond.
If you face this issue, try
1. using a 100G connection.
2. change the default connection acceptance bandwidth of your device(i.e x90 here).

Configuring Ports on a Cisco Switch

I am very new to Cisco networking (haven't done any course either). I have been trying to learn a bit of networking myself and had no trouble in doing some of the basic stuff which i needed for my personal work. But i am planning to buy a new Cisco switch(a gigabit switch) and configure it to 2 different networks (1 being an internet and other being a separate network for a specific job). I want to configure the ports in such a way that the first few slots for normal internet and the rest for my other network. For example if its a Cisco 2950 48 port switch, the first 1-16 port for my local internet network and the ports from 17-32 for my other network. Can somebody give me a run down on how to achieve this? Sorry for such a long but basic question, i am just trying to save few $$ and learning something new. Any help would be appreciated. Cheers

You can just create the 2 different Vlans and Give the Access port to the 1st vlan with port 1 - 16 , And for Second vlan Give access port remaining Ports. As well you can also configure 2 different network on Single Switch .

Vlans can separate the network traffic away from each other. For Example
Int range gi 0/1 - 16
Desc Local Internet Network
Switchport access vlan 444
Switch port mode access
Int range gi 0/17 - 32
Desc Other Network
Switchport access vlan 555
Switch port mode access
Of course it depends on what you plug into the ports? depends on what type of switchport it is going to be.

Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name Local_Internet_Network
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name my_other_network
Switch(config-vlan)#exit
Switch(config)#interface range gigabitEthernet 0/1-16
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range gigabitEthernet 0/17-32
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#exit
Switch#write memory
and check on trunk

The 2950 switch was a L2 switch only last time I checked so it will not be able to route between the VLANs. You may want to consider a small firewall in order to provide the layer 3 element (routing) and block any internet traffic from hitting your LAN. You can then also utilise a switch with this topology.
The respective switch VLANs for Internet and LAN would be connected to the relevant Internet /LAN firewall ports and your servers would be connected to the LAN. The switch management port should also be on the trusted LAN network or a dedicated management VLAN.