Skip to content

Gateway

The gateway is responsible for forwarding the internet traffic. We use an Ubuntu server host as the basis for this setup.

Note

We will provide you with some sample configurations in this chapter. Keep in mind that you likely have to update these for sour specific setup depending on the number of VNIs you want to use and the IP space available to you.

Setting Up FRR

  1. Install frr on the gateway.

    sudo apt install frr
    
  2. Create the file sample-configs/gateway/frr.conf with the following content. Remember to insert the IP of the gateway and the route reflector.

    /etc/frr/daemons
    log syslog informational
    ip nht resolve-via-default
    ip6 nht resolve-via-default
    router bgp 65000
      bgp router-id <OWN-IP-ADDRESS>
      no bgp default ipv4-unicast
      neighbor fabric peer-group
      neighbor fabric remote-as 65000
      ! BGP sessions with route reflectors
      ! add one line per route reflector
      neighbor <IP-ADDRESS-OF-ROUTE-REFLECTOR> peer-group fabric
      !
      address-family l2vpn evpn
      neighbor fabric activate
      advertise-all-vni
      exit-address-family
      !
    !
    
  3. Create the file /etc/frr/daemons with the following content

    /etc/frr/daemons
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no
    isisd=no
    pimd=no
    ldpd=no
    nhrpd=no
    eigrpd=no
    babeld=no
    sharpd=no
    pathd=no
    pbrd=no
    bfdd=no
    fabricd=no
    vrrpd=no
    
    
    vtysh_enable=yes
    zebra_options="  -A 127.0.0.1 -s 90000000"
    bgpd_options="   -A 127.0.0.1"
    ospfd_options="  -A 127.0.0.1"
    ospf6d_options=" -A ::1"
    ripd_options="   -A 127.0.0.1"
    ripngd_options=" -A ::1"
    isisd_options="  -A 127.0.0.1"
    pimd_options="   -A 127.0.0.1"
    ldpd_options="   -A 127.0.0.1"
    nhrpd_options="  -A 127.0.0.1"
    eigrpd_options=" -A 127.0.0.1"
    babeld_options=" -A 127.0.0.1"
    sharpd_options=" -A 127.0.0.1"
    pbrd_options="   -A 127.0.0.1"
    staticd_options="-A 127.0.0.1"
    bfdd_options="   -A 127.0.0.1"
    fabricd_options="-A 127.0.0.1"
    vrrpd_options="  -A 127.0.0.1"
    
    1. Ensure these configuration files are owned by the frr user and group by running
    sudo chown -R frr:frr /etc/frr/
    
  4. Ensure that only the frr user has read and write permissions to the file and the frr group can read the file. All other users should not have any access. To achieve this, run

    sudo chmod 640 /etc/frr/*
    
  5. Restart frr by executing

    sudo systemctl restart frr
    

Setting Up VXLAN Interfaces and Bridges

We will use the Ubuntu tool netplan to set up and persist the required network devices. Check below for a method without the need for netplan.

  1. Overwrite the file /etc/netplan/00-installer-config.yaml with the following content. Remember to replace the interface name for your current internet connection and set the local IP address.

    /etc/netplan/00-installer-config.yaml
    network:
        ethernets:
            <UPLINK IF NAME>:
                dhcp4: true
        tunnels:
            vxlan1:
                mode: vxlan
                id: 1
                local: <GATEWAY IP>
                ttl: 10
                mac-learning: false
                port: 4789
    
            vxlan2:
                mode: vxlan
                id: 2
                local: <GATEWAY IP>
                ttl: 10
                mac-learning: false
                port: 4789
    
            vxlan3:
                mode: vxlan
                id: 3
                local: <GATEWAY IP>
                ttl: 10
                mac-learning: false
                port: 4789
    
        bridges:
            br1:
                interfaces:
                    - vxlan1
                parameters:
                    stp: false
                addresses:
                    - 10.1.2.1/24
            br2:
                interfaces:
                    - vxlan2
                parameters:
                    stp: false
                addresses:
                    - 10.1.3.1/24
            br3:
                interfaces:
                    - vxlan3
                parameters:
                    stp: false
                addresses:
                    - 10.1.4.1/24
    

    Warning

    This setup is for a very basic gateway. Please make sure you understand what it does and change it for your needs. Especially, you may want to increase the number of VNIs depending on what you set in the APs.

    Refer back to the parameters you chose for your setup.

  2. Restart the machine

    Tip

    In theory, using netplan apply should work. In our experience however, this did not give us the desired result so rebooting is the best way to go here.

Setting up VXLANs without netplan

As an alternative, you can also set up the interfaces using the ip command directly. Note that these interfaces will not persist on reboot so you have to run the following script on every boot:

#!/bin/bash
# Copied from Vincent Bernat's blog post:
for vni in {1..20}; do
    # Create VXLAN interface
    ip link add vxlan"${vni}" type vxlan
        id "${vni}" \
        dstport 4789 \
        nolearning
    # Create companion bridge
    brctl addbr br"${vni}"
    brctl addif br"${vni}" vxlan"${vni}"
    brctl stp br"${vni}" off
    ip link set up dev br"${vni}"
    ip a add 10.0."${vni}".1/24 dev br"${vni}"
    ip link set up dev vxlan"${vni}"
done

Enable IP Forwarding

  1. Open the file /etc/sysctl.conf in an editor of your choice with root permissions:
    sudo nano /etc/sysctl.conf
    
  2. Uncomment the line
    net.ipv4.ip_forward=1
    
    to enable IPv4 forwarding
  3. Uncomment the line

    net.ipv6.conf.all.forwarding=1
    
    to enable IPv6 forwarding

  4. Reload the configuration file by executing

    sudo sysctl -p
    

Setting Up Nftables

  1. Make sure you have nftables installed by running

    nft -v
    

    Tip

    nftables should come preinstalled with Ubuntu Server 22.04 and later

  2. Create/Update the file /etc/nftables.conf with root privileges and paste the following content. You may want to update the vxlans variable to match your setup and set the uplink interface correctly.

    /etc/nftables.conf
    #!/usr/sbin/nft -f
    
    # Setup for 3 VNI's
    define vxlans = { br1, br2, br3, }
    
    define uplink = <Uplink interface>
    
    flush ruleset
    
    # NAT for all VNIs
    
    table inet filter {
            chain input {
                    type filter hook input priority filter;
            }
            chain forward {
                    type filter hook forward priority filter; policy drop;
                    ct state established, related accept
                    iifname $vxlans oifname $uplink counter accept
            }
            chain output {
                    type filter hook output priority filter;
            }
            chain postrouting {
                    type nat hook postrouting priority 100; policy accept;
                    iifname $vxlans oifname $uplink masquerade
            }
    }
    
  3. Restart the system

Setting Up Dnsmasq

  1. Install dnsmasq as a DHCP server on the gateway.
    sudo apt install dnsmasq
    
  2. Update the file /etc/dnsmasq.conf with the following content. You likely need to add more entries for the correct IP ranges when you have more than 3 VNIs in use.

    Tip

    Refer back to the parameters you decided on for the IPv4 range for each VNI

    /etc/dnsmasq.conf
    interface=br1
    interface=br2
    interface=br3
    
    bind-interfaces
    no-resolv
    dhcp-authoritative
    
    dhcp-range=10.0.1.100,10.0.1.200,255.255.255.0,5m
    dhcp-range=10.0.2.100,10.0.2.200,255.255.255.0,5m
    dhcp-range=10.0.3.100,10.0.3.200,255.255.255.0,5m
    
  3. Restart dnsmasq

    sudo systemctl restart dnsmasq