Building a fault-tolerant firewall system with virtual machines: Network configuration using systemd



Almost any network configuration can be done with the commands in the iproute2 package. For example, the command below renames the interface enp0s2 to eth0:

sudo ip link set enp0s2 name eth0

This can be done automatically at boot by a oneshot systemd service whose unit file looks like this:

[Unit]
Description=Naming interface
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set enp0s2 name eth0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target


The commands below create the bridge br0 with VLAN filtering enabled and then display its VLAN configuration. The bridge device itself joins VLAN 100 and the default VLAN 1 is removed, so the bridge carries only tagged packets.

sudo ip link add br0 up type bridge vlan_filtering 1
sudo bridge vlan add vid 100 pvid dev br0 self
sudo bridge vlan del vid 1 dev br0 self
sudo bridge vlan show



A more convenient way, however, is to let systemd do the network configuration. The firewall machine needs three network interfaces with different functions, and they are configured by six files in the directory /etc/systemd/network.


The contents of the file 00-eth0.link are as follows:

[Match]
MACAddress=12:34:56:78:9a:01

[Link]
Name=eth0

Ethernet interfaces normally get names such as enp0s2. The configuration file above tells systemd that the interface with the MAC address 12:34:56:78:9a:01 is to be named eth0. The files 00-eth1.link and 00-eth2.link do the same for the other two interfaces, so the machine ends up with eth0, eth1 and eth2. This matches the design scheme and keeps the interface names uniform across every task that refers to them: firewall rules, HA system configuration, packet-filter tracking system configuration and network address translation. For that reason every network interface must be given a fixed MAC address when the virtual machine is created.

The contents of the file 10-eth0.network are as follows:

[Match]
Name=eth0

[Network]
DHCP=yes

The interface eth0 obtains its IP address automatically from the DHCP service.

The contents of the file 10-eth1.network are as follows:

[Match]
Name=eth1

[Network]
Address=192.168.2.1/24

The interface eth1 is assigned the static address 192.168.2.1. It is designed to sit at the default gateway (though not always) of the 192.168.2.0/24 network, i.e. the client network. The term "client" here is meant in the context of the firewall system; it is not to be confused with the client that accesses the remote virtual machine in the host-guest-client relationship.

The file 10-eth2.network is similar to the file 10-eth1.network:

[Match]
Name=eth2

[Network]
Address=192.168.100.100/24

The interface eth2 is used to synchronize information between two firewalls.
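Because the firewall rules, HA and NAT configuration all depend on these names being assigned correctly, it is worth checking the file set before rebooting. The script below is an added example, not part of the original post: it parses .link and .network files (the sample contents are constructed to mirror the six files above; the eth1/eth2 MAC addresses are assumed) and reports duplicate MAC addresses or names, a renamed interface without a .network file, a .network file with no matching .link, and two static interfaces placed in the same subnet.

```python
import configparser, ipaddress, re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Constructed sample of the post's six files; the eth1/eth2 MACs are assumed.
SAMPLE_FILES = {
    "00-eth0.link": "[Match]\nMACAddress=12:34:56:78:9a:01\n[Link]\nName=eth0\n",
    "00-eth1.link": "[Match]\nMACAddress=12:34:56:78:9a:02\n[Link]\nName=eth1\n",
    "00-eth2.link": "[Match]\nMACAddress=12:34:56:78:9a:03\n[Link]\nName=eth2\n",
    "10-eth0.network": "[Match]\nName=eth0\n[Network]\nDHCP=yes\n",
    "10-eth1.network": "[Match]\nName=eth1\n[Network]\nAddress=192.168.2.1/24\n",
    "10-eth2.network": "[Match]\nName=eth2\n[Network]\nAddress=192.168.100.100/24\n",
}

def _register(table, key, fname, what, problems):
    """Record key -> fname, reporting a collision with an earlier file."""
    if key in table:
        problems.append(f"{fname}: {what} {key} already used by {table[key]}")
    else:
        table[key] = fname

def check_networkd_files(files):
    """Return a list of problems; an empty list means the file set is consistent."""
    problems, names, macs, subnets, networked = [], {}, {}, {}, set()
    for fname, text in sorted(files.items()):
        # systemd unit files are INI-like, with case-sensitive, repeatable keys
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str
        cp.read_string(text)
        if fname.endswith(".link"):
            mac = cp.get("Match", "MACAddress", fallback="").lower()
            if not MAC_RE.match(mac):
                problems.append(f"{fname}: missing or malformed MACAddress")
            else:
                _register(macs, mac, fname, "MACAddress", problems)
            _register(names, cp.get("Link", "Name", fallback=""), fname, "Name", problems)
        elif fname.endswith(".network"):
            networked.add(cp.get("Match", "Name", fallback=""))
            addr = cp.get("Network", "Address", fallback="")
            if addr:  # two static interfaces in one subnet would break routing
                net = ipaddress.ip_interface(addr).network
                _register(subnets, net, fname, "subnet", problems)
    # Every renamed interface needs a .network file, and every .network a .link.
    for name, fname in names.items():
        if name not in networked:
            problems.append(f"{fname}: {name} has no .network file")
    for name in sorted(networked - set(names)):
        problems.append(f"no .link file defines interface {name!r}")
    return problems
```

To run it against a real machine, build the dictionary from the files in /etc/systemd/network and inspect the returned list before rebooting.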
