Dummy Interface (virtual NIC)


(Andreas Schloegl) #1

A dummy interface is a virtual NIC for the server without a physical interface card.

Why could this be useful?

If you rent a root server you will typically get 1 physical NIC only (or pay more). As you only have one NIC, it will be assigned the green role by design.


Let’s assume you plan to set up a VPN LAN-to-LAN connection to a master server. To set it up you would like to have an internal IP range for your server on the green interface role, and the physical NIC with the public IP should be bound to the red role. This is at least the way I have done it in the past and I know it’s working well.

So what do we need to make it work?

  1. Add a file for your dummy interface in /etc/sysconfig/network-scripts/; let’s call it ifcfg-dummy0.

  2. The kernel module dummy (which is needed for dummy devices) is not loaded by default, so we need to add it during server start. Create a file dummy.conf inside /etc/modules-load.d. This file contains the word dummy only!
     If you reboot the server now, you will see the result with e.g. ifconfig and you are able to ping yourself.

  3. You will notice that your new interface dummy0 is still missing in the web GUI. Thanks to @jstammi I found the solution here: https://community.nethserver.org/t/virtual-network-interface-for-virtual-machines/7728
     I had to patch my /usr/libexec/nethserver/nic-info file. After my next server reboot the NIC was present in the dashboard and I could set up the correct green and red roles under Network. The final result:

Open question:
The MAC address for dummy0 will change on each reboot. See https://community.nethserver.org/t/virtual-network-interface-for-virtual-machines/7728 for how to fix this, too. I have not tried this guideline yet and I’m not sure if I need it.
I have tried to use parameter HWADDR=… inside file ifcfg-dummy0 but this will end with an error and is not working.

So what do you think about it? Should it be implemented as a feature? Under the web GUI’s Network page you are already able to add a new logical interface. Could the type dummy be included there?


(Markus Neuberger) #2

Interesting solution for servers where you don’t have access to the virtualization layer like Proxmox. Did you try it on a remote server? Does it work without losing the connection?

Here is an example for creating similar interface via proxmox:

https://wiki.nethserver.org/doku.php?id=ns_networking

@stephdl, what do you think about this, if you don’t need proxmox firewall it would be enough to have the dummy0 in nethserver or do you see any cons?


(Stéphane de Labrusse) #3

Excellent, the dummy0 is the way to easily protect all sensible services when you don’t have access to virtualisation. This way is used by SME Server to create a dummy nic and protect all the green services.

However I don’t know if it is really needed, proxmox is a common option now, at least it seems to me.


(Andreas Schloegl) #4

If I run on Proxmox the logical way is to set up a second NIC, because this is much easier. But this time I am limited to what I get from the external provider! In the next days I’m going to use this NIC for my VPN with NethServer, but I have a similar installation on an Ubuntu server and it’s working well. I assume this will work here, too.
And yes @stephdl, the possibility to enhance security this way is important, too!


(Andreas Schloegl) #5

VPN is now up via IPsec LAN-to-LAN and working, let’s see if the connection remains stable over the next days…


(Stéphane de Labrusse) #6

Do not be shy to add your network configuration to the wiki page @mrmarkuz showed, I would love to see this page growing.

Yes the dummy nic is an interesting way, maybe I could find time during this holiday, but I’m a bit busy on rspamd

Same punition for you, Markus, and other lurkers: this networking page must grow.


(Davide Principi) #7

In a similar scenario I set up a VLAN interface for green. Please see the cloud-init script for details:


(Rob Bosch) #8

@asl Just a quick question: In a default NS7 instance, there is no /etc/sysconfig/network-interfaces/. How do I proceed to accomplish the dummy interface? Create the network-interfaces directory?


(Andreas Schloegl) #9

You are right, the directory is called:

/etc/sysconfig/network-scripts/

and it exists. I have corrected my top post now!


(Rob Bosch) #10

Thnx @asl
That worked for me. Now I am struggling to get the dummy interface to show up. How do I read the diff file in @jstammi’s post: Virtual network interface for virtual machines
What do I need to change to get the dummy interface in the web GUI?
Running into dirs that don’t seem to exist in default NS7


(Andreas Schloegl) #11

here is the patched version of nic-info:

#!/bin/bash

#
# Copyright (C) 2015 Nethesis S.r.l.
# http://www.nethesis.it - nethserver@nethesis.it
#
# This script is part of NethServer.
#
# NethServer is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License,
# or any later version.
#
# NethServer is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with NethServer.  If not, see COPYING.
#

if [ "x${1}" == "x" ]; then
    cards=($(ls -A -1 /sys/class/net))
else
    cards=($1)
fi

for card in ${cards[@]}; do

    hwaddr=
    type=
    model=
    driver=
    speed=
    link=

    # Error on non-existing devices
    if ! [ -e "/sys/class/net/${card}" ]; then
	echo "[ERROR] nic-info: interface ${card} does not exist" 1>&2
	exit 1
    fi

    # Skip non-link elements:
    if ! [ -L "/sys/class/net/${card}" ]; then
	continue;
    fi	
    
    # Skip non-Ethernet physical devices (type=1)
    if [ "$(cat /sys/class/net/${card}/type)" != "1" ]; then
	continue
    fi

    #
    # FIXME: Skip virtual devices
    #        "device" links may not work in future kernel versions
    #
# start ASL change
#    if ! [ -e /sys/class/net/${card}/device ]; then
#	continue
#    fi
# end ASL

    # Skip bridge and tun/tap
    if [ -e /sys/class/net/${card}/brforward ] || [ -e /sys/class/net/${card}/tun_flags ]; then
        continue
    fi

    if [ -d /sys/class/net/${card}/master ] && [ ! -d /sys/class/net/${card}/brport ]; then
        link=`/bin/readlink  /sys/class/net/${card}/master`
        bond=`basename $link`
        hwaddr=`/usr/libexec/nethserver/bond-slave-mac ${bond} ${card}`
    else
        hwaddr=`cat /sys/class/net/${card}/address`
    fi
    
    # Skip if mac is not valid (00:00... or FF:FF...)
    if [ "${hwaddr}" == "00:00:00:00:00:00" ] || [ "${hwaddr}" == "ff:ff:ff:ff:ff:ff" ]; then
	continue
    fi

# start ASL change    
#    driver=`basename $(ls -l /sys/class/net/$card/device/driver | awk '{print$NF}' )`
#    type=`basename $(ls -l /sys/class/net/$card/device/subsystem | awk '{print$NF}' )`

    if [ -r /sys/class/net/$card/device/driver ]; then
	driver=`basename $(ls -l /sys/class/net/$card/device/driver | awk '{print$NF}' )`
    fi
    if [ -r /sys/class/net/$card/device/subsystem ]; then
	type=`basename $(ls -l /sys/class/net/$card/device/subsystem | awk '{print$NF}' )`
    fi
# end ASL
    
    # Default if not available in /sys/class/net
    if [ "a$type" == "a" ]; then
	type="???"
    fi
    
    if [ "a$driver" == "a" ]; then
	driver="Unknown Network Interface ($card)"
    fi

    model=$type

    # Get more details for pci and usb devices
    if [ "$type" == "pci" ]; then
	model=`/sbin/lspci -s $(basename $(ls -l /sys/class/net/$card/device | awk '{print$NF}' )) | cut -d':' -f3 | cut -c 2-`
    fi
    
    if [ "$type" == "usb" ]; then
	bus=`grep DEVICE= /sys/class/net/$card/device/uevent | cut -d"/" -f5`
	dev=`grep DEVICE= /sys/class/net/$card/device/uevent | cut -d"/" -f6`
	# work around the base8 convert
	let bus=`echo 1$bus`-1000
	let dev=`echo 1$dev`-1000
	model=`/bin/lsusb -s $bus:$dev | cut -d':' -f3 | cut -c 6-`
    fi

    link=$(cat /sys/class/net/$card/carrier 2>/dev/null)
    if [ $? != 0 ]; then
	/sbin/ip link set $card up 2>/dev/null
	link=$(cat /sys/class/net/$card/carrier 2>/dev/null)
	speed=$(cat /sys/class/net/$card/speed 2>/dev/null)
	/sbin/ip link set $card down 2>/dev/null
    else
	speed=$(cat /sys/class/net/$card/speed 2>/dev/null)
    fi

    echo $card,${hwaddr//,/ },${type//,/ },${model//,/ },${driver//,/ },$speed,$link

done
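As an added example (not code from the thread or from NethServer), the script below re-implements the interface filter of nic-info (symlink check, Ethernet type, the "device" link test, bridge/tun and MAC checks) against a fake sysfs tree, so you can see why dummy0 was hidden from the web GUI and what the two commented-out lines in the "ASL change" do, without rebooting. The tree, the interface names and the MAC addresses are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread or of NethServer's own code.
# Re-implements the interface filter of /usr/libexec/nethserver/nic-info
# against a fake sysfs tree so the effect of dropping the
# "/sys/class/net/<nic>/device" test can be checked. Everything is constructed.
set -u

# make_fake_sysfs ROOT: build ROOT/class/net with a PCI NIC (eth0), a dummy
# NIC (dummy0) and one non-symlink entry (bonding_masters) that must be ignored.
make_fake_sysfs() {
    root="$1"
    mkdir -p "$root/class/net" "$root/devices/eth0" "$root/devices/dummy0" \
             "$root/devices/pci0000:00/0000:00:03.0"
    # real sysfs exposes NICs as symlinks; nic-info skips anything else
    ln -sfn ../../devices/eth0 "$root/class/net/eth0"
    ln -sfn ../../devices/dummy0 "$root/class/net/dummy0"
    for nic in eth0 dummy0; do
        echo 1 > "$root/devices/$nic/type"      # 1 = ARPHRD_ETHER
        echo 1 > "$root/devices/$nic/carrier"
    done
    echo 52:54:00:aa:bb:cc > "$root/devices/eth0/address"
    echo 02:00:00:11:22:33 > "$root/devices/dummy0/address"
    # only the physical card has a "device" link to its PCI function
    ln -sfn ../pci0000:00/0000:00:03.0 "$root/devices/eth0/device"
    : > "$root/class/net/bonding_masters"
}

# list_nics ROOT MODE: print the interface names nic-info would report.
# MODE is "original" (keeps the "device" link test) or "patched" (drops it).
list_nics() {
    root="$1"; mode="$2"
    for card in $(ls -A -1 "$root/class/net"); do
        [ -L "$root/class/net/$card" ] || continue                   # skip non-link entries
        [ "$(cat "$root/class/net/$card/type")" = "1" ] || continue   # Ethernet only
        if [ "$mode" = "original" ] && ! [ -e "$root/class/net/$card/device" ]; then
            continue   # no "device" link: treated as virtual and hidden from the GUI
        fi
        [ -e "$root/class/net/$card/brforward" ] && continue         # bridge
        [ -e "$root/class/net/$card/tun_flags" ] && continue         # tun/tap
        hwaddr=$(cat "$root/class/net/$card/address")
        case "$hwaddr" in
            00:00:00:00:00:00|ff:ff:ff:ff:ff:ff) continue ;;         # invalid MAC
        esac
        echo "$card"
    done
}

demo_root=$(mktemp -d)
make_fake_sysfs "$demo_root"
echo "original nic-info reports: $(list_nics "$demo_root" original | tr '\n' ' ')"
echo "patched  nic-info reports: $(list_nics "$demo_root" patched | tr '\n' ' ')"
rm -rf "$demo_root"
```

With the original test in place only eth0 is listed; with it removed dummy0 appears as well, which is exactly what the patched nic-info needs so the dashboard can offer dummy0 for the green role. Note that the same change also surfaces any other virtual Ethernet device on the box (veth, macvlan and the like), which is why the upstream script carries the FIXME rather than a cleaner test.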

(Rob Bosch) #12

@asl You rock!

Only thing that keeps changing at reboot is HW address of dummy interface. But since this is a VPS and the green subnet isn’t used by any clients, I doubt this will be a big problem.


(Andreas Schloegl) #13

Yes, the MAC of the dummy interface is changing after reboot. Mine is used for a VPN LAN-to-LAN connection and there is no side effect I can see so far.


(J. Stammi) #14

I tried to document in my posts how to get a static MAC, too (see the 2nd one below). The nominal CentOS way does not work as the scripts in /etc/sysconfig/network-scripts/ get overwritten with every change to the networking config.

Just checked my installation again, it works for me. I did not document some steps that seemed obvious to me, like creation of the directory for the dummy0-init.service file. Or making the script being referenced there (/usr/local/sbin/dummy0-init.sh) executable.

You may check the service status via systemctl status dummy0-init. It should show up with a green LED indicator and tell of the service being enabled, having been started and exited with status SUCCESS … ?


(Dan) #15

Maybe I’m just a little slow on this, but I think I need a little advice on the details. I have a Neth 7.4 installation on a VPS, assigned one NIC with one IP address on eth0. I ultimately want to treat that interface as red. I’m setting up the server to persistently connect via OpenVPN to my home LAN, and I want to treat that connection/network as green.

My home LAN is 192.168.1.0/24. My pfSense router uses 192.168.3.0/24 for the VPN connection–when my Neth instance connects, the pfSense box will assign it an IP in that subnet. But when I set up dummy0 following these instructions, I assign it a static IP address–but in what network? Or does it matter?

Is the answer that I assign dummy0 any arbitrary (RFC1918) IP I want, configure that interface as green and eth0 as red, and separately add 192.168.1.0/24 and 192.168.3.0/24 as trusted networks under Security -> Trusted Networks?


(Rob Bosch) #16

The way VPN works is that you create a different internal subnet and create a static route from that subnet to your LAN subnet.


(HF) #17

Simply adding my findings for the archive. New VPS from Contabo, 1 NIC only.

  • Image provided by Contabo: CentOS 7 minimal with VNC and SSH access
  • SSH into the VPS and change the root password
  • yum update ; yum install nano
  • nano -w /etc/sysconfig/modules/dummy0.modules

#!/bin/sh
/sbin/modprobe dummy
exec ip link set dummy0 address 10:00:01:02:03:04

  • db networks set dummy0 ethernet ipaddr 192.168.10.2 netmask 255.255.255.0 role green ; db networks setprop eth0 role red ; signal-event interface-update
  • reboot

Done. Works for me.


(HF) #18

I took the liberty to document the process on the wiki. Please adjust where you see fit.

https://wiki.nethserver.org/doku.php?id=virtual_network_interface
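Bringing the thread's pieces together, as an added example that is not from the thread or from NethServer: a oneshot systemd unit (named dummy0-init.service and calling /usr/local/sbin/dummy0-init.sh, as in J. Stammi's post) that loads the dummy module and pins the MAC, but derives the address from /etc/machine-id instead of hard-coding one, so it is the same after every reboot and, being locally administered, cannot collide with a vendor-assigned address. Seeding from /etc/machine-id (with uname -n as fallback) and ordering the unit before network-pre.target are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not taken from the thread or from NethServer: pin dummy0 to a
# MAC address that survives reboots without editing the template-managed
# ifcfg-* files. Seeding from /etc/machine-id (fallback: uname -n) and the
# ordering before network-pre.target are this example's assumptions; the unit
# and script names follow the dummy0-init.service post above.
set -u

# host_seed: a per-host value that does not change across reboots
host_seed() { cat /etc/machine-id 2>/dev/null || uname -n; }

# derive_mac SEED: print a unicast, locally administered MAC derived from SEED.
# The same seed always yields the same address, so it is stable per host.
derive_mac() {
    hex=$(printf '%s' "$1" | sha256sum | cut -c1-12)
    # first octet: set bit 1 (locally administered), clear bit 0 (unicast)
    first=$(printf '%02x' $(( (0x$(printf '%s' "$hex" | cut -c1-2) | 0x02) & 0xfe )))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    printf '%s:%s\n' "$first" "$rest"
}

# is_local_unicast MAC: true when the address is locally administered and unicast
is_local_unicast() {
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# render_init_script MAC: the script run by the oneshot unit
render_init_script() {
    cat <<EOF
#!/bin/sh
# load the dummy driver, create dummy0 if the module did not, pin the MAC, bring it up
/sbin/modprobe dummy
/sbin/ip link show dummy0 >/dev/null 2>&1 || /sbin/ip link add dummy0 type dummy
/sbin/ip link set dummy0 address $1
/sbin/ip link set dummy0 up
EOF
}

# render_unit: systemd unit that runs the script before the network is configured
render_unit() {
    cat <<'EOF'
[Unit]
Description=Create dummy0 with a fixed MAC address
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/dummy0-init.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# install_dummy0_pin: write both files and enable the unit (must run as root)
install_dummy0_pin() {
    mac=$(derive_mac "$(host_seed)")
    render_init_script "$mac" > /usr/local/sbin/dummy0-init.sh
    chmod 0755 /usr/local/sbin/dummy0-init.sh
    render_unit > /etc/systemd/system/dummy0-init.service
    systemctl daemon-reload
    systemctl enable --now dummy0-init.service
    # verify with: systemctl status dummy0-init ; cat /sys/class/net/dummy0/address
}

echo "dummy0 MAC for this host would be: $(derive_mac "$(host_seed)")"
```

Run without arguments the script only prints the address it would assign; install_dummy0_pin needs root, writes the two files and enables the unit, after which systemctl status dummy0-init and cat /sys/class/net/dummy0/address confirm the result across a reboot. Because the MAC is set with ip link rather than with HWADDR in ifcfg-dummy0, the files NethServer regenerates under /etc/sysconfig/network-scripts/ are never touched, and the db networks / signal-event steps from the previous post still apply unchanged for assigning the green role.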