UCI networking options cheatsheet

This is a cheatsheet for quick lookup of networking UCI options, useful for experienced users.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
 
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
 
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

Name	Type	Required	Default	Description
`ifname`	interface name(s)	yes(*)	(none)	Physical interface name such as `eth0.1`, `eth2`, or `tun0` to assign to this section, list of interfaces if type bridge is set. () This option may be empty or missing if only a wireless interface references this network or if the protocol type is `pptp`, `pppoa` or `6in4`* As WLAN interface names may be dynamic or unpredictable, it is strongly recommended that they be assigned to bridges using the `network` option in UCI wireless configuration
`type`	string	no	(none)	If set to `bridge`, a bridge containing the given ifnames, and any wireless networks assigned using the `network` option in UCI wireless configuration, is created
`stp`	boolean	no	`0`	Only valid for type `bridge`, enables the Spanning Tree Protocol
`bridge_empty`	boolean	no	`0`	Only valid for type `bridge`, enables creating empty bridges
`igmp_snooping`	boolean	no	`0`	Only valid for type `bridge`, sets the multicast_snooping kernel setting for a bridge
`multicast_querier`	boolean	no	(takes over the value of igmp_snooping)	Only valid for type `bridge`, sets the multicast_querier kernel setting for a bridge
`macaddr`	mac address	no	(none)	Override MAC address of this interface. Example: 62:11:22:aa:bb:cc
`mtu`	number	no	(none)	Override the default MTU on this interface
`auto`	boolean	no	`0` for proto `none`, else `1`	Specifies whether to bring up interface on boot
`ipv6`	boolean	no	`1`	Specifies whether to enable (1) or disable (0) IPv6 on this interface (Barrier Breaker and later only)
~~`accept_ra`~~	~~boolean~~	no	~~`1` for protocol `dhcp`, else `0`~~	~~Specifies whether to accept IPv6 Router Advertisements on this interface~~ deprecated:
~~`send_rs`~~	~~boolean~~	no	~~`1` for protocol `static`, else `0`~~	~~Specifies whether to send Router Solicitations on this interface~~ deprecated:
`force_link`	boolean	no	`1` for protocol `static`, else `0`	Specifies whether ip address, route, and optionally gateway are assigned to the interface regardless of the link being active ('1') or only after the link has become active ('0'); when set to '1', carrier sense events do not invoke hotplug handlers
`disabled`	boolean	no	`0`	enable or disable the interface section
`ip4table`	string	no	(none)	IPv4 routing table for routes of this interface. E.g., when proto = dhcp, the dhcp client will add routes to that table
`ip6table`	string	no	(none)	IPv6 routing table for routes of this interface. E.g., when proto = dhcp6, the dhcp6 client will add routes to that table

See wan_interface_protocols for documentation on the protocol-specific options available for each WAN protocol.

The options _orig_ifname and _orig_bridge may be seen in /etc/config/network when managed by LuCI and were used to keep previous information across edits. They were moved out of ''/etc/config/network'' in March, 2018.

Name	Type	Required	Default	Description
`interface`	string	yes	(none)	Specifies the logical interface name of the parent (or master) interface this alias belongs to; must refer to one of the defined `interface` sections
`proto`	string	yes	(none)	Specifies the alias interface protocol
`ipaddr`	ip address	yes, if no `ip6addr` is set	(none)	alias IP address
`netmask`	netmask	yes, if no `ip6addr` is set	(none)	alias Netmask
`gateway`	ip address	no	(none)	Default gateway
`broadcast`	ip address	no	(none)	Broadcast address (autogenerated if not set)
`ip6addr`	ipv6 address	yes, if no `ipaddr` is set	(none)	IPv6 address (CIDR notation)
`ip6gw`	ipv6 address	no	(none)	IPv6 default gateway
`dns`	list of ip addresses	no	(none)	DNS server(s)
`layer`	integer	no	`3`	Selects the interface to attach to for stacked protocols (tun over bridge over eth, ppp over eth or similar). 3: attach to layer 3 interface (tun, ppp if parent is layer 3 else fallback to 2) 2: attach to layer 2 interface (br-* if parent is bridge else fallback to layer 1) 1: attach to layer 1 interface (eth, wlan)

please check if this is still true or not: At the time of writing, only the static protocol type is allowed for aliases.

config rule
        option mark   '0xFF'
        option in     'lan'
        option dest   '172.16.0.0/16'
        option lookup '100'
 
config rule6
        option in     'vpn'
        option dest   'fdca:1234::/64'
        option action 'prohibit'

Name	Type	Required	Default	Description
`in`	string	no	(none)	Specifies the incoming logical interface name
`out`	string	no	(none)	Specifies the outgoing logical interface name
`src`	ip subnet	no	(none)	Specifies the source subnet to match (CIDR notation)
`dest`	ip subnet	no	(none)	Specifies the destination subnet to match (CIDR notation)
`tos`	integer	no	(none)	Specifies the TOS value to match in IP headers
`mark`	mark/mask	no	(none)	Specifies the fwmark and optionally its mask to match, e.g. `0xFF` to match mark 255 or `0x0/0x1` to match any even mark value
`suppress_prefixlength`	integer	no	(none)	Reject routing decisions that have a prefix length less than or equal to the specified value
`invert`	boolean	no	`0`	If set to `1`, the meaning of the match options is inverted
`priority`	integer	no	(incrementing)	Controls the order of the IP rules, by default the priority is auto-assigned so that they are processed in the same order they're declared in the config file
`lookup`	routing table	at least one of	(none)	The rule target is a table lookup, the ID can be either a numeric table index ranging from `0` to `65535` or a symbolic alias declared in `/etc/iproute2/rt_tables`. The special aliases `local` (`255`), `main` (`254`) and `default` (`253`) are recognized as well
`goto`	rule index			The rule target is a jump to another rule specified by its `priority` value
`action`	string			The rule target is one of the routing actions outlined in the table below

config route 'net172'
        option interface 'lan'
        option target '172.16.1.0'
        option netmask '255.255.255.0'
        option gateway '10.1.1.1'

Name	Type	Required	Default	Description
`interface`	string	yes	(none)	Specifies the logical interface name of the parent (or master) interface this route belongs to; must refer to one of the defined `interface` sections
`target`	ip address	yes	(none)	Network address
`netmask`	netmask	no	(none)	Route netmask. If omitted, `255.255.255.255` is assumed which makes `target` a host address
`gateway`	ip address	no	(none)	Network gateway. If omitted, the `gateway` from the parent interface is taken if any, otherwise creates a `link` scope route; if set to `0.0.0.0` no gateway will be specified for the route
`metric`	number	no	`0`	Specifies the route metric to use
`mtu`	number	no	interface MTU	Defines a specific MTU for this route
`table`	routing table	no	`main`	Defines the table ID to use for the route. The ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /etc/iproute2/rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well
`source`	ip address	no	(none)	The preferred source address when sending to destinations covered by the target
`onlink`	boolean	no	`0`	When enabled gateway is on link even if the gateway does not match any interface prefix (Barrier Breaker and later only)
`type`	string	no	`unicast`	One of the types outlined in the Routing Types table below (Barrier Breaker and later only)
`proto`	routing protocol	no	`static`	Defines the protocol ID to use for the route. The ID can be either a numeric value ranging from 0 to 255 or a symbolic alias declared in /etc/iproute2/rt_protos.

To disable a route quickly, the option enabled is not available. Just rewrite the route config section as disabled_route like:

config disabled_route 'name_your_route'
        ...lines...

and it will be recognized by the uci parser but not applied by the /etc/init.d/network script.

It seems that on openwrt 12.09 if a route is defined using a gateway in an address space where a gateway is already defined, it will be not added. Like the lan has the gateway 192.168.1.1 and we want to go to 1.2.3.4 over the gateway 192.168.1.5 within the interface lan, it will not be added. Could be added through ip route commands tough.

config route6 'default'
        option interface 'lan'
        option target '2008:a:a:c::/64'
        option gateway '2008:a:a:b::2'

Name	Type	Required	Default	Description
`interface`	string	yes	(none)	Specifies the logical interface name of the parent (or master) interface this route belongs to; must refer to one of the defined `interface` sections
`target`	ipv6 address	yes	(none)	IPv6 network address
`gateway`	ipv6 address	no	(none)	IPv6 gateway. If omitted, the `gateway` from the parent interface is taken
`metric`	number	no	`0`	Specifies the route metric to use
`mtu`	number	no	interface MTU	Defines a specific MTU for this route
`table`	routing table	no	`main`	Defines the table ID to use for the route. The ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /etc/iproute2/rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well
`source`	ip address	no	(none)	The route source address in source-address dependent routes. It's called “from” in the ip command.
`onlink`	boolean	no	`0`	When enabled gateway is on link even if the gateway does not match any interface prefix (Barrier Breaker and later only)
`type`	string	no	`unicast`	One of the types outlined in the Routing Types table below (Barrier Breaker and later only)
`proto`	routing protocol	no	`static`	Defines the protocol ID to use for the route. The ID can be either a numeric value ranging from 0 to 255 or a symbolic alias declared in /etc/iproute2/rt_protos.

Type	Description
`unicast`	the route entry describes real paths to the destinations covered by the route prefix.
`local`	the destinations are assigned to this host. The packets are looped back and delivered locally.
`broadcast`	the destinations are broadcast addresses. The packets are sent as link broadcasts.
`multicast`	a special type used for multicast routing. It is not present in normal routing tables.
`unreachable`	these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error.
`prohibit`	these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.
`blackhole`	these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
`anycast`	the destinations are anycast addresses assigned to this host. They are mainly equivalent to local with one difference: such addresses are invalid when used as the source address of any packet.

Type	Description
`unicast`	the route entry describes real paths to the destinations covered by the route prefix.
`local`	the destinations are assigned to this host. The packets are looped back and delivered locally.
`broadcast`	the destinations are broadcast addresses. The packets are sent as link broadcasts.
`multicast`	a special type used for multicast routing. It is not present in normal routing tables.
`unreachable`	these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error.
`prohibit`	these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.
`blackhole`	these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
`anycast`	the destinations are anycast addresses assigned to this host. They are mainly equivalent to local with one difference: such addresses are invalid when used as the source address of any packet.

config interface 'wan6'
        option proto '6in4'
        option mtu '1424'                          # the IPv6 tunnel MTU (optional)
        option peeraddr '62.12.34.56'              # the IPv4 tunnel endpoint at the tunnel provider
        option ip6addr '2001:DB8:2222:EFGH::2/64'  # the IPv6 tunnel
        option ip6prefix '2001:DB8:1234::/48'      # Your routed prefix (required!)
        # configuration options below are only valid for HE.net tunnels. ignore them for other tunnel providers.
        option tunnelid '123456'     # HE.net tunnel id
        option username 'username'   # HE.net username used to login into tunnelbroker, not the User ID shown after login in.
        option password 'password'   # HE.net password if there is no updatekey for tunnel
        option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels
 
config interface 'lan'
        option proto 'static'
        option ip6assign '60'

Name	Type	Required	Default	Description
`ipaddr`	IPv4 address	no	Current WAN IPv4 address	Local IPv4 endpoint address
`peeraddr`	IPv4 address	yes	(none)	Remote IPv4 endpoint address
`ip6addr`	IPv6 address (CIDR)	yes	(none)	Local IPv6 address delegated to the tunnel endpoint
`ip6prefix`	IPv6 prefix	no	(none)	Routed IPv6 prefix for downstream interfaces (Barrier Breaker and later only)
`tunlink`	Logical Interface	no	(none)	Tunnel base interface
`defaultroute`	boolean	no	`1`	Whether to create an IPv6 default route over the tunnel
`ttl`	integer	no	`64`	TTL used for the tunnel interface
`tos`	string	no	(none)	Type Of Service : either “inherit” (the outer header inherits the value of the inner header) or an hexadecimal value. Also known as DSCP. (Chaos Calmer and later only)
`mtu`	integer	no	`1280`	MTU used for the tunnel interface
`tunnelid`	integer	no	(none)	HE.net global tunnel ID (used for endpoint update)
`username`	string	no	(none)	HE.net username which you use to login into tunnelbroker, not the User ID shows after you have login int (used for endpoint update)
`password`	string	no	(none)	~~md5sum of~~ HE.net password (used for endpoint update)
`updatekey`	string	no	(none)	HE.net updatekey, overrides password (used for endpoint update)
`metric`	integer	no	`0`	Specifies the default route metric to use

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface sixbone would result in an interface named 6in4-sixbone.

HE.net has introduced updatekey as default for new tunnels in February 2014.

username, password and updatekey are all plaintext entries.

One of the ustream SSL Library variants (package libustream-*) should be installed for HE.net endpoint update to be performed over https. (optional for https: install packages ca-certificates and ca-bundle for server certificate validation.) Otherwise endpoint update will be performed over http.

Although ip6prefix isn't required, sourcefilter is enabled by default and prevents forwarding of packets unless ip6prefix is specified.

config interface 'wan6'
        option proto '6rd'
        option peeraddr '77.174.0.2'
        option ip6prefix '2001:838:ad00::'
        option ip6prefixlen '40'
        option ip4prefixlen '16'

Name	Type	Required	Default	Description
`peeraddr`	IPv4 address	yes	no	6rd - Gateway
`ipaddr`	IPv4 address	no	Current WAN IPv4 address	Local IPv4 endpoint address
`ip6prefix`	IPv6 prefix (without length)	yes	no	6rd-IPv6 Prefix
`ip6prefixlen`	IPv6 prefix length	yes	no	6rd-IPv6 Prefix length
`ip4prefixlen`	IPv6 prefix length	no	0	IPv4 common prefix
`defaultroute`	boolean	no	`1`	Whether to create an IPv6 default route over the tunnel
`ttl`	integer	no	`64`	TTL used for the tunnel interface
`tos`	string	no	(none)	Type Of Service : either “inherit” (the outer header inherits the value of the inner header) or an hexadecimal value (Chaos Calmer and later only)
`mtu`	integer	no	`1280`	MTU used for the tunnel interface
`iface6rd`	logical interface	no	(none)	Logical interface template for auto-configuration of 6rd
`mtu6rd`	integer	no	system default	MTU of the 6rd interface
`zone6rd`	firewall zone	no	system default	Firewall zone to which the 6rd interface should be added

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6rd-wan6.

Some ISP's give you the number of bytes you should use from your WAN IP to calculate your IPv6 address. ip4prefixlen expects the prefix bytes of your WAN IP to calculate the IPv6 address. So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14).

config interface '6pe'
        option proto 'l2tpv2'
        option server '<LNS address>'
        option username '<PPP username>'
        option password '<PPP password>'
        option keepalive '6'
        option ipv6 '1'
 
config interface 'wan6'
        option ifname '@6pe'
        option proto 'dhcpv6'

Most options are similar to protocol “ppp”.

Name	Type	Required	Default	Description
`server`	string	yes	(none)	L2TP server to connect to. Acceptable datatypes are hostname or IP address, with optional port separated by colon `:`. Note that specifying port is only supported recently and should appear in DD release
`username`	string	no	(none)	Username for PAP/CHAP authentication
`password`	string	yes if `username` is provided	(none)	Password for PAP/CHAP authentication
`ipv6`	bool	no	0	Enable IPv6 on the PPP link (IPv6CP)
`mtu`	int	no	`pppd` default	Maximum Transmit/Receive Unit, in bytes
`keepalive`	string	no	(none)	Number of unanswered echo requests before considering the peer dead. The interval between echo requests is 5 seconds.
`checkup_interval`	int	no	(none)	Number of seconds to pass before checking if the interface is not up since the last setup attempt and retry the connection otherwise. Set it to a value sufficient for a successful L2TP connection for you. It's mainly for the case that netifd sent the connect request yet xl2tpd failed to complete it without the notice of netifd
`pppd_options`	string	no	(none)	Additional options to pass to `pppd`

The name of the physical interface will be “l2tp-<logical interface name>”.

config interface 'wan6'
        option proto '6to4'
 
config interface 'lan'
        option proto 'static'
        option ip6assign '60'

Name	Type	Required	Default	Description
`ipaddr`	IPv4 address	no	Current WAN IPv4 address	Local IPv4 endpoint address
`defaultroute`	boolean	no	`1`	Whether to create an IPv6 default route over the tunnel
`ttl`	integer	no	`64`	TTL used for the tunnel interface
`tos`	string	no	(none)	Type Of Service : either “inherit” (the outer header inherits the value of the inner header) or an hexadecimal value
`mtu`	integer	no	`1280`	MTU used for the tunnel interface
`metric`	integer	no	`0`	Specifies the default route metric to use
~~`adv_interface`~~	~~string~~	no	~~`lan`~~	deprecated ~~The logical interface name of the network the subnet should be advertised on. Multiple interface names can be given.~~
~~`adv_subnet`~~	~~hex number~~	no	~~`1`~~	deprecated ~~A subnet ID between `1` and `FFFF` which selects the advertised /64 prefix from the mapped 6to4 space. The subnet ID is incremented by 1 for every interface specified in `adv_interface`.~~
~~`adv_valid_lifetime`~~	~~integer~~	no	~~`300`~~	deprecated ~~Overrides the advertised valid prefix lifetime, in seconds (used with radvd)~~
~~`adv_preferred_lifetime`~~	~~integer~~	no	~~`120`~~	deprecated ~~Overrides the advertised preferred prefix lifetime, in seconds (used with radvd)~~

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6to4-wan6.

~~If radvd is installed and enabled, the 6to4 scripts will add a temporary prefix and interface declaration to the radvd uci configuration and perform a daemon restart if required.~~ (deprecated)

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
 
config interface 'wan'
        option proto 'dslite'
        option peeraddr '2001:db80::1' # Your ISP's DS-Lite AFTR

Name	Type	Required	Default	Description
`peeraddr`	IPv6 address	yes	no	DS-Lite AFTR address
`ip6addr`	IPv6 address	no	Current WAN IPv6 address	Local IPv6 endpoint address
`tunlink`	Logical Interface	no	Current WAN interface	Tunnel base interface
`defaultroute`	boolean	no	`1`	Whether to create an IPv6 default route over the tunnel
`ttl`	integer	no	`64`	TTL used for the tunnel interface
`mtu`	integer	no	`1280`	MTU used for the tunnel interface

ds-lite operation requires that IPv4 NAT is disabled. You should adjust your settings in /etc/config/firewall accordingly.

This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan would result in an interface named dslite-wan.

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

Option Name	Type	Required	Default	Impact	Notes
`name`	string	yes	(none)	defines which switch to configure
`reset`	`0\|1`
`enable_vlan`	`0\|1`
`enable_mirror_rx`	`0\|1`	no	0	Mirror received packets from the `mirror_source_port` to the `mirror_monitor_port`
`enable_mirror_tx`	`0\|1`	no	0	Mirror transmitted packets from the `mirror_source_port` to the `mirror_monitor_port`
`mirror_monitor_port`	integer	no	0	Switch port to which packets are mirrored
`mirror_source_port`	integer	no	0	Switch port from which packets are mirrored
`arl_age_time`	integer	no	300	Adjust the address-resolution (MAC) table's aging time (seconds)	Default may differ by hardware
`igmp_snooping`	`0\|1`	no	0	Enable IGMP snooping	Unconfirmed if can be set. Unknown how it interacts with interface- or port-level IGMP snooping.
`igmp_v3`	`0\|1`	no	0		Unconfirmed if can be set. Unknown how it interacts with interface- or port-level IGMP snooping.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'
 
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

Option Name	Type	Required	Default	Impact	Notes
`device`	string	yes	(none)	defines which switch to configure
`vlan`	integer	yes	(none)	The vlan “table index” to configure	May be limited to 127 or another number. See the output of `swconfig dev <dev> help` for limit. Sets defaults for VLAN tag and PVID.
`vid`	integer	no	`vlan`	The VLAN tag number to use	See the output of `swconfig dev <dev> help` for limit. VLANs 0 and 4095 are often considered “special use”.
`ports`	string	yes	(none)	A string of space-separated port indicies that should be associated with the VLAN. Adding the suffix `t` to a port indicates that egress packets should be tagged, for example `'0 1 3t 5t`'	The suffixes `*` and `u` are referred to in docs:guide-user:network:switch with reference to certain Broadcom switches in the context of older releases.

config switch_port
        option device 'eth0'
        option port '3'
        option pvid '3'

Option Name	Type	Required	Default	Impact	Notes
`device`	string	yes	(none)	defines which switch to configure
`port`	integer	yes	(none)	The port index to configure
`pvid`	integer	no	†	Port PVID; the VLAN tag†† to assign to untagged ingress packets	†Typically defaults one of the VLAN tags associated with the port. Logic not clear when there are multiple VLANs on the port. '0' can occur. Certain values have been rejected; logic not clear on limitations. ††May refer to the VLAN “index” rather than the VLAN tag itself (unconfirmed).
`enable_eee`	`0\|1`	no	0	Enable “energy saving” features
`igmp_snooping`	`0\|1`	no	0	Enable IGMP snooping	Unconfirmed if can be set. Unknown how it interacts with interface- or switch-level IGMP snooping.
`igmp_v3`	`0\|1`	no	0		Unconfirmed if can be set. Unknown how it interacts with interface- or switch-level IGMP snooping.

UCI networking options cheatsheet

Options valid for all protocol types

Alias

IP Rules (for both rule and rule6)

IPv4 Routes

IPv6 Routes

Routing types

Routing types

Protocol 6in4 (IPv6-in-IPv4 Tunnel)

6rd tunnel (ISP-provided IPv6 transition)

6pe, L2TP tunnel (ISP-provided IPv6 transition)

Protocol 6to4 (IPv6-in-IPv4 Tunnel)

Protocol dslite (Dual-Stack Lite)

config switch

config switch_vlan

config switch_port