Network configuration /etc/config/network
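See also: IPv4 configuration, IPv6 configuration, Static routes, WAN interface protocols, Writing network scripts, Writing DHCP client scripts
Overview
The default network stack of a typical home router running OpenWrt looks roughly like this: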
LuCI → Network | Description | Example | |||||||
---|---|---|---|---|---|---|---|---|---|
Firewall | Traffic rules between zones | Forwarding rules, traffic rules, custom rules | |||||||
Firewall / Interfaces | Network zone configuration | WAN (Zone) | LAN (Zone) | ||||||
Interfaces → Interfaces | IP configuration | WAN | WAN6 | LAN | |||||
Interfaces → Devices | Device and bridge configuration | eth0 | br-lan (bridge config) | ||||||
Switch / Wireless | VLANs and wireless SSIDs | VLAN 2 (eth0.2) | VLAN 1 (eth0.1) | OpenWrt | OpenWrt | ||||
Switch / Wireless | Internal jack labels and radio labels | WAN (Interface) | LAN 1 | LAN 2 | LAN 3 | LAN 4 | radio0 | radio1 | |
- | Manufacturer labels on the back of the device | “Internet” | “1” | “2” | “3” | “4” | “n/ac” | “b/g/n” |
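Actual devices may differ slightly from the table above because of differences in features and numbering schemes. A minimal router network configuration usually contains at least two interfaces (lan and wan) and their associated devices (br-lan and eth0), plus a switch section where available.
Note: the labels WAN and LAN can mean different things in different contexts.
Configuration management
OpenWrt uses the UCI network subsystem for centralized configuration management; the configuration is stored in the file /etc/config/network.
This UCI subsystem is responsible for defining switch VLANs, interface configurations and network routes.
After the configuration has been changed, the network service must be reloaded or restarted for the new configuration to take effect.
The network service uses netifd and wifi to manage wired and wireless networking respectively.
Individual interfaces can be brought up and down manually with ifup <name> and ifdown <name>, where <name> is the logical interface name of the corresponding config interface section.
Tip: restarting an interface usually only requires ifup, because ifup already includes the ifdown step.
Note that wireless interfaces are managed externally, and ifup may break the association between these interfaces and the bridge.
For wireless interfaces, run wifi up once more after ifup to re-establish the connection to the bridge.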
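
    # Soft reload of the network service
    service network reload
    # Hard restart of the network service
    service network restart
    # Reconnect an interface
    ifdown wan6
    ifup wan6
    # Reload the wireless interfaces
    wifi down
    wifi up
    # List the interfaces
    ubus list network.interface.*
    # Status information
    ifstatus wan6
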
Configuration example
Below is the network UCI subsystem configuration of a TL-WR1043ND router:

    config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config globals 'globals'
        option ula_prefix 'fd27:70fa:5c1d::/48'

    config device 'lan_br'
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

    config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

    config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

    config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

    config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

    config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

    config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

"globals" section
This section contains interface-independent options that control general network configuration.
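
    config globals 'globals'
        option ula_prefix 'fd27:70fa:5c1d::/48'

Name | Type | Required | Default | Description |
---|---|---|---|---|
ula_prefix | IPv6 prefix or auto | no | (none) | IPv6 ULA prefix for this device; auto means a new prefix is generated automatically |
packet_steering | boolean | no | (none) | Whether to use all CPUs for packet processing |
"device" section
When the L2 and L3 device are the same device (i.e. the MAC and IP address refer to the same physical interface), the device section can be omitted.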
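
    config device 'lan_br'
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

Example of enabling flow control on the eth2 interface:

    config device
        option name 'eth2'
        option rxpause '1'
        option txpause '1'

Name | Type | Required | Default | Description |
---|---|---|---|---|
name | string | yes | (none) | L3 device name. Must match the device name in the corresponding interface section |
macaddr | string | no | (none) | MAC address that overrides the device's default MAC address, e.g. 62:11:22:aa:bb:cc |
type | string | no | (none) | If set to bridge , a bridge named name is created; it connects the L2 devices in the ports list and the wireless interfaces from the wireless configuration |
ifname | string | no(*) | (none) | Underlying L2 device; must be set when the device type is macvlan . Install the kmod-macvlan package if needed |
ports | list | no | (none) | List of L2 device names |
rxpause | string | no | (none) | Controls receive (RX) flow control. A value of 1 enables RX pause frames, which let the interface signal the sender to pause transmission when too much data is arriving |
txpause | string | no | (none) | Controls transmit (TX) flow control. A value of 1 enables TX pause frames, which let the interface temporarily stop sending when the receiver signals overload |
autoneg | string | no | (none) | A value of 1 enables auto-negotiation, which lets the interface negotiate the best link parameters (speed, duplex mode, etc.) with the connected device automatically |
TODO: add all bridge and Layer 2 related content here
"interface" section
An interface section declares a logical network together with attributes such as its IP address settings, aliases, routes, physical interface names and firewall rules; these sections play a central role in the OpenWrt configuration.
A minimal interface declaration needs only the following lines: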
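
    config 'interface' 'wan'
        option 'proto' 'dhcp'
        option 'device' 'eth0.2'

- wan: a logical interface name, which must be unique
- dhcp: the interface protocol, DHCP in this example
- eth0.2: the physical interface associated with this section. (Translator's note: the original text says physical interface, but it can in fact also be a bridge.)
The Linux kernel limits the length of physical interface names to a maximum of 14 characters, including the prefixes that are added automatically for some protocols (such as 6in4, pppoa-, pppoe-, gre4t-) or for bridges (br-).
Depending on the protocol type, the logical interface name may therefore be limited to as few as 8 characters.
For example, abcde6789 is a valid name for an ordinary interface using the dhcp protocol, but not for a pppoe interface, because the prefixed name pppoe-abcde6789 is longer than 14 characters.
If .VLAN notation is used, up to 5 more characters may be added on top of that, which can leave as few as 3 characters for the interface name with some protocols. With GRE, for example, the interface name abcde6789 has to be shortened so that the result is gre4t-abc.NNNN, which keeps the total length at 14 characters.
Overlong interface names cause silent errors: creating or modifying the interface fails without any error being reported. One example is the problem discussed on the forum (https://forum.openwrt.org/t/network-interface-warning-has-a-issue/182420/14), which involved br- and .VLAN notation of varying lengths.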
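Because these failures are silent, the naming limit can be checked against a configuration before it is applied. The following is an added example, not part of the OpenWrt documentation: it uses the 14-character limit stated above, and the mapping of the pppoe, pppoa and gretap protocols to the pppoe-, pppoa- and gre4t- prefixes, the sample configuration and the function names are assumptions of the example.

```python
import shlex

MAX_IFNAME = 14  # kernel name limit as stated in the text above
# Prefixes named in the text; tying them to these proto values is an assumption.
PROTO_PREFIX = {"pppoe": "pppoe-", "pppoa": "pppoa-", "gretap": "gre4t-"}

# Constructed sample configuration (not taken from a real device).
SAMPLE = """
config interface 'wan'
    option proto 'pppoe'
    option device 'eth0.2'
config interface 'abcde6789'
    option proto 'pppoe'
    option device 'eth0.2'
config interface 'guest'
    option proto 'static'
    option device 'br-guestnet.1000'
"""


def parse_uci(text):
    """Return a list of (section type, section name, options dict)."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections


def overlong_names(text, limit=MAX_IFNAME):
    """Return (logical name, kernel device name, length) for names over limit."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype != "interface" or not name:
            continue
        candidates = [opts.get("device", "")]
        prefix = PROTO_PREFIX.get(opts.get("proto", ""))
        if prefix:  # the tunnel/PPP device is named prefix + logical name
            candidates.append(prefix + name)
        findings += [(name, c, len(c)) for c in candidates if len(c) > limit]
    return findings


if __name__ == "__main__":
    for logical, dev, n in overlong_names(SAMPLE):
        print(f"{logical}: '{dev}' is {n} characters (limit {MAX_IFNAME})")
```
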
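The available interface protocols include:
Protocol | Description | Program |
---|---|---|
static | Static configuration with fixed address and netmask | ip /ifconfig |
dhcp | Address and netmask are assigned by DHCP | udhcpc (Busybox) |
dhcpv6 | Address and netmask are assigned by DHCPv6 | odhcp6c |
ppp | PPP protocol - dial-up modem connections | pppd |
pppoe | PPP over Ethernet - DSL broadband connection | pppd + plugin rp-pppoe.so |
pppoa | PPP over ATM - DSL connection using a built-in modem | pppd + plugin ... |
3g | CDMA, UMTS or GPRS connection using an AT-style 3G modem | comgt |
qmi | USB modems using the QMI protocol | uqmi |
ncm | USB modems using the NCM protocol | comgt-ncm + ? |
wwan | USB modems with protocol autodetection | wwan |
hnet | Self-managing home network (HNCP) | hnet-full |
pptp | PPtP VPN connection | ? |
6in4 | IPv6-in-IPv4 tunnel for use with tunnel brokers (such as HE.net) | ? |
aiccu | Anything-in-anything tunnel | aiccu |
6to4 | Stateless IPv6 over IPv4 transport | ? |
6rd | IPv6 rapid deployment | 6rd |
dslite | Dual-Stack Lite | ds-lite |
l2tp | PPP over L2TP Pseudowire Tunnel | xl2tpd |
relay | Relay pseudo-bridge | relayd |
gre , gretap | GRE over IPv4 | gre + kmod-gre |
grev6 , grev6tap | GRE over IPv6 | gre + kmod-gre6 |
vti | VTI over IPv4 | vti + kmod-ip_vti |
vtiv6 | VTI over IPv6 | vti + kmod-ip6_vti |
vxlan | VXLAN protocol for layer 2 virtualization; see here for details and configuration examples | vxlan + kmod-vxlan + ip-full |
none | No protocol specified; all other interface settings are ignored (the configuration is effectively not applied) | - |
Depending on the interface protocol used, the interface section may need additional options. The options for each protocol are given in the next section. An option marked “yes” in the “Required” column must be defined in the interface declaration; all others may be omitted.
If an interface section defines no protocol at all (not even none), all of its other settings are ignored completely. This also means that a physical network interface referenced by the section (e.g. eth0) stays down even when a cable is plugged in. (With “none” set, the interface is up.)
Common options
Common options are valid for all protocol types.
Name | Type | Required | Default | Description |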
---|---|---|---|---|
device | string | yes(*) | (none) | L3 device name, such as eth0.1 , eth2 , tun0 , br-lan , etc. Needs to match the name option of the respective device section. network option in wireless configuration. This option may be empty or missing if only a wireless interface references this network or if the protocol is pptp , pppoa , 6in4 , etc. |
mtu | number | no | (none) | Override the default MTU on this interface |
auto | boolean | no | 0 for proto none , else 1 | Specifies whether to bring up interface on boot |
ipv6 | boolean | no | 1 | Specifies whether to enable (1) or disable (0) IPv6 on this interface (Barrier Breaker and later only) |
force_link | boolean | no | 1 for protocol static , else 0 | Specifies whether ip address, route, and optionally gateway are assigned to the interface regardless of the link being active ('1') or only after the link has become active ('0'); when set to '1', carrier sense events do not invoke hotplug handlers |
disabled | boolean | no | 0 | enable or disable the interface section |
ip4table | string | no | (none) | IPv4 routing table for routes of this interface, see: ip rule show; ip route show table <ip4table> |
ip6table | string | no | (none) | IPv6 routing table for routes of this interface, see: ip -6 rule show; ip -6 route show table <ip6table> |
Bridge options
All bridge settings are optional.
Name | Type | Default | Range | Description |
---|---|---|---|---|
bridge_empty | boolean | 0 | 0 , 1 | Enables creating empty bridges |
vlan_filtering | boolean | 0 | 0 , 1 | Enables VLAN aware bridge mode |
igmp_snooping | boolean | 0 | 0 , 1 | Enables IGMP snooping on the bridge, an optimization that only sends multicast traffic to ports with multicast clients or routers |
multicast_querier | boolean | (igmp_snooping setting) | 0 , 1 | IGMP Enables the bridge as a multicast querier, which keeps the multicast group to port mappings current. Only one querier is elected per subnet |
query_interval | number | 12500 | - | IGMP Interval in 1/100 seconds between querier general queries (so default is 125 seconds) |
query_response_interval | number | 1000 | (less than query_interval ) | IGMP Max time in 1/100 seconds responses to queries should be sent (increase to make IGMP less bursty) |
last_member_interval | number | 100 | - | IGMP Max time in 1/100s responses to queries after “leave group” messages (the leave latency) |
hash_max | number | 512 | - | IGMP Size of kernel multicast hash table (larger to avoid collisions that disable snooping) |
robustness | number | 2 | - | IGMP Sets Startup Query Count and Last Member Count. Also combined with query_interval and query_response_interval to calculate Group Membership Interval and “other querier” timeout (both other values must be set) |
stp | boolean | 0 | 0 , 1 | Enables the Spanning Tree Protocol (STP) which prevents network loops (and resulting packet storms) |
forward_delay | number | 2 | 2 - 30 | STP Delay in seconds between port state transitions from Listening → Learning → Forwarding (i.e. bridge ports will be blocked for 2x this value when brought up). 2 is below the minimum 802.1D standard of 4 , and STP will be ignored by conforming switches. Set to at least 4 to work with non-OpenWrt switches! |
hello_time | number | 2 | 1 - 10 | STP Seconds between STP packets |
priority | number | 32767 | 0 - 65535 | STP Bridge Priority. Lowest priority bridge becomes the Root of the Spanning Tree; most switches default to 32768 |
ageing_time | number | 300 | 10 - 1000000 | STP Expire in seconds for dynamic MAC entries in the Filtering DB |
max_age | number | 20 | 6 - 40 | STP After the current Root Bridge has been absent for this many seconds, attempt to become the Root Bridge (affects the speed at which a dead bridge is identified) |
Switch configuration (DSA / bridge-vlan)
This only applies to OpenWrt 21.02 and later, and only for targets that have switched to a DSA driver.
See: DSA networking
Switch configuration (legacy swconfig)
As of OpenWrt 21.02, swconfig is being phased out and is being replaced with DSA.
This guide applies to all versions of OpenWrt before 21.02. It also applies to non-DSA targets in OpenWrt 21.02.
For many users, the default switch configuration is sufficient.
Should the user need to configure the switch differently, LuCI, UCI, or direct editing of /etc/config/network
may be used to achieve different configurations.
Prior to any reconfiguration of the switch, an understanding of the default configuration is important.
As an example, some devices have a single switch-connected interface, and others have two or more.
See also:
- Switch Documentation (older content, but it does discuss single-interface configuration)
The identifier for the switch(es) may be obtained using:

    # swconfig list
    Found: switch0 - ag71xx-mdio.0

With the identifier known, the configuration can be viewed:

    # swconfig dev switch0 show
    Global attributes:
        enable_vlan: 1
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        arl_age_time: 300
        arl_table: address resolution table
    [...]

There are three types of switch-related configuration stanzas: switch, switch_vlan, and switch_port.
Not all options are available on all hardware.
Some limitations may be found with swconfig dev <dev> help.
After making changes, check the output of swconfig to determine if the configuration was accepted by the switch hardware.
The list of options may be incomplete.
The details of each option need additional discovery and documentation, including checking of the underlying code.
The source of restrictions on value ranges has yet to be identified.
Valid values should be confirmed in the code.
Section "switch"
Option Name | Type | Required | Default | Impact | Notes |
---|---|---|---|---|---|
name | string | yes | (none) | defines which switch to configure | |
reset | boolean | 1 | |||
enable_vlan | boolean | 1 | Default may differ by hardware | ||
enable_mirror_rx | boolean | no | 0 | Mirror received packets from the mirror_source_port to the mirror_monitor_port | |
enable_mirror_tx | boolean | no | 0 | Mirror transmitted packets from the mirror_source_port to the mirror_monitor_port | |
mirror_monitor_port | integer | no | 0 | Switch port to which packets are mirrored | |
mirror_source_port | integer | no | 0 | Switch port from which packets are mirrored | |
arl_age_time | integer | no | 300 | Adjust the address-resolution (MAC) table's aging time (seconds) | Default may differ by hardware |
igmp_snooping | boolean | no | 0 | Enable IGMP snooping | Unconfirmed if can be set. Unknown how it interacts with interface- or port-level IGMP snooping. |
igmp_v3 | boolean | no | 0 | Unconfirmed if can be set. Unknown how it interacts with interface- or port-level IGMP snooping. |
Section "switch_vlan"
Option Name | Type | Required | Default | Impact | Notes |
---|---|---|---|---|---|
description | string | no | (none) | A human-readable description of the VLAN configuration | |
device | string | yes | (none) | defines which switch to configure | |
vlan | integer | yes | (none) | The vlan “table index” to configure | May be limited to 127 or another number. See the output of swconfig dev <dev> help for limit. Sets defaults for VLAN tag and PVID. |
vid | integer | no | vlan | The VLAN tag number to use | See the output of swconfig dev <dev> help for limit. VLANs 0 and 4095 are often considered “special use”. |
ports | string | yes | (none) | A string of space-separated port indices that should be associated with the VLAN. Adding the suffix t to a port indicates that egress packets should be tagged, for example '0 1 3t 5t ' | The suffixes * and u are referred to in docs:guide-user:network:switch with reference to certain Broadcom switches in the context of older releases. |
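The ports syntax lends itself to a quick audit of VLAN separation. The following added example (not OpenWrt code; the function names are hypothetical) parses ports strings and reports ports that are untagged members of more than one VLAN, where frames from both VLANs would leave the port without a tag. It uses the two switch_vlan values from the TL-WR1043ND example on this page and one constructed misconfiguration; the * and u suffixes are rejected as unsupported.

```python
from collections import defaultdict

# The two switch_vlan sections from the TL-WR1043ND example on this page.
PAGE_CONFIG = {1: "1 2 3 4 5t", 2: "0 5t"}
# Constructed misconfiguration: port 4 is also added untagged to VLAN 2.
BAD_CONFIG = {1: "1 2 3 4 5t", 2: "0 4 5t"}


def parse_ports(ports):
    """Split a ports string such as '0 1 3t 5t' into (port, tagged) pairs."""
    members = []
    for item in ports.split():
        tagged = item.endswith("t")
        digits = item[:-1] if tagged else item
        if not digits.isdigit():
            raise ValueError(f"unsupported port entry: {item!r}")
        members.append((int(digits), tagged))
    return members


def audit_vlans(vlans):
    """Audit a mapping of 'vlan' option -> 'ports' option.

    Returns (leaks, trunks): ports that are untagged members of more than
    one VLAN, and ports that carry more than one VLAN tagged.
    """
    untagged, tagged = defaultdict(list), defaultdict(list)
    for vlan, ports in sorted(vlans.items()):
        for port, is_tagged in parse_ports(ports):
            (tagged if is_tagged else untagged)[port].append(vlan)
    leaks = {p: v for p, v in untagged.items() if len(v) > 1}
    trunks = {p: v for p, v in tagged.items() if len(v) > 1}
    return leaks, trunks


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("constructed", BAD_CONFIG)):
        leaks, trunks = audit_vlans(cfg)
        print(f"{label}: untagged in several VLANs={leaks} trunks={trunks}")
```
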
Section "switch_port"
Option Name | Type | Required | Default | Impact | Notes |
---|---|---|---|---|---|
device | string | yes | (none) | defines which switch to configure | |
port | integer | yes | (none) | The port index to configure | |
pvid | integer | no | † | Port PVID; the VLAN tag†† to assign to untagged ingress packets | †Typically defaults to one of the VLAN tags associated with the port. Logic not clear when there are multiple VLANs on the port. '0' can occur. Certain values have been rejected; logic not clear on limitations. ††May refer to the VLAN “index” rather than the VLAN tag itself (unconfirmed). |
enable_eee | boolean | no | 0 | Enable “energy saving” features | |
igmp_snooping | boolean | no | 0 | Enable IGMP snooping | Unconfirmed if can be set. Unknown how it interacts with interface- or switch-level IGMP snooping. |
igmp_v3 | boolean | no | 0 | Unconfirmed if can be set. Unknown how it interacts with interface- or switch-level IGMP snooping. |