OpenWrt Forum Archive

Topic: Enabling CONFIG_KERNEL_NET_NS=y

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a configuration that depends on support for Linux network namespaces (netns) in OpenWRT.  The namespaces feature is unfortunately something that cannot be loaded as a module.  Would this be a reasonable feature to enable in the official builds?

CONFIG_KERNEL_NAMESPACES=y
CONFIG_KERNEL_NET_NS=y

The specific case that netns solves is: I have two routers in master-slave configuration.  Both routers are configured with the same IP address.  The master (OpenWRT) gets its IP address via DHCP from the ISP, then offers the same IP via DHCP to the slave.

While (to the best of my knowledge) this is not normally possible with Linux, it can be done with namespaces.

An example manual configuration might look like the following.  The slave router in this example would be plugged into a switch port on VLAN 101.  Inbound ports can be forwarded to the slave device by redirecting them to 192.168.101.2 in OpenWRT.

GATEWAY=9.8.7.1
PUBLIC_IP=9.8.7.123

# Create a namespace and enable forwarding
ip netns add fakewan
ip netns exec fakewan sysctl -w net.ipv4.ip_forward=1

# Create VLAN device on eth0, and create a VETH pair so we can route
# to and from the "fakewan" namespace
vconfig add eth0 101
ip link add slave0 type veth peer name slave1

# Move the VLAN and one of the VETH devices into the fakewan namespace
ip link set slave1 netns fakewan
ip link set eth0.101 netns fakewan

# Bring the interfaces up
ifconfig slave0 192.168.101.1 netmask 255.255.255.0 up
ip netns exec fakewan ifconfig slave1 192.168.101.2 netmask 255.255.255.0 up
ip netns exec fakewan ifconfig eth0.101 $GATEWAY netmask 255.255.255.0 up

# Set up default route and NAT rules
ip netns exec fakewan ip route add default via 192.168.101.1
ip netns exec fakewan iptables -t nat -A POSTROUTING -o slave1 -j SNAT --to 192.168.101.2
ip netns exec fakewan iptables -t nat -A PREROUTING -d 192.168.101.2 -j DNAT --to-destination $PUBLIC_IP

I have this set up and fully automated with scripts I uploaded to GitHub (https://github.com/Voltara/openwrt-fakewan), but it depends on custom-building OpenWRT with the requisite namespaces support.  Although I can take care of myself in that regard, it's a potential barrier for others who might find this useful (i.e. anybody who has followed this guide http://www.dslreports.com/faq/16710 and would love to remove an unnecessary device from their network.)
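
Added example (not part of the original thread and not taken from the openwrt-fakewan scripts): a pre-flight check for the manual configuration above, written for POSIX sh. It tests for kernel network-namespace support and confirms that the SNAT/DNAT pair appears in the output of iptables -t nat -S; the function names and the "live" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the fakewan setup shown in the post.
# Function names and the "live" argument are assumptions of this example.
NS=fakewan
INNER_IP=192.168.101.2    # slave1 address used in the post
PUBLIC_IP=9.8.7.123       # sample public address used in the post

# /proc/<pid>/ns/net exists only on kernels built with CONFIG_NET_NS=y.
netns_supported() {
    [ -e "${1:-/proc}/self/ns/net" ]
}

# Escape dots so an address is matched literally by grep -E.
re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Read `iptables -t nat -S` output on stdin and confirm the SNAT/DNAT pair
# from the post is installed. Prints what is missing; returns 1 if anything is.
check_nat_rules() {
    rules=$(cat)
    rc=0
    inner=$(re "$INNER_IP"); pub=$(re "$PUBLIC_IP")
    printf '%s\n' "$rules" |
        grep -Eq -- "^-A POSTROUTING .*-o slave1 .*-j SNAT --to-source $inner( |\$)" ||
        { echo "missing: SNAT to $INNER_IP on slave1"; rc=1; }
    printf '%s\n' "$rules" |
        grep -Eq -- "^-A PREROUTING .*-d $inner(/32)? .*-j DNAT --to-destination $pub( |\$)" ||
        { echo "missing: DNAT $INNER_IP -> $PUBLIC_IP"; rc=1; }
    return $rc
}

# Run against the real system (needs root on the router).
run_live_checks() {
    netns_supported || { echo "kernel lacks network namespace support"; return 1; }
    ip netns list | awk '{print $1}' | grep -qx "$NS" ||
        { echo "namespace $NS does not exist"; return 1; }
    [ "$(ip netns exec "$NS" sysctl -n net.ipv4.ip_forward)" = 1 ] ||
        { echo "ip_forward is off inside $NS"; return 1; }
    ip netns exec "$NS" iptables -t nat -S | check_nat_rules
}

if [ "${1:-}" = live ]; then run_live_checks; fi
```

Run it with the argument live on the router to check the real namespace; without arguments it only defines the functions.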

Not commenting on your approach with namespaces, I have had several problems with routers in the past. Half of them were user misconfiguration, and the other half hardware problems. In all cases, setting two devices in a chain will not help at all.

_DS_ wrote:

Not commenting on your approach with namespaces, I have had several problems with routers in the past. Half of them were user misconfiguration, and the other half hardware problems. In all cases, setting two devices in a chain will not help at all.

This is one of those cases where it does help (and the solution I implemented has been working extremely well.)

The main issue is Verizon FiOS users need to use the ISP-supplied Wi-Fi router, or else certain TV features (channel guide, software updates, on screen caller ID, web DVR control) will not work.  Their router supplies two necessary features: it acts as an Ethernet to MoCA bridge (their set-top boxes don't have a working Ethernet port), and it establishes a CWMP management session with the ISP (which allows it to negotiate which IPs and ports are used when the ISP needs to connect to the set-top boxes.)

If you're curious, there's a whole FAQ over at dslreports describing the various options we have for using our own router: http://www.dslreports.com/faq/16077  My setup is most similar to the "three router" configuration described in the FAQ, except I'm using OpenWRT and network namespaces instead of a physical device for the third "router".  DHCP changes are handled automatically, and no manual reconfiguration is necessary.

I'd like to package up my scripts and share them, but since it currently requires building your own OpenWRT image (with namespaces support), I doubt there would be much, if any, uptake.

I am unable to achieve the verification of ping from the fakewan network.

I recompiled OpenWrt Chaos Calmer 15.05 / LuCI 15.05-66-g66620f5 Release (git-15.286.36037-3e19939)-

Is there any way to assist in troubleshooting this - as I too am a FiOS customer, and want to only add 1 router to the solution.

voltara wrote:

Both routers are configured with the same IP address.

How is this possible?

ekarasin wrote:

I am unable to achieve the verification of ping from the fakewan network.

I recompiled OpenWrt Chaos Calmer 15.05 / LuCI 15.05-66-g66620f5 Release (git-15.286.36037-3e19939)-

Is there any way to assist in troubleshooting this - as I too am a FiOS customer, and want to only add 1 router to the solution.

Does the router have to have a public IP in order for this to function properly?
