fastd L2TP Offloading on Supernodes - freifunk-gluon/gluon GitHub Wiki
In addition to the general steps outlined in the docs, here are some concrete examples of how the network config could be done.
Hooks and Scripts
- https://git.darmstadt.ccc.de/ffda/infra/salt/-/tree/master/fastd/files/hooks
- Peer interfaces are configured as isolated bridge ports in a bridge that is connected to a batman-adv switch
- This allows letting daemons like mesh-announce listen on the bridge instead of needing to do that on all interfaces.
- Expects the bridge to be preconfigured outside of fastd
- Establish hook (up) expects bridge name as first argument
systemd-networkd
FFRN Config
Within the fastd config on our Gateways the interface config option is set to dom0p-%k.
# grep %k /etc/fastd/dom0_1312/fastd.conf
interface "dom0p-%k";
dom{{ domain_id }}-bat
# cat /etc/systemd/network/45-bat-dom{{ domain_id }}.netdev
[NetDev]
Description=Netdev Config for Domain {{ domain_id }} B.A.T.M.A.N. Advanced interface
Name=dom{{ domain_id }}-bat
Kind=batadv
MACAddress={{ mac_address }}
[BatmanAdvanced]
OriginatorIntervalSec=5
RoutingAlgorithm=batman-iv
GatewayMode=server
GatewayBandwidthDown=900M
GatewayBandwidthUp=900M
DistributedArpTable=True
HopPenalty=60
# cat /etc/systemd/network/45-bat-dom{{ domain_id }}.network
[Match]
Name=dom{{ domain_id }}-bat
[Network]
Description=Network Config for Domain {{ domain_id }} B.A.T.M.A.N. Advanced interface
IPv6AcceptRA=False
dom{{ domain_id }}p-peers
# cat /etc/systemd/network/75-dom{{ domain_id }}p-peers.netdev
[NetDev]
Description=Bridge for all fastd Domain {{ domain_id }} tap interfaces
Name=dom{{ domain_id }}p-peers
Kind=bridge
[Bridge]
STP=off
# cat /etc/systemd/network/75-dom{{ domain_id }}p-peers.network
[Match]
Name=dom{{ domain_id }}p-peers
Kind=bridge
[Network]
Description=Bridge for all fastd Domain {{ domain_id }} tap interfaces
IPv6AcceptRA=False
BatmanAdvanced=dom{{ domain_id }}-bat
[Link]
RequiredForOnline=False
dom{{ domain_id }}p-*
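Match all Domain {{ domain_id }} tap interfaces and add them as isolated interfaces to the dom{{ domain_id }}p-peers bridge. The wildcard also matches the bridge's own name; systemd-networkd applies the first matching .network file in lexical order, so the bridge is handled by the 75- file above and only the tap interfaces reach this one.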
# cat /etc/systemd/network/77-vpn-dom{{ domain_id }}-peer.network
[Match]
Name=dom{{ domain_id }}p-*
[Network]
Description=Network Config for all Domain {{ domain_id }} fastd tap interfaces
IPv6AcceptRA=False
Bridge=dom{{ domain_id }}p-peers
[Bridge]
Isolated=True
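An audit check for the isolation set up above, as an added example (not part of the original wiki page or of FFRN's tooling): it reads `bridge -j -d link show` and reports peer taps that sit on the peers bridge without the isolated flag, or on another bridge entirely. It assumes domain 0 names as in the grep output above (`dom0p-*`, `dom0p-peers`) and that iproute2 reports a boolean `isolated` field per port; the sample data is constructed.

```python
import fnmatch
import json
import subprocess
import sys

# Constructed sample in the shape of `bridge -j -d link show` output
# (interface names are made up; only the fields used below are kept).
SAMPLE = json.loads("""[
  {"ifname": "dom0p-a1b2c3d4", "master": "dom0p-peers", "isolated": true},
  {"ifname": "dom0p-e5f60718", "master": "dom0p-peers", "isolated": false},
  {"ifname": "dom0p-99aa88bb", "master": "br-other",    "isolated": true},
  {"ifname": "eth1",           "master": "br-other",    "isolated": false}
]""")


def audit_ports(links, bridge, pattern):
    """Check bridge ports whose name matches `pattern`.

    Returns (not_isolated, wrong_master): ports on `bridge` without the
    isolated flag, and matching ports enslaved to a different bridge.
    """
    not_isolated, wrong_master = [], []
    for link in links:
        name = link.get("ifname", "")
        # The wildcard also matches the bridge's own name; skip it.
        if name == bridge or not fnmatch.fnmatchcase(name, pattern):
            continue
        if link.get("master") != bridge:
            wrong_master.append(name)
        elif link.get("isolated") is not True:
            # A missing key counts as a finding: fail closed.
            not_isolated.append(name)
    return sorted(not_isolated), sorted(wrong_master)


def live_links():
    """Read the current port state from iproute2 (needs the `bridge` tool)."""
    out = subprocess.run(["bridge", "-j", "-d", "link", "show"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    live = "--live" in sys.argv
    links = live_links() if live else SAMPLE
    not_isolated, wrong_master = audit_ports(links, "dom0p-peers", "dom0p-*")
    for name in not_isolated:
        print(f"NOT ISOLATED: {name}")
    for name in wrong_master:
        print(f"WRONG BRIDGE: {name}")
    sys.exit(1 if live and (not_isolated or wrong_master) else 0)
```

Run it with `--live` on a gateway to check the real state. A tap that is not enslaved to any bridge does not show up in `bridge link` output, so that case needs a separate check.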
Monitoring
Tools:
- Prometheus
- fastd-exporter
- node-exporter
Rule to alert if a fastd connection was established but there isn't a corresponding interface:
- alert: FastdPeerInterfaceNotUp
  expr: fastd_peer_info{fastd_instance=~"dom[0-9]+"} unless on (interface) label_join(node_network_carrier{device=~"dom[0-9]+p.*"}, "interface", "", "device")
  for: 5m
  labels:
    severity: warning
  annotations:
    description: 'A fastd peer link is not up'
    summary: 'Link {{ $labels.interface }} on {{ $labels.instance }} is down'
The alert only works in conjunction with null@l2tp interfaces with fastd v23 and up (so not v22).