network interfaces

2022-04-17 · 10 min read

Wikipedia: https://www.wikiwand.com/en/Virtual_network_interface

Let's start with some basic definitions. A network interface is a software interface over either:

  1. physical networking hardware, like a network interface card (NIC). You'll see these named like eth0, eth5, radio0, wlan3.
  2. a virtual interface, like the "loopback" device or a WireGuard VPN tunnel.
    • Most virtual interfaces wrap a lower physical interface or another virtual interface. One exception is the loopback interface lo, which stands alone.
    • We have virtual interfaces to maximise flexibility when configuring our system.
    • These will look like lo, eth0:1, eth0.1, vlan2, br-lan, pppoe-dsl, gre0, sit0, tun0, imq0, teql0.

Helpful Tip: Cloud machines will often present two virtual networking interfaces, one for public internet traffic and one for private VPC traffic.

Physical Network Interfaces #

Ex: eth0, eth4, radio0, wlan2

  • These interfaces always represent an actual hardware device such as an Ethernet or Wireless NIC. Distributions that use systemd's predictable interface naming show them as enp3s0, wlp2s0 and the like instead of eth0/wlan0.
  • Physical network interfaces are provided by the kernel (through the device driver) and presented to the user for configuration and consumption.

Virtual Network Interfaces #

Loopback #

Ex: lo, lo0

  • The loopback interface is provided by the kernel so applications can communicate with other local applications through the normal socket API, without any special code.
  • Any traffic sent to a loopback address is immediately passed back up the network stack as if it had been received from another device; it never touches a NIC.
  • The whole IPv4 range 127.0.0.0/8 and the IPv6 address ::1/128 represent the loopback device, so on Linux 127.0.0.2 reaches the same host as 127.0.0.1.
  • The DNS name localhost is a special name that resolves to 127.0.0.1 or ::1 (normally via /etc/hosts rather than an actual DNS query).
  • Binding a service to 127.0.0.1 instead of 0.0.0.0 is the simplest way to keep it off the network entirely; a listener on 0.0.0.0 or :: answers on every interface, including all of the ones below.

VLANs #

Ex: eth4.10, eth4.20, vlan10

  • Virtual LANs let you partition a single link-layer (L2) network into multiple virtual L2 networks.
  • VLANs let you decouple a user's network location from their physical location.
  • VLANs let you separate and isolate network applications, despite sitting on the same physical network.
  • VLANs let you group hosts together even if they're not directly connected to the same network switch, simplifying network design and deployment.
  • Cloud providers isolate tenants with the same idea, but at their scale they generally rely on overlay encapsulation (VXLAN, Geneve or provider-specific formats) rather than plain 802.1Q, since a 12-bit VLAN id only allows 4094 networks. Multiple customers share the same physical links yet remain isolated.
  • VLANs use the IEEE 802.1Q Ethernet frame header extension to "tag" each frame with its associated VLAN id (1 to 4094; 0 and 4095 are reserved, with VID 0 marking a priority-tagged frame that belongs to no VLAN). Since VLANs operate at L2, higher layers (L3+) run over them transparently.
  • The isolation is a switch-configuration property, not a cryptographic one. A misconfigured trunk or native VLAN lets a host inject frames into a VLAN it was never assigned (double tagging is the classic trick), so treat VLAN boundaries as segmentation and still filter between them at L3.

Stacked VLANs #

  • Create VLANs, inside VLANs, ..., inside VLANs : )
  • Uses IEEE 802.1ad ("QinQ") to carry multiple VLAN tags in one Ethernet frame: an outer service tag (TPID 0x88A8) wrapped around the customer's own 802.1Q tag (TPID 0x8100), so a provider can carry many customers' VLANs over one link without their ids colliding.
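As an added example for the VLAN and stacked-VLAN sections (not code from the original post or from any vendor), here is a small Python parser for the 802.1Q/802.1ad tag stack, plus the check a switch or IDS would want: a frame that arrives with two tags whose outer tag equals the trunk's native VLAN is the double-tagging pattern mentioned above. All MAC addresses, VLAN ids and payloads are constructed for the example.

```python
"""Parse and build Ethernet frames with stacked 802.1Q / 802.1ad VLAN tags.

Added example for this article, not code from any project or vendor.
All MAC addresses, VLAN ids and payloads below are constructed.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID of a customer (C-)tag
ETH_P_8021AD = 0x88A8  # TPID of a service (S-)tag, i.e. the QinQ outer tag
ETH_P_IP = 0x0800
VLAN_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after dst/src and return tags in outer-to-inner order."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in VLAN_TPIDS:
            break                      # reached the real payload EtherType
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off)   # Tag Control Information
        off += 2
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN id; 0 and 4095 are reserved
        })
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[off:]}


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame. tags is a list of (tpid, pcp, dei, vid), outer first."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, dei, vid in tags:
        if tpid not in VLAN_TPIDS or not 0 <= vid <= 4095:
            raise ValueError("bad tag")
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload


def double_tag_hop_candidate(parsed: dict, native_vid: int) -> bool:
    """VLAN hopping by double tagging: a frame whose outer tag is the trunk's
    native VLAN gets that tag stripped by the first switch, and the inner tag
    then places it in a VLAN the sender was never a member of. Flag frames
    carrying more than one tag whose outer vid equals the native vid."""
    tags = parsed["tags"]
    return len(tags) >= 2 and tags[0]["vid"] == native_vid


# Constructed sample frames (MACs and ids are made up).
DST, SRC = "34:f4:aa:91:ec:60", "00:12:34:77:55:aa"
PAYLOAD = b"\x45" + b"\x00" * 19                 # stand-in for an IPv4 header
UNTAGGED = build_frame(DST, SRC, [], ETH_P_IP, PAYLOAD)
TAGGED_10 = build_frame(DST, SRC, [(ETH_P_8021Q, 0, 0, 10)], ETH_P_IP, PAYLOAD)
QINQ = build_frame(DST, SRC, [(ETH_P_8021AD, 0, 0, 100), (ETH_P_8021Q, 5, 0, 20)],
                   ETH_P_IP, PAYLOAD)
# A host on native VLAN 1 trying to reach VLAN 20 through a trunk.
HOP = build_frame(DST, SRC, [(ETH_P_8021Q, 0, 0, 1), (ETH_P_8021Q, 0, 0, 20)],
                  ETH_P_IP, PAYLOAD)

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("802.1Q", TAGGED_10), ("QinQ", QINQ), ("hop", HOP)]:
        p = parse_frame(f)
        print(name, [t["vid"] for t in p["tags"]], "hop?", double_tag_hop_candidate(p, native_vid=1))
```

The parser deliberately keeps looping while the EtherType is a VLAN TPID, so it handles any depth of stacking; the hop check only looks at the outer tag because that is the one a trunk port strips.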

Bridges #

Ex: br0, br-lan

  • Network bridges make multiple physical or virtual network interfaces act as if they were just one network interface: a software Ethernet switch that learns MAC addresses and forwards frames between its member ports.
  • In some ways, bridges are the opposite of VLANs: a VLAN splits one L2 network into several, a bridge merges several into one.
  • For example, my local OpenWRT router groups all LAN ethernet devices and wireless radios into one logical LAN interface, called br-lan. This way my phone and laptop can easily connect to my desktop, even though the first two connect over WiFi and the last connects over wired ethernet. From each device's perspective, the network looks like a single unified network.
  • The flip side is that everything on a bridge shares one broadcast domain, so a guest WiFi that is supposed to be isolated belongs in its own bridge (or VLAN) rather than in br-lan.
  • See: Linux Foundation Wiki - bridge

Bonds #

Ex: bond0

  • Network bonding allows you to combine multiple links into one logical link for higher throughput or reliability.
  • For example, if you have two upstream eth interfaces that each support 50 Mbps throughput, you can bond them into one virtual eth interface with an aggregate maximum of 100 Mbps. The caveat is that in the common modes (802.3ad/LACP, balance-xor) each flow is hashed onto one member link, so a single TCP connection still tops out at 50 Mbps; only balance-rr spreads one flow across links, at the cost of packet reordering. In active-backup mode you get failover but only one link's bandwidth.

Tunnels/Taps #

Ex: pppoe-dsl, wg0, tun0, tunl0, tap2, vpn1, sit0

  • Tunnels let you send L3 packets or L2 frames encapsulated in a tunneling protocol, usually to a remote host. Only some tunnels encrypt: GRE, IPIP (tunl0) and 6in4 (sit0) just wrap packets in another header, while WireGuard, IPsec and TLS-based VPNs also authenticate and encrypt them.
  • For example, WireGuard is a secure VPN protocol that provides a wg0 tunnel interface.
    • wg0 is an L3 interface: you route ordinary IP packets (carrying TCP, UDP, ICMP, whatever) into it, and they are delivered to the configured remote WireGuard peers.
    • Data sent through the tunnel is encrypted and authenticated, then sent as WireGuard UDP datagrams to the destination peer's endpoint.
    • Every WireGuard endpoint (there is no real client/server distinction) keeps a cryptokey routing table mapping each peer's public key to a set of AllowedIPs. It works in both directions: an outbound packet is encrypted to the peer whose AllowedIPs contain its destination (longest prefix wins, and a destination matching no peer is dropped rather than sent in the clear), and an inbound packet that decrypts under a peer's key is dropped unless its inner source address is inside that peer's AllowedIPs. The second check is what stops one peer from spoofing another's tunnel address.
  • Linux TUN/TAP lets userspace programs provide virtual software network interfaces at L3 (TUN, IP packets) or L2 (TAP, Ethernet frames). OpenVPN's tun0/tap0 work this way; the Linux WireGuard module implements wg0 in the kernel instead (the userspace wireguard-go implementation is the exception, and it does use a TUN device).
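To make the two-directional use of AllowedIPs concrete, here is an added example (not WireGuard's code, and not from the original post) that models the cryptokey routing table in Python. Peer keys are placeholder strings standing in for Curve25519 public keys, the topology is constructed, and only the AllowedIPs logic is modelled, not the handshake or encryption.

```python
"""Model of WireGuard's cryptokey routing: AllowedIPs as both route and ACL.

Added example for this article; it is not WireGuard's code. Peer keys are
placeholder strings standing in for Curve25519 public keys, and the peers
and addresses are constructed. Only the AllowedIPs logic is modelled.
"""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        self.peers = {}    # pubkey -> list of ip_network (that peer's AllowedIPs)
        self._routes = {}  # ip_network -> pubkey; each prefix belongs to exactly one peer

    def add_peer(self, pubkey: str, allowed_ips):
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_ips]
        self.peers[pubkey] = nets
        for n in nets:
            prev = self._routes.get(n)
            if prev is not None and prev != pubkey:
                # As in wg, a prefix handed to a new peer is taken away from the old one.
                self.peers[prev] = [m for m in self.peers[prev] if m != n]
            self._routes[n] = pubkey

    def peer_for_destination(self, dst: str):
        """Outbound: the peer whose AllowedIPs contain dst, longest prefix first.
        No match means the packet is dropped; it is never sent unencrypted."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, pk in self._routes.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, pk)
        return best[1] if best else None

    def accept_inbound(self, from_pubkey: str, inner_src: str) -> bool:
        """Inbound: the packet already authenticated under from_pubkey's session.
        Accept it only if the decrypted packet's source address lies in that
        peer's AllowedIPs; this stops peer A injecting packets 'from' peer B."""
        ip = ipaddress.ip_address(inner_src)
        return any(n.version == ip.version and ip in n
                   for n in self.peers.get(from_pubkey, []))


# Constructed topology: a hub with two peers, and a road-warrior client.
hub = CryptokeyRouter()
hub.add_peer("PEER_A", ["10.8.0.2/32"])
hub.add_peer("PEER_B", ["10.8.0.3/32", "192.168.50.0/24"])   # B also routes a LAN

client = CryptokeyRouter()
client.add_peer("HUB", ["0.0.0.0/0", "::/0"])   # full tunnel: everything goes to the hub

if __name__ == "__main__":
    print(hub.peer_for_destination("192.168.50.7"))   # PEER_B
    print(hub.peer_for_destination("8.8.8.8"))        # None: hub has no default-route peer
    print(hub.accept_inbound("PEER_A", "10.8.0.3"))   # False: A spoofing B's address
```

The practical consequence for a hub: a peer configured with 0.0.0.0/0 would claim every destination and could also source any address, so AllowedIPs on the hub side should be exactly the /32 (or the LAN prefix) that peer is supposed to own.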

Special Purpose #

Ex: imq0, teql0

  • imq0 is an Intermediate Queueing Device, an out-of-tree patch (historically used by OpenWrt) that redirects ingress traffic through a queue so it can be shaped like egress traffic; the in-tree replacement is the IFB device (ifb0).
  • teql0 is the kernel's trivial link equalizer, a round-robin scheduler that spreads packets over several slave links; a simpler cousin of bonding.

(Deprecated) Aliases #

Ex: eth4:5, eth4:6

  • Back in the day, Linux only supported one IP+mask per interface. Aliases are a way to present an existing interface with more than one IP+mask, each under a label like eth4:5. Since iproute2 an interface can hold any number of addresses directly, so aliases are no longer necessary; they survive for backwards compatibility with ifconfig-era scripts, and an address added with a label still shows that label at the end of its line in ip addr output.
  • See: Linux Networking Documentation > IP-Aliasing

Viewing the current network interfaces #

On any Linux system with iproute2, you can easily view the available interfaces with ip addr (ip a for short). This command lists the current network interfaces along with their names, flags and state, and the CIDRs they're responsible for. Recent iproute2 also offers ip -j addr for JSON output, which is far easier to feed to scripts than the text form shown below.

Quickly, before we dive in, the network topology in these examples looks like:

	      desktop
.------------------------.
|     vEth              eth                  eth        fiber
| WSL <---> Windows 11 <-|-> OpenWRT Router <---> Modem <---> ISP
|                        |
'------------------------'

Starting with my desktop WSL Linux VM, the interfaces are fairly simple.

# Desktop Computer, Linux running in WSL
$ ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:12:34:77:55:aa brd ff:ff:ff:ff:ff:ff
    inet 172.20.114.28/20 brd 172.20.127.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fea9:713/64 scope link
       valid_lft forever preferred_lft forever

# plus some disabled interfaces: bond0, dummy0, tunl0, sit0

Here we have a local loopback (lo) interface and a virtual ethernet interface (eth0) to the Windows WSL virtual Ethernet adapter. Currently the WSL network interface is in NAT mode (as opposed to Bridge mode), so the WSL network is hidden from the outer LAN.

Underneath the WSL instance, we have the base Windows desktop machine. Here it's configured with a physical Ethernet interface to the local LAN OpenWRT router.

PS > ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2601:646:ca00:2fb5:dcb2:595c:1f81:cfc6
   IPv6 Address. . . . . . . . . . . : fd5b:7e09:2223::88e
   IPv6 Address. . . . . . . . . . . : fd5b:7e09:2223:0:dcb2:595c:1f81:cfc6
   Temporary IPv6 Address. . . . . . : 2601:646:ca00:b0e:7576:98bc:5e6c:7eb1
   Temporary IPv6 Address. . . . . . : fd5b:7e09:2223:0:7576:98bc:5e6c:7eb1
   Link-local IPv6 Address . . . . . : fe80::dcb2:596c:1f81:cfc6%5
   IPv4 Address. . . . . . . . . . . : 10.69.69.111
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::5249:e0ff:febc:3f60%5
                                       10.69.69.1

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::49ef:174b:890:ef00%22
   IPv4 Address. . . . . . . . . . . : 172.20.112.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Or in a bit more detail (IPv4 at least)

PS > netsh interface ipv4 show config

Configuration for interface "Ethernet"
    DHCP enabled:                         Yes
    IP Address:                           10.69.69.111
    Subnet Prefix:                        10.69.69.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.69.69.1
    Gateway Metric:                       0
    InterfaceMetric:                      25
    DNS servers configured through DHCP:  10.69.69.1
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled:                         No
    IP Address:                           127.0.0.1
    Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric:                      75
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
    Statically Configured WINS Servers:   None

Configuration for interface "vEthernet (WSL)"
    DHCP enabled:                         No
    IP Address:                           172.21.32.1
    Subnet Prefix:                        172.21.32.0/20 (mask 255.255.240.0)
    InterfaceMetric:                      5000
    Statically Configured DNS Servers:    None
    Register with which suffix:           None
    Statically Configured WINS Servers:   None

Note that the vEthernet (WSL) address differs between the two captures (172.20.112.1 in ipconfig, 172.21.32.1 in netsh): WSL 2 allocates a fresh NAT subnet each time the WSL VM starts, so anything pinned to that range (Windows firewall rules, hosts entries) will drift.

On my OpenWRT router, the configuration gets a bit crazy.

$ ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5249:e0ff:febc:3f60/64 scope link
       valid_lft forever preferred_lft forever

3: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff

7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 36:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet 69.312.42.96/22 brd 69.312.42.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 2001:547:6143:b9:905:61b9:2a3:6aff/128 scope global dynamic noprefixroute
       valid_lft 258008sec preferred_lft 258008sec
    inet6 fe80::5049:e0ff:febc:3f60/64 scope link
       valid_lft forever preferred_lft forever

10: mlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 34:f4:aa:91:ec:63 brd ff:ff:ff:ff:ff:ff

14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet 10.69.69.1/24 brd 10.69.69.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2601:646:ca00:b0e::1/64 scope global dynamic noprefixroute
       valid_lft 258008sec preferred_lft 258008sec
    inet6 fd5b:7e09:2223::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::5249:e0ff:febc:3f60/64 scope link
       valid_lft forever preferred_lft forever

15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 34:f4:aa:91:ec:62 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5249:e0ff:febc:3f62/64 scope link
       valid_lft forever preferred_lft forever
16: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 34:f4:aa:91:ec:61 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5249:e0ff:febc:3f61/64 scope link
       valid_lft forever preferred_lft forever

Just like the others, we still have a loopback. Reading the rest from top to bottom:

  • eth0 is the only real Ethernet device the kernel exposes. It carries no IPv4 address of its own, only a link-local IPv6; it exists to be the lower device for everything stacked on top of it. Its MTU is 1508 rather than 1500 so the extra headers added by those stacked interfaces don't eat into the 1500-byte payload.
  • lan1@eth0 through lan4@eth0 and wan@eth0 are stacked on eth0: the @eth0 suffix names the lower interface. On this router they are the ports of the built-in switch, each exposed to Linux as its own interface. They all share eth0's MAC address, except that wan uses the locally-administered variant (36:... instead of 34:...) so the two stacked interfaces present different MACs.
  • lan2, lan3 and lan4 report NO-CARRIER / LOWERLAYERDOWN: nothing is plugged into them. lan1 is UP, with the desktop on the other end. All four say master br-lan, meaning they are enslaved to the bridge and carry no addresses of their own.
  • wan@eth0 is deliberately not in br-lan. It holds the public IPv4 address (obscured in the listing above) and a global IPv6 address, and it is the interface the firewall's wan zone should cover.
  • mlan0 is DOWN with qdisc noop: a device the kernel knows about but nothing has configured.
  • br-lan is the bridge, and the LAN's addresses live here rather than on the member ports: 10.69.69.1/24 (the IPv4 default gateway the Windows box reported), a global IPv6 /64 (dynamic, so delegated from the ISP), and a ULA fd5b:7e09:2223::1/60. Its link-local fe80::5249:e0ff:febc:3f60 is exactly the IPv6 default gateway in the ipconfig output above.
  • wlan0 and wlan1 are the two WiFi radios. They also say master br-lan, which is how wireless and wired clients end up in one broadcast domain, as promised in the bridges section.

The pattern to check on any router is the same: addresses should sit on the bridge or on wan, never on an enslaved port, and the only interface with a public address should be the one the WAN firewall zone covers.
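To turn that wall of text into something you can check mechanically, here is an added example (not from the original post and not an iproute2 tool) that parses ip addr text into a structure and asks the three questions from the last paragraph: which interfaces are bridge members, which ones are UP with a global-scope address, and which enslaved ports have nothing plugged in. SAMPLE is a shortened, constructed copy of the router output above, with the public WAN address replaced by one from the 203.0.113.0/24 documentation range.

```python
"""Turn `ip addr` text into a structure you can ask questions of.

Added example for this article, not an iproute2 tool. SAMPLE is a shortened,
constructed copy of the router output above; the WAN address is replaced with
one from the 203.0.113.0/24 documentation range.
"""
import re

SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5249:e0ff:febc:3f60/64 scope link
       valid_lft forever preferred_lft forever
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 36:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.96/22 brd 203.0.113.255 scope global wan
       valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 34:f4:aa:91:ec:60 brd ff:ff:ff:ff:ff:ff
    inet 10.69.69.1/24 brd 10.69.69.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd5b:7e09:2223::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 34:f4:aa:91:ec:62 brd ff:ff:ff:ff:ff:ff
"""

# "6: lan1@eth0: <FLAGS> rest"  ->  index, name, lower device (optional), flags, rest
HEADER = re.compile(r"^(\d+): ([^:@\s]+)(?:@(\S+?))?: <([^>]*)>(.*)$")
# "    inet 10.69.69.1/24 brd ... scope global br-lan"  ->  family, cidr, scope
ADDR = re.compile(r"^\s+(inet6?) (\S+) .*?scope (\S+)")


def parse_ip_addr(text: str) -> list:
    """Return one dict per interface with its flags, state, master and addresses."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            idx, name, lower, flags, rest = m.groups()
            master = re.search(r"\bmaster (\S+)", rest)
            state = re.search(r"\bstate (\S+)", rest)
            cur = {"index": int(idx), "name": name, "lower": lower,
                   "flags": flags.split(","),
                   "master": master.group(1) if master else None,
                   "state": state.group(1) if state else None, "addrs": []}
            ifaces.append(cur)
            continue
        m = ADDR.match(line)
        if m and cur is not None:
            family, cidr, scope = m.groups()
            cur["addrs"].append({"family": family, "cidr": cidr, "scope": scope})
    return ifaces


def bridge_members(ifaces) -> dict:
    """Bridge name -> interfaces enslaved to it (the `master` field)."""
    out = {}
    for i in ifaces:
        if i["master"]:
            out.setdefault(i["master"], []).append(i["name"])
    return out


def reachable(ifaces) -> list:
    """Interfaces that are UP and carry a global-scope address. These are what
    the rest of the network can actually talk to, so each one should map to a
    firewall zone you meant to expose."""
    return [i["name"] for i in ifaces
            if "UP" in i["flags"] and any(a["scope"] == "global" for a in i["addrs"])]


def dangling_ports(ifaces) -> list:
    """Bridge members with no carrier: unused ports still in the LAN bridge, so
    anything plugged into them joins the LAN with no further configuration."""
    return [i["name"] for i in ifaces if i["master"] and "NO-CARRIER" in i["flags"]]


if __name__ == "__main__":
    ifs = parse_ip_addr(SAMPLE)
    print("bridges:", bridge_members(ifs))
    print("reachable:", reachable(ifs))
    print("dangling ports:", dangling_ports(ifs))
```

On a live box, feed it the output of ip addr directly; where iproute2 is new enough, ip -j addr gives the same fields as JSON and the regexes become unnecessary.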