Skip to main content

Network Management

The network management has the task of creating the mapping between subnets and VLANs, and creating the configuration for the software WIFI access point and the DHCP server.

The network management comprises the following services:

  • Subnet service
  • RADIUS server
  • WIFI Software access point (AP) service
  • DHCP service

The Subnet service

This service creates subnets and maps VLAN IDs to a subnet IP range. It uses the Netlink protocol library suite to access network kernel functionality from the user space to setup network interfaces. In order to use the Netlink library, the user has to enable USE_NETLINK_SERVICE in CMake when compiling edgesec. If the Netlink library is not available the user can chose USE_GENERIC_IP_SERVICE, which uses the ip command to configure the network interfaces. Alternatively, on OpenWRT systems the user can enable USE_UCI_SERVICE, which uses the uci API to manage the settings for network, firewall, dhcp, etc.

The subnet configuration is given in config.ini as follows:

# Used on OpenWRT systems to define the bridge prefix
bridgePrefix = "br"
# The prefix for the interface name that corresponds to a VLAN,
# for instance for VLAN 2 and `interfacePrefix = "br"`
# the corresponding interface will be `br2`.
interfacePrefix = "br"
if0 = "0,,,"
if1 = "1,,,"
if2 = "2,,,"
if3 = "3,,,"
if4 = "4,,,"
if5 = "5,,,"
if6 = "6,,,"
if7 = "7,,,"
if8 = "8,,,"
if9 = "9,,,"
if10 = "10,,,"

where ifn key enumerates parameters for each interface that will be created by the subnet service, where all parameters are separated by commas. The first parameter is the VLAN ID, the second parameter is the gateway IP, the third parameter is the broadcast IP and the fourth parameter is the netmask. For instance given if8 = "8,,," and interfacePrefix = "br" the created interface br8 has the following parameters:

$ ip a show dev br8
13: br8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether ea:99:c5:cb:ee:c2 brd ff:ff:ff:ff:ff:ff
inet brd scope global br8
valid_lft forever preferred_lft forever
inet brd scope global noprefixroute br8
valid_lft forever preferred_lft forever
inet6 fe80::6913:be7d:9634:8360/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::e899:c5ff:fecb:eec2/64 scope link
valid_lft forever preferred_lft forever

The RADIUS server

The RADIUS server has the role of authorising devices that want to connect to software AP. The server uses the RADIUS protocol (RFC2865) to send access requests with specific VLAN configuration to receive an access/reject. For instance, when a device with the MAC address 11:22:33:44:55:66 wants to connect to the software WiFi AP, the radius server will return an Access-Accept code with the corresponding VLAN attribute. Subsequently, the software AP will assign the device with the MAC 11:22:33:44:55:66 the interface that has the corresponding VLAN given by the Access-Accept status code attribute.

The config.ini parameters for the RADIUS server are as follows:

# The UDP port for the RADIUS server
port = 1812
# The IP of the client (in our case it is the software AP)
# that will connect to the RADIUS server
clientIP = ""
# The netmask of the client
clientMask = 32
# The IP of the RADIUS server to which it binds to
serverIP = ""
serverMask = 32
# The key used to encrypt the communication between the
# client and RADIUS server
secret = "radius"

Software AP

The network management also has the role of creating the configuration for the WIFI software AP. The role of the AP is to create a WIFI communication channel between devices and the router. edgesec uses hostapd is its default software AP.

The config.ini parameters for the sofware AP are as follows:

# The absolute path to `hostapd` binary
apBinPath = "./hostapd"
# The absolute path to the generated `hostapd` configuration file
apFilePath = "/tmp/hostapd.conf"
# The absolute path to the `hostapd` log file
apLogPath = "/tmp/hostapd.log"
# The parameter correspoding to the interface assigned for the WIFI modem
interface = "wlan0"
device = "radio1"
vlanTaggedInterface = ""
ssid = "IOTH_TEST"
wpaPassphrase = "1234554321"
driver = "nl80211"
hwMode = "g"
channel = 11
wmmEnabled = 1
authAlgs = 1
wpa = 2
wpaKeyMgmt = "WPA-PSK"
rsnPairwise = "CCMP"
ctrlInterface = "/var/run/hostapd"
macaddrAcl = 2
dynamicVlan = 1
vlanFile = "/tmp/hostapd.vlan"
loggerStdout = -1
loggerStdoutLevel = 0
loggerSyslog = -1
loggerSyslogLevel = 0
ignoreBroadcastSsid = 0
wpaPskRadius = 2

where for OpenWRT systems apBinPath=/sbin/wifi points to the WIFI configuration script and device = "radio1" is the parameter denoting the index of the radio used to configure the WIFI modem. The name of the WIFI AP is given by the paremeter ssid. If generateSsid from config.ini is set ot true, the ssid parameter will be assign to the hostname of the router. The default encryption key for the WIFI is given by the parameter wpaPassphrase. This encryption key will be shared by all connected WIFI devices, if the RADIUS server doesn't assign a different encryption key for a specific device.

All the remaining parameters vlanTaggedInterface, hwMode, channel, wmmEnabled, authAlgs, wpa, wpaKeyMgmt, rsnPairwise, ctrlInterface, macaddrAcl, dynamicVlan, vlanFile, loggerStdout, loggerStdoutLevel, loggerSyslog , loggerSyslogLevel, ignoreBroadcastSsid and wpaPskRadius are similar to the ones defined for hostapd.conf.

DHCP service

The DHCP service allocates IP addreses from a given range to newly connected devices. Each IP address corresponds to a given configured subnet.

edgesec uses dnsmasq is its default DHCP server. For OpenWRT systems the DHCP server configuration is managed by the uci API. This is done by setting the USE_UCI_SERVICE option to ON.

The config.ini parameteres for the DHCP service are as follows:

# The absolute path to the dnsmasq executable
# (for OpenWRT systems this path is /etc/init.d/dnsmasq)
dhcpBinPath = "/usr/sbin/dnsmasq"
# The absolute path to the dnsmasq configuration file
# (for non OpenWRT this file is generated by edgesec)
dhcpConfigPath = "/tmp/dnsmasq.conf"
# The absolute path to the IP leases file
dhcpScriptPath = "/tmp/"
# The absolute path to the DHCP control script file, which has the role of
# sending the allocated IP address to the edgesec
dhcpLeasefilePath = "/tmp/dnsmasq.leases"
dhcpRange0 = "0,,,,24h"
dhcpRange1 = "1,,,,24h"
dhcpRange2 = "2,,,,24h"
dhcpRange3 = "3,,,,24h"
dhcpRange4 = "4,,,,24h"
dhcpRange5 = "5,,,,24h"
dhcpRange6 = "6,,,,24h"
dhcpRange7 = "7,,,,24h"
dhcpRange8 = "8,,,,24h"
dhcpRange9 = "9,,,,24h"
dhcpRange10 = "10,,,,24h"

where the dhcpRange* parameter configures the IP allocation settings for the DHCP server. The first setting denotes the VLAN index. The second and third settings the pool of IP addresses. The last setting denotes the lease time for the allocated IP address.

For dnsmasq the control script file is as follows:

str="SET_IP $1 $2 $3"

nccheck="$(nc -help 2>&1 >/dev/null | grep 'OpenBSD netcat')"
if [ -z "$nccheck" ]
echo "Using socat"
command="socat - UNIX-CLIENT:$sockpath"
echo "Using netcat"
command="nc -uU $sockpath -w2 -W1"

echo "Sending $str ..."

where the sockpath variable is the absolute path to the supervisor control socket. The above script is executed by the dnsmasq process with three input parameters: device MAC address, allocated IP address and allocation type. See dnsmasq.conf.example docs for more details for the parameters. The script sends the SET_IP command with the three parameters to the supervisor control socket using netcat or socat, whichever is installed.