swconfig The newer swconfig framework is intended to replace the legacy switch configuration.

The typical filepath for the config is /etc/config/network Swconfig based configurations have a different structure with one extra section per vlan. The example below shows a typical configuration:
config 'switch' 'eth0' option 'reset' '1' option 'enable_vlan' '1' config 'switch_vlan' 'eth0_1' option 'device' 'eth0' option 'vlan' '1' option 'ports' '0 1 2 3 5t' config 'switch_vlan' 'eth0_2' option 'device' 'eth0' option 'vlan' '2' option 'ports' '4 5t'

Common properties are defined within the switch section, vlan specific properties are located in additional switch_vlan sections linked to the switch section through the device option. The complete layout is explained in the switch documentation.

Interfaces
Sections of the type interface declare logical networks serving as container for ip address settings, aliases, routes, physical interface names and firewall rules - they play a central role within the OpenWrt configuration concept. A minimal interface declaration consists of the following lines:
config 'interface' 'wan' option 'proto' 'dhcp' option 'ifname' 'eth0.1' wan is a unique logical interface name dhcp specifies the interface protocol, DHCP in this example eth0.1 is the physical interface associated with this section

The interface protocol may be one of the following: Protocol

static dhcp

Description Program Static configuration with fixed address and netmask ip/ifconfig udhcpc (Busybox) Address and netmask are assigned by DHCP

ppp pppoe pppoa 3g pptp 6in4 6to4 none

PPP protocol - dialup modem connections PPP over Ethernet - DSL broadband connection PPP over ATM - DSL connection using a builtin modem CDMA, UMTS or GPRS connection using an ATstyle 3G modem Connection via PPtP VPN IPv6-in-IPv4 tunnel for use with Tunnel Brokers like HE.net Stateless IPv6 over IPv4 transport Unspecified protocol

pppd pppd + plugin rppppoe.so pppd

+ plugin

comgt

? ? ? -

Depending on the used interface protocol several other options may be required for a complete interface declaration. The corresponding options for each protocol are listed below. Options marked as "yes" in the "Required" column must be defined in the interface section if the corresponding protocol is used, options marked as "no" may be defined but can be omitted as well. Options valid for all protocol types Name Type Required Default Description Physical interface name to assign to this section, list of interfaces if type bridge is set. (*) This option may be empty or missing if only a wireless interface references this network or if the protocol type is pptp, pppoa or 6in4 If set to "bridge", a bridge containing the given ifnames is created Only valid for type "bridge", enables the Spanning Tree Protocol Override MAC address of this interface Override the default MTU on this interface Specifies whether to bring up interface on boot Specifies whether to accept IPv6 Router Advertisements on this interface Specifies whether to send Router Solicitations on this interface

ifname

interface name(s)

yes(*)

(none)

type stp macaddr mtu auto

string boolean mac address number boolean boolean

no no no no no no

(none)
0

(none) (none) 0 for proto none, else 1 1 for protocol dhcp, else 0 1 for protocol static, else
0

accept_ra

send_rs

boolean

no

Protocol "static" Name

ipaddr netmask gateway

Type ip address netmask ip address

(none) Default gateway Broadcast address (autogenerated if broadcast ip address no (none) not set) yes, if no ipaddr Assign given IPv6 address to this ip6addr ipv6 address (none) interface (CIDR notation) is set Assign given IPv6 default gateway to ip6gw ipv6 address no (none) this interface list of ip dns no (none) DNS server(s) addresses Specifies the default route metric to metric 0 integer no use Protocol "dhcp" Name
gateway broadcast hostname clientid vendorclass dns metric reqopts

Required yes, if no ip6addr is set yes, if no ip6addr is set no

Default (none) IP address (none) Netmask

Description

Type string boolean string string string list of ip addresses integer list of strings

Required Default no no no no no no no no (none)

0

(none) system default system default (none)

0

Description Supresses DHCP-assigned default gateway if set to 0.0.0.0 Enable the broadcast flag in DHCP requests, required for certain ISPs, e.g. Charter with DOCSIS 3 Hostname to include in DHCP requests Override client identifier in DHCP requests Override the vendor class in DHCP requests Override DHCP-assigned DNS server(s) Specifies the default route metric to use Specifies a list of additional DHCP options to request

(none)

Protocol "ppp" (PPP over Modem) The package ppp must be installed to use PPP. Name Type Required Default Description

device username password connect disconnect keepalive demand defaultroute peerdns dns ipv6 pppd_options

file path string string file path file path number number boolean boolean list of ip addresses boolean string

yes no(?) no(?) no no no no no no no no no

(none) (none) (none) (none) (none)

Modem device node Username for PAP/CHAP authentication Password for PAP/CHAP authentication Path to custom PPP connect script Path to custom PPP disconnect script Number of connection failures before (none) reconnect Number of seconds to wait before (none) closing the connection due to inactivity Replace existing default route on PPP 1 connect 1 Use peer-assigned DNS server(s) (none) Override peer-assigned DNS server(s) Enable IPv6 on the PPP link Additional command line arguments to (none) pass to the pppd daemon
0

Protocol "pppoe" (PPP over Ethernet) The package ppp-mod-pppoe must be installed to use PPPoE. Name
username password connect disconnect keepalive demand defaultroute peerdns dns ipv6 pppd_options

Type string string file path file path number number boolean boolean list of ip addresses boolean string

Required Default Description no(?) (none) Username for PAP/CHAP authentication no(?) (none) Password for PAP/CHAP authentication no (none) Path to custom PPP connect script no (none) Path to custom PPP disconnect script Number of connection failures before no (none) reconnect Number of seconds to wait before no (none) closing the connection due to inactivity Replace existing default route on PPP 1 no connect 1 no Use peer-assigned DNS server(s) no no no (none) Override peer-assigned DNS server(s) Enable IPv6 on the PPP link Additional command line arguments to (none) pass to the pppd daemon
0

Protocol "pppoa" (PPP over ATM AAL5)

The package ppp-mod-pppoa must be installed to use PPPoA. Name

vci vpi atmdev

Type number number number string string string file path file path number number boolean boolean list of ip addresses boolean string

encaps username password connect disconnect keepalive demand defaultroute peerdns dns ipv6 pppd_options

Required Default Description 35 no PPPoA VCI 8 no PPPoA VPI Specifies the ATM adapter number starting with 0. Most systems only have 0 no one ATM device and do not need this option PPPoA encapsulation mode: 'llc' (LLC) or llc no 'vc' (VC) no(?) (none) Username for PAP/CHAP authentication no(?) (none) Password for PAP/CHAP authentication no (none) Path to custom PPP connect script no (none) Path to custom PPP disconnect script Number of connection failures before no (none) reconnect Number of seconds to wait before closing no (none) the connection due to inactivity Replace existing default route on PPP 1 no connect 1 no Use peer-assigned DNS server(s) no no no (none) Override peer-assigned DNS server(s) Enable IPv6 on the PPP link Additional command line arguments to (none) pass to the pppd daemon
0

Protocol "3g" (PPP over EV-DO, CDMA, UMTS or GRPS) The package comgt must be installed to use 3G. Check 3gdongle for further help with that. Name
device service apn pincode maxwait username password

Type file path string string number number string string

Required Default Description yes (none) Modem device node umts 3G service type: cdma/evdo, umts yes yes (none) Used APN no (none) PIN code to unlock SIM card Number of seconds to wait for modem to 20 no become ready no(?) (none) Username for PAP/CHAP authentication no(?) (none) Password for PAP/CHAP authentication

keepalive demand defaultroute peerdns dns ipv6

number number boolean boolean list of ip addresses boolean

no no no no no no

Number of connection failures before reconnect Number of seconds to wait before (none) closing the connection due to inactivity Replace existing default route on PPP 1 connect 1 Use peer-assigned DNS server(s) (none) (none) Override peer-assigned DNS server(s)
0

Enable IPv6 on the PPP link

Protocol "pptp" (Point-to-Point Tunneling Protocol) The package pptp must be installed to use PPtP. There is a separate Howto for this: vpn.client.pptp Type Required Default Description ip server yes (none) Remote PPtP server address Interface protocol used to obtain IP connectivity ipproto dhcp string no before establishing PPtP tunnel username string no(?) (none) Username for PAP/CHAP authentication password string no(?) (none) Password for PAP/CHAP authentication Enables buffering and reordering of packets, 0 buffering boolean no 1 disables it (nobuffer) keepalive integer no ? Number of attempts to reconnect pptpName of the physical interface. Defaults to iface string no(?) vpn pptp-vpn no matter what you use Additionally all options defined for the corresponding ipproto can be specified Protocol "6in4" (IPv6-in-IPv4 Tunnel) The package 6in4 must be installed to use this protocol. Name
ipaddr peeraddr ip6addr

Name

Type IPv4 address IPv4 address IPv6 address (CIDR)

Required no yes yes

Default Description Current WAN Local IPv4 endpoint address IPv4 address (none) (none) Remote IPv4 endpoint address Local IPv6 address delegated to the tunnel endpoint

defaultroute ttl mtu wan_device tunnelid username password metric

boolean integer integer string integer string string integer

no no no no no no no no

1 64 1280

(none) (none) (none) (none)

0

Whether to create an IPv6 default route over the tunnel TTL used for the tunnel interface MTU used for the tunnel interface Interface from where client IPv4 endpoint address is derived (used for endpoint update) HE.net global tunnel ID (used for endpoint update) HE.net user ID (used for endpoint update) HE.net password (used for endpoint update) Specifies the default route metric to use

Note: This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface sixbone would result in an interface named 6in4-sixbone. Protocol "6to4" (IPv6-in-IPv4 Tunnel) The package 6to4 must be installed to use this protocol. Name
ipaddr

defaultroute ttl mtu

adv_interface adv_subnet

Type Required Default Description Current IPv4 WAN no Local IPv4 endpoint address address IPv4 address Whether to create an IPv6 1 boolean no default route over the tunnel TTL used for the tunnel 64 integer no interface MTU used for the tunnel 1280 integer no interface The logical interface name of the network the subnet should lan string no be advertised on. Multiple interface names can be given. 1 hex no A subnet ID between 1 and number FFFF which selects the advertised /64 prefix from the mapped 6to4 space. The subnet ID is incremented by 1 for

adv_valid_lifetime

integer no

300

adv_preferred_lifetime

integer no integer no

120

metric

every interface specified in adv_interface. Overrides the advertised valid prefix lifetime, in seconds (see also radvd prefix options) Overrides the advertised preferred prefix lifetime, in seconds (see also radvd prefix options) Specifies the default route metric to use

Note: This protocol type does not need an ifname option set in the interface section. The interface name is derived from the section name, e.g. config interface wan6 would result in an interface named 6to4-wan6. Note: If radvd is installed an enabled, the 6to4 scripts will add a temporary prefix and interface declaration to the radvd uci configuration and perform a daemon restart if required. Protocol "l2tp" (L2TP Pseudowire Tunnel) The package l2tpv3tun must be installed to use this protocol. This protocol is only supported on 2.6.35 and newer kernels. Name
localaddr

Type IPv4 address IPv4 address IPv6 address IPv6 address string

peeraddr local6addr peer6addr encap sport

Required Default yes, if no local6addr is (none) set yes, if no (none) peer6addr is set yes, if no (none) localaddr is set yes, if no (none) peeraddr is set no
udp 1701

Description Local IPv4 endpoint address Remote IPv4 endpoint address Local IPv6 endpoint address Remote IPv6 endpoint address L2TPv3 encapsulation mode, either ip or udp L2TPv3 source port, only applicable to UDP encapsulation L2TPv3 destination port, only applicable to UDP encapsulation Local L2TPv3 tunnel ID

port no number port no number integer no

dport tunnel_id

1701

Next unused

peer_tunnel_id session_id peer_session_id

integer integer integer

no no no

tunnel ID Value of

tunnel_id

Remote L2TPv3 tunnel ID Local L2TPv3 session ID Remote L2TPv3 session ID

Next unused session ID Value of

session_id

Additionally all options defined for the static protocol type can be specified Protocol "relay" (Relayd Pseudo Bridge) The package relayd must be installed to use this protocol. Name
network gateway expiry retry table forward_bcast

Type Required Default list of logical yes (none) interface names IPv4 address integer integer integer boolean boolean no no no no no no (network default)
30 5 16800 1

forward_dhcp

Description Specifies the networks between which traffic is relayed Override the gateway address sent to clients within DHCP responses Host expiry timeout in seconds Number of ARP ping retries before a host is considered dead Table ID for automatically added routes Enables forwarding of broadcast traffic, 0 disables it Enables forwarding of DHCP requests and responses, 0 disables it

ATM Bridges (Ethernet over ATM AAL5)

The package br2684ctl must be installed to use Ethernet over AAL5. ATM bridges use a special config section called atm-bridge. Each atm-bridge section maps the specified ATM curcuit an atm# pseudo ethernet device which can be used for example in conjunction with pppoe to establish a DSL connection to the ISP. A typical bridge section looks like this:
config atm-bridge option unit option vpi option vci '0' '8' '35'

Unit 0 will let br2684ctl create a nas0 pseudo device VPI 0 and VCI 35 specifies the circuit to bridge. Those values are ISP dependant.

The atm-bridge section allows the following options: Name

unit vci vpi atmdev encaps

Type Required Default number yes number no number no number no no no

string payload string

Description Specifies the br2684 interface number. If ommitted, 0 0 is assumed which would result in a nas0 pseudo interface. 35 PPPoA VCI 8 PPPoA VPI Specifies the ATM adapter number starting with 0. 0 Most systems only have one ATM device and do not need this option llc PPPoA encapsulation mode: 'llc' (LLC) or 'vc' (VC) bridged PPPoA forwarding mode: 'routed' or 'bridged'

Aliases
Alias sections can be used to define further IPv4 and IPv6 addresses for interfaces. They also allow combinations like DHCP on the main interface and a static IPv6 address in the alias, for example to deploy IPv6 on wan while keeping normal internet connectivity. Each interface can have multiple aliases attached to it. A minimal alias declaration consists of the following lines:
config 'alias' option option option option 'interface' 'lan' 'proto' 'static' 'ipaddr' '10.0.0.1' 'netmask' '255.255.255.0'

lan is the logical interface name of the parent static is the alias interface protocol 10.0.0.1 specifies the alias ip address 255.255.255.0 specifies the alias netmask

interface

At the time of writing, only the static protocol type is allowed for aliases. Defined options for alias sections are listed below. Name
interface proto

Type string string

Required yes yes

Description Specifies the logical interface name of the parent (or master) interface this alias is (none) belonging to, must refer to one of the defined interface sections (none) Specifies the alias interface protocol

Default

yes, if no ip address ip6addr is (none) set yes, if no netmask ip6addr is (none) netmask set gateway ip address no (none) broadcast ip address no (none) yes, if no ipv6 ip6addr (none) ipaddr is set address ipv6 ip6gw no (none) address list of ip dns no (none) addresses
ipaddr

IP address

Netmask Default gateway Broadcast address (autogenerated if not set) IPv6 address (CIDR notation) IPv6 default gateway DNS server(s) Selects the interface to attach to for stacked protocols (tun over bridge over eth, ppp over eth or similar). 3: attach to layer 3 interface (tun*, ppp* if parent is layer 3 else fallback to 2) 2: attach to layer 2 interface (br-* if parent is bridge else fallback to layer 1) 1: attach to layer 1 interface (eth*, wlan*)

layer

integer

no

IPv4 Routes
It is possible to define arbitary IPv4 routes on specific interfaces using route sections. As for aliases, multiple sections can be attached to an interface. A minimial example looks like this:
config 'route' option 'interface' 'lan' option 'target' '172.16.123.0' option 'netmask' '255.255.255.0' lan is the logical interface name of the parent interface 172.16.123.0 is the network address of the route 255.255.255.0 specifies the route netmask

Legal options for IPv4 routes are: Name

interface

Type string

Required Default yes (none)

Description Specifies the logical interface name of the parent (or master) interface this route is belonging to, must refer to one of the defined interface sections

target

ip yes address netmask no

(none) (none)

Network address Route netmask. If ommitted, 255.255.255.255 is assumed which makes target a host address Network gateway. If ommitted, the gateway from the parent interface is taken, if set to 0.0.0.0 no gateway will be specified for the route Specifies the route metric to use

netmask

gateway

ip no address number no number no

(none)
0

metric mtu

interface Define a specific MTU for this route MTU

IPv6 Routes
IPv6 routes can be specified as well by defining one or more route6 sections. A minimial example looks like this:
config 'route6' option 'interface' 'lan' option 'target' '2001:0DB8:100:F00:BA3::1/64' option 'gateway' '2001:0DB8:99::1' lan is the logical interface name of the parent interface 2001:0DB8:100:F00:BA3::1/64 is the routed IPv6 subnet in 2001:0DB8:99::1 specifies the IPv6 gateway for this route

CIDR notation

Legal options for IPv6 routes are: Name

interface

Type string

Required Default yes (none) (none) (none)

0

Description Specifies the logical interface name of the parent (or master) interface this route is belonging to, must refer to one of the defined interface sections IPv6 network address IPv6 gateway. If ommitted, the gateway from the parent interface is taken Specifies the route metric to use

target gateway metric mtu

ipv6 yes address ipv6 no address number no number no

interface Define a specific MTU for this route MTU

Examples

Below are a few examples for special, non-standard interface configurations.

Bridge without IP
config 'interface' 'example' option 'type' 'bridge' option 'proto' 'none' option 'ifname' 'eth0 eth1' option 'auto' '1'

DHCP without default gateway

config 'interface' 'example' option 'proto' 'dhcp' option 'ifname' 'eth0' option 'gateway' '0.0.0.0'

DHCP and IPv6

config 'interface' 'example' option 'proto' 'dhcp' option 'ifname' 'eth0' config 'alias' option 'interface' 'example' option 'proto' 'static' option 'ip6addr' '2001:0DB8:100:F00:BA3::1'

Static IP configuration and default gateway with non-zero metric

config 'interface' 'example' option 'proto' 'static' option 'ifname' 'eth0' option 'ipaddr' '192.168.1.200' option 'netmask' '255.255.255.0' option 'dns' '192.168.1.1' config 'route' option option option option option 'interface' 'target' 'netmask' 'gateway' 'metric' 'example' '0.0.0.0' '0.0.0.0' '192.168.1.1' '100'

PPtP-over-PPPoE internet connection

config 'interface' 'wan' option 'proto' option 'ifname' option 'username' option 'password' option 'timeout' 'pppoe' 'eth1' 'user' 'pass' '10'

config 'interface' 'vpn' option 'proto' option 'ifname' option 'username' option 'password' option 'server'

'pptp' 'vpn' 'vpnuser' 'vpnpass' 'vpn.example.org'

Additionally the "wan" firewall zone must include both interfaces in

/etc/config/firewall: config 'zone' option option option option option option

'name' 'network' 'input' 'forward' 'output' 'masq'

'wan' 'wan vpn' 'REJECT' 'REJECT' 'ACCEPT' '1'

# Important

Static IPv6-in-IPv4 tunnel

The example below illustrates a static tunnel configuration for the Hurricane Electric (he.net) broker. Option ipaddr specifies the local IPv4 address, peeraddr is the broker IPv4 address and ip6addr the local IPv6 address routed via the tunnel.
config 'interface' 'henet' option 'proto' option 'ipaddr' option 'peeraddr' option 'ip6addr' '6in4' '178.24.115.19' '216.66.80.30' '2001:0DB8:1f0a:1359::2/64'

To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in
/etc/config/firewall: config 'zone' option option option option option option

'name' 'network' 'input' 'forward' 'output' 'masq'

'wan' 'wan henet' 'REJECT' 'REJECT' 'ACCEPT' '1'

# Important

If you define a new, dedicated zone just for the tunnel interface, make sure to set option conntrack 1 in order to force enabling connection tracking, otherwise unidirectional forwarding rules will not work.

Dynamic IPv6-in-IPv4 tunnel (HE.net only)

The example below illustrates a dynamic tunnel configuration for the Hurricane Electric (he.net) broker with enabled IP update. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
config 'interface' 'henet' option 'proto' option 'peeraddr' option 'ip6addr' option 'tunnelid' option 'username' option 'password' '6in4' '216.66.80.30' '2001:0DB8:1f0a:1359::2/64' '12345' '098f6bcd4621d373cade4e832627b4f6' 'secret'

To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" firewall zone, see example above for details.

L2TPv3 Pseudowire bridged to LAN

This example establishes a Pseudowire Tunnel and bridges it to the LAN ports. The existing lan interface is reused with protocol l2tp instead of static.
config 'interface' 'lan' option 'proto' option 'type' option 'ifname' option 'ipaddr' option 'netmask' option 'localaddr' option 'peeraddr' option 'encap' option 'sport' option 'dport' 'l2tp' 'bridge' 'eth0' '192.168.1.1' '255.255.255.0' '178.24.154.19' '89.44.33.61' 'udp' '4000' '5410'

Relay between LAN and Wireless Station

This example setups a relayd pseudo bridge between a wireless client network and LAN, so that it works similar to the Broadcom Bridged Client mode. Wireless configuration (excerpt):
config wifi-iface option 'device' option 'mode' option 'ssid' option 'encryption' option 'key' option 'network' 'radio0' 'sta' 'Some Wireless Network' 'psk2' '12345678' 'wwan'

Network configuration (excerpt): Note that the LAN subnet must be different from the one used by wireless network's DHCP.
config 'interface' 'lan' option 'ifname' option 'proto' option 'ipaddr' option 'netmask' config 'interface' 'wwan' option 'proto' 'eth0.1' 'static' '192.168.1.1' '255.255.255.0' 'dhcp'

config 'interface' 'stabridge' option 'proto' 'relay' option 'network' 'lan wwan'

In contrast to true bridging, traffic forwarded in this manner is affected by firewall rules, therfore both the wireless client network and the lan network should be covered by the same LAN firewall zone with forward policy set to accept to allow traffic flow between both interfaces:
config 'zone' option option option option option 'name' 'network' 'input' 'forward' 'output' 'lan' 'lan wwan' 'ACCEPT' 'ACCEPT' 'ACCEPT'

# Important # Important

Network management
The complete network configuration can be re-applied by running /etc/init.d/network restart. Individual interfaces can be brought up with ifup name or down with ifdown name where name corresponds to the logical interface name of the corresponding config interface section. An ifup implies a prior ifdown so there is no need to invoke both when reloading an interface. Note that wireless interfaces are managed externally and ifup may break the relation to existing bridges. In such a case it is required to run wifi up after ifup in order to reestablish the bridge connection.

Determining Linux interface names

In order to derive a Linux interface name like eth1 from a logical network name like wan for use in scripts or tools like ifconfig and route the uci utility can be used like illustrated in the iptables example below which opens port 22 on the interface.
WANIF=$(uci -P/var/state get network.wan.ifname)

iptables -I INPUT -i $WANIF -p tcp --dport 22 -j ACCEPT

Back to top doc/uci/network.txt Last modified: 2011/08/07 15:30 by nbd