Create or Configure Loopback Interface

Loopbacks are not physical interfaces and as such cannot be attached to a firewall zone; firewall zone or policy rules must be created for whatever interface you are connecting over. Service translations can be created through the firewall/service_translation endpoint to change the source address of outbound packets to the loopback address.

To create a loopback, navigate to the physifs endpoint and set the media to loopback:

CREATE A LOOPBACK IN CONFIG SHELL

config: physif
config(physif): add loop
config(physif loop): media loopback
config(physif loop): enabled true
config(physif loop): apply
Creating entity physif item loop.

CREATE A LOOPBACK IN OGCLI

ogcli create physif << 'END'
device="loop"
enabled=true
media="loopback"
END

ADD AN ADDRESS TO A LOOPBACK INTERFACE

To add an address to a loopback interface, navigate to the conns endpoint and attach an ipv4 or ipv6 static address to the loopback (dhcp and ipv6_automatic are invalid for loopbacks):

ADD AN ADDRESS IN CONFIG SHELL

config: conn
config(conn): add new
config(conn new): mode static
config(conn new): physif loop
config(conn new): ipv4_static_settings
config(conn new ipv4_static_settings): address 10.0.0.1
config(conn new ipv4_static_settings): netmask 255.255.255.0
config(conn new ipv4_static_settings): apply
Creating entity conn item new.

ADD AN ADDRESS IN OGCLI

ogcli create conn << 'END'
mode="static"
physif="loop"
ipv4_static_settings.address="10.0.0.1"
ipv4_static_settings.netmask="255.255.255.255"
END

In the above example the physif is set to loop. Do not set the broadcast_address and gateway_address for loopback interfaces.

Create Source NAT Rules

Note: A service translation rule translates the source IP of traffic to a required source IP address. To change the source address of outbound packets for a particular service, add a service_translation rule, as in the following example:

The following rule contains a list of outbound services along with the changed source address for the service packets. Navigating to the firewall/service_translation endpoint, you can add a new translation rule by using the add command. Note: Only services which use tcp or udp protocols are valid.

config(firewall/service_translation 10.0.0.1): show
Entity firewall/service_translation item 10.0.0.1
  address 10.0.0.1
  services (array)
     0 ssh
     1 https

If a service translation rule contains an address that does not exist on the box, a warning message is shown when creating the rule; however, it will not prevent these rules being created. See the following:

config(firewall/service_translation): add 10.0.0.2
  WARNING: The IP entered does not exist as a known IPv4 or IPv6 address.
  If this is expected, you can safely ignore this message.

If required, source NAT may be used for all tcp and udp traffic leaving the box by adding the service all-tcp-udp to the service list:

config(firewall/service_translation 10.0.0.1): show
Entity firewall/service_translation item 10.0.0.1
  address 10.0.0.1
  services (array)
     0 all-tcp-udp

Notes:
  • There must be either a static or dynamic route to the loopback address from which you are connecting to the device.

  • Source NAT is not used for packets on the cell interface wwan0. A VPN can be set up over the cell interface if the loopback address is used over cell; dynamic routing must be configured over the VPN to share the route to the loopback address.

REST API

The firewall/service_translation endpoint is used to create nftables rules which configure source NATs for outgoing service traffic. This replaces the outgoing IP address of a service packet with the address given in the service_translation. This is done for all services within the service translation rule.

"service_translation" : {
   "address": "A.B.C.D",
   "services": []
}

The address can be ipv4 or ipv6 (no netmask required), and does not have to exist on the box (a warning is presented if the address does not exist).

The list of services is a list of strings of service names. The outbound services must already be defined on the box, either as a predefined firewalld service or as a custom user service.
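The constraints stated above (a loopback conn must be static with no broadcast_address or gateway_address; a service_translation takes a bare IPv4/IPv6 address and a non-empty list of service names, and only warns when the address is not on the box) can be checked before a body is sent to the REST API. This is an added example, not Opengear code; the conn and translation dictionaries it reads are the shapes shown on this page, and the `local_addresses` parameter is an assumption standing in for the box's known addresses.

```python
import ipaddress

# Rules from this page; keys match the config shell / ogcli examples above.
LOOPBACK_INVALID_MODES = {"dhcp", "ipv6_automatic"}
LOOPBACK_FORBIDDEN_KEYS = {"broadcast_address", "gateway_address"}


def check_loopback_conn(conn):
    """Return a list of problems with a conn attached to a loopback physif."""
    problems = []
    mode = conn.get("mode")
    if mode in LOOPBACK_INVALID_MODES:
        problems.append(f"mode {mode!r} is invalid for a loopback")
    elif mode != "static":
        problems.append("a loopback conn must use mode static")
    # Only ipv4_static_settings appears on this page; an ipv6 equivalent
    # would be checked the same way.
    settings = conn.get("ipv4_static_settings", {})
    for key in sorted(LOOPBACK_FORBIDDEN_KEYS & set(settings)):
        problems.append(f"ipv4_static_settings.{key} must not be set on a loopback")
    return problems


def build_service_translation(address, services, local_addresses=()):
    """Build the firewall/service_translation body; return (body, warnings).

    local_addresses is an assumed list of addresses configured on the box,
    used to reproduce the non-fatal warning shown by the config shell.
    """
    if "/" in address:
        raise ValueError("service_translation address takes no netmask")
    ipaddress.ip_address(address)  # raises ValueError on a malformed address
    if not services or any(not isinstance(s, str) or not s for s in services):
        raise ValueError("services must be a non-empty list of service names")
    warnings = []
    if address not in local_addresses:
        warnings.append(
            f"WARNING: {address} does not exist as a known IPv4 or IPv6 address")
    body = {"service_translation": {"address": address, "services": list(services)}}
    return body, warnings


if __name__ == "__main__":
    # Constructed sample: the conn from this page plus a forbidden gateway.
    conn = {"mode": "static", "physif": "loop",
            "ipv4_static_settings": {"address": "10.0.0.1",
                                     "netmask": "255.255.255.255",
                                     "gateway_address": "10.0.0.254"}}
    print(check_loopback_conn(conn))
    print(build_service_translation("10.0.0.2", ["ssh", "https"], ["10.0.0.1"]))
```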

Logging and Debugging

You can ping the loopback address like any other interface. You must have a static or dynamic route to the loopback in order to reach it.

  • Use the command ip a to display the configured interfaces and their addresses, including the loopback.

  • Conman logs information about creating or deleting loopback interfaces, and connections attached to loopback interfaces, in /var/log/message.

  • When loopback interfaces are created, the generated configuration should appear in /etc/config/conman.conf.

  • Use the command tcpdump on interfaces connected to the device to see source NAT traffic.

  • Source NAT rules can be found under /etc/nftables/og-service-snat/og-service-snat.conf, or use the command nft list ruleset to check for rules under the service SNAT tables.