What is Stelleri?
A software-defined networking platform designed by Ravenhammer Research Inc:
- Built on system calls/ioctl; no popen/exec/subprocess.
- Object-oriented design; available in a "lite" edition, with NETCONF support coming soon. Written for FreeBSD but designed with portability in mind.
- Fluent, reproducible syntax; configuration loaded from disk is 1:1 with configuration entered on the command line.
- Interactive or one-shot; interactive mode features intellisense and auto-completion (of keywords, in context, and also of IDs/names). You can configure interfaces/routes manually, then export the configuration for reproduction.
- Tabular and single-interface summaries; view interfaces by type with type-specific columns, or all information about a single interface. There is also a common interface table for viewing inet4/inet6 configuration, while type-specific tables show type-specific data: the bridge table, for example, lists all bridges with verticals on columns such as the bridge members.
- Clean, readable interface and route table summaries.
Example Zimaboard router
Setting up a secure home router with Stelleri is easy. This first example uses a Zimaboard device with two 1GbE ports:
FreeBSD-specific configuration
set vrf fibs 255
Configure physical interface defaults
set interface name re0 mtu 1500 status up
set interface name re1 mtu 1500 status up
Configure a link aggregate interface
set interface name lagg0 type lagg member re0 member re1 status up
Configure VRF-lite
set vrf id 2 alias mgmt
set vrf id 3 alias wan
set vrf id 4 alias lan
set vrf id 5 alias wifi
Configure VLAN interfaces
set interface name lagg0.2 type vlan vrf mgmt vid 2 parent lagg0 status up
set interface name lagg0.3 type vlan vrf wan vid 3 parent lagg0 status up
set interface name lagg0.4 type vlan vrf lan vid 4 parent lagg0 status up
set interface name lagg0.5 type vlan vrf wifi vid 5 parent lagg0 status up
Configure VLAN addresses
set interface name lagg0.2 inet address 10.255.255.1/24
set interface name lagg0.3 inet dhcp
set interface name lagg0.4 inet address 10.1.0.1/18
set interface name lagg0.5 inet address 10.1.64.1/18
Configure VRF virtual links to core
set interface name epair0a type epair inet address 192.0.0.0/31
set interface name epair0b vrf mgmt inet address 192.0.0.1/31
set interface name epair1a type epair inet address 192.0.0.2/31
set interface name epair1b vrf wan inet address 192.0.0.3/31
set interface name epair2a type epair inet address 192.0.0.4/31
set interface name epair2b vrf lan inet address 192.0.0.5/31
set interface name epair3a type epair inet address 192.0.0.6/31
set interface name epair3b vrf wifi inet address 192.0.0.7/31
Routes
Routes that do not specify a VRF are configured in the default (core) routing table.
WAN routes
set route protocol static dst 0.0.0.0/0 nh 192.0.0.3
set route protocol static dst 10.0.0.0/8 nh 192.0.0.2 vrf wan
LAN routes
set route protocol static dst 10.1.0.0/18 nh 192.0.0.5
set route protocol static dst 0.0.0.0/0 nh 192.0.0.4 vrf lan
WiFi routes
set route protocol static dst 10.1.64.0/18 nh 192.0.0.7
set route protocol static dst 0.0.0.0/0 nh 192.0.0.6 vrf wifi
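The rule that a route without a vrf keyword lands in the core table is easy to get wrong by omission. The following added checker (example code, not part of Stelleri) parses a constructed excerpt of the configuration above in the page's own syntax and flags any static route whose next-hop is not another host on a subnet directly connected within that route's VRF; the last line of the excerpt is a deliberate mistake with the vrf keyword dropped.

```python
import ipaddress

# Constructed excerpt of the Zimaboard configuration above (lan VRF only),
# plus one deliberate mistake: the last route omits "vrf lan".
CONFIG = """
set interface name lagg0.4 type vlan vrf lan vid 4 parent lagg0 status up
set interface name lagg0.4 inet address 10.1.0.1/18
set interface name epair2a type epair inet address 192.0.0.4/31
set interface name epair2b vrf lan inet address 192.0.0.5/31
set route protocol static dst 10.1.0.0/18 nh 192.0.0.5
set route protocol static dst 0.0.0.0/0 nh 192.0.0.4 vrf lan
set route protocol static dst 0.0.0.0/0 nh 192.0.0.4
"""

def parse_config(text):
    """Collect per-interface VRF and addresses, and static routes as
    (dst, nh, vrf). Anything without a vrf keyword lands in "core"."""
    ifaces, routes = {}, []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "interface", "name"]:
            entry = ifaces.setdefault(tok[3], {"vrf": "core", "addrs": []})
            for i, t in enumerate(tok):
                if t == "vrf":
                    entry["vrf"] = tok[i + 1]
                elif t == "address":
                    entry["addrs"].append(ipaddress.ip_interface(tok[i + 1]))
        elif tok[:2] == ["set", "route"]:
            kv = dict(zip(tok[2::2], tok[3::2]))  # protocol/dst/nh/vrf pairs
            routes.append((kv["dst"], kv["nh"], kv.get("vrf", "core")))
    return ifaces, routes

def unreachable_next_hops(ifaces, routes):
    """Routes whose next-hop is not another host on a subnet directly
    connected within the route's own VRF. A route meant for a VRF that
    fell into core points at core's own epair address and fails this."""
    bad = []
    for dst, nh, vrf in routes:
        nh_ip = ipaddress.ip_address(nh)
        connected = any(nh_ip in a.network and nh_ip != a.ip
                        for e in ifaces.values() if e["vrf"] == vrf
                        for a in e["addrs"])
        if not connected:
            bad.append((dst, nh, vrf))
    return bad

if __name__ == "__main__":
    for dst, nh, vrf in unreachable_next_hops(*parse_config(CONFIG)):
        print(f"route {dst} via {nh} in vrf {vrf}: next-hop not directly connected")
```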
NAT
First create prefix-lists for access control; we'll use nat_src_networks and nat_dest_networks:
Set default action for policy
set policy prefix-list name nat_src_networks default-action reject
set policy prefix-list name nat_dest_networks default-action allow
Prevent NAT destined for these networks
set policy prefix-list name nat_dest_networks prefix 0.0.0.0/8 action reject
set policy prefix-list name nat_dest_networks prefix 10.0.0.0/8 action reject
set policy prefix-list name nat_dest_networks prefix 100.64.0.0/10 action reject
set policy prefix-list name nat_dest_networks prefix 127.0.0.0/8 action reject
set policy prefix-list name nat_dest_networks prefix 169.254.0.0/16 action reject
set policy prefix-list name nat_dest_networks prefix 172.16.0.0/12 action reject
set policy prefix-list name nat_dest_networks prefix 192.0.0.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 192.0.2.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 192.88.99.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 192.168.0.0/16 action reject
set policy prefix-list name nat_dest_networks prefix 198.18.0.0/15 action reject
set policy prefix-list name nat_dest_networks prefix 198.51.100.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 203.0.113.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 224.0.0.0/4 action reject
set policy prefix-list name nat_dest_networks prefix 233.252.0.0/24 action reject
set policy prefix-list name nat_dest_networks prefix 240.0.0.0/4 action reject
set policy prefix-list name nat_dest_networks prefix 255.255.255.255/32 action reject
Allow NAT from these networks
set policy prefix-list name nat_src_networks prefix 10.1.0.0/18 action accept
set policy prefix-list name nat_src_networks prefix 10.1.64.0/18 action accept
Source NAT rule
Create a source NAT rule that uses our prefix-lists for access control:
set nat source rule nr 1 outbound-interface lagg0.3 src prefix-list nat_src_networks dst prefix-list nat_dest_networks translation masquerade
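To see how the two prefix-lists combine in rule 1, here is an added evaluator (example code, not Stelleri's implementation) that transcribes the lists above and decides whether a given flow would be masqueraded. Longest-prefix matching is an assumption; with the non-overlapping entries above it gives the same answer as first-match. The destination 8.8.8.8 stands in for any public Internet address.

```python
import ipaddress

# Prefix-lists transcribed from the configuration above as
# (default-action, {prefix: action}).
NAT_SRC_NETWORKS = ("reject", {
    "10.1.0.0/18": "accept",
    "10.1.64.0/18": "accept",
})
NAT_DEST_NETWORKS = ("allow", {p: "reject" for p in [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "233.252.0.0/24", "240.0.0.0/4",
    "255.255.255.255/32",
]})

def prefix_list_action(prefix_list, addr):
    """Action for addr: that of the longest matching prefix (assumed
    semantics), or the list's default-action when nothing matches."""
    default_action, entries = prefix_list
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, action in entries.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else default_action

def nat_applies(src, dst):
    """True when source NAT rule 1 would masquerade src -> dst: the source
    must be explicitly accepted and the destination must not be rejected."""
    src_ok = prefix_list_action(NAT_SRC_NETWORKS, src) == "accept"
    dst_ok = prefix_list_action(NAT_DEST_NETWORKS, dst) != "reject"
    return src_ok and dst_ok

if __name__ == "__main__":
    # Constructed sample flows through the router above.
    flows = [("10.1.0.20", "8.8.8.8"),        # lan host -> Internet: masquerade
             ("10.1.64.5", "10.255.255.1"),   # wifi -> mgmt: RFC 1918 dst, no NAT
             ("10.255.255.9", "8.8.8.8"),     # mgmt host: not an accepted source
             ("10.1.0.20", "192.0.0.3")]      # lan -> inter-VRF link: rejected dst
    for s, d in flows:
        print(f"{s:>14} -> {d:<14} masquerade={nat_applies(s, d)}")
```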
IPv6 DHCP client options
Request prefix-delegation in the lease:
set interface name lagg0.3 inet6 dhcp pd length 56
Banana Pi Router
Supported switch hardware includes the Banana Pi but is not limited to it; supported switch chips include:
- Atheros AR8x16/AR8327
- Realtek RTL8366/RTL8367
- Marvell 88E61xx
- Netgate/ADI SoC Switches
You can configure Ethernet switch hardware with Stelleri:
Configuring ports
set switch fabric 0 vlan id 2 name mgmt
set switch fabric 0 vlan id 3 name wan
set switch fabric 0 vlan id 4 name lan
set switch fabric 0 vlan id 5 name wifi
On FreeBSD, fabric 0 corresponds to cpsw0, mvneta0, or etherswitch0.
set switch fabric 0 port 0 pvlan mgmt
set switch fabric 0 port 1 pvlan wan
set switch fabric 0 port 2 pvlan lan
set switch fabric 0 port 3 pvlan wifi
Configure layer 3 for switch interfaces:
Interface type prefixes:
- ge: Gigabit Ethernet
- xe: 10G Ethernet
- ae: Aggregated Ethernet (LAG)
Convention: type/fpc/pic/port.unit
set interface name ge/0/0/0 mtu 1500 inet address 10.255.255.1/24 vrf mgmt
set interface name ge/0/1/0 mtu 1500 inet dhcp vrf wan
set interface name ge/0/2/0 mtu 1500 inet address 10.1.0.1/18 vrf lan
set interface name ge/0/3/0 mtu 1500 inet address 10.1.64.1/18 vrf wifi
VPP
Vector Packet Processing (VPP) is a supported backend on FreeBSD, where DPDK is also available. VPP is compatible with:
Using VPP with physical hardware
For FreeBSD, list compatible hardware:
show system hw
set system vpp enable
set system vpp pci-device id 1:0:2
set system vpp pci-device id 1:0:3
reboot
After the system has finished booting, VPP-eligible interfaces will be enumerable in the type/fpc/pic/port.unit convention.
Configure MPLS
Enable the MPLS stack; this automatically creates the default table:
set mpls enable
Configure the control plane:
set interface name mpls0 type mpls-control-plane parent ge/0/0/0
set interface name ge/0/0/0 mpls enable
Portability
Stelleri is written with portability in mind and a proof of concept port to Linux already exists.