Network Address Translation (NAT) and Tunneling

90 minutes; session 3 of 5

Creating GRE Tunnels with ip tunnel add

The ip tunnel add command allows creating GRE tunnels in Linux. GRE tunnels encapsulate traffic over an underlying network. Let’s look at setting up a basic GRE tunnel.

Introduction

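GRE tunnels enable connecting separate networks over the internet or other transit networks. Intermediary hops forward on the outer IP header only, but GRE itself does not encrypt or authenticate: the inner packet is carried in cleartext and can be read by anyone on the path. Where confidentiality matters, protect the tunnel with IPsec or another encrypted transport.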

Steps

Open Terminal

First, open a terminal window on your system.

Create GRE Tunnel

Use this command to create a GRE tunnel:

sudo ip tunnel add <name> mode gre remote <remote_ip> local <local_ip> ttl <ttl>

Where:

  • <name> is the tunnel name
  • <remote_ip> is the remote endpoint’s IP
  • <local_ip> is your endpoint’s IP
  • <ttl> is the TTL set on the outer (encapsulating) packets, which limits the number of hops they can traverse

For example:

sudo ip tunnel add gre_tunnel mode gre remote 203.0.113.5 local 198.51.100.2 ttl 64

Verify Tunnel

Check that the tunnel was created:

ip tunnel show

The new tunnel should be listed.

Delete and Recreate Tunnel

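To take a tunnel down and restore it, delete it and create it again. ip tunnel del removes the tunnel definition entirely, so restoring it means re-running the add command with the same parameters: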

sudo ip tunnel del gre_tunnel
sudo ip tunnel add gre_tunnel mode gre remote 203.0.113.5 local 198.51.100.2 ttl 64

Test Connectivity

Ping the remote side while the tunnel is up, once the tunnel interface has been brought up and given an address on both endpoints. This validates encapsulated connectivity.

Summary

The ip tunnel add command allows creating GRE tunnels to bridge networks over transit networks. Tunnels encapsulate traffic, providing a point-to-point link between the endpoints; encapsulation alone does not encrypt the traffic.

Configuring IPIP Tunnels with ip tunnel add

The ip tunnel add command can create IPIP tunnels in Linux. IPIP tunnels encapsulate IP packets over IP networks. Let’s look at a basic example.

Introduction

IPIP tunnels allow you to encapsulate IP traffic over an IP network, such as the internet. Intermediaries route on the outer header, but the inner packet is not encrypted and remains readable on the path.

Steps

Open Terminal

First, open a terminal window on your system.

Create IPIP Tunnel

Use this command to create an IPIP tunnel:

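sudo ip tunnel add <name> mode ipip remote <remote_ip> local <local_ip>

Where <name> is the desired tunnel name, and <remote_ip> and <local_ip> are the tunnel endpoints, as in the GRE command. ip tunnel add takes no IPsec parameters; IPsec protection is configured separately.

For example:

sudo ip tunnel add ipip_tunnel mode ipip remote 203.0.113.5 local 198.51.100.2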

Verify Tunnel

Check that the new tunnel was created:

ip tunnel show

The IPIP tunnel should be listed.

Configure Routing

To enable connectivity, route traffic destined for the remote network over the tunnel interface.

For example:

sudo ip route add 192.168.2.0/24 dev ipip_tunnel

Test Connectivity

Ping a host on the remote network through the tunnel to validate encapsulated connectivity.

Summary

The ip tunnel add command allows creating IPIP tunnels to bridge network segments over IP networks. Proper routing configuration is essential for tunnel functionality.

Adding Neighbors with ip neigh add

The ip neigh add command manually inserts entries into the ARP cache (the kernel neighbor table) in Linux. Each entry is a fixed mapping between an IP address and a MAC address.

Introduction

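Populating the ARP cache with static entries can be useful for testing or forcing traffic over specific interfaces. Because a static entry is not updated by ARP replies, a wrong MAC address silently misdirects traffic until the entry is removed.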

Steps

Open Terminal

First, open a terminal window on your system.

Add Neighbor

Use this command to add a neighbor:

sudo ip neigh add <ip> lladdr <mac> dev <interface>

Where:

  • <ip> is the neighbor’s IP address
  • <mac> is their MAC address
  • <interface> is the interface they are connected to

For example:

sudo ip neigh add 192.168.1.10 lladdr 00:11:22:33:44:55 dev eth0

Verify Entry

Check that the entry exists in the ARP table:

ip neigh show

The static neighbor should be listed with the state PERMANENT.

Delete Entry

To remove the static neighbor:

sudo ip neigh del <ip> dev <interface>

Summary

The ip neigh add command manually inserts static ARP entries, fixing IP to MAC mappings. This can direct traffic over specific interfaces.

Adding IPv6 Neighbors with ip -6 neigh add

The ip -6 neigh add command inserts IPv6 neighbor entries into the neighbor cache in Linux. This establishes mappings between IPv6 and MAC addresses.

Introduction

Populating the neighbor cache statically can be useful for testing or debugging IPv6 connectivity issues.

Steps

Open Terminal

First, open a terminal window on your system.

Add IPv6 Neighbor

Use this command to add an IPv6 neighbor:

sudo ip -6 neigh add <ipv6> lladdr <mac> dev <interface>

Where:

  • <ipv6> is the neighbor’s IPv6 address
  • <mac> is their MAC address
  • <interface> is the connecting interface

For example:

sudo ip -6 neigh add 2001:db8::1 lladdr 00:11:22:33:44:55 dev eth0

Verify Entry

Check that the entry exists:

ip -6 neigh show

The added static neighbor should appear with the state PERMANENT.

Delete Entry

To remove the static neighbor:

sudo ip -6 neigh del <ipv6> dev <interface> 

Summary

The ip -6 neigh add command inserts static IPv6 neighbor entries, mapping IPv6 addresses to MAC addresses. This can help debug IPv6 network connectivity.
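
The Verify Entry steps in the two neighbor sections above can be automated. The following is an added example, not part of the original tutorial: it parses ip neigh show output, lists static (PERMANENT) entries, reports those missing from an allowlist, and flags a MAC address that answers for more than one IPv4 address on the same interface. The function names, the allowlist file format and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; names are illustrative. Constructed `ip neigh show` sample:
sample_neigh() {
cat <<'EOF'
192.168.1.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
192.168.1.20 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
192.168.1.30 dev eth0  FAILED
2001:db8::1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
fe80::1 dev eth0 lladdr 52:54:00:aa:bb:02 router REACHABLE
EOF
}

# Normalise stdin to "ip mac dev state". Fields are found by keyword because
# optional tokens such as "router" shift positions; entries without an
# lladdr (FAILED, INCOMPLETE) are dropped.
neigh_fields() {
  awk '{ mac = ""; dev = ""
         for (i = 2; i < NF; i++) {
           if ($i == "lladdr") mac = $(i + 1)
           if ($i == "dev")    dev = $(i + 1)
         }
         if (mac != "") print $1, mac, dev, $NF }'
}

# Static entries only, as "ip mac dev".
static_neighbors() { neigh_fields | awk '$4 == "PERMANENT" { print $1, $2, $3 }'; }

# Static entries whose "ip mac" pair is absent from the allowlist file ($1),
# which holds one expected "ip mac" pair per line.
unexpected_static() {
  static_neighbors | awk -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    { k = $1 " " $2; if (!(k in ok)) print }'
}

# Heuristic: "mac dev" pairs that answer for more than one IPv4 address.
# IPv6 is skipped: a host normally holds several IPv6 addresses on one MAC.
shared_ipv4_macs() {
  neigh_fields | awk '$1 !~ /:/ { n[$2 " " $3]++ }
                      END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Demo on the sample: only the IPv4 static entry is on the allowlist.
allow_file=$(mktemp)
echo "192.168.1.10 00:11:22:33:44:55" > "$allow_file"
sample_neigh | unexpected_static "$allow_file"
sample_neigh | shared_ipv4_macs
rm -f "$allow_file"
```

On a live host, pipe the output of ip neigh show into the same functions in place of sample_neigh.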