See the official manual: Debian Reference Manual - Chapter 5. Network setup
Reader Prerequisites: To get the most from this article, understand the following concepts before reading: basic unix command line tools, text editors, DNS, TCP/IP, DHCP, netmask, gateway
4 ways to configure the network
- The interfaces configuration file at /etc/network/interfaces (this page): for basic or simple configurations (e.g. workstation)
- NetworkManager: This is the default for laptop configurations
- Systemd: Debian reference Doc Chapter 5
Setting up an Ethernet Interface
The majority of network setup can be done via the interfaces configuration file at /etc/network/interfaces. Here, you can give your network card an IP address (or use dhcp), set up routing information, configure IP masquerading, set default routes and much more.
Remember to add interfaces that you want brought up at boot time to the 'auto' line.
See interfaces for more options.
Starting and Stopping Interfaces
Interfaces configured with /etc/network/interfaces can be brought up and down with the ifup and ifdown commands. For example, with an interface named enp7s0:
sudo ifdown enp7s0
sudo ifup enp7s0
Some outdated guides claim you need to restart the networking service to apply changes to /etc/network/interfaces. This was deprecated because it is possible that not all interfaces will be restarted.
Reinitialize new network setup
If you make more fundamental network changes to /etc/network/interfaces (e.g. adding new virtual interfaces like a bridge), you can reinitialize the network configuration by restarting the networking daemon:
sudo systemctl status networking
sudo systemctl restart networking
Network Interface Names
See NetworkInterfaceNames. Since Stretch, old-style interface names (eth0, wlan1 etc.) have been replaced by names based on hardware location (enp0s31f6, wlp1s7 etc.). For USB dongles, these can even include the MAC address (e.g. enx2c56ac39ec0d).
You can list interfaces with: ls /sys/class/net
Note: Replace eno1 with your default interface name in the examples below.
Upgrading and Network Interface Names
Buster still supports the old naming system as long as the file /etc/udev/rules.d/70-local-persistent-net.rules exists, but Bullseye users need to switch.
Using DHCP to automatically configure the interface
If you're just using DHCP, all you need is something like:
auto eno1
allow-hotplug eno1
iface eno1 inet dhcp
For IPv6 with DHCPv6, append the following:
iface eno1 inet6 dhcp
Or for IPv6 with stateless address autoconfiguration ("SLAAC"), append the following:
iface eno1 inet6 auto
See also IPv6PrefixDelegation.
Configuring the interface manually
If you configure the interface manually, use something like this to set the default gateway (network, broadcast and gateway are optional):
auto eno1
iface eno1 inet static
    address 192.0.2.7/24
    gateway 192.0.2.254
If you want to add an IPv6 address too, append something like:
iface eno1 inet6 static
    address 2001:db8::c0ca:1eaf/64
    gateway 2001:db8::1ead:ed:beef
See interfaces for more options.
Make sure to disable all DHCP services, e.g. dhcpcd.
Mixing manual and automatic configuration is also possible, e.g. to use IPv6 SLAAC for internet connectivity and static addresses within the network:
# manual unique local address
iface eno1 inet6 static
    address fdc3:cafe::3/64
    # use SLAAC to get global IPv6 address from the router
    # we may not enable ipv6 forwarding, otherwise SLAAC gets disabled
    autoconf 1
    accept_ra 2
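A static stanza only comes up cleanly if its gateway is reachable on the configured prefix, and it only comes up at boot if the interface is named on an auto or allow-hotplug line. The following lint for those two conditions is an added example, not part of the original page; the SAMPLE text, the eno2 stanza and the function names are constructed for illustration, and only auto, allow-* and iface lines are interpreted.

```python
import ipaddress

# Constructed sample in /etc/network/interfaces syntax (not from a real host).
SAMPLE = """\
auto eno1
iface eno1 inet static
    address 192.0.2.7/24
    gateway 192.0.2.254
iface eno1 inet6 static
    address 2001:db8::7/64
    gateway fe80::1
# eno2 has no auto line and an off-link gateway
iface eno2 inet static
    address 198.51.100.7
    netmask 255.255.255.0
    gateway 203.0.113.1
"""

def parse(text):
    """Return (interfaces brought up automatically, list of iface stanzas)."""
    boot, stanzas, cur = set(), [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment (comments must start the line)
        if words[0] == "auto" or words[0].startswith("allow-"):
            boot.update(words[1:])
            cur = None
        elif words[0] == "iface" and len(words) >= 4:
            cur = {"name": words[1], "family": words[2],
                   "method": words[3], "opts": {}}
            stanzas.append(cur)
        elif cur is not None:
            cur["opts"][words[0]] = " ".join(words[1:])
    return boot, stanzas

def lint(text):
    """Flag stanzas missing from auto/allow-* and gateways that are off-link."""
    boot, stanzas = parse(text)
    findings = []
    for s in stanzas:
        if s["name"] not in boot:
            findings.append(f"{s['name']} ({s['family']}): not in any auto/allow-* line")
        opts = s["opts"]
        addr, gw = opts.get("address"), opts.get("gateway")
        if s["method"] != "static" or not addr or not gw:
            continue
        if "/" not in addr and "netmask" in opts:
            addr = f"{addr}/{opts['netmask']}"  # old-style address + netmask
        net = ipaddress.ip_interface(addr).network
        gateway = ipaddress.ip_address(gw)
        # A link-local gateway (e.g. fe80::1) is on-link whatever the prefix.
        if not gateway.is_link_local and gateway not in net:
            findings.append(f"{s['name']} ({s['family']}): gateway {gw} is outside {net}")
    return findings
```

Run lint() over the text of the real file before calling ifup from a remote session, since a stanza that fails to come up can cut off the SSH connection being used to apply it.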
Setting the speed and duplex
Warning: Autonegotiation repeatedly failing is often a symptom of faulty cabling - investigate physical matters before assuming that the interfaces' autonegotiation algorithms are incompatible.
If you turn off autonegotiation and set speed and duplex manually, the partner interface at the other end of the cable will assume that the absence of autonegotiation indicates a speed of 10Mbps and a duplex of half. For error-free operation when setting speed and duplex manually, set exactly the same speed and duplex for the devices at both ends of the cable.
If you set your interface's speed and duplex by hand, some trial and error may be required. Here are the basic steps:
- install ethtool and net-tools, so that you have the ethtool and mii-tool programs
  - one or both of these might work for your interface
- have a way to login to the system in case the network interface becomes nonfunctional
  - an SSH connection could be disrupted, so you need a fallback strategy
- identify the interface in question (often eno1)
  - adjust the remainder of these instructions accordingly
- try to determine what its current speed and duplex settings are...
  - try sudo ethtool eno1 and see whether the "Speed:" and "Duplex:" lines look right
    - if not, ethtool may not be supported by your device
  - try sudo mii-tool -v eno1 and see whether its output looks right
    - if not, mii-tool may not be supported by your device
  - if neither is supported, you may have to set parameters directly on the kernel driver module:
    - identify which driver module you're using by reading the output of dmesg and lsmod
    - try modinfo MODULENAME to see what parameters it accepts, if any (you can use modinfo even on modules that are not loaded, for comparison)
    - ToDo: where does one set kernel module parameters?
- try to change the settings of the interface with one of these (assuming 100 Mbps and full duplex):
  - sudo ethtool -s eno1 speed 100 duplex full autoneg off
  - sudo mii-tool -F 100baseTx-FD eno1
- re-check to see whether the interface settings actually changed
- try sending some data in and out of the system to see whether the NIC is operating correctly
- put the successful command in /etc/network/interfaces so it runs when you bring the interface up (e.g. at boot time)
  - some drivers begin autonegotiation when they're loaded, so you may need to delay the command a few seconds until autonegotiation finishes

    iface eno1 inet static
        address .../...
        gateway ...
        up sleep 5; ethtool -s eno1 ...

- reboot the machine to make sure it comes up correctly
  - be prepared to intervene manually (e.g. Ctrl-Alt-Del and then boot into single-user mode from GRUB or LILO)
Bringing up an interface without an IP address
To create a network interface without an IP address at all, use the manual method and the pre-up and post-down commands:
iface eno1 inet manual
    pre-up ifconfig $IFACE up
    post-down ifconfig $IFACE down
If the interface is a VLAN interface, the up/down commands must be executed after/before the vlan hooks. You also have to install the vlan package.
iface eno1.99 inet manual
    post-up ifconfig $IFACE up
    pre-down ifconfig $IFACE down
Note: If you create the VLAN interface only to put it in a bridge, there is no need to define the VLAN interface manually. Just configure the bridge, and the VLAN interface will be created automatically when creating the bridge (see below).
Defining the (DNS) Nameservers
Before a computer can connect to an external network resource (e.g. a web server), it must have a means of resolving domain names used by people (e.g. wiki.debian.org) to numeric network addresses used by routers (e.g. 140.211.166.4). Here is an example /etc/resolv.conf file that tells your computer to do that with Cloudflare's nameserver and Google's nameserver:
nameserver 1.1.1.1
nameserver 8.8.8.8
See resolv.conf for details.
DNS configuration for NetworkManager
NetworkManager normally manages /etc/resolv.conf, even if you've configured DNS in /etc/dhcp/dhclient.conf. You can get an idea of NetworkManager's settings by running nmcli on the command line.
You can configure these settings graphically:
- Run nm-connection-editor ("Advanced Network Configuration" in the menu system)
- Choose a connection and click the cog button to edit
- Click on the IPv4 Settings tab
- Choose 'Automatic (DHCP) addresses only' instead of just 'Automatic (DHCP)'.
- Enter the DNS servers in the "DNS servers" field, separated by spaces (e.g. 208.67.222.222 for OpenDNS).
- Click "Save"
NetworkManager saves these settings in /etc/NetworkManager/system-connections/name-of-connection. For example:
[802-3-ethernet]
duplex=full
mac-address=XX:XX:XX:XX:XX:XX
[connection]
id=Wired connection 1
uuid=xxx-xxxxxx-xxxxxx-xxxxxx-xxx
type=802-3-ethernet
timestamp=1385213042
[ipv6]
method=auto
[ipv4]
method=auto
dns=208.67.222.222;
ignore-auto-dns=true
Run nmcli again to check NetworkManager now has the right idea of how your DNS should be resolved.
Using systemd-resolved for DNS resolution
systemd-resolved is not installed by default. It runs a local caching DNS resolver that can be integrated with NetworkManager and systemd-networkd:
apt install systemd-resolved
Enabling systemd-resolved
systemd-resolved is disabled by default. To enable it:
systemctl enable systemd-resolved
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Also for glibc apps using nss, you need to edit /etc/nsswitch.conf so the hosts line looks like:
hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname
This will use nss-resolve(8) for resolution.
Note that resolved supports /etc/hosts, so it should go before the files entry.
Checking the status and flushing the cache in systemd-resolved
You can check the status of systemd-resolved with resolvectl:
resolvectl
You can flush the cache that resolved has with:
resolvectl flush-cache
Managing systemd-resolved settings
General settings for systemd-resolved are managed in /etc/systemd/resolved.conf - see resolved.conf.
Configuring dhclient
If you have disabled NetworkManager etc., the last remaining daemon which overwrites resolv.conf may be dhclient(8) (from isc-dhcp-client). If so, you can change resolv.conf by configuring this service.
Modifying /etc/dhcp/dhclient.conf
If you just want to override specific values from the DHCP server, edit /etc/dhcp/dhclient.conf:
supersede domain-name "example.com";
supersede domain-search "example.com";
supersede domain-name-servers 127.0.0.1;
Another option is to remove "domain-name, domain-name-servers, domain-search" from the request line. However, this only works on some networks. If the DHCP server sends unsolicited domain-name-servers (et al.) responses, dhclient will still heed them, and will still overwrite the resolv.conf file.
Stop dhclient from modifying /etc/resolv.conf
If you don't want dhclient to change the file at all, do:
echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
The execute bit is required because dhclient-script uses run-parts(8) to decide which files to read. For that same reason, the filename must not contain anything but letters, digits, underscores and hyphens.
According to dhclient-script(8):
- When it starts, the client script first defines a shell function, make_resolv_conf, which is later used to create the /etc/resolv.conf file. To override the default behaviour, redefine this function in the enter hook script.
Setting additional DNS Servers
Example: dhclient3 uses /etc/dhcp/dhclient.conf. The setting you want is:
supersede domain-name-servers 12.34.56.78, 12.34.56.79;
or perhaps
prepend domain-name-servers 12.34.56.78, 12.34.56.79;
Setting additional search domains
Adding search domains for VPNs or local virtual networks:
append domain-name " virt vpn";
Note the leading space since the string is literally appended to the search domain provided by other configurations.
See dhclient.conf for details.
Configuring resolvconf (or a workalike)
resolvconf programs keep track of system information about the currently available nameservers. They should not be confused with the configuration file /etc/resolv.conf, which unfortunately has a nearly identical name. There was originally only one resolvconf package, but now you can choose one of the other packages providing resolvconf. These commands let you add settings without them being overwritten by other commands.
A resolvconf program acts as an intermediary between programs that supply nameserver information (e.g. dhcp clients) and programs that use nameserver information (e.g. resolver). If you have more than one program modifying /etc/resolv.conf, this stops them from overwriting each other's configuration.
These packages replace /etc/resolv.conf with a symbolic link to /etc/resolvconf/run/resolv.conf, which is generated dynamically.
These packages include various configuration files for other packages (such as isc-dhcp-client). For example, resolvconf includes a file which modifies the make_resolv_conf shell function used by dhclient-script(8).
To manually define the nameservers (as with a static interface), add a line like the following to the interfaces configuration file at /etc/network/interfaces:
dns-nameservers 12.34.56.78 12.34.56.79
Place the line indented within an iface stanza, e.g., right after the gateway line. Enter the IP addresses of the nameservers you need to use after dns-nameservers. Put all of them on one line separated by spaces. Don't forget the "s" on the end of dns-nameservers.
openresolv lets you tell it to do nothing whenever some daemon tries to modify resolv.conf, by putting resolvconf=NO in the /etc/resolvconf.conf file. (Note: this is not the /etc/resolv.conf file!)
See /usr/share/doc/resolvconf/README for more information.
Making /etc/resolv.conf immutable
You can make /etc/resolv.conf immutable, so it cannot be changed by any package:
rm -f /etc/resolv.conf
editor /etc/resolv.conf
chattr +i /etc/resolv.conf
Obviously, you will need to put the appropriate content into the file before setting the immutable bit. Any time you wish to change the file, you will have to remove the bit, make your change, and then restore the bit.
dhclient-script may clutter /etc with temporary files when it fails to write to them - see 860928. You may need to periodically clean these files out of /etc.
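With several components able to take over /etc/resolv.conf, it helps to check which one actually owns it, whether the nameservers in effect are the ones you intended, and whether a dhclient hook will be read at all. The audit below is an added example, not part of the original page; the two symlink targets and the execute-bit requirement are taken from this page, while the temporary directory tree, the hook names other than leave_my_resolv_conf_alone and the 192.0.2.53 address are constructed.

```python
import os, re, stat, tempfile

# Symlink targets named on this page and the component that owns each.
KNOWN_TARGETS = {
    "/run/systemd/resolve/resolv.conf": "systemd-resolved",
    "/etc/resolvconf/run/resolv.conf": "resolvconf",
}
RUN_PARTS_NAME = re.compile(r"^[A-Za-z0-9_-]+$")  # run-parts(8) default name rule

def manager_of(path):
    """Name what controls resolv.conf, judged by its symlink target."""
    if not os.path.islink(path):
        return "regular file"
    target = os.readlink(path)
    return KNOWN_TARGETS.get(target, "unknown symlink -> " + target)

def unexpected_nameservers(text, expected):
    """Return nameserver entries that are not in the expected set."""
    found = [w[1] for w in (line.split() for line in text.splitlines())
             if len(w) >= 2 and w[0] == "nameserver"]
    return [ns for ns in found if ns not in expected]

def ignored_hooks(hook_dir):
    """List hook files that would be skipped: bad name or no execute bit."""
    skipped = []
    for name in sorted(os.listdir(hook_dir)):
        mode = os.stat(os.path.join(hook_dir, name)).st_mode
        if not RUN_PARTS_NAME.match(name):
            skipped.append((name, "name not accepted by run-parts"))
        elif not mode & stat.S_IXUSR:
            skipped.append((name, "not executable"))
    return skipped

def demo():
    """Build a constructed /etc-like tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        resolv = os.path.join(root, "resolv.conf")
        os.symlink("/run/systemd/resolve/resolv.conf", resolv)
        hooks = os.path.join(root, "dhclient-enter-hooks.d")
        os.mkdir(hooks)
        for name, mode in [("leave_my_resolv_conf_alone", 0o755),
                           ("keep-resolv.conf", 0o755),   # dot in the name
                           ("no_exec_bit", 0o644)]:
            path = os.path.join(hooks, name)
            with open(path, "w") as fh:
                fh.write("make_resolv_conf() { :; }\n")
            os.chmod(path, mode)
        text = "nameserver 1.1.1.1\nnameserver 192.0.2.53\n"  # constructed
        return (manager_of(resolv),
                unexpected_nameservers(text, {"1.1.1.1", "8.8.8.8"}),
                ignored_hooks(hooks))

if __name__ == "__main__":
    print(demo())
```

On a real system, point manager_of() at /etc/resolv.conf and ignored_hooks() at /etc/dhcp/dhclient-enter-hooks.d. A nameserver that appears in the unexpected list after a DHCP renewal means some component is still overwriting the file.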
Bridging
Bridging puts multiple interfaces into the same network segment. This is very popular for virtualization, and for connecting a server to multiple switches for high availability.
See BridgeNetworkConnections for more information.
Firewall
See nftables or ufw for more information.
Howto use vlan
An IEEE 802.1Q VLAN lets you split a single physical LAN into multiple virtual LANs. This lets network administrators do some configuration at layer 2 that would otherwise need to be done at the IP layer.
Add this to /etc/modules:
8021q
Then add a section to /etc/network/interfaces like:
auto eno1.222
iface eno1.222 inet static
    address 10.10.10.1/24
See vlan-interfaces for more information.
Bridges and VLANs
If you create VLAN interfaces only to put them into a bridge, there is no need to define the VLAN interfaces manually. Just configure the bridge, and the VLAN interfaces will be created automatically when creating the bridge, e.g.:
auto br1
iface br1 inet manual
    bridge_ports eno1.99 eno2.99
    up /usr/sbin/brctl stp br1 on
Howto create fault tolerant bonding with vlan
To "bond" two Ethernet connections together to create an auto failover interface, see Bonding.
Network config
Cisco switch interface example config:
interface GigabitEthernet1/2
 description eno2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 no ip address
 no cdp enable
 spanning-tree portfast trunk
bonding with active backup
Create a file /etc/modprobe.d/bonding.conf containing:
alias bond0 bonding
options bonding mode=active-backup miimon=100 downdelay=200 updelay=200 primary=eno2
/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto bond0
iface bond0 inet manual
    up ifconfig bond0 0.0.0.0 up
    slaves eno2 eno1

auto vlan10
iface vlan10 inet static
    address 10.10.10.12/24
    vlan-raw-device bond0
    gateway 10.10.0.1
    dns-search hup.hu
    dns-nameservers 10.10.0.2

auto vlan20
iface vlan20 inet static
    address 10.20.10.12/24
    vlan-raw-device bond0

auto vlan30
iface vlan30 inet static
    address 10.30.10.12/24
    vlan-raw-device bond0
In Debian Buster, you must use interface names for VLANs in the form of: bond0.10, bond0.20, and bond0.30 instead of vlan10, vlan20, vlan30
https://www.kernel.org/doc/Documentation/networking/bonding.txt - Linux kernel documentation on bonding
How to set the MTU (Max transfer unit / packet size) with VLANS over a bonded interface
MTU needs to be configured on the bonding interface and slave interfaces after the rest of the configuration has been applied to the bonding interfaces. This is done using a post-up line in the bonding interface configuration.
auto bond0
iface bond0 inet manual
    up ifconfig bond0 0.0.0.0 up
    slaves eno1 eno2
    # bond-mode 4 = 802.3ad
    bond-mode 4
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-lacp-rate 1
    bond-xmit-hash-policy layer2+3
    post-up ifconfig eno1 mtu 9000 && ifconfig eno2 mtu 9000 && ifconfig bond0 mtu 9000

# vlan devices will use the MTU set on bond0 device
auto vlan101
iface vlan101 inet static
    address 10.101.60.123/24
    gateway 10.155.60.1
    vlan-raw-device bond0

auto vlan151
iface vlan151 inet static
    address 192.168.1.1/24
    vlan-raw-device bond0
Multiple IP addresses on one Interface
Note: If you just need your web server to respond to two domain names, virtual hosts are a better solution than multiple addresses.
Warning: Interface aliases are deprecated and should not really be used anymore. (citation needed)
The link may fail to come up if no labels are assigned to the alias interfaces!
This issue may be driver/hardware-specific. It has been seen on Wheezy and Jessie with an RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 01) auto-negotiating to 10/full. A similar warning from another person exists in the history of this page.
This /etc/network/interfaces example assigns multiple IP addresses to eno1.
auto eno1
allow-hotplug eno1
iface eno1 inet static
    address 192.168.1.42/24
    gateway 192.168.1.1
    up /sbin/ip addr add 192.168.1.43/24 dev $IFACE label $IFACE:0
    down /sbin/ip addr del 192.168.1.43/24 dev $IFACE label $IFACE:0
    up /sbin/ip addr add 192.168.1.44/24 dev $IFACE label $IFACE:1
    down /sbin/ip addr del 192.168.1.44/24 dev $IFACE label $IFACE:1
    up /sbin/ip addr add 10.10.10.14/24 dev $IFACE label $IFACE:2
    down /sbin/ip addr del 10.10.10.14/24 dev $IFACE label $IFACE:2

iface eno1 inet6 static
    address 2001:db8:1234::1/64
    gateway fe80::1
    up /sbin/ip address add 2001:db8:1234:5678::1/64 dev $IFACE
    down /sbin/ip address del 2001:db8:1234:5678::1/64 dev $IFACE