8.2. 組態網路

基本必要的網路概念 (Ethernet、IP 位址、次網路、廣播)

Most modern local networks use the Ethernet protocol, where data is split into small blocks called frames and transmitted on the wire one frame at a time. Data speeds vary from 10 Mb/s for older Ethernet cards to 100 Gb/s in the newest cards (with the most common rate currently growing from 100 Mb/s to 10 Gb/s). The most widely used cables are called 10BASE-T, 100BASE-T, 1000BASE-T, 10GBASE-T and 40GBASE-T, depending on the throughput they can reliably provide (the T stands for “twisted pair”); those cables end in an RJ45 connector. There are other cable types, used mostly for speeds of 10 Gb/s and above.

IP 位址是一組數字用於辨識電腦在地區網路或網際網路的介面。最常用的是 IP 版本是 (IPv4)，此組數字由 32 位元編成，通常以句點區隔的 4 個數字表示 (如 192.168.0.1)，使用 0 至 255 之間的數字 (含在內，對應於 8 位元的資料)。通信協定的下個版本是 IPv6，採用 128 位元表示一個位址，其位址以 16 進位表示，用冒號區隔 (如，2001:0db8:13bb:0002:0000:0000:0000:0020，或 2001:db8:13bb:2::20 簡版表示)。

次網路遮罩 (網路遮罩) 設定對應於網路的 IP 位址二進位代碼，其餘的則有機器指定。在前述的固定 IPv4 位址中，次網路遮罩，255.255.255.0 (以 2 進位表示，就是 24 個 “1” 之後接著 8 個 “0”) 表示 IP 位址前 24 位元對應至網路位址，且其餘 8 個則指向機器。在 IPv6 裡，為了方便閱讀，祗表示數字 “1”；IPv6 網路的網路遮罩可以是 64。

網路位址是一個 IP 位址，描述機器的號碼是 0。IPv4 位址的範圍是完成的網路以此語法表示，a.b.c.d/e，a.b.c.d 是網路位址，而 e 是被影響的位元數。因此，此網路可寫成：192.168.0.0/24。在 IPv6 的類似語法為：2001:db8:13bb:2::/64。

路由器用於連結多個網路。進入路由器的資訊被引導至正確的網路。所以，路由器分析進來的封包，根據其目的位址轉送至其他地方。路由器通常稱為閘道器；協助進入在地網路以外的地方 (網際網路之類的外部網路)。

特定的廣播位址連結網路內所有的站台。幾乎不曾 “發送”，祗在網路內發送問題。就是說，經由廣播發送的資料封包不會通常路由器。

本章祗討論 IPv4 位址，現在最常見的。IPv6 協定的詳情在節 10.6, “IPv6”，其概念是一樣的。

The network is automatically configured during the initial installation. If Network Manager gets installed (which is generally the case for full desktop installations), then it might be that no configuration is actually required (for example, if you rely on DHCP on a wired connection and have no specific requirements). If a configuration is required (for example, for a WiFi interface), then it will create the appropriate file in /etc/NetworkManager/system-connections/.

NOTE NetworkManager

If Network Manager is particularly recommended in roaming setups (see 節 8.2.5, “網路自動組態漫遊使用者”), it is also perfectly usable as the default network management tool. You can create “System connections” that are used as soon as the computer boots either manually with a .ini-like file in /etc/NetworkManager/system-connections/ or through a graphical tool (nm-connection-editor). If you were using ifupdown, just remember to deactivate the entries in /etc/network/interfaces that you want Network Manager to handle.

→ https://wiki.gnome.org/Projects/NetworkManager/SystemSettings

→ https://developer.gnome.org/NetworkManager/1.30/ref-settings.html

If Network Manager is not installed, then the installer will configure ifupdown by creating the /etc/network/interfaces file. A line starting with auto gives a list of interfaces to be automatically configured on boot by the networking service. When there are many interfaces, it is good practice to keep the configuration in different files inside /etc/network/interfaces.d/ as described in sidebar 基本結尾是 .d 的資料夾名稱.

In a server context, ifupdown is thus the network configuration tool that you usually get. That is why we will cover it in the next sections. For more information about the syntax of the configuration file please read interfaces(5).

8.2.1. Ethernet 介面

電腦使用 Ethernet 網路卡時，必須以下列的方法之一組態 IP 網路。最簡單的方式是以 DHCP 動態組態，需要在地網路的 DHCP 伺服器。可以使用與下例 hostname 設定的主機名稱。DHCP 伺服器就會送出組態設定給適當的網路。

範例 8.1. DHCP 組態

auto enp0s31f6
iface enp0s31f6 inet dhcp
  hostname arrakis

IN PRACTICE Names of network interfaces

By default, the kernel attributes generic names such as eth0 (for wired Ethernet) or wlan0 (for WiFi) to the network interfaces. The number in those names is a simple incremental counter representing the order in which they have been detected. With modern hardware, that order (at least in theory) might change for each reboot and thus the default names are not reliable.

Fortunately, systemd and udev are able to rename the interfaces as soon as they appear. The default name policy is defined by /lib/systemd/network/99-default.link (see systemd.link(5) for an explanation of the NamePolicy entry in that file). In practice, the names are often based on the device's physical location (as guessed by where they are connected) and you will see names starting with en for wired ethernet and wl for WiFi. In the example above, the rest of the name indicates, in abbreviated form, a PCI (p) bus number (0), a slot number (s31), a function number (f6). Thus the name becomes predictable.

Obviously, you are free to override this policy and/or to complement it to customize the names of some specific interfaces. You can find out the names of the network interfaces in the output of ip addr (or as filenames in /sys/class/net/).

In some corner cases it might be necessary to disable the predictable naming of network devices as described above. Besides changing the default udev rule it is also possible to boot the system using the net.ifnames=0 (restores the default kernel behavior) and biosdevname=0 kernel parameters to achieve that.

The predecessor of the predictable name scheme was called “persistent name scheme”. It was done using a udev rule to assign the device name based on the MAC address. This scheme has been abandoned and with the release of Debian 10 Buster users have been encouraged to migrate to predictable network device names.

→ https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#migrate-interface-names

“靜態” 組態必須以固定方式指明網路設定。至少包括 IP 網址及次網路遮罩；有時也列出網路及廣播位址。必須以閘道指出連結外部的路由器。

範例 8.2. 靜態組態

auto enp0s31f6
iface enp0s31f6 inet static
  address 192.168.0.3/24
  broadcast 192.168.0.255
  network 192.168.0.0
  gateway 192.168.0.1

說明多位址

It is possible not only to associate several interfaces to a single, physical network card, but also several IP addresses to a single interface. To assign them, just create several iface entries for the same device. Remember also that an IP address may correspond to any number of names via DNS, and that a name may also correspond to any number of numerical IP addresses.

如您所想，組態可以極為複雜，不過祗限於極為特殊的例子。此處引用的例子都是一般常見的組態。

8.2.2. Wireless Interface

Getting wireless network cards to work can be a bit more challenging. First of all, they often require the installation of proprietary firmwares which are not installed by default in Debian. Then wireless networks rely on cryptography to restrict access to authorized users only, this implies storing some secret key in the network configuration. Let's tackle those topics one by one.

8.2.2.1. Installing the required firmwares

First you have to enable the non-free repository in APT's sources.list file: see 節 6.1, “寫入 sources.list 檔案” for details about this file. Many firmware are proprietary and are thus located in this repository. You can try to skip this step if you want, but if the next step doesn't find the required firmware, retry after having enabled the non-free section.

Then you have to install the appropriate firmware-* packages. If you don't know which package you need, you can install the isenkram package and run its isenkram-autoinstall-firmware command. The packages are often named after the hardware manufacturer or the corresponding kernel module: firmware-iwlwifi for Intel wireless cards, firmware-atheros for Qualcomm Atheros, firmware-ralink for Ralink, etc. A reboot is then recommended because the kernel driver usually looks for the firmware files when it is first loaded and no longer afterwards.

8.2.2.2. Wireless specific entries in `/etc/network/interfaces`

ifupdown is able to manage wireless interfaces but it needs the help of the wpasupplicant package which provides the required integration between ifupdown and the wpa_supplicant command used to configure the wireless interfaces (when using WPA/WPA2 encryption). The usual entry in /etc/network/interfaces needs to be extended with two supplementary parameters to specify the name of the wireless network (aka its SSID) and the Pre-Shared Key (PSK).

範例 8.3. DHCP configuration for a wireless interface

auto wlp4s0
iface wlp4s0 inet dhcp
  wpa-ssid Falcot
  wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b

The wpa-psk parameter can contain either the plain text passphrase or its hashed version generated with wpa_passphrase SSID passphrase. If you use an unencrypted wireless connection, then you should put a wpa-key-mgmt NONE and no wpa-psk entry. For more information about the possible configuration options, have a look at /usr/share/doc/wpasupplicant/README.Debian.gz.

At this point, you should consider restricting the read permissions on /etc/network/interfaces to the root user only since the file contains a private key that not all users should have access to.

8.2.3. 經由 PSTN 數據機的 PPP 連結

點對點 (PPP) 連結建立斷續的連結；這是電話數據機最常見的連結方式 (“PSTN 數據機”，經由公共交換電話網路)。

電話數據機需要帳號才能連結，包括電話號碼、使用者名稱、密碼、以及認證協定。這種連結 Debian 同名套件內的使用 pppconfig 工具。預設使用的名稱是 提供者 (做為網際網路服務提供者)。對認證協定有疑義時，選擇 PAP：大多數網際網路服務提供者使用它。

組態之後，就可以使用 pon 命令 (提供者 的預設值不適用時，將連結的名稱當成參數)。以 poff 命令斷線。這兩個令可以被根使用者執行，或位在 dip 群組的其他使用者。

8.2.4. 以 ADSL 數據連結

“ADSL 數據機” 一辭包括不同功能的多種設備。使用 Linux 的數據機有 Ethernet 介面 (不祗是 USB 介面)。這是極為普遍的數據機；大部份的 ADSL 網際網路服務商出借 (或出租) 一個含 Ethernet 介面的 “盒子”。視其類型而有不同的設定。

8.2.4.1. 支援 PPPOE 的數據機

部份 Ethernet 數據機使用 PPPOE 協定 (乙太網上的對等協定，Point to Point Protocol over Ethernet)。pppoeconf 工具 (位於同名套件內) 將組態其連結。修改 /etc/ppp/peers/dsl-provider 檔案內容時，採用 /etc/ppp/pap-secrets 與 /etc/ppp/chap-secrets 檔案的內容。建議全盤接納所有的提議。

組態完成之後，以命令 pon dsl-provider 開啟 ADSL 連結，並以命令 poff dsl-provider 斷線。

秘訣啟動 ppp 於開機時

PPP 在 ADSL 上的連結，其本意是斷斷續續的。因為不是依照連線時間收費，所以不必隨時打開它。標準的方法是使用 init 系統。

With systemd, adding an automatically restarting task for the ADSL connection is a simple matter of creating a “unit file” such as /etc/systemd/system/adsl-connection.service, with contents such as the following:

[Unit]
Description=ADSL connection

[Service]
Type=forking
ExecStart=/usr/sbin/pppd call dsl-provider
Restart=always

[Install]
WantedBy=multi-user.target

設定這個 unit file 之後，還需以 systemctl enable adsl-connection 命令啟動它。然後以手動方式，啟動此命令 systemctl start adsl-connection 迴圈；然後就可在開機時自動啟動。

未使用 systemd 命令的系統 (包括 Wheezy 及更早的 Debian 版本)，可使用標準的 SystemV init。在這種系統裡，祗需在 /etc/inittab 檔案加入一行字；然後，在斷線之後，執行 init 就可重新連線。

adsl:2345:respawn:/usr/sbin/pppd call dsl-provider

撥接後自動斷線的 ADSL，這種方法減少中斷的次數。

8.2.4.2. 支援 PPTP 的數據機

PPTP (點對點隧道協議，Point-to-Point Tunneling Protocol) 協定由微軟創製。在 ADSL 的初期就已布置，取代 PPPOE。若被強迫使用此協定，參見節 10.3.4, “PPTP”。

8.2.4.3. 支援 DHCP 數據機

以 Ethernet 纜線 (跳線) 連線電腦的數據機，可以在電腦以 DHCP 組態網路連結；數據機自動成為閘道且執行路由的功能 (就是管理電腦與網際網路的流量)。

基本直接連結 Ethernet 的跳線

電腦網路卡經由特定纜線接收資料，也從同樣的管道送出資料。電腦連上地區網路後，通常以纜線 (直接連線或跳線) 連結網路上與中繼器或交換器。若想直接連結兩部電腦 (不經過交換器或中繼器)，必須經由網路卡送出資料至接收端的另個網路卡，反之亦然。這就是跳線的作用，以及使用它的原因。

Note that this distinction has become almost irrelevant over time, as modern network cards are able to detect the type of cable present and adapt accordingly, so it won't be unusual that both kinds of cable will work in a given location.

大部份的 “ADSL 路由器” 也能這麼做，網際網路服務供應商提供的 ADSL 數據機也具有此功能。

8.2.5. 網路自動組態漫遊使用者

Falcot 公司的工程師擁有專業用的筆電，同時也在家裡使用它。根據使用場所的不同，網路有不同的組態方式。在家裡，可能使用 WiFi 網路 (以 WPA 鑰保護)，在工作場合則使用較安全與頻寬更充足的固接網路。

為了避免人工連結與斷線對應的網路介面，管理者在漫遊機器安裝 network-manager 套件。此軟體可以讓使用者從圖形桌面的小圖示，在多個網路間切換。按下此圖示即顯示可用的網路 (固接與無線)，藉以選擇其中之一。此程式儲存曾連結網路的組態，斷線時自動選擇最佳的網路。

為了達到這個目的，程式分為兩個部份：在根部執行後台進程並組態網路介面與使用者介面控制該後台進程。PolicyKit 處理必要的權限以控制此程式，然後由 Debian 組態 PolicyKit 讓 netdev 群組成員可以新增或修改 Network Manager 的連結。

Network Manager knows how to handle various types of connections (DHCP, manual configuration, local network), but only if the configuration is set with the program itself. This is why it will systematically ignore all network interfaces in /etc/network/interfaces and /etc/network/interfaces.d/ for which it is not suited. Since Network Manager doesn't give details when no network connections are shown, the easy way is to delete from /etc/network/interfaces any configuration for all interfaces that must be managed by Network Manager.

在初始安裝階段選擇 “桌面環境”的工作，就能夠預設安裝此程式。