Chapter 5. Network setup

Table of Contents

5.1. The basic network infrastructure
5.1.1. The hostname resolution
5.1.2. The network interface name
5.1.3. The network address range for the LAN
5.1.4. The network device support
5.2. The modern network configuration for desktop
5.2.1. GUI network configuration tools
5.3. The modern network configuration without GUI
5.4. The low level network configuration
5.4.1. Iproute2 commands
5.4.2. Safe low level network operations
5.5. Network optimization
5.5.1. Finding optimal MTU
5.5.2. WAN TCP optimization
5.6. Netfilter infrastructure
[Tip] Tip

For a modern, Debian-specific guide to networking, read The Debian Administrator's Handbook — Configuring the Network.

[Tip] Tip

Under systemd, networkd may be used to manage networks. See systemd-networkd(8).

5.1. The basic network infrastructure

Let's review the basic network infrastructure on the modern Debian system.

Table 5.1. List of network configuration tools

packages              | popcon        | size  | type              | description
----------------------|---------------|-------|-------------------|--------------------------------------------------------------------------
network-manager       | V:373, I:444  | 15443 | config::NM        | NetworkManager (daemon): manage the network automatically
network-manager-gnome | V:130, I:374  | 5345  | config::NM        | NetworkManager (GNOME frontend)
ifupdown              | V:590, I:988  | 218   | config::ifupdown  | standardized tool to bring up and down the network (Debian specific)
isc-dhcp-client       | V:220, I:982  | 686   | config::low-level | DHCP client
pppoeconf             | V:0, I:7      | 192   | config::helper    | configuration helper for PPPoE connection
wpasupplicant         | V:340, I:508  | 3431  | config::helper    | client support for WPA and WPA2 (IEEE 802.11i)
wpagui                | V:0, I:2      | 796   | config::helper    | Qt GUI client for wpa_supplicant
wireless-tools        | V:178, I:242  | 297   | config::helper    | tools for manipulating Linux Wireless Extensions
iw                    | V:252, I:483  | 294   | config::helper    | tool for configuring Linux wireless devices
iproute2              | V:696, I:945  | 3248  | config::iproute2  | iproute2, IPv6 and other advanced network configuration: ip(8), tc(8), etc.
iptables              | V:302, I:959  | 2521  | config::Netfilter | administration tools for packet filtering and NAT (Netfilter)
iputils-ping          | V:211, I:997  | 113   | test              | test network reachability of a remote host by hostname or IP address (iproute2)
iputils-arping        | V:6, I:87     | 55    | test              | test network reachability of a remote host specified by the ARP address
iputils-tracepath     | V:3, I:49     | 72    | test              | trace the network path to a remote host
ethtool               | V:95, I:264   | 627   | test              | display or change Ethernet device settings
mtr-tiny              | V:5, I:53     | 160   | test::low-level   | trace the network path to a remote host (curses)
mtr                   | V:4, I:43     | 214   | test::low-level   | trace the network path to a remote host (curses and GTK)
gnome-nettool         | V:1, I:34     | 2110  | test::low-level   | tools for common network information operations (GNOME)
nmap                  | V:28, I:234   | 4509  | test::low-level   | network mapper / port scanner (Nmap, console)
zenmap                | V:0, I:5      | 2939  | test::low-level   | network mapper / port scanner (GTK)
tcpdump               | V:18, I:196   | 1330  | test::low-level   | network traffic analyzer (Tcpdump, console)
wireshark             | I:52          | 148   | test::low-level   | network traffic analyzer (Wireshark, GTK)
tshark                | V:2, I:31     | 501   | test::low-level   | network traffic analyzer (console)
tcptrace              | V:0, I:2      | 401   | test::low-level   | produce a summarization of the connections from tcpdump output
snort                 | V:0, I:1      | 2206  | test::low-level   | flexible network intrusion detection system (Snort)
ntopng                | V:1, I:1      | 969   | test::low-level   | display network usage in web browser
dnsutils              | V:44, I:443   | 272   | test::low-level   | network clients provided with BIND: nslookup(8), nsupdate(8), dig(8)
dlint                 | V:0, I:6      | 53    | test::low-level   | check DNS zone information using nameserver lookups
dnstracer             | V:0, I:1      | 60    | test::low-level   | trace a chain of DNS servers to the source


5.1.1. The hostname resolution

Hostname resolution is handled by the NSS (Name Service Switch) mechanism. The flow of this resolution is as follows.

  1. The "/etc/nsswitch.conf" file, with a stanza such as "hosts: files dns", dictates the hostname resolution order. (This replaces the old functionality of the "order" stanza in "/etc/host.conf".)

  2. The files method is invoked first. If the hostname is found in the "/etc/hosts" file, it returns all valid addresses for it and exits. (The "/etc/host.conf" file contains "multi on".)

  3. The dns method is invoked next. If the hostname is found by querying the Internet Domain Name System (DNS) servers identified in the "/etc/resolv.conf" file, it returns all valid addresses for it and exits.

For example, "/etc/hosts" looks like the following.

127.0.0.1 localhost
127.0.1.1 host_name

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Each line starts with an IP address, followed by the hostname(s) associated with it.

The IP address 127.0.1.1 in the second line of this example may not be found on some other Unix-like systems. The Debian Installer creates this entry for a system without a permanent IP address as a workaround for some software (e.g., GNOME), as documented in bug #719621.

The host_name matches the hostname defined in "/etc/hostname".

For a system with a permanent IP address, that permanent IP address should be used here instead of 127.0.1.1.

For a system with a permanent IP address and a fully qualified domain name (FQDN) provided by the Domain Name System (DNS), the canonical host_name.domain_name should be used instead of just host_name.

The "/etc/resolv.conf" is a static file if the resolvconf package is not installed. If it is installed, it is a symbolic link. Either way, it contains the information that initializes the resolver routines. If the DNS server is at IP address 192.168.11.1, it contains the following.
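To make the "files" step of the resolution flow concrete, here is an added example (not code from the Debian Reference) that re-implements what the NSS files method does with "multi on": every line of an /etc/hosts-style file that lists the name as hostname or alias contributes its address, and comments are ignored. The sample file content is constructed here; to query the real file, feed /etc/hosts on standard input instead.

```shell
# Constructed sample of an /etc/hosts file (not read from the running system).
SAMPLE_HOSTS='127.0.0.1 localhost
127.0.1.1 host_name
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters'

# hosts_lookup NAME   (reads an /etc/hosts-style file on stdin)
# Emulates the NSS "files" method with "multi on": prints the address of
# every line that lists NAME (case-insensitive) as hostname or alias, one
# per line, so "localhost" yields both its IPv4 and its IPv6 address.
hosts_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }                     # skip blank and address-only lines
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; break }
        }'
}

# hosts_lookup_first NAME   (reads an /etc/hosts-style file on stdin)
# What the same lookup returns with "multi off": only the first match.
hosts_lookup_first() {
    hosts_lookup "$1" | head -n 1
}

# Usage on a real system:
#   hosts_lookup localhost < /etc/hosts
# To exercise the whole nsswitch.conf order (files, mdns4_minimal, dns, ...)
# rather than just the files step, use "getent ahosts NAME" instead.
```

The difference between hosts_lookup and hosts_lookup_first is exactly the "multi on"/"multi off" switch in "/etc/host.conf": with "multi off", a dual-stack host whose IPv6 entry comes second in the file would never be resolved to its IPv6 address from the files step.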

nameserver 192.168.11.1

The resolvconf package makes this "/etc/resolv.conf" into a symbolic link and manages its contents by the hook scripts automatically.

For a PC workstation in a typical ad hoc LAN environment, the hostname can be resolved via Multicast DNS (mDNS, Zeroconf) in addition to the basic files and dns methods.

  • Avahi provides a framework for Multicast DNS Service Discovery on Debian.

  • It is the equivalent of Apple Bonjour / Apple Rendezvous.

  • The libnss-mdns plugin package provides host name resolution via mDNS for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc).

  • The "/etc/nsswitch.conf" file should have a stanza such as "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4".

  • Host names ending with the ".local" pseudo-top-level domain (TLD) are resolved.

  • The mDNS IPv4 link-local multicast address "224.0.0.251" or its IPv6 equivalent "FF02::FB" is used to make DNS queries for a name ending with ".local".

Hostname resolution via the deprecated NetBIOS over TCP/IP used by older Windows systems can be provided by installing the winbind package. The "/etc/nsswitch.conf" file should have a stanza such as "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins" to enable this functionality. (Modern Windows systems usually use the dns method for hostname resolution.)

[Note] Note

The expansion of generic Top-Level Domains (gTLD) in the Domain Name System is underway. Watch out for name collisions when choosing a domain name used only within the LAN.

5.1.2. The network interface name

Network interfaces are typically initialized in "networking.service" for the lo interface and in "NetworkManager.service" for other interfaces on modern Debian desktop systems under systemd.

5.2. The modern network configuration for desktop

Debian can manage the network connection via management daemon software such as NetworkManager (NM) (network-manager and associated packages).

  • They come with their own GUI and command-line programs as their user interfaces.

  • They come with their own daemon as their backend system.

  • They allow easy connection of your system to the Internet.

  • They allow easy management of wired and wireless network configuration.

  • They allow us to configure the network independently of the legacy ifupdown package.

[Note] Note

Do not use these automatic network configuration tools for servers. They are aimed primarily at mobile desktop users on laptops.

These modern network configuration tools need to be configured properly to avoid conflicting with the legacy ifupdown package and its configuration file "/etc/network/interfaces".

5.2.1. GUI network configuration tools

Official documentation for NM on Debian is provided in "/usr/share/doc/network-manager/README.Debian".

Essentially, the network configuration for desktop is done as follows.

  1. Make the desktop user, e.g. foo, a member of the "netdev" group with the following command (alternatively, this is done automatically via D-Bus under modern desktop environments such as GNOME and KDE).

    $ sudo adduser foo netdev

  2. Keep the configuration of "/etc/network/interfaces" as simple as the following.

    auto lo
    iface lo inet loopback

  3. Restart NM with the following command.

    $ sudo systemctl restart network-manager

  4. Configure your network via the GUI.

[Note] Note

Only interfaces which are not listed in "/etc/network/interfaces" are managed by NM to avoid conflict with ifupdown.
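Because NM leaves alone every interface that ifupdown claims, a leftover "iface eth0 ..." stanza is the usual reason an interface never shows up in the GUI. The following added check (example code, not part of the Debian Reference or of NM) parses an interfaces file and reports any interface other than lo that ifupdown still configures. The sample file content is constructed; on a real system, feed /etc/network/interfaces on standard input. Stanzas pulled in through "source" or "source-directory" lines are not followed.

```shell
# Constructed sample of an /etc/network/interfaces that still claims eth0,
# the kind of leftover that keeps NM from managing that interface.
SAMPLE_INTERFACES='# This file describes the network interfaces available on your system
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto'

# ifupdown_ifaces   (reads an interfaces file on stdin)
# Prints the name of every interface that has an "iface" stanza, once each,
# ignoring comments; inet and inet6 stanzas for one interface count once.
# Files included via "source"/"source-directory" are not parsed here.
ifupdown_ifaces() {
    awk '{ sub(/#.*/, "") }
         $1 == "iface" && !seen[$2]++ { print $2 }'
}

# nm_conflict_check   (reads an interfaces file on stdin)
# Returns 0 when only "lo" is configured by ifupdown, i.e. NM is free to
# manage every other interface; otherwise prints the conflicting interface
# names and returns 1.
nm_conflict_check() {
    conflicts=$(ifupdown_ifaces | grep -v '^lo$' || true)
    if [ -n "$conflicts" ]; then
        printf 'ifupdown still configures: %s\n' "$conflicts"
        return 1
    fi
    return 0
}

# Usage on a real system:
#   nm_conflict_check < /etc/network/interfaces && echo "NM manages all other interfaces"
```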

[Tip] Tip

If you wish to extend network configuration capabilities of NM, please seek appropriate plug-in modules and supplemental packages such as network-manager-openconnect, network-manager-openvpn-gnome, network-manager-pptp-gnome, mobile-broadband-provider-info, gnome-bluetooth, etc.

5.3. The modern network configuration without GUI

Under systemd, the network may be configured in /etc/systemd/network/ instead. See systemd-resolved(8), resolved.conf(5), and systemd-networkd(8).

This allows the modern network configuration without GUI.

A DHCP client configuration can be set up by creating "/etc/systemd/network/dhcp.network". E.g.:

[Match]
Name=en*

[Network]
DHCP=yes

A static network configuration can be set up by creating "/etc/systemd/network/static.network". E.g.:

[Match]
Name=en*

[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1

5.4. The low level network configuration

For the low level network configuration on Linux, use the iproute2 programs (ip(8), …).

5.5. Network optimization

Generic network optimization is beyond the scope of this documentation. I touch only on subjects pertinent to consumer-grade connections.

5.5.1. Finding optimal MTU

The Maximum Transmission Unit (MTU) value can be determined experimentally with ping(8) and its "-M do" option: send ICMP packets with a data size starting from 1500 bytes (minus the 28-byte offset for the IP+ICMP headers) and find the largest size that gets through without IP fragmentation.

For example, try the following.

$ ping -c 1 -s $((1500-28)) -M do www.debian.org
PING www.debian.org (194.109.137.218) 1472(1500) bytes of data.
From 192.168.11.2 icmp_seq=1 Frag needed and DF set (mtu = 1454)

--- www.debian.org ping statistics ---
0 packets transmitted, 0 received, +1 errors

Try MTU=1454 instead of MTU=1500.

You see ping(8) succeed with MTU=1454.

If MTU is not 1500, you may want to configure MTU settings in NM.

This process is Path MTU (PMTU) discovery (RFC1191) and the tracepath(8) command can automate this.
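The manual procedure above can be scripted. This added example (not code from the Debian Reference; IPv4 only, since it assumes the 28-byte IPv4+ICMP header) binary-searches the largest payload that passes with the DF bit set, between the 576-byte IPv4 minimum MTU and the 1500-byte Ethernet MTU. The probe is passed in as a function name so that the search can run against a simulated path as well as against a real host with ping(8); the host name in the comments is a placeholder.

```shell
# probe_df SIZE HOST
# Real probe: one ICMP echo with the DF bit set ("-M do") carrying SIZE
# bytes of payload. Succeeds only if a reply came back, i.e. the packet
# crossed the path unfragmented. Needs network access.
probe_df() {
    ping -c 1 -W 2 -s "$1" -M do "$2" >/dev/null 2>&1
}

# pmtu_search PROBE HOST [MAX_PAYLOAD]
# Prints the path MTU: the largest payload PROBE accepts plus the 28 bytes
# of IPv4+ICMP header. The search starts from MAX_PAYLOAD (default 1472,
# the payload of a 1500-byte packet) and keeps the invariant
# "lo passes, hi fails". Fails if not even the 576-byte minimum MTU passes.
pmtu_search() {
    probe=$1; host=$2; hi=${3:-1472}; lo=548   # 576 - 28
    "$probe" "$lo" "$host" || { echo "no reply even at MTU 576" >&2; return 1; }
    "$probe" "$hi" "$host" && { echo $((hi + 28)); return 0; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + 28))
}

# Usage against a real host (placeholder name):
#   pmtu_search probe_df www.example.invalid
```

When the limiting hop answers with "Frag needed" as in the ping output above, the reported mtu value already gives the answer in one step. The search is still worth having for paths where that ICMP message never arrives (a filtering router, a so-called PMTU black hole): there the only observable symptom is the missing reply, which is exactly what the probe measures.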

[Tip] Tip

The above example with a PMTU value of 1454 is for my previous FTTP provider, which used Asynchronous Transfer Mode (ATM) as its backbone network and served its clients with PPPoE. The actual PMTU value depends on your environment, e.g., 1500 for my new FTTP provider.

In addition to these basic guidelines, you should know the following.

  • Any use of tunneling methods (VPN etc.) may reduce the optimal MTU further because of their overhead.

  • The MTU value should not exceed the experimentally determined PMTU value.

  • A bigger MTU value is generally better, provided the other limitations are met.

The maximum segment size (MSS) is used as an alternative measure of packet size. The relationship between MSS and MTU is as follows.

  • MSS = MTU - 40 for IPv4

  • MSS = MTU - 60 for IPv6

[Note] Note

The iptables(8) (see Section 5.6, “Netfilter infrastructure”) based optimization can clamp packet size by the MSS and is useful for the router. See "TCPMSS" in iptables(8).

5.5.2. WAN TCP optimization

TCP throughput can be maximized by adjusting the TCP buffer size parameters as described in "TCP Tuning Guide" and "TCP tuning" for modern high-bandwidth, high-latency WANs. So far, the current Debian default settings serve well even for my LAN connected by a fast 1 Gbps FTTP service.

5.6. Netfilter infrastructure

Netfilter provides the infrastructure for stateful firewalling and network address translation (NAT) with Linux kernel modules (see Section 3.8.1, “The kernel module initialization”).

The main user-space program for netfilter is iptables(8). You can configure netfilter manually and interactively from the shell, save its state with iptables-save(8), and restore it via an init script with iptables-restore(8) upon system reboot.
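The save/restore workflow above is easiest to see with a concrete ruleset in iptables-save(8) format. This added example (not code from the Debian Reference or from the netfilter project) generates a minimal stateful IPv4 ruleset: default DROP on INPUT, loopback and established/related traffic accepted, the given TCP ports opened, ICMP accepted so that the "Frag needed" messages PMTU discovery depends on still arrive, and, in the mangle table, the TCPMSS clamp for forwarded SYNs from the Note in Section 5.5.1 for the router case. install_ruleset writes the file, lets iptables-restore(8) parse it with "--test" before committing, and only then loads it; the file path is whatever your own restore script reads at boot (the path in the comment is an assumption, not something this chapter prescribes).

```shell
# stateful_ruleset [PORT...]
# Prints a minimal stateful IPv4 firewall in iptables-save(8) format.
# Each PORT is a TCP port to accept new connections on. Returns 1 on a
# malformed port (the output up to that point is incomplete: no COMMIT).
stateful_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    echo COMMIT
}

# install_ruleset FILE [PORT...]
# Writes the ruleset to FILE (e.g. /etc/iptables/rules.v4, assumed path),
# checks that iptables-restore can parse it without committing ("--test"),
# then loads it. Run as root; the boot-time restore is your init script's job.
install_ruleset() {
    file=$1; shift
    stateful_ruleset "$@" > "$file" || return 1
    iptables-restore --test < "$file" || { echo "ruleset rejected, not loaded" >&2; return 1; }
    iptables-restore < "$file"
}
```

Generating the file rather than typing rules interactively keeps the saved state and the intended policy identical, which is what makes iptables-save(8) output auditable: a diff of the file shows every change to the firewall.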

Configuration helper scripts such as shorewall ease this process.

See the documentation at http://www.netfilter.org/documentation/ (or in "/usr/share/doc/iptables/html/").

[Tip] Tip

Although these were written for Linux 2.4, both the iptables(8) command and the netfilter kernel functionality apply to the Linux 2.6 and 3.x kernel series.