Difference between revisions of "Open5gs: Konfigurasi Awal"

From OnnoWiki

Revision as of 10:25, 23 July 2023

Source: https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/


PLMN Notes

  • International Test Network PLMN 001/01
  • International Private Network PLMN 999/99


5G Core

Modify /etc/open5gs/amf.yaml to set the NGAP IP address, PLMN ID, TAC and NSSAI.

cd /usr/local/src/open5gs/install/etc/open5gs

If Open5GS was installed from binaries, cd to this folder instead:

cd /etc/open5gs
cp amf.yaml amf.yaml.old
vi amf.yaml

Make sure it contains:

amf:
    sbi:
      - addr: 127.0.0.5
        port: 7777
    ngap:
      #      - addr: 127.0.0.5
      - addr: 10.10.0.5
    metrics:
      - addr: 127.0.0.5
        port: 9090
    guami:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        amf_id:
          region: 2
          set: 1
    tai:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        tac: 1
    plmn_support:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        s_nssai:
          - sst: 1
    security:
        integrity_order : [ NIA2, NIA1, NIA0 ]
        ciphering_order : [ NEA0, NEA1, NEA2 ]
    network_name:
        full: Open5GS
    amf_name: open5gs-amf0


Modify install/etc/open5gs/upf.yaml to set the GTP-U and PFCP IP addresses.

cd /usr/local/src/open5gs/install/etc/open5gs

If Open5GS was installed from binaries, cd to this folder instead:

cd /etc/open5gs
cp upf.yaml upf.yaml.old
vi upf.yaml

Make sure it contains:

upf:
    pfcp:
      - addr: 127.0.0.7
    gtpu:
      #      - addr: 127.0.0.7
      - addr: 10.11.0.7
    subnet:
      - addr: 10.45.0.1/16
      - addr: 2001:db8:cafe::1/48
    metrics:
      - addr: 127.0.0.7
        port: 9090

Restart Open5GS:

sudo systemctl restart open5gs-amfd
sudo systemctl restart open5gs-upfd


4G/5G NSA Core

Modify install/etc/open5gs/mme.yaml to set the S1AP IP address, PLMN ID and TAC.

cd /usr/local/src/open5gs/install/etc/open5gs

If Open5GS was installed from binaries, cd to this folder instead:

cd /etc/open5gs
cp mme.yaml mme.yaml.old
vi mme.yaml

Make sure it contains:

mme:
    freeDiameter: /etc/freeDiameter/mme.conf
    s1ap:
      #      - addr: 127.0.0.2
      - addr: 10.10.0.2
    gtpc:
      - addr: 127.0.0.2
    metrics:
      - addr: 127.0.0.2
        port: 9090
    gummei:
      plmn_id:
        #        mcc: 999
        #        mnc: 70
        mcc: 001
        mnc: 01
      mme_gid: 2
      mme_code: 1
    tai:
      plmn_id:
        #        mcc: 999
        #        mnc: 70
        mcc: 001
        mnc: 01
      tac: 1
    security:
        integrity_order : [ EIA2, EIA1, EIA0 ]
        ciphering_order : [ EEA0, EEA1, EEA2 ]
    network_name:
        full: Open5GS

Modify install/etc/open5gs/sgwu.yaml to set the GTP-U IP address.

cd /usr/local/src/open5gs/install/etc/open5gs

If Open5GS was installed from binaries, cd to this folder instead:

cd /etc/open5gs
cp sgwu.yaml sgwu.yaml.old
vi sgwu.yaml

Make sure it contains:

sgwu:
    pfcp:
      - addr: 127.0.0.6
    gtpu:
      #      - addr: 127.0.0.6
      - addr: 10.11.0.6

Restart:

sudo systemctl restart open5gs-mmed
sudo systemctl restart open5gs-sgwud

If Open5GS was compiled from source, the scripts for systemctl may not exist yet. This will cause an ERROR.




Setup TUN device (not persistent)

Create a TUN device with the interface name ogstun.

sudo ip tuntap add name ogstun mode tun
sudo ip addr add 10.45.0.1/16 dev ogstun
sudo ip addr add 2001:db8:cafe::1/48 dev ogstun
sudo ip link set ogstun up

Tip: a script is available at $GIT_REPO/misc/netconf.sh that makes it easy to configure the TUN device:

sudo ./misc/netconf.sh


Add a Route for UEs to the WAN / Internet

To bridge the PGWU/UPF and the WAN (Internet), we need to enable IP forwarding and add a NAT rule in iptables.

To enable forwarding and the NAT rule, type:

### Enable IPv4/IPv6 Forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
### Add NAT Rule
sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE


Configure the firewall correctly. Some operating systems (Ubuntu) enable firewall rules by default that block traffic.

$ sudo ufw status
Status: active
$ sudo ufw disable
Firewall stopped and disabled on system startup
$ sudo ufw status
Status: inactive

Optionally, you may consider the settings below for security purposes.

### Ensure that the packets in the `INPUT` chain to the `ogstun` interface are accepted
$ sudo iptables -I INPUT -i ogstun -j ACCEPT

### Prevent UEs from connecting to the host on which UPF is running
$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP

### If your core network runs over multiple hosts, you probably want to block
### UE originating traffic from accessing other network functions.
### Replace x.x.x.x/y with the VNFs IP/subnet
$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
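
Because `iptables -I` inserts at the top of a chain, the commands above leave the UE DROP rule ahead of the `ogstun` ACCEPT rule; run in the opposite order, the ACCEPT matches first and UEs can reach the UPF host. The following check is an added example, not part of the original page or the Open5GS documentation: the function name `audit_ue_rules` and both sample dumps are constructed for illustration, and it reads `iptables-save` output on stdin.

```shell
#!/usr/bin/env bash
# Added example (not from the Open5GS docs): audit an iptables-save dump
# against the NAT and UE-isolation rules shown on this page.
# Live use: sudo iptables-save | audit_ue_rules 10.45.0.0/16 ogstun

audit_ue_rules() {   # hypothetical helper; reads the dump on stdin
    awk -v net="$1" -v tun="$2" '
        /^\*/ { table = substr($0, 2) }          # table header: *nat, *filter
        table == "nat" && $0 == ("-A POSTROUTING -s " net " ! -o " tun " -j MASQUERADE") { nat = NR }
        table == "filter" && $0 == ("-A INPUT -s " net " -j DROP")   && !drop { drop = NR }
        table == "filter" && $0 == ("-A INPUT -i " tun " -j ACCEPT") && !acc  { acc = NR }
        END {
            if (!nat)  { print "FAIL no MASQUERADE rule for " net; bad++ }
            if (!drop) { print "FAIL no INPUT DROP for " net " (UEs can reach the UPF host)"; bad++ }
            else if (acc && acc < drop) { print "FAIL ACCEPT on " tun " precedes DROP for " net; bad++ }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed dump: rule order left by the commands above (-I puts DROP on top).
sample_good() { cat <<'EOF'
*nat
-A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
COMMIT
*filter
-A INPUT -s 10.45.0.0/16 -j DROP
-A INPUT -i ogstun -j ACCEPT
COMMIT
EOF
}

# Constructed dump: the two -I commands were run in the opposite order.
sample_shadowed() { cat <<'EOF'
*nat
-A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
COMMIT
*filter
-A INPUT -i ogstun -j ACCEPT
-A INPUT -s 10.45.0.0/16 -j DROP
COMMIT
EOF
}

sample_good     | audit_ue_rules 10.45.0.0/16 ogstun || true
sample_shadowed | audit_ue_rules 10.45.0.0/16 ogstun || true
```

The same function checks the IPv6 rules when fed `ip6tables-save` output with `2001:db8:cafe::/48` as the first argument.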
