Difference between revisions of "Open5gs: Konfigurasi Awal"

From OnnoWiki
Line 169: Line 169:
  
  
 +
 +
 +
==Tambahkan Router Untuk UE ke WAN / Internet==
 +
 +
Agar ada bridge antara PGWU/UPF dan WAN (Internet), kita perlu meng-enable IP forwarding dan NAT rule di IP Tables.
 +
 +
Untuk mengaktifkan forwarding dan NAT rule, ketik,
 +
 +
### Enable IPv4/IPv6 Forwarding
 +
sudo sysctl -w net.ipv4.ip_forward=1
 +
sudo sysctl -w net.ipv6.conf.all.forwarding=1
 +
 +
### Add NAT Rule
 +
sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
 +
sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
 +
 +
 +
Konfigurasi firewall dengan benar.
 +
 +
Configure the firewall correctly. Some operating systems (Ubuntu) by default enable firewall rules to block traffic.
 +
 +
$ sudo ufw status
 +
Status: active
 +
$ sudo ufw disable
 +
Firewall stopped and disabled on system startup
 +
$ sudo ufw status
 +
Status: inactive
 +
Optionally, you may consider the settings below for security purposes.
 +
 +
### Ensure that the packets in the `INPUT` chain to the `ogstun` interface are accepted
 +
$ sudo iptables -I INPUT -i ogstun -j ACCEPT
 +
 +
### Prevent UE's from connecting to the host on which UPF is running
 +
$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
 +
$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
 +
 +
### If your core network runs over multiple hosts, you probably want to block
 +
### UE originating traffic from accessing other network functions.
 +
### Replace x.x.x.x/y with the VNFs IP/subnet
 +
$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
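Review bot: the FORWARD rule at the end of the added section covers IPv4 only (`iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP`), although the NAT and INPUT rules above it also handle 2001:db8:cafe::/48, so this rule does not stop UE IPv6 traffic from reaching other network functions; add the matching `ip6tables -I FORWARD` rule for the VNFs' IPv6 prefix. The `sudo ufw disable` step turns off the host firewall entirely while the rules that restrict UE traffic are presented as optional, and the `sysctl -w` and iptables settings do not persist across a reboot; both points deserve a sentence in the text. The section also switches from Indonesian to English halfway through.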
  
  

Revision as of 09:42, 23 July 2023

Source: https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/


PLMN Notes

  • International Test Network PLMN 001/01
  • International Private Network PLMN 999/99


5G Core

Modify /etc/open5gs/amf.yaml to set the NGAP IP address, PLMN ID, TAC and NSSAI.

cd /usr/local/src/open5gs/install/etc/open5gs

If you installed from binary packages, cd to this folder instead:

cd /etc/open5gs
cp amf.yaml amf.yaml.old
vi amf.yaml

Make sure the file contains:

amf:
    sbi:
      - addr: 127.0.0.5
        port: 7777
    ngap:
      #      - addr: 127.0.0.5
      - addr: 10.10.0.5
    metrics:
      - addr: 127.0.0.5
        port: 9090
    guami:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        amf_id:
          region: 2
          set: 1
    tai:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        tac: 1
    plmn_support:
      - plmn_id:
        #          mcc: 999
        #          mnc: 70
          mcc: 001
          mnc: 01
        s_nssai:
          - sst: 1
    security:
        integrity_order : [ NIA2, NIA1, NIA0 ]
        ciphering_order : [ NEA0, NEA1, NEA2 ]
    network_name:
        full: Open5GS
    amf_name: open5gs-amf0


Modify install/etc/open5gs/upf.yaml to set the GTP-U and PFCP IP addresses.

cd /usr/local/src/open5gs/install/etc/open5gs

If you installed from binary packages, cd to this folder instead:

cd /etc/open5gs
cp upf.yaml upf.yaml.old
vi upf.yaml

Make sure the file contains:

upf:
    pfcp:
      - addr: 127.0.0.7
    gtpu:
      #      - addr: 127.0.0.7
      - addr: 10.11.0.7
    subnet:
      - addr: 10.45.0.1/16
      - addr: 2001:db8:cafe::1/48
    metrics:
      - addr: 127.0.0.7
        port: 9090

Restart Open5GS:

sudo systemctl restart open5gs-amfd
sudo systemctl restart open5gs-upfd


4G / 5G NSA Core

Modify install/etc/open5gs/mme.yaml to set the S1AP IP address, PLMN ID, and TAC.

cd /usr/local/src/open5gs/install/etc/open5gs

If you installed from binary packages, cd to this folder instead:

cd /etc/open5gs
cp mme.yaml mme.yaml.old
vi mme.yaml

Make sure the file contains:

mme:
    freeDiameter: /etc/freeDiameter/mme.conf
    s1ap:
      #      - addr: 127.0.0.2
      - addr: 10.10.0.2
    gtpc:
      - addr: 127.0.0.2
    metrics:
      - addr: 127.0.0.2
        port: 9090
    gummei:
      plmn_id:
        #        mcc: 999
        #        mnc: 70
        mcc: 001
        mnc: 01
      mme_gid: 2
      mme_code: 1
    tai:
      plmn_id:
        #        mcc: 999
        #        mnc: 70
        mcc: 001
        mnc: 01
      tac: 1
    security:
        integrity_order : [ EIA2, EIA1, EIA0 ]
        ciphering_order : [ EEA0, EEA1, EEA2 ]
    network_name:
        full: Open5GS

Modify install/etc/open5gs/sgwu.yaml to set the GTP-U IP address.

cd /usr/local/src/open5gs/install/etc/open5gs

If you installed from binary packages, cd to this folder instead:

cd /etc/open5gs
cp sgwu.yaml sgwu.yaml.old
vi sgwu.yaml

Make sure the file contains:

sgwu:
    pfcp:
      - addr: 127.0.0.6
    gtpu:
      #      - addr: 127.0.0.6
      - addr: 10.11.0.6

Restart:

sudo systemctl restart open5gs-mmed
sudo systemctl restart open5gs-sgwud

If we compiled open5gs from source, the scripts for systemctl may not exist yet. This will cause an ERROR.




Add Routing for UEs to the WAN / Internet

To bridge the PGWU/UPF and the WAN (Internet), we need to enable IP forwarding and add a NAT rule in iptables.

To enable forwarding and add the NAT rule, type:

### Enable IPv4/IPv6 Forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
### Add NAT Rule
sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE


Configure the firewall correctly. Some operating systems (Ubuntu) by default enable firewall rules to block traffic.

$ sudo ufw status
Status: active
$ sudo ufw disable
Firewall stopped and disabled on system startup
$ sudo ufw status
Status: inactive

Optionally, you may consider the settings below for security purposes.

### Ensure that the packets in the `INPUT` chain to the `ogstun` interface are accepted
$ sudo iptables -I INPUT -i ogstun -j ACCEPT

### Prevent UEs from connecting to the host on which UPF is running
$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP

### If your core network runs over multiple hosts, you probably want to block
### UE originating traffic from accessing other network functions.
### Replace x.x.x.x/y with the VNFs' IP/subnet
$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
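Because `-I` inserts at the top of a chain, the order in which the two INPUT commands above are typed decides whether a UE packet can reach the host. The following is an added example, not code from the original page or from the Open5GS project; it models that ordering on constructed rule lists, and the function names and the simplified matcher (it only understands `-i` and `-s`) are assumptions of the example.

```shell
#!/bin/sh
# Added example: models how `iptables -I` ordering decides what a UE packet hits.
UE_NET="10.45.0.0/16"   # UE pool from upf.yaml on this page
TUN="ogstun"

# chain_after_inserts: read rule specs (one per line, in the order the
# `iptables -I INPUT ...` commands are typed) and print the resulting chain.
# -I without an index inserts at position 1, so the last command ends up first.
chain_after_inserts() {
    awk '{ line[NR] = $0 } END { for (i = NR; i >= 1; i--) print "-A INPUT " line[i] }'
}

# ue_to_host_verdict: read a chain in `iptables -S INPUT` format and print the
# target of the first rule matching a packet from UE_NET arriving on TUN.
# Assumption: only the two match forms used on this page (-i IFACE, -s CIDR)
# are modelled; rules with other matchers are skipped. Falls back to the policy.
ue_to_host_verdict() {
    awk -v net="$UE_NET" -v tun="$TUN" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" {
            ok = 1; target = ""
            for (i = 3; i <= NF; i += 2) {
                if      ($i == "-i") ok = ok && ($(i+1) == tun)
                else if ($i == "-s") ok = ok && ($(i+1) == net)
                else if ($i == "-j") target = $(i+1)
                else ok = 0
            }
            if (ok && target != "" && verdict == "") verdict = target
        }
        END { print (verdict != "" ? verdict : (policy != "" ? policy : "ACCEPT")) }'
}

# Constructed inputs: the page's command order, and the same commands swapped.
page_order() {
    printf '%s\n' "-i $TUN -j ACCEPT" "-s $UE_NET -j DROP" | chain_after_inserts
}
swapped_order() {
    printf '%s\n' "-s $UE_NET -j DROP" "-i $TUN -j ACCEPT" | chain_after_inserts
}
echo "page order:    $(page_order | ue_to_host_verdict)"
echo "swapped order: $(swapped_order | ue_to_host_verdict)"
```

On a live UPF host, the output of `sudo iptables -S INPUT` can be piped into `ue_to_host_verdict` to confirm that the DROP rule sits above the `ogstun` ACCEPT rule.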

