Difference between revisions of "Open5gs: Konfigurasi Awal"
Onnowpurbo (talk | contribs) |
Line 169: | Line 169: | ||
+ | |||
+ | |||
+ | ==Tambahkan Router Untuk UE ke WAN / Internet== | ||
+ | |||
+ | Agar ada bridge antara PGWU/UPF dan WAN (Internet), kita perlu meng-enable IP forwarding dan NAT rule di IP Tables. | ||
+ | |||
+ | Untuk mengaktifkan forwarding dan NAT rule, ketik, | ||
+ | |||
+ | ### Enable IPv4/IPv6 Forwarding | ||
+ | sudo sysctl -w net.ipv4.ip_forward=1 | ||
+ | sudo sysctl -w net.ipv6.conf.all.forwarding=1 | ||
+ | |||
+ | ### Add NAT Rule | ||
+ | sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE | ||
+ | sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE | ||
+ | |||
+ | |||
+ | Konfigurasi firewall dengan benar. | ||
+ | |||
+ | Configure the firewall correctly. Some operating systems (Ubuntu) by default enable firewall rules to block traffic. | ||
+ | |||
+ | $ sudo ufw status | ||
+ | Status: active | ||
+ | $ sudo ufw disable | ||
+ | Firewall stopped and disabled on system startup | ||
+ | $ sudo ufw status | ||
+ | Status: inactive | ||
+ | Optionally, you may consider the settings below for security purposes. | ||
+ | |||
+ | ### Ensure that the packets in the `INPUT` chain to the `ogstun` interface are accepted | ||
+ | $ sudo iptables -I INPUT -i ogstun -j ACCEPT | ||
+ | |||
+ | ### Prevent UE's from connecting to the host on which UPF is running | ||
+ | $ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP | ||
+ | $ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP | ||
+ | |||
+ | ### If your core network runs over multiple hosts, you probably want to block | ||
+ | ### UE originating traffic from accessing other network functions. | ||
+ | ### Replace x.x.x.x/y with the VNFs IP/subnet | ||
+ | $ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP | ||
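Review bot: `sudo ufw disable` in the firewall step switches the host firewall off completely, while the rules that keep UEs (10.45.0.0/16, 2001:db8:cafe::/48) away from the UPF host are introduced only as optional. Suggest either keeping ufw enabled and allowing the traffic the core needs, or moving the two `-I INPUT ... -j DROP` rules into the required steps. The multi-host `FORWARD` DROP also has no `ip6tables` counterpart for 2001:db8:cafe::/48, and the section should say that `sysctl -w` and the iptables rules do not survive a reboot. The line "Konfigurasi firewall dengan benar." repeats the English sentence that follows it and can be dropped.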
Revision as of 09:42, 23 July 2023
Source: https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/
PLMN notes
- International Test Network PLMN 001/01
- International Private Network PLMN 999/99
5G Core
Modify /etc/open5gs/amf.yaml to set the NGAP IP address, PLMN ID, TAC and NSSAI.
    cd /usr/local/src/open5gs/install/etc/open5gs
If Open5GS was installed from a binary package, cd to this folder instead:
    cd /etc/open5gs
    cp amf.yaml amf.yaml.old
    vi amf.yaml
Make sure it contains:
    amf:
        sbi:
          - addr: 127.0.0.5
            port: 7777
        ngap:
    #      - addr: 127.0.0.5
          - addr: 10.10.0.5
        metrics:
          - addr: 127.0.0.5
            port: 9090
        guami:
          - plmn_id:
    #          mcc: 999
    #          mnc: 70
              mcc: 001
              mnc: 01
            amf_id:
              region: 2
              set: 1
        tai:
          - plmn_id:
    #          mcc: 999
    #          mnc: 70
              mcc: 001
              mnc: 01
            tac: 1
        plmn_support:
          - plmn_id:
    #          mcc: 999
    #          mnc: 70
              mcc: 001
              mnc: 01
            s_nssai:
              - sst: 1
        security:
            integrity_order : [ NIA2, NIA1, NIA0 ]
            ciphering_order : [ NEA0, NEA1, NEA2 ]
        network_name:
            full: Open5GS
        amf_name: open5gs-amf0
Modify install/etc/open5gs/upf.yaml to set the GTP-U and PFCP IP addresses.
    cd /usr/local/src/open5gs/install/etc/open5gs
If Open5GS was installed from a binary package, cd to this folder instead:
    cd /etc/open5gs
    cp upf.yaml upf.yaml.old
    vi upf.yaml
Make sure it contains:
    upf:
        pfcp:
          - addr: 127.0.0.7
        gtpu:
    #      - addr: 127.0.0.7
          - addr: 10.11.0.7
        subnet:
          - addr: 10.45.0.1/16
          - addr: 2001:db8:cafe::1/48
        metrics:
          - addr: 127.0.0.7
            port: 9090
Restart Open5GS:
    sudo systemctl restart open5gs-amfd
    sudo systemctl restart open5gs-upfd
4G / 5G NSA Core
Modify install/etc/open5gs/mme.yaml to set the S1AP IP address, PLMN ID, and TAC.
    cd /usr/local/src/open5gs/install/etc/open5gs
If Open5GS was installed from a binary package, cd to this folder instead:
    cd /etc/open5gs
    cp mme.yaml mme.yaml.old
    vi mme.yaml
Make sure it contains:
    mme:
        freeDiameter: /etc/freeDiameter/mme.conf
        s1ap:
    #      - addr: 127.0.0.2
          - addr: 10.10.0.2
        gtpc:
          - addr: 127.0.0.2
        metrics:
          - addr: 127.0.0.2
            port: 9090
        gummei:
          plmn_id:
    #        mcc: 999
    #        mnc: 70
            mcc: 001
            mnc: 01
          mme_gid: 2
          mme_code: 1
        tai:
          plmn_id:
    #        mcc: 999
    #        mnc: 70
            mcc: 001
            mnc: 01
          tac: 1
        security:
            integrity_order : [ EIA2, EIA1, EIA0 ]
            ciphering_order : [ EEA0, EEA1, EEA2 ]
        network_name:
            full: Open5GS
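The `security` blocks in amf.yaml and mme.yaml above list algorithms in preference order, and NEA0/EEA0 and NIA0/EIA0 are the null ciphering and integrity algorithms. The script below is an added example, not part of Open5GS or the original page; it reports where a null algorithm is preferred or still offered, and assumes the one-line list syntax shown in those files (function names and the sample file are constructed for illustration).

```bash
# Added example: flag null algorithms in the `security` block of
# amf.yaml / mme.yaml. Assumes the one-line "[ A, B, C ]" list syntax.

# order_of KEY FILE -> algorithms of the first uncommented KEY line, space separated
order_of() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\[\(.*\)].*/\1/p" "$2" |
        head -n 1 | tr -d ' ' | tr ',' ' '
}

# audit_security FILE -> one finding per line; no output if no null algorithm is offered
audit_security() (
    for key in integrity_order ciphering_order; do
        algs=$(order_of "$key" "$1")
        [ -n "$algs" ] || continue
        first=${algs%% *}
        case "$first" in
            *A0) echo "$key: null algorithm $first is the first choice" ;;
            *)   case " $algs " in
                     *"A0 "*) echo "$key: null algorithm is still offered as a fallback ($algs)" ;;
                 esac ;;
        esac
    done
)

# Constructed sample: the security block from the amf.yaml shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
amf:
    security:
        integrity_order : [ NIA2, NIA1, NIA0 ]
        ciphering_order : [ NEA0, NEA1, NEA2 ]
EOF
audit_security "$sample"
```

Run it against the real files with `audit_security /etc/open5gs/amf.yaml` and `audit_security /etc/open5gs/mme.yaml`.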
Modify install/etc/open5gs/sgwu.yaml to set the GTP-U IP address.
    cd /usr/local/src/open5gs/install/etc/open5gs
If Open5GS was installed from a binary package, cd to this folder instead:
    cd /etc/open5gs
    cp sgwu.yaml sgwu.yaml.old
    vi sgwu.yaml
Make sure it contains:
    sgwu:
        pfcp:
          - addr: 127.0.0.6
        gtpu:
    #      - addr: 127.0.0.6
          - addr: 10.11.0.6
Restart:
    sudo systemctl restart open5gs-mmed
    sudo systemctl restart open5gs-sgwud
If Open5GS was compiled from source, the systemctl service scripts may not exist yet. This will cause an ERROR.
Add a Router for UEs to the WAN / Internet
To bridge the PGWU/UPF and the WAN (Internet), we need to enable IP forwarding and add a NAT rule in iptables.
To enable forwarding and the NAT rule, type:
    ### Enable IPv4/IPv6 Forwarding
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo sysctl -w net.ipv6.conf.all.forwarding=1
    ### Add NAT Rule
    sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
    sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
Configure the firewall correctly. Some operating systems (Ubuntu) by default enable firewall rules to block traffic.
    $ sudo ufw status
    Status: active
    $ sudo ufw disable
    Firewall stopped and disabled on system startup
    $ sudo ufw status
    Status: inactive
Optionally, you may consider the settings below for security purposes.
- Ensure that the packets in the `INPUT` chain to the `ogstun` interface are accepted
    $ sudo iptables -I INPUT -i ogstun -j ACCEPT
- Prevent UEs from connecting to the host on which UPF is running
    $ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
    $ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
- If your core network runs over multiple hosts, you probably want to block UE-originating traffic from accessing other network functions. Replace x.x.x.x/y with the VNF's IP/subnet
    $ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
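Because `-I` inserts at the head of a chain, the DROP rule added last ends up above the `ogstun` ACCEPT, so the result depends on the order the commands are run in. The script below is an added example, not from the original page or the Open5GS docs; it audits an `iptables-save` dump (taken without `-c`) for the NAT rule and for that ordering, using constructed dumps and hypothetical function names.

```bash
# Added example: audit an `iptables-save` dump for the UE rules on this page.
# Assumes a dump without counters and the exact rule text the page's commands produce.

# audit_ue_rules DUMP UE_NET TUN -> one finding per line, nothing if all is in place
audit_ue_rules() {
    awk -v net="$2" -v tun="$3" '
        /^\*/ { table = substr($0, 2); next }      # table markers: *nat, *filter
        table == "nat" && $0 == ("-A POSTROUTING -s " net " ! -o " tun " -j MASQUERADE") { nat = 1 }
        table == "filter" && $2 == "INPUT" {
            pos++                                   # position inside the INPUT chain
            if ($0 == ("-A INPUT -s " net " -j DROP") && !drop)   { drop = pos }
            if ($0 == ("-A INPUT -i " tun " -j ACCEPT") && !acc)  { acc = pos }
        }
        END {
            if (!nat)  { print "nat: no MASQUERADE rule for " net }
            if (!drop) { print "filter: no INPUT DROP for " net }
            else if (acc && acc < drop) {
                print "filter: ACCEPT on " tun " (rule " acc ") is matched before the DROP (rule " drop ")"
            }
        }' "$1"
}

# make_dump FILE RULE1 RULE2 -> constructed dump with the two INPUT rules in that order
make_dump() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE' 'COMMIT' \
        '*filter' ':INPUT ACCEPT [0:0]' "$2" "$3" 'COMMIT' > "$1"
}

DROP_RULE='-A INPUT -s 10.45.0.0/16 -j DROP'
ACCEPT_RULE='-A INPUT -i ogstun -j ACCEPT'
good=$(mktemp); bad=$(mktemp)
make_dump "$good" "$DROP_RULE" "$ACCEPT_RULE"   # order left by the -I commands above
make_dump "$bad"  "$ACCEPT_RULE" "$DROP_RULE"   # same rules appended with -A instead

audit_ue_rules "$good" 10.45.0.0/16 ogstun      # prints nothing
audit_ue_rules "$bad"  10.45.0.0/16 ogstun      # reports the shadowed DROP
```

On a live host, feed it the real state with `sudo iptables-save > /tmp/rules && audit_ue_rules /tmp/rules 10.45.0.0/16 ogstun`.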