Setting Up a Point-to-Point Network Connection

Peter Boy Versio all up to F38 Last review: 2023-04-18

This configuration is a special case for environments with specific security requirements, where the connection of network nodes to each other is subject to limitation and control.

How it works

Typically, a server (or desktop) is directly connected to a local network and all devices can connect directly to each other. In some environments, this is exactly what is not desired. Instead, each server (or desktop) is limited to connect directly only to a network access device, which can filter, block, or allow the data stream according to a variety of criteria. Typical use cases are high-security environments or data centers that offer collocation or dedicated, self-administered servers. In the latter case, the aim is simply to prevent administrators from inadvertently "hijacking" other customer’s IP addresses by typing errors.

The limiting is handled exclusively in the network connection device mimicking an ordinary switch, bridge or router, completely uninfluenced by and independent of the individual servers or desktops. On the surface, they use a completely normal IP network structure.

In a IPv4 network, a server unaware of the underlying limitation tries to establish connections as usual and fails at destinations within the same subnet. Instead, the IPv4 address of the server must be configured as a /32 address, i.e. a network with only one node. However, the gateway is then located outside of the own network and must be configured explicitly in order to be reachable. If the other nodes of the own subnet do not need to be reachable, a usual network configuration can be used.

For an IPv6 configuration, it is sufficient to specify the link address of the gateway.

Configuration of current Fedora releases

Given an interface enp1s0 with IPv4 address of 192.168.133.100 and the gateway 192.168.133.1 you may configure the interface

[…]# nmcli con mod enp1s0 ipv4.method manual ipv4.addresses '192.168.133.100/32' \
     ipv4.gateway '192.168.133.1' ipv4.dns '192.172.1.1'

This will result in a configuration file like

[…]# less /etc/NetworkManager/system-connections/enp1s0.nmconnection
[connection]
id=enp1s0
uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type=ethernet
interface-name=enp1s0
timestamp=1671717608

[ethernet]

[ipv4]
address1=192.168.133.100/32,192.168.133.1
dns=192.172.1.1
method=manual

[ipv6]
addr-gen-mode=eui64
address1=2a01:4f8:xxx:yyyy::2/64,fe80::1
dns=2a01:4f8:xxx:yy::zzz:1010;
method=manual

[proxy]

An alternative notation for the IPv4 part is

[ipv4]
address1=192.168.133.100/32
method=manual
route1=0.0.0.0/0,192.168.133.1

In any case you get a

[…]# ip r
default via 192.168.133.1 dev enp1s0 proto static metric 100
192.168.133.1 dev enp1s0 proto static scope link metric 100

Pre Fedora 35 configuration

These Fedora releases used ifcfg-IF_NAME files in /etc/sysconfig/network-scripts/. This method dates back to the time before NetworkManager was introduced and network connections were managed with a collection of shell scripts. The shell scripts disappeared with the introduction of NetworkManager, but the configuration files if cfg-NAME was retained as the default configuration method in Release 36 for backward compatibility.

Usually, you configure the interface using a text editor, eg given the above example

[…]# vim /etc/sysconfig/network-scripts/ifcfg-enp1s0
DEVICE=enp1s0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.133.100
PREFIX=32
SCOPE="peer 192.168.133.1"
DEFROUTE=yes

IPV6INIT=yes
IPV6ADDR=2a01:4f8:xxx:yyyy::2/64
IPV6_DEFAULTGW=fe80::1
IPV6_DEFROUTE=yes
IPV6_DEFAULTDEV=enp1s0

Additionally you need a routing table.

[…]# vim /etc/sysconfig/network-scripts/route-enp1s0
ADDRESS0=0.0.0.0
NETMASK0=0.0.0.0
GATEWAY0=192.168.133.1

Both variants result again in a

[…]# ip r
default via 192.168.133.1 dev enp1s0 proto static metric 100
192.168.133.1 dev enp1s0 proto static scope link metric 100

Using systemd-networkd

Some server administrators might prefer systemd-network over NetworkManager. Many of the NetworkManager features are very useful for desktops and laptops, but rather superfluous for servers. The configuration tool is a plain text editor.

[…]# vim /etc/systemd/network/10-public.network
[Match]
MACAddress=12:34:56:78:9a:bc # or another identifier

[Network]
Gateway=192.168.133.1

[Address]
Address=192.168.133.100/32  #  /32 suffix is optional here
Peer=192.168.133.1/32       # Gateway, /32 suffix mandatory here

Configuration of IPv6 is done as usual by specifying the address and the gateway.