Welcome back to Linux Networking Mastery!
We have now covered the essentials through practical services and visibility:
- Part 1 – network stack basics and inspection tools
- Part 2 – interface and IP configuration (temporary + persistent via Netplan, nmcli, systemd-networkd)
- Part 3 – routing tables, static/policy routing, namespaces, simple router setup
- Part 4 – name resolution, systemd-resolved, per-link/global DNS, troubleshooting
- Part 5 – firewalls with nftables, firewalld, ufw, stateful rules
- Part 6 – services (hardened SSH, Nginx basics, NFS/Samba shares, DHCP with dnsmasq)
- Part 7 – monitoring (ss, tcpdump, iperf3, iftop), troubleshooting workflows
In this installment we move into more sophisticated link-layer and tunneling capabilities that are common in production environments, virtualization hosts, high-availability setups, and secure remote access.
We'll cover:
- Interface bonding (for redundancy and bandwidth aggregation)
- VLAN tagging (802.1Q segmentation)
- Software bridges (Layer-2 switching in software)
- Modern tunneling with a deep focus on WireGuard (the dominant choice in 2026 for new deployments) and a brief comparison to OpenVPN
These features frequently appear together (e.g., VLANs over bonds, bridges for VMs/containers).
1. Interface Bonding / Teaming
Bonding combines multiple physical interfaces into one logical interface (bond0) for failover (redundancy) or increased throughput.
Common modes (2026 best practices):
- mode=1 (active-backup) – simple failover
- mode=4 (802.3ad / LACP) – dynamic link aggregation (requires switch support)
- mode=0 (balance-rr) – round-robin load balancing (no switch config needed, but can cause out-of-order packets)
Modern configuration (using ip + systemd-networkd or NetworkManager):
Using systemd-networkd (recommended for servers):
Create /etc/systemd/network/20-bond.netdev:
[NetDev]
Name=bond0
Kind=bond
[Bond]
Mode=802.3ad
MIIMonitorSec=100ms
LACPTransmitRate=fast
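Then /etc/systemd/network/25-bond0.network:
[Match]
Name=bond0
[Network]
Address=192.168.10.10/24
Gateway=192.168.10.1
Attach the member interfaces (slaves) from their own .network file, for example /etc/systemd/network/21-bond0-members.network. The Bond= setting belongs there and names the bond:
[Match]
Name=enp1s0 enp2s0
[Network]
Bond=bond0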
Using nmcli (Fedora/RHEL desktops/servers):
sudo nmcli con add type bond con-name bond0 ifname bond0 mode 802.3ad # con-name lets the later "con mod bond0" and "con up bond0" find the profile
sudo nmcli con add type ethernet ifname enp1s0 master bond0
sudo nmcli con add type ethernet ifname enp2s0 master bond0
sudo nmcli con mod bond0 ipv4.method manual ipv4.addresses 192.168.10.10/24 ipv4.gateway 192.168.10.1
sudo nmcli con up bond0
Verify:
cat /proc/net/bonding/bond0
ip link show bond0
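To turn the /proc/net/bonding/bond0 check above into something scriptable, the following added example (not part of the original article) lists members whose link is down or that sit outside the active LACP aggregator, which usually points at a switch port not configured for LACP. The function name and the sample status text are constructed for illustration.

```sh
# Added example: list bond members that are down or outside the active LACP aggregator.
bond_problems() {   # usage: bond_problems < /proc/net/bonding/bond0
  awk '
    /^Slave Interface:/        { slave = $3; next }
    /^Active Aggregator Info:/ { in_active = 1; next }
    # The indented ID under "Active Aggregator Info" is the bond-wide aggregator.
    /Aggregator ID:/ && in_active && slave == "" { active = $NF; in_active = 0; next }
    # Per-member fields follow each "Slave Interface:" line.
    /^MII Status:/ && slave != "" && $3 != "up" { print slave ": link " $3 }
    /^Aggregator ID:/ && slave != "" && active != "" && $NF != active {
      print slave ": aggregator " $NF " (active is " active ")"
    }
  '
}

# Constructed, trimmed sample of the status file for an 802.3ad bond.
sample_bond() {
  cat <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: fast
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1

Slave Interface: enp1s0
MII Status: up
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: enp2s0
MII Status: down
Link Failure Count: 3
Aggregator ID: 2
EOF
}

sample_bond | bond_problems
```

In active-backup mode there is no aggregator section, so only the link-state check applies.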
2. VLAN Configuration (802.1Q)
VLANs segment traffic at Layer 2 without separate physical switches.
Create VLAN interface on top of physical or bond:
sudo ip link add link enp0s3 name enp0s3.10 type vlan id 10
sudo ip addr add 192.168.10.5/24 dev enp0s3.10
sudo ip link set enp0s3.10 up
Persistent (systemd-networkd):
/etc/systemd/network/30-vlan10.netdev:
[NetDev]
Name=enp0s3.10
Kind=vlan
[VLAN]
Id=10
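/etc/systemd/network/35-vlan10.network:
[Match]
Name=enp0s3.10
[Network]
Address=192.168.10.5/24
The parent interface's own .network file must also list the VLAN in its [Network] section, otherwise systemd-networkd does not create it:
[Match]
Name=enp0s3
[Network]
VLAN=enp0s3.10
For a VLAN-aware bridge (common in virtualization), see the bridge section below.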
3. Bridge Interfaces
Bridges act as virtual Layer-2 switches, forwarding frames based on MAC addresses. Essential for VMs, containers, KVM/libvirt, or multi-homed setups.
Create simple bridge:
sudo ip link add name br0 type bridge
sudo ip link set enp1s0 master br0
sudo ip link set enp2s0 master br0
sudo ip link set br0 up
Add IP to bridge (not ports):
sudo ip addr add 192.168.50.1/24 dev br0
VLAN-aware bridge (recommended 2026 practice):
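sudo ip link add name br0 type bridge vlan_filtering 1
sudo ip link set enp1s0 master br0 # ports must be bridge members before VLANs can be assigned
sudo ip link set enp2s0 master br0
sudo bridge vlan add vid 1 dev br0 self pvid untagged # default VLAN on the bridge itself (pvid cannot be set on a VID range)
sudo bridge vlan add vid 10 dev enp1s0 pvid untagged # access port VLAN 10
sudo bridge vlan del vid 1 dev enp1s0 # ports join VLAN 1 when enslaved; remove it so the access port carries only VLAN 10
sudo bridge vlan add vid 20 dev enp2s0 # trunk port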
Persistent via systemd-networkd or libvirt Network XML.
4. Tunneling: WireGuard (Primary in 2026) & OpenVPN Intro
WireGuard is overwhelmingly preferred in 2026 for new setups: kernel-integrated (since Linux 5.6), ~4,000 lines of code, extremely fast (often 3-4× OpenVPN), low latency, simple config, strong modern crypto (ChaCha20-Poly1305, Curve25519), excellent mobile roaming.
OpenVPN is still used for: TCP/443 firewall traversal, very granular options, legacy compatibility, bridging (Layer-2 VPN).
WireGuard quick setup (point-to-point or road-warrior):
Install: sudo apt install wireguard or sudo dnf install wireguard-tools
Server config /etc/wireguard/wg0.conf:
[Interface]
Address = 10.66.66.1/24
PrivateKey = <server_private_key>
ListenPort = 51820
[Peer]
PublicKey = <client_pub_key>
AllowedIPs = 10.66.66.2/32
Generate keys:
umask 077 # create private.key readable by its owner only
wg genkey | tee private.key | wg pubkey > public.key
Start:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
Firewall: allow udp 51820
Client config similar (swap keys, endpoint = server_ip:51820).
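On the server, each peer's AllowedIPs also acts as the list of source addresses that peer may use inside the tunnel, and a prefix listed under two peers ends up belonging to only one of them. The following added example (not from the original article) audits a wg0.conf for loose file permissions, duplicate prefixes and peers wider than a single host. It assumes a road-warrior server like the one above where every peer is one client; the function name and sample file are constructed.

```sh
# Added example: audit a server-side WireGuard config (road-warrior layout assumed).
wg_audit() {   # usage: wg_audit /etc/wireguard/wg0.conf
  conf=$1
  mode=$(stat -c %a "$conf")   # GNU/busybox stat, as found on Linux hosts
  [ "$mode" = 600 ] || echo "mode $mode: file holds PrivateKey, expected 600"
  awk '
    /^\[Peer\]/ { peer++; next }
    peer && /^AllowedIPs[ \t]*=/ {
      sub(/^[^=]*=/, ""); gsub(/[ \t\r]/, "")   # keep only the comma-separated prefixes
      n = split($0, nets, ",")
      for (i = 1; i <= n; i++) {
        net = nets[i]
        if (net in owner)
          print "peer " peer ": " net " already claimed by peer " owner[net]
        owner[net] = peer
        if (net !~ /\/(32|128)$/)
          print "peer " peer ": " net " is wider than a single host"
      }
    }
  ' "$conf"
}

# Constructed sample: placeholder keys, one duplicated and one over-broad prefix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.66.66.1/24
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client1_pub_key>
AllowedIPs = 10.66.66.2/32

[Peer]
PublicKey = <client2_pub_key>
AllowedIPs = 10.66.66.2/32, 10.66.66.0/24
EOF
chmod 644 "$sample"   # deliberately too open for the demonstration
wg_audit "$sample"
rm -f "$sample"
```

Peers are reported by their position in the file; for site-to-site tunnels a wider prefix can be intentional and the host-only check should be relaxed.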
OpenVPN (brief): Use community edition or easy-rsa for certs; config files in /etc/openvpn/server.conf; more complex but supports TCP fallback.
Hands-On Exercises
- Create an active-backup bond with two interfaces; simulate failure (down one NIC) and verify failover with ping.
- Add a VLAN interface on a physical NIC; assign IP and ping across VLANs (requires switch config).
- Build a simple bridge, enslave two ports, move IP to bridge; test connectivity.
- Set up a basic WireGuard tunnel between two VMs; route traffic and measure speed with iperf3 (compare to un-tunneled).
Warning: Bonding and bridges can disrupt connectivity—use console/VM snapshots.
What's Next?
In Part 9 we tackle wireless networking: configuring Wi-Fi clients with nmcli/wpa_supplicant/iw, troubleshooting signal issues, and turning a Linux box into a Wi-Fi access point with hostapd.