Service Function Chain
Version 2.0
Virtual Network Functions (VNFs) are used to construct Service Function Chains (SFC) so that network packets can sequentially pass through VNFs on the SFC.
A VNF chain can improve deployment efficiency by using fewer system resources.
Additionally, service providers can quickly deploy their VNF functionality to the equipment without modifying the code.
The Service Function Chain page provides two modes: Virtual WAN (vWAN) and virtual bridge (vBridge).
In vWAN mode, one or more containers can be connected. Network packets can flow sequentially from container 1 to container 2 to container N.
The vBridge mode allows connections between VLANs through containers.
Create vWAN
Step 1. Go to Networking > Forwarding > Service Function Chain.
Step 2. Click Add button.
Step 3. Type Chain name.
Step 4. Select vWAN mode.
Step 5. Type vWAN IP.
Step 6. Type Gateway and Netmask.
Step 7. Click “Add VNF Node” to add container to service function chain.
Step 8. Click Apply button.
Service Function Chain example – OpenVPN
With the OpenVPN container on the equipment, the CPE's client devices can connect to the VPN server without any VPN setup of their own.
Step 1. Add the OpenVPN template, then install the OpenVPN App from the App Store.
Step 2. Go to Application > Information > Container page.
Step 3. Click the OpenVPN App Action icon and select the Edit icon. The “Edit Container” dialog box pops up.
Step 4. Select Egress WAN Interface.
Note:
The OpenVPN server site's network is the company's network. The Egress WAN Interface should not be set to the company network's interface.
Step 5. Add Command to enter the OpenVPN account and password.
Step 6. Add Device /dev/net/tun. Click Apply button.
Step 7. Go to Application > Volume page.
Step 8. Select Volume as OpenVPN-0318_OpenVPN_vpn.
Step 9. Click upload icon to upload XXX.ovpn file for establishing VPN connection.
Step 10. Go to Networking > Forwarding > Service Function Chain page.
Step 11. Click Add button.
Step 12. Type Chain name.
Step 13. Select vWAN mode.
Step 14. Type IP.
Step 15. Type Gateway and Netmask.
Step 16. Click “Add VNF Node” to add container to service function chain.
Step 17. Click Apply button.
Step 18. Go to Networking > Forwarding > Service Function Chain page.
Step 19. Click the OpenVPN App Action icon and select the Start icon to start the service function chain.
Step 20. Go to Networking > Forwarding > WAN Binding page.
Step 21. Move OpenVPN WAN from Available WAN to In Use WAN.
Step 22. Click Apply button.
Step 23. Use a laptop to associate with the SSID on the LAN side. Ping the OpenVPN server site's gateway to ensure the VPN is established successfully.
Test result: the laptop can connect to the company network.
Service Function Chain example – Adguard
Adguard is an ad-blocking application that blocks pop-ups, banners, and video ads, even on YouTube.
It can also delete cookies and track requests. To use it as a Service Function Chain (SFC) VNF node,
you need to deploy an Alpine container with DNAT in front of Adguard's container that will redirect DNS query traffic to Adguard.
Step 1. Go to Application > Template > Container > Add Template page.
Step 2. Add an Alpine container template with a DNAT iptables rule.
Step 3. Setup App Information. Type App Name and App Description. Upload App icon.
Step 4. Setup Service.
Type Service Name: Alpine
Select Registry: hub.docker.com (hub.docker.com)
Type Image Name: alpine
Type Image Tag: 3.13
Select Resource Limitation: Low: 0.2 Cores CPU+128 MB Memory
Select Network Endpoint: bridge (bridge)
Select Egress WAN Interface: Default (Highest Priority WN)
Select Add Device: /dev/net/tun
Note:
Adding the device /dev/net/tun authorizes "NET_ADMIN" and "NET_RAW", which allows the user to use iptables tools.
Step 5. Click Apply button.
Step 6. Go to Application > Template > Container > Add Template page.
Step 7. Add Adguard container template.
Type App Name: Adguard
Type App Description: Network-wide ads & trackers blocking DNS server.
Upload App Icon
Type Service Name: Adguard
Select Registry: hub.docker.com (hub.docker.com)
Type Image Name: adguard/adguardhome
Type Image Tag: latest
Select Resource Limitation: Medium: 0.5 Cores CPU+512 MB Memory
Select Network Endpoint: bridge (bridge)
Select Egress WAN Interface: Mobile Network (internet)
Add Environment Variable
Type Name: PATH
Type value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Add Port Binding
Protocol: TCP
Type Public Port: 3000
Type Private Port: 3000
HTTP(s) Port: Yes
Step 8. Click Apply button
Note 1: Egress WAN Interface
The Egress WAN Interface must be set and cannot be left as Default, because Adguard is the last container (Egress VNF) on the service function chain.
Note 2: Add device /dev/net/tun
Adding the device /dev/net/tun authorizes "NET_ADMIN" and "NET_RAW", which allows users to use iptables tools.
Step 9. Go to Application > App Store > Application > Container page.
Step 10. Install Alpine and Adguard.
Step 11. Go to Application > Information > Container page.
Step 12. Click the Adguard port mapping link. It links to Adguard at http://<CPE IP Address>:3000.
Step 13. Click the Alpine Action icon, then click the Console icon. Add an iptables rule that changes the destination IP of all DNS query traffic on port 53 to the Adguard IP.
Execute command:
apk update
apk add iptables
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination <Adguard IP>:53
Step 14. Go to Networking > Forwarding > Service Function Chain page.
Step 15. Click the Add button. The “Add Service Function Chain” dialog box pops up.
Step 16. Type Chain Name.
Step 17. Select vWAN mode.
Step 18. Type IP, Gateway and Netmask.
Step 19. Click “Add VNF Node”. Add Alpine as Container 1.
Step 20. Click “Add VNF Node”. Add Adguard as Container 2.
Step 21. Click Apply button.
Step 22. Click the Action icon to start the Adguard service function chain.
Step 23. Go to Networking > Forwarding > WAN Binding page.
Step 24. Click the Bind icon. The “WAN Binding” dialog box pops up. Move the Adguard interface from Available WAN to In Use WAN.
This redirects traffic from LAN devices to Adguard so that LAN devices can use the Adguard functionality.
Step 25. Use LAN devices to open YouTube.
Step 26. Go to Application > Information > Container page.
Step 27. Click the Adguard port mapping link. It links to Adguard at http://<CPE IP Address>:3000.
Step 28. Go to the Filter page and enable the block YouTube function.
Step 29. Ping YouTube. There is no response, and YouTube is blocked.
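The DNS redirect from Step 13, as an added shell example (not part of the original guide or the vendor's own tooling): it validates the Adguard address, prints check-then-append rules so that re-running does not stack duplicates, and goes beyond the page's UDP-only rule by also covering TCP port 53, which DNS uses for large or truncated responses. The address 172.17.0.3, the ADGUARD_IP and APPLY variables, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: repeatable DNS redirect rules for the Alpine VNF node.
# 172.17.0.3 is a constructed sample address, not a value from the guide.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(echo "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one command per protocol. Each command checks for the rule (-C)
# before appending it (-A), so running the script again after a container
# restart does not create duplicate PREROUTING entries.
dns_dnat_commands() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid Adguard address: $ip" >&2; return 1; }
    for proto in udp tcp; do
        rule="PREROUTING -p $proto --dport 53 -j DNAT --to-destination $ip:53"
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
    done
}

# Dry run by default: print the commands for review. With APPLY=1 they are
# executed, which needs root inside the Alpine container.
apply_dns_dnat() {
    cmds=$(dns_dnat_commands "$1") || return 1
    if [ "${APPLY:-0}" = "1" ]; then echo "$cmds" | sh; else echo "$cmds"; fi
}

# Read `iptables -t nat -S PREROUTING` output on stdin and print the
# protocols (udp, tcp) that have no port-53 DNAT rule towards address $1.
missing_dns_protocols() {
    rules=$(cat); missing=""
    for proto in udp tcp; do
        echo "$rules" | grep -F -- "-p $proto " | grep -F -- "--dport 53 " \
            | grep -qF -- "--to-destination $1:53" || missing="$missing $proto"
    done
    echo "${missing# }"
}

# ADGUARD_IP is an assumed variable name; set it to the Adguard container IP.
apply_dns_dnat "${ADGUARD_IP:-172.17.0.3}"
```

After applying the rules, piping the output of `iptables -t nat -S PREROUTING` into `missing_dns_protocols` with the Adguard address should print an empty line, meaning both UDP and TCP DNS are redirected.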
vBridge example
vBridge establishes connectivity between two VLANs through containers.
Step 1. Go to Networking > Forwarding > Port Type page.
Move eth1 and eth2 from WAN to LAN.
Step 2. Go to Networking > LAN > VLAN page. Add VLAN 10 and 20.
Step 3. Go to Networking > LAN > VLAN page. Edit eth1 to bind access VLAN 10. Edit eth2 to bind access VLAN 20.
Step 4. Connect Laptop1 to eth1. Set the Laptop1 IP address to 192.168.10.10.
Step 5. Connect Laptop2 to eth2. Set the Laptop2 IP address to 192.168.10.20.
Step 6. Go to Application > App Store page.
Step 7. Install nginx and python.
Step 8. Go to Networking > Forwarding > Service Function Chain page.
Step 9. Add SFC. The “Add Service Function Chain” dialog box pops up.
Step 10. Set Mode to vBridge and type Chain Name.
Step 11. Click “Add VNF Node”. Select nginx then select python.
Step 12. Set Left VLAN to 10. Set Right VLAN to 10.
Step 14. Start SFC.
Step 15. From Laptop1, ping the Laptop2 IP. A response is received.
Step 16. From Laptop2, ping the Laptop1 IP. A response is received.