Adventures In Packet Filter

Networking
Jan 29, 2010

Or how I learned to stop worrying and love my dual-WAN pf firewall with a routed subnet and policy-based routing

One of the reasons I continue to use FreeBSD for my gateway/router/firewall is the pf firewall. My routing needs are way more elaborate than anything a pre-cooked router package like DD-WRT or even pfSense can do, so I have to roll my own firewall. Currently I have two DSL connections, through two different companies. I have a dynamic IP connection from my employer, Primus Canada, and I have a static IP connection with a routed /30 subnet from TekSavvy.

My setup needs to satisfy the following requirements:

  • The Primus connection is used for all local LAN traffic
  • The TekSavvy connection is used for all traffic to and from the routed subnet
  • Connections from the local LAN to the routed subnet do not traverse the internet
  • Traffic shaping on both connections, with different rulesets for each connection
  • UPnP support, using miniupnpd

For the LAN connection, the traffic shaping needs to do the following:

  1. SSH and DNS traffic need high priority
  2. Traffic to and from my workplace VPN needs priority
  3. VoIP traffic needs high priority
  4. HTTP and regular web traffic should feel fast and responsive
  5. Anything left over goes to P2P and other uncategorized traffic

For the connection with the routed subnet, the requirements are a little different:

  1. SSH and DNS need high priority
  2. Inbound FTP control traffic (i.e. just the control connection, not the actual data transfers) needs priority
  3. Traffic originating from the routed subnet needs priority (this mostly just amounts to DNS requests and package updates)
  4. FTP data traffic needs to fill in whatever is left over

This is all possible with pf, and I find the pf.conf format to be far more readable, and thus less prone to errors, than an iptables configuration. To accomplish this I use packet tagging to label packets, and then policy-based routing to direct and control the traffic.
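As an added example (not the post's own pf.conf), the sketch below shows one way the requirements above map onto pf on a FreeBSD 8-era system: tag traffic by origin as it enters on the inside interfaces, steer it with route-to, and classify it into per-uplink ALTQ queues on the way out. Interface names (tun0/tun1 for the two PPPoE sessions, em0/em1 inside), the documentation-range addresses, the VPN gateway, the VoIP and FTP passive port ranges and the uplink rates are all assumptions.

```pf
# Added example pf.conf; not the author's configuration. All interface names,
# addresses, port ranges and bandwidths below are assumptions for illustration.

ext_primus   = "tun0"            # Primus PPPoE, dynamic IP: carries LAN traffic
ext_teksavvy = "tun1"            # TekSavvy PPPoE, static IP: carries the routed /30
int_if       = "em0"             # LAN
dmz_if       = "em1"             # the routed /30 lives behind this interface
lan_net      = "192.168.1.0/24"
routed_net   = "203.0.113.0/30"  # documentation prefix standing in for the real /30
ftp_host     = "203.0.113.2"
vpn_gw       = "198.51.100.10"   # workplace VPN concentrator (assumed)
rtp_ports    = "16384:16482"     # VoIP media range (assumed)

set skip on lo0
set block-policy drop
scrub in all

# Queue tree for the Primus uplink (LAN traffic). Child bandwidths sum to 100%.
altq on $ext_primus cbq bandwidth 800Kb queue { p_ctl, p_voip, p_vpn, p_web, p_bulk }
queue p_ctl  bandwidth 10% priority 7 cbq(borrow)          # SSH, DNS
queue p_voip bandwidth 25% priority 6 cbq(borrow)
queue p_vpn  bandwidth 20% priority 5 cbq(borrow)
queue p_web  bandwidth 30% priority 3 cbq(borrow)
queue p_bulk bandwidth 15% priority 0 cbq(borrow default)  # P2P and the rest

# Queue tree for the TekSavvy uplink (routed subnet).
altq on $ext_teksavvy cbq bandwidth 800Kb queue { t_ctl, t_ftpctl, t_orig, t_ftpdata }
queue t_ctl     bandwidth 10% priority 7 cbq(borrow)          # SSH, DNS
queue t_ftpctl  bandwidth 10% priority 6 cbq(borrow)          # FTP control connections
queue t_orig    bandwidth 20% priority 5 cbq(borrow)          # originated by the routed subnet
queue t_ftpdata bandwidth 60% priority 0 cbq(borrow default)  # FTP data soaks up what is left

# Only the LAN is translated; the routed /30 leaves TekSavvy with its real addresses.
nat on $ext_primus from $lan_net -> ($ext_primus)
nat-anchor "miniupnpd"
rdr-anchor "miniupnpd"

block log all
pass out quick on { $int_if, $dmz_if } all

# Traffic the gateway sources itself must leave on the uplink that owns the address.
pass out quick on $ext_primus route-to $ext_teksavvy from ($ext_teksavvy)
pass out quick on $ext_teksavvy route-to $ext_primus from ($ext_primus)
pass out quick on { $ext_primus, $ext_teksavvy } from self

# Traffic for the gateway itself, and between the LAN and the routed subnet, is
# matched here with quick so it never reaches a route-to rule below.
pass in quick on $int_if from $lan_net to self
pass in quick on $dmz_if from $routed_net to self
pass in quick on $int_if from $lan_net to $routed_net
pass in quick on $dmz_if from $routed_net to $lan_net

# Everything else entering from the inside: tag by origin and pin it to an uplink.
# The PPPoE interfaces are point-to-point, so route-to needs no next-hop address.
pass in on $int_if from $lan_net route-to $ext_primus tag LAN
pass in on $dmz_if from $routed_net route-to $ext_teksavvy tag DMZ

# Inbound to the routed subnet arrives on TekSavvy. reply-to keeps the replies on
# TekSavvy even though the system default route points at Primus.
pass in on $ext_teksavvy reply-to $ext_teksavvy proto tcp to $ftp_host port 21 tag DMZ queue t_ftpctl
pass in on $ext_teksavvy reply-to $ext_teksavvy proto tcp to $ftp_host port 49152:65535 tag DMZ queue t_ftpdata
pass in on $ext_teksavvy reply-to $ext_teksavvy proto { tcp, udp } to $routed_net port { 22, 53 } tag DMZ queue t_ctl

# Outbound classification by tag on each uplink. Rules are last-match, so the
# catch-all queue comes first and more specific matches override it. A tag from
# the wrong side is blocked outright rather than silently leaking out the other DSL.
block out quick on $ext_primus tagged DMZ
pass out on $ext_primus all tagged LAN queue p_bulk
pass out on $ext_primus proto tcp to port { 80, 443 } tagged LAN queue p_web
pass out on $ext_primus to $vpn_gw tagged LAN queue p_vpn
pass out on $ext_primus proto udp to port { 5060, $rtp_ports } tagged LAN queue p_voip
pass out on $ext_primus proto { tcp, udp } to port { 22, 53 } tagged LAN queue p_ctl

block out quick on $ext_teksavvy tagged LAN
pass out on $ext_teksavvy all tagged DMZ queue t_orig
pass out on $ext_teksavvy proto { tcp, udp } to port { 22, 53 } tagged DMZ queue t_ctl

# miniupnpd inserts its own pass/rdr rules for LAN hosts here.
anchor "miniupnpd"
```

Load it with `pfctl -nf /etc/pf.conf` first, which parses the file without installing it, and watch the queue counters with `pfctl -vs queue` once it is live. ALTQ needs `options ALTQ` and `options ALTQ_CBQ` in the kernel, and it only shapes what leaves each uplink; the inbound side of a DSL line cannot be shaped from this box. The tag on the inbound rule is stored in the state, so later packets of a connection keep it when they are matched against the `tagged` rules on the uplink.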


FreeBSD and Multilink PPP

Networking
Jan 19, 2010

I’ve been running Multilink PPP with FreeBSD for several years now. Multilink PPP (sometimes called MLPPP, specified in RFC 1990) is an extension of PPP that bundles multiple PPP links and presents them to the IP layer as one much larger link. Several DSL providers (particularly TekSavvy in Canada) support Multilink PPP on their DSL networks, allowing users to bond multiple DSL lines into one large pipe.

The mechanics of Multilink PPP are pretty simple, and a bundle can be run in either a packet-splitting (fragmenting) or a round-robin fashion. When configured for packet splitting, a router that is about to transmit a packet over an MLPPP bundle first splits the packet into fragments, prepends a small MLPPP header to each one (a sequence number plus begin/end fragment flags, 4 to 6 bytes including the PPP protocol field, not kilobytes), and sends one fragment down each link. On the other end of the bundle, the receiving router uses the sequence numbers to match up the fragments and reconstitute the original packet. In round-robin mode the MLPPP header is added to each whole packet (meaning the usable MTU of the bundle is a few bytes smaller than that of the member links, or else IP fragmentation will occur) and successive packets are sent out the links in turn.

In FreeBSD it’s easy to set up just about any Multilink PPP configuration you want. I’ve run it with three DSL lines (total usable throughput: 15 megabits). Presently I’m running over one DSL line but with two PPPoE tunnels, first multiplexed at the DSL frame level and then bonded at the PPP level. The purpose of this is to circumvent Bell Canada’s throttling, which they apply to both their own residential customers and to their third-party wholesale partners, like TekSavvy.


Hello world!

Blog
Jan 14, 2010

Welcome to the inaugural post for my online presence. The default WordPress headline for the first post seems relatively fitting, so it stays. I purchased mmacleod.ca a while ago with the desire to carve out my own little space on the web, but the post After Branding by Tim Bray really drove home the need to actually do something about it. Just like with any other home when you first move in, I suspect I’m going to be moving stuff around and playing around with things for a while before I’m happy. I’ll probably discuss my adventures in computing, telecoms, and whatever else I happen to want to write about.

I think that’s enough for now. I’m going to go explore the settings panels in WordPress now.

Posted at 10:14 PM