Source Based Routing With FreeBSD Using Multiple Routing Tables

 Networking  Comments Off on Source Based Routing With FreeBSD Using Multiple Routing Tables
Jun 212011
 

Something has been bugging me for several years now. In that time I have usually had access to multiple WAN connections, owing to my participation in the telecom industry. However, I’ve never been able to get SSHD to behave the way I wanted it to. I wanted to be able to connect to the SSH daemon on my (FreBSD) router from whichever WAN connection I wanted. Unfortunately, SSHD is stuborn about always routing its response to the default gateway of the router, which breaks an SSH connection coming in from the secondary WAN connection.

I have finally, at long last, found the solution.
Continue reading »

Bufferbloat: Finally It Has A Name

 Networking  Comments Off on Bufferbloat: Finally It Has A Name
Jan 092011
 

I’ve seen an explosion of discussion in the last couple of days regarding something called Bufferbloat. It seems that Bell Labs’ Jim Gettys has been investigating poor network performance at his house, and has stumbled onto a network phenomenon that he’s termed bufferbloat. Essentially, bufferbloat is when networks are configured with excessive buffers which leads (perhaps counter-intuitively) to poor network performance.

Jim has written a series of blog posts as he has investigated this problem. You can find them all here. He freely admits that he’s not the first to have stumbled across this problem, though he certainly seems to have successfully coined the best term for it. Bufferbloat has in fact long been identified as an issue by those who build their own routers. I remember reading about the phenomenon years ago (though it did not have a name at the time) and avoiding bufferbloat has in fact been the cornerstone of my own home network configurations for over five years now.

Continue reading »

Adventures In Packet Filter

 Networking  Comments Off on Adventures In Packet Filter
Jan 292010
 

Or How I learned to stop worrying and love my dual WAN with routed subnet and policy based routing pf firewall

One of the reasons I continue to use FreeBSD for my gateway/router/firewall is the pf firewall. My routing needs are way more elaborate than anything a pre-cooked router package like DD-WRT or even pfSense can do, so I have to roll my own firewall. Currently I have two DSL connections, through two different companies. I have a dynamic IP connection from my employer, Primus Canda, and I have a static IP connection with a routed /30 subnet from TekSavvy.

My setup needs to satisfy the following requirements:

  • The Primus connection is used for all local LAN traffic
  • The TekSavvy connection is used for all traffic to and from the routed subnet
  • Connections from the local LAN to the routed subnet do not traverse the internet
  • Traffic shaping on both connections, with different rulesets for each connection
  • UPnP support, using miniupnpd

For the connection for the LAN, the traffic shaping needs to do the following:

  1. SSH and DNS traffic need high priority
  2. Traffic to and from my workplace VPN needs priority
  3. VoIP traffic needs high priority
  4. HTTP and regular web traffic should feel fast and responsive
  5. Anything left over goes to P2P and other uncategorized traffic

For the connection with the routed subnet, the requirements are a little different:

  1. SSH and DNS need high priority
  2. Inbound FTP control traffic (ie, not the actual data but just the control connection) needs priority
  3. Traffic originating from the routed subnet needs priority (this mostly just amounts to DNS requests and package updates
  4. FTP data traffic needs to fill in whatever is left over

This is all possible with pf, and I find the pf.conf format to be far more readable and thus less prone to errors than an iptables config file. To accomplish this I use packet tagging to label packets, and then use policy based routing to direct and control the traffic.

Continue reading »

FreeBSD and Multilink PPP

 Networking  Comments Off on FreeBSD and Multilink PPP
Jan 192010
 

I’ve been running Multilink PPP with FreeBSD for several years now. Multilink PPP (sometimes called MLPPP) is a subset of the PPP protocol that allows you to bond multiple PPP tunnels and treat them as one much larger tunnel. Several DSL providers (particularly TekSavvy in Canada) support Multilink PPP on their DSL networks, allowing users to bond multiple DSL lines into one large pipe.

The technical details of Multilink PPP are pretty simple, though it can be configured in either a packet splitting or round robin fashion. When configured for packet splitting, a router that is about to transmit a packet down an MLPPP link will first split the packet in half, then add a 6KB MLPPP header (really just a sequence number) to each half of the packet, and send the half-packets down each link. On the other end of the MLPPP link, the receiving router will take the two halves (identified by the matching MLPPP headers) and reconstitute the original packet. In round robin mode the MLPPP header is added to the whole packet (meaning the MTU of the link is 6KB smaller or else packet fragmentation will occur) and sent out the links in a round robin fashion.

In FreeBSD it’s easy to setup just about any Multilink PPP configuration you want. I’ve run it with three DSL lines (total usable throughput: 15 megabits). Presently I’m running over one DSL line but with two PPPoE tunnels first multiplexed at the DSL frame level and then bonded at the PPP level. The purpose of this is to circumvent Bell Canada’s throttling, which they apply to both their own residential customers and to their third-party wholesale partners, like TekSavvy.

Continue reading »

 Newer Entries