Adventures in Internet Routing Part I

As I may have mentioned before, a friend and colleague at work introduced me to DN42, which stands for Decentralized Network 42. DN42 is really a collection of point-to-point VPN tunnels running over the internet. In other words, it is a complete network running on top of the internet. DN42 is a place to learn and experiment with internet routing where you’re encouraged to play around and break things – well, within reason at any rate. By now, I may have lost most of my readers and I apologize for that. This particular post is written as documentation for network engineers and systems admins who may be curious.

The creators of DN42 have designed a registry for numbering and their own .dn42 TLD. Participants register for their own private IPv4 and ULA IPv6 address space. The network uses BGP to exchange routing information. Here is what I registered.

AS: 4242421764
Domain Name: blackcat.dn42
IPv4: 172.20.165.192/27
IPv6: fd0b:7449:62d2::/48
Primary Name Server: 172.20.165.194
                     fd0b:7449:62d2::3
Secondary Name Server: 172.20.165.195
                       fd0b:7449:62d2::4

Once I was approved and assigned the above, I could begin thinking about what I would do for a router, because I was using a cheap Tenda WiFi router that I bought off of Amazon. My friend recommended that I purchase a used Dell OptiPlex 7050 and a half-height dual port network card for it. I already had a Netgear Pro Safe GS116v2 switch lying around unused. It’s just a dumb switch so it has no layer 3 capabilities, but for all intents and purposes, it will work for now.

Once my new toy arrived, I initially decided to try using OPNsense because my friend recommended it. OPNsense is basically a distribution of FreeBSD with a very nicely laid out GUI for configuring it. However, I found it frustrating for anything beyond a simple network router. I am a command line guy and much prefer working with text files, so I decided on my favorite operating system, OpenBSD. My 2nd cousin, who was quite a bit older than me, introduced me to Unix via OpenBSD back in 1998 and I’ve used it for all manner of sysadmin projects but never networking. Sadly he is no longer alive, but I hope he’s smiling down on me.

Step 1 was deciding how I would design my network, and some real thought had to be put into this. Since the purpose of this project is learning and I would be playing in the wild wild west of networking, security is clearly important. If I might work from home one day, I’d like to ensure that my work-issued laptop will only be able to access the WiFi segment and out to the internet. At no time should the WiFi segment be able to access the LAN and vice versa. I decided to segment my network as follows:

LAN: 172.20.165.193/27 
     fd0b:7449:62d2::/48
WiFi: 10.100.0.0/24

After a basic design is roughed out, it’s time to configure the big iron router. In this first stage, I just set up DHCP, the interfaces, and a really basic firewall. I have not yet established tunnel connections to DN42. The first step of the implementation is to turn my OpenBSD machine into a router.

# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1
# sysctl net.inet.gre.allow=1 

The next step is to configure the interfaces and bring them up administratively. Unfortunately, my ISP does not offer static IP addresses to residential customers, so I have to contend with a dynamic IP. If I can keep my connection busy, hopefully my IP won’t change too often. Right now the IP address lease is only 2 hours long.

# cat /etc/hostname.em0     # WAN interface
up
inet autoconf

# cat /etc/hostname.em1     # LAN interface
up
inet 172.20.165.193 255.255.255.224 NONE
inet6 alias fd0b:7449:62d2::1/48

!route sourceaddr -inet -ifp em1
!route sourceaddr -inet6 -ifp em1

# cat /etc/hostname.em2     # WiFi interface
up
inet 10.100.0.1 255.255.255.0 NONE

Now it’s time to test to see if we have a network connection and functioning DNS capabilities.

# ping google.com
PING google.com (142.250.80.14): 56 data bytes
64 bytes from 142.250.80.14: icmp_seq=0 ttl=119 time=5.015 ms
64 bytes from 142.250.80.14: icmp_seq=1 ttl=119 time=5.725 ms
64 bytes from 142.250.80.14: icmp_seq=2 ttl=119 time=5.727 ms
64 bytes from 142.250.80.14: icmp_seq=3 ttl=119 time=5.712 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.015/5.545/5.727/0.306 ms

Once we have verified that we are getting out to the internet directly from the router, we have to set up some basic network services like DHCP, firewall, and DNS. Since I tend to be security-minded, I am going to set up the basic firewall first.

# cat /etc/pf.conf
set skip on lo

block in
pass out

# Interfaces
wan_if = "em0"
lan_if = "em1"
wifi_if = "em2"

# Networks
lan_if_net4 = "172.20.165.192/27"
lan_if_net6 = "fd0b:7449:62d2::/48"
wifi_if_net = "10.100.0.0/24"

# Services
icmp4_types = "{echoreq, unreach}"
icmp6_types = "{unreach, echoreq, echorep, routersol, routeradv,\
                neighbrsol, neighbradv}"

table <bogons> {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,\
                127.0.0.0/8}
block in quick on $wan_if from <bogons>

# Rules for WAN
match out on $wan_if from !($wan_if:network) to any nat-to \
     ($wan_if:0)
# $icmp4_types is the macro defined above ($icmp_types was never defined
# and pfctl would refuse to load the ruleset)
pass in on $wan_if inet proto icmp icmp-type $icmp4_types
pass in on $wan_if inet proto tcp from any to port ssh \
     flags S/SA keep state

# Rules for LAN
# Packets arriving on the LAN interface are sourced from the LAN, so the
# isolation check has to be on the destination: anything bound for the
# WiFi segment falls through to the default "block in" above.
pass in on $lan_if inet to !$wifi_if_net \
     flags S/SA keep state (if-bound)
pass in on $lan_if inet6 flags S/SA keep state (if-bound)

# Rules for WiFi
# Same idea in the other direction: WiFi clients may reach anything
# except the LAN segment.
pass in on $wifi_if inet to !$lan_if_net4 \
     flags S/SA keep state (if-bound)

The firewall rules above basically dictate the policy that no traffic originating from the LAN interface will get to the WiFi one and vice versa. I have also implemented NAT just like most home routers do so that all of my machines can access the internet at large.
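To see how pf's last-match evaluation decides whether a LAN host can reach the WiFi segment, here is a small Python model of the ruleset above. It is an added example written for this post, not code from the original or from pf itself; it compares the two ways the segment rules can be written, filtering on the packet's source (`from !$wifi_if_net`) versus its destination (`to !$wifi_if_net`). Interface names and networks are taken from the pf.conf above; the sample packet addresses 172.20.165.200 and 10.100.0.50 are constructed.

```python
import ipaddress

# Segments and the bogon table from the pf.conf above.
LAN = ipaddress.ip_network("172.20.165.192/27")
WIFI = ipaddress.ip_network("10.100.0.0/24")
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def rule(action, iface=None, src=None, dst=None, quick=False):
    """src/dst are (networks, negated) pairs, or None for 'any'."""
    return {"action": action, "iface": iface, "src": src, "dst": dst, "quick": quick}

def matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    for key in ("src", "dst"):
        if r[key] is not None:
            nets, negated = r[key]
            hit = any(pkt[key] in n for n in nets)
            if hit == negated:          # '!' inverts the address match
                return False
    return True

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is 'quick'."""
    verdict = "pass"                    # pf's default when no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def ruleset(filter_on):
    """filter_on='src' models 'pass in on $lan_if from !$wifi_if_net';
    filter_on='dst' models 'pass in on $lan_if to !$wifi_if_net' (and likewise for WiFi)."""
    return [
        rule("block"),                                          # block in
        rule("block", iface="em0", src=(BOGONS, False), quick=True),
        rule("pass", iface="em1", **{filter_on: ([WIFI], True)}),
        rule("pass", iface="em2", **{filter_on: ([LAN], True)}),
    ]

def packet(iface, src, dst):
    return {"iface": iface, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def lan_to_wifi_verdict(filter_on):
    """A constructed LAN host (172.20.165.200) sending to a WiFi host (10.100.0.50) via em1."""
    return evaluate(ruleset(filter_on), packet("em1", "172.20.165.200", "10.100.0.50"))
```

With the source filter the LAN-to-WiFi packet is passed (its source is never in the WiFi net), with the destination filter it falls through to the default block; internet-bound and bogon-sourced packets get the same verdict either way.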

Since everything is working from the router out to the internet and we have a basic firewall implemented, we are going to need DHCP and DNS. Below is the configuration that I used for DHCP. This is just a simple setup for now which will get more complex later; I am just interested in getting everything functioning at a basic level.

# cat /etc/dhcpd.conf
subnet 172.20.165.192 netmask 255.255.255.224 {
        option domain-name "blackcat.dn42";
        option domain-name-servers 192.0.2.1, 192.0.2.2;
        option routers 172.20.165.193;

        range 172.20.165.198 172.20.165.222;
}

subnet 10.100.0.0 netmask 255.255.255.0 {
        option domain-name "blackcat.lan";
        option domain-name-servers 192.0.2.1, 192.0.2.2;
        option routers 10.100.0.1;

        range 10.100.0.100 10.100.0.200;

        host static-client {
                hardware ethernet 50:0f:f5:3f:f9:20;
                fixed-address 10.100.0.100;
                option host-name "Tenda";
        }
}
# rcctl enable dhcpd
# rcctl start dhcpd
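
A quick sanity check for a dhcpd.conf of this shape, written for this post as an added example (not part of the original and not dhcpd's own tooling): it parses the subnet declarations and verifies that routers, range and fixed addresses lie inside their subnet, and that no fixed-address falls inside the dynamic range. The embedded sample is constructed from the WiFi subnet above, and the check reports the static client at 10.100.0.100 because the dynamic range starts at that same address.

```python
import ipaddress
import re
# Constructed sample in the dialect of the dhcpd.conf above (embedded, not read from disk).
SAMPLE = """
subnet 10.100.0.0 netmask 255.255.255.0 {
        option routers 10.100.0.1;
        range 10.100.0.100 10.100.0.200;
        host static-client {
                hardware ethernet 50:0f:f5:3f:f9:20;
                fixed-address 10.100.0.100;
        }
}
"""

def parse(text):
    """Pull subnet, routers, range and fixed-address out of each subnet block (closing brace at column 0)."""
    subnets = []
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\n\}", text, re.S):
        body = m.group(3)
        rng = re.search(r"range\s+([\d.]+)\s+([\d.]+);", body)
        subnets.append({
            "net": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            "routers": re.findall(r"option routers\s+([\d.]+);", body),
            "range": (rng.group(1), rng.group(2)) if rng else None,
            "fixed": re.findall(r"fixed-address\s+([\d.]+);", body),
        })
    return subnets

def check(sub):
    """Return the problems found in one subnet declaration (empty list when clean)."""
    problems, net = [], sub["net"]
    for r in sub["routers"]:
        if ipaddress.ip_address(r) not in net:
            problems.append(f"router {r} outside {net}")
    lo = hi = None
    if sub["range"]:
        lo, hi = (ipaddress.ip_address(a) for a in sub["range"])
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"range {lo}-{hi} not inside {net}")
    for f in sub["fixed"]:
        a = ipaddress.ip_address(f)
        if a not in net:
            problems.append(f"fixed-address {a} outside {net}")
        elif lo is not None and lo <= a <= hi:   # dhcpd may also lease it dynamically
            problems.append(f"fixed-address {a} overlaps dynamic range {lo}-{hi}")
    return problems

def lint(text):
    return {str(s["net"]): check(s) for s in parse(text)}
```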

This completes the basic services needed to replace that cheapie consumer router that I had. As the journey progresses, you will start to see things get more complex so getting the basics running first is important. In the next part, we will implement our own DNS servers.
