Due to covid, my network usage increased more than before. My parents and I make more phone calls over the internet. While on a call, I also download or upload something to do my work. In a non-optimized network, this collides with real-time connections such as WhatsApp calls or Discord chat.
QoS is good for eliminating such problems, but when I enabled it on my modem I faced some speed drops.
My network configuration is a bit different from that of regular users. The Layer 3 interface is not on the modem; it is on my single board computer (SBC), so I can make some tweaks and measurements. To reach the PPPoE connection from my SBC, I bridge the ISP connection into my local network. This is common in Turkey when the customer wants to use their own router on a DOCSIS or GPON connection.
With the bridge, someone at the ISP could also reach my home network. Of course, no one wants to sit at the router and try to access the customer network, but if something goes wrong in the xDSL network configuration, a network loop, an address conflict or unwanted access becomes possible.
In the past, I wrote a panel to control the outgoing IP and location via a web interface, but nowadays I don't want to control this with a web panel; it is easier to select a different SSID (your Wi-Fi name) for each location, like a separate guest network.
But my SBC has only one ethernet interface; there is no Wi-Fi adapter or second ethernet port. I have to move my router's Wi-Fi interfaces over to the SBC. My modem/router is capable of VLAN configuration, but only very basic scenarios can be set up from the web interface.
If you have root access you can write your own configuration with the Linux networking commands, but in my case, my router does not give root access from telnet by default. So I did some research and found an exploit on the internet to gain root access. Through that code injection vulnerability, I execute a network configuration script that is stored on a USB stick plugged into my router.
In the configuration script, I remove the 2.4GHz, 5GHz, eth0, xDSL and guest Wi-Fi interfaces from the default bridge adapter br0.
```shell
brctl delif br0 eth0     # ETH0
brctl delif br0 ptm0.35  # xDSL vlan 35
brctl delif br0 ra0      # 5GHz Wi-Fi
brctl delif br0 ra1      # 5GHz guest Wi-Fi
brctl delif br0 wlan0    # 2.4GHz Wi-Fi
brctl delif br0 wlan0.0  # 2.4GHz guest Wi-Fi
```
My router has 4 ports, but the OS only sees one eth0 interface. The built-in switch separates the ports by adding a VLAN ID to each incoming packet, and on the OS side the system recognizes the physical ports as Linux VLAN interfaces. This port separation breaks my custom VLAN configuration, because the built-in switch does not understand my VLAN IDs. After disabling port separation in the web interface, the built-in switch no longer cares about the VLAN ID and my packets start arriving at the router's eth0 interface.
For the PPPoE connection, Layer 2 transport is required from the SBC to the SSG (Service Selection Gateway) over the modem/router. This Layer 2 path is built by creating a VLAN interface with the same VLAN ID on both the SBC and the router, and on the router side the VLAN interface is enslaved to a bridge that also contains the ISP's xDSL interface. Now the PPPoE connection can be established and every packet on it is isolated from my main LAN.
```shell
# router
brctl addbr ptm-eth35                                # bridge carrying only the ISP VLAN
ip link add link eth0 name eth0.35 type vlan id 35   # VLAN 35 towards the SBC
brctl addif ptm-eth35 ptm0.35                        # xDSL side
brctl addif ptm-eth35 eth0.35                        # LAN side (tagged)
ifconfig ptm-eth35 up
ifconfig eth0.35 up
ifconfig ptm0.35 up

# SBC
ip link add link eth0 name isp type vlan id 35       # same VLAN ID as the router side
ip link set isp up                                   # a new VLAN interface starts down; bring it up before PPPoE
```
Every SSID has its own interface on my router. I create a different VLAN for each of them on both sides, so on the SBC side incoming connections can now be told apart by which SSID the packet came from. The commands are similar to the previous ones.
At that point, my router's web interface only allows two main SSIDs (one for 2.4GHz, one for 5GHz) and one guest SSID, which can be either 2.4GHz or 5GHz. With root access, I enable both guest interfaces, but this time they are not used for guest purposes.
Before completing the configuration on the router side, I flushed all Netfilter rules on the router.
At the end of the router setup, I add an additional IP address to the router so the SBC can detect whether the setup has already been applied: the code injection request is made from the SBC, and only when that additional IP address is not reachable from the SBC.
At the beginning of this article, I mentioned that QoS on the router, which is meant to limit upload speed and prevent latency spikes when the uplink runs out of bandwidth, does not work properly and causes speed drops. To solve this, I first put a rate limit on the SBC interface connected to the ISP using the tc command.
```shell
# clear any existing qdiscs on the ISP-facing interface
tc qdisc del dev isp root
tc qdisc del dev isp ingress
# HTB root; unclassified traffic lands in class 1:20
tc qdisc add dev isp root handle 1: htb default 20
tc class add dev isp parent 1: classid 1:1 htb rate 7900kbit burst 6k
# 1:10 = high priority (real-time), 1:20 = bulk at 90% of the uplink
tc class add dev isp parent 1:1 classid 1:10 htb rate 7900kbit burst 6k prio 1
tc class add dev isp parent 1:1 classid 1:20 htb rate $((9*7900/10))kbit burst 6k prio 2
# fair queuing inside each class
tc qdisc add dev isp parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev isp parent 1:20 handle 20: sfq perturb 10
```
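The HTB tree above has a high-priority class 1:10 but no tc filter to steer call traffic into it, so everything ends up in the default class 1:20. The script below is an added example (not from the original post) that generates the same shaper and adds the missing filters; the interface name isp and the 7900 kbit rate are the post's values, while the DSCP EF match and the UDP port range are constructed placeholders for whatever the calling apps actually use.

```shell
#!/bin/sh
# Generate (not run) the uplink shaper for DEV at RATE kbit/s.
# Printing the commands first lets you review them without root and
# without touching the live interface.
qos_commands() {
    dev="$1"; rate="$2"
    bulk=$((rate * 9 / 10))   # bulk class gets 90% of the uplink, as in the post
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc del dev $dev ingress 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit burst 6k
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${rate}kbit burst 6k prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${rate}kbit burst 6k prio 2
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
# DSCP EF (46 -> TOS byte 0xb8, mask 0xfc) goes to the real-time class
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
# placeholder: UDP dport 50000-50015 (mask 0xfff0) for call media
tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip protocol 17 0xff match ip dport 50000 0xfff0 flowid 1:10
EOF
}

# Number of real tc commands produced (comments excluded); handy for sanity checks.
qos_line_count() { qos_commands "$1" "$2" | grep -c '^tc '; }

# Apply for real: needs root and iproute2 on the SBC.
qos_apply() { qos_commands "$1" "$2" | sh -e; }

if [ "${1:-}" = "apply" ]; then
    qos_apply "${2:-isp}" "${3:-7900}"
fi
```

The `ceil` on class 1:20 is an addition to the post's version: it lets bulk traffic borrow the idle 10% when no call is active, which the post's rate-only class cannot do.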
Sometimes I also tweak the DHCP configuration to keep the home networks apart: each interface gets its own DHCP server.
```shell
docker run -d -it --rm --network host --privileged --name ra0.test.ahmet.engineer ahmetozer/dnsmasq \
  --dhcp-option=6,10.0.0.53,10.0.0.54 -5 --dhcp-option=option6:dns-server,[fd::53],[fd::54] \
  --dhcp-ttl=120 --enable-ra -I lo --dhcp-client-update -R --bind-interfaces \
  --enable-ra --dhcp-range=::1,constructor:ra0,ra-names,ra-advrouter,off-link,15m \
  --quiet-dhcp --quiet-dhcp6 --quiet-ra \
  --interface=ra0 --domain=ra0.2812308c5578.dlm.bbn.ahmet.engineer \
  --dhcp-range=10.0.1.20,10.0.1.255,15m

docker run -d -it --rm --network host --privileged --name ra1.test.ahmet.engineer ahmetozer/dnsmasq \
  --dhcp-option=6,10.0.0.53,10.0.0.54 -5 --dhcp-option=option6:dns-server,[fd::53],[fd::54] \
  --dhcp-ttl=120 --enable-ra -I lo --dhcp-client-update -R --bind-interfaces \
  --enable-ra --dhcp-range=::1,constructor:ra1,ra-names,ra-advrouter,off-link,15m \
  --quiet-dhcp --quiet-dhcp6 --quiet-ra \
  --interface=ra1 --domain=ra1.2812308c5578.dlm.bbn.ahmet.engineer \
  --dhcp-range=10.0.2.20,10.0.2.255,15m
```
Due to some bandwidth performance issues, I allocated one of the SSIDs to Layer 4 proxying. Requests are forwarded to my server, and the server forwards the packets to the real destination. The uplink is carried by Cogent and the downlink by Turk Telekom. I don't have any issue with this path compared with other server locations, such as S3 in the EU or something like that.
This solution also creates new issues. The speed test results look very impressive at first, because every web connection goes over an optimized network, but if we look at other metrics, the connection does not have stable latency. The reason is that my server sends packets too aggressively, which creates a bottleneck between the modem and the DSLAM (this is a VDSL connection).
The L4 proxying runs in a container, which has its own veth (Virtual Ethernet) interface. As with the earlier upload limitation, the same tc commands are reused on the container's interface to limit its uplink, because the container's uplink is the SBC's downlink.
Now the network is more secure, reliable and fast in the house. Thank you for reading, take care of yourself, see you next time.