### Table of Contents

* Networking & NFtables basics
* How to debug network problems
* Wireguard: easy to setup vpn
* Ansible: how to manage many computers
* Why have servers running at home
* Internet connection technologies
* How to build a linux home router

---

## Expected end result
![](assets/talosiannn.jpg)

---

## Enough joking

A lot of what we are going to
cover today has been done in depth
in previous Linux courses  
(links in the relevant sections)  
This talk will focus more on how
all these topics can come together

----

# Networking

---

## First, a microshot of Networking basics

[Slides](https://slides.poul.org/2019/corsi-linux/3a_networking/)  
[Video](https://youtu.be/jSZSIM4sRuU)

---

<img src="assets/tcpip_stack.png" style="min-height: 90%" />

---

## Network Layer

Transmits the actual 1s and 0s over the wire; it does some forwarding
of its own, but it is mostly point-to-point

Main technologies: Ethernet (802.3) and WiFi (802.11)  
Addressing information: MAC address  
Software Stack: ARP & NDP - `ip neigh`  

---

## Internet Layer

Deals mainly with routing packets and managing fragmentation

Main technologies: IPv4 & IPv6  
Addressing information: IP address  
Software stack: `ip {address,route}`

---

## Transport Layer

Works to provide a usable implementation (socket) to the
program; it provides important features such as:  

* Ports
* Packet reliability

Main technologies: TCP & UDP  
Addressing information: Port

---

## Application Layer

Everything above __Transport__ is application-specific

Main technologies: HTTP, HTTPS, IMAP, gRPC

---

## What is important to remember

* Every computer needs an **IP address** to communicate to
  other computers
* IPs have a __subnet mask__ that indicates which other IPs
  can be contacted directly through the link layer
  * Computers use ARP/NDP to have an **IP <-> MAC** translation
  * The ARP/NDP table keeps a record that tells us
    the **MAC address** that belongs to the IP we want to contact

---

<h2 style="min-width: 110%">What is important to remember /2</h2>

* For any other IP (eg. `176.31.102.216`) we need to have
  a **default gateway** to which we deliver our IP packets to have
  them sent to the Internet
* Computers that act as default gateways are called **routers**
  (since they **route** packets) and usually take the form of
  those boxes that ISPs give to you

---

## How to retrieve ARP information

```bash
$ ip neigh
192.168.0.1 dev wlp2s0 lladdr c4:6d:1f:fa:41:a0 REACHABLE
^ ip            ^ device      ^ MAC address     ^ status
```

Can we add entries manually? Yes, with `ip neigh add`, but if you have
to do that you probably have a network problem that needs fixing

---

## How to retrieve IP-related information

```bash
$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 <clipped>
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 <clipped>
    link/ether d8:cb:8a:ef:80:44 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 <clipped>
    link/ether 9c:b6:d0:06:87:35 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.103/24 brd 192.168.0.255 scope global
       valid_lft 6028sec preferred_lft 6028sec
    inet6 fe80::b3b6:2ab6:2dcf:3b42/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

---

## Important information

```bash
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
```

* **wlp2s0**: network interface name
* **UP**: we (or our network manager) have turned the interface on
* **LOWER_UP**: the interface is actually working
* **mtu 1500**: max packet size before we need to fragment

---

## Important information /2

```bash
link/ether 9c:b6:d0:06:87:35
```

Our interface's MAC address

```bash
inet 192.168.0.103/24
inet6 fe80::b3b6:2ab6:2dcf:3b42/64
```

Our interface's IP addresses

---

## Important information /3

```bash
$ ip route show
default via 192.168.0.1 dev wlp2s0 <clipped>
192.168.0.0/24 dev wlp2s0 <clipped>
```

* Second line: if we want to contact a `192.168.0.X` IP we need to
  do an ARP request, and then send our packet to that MAC address
* First line: if we want to send the packet elsewhere we need to send
  it to `192.168.0.1` and it will take care of delivering it for us
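
Added example (not from the slides): the decision described on this slide and the "What is important to remember" slides, reproduced in Python over `ip route show` output. It goes slightly beyond the two routes on the slide by doing a general longest-prefix match; the third route (a `10.0.0.0/8` prefix behind a second gateway `192.168.0.254`) is constructed.

```python
import ipaddress

# Constructed sample: the two lines from the slide (clipped fields omitted)
# plus a made-up third route so that longest-prefix matching has work to do.
IP_ROUTE_SHOW = """\
default via 192.168.0.1 dev wlp2s0
192.168.0.0/24 dev wlp2s0
10.0.0.0/8 via 192.168.0.254 dev wlp2s0
"""

def parse_routes(text: str) -> list:
    """Turn `ip route show` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        device = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gateway, device))
    return routes

def next_hop(routes: list, destination: str) -> dict:
    """Pick the most specific matching route, as the kernel's FIB lookup does
    (route metrics are ignored here; the sample has no equal-length prefixes)."""
    ip = ipaddress.ip_address(destination)
    best = None
    for net, gateway, device in routes:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gateway, device)
    if best is None:
        return {"reachable": False, "reason": "no route, not even a default gateway"}
    net, gateway, device = best
    # Without a gateway the destination is on-link: we ARP/NDP for its own MAC.
    # With a gateway we ARP/NDP for the gateway's MAC and let the router forward.
    return {
        "reachable": True,
        "route": str(net),
        "dev": device,
        "via_gateway": gateway is not None,
        "arp_for": gateway or destination,
    }

if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE_SHOW)
    for dst in ("192.168.0.50", "10.20.30.40", "176.31.102.216", "2001:db8::1"):
        print(dst, "->", next_hop(routes, dst))
```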

----

# NFtables

(Partially overlaps with Iptables)  
[Slides](https://slides.poul.org/2019/corsi-linux/3b_firewall/)  
[Video](https://youtu.be/ut50w2q6VEw)

---

## What is NFtables?

NFtables is a program that allows us to control Linux's internal
packet filter (firewall), letting us block unwanted traffic

---

<h2 style="min-width: 110%">NFtables vs IPtables vs firewalld (& co.)</h2>

* **iptables**: frontend for `xt_*` kernel modules, old (1998)
* **nftables**: frontend for `nf_*` kernel modules, "new" (2014)
* **firewalld & co.**: allow easier configuration, under the hood
  they all use iptables

---

## Overview of Linux packet filtering

<img src="assets/Netfilter-packet-flow.svg" style="background-color: white; min-width: 100%" />

Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg)

---

## How to read this graph

<img src="assets/nf-hook-cell.png" style="background-color: white; min-width: 100%" />

---

## How to read this graph /2

<img src="assets/nf-logic-cell.svg" style="min-width: 30%" />

* **Bridge check**: check if the packet needs to be routed on a bridged interface
* **Routing decision**: decide if we want a program to receive the packet (input)
  or if we need to __forward__ it to somewhere else
* **Conntrack**: linux checks if this packet is related to others (eg. TCP connection)

---

### Important things to know

* **bridging**: we instruct the linux kernel to forward MAC packets between
  2 separate interfaces (like a switch)
* The **routing decision** step is also what decides the output interface,
  the __forward__ hook is the first to know the output interface
* There are **4** chains: **filter** and **nat** (common), `mangle` and `raw` (rarely used)
* There are **5** hooks:
  * filter: **input**, **forward**, **output**
  * nat: **prerouting**, **postrouting**

---

## nftables hierarchy

* **Rule**: some form of filtering based on the packet (eg. source ip)
* **Chain**: a collection of rules that are applied to a **hook** with
  optionally a default policy (default open)
* **Table**: collects chains together, determines the **family** to use
  * families: **ip** (IPv4), **ip6** (IPv6), **inet** (IPv4&6),
    **arp** (ARP), **bridge** (MAC)

---

## Getting started with nftables

```bash
# nft add table inet my_table
# nft add chain inet my_table my_chain \
    '{ type filter hook input priority 0; policy accept; }'
# nft add rule inet my_table my_chain iifname eth0 tcp dport 22 drop
```

1. we create a table **my_table**
2. we add a chain **my_chain** that uses the **input** hook in 
   the **filter** chain, by default we **accept** packets
3. we add a rule that if a packet comes from **eth0** and has
   destination port **22** we drop it

---

## Do I need to use the CLI?

No, nft natively supports loading and saving rules to a file,
the example in the previous slide can be written as

```
table inet my_table {
    chain my_chain {
        type filter hook input priority 0; policy accept;
        iifname eth0 tcp dport 22 drop
    }
}
```

---

## Some important filtering rules

* `{iifname|oifname} <name>`: input/output interface name
* `{tcp|udp} {sport|dport} <number>`: TCP/UDP source/destination port
* `ip {saddr|daddr} <ip>`: source/destination ip
* `ct state {new|established|related|invalid}`: conntrack status
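
As an added example (not from the slides or the nftables project), a small Python linter that parses the nft file format shown two slides back into the table/chain/rule hierarchy and flags what a defender would change on an **input** chain. It places the slide's ruleset beside a default-drop version that uses the `ct state` match above, accepts loopback first and lets through the ICMPv6 types NDP needs; `192.168.0.0/24` is a constructed LAN prefix.

```python
import re

def parse_ruleset(text: str) -> list:
    """Parse the nft file format (one block opener per line) into tables -> chains -> rules."""
    tables, table, chain = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        m = re.match(r"table\s+(\w+)\s+(\w+)\s*\{$", line)
        if m:
            table = {"family": m.group(1), "name": m.group(2), "chains": []}
            tables.append(table)
            continue
        m = re.match(r"chain\s+(\w+)\s*\{$", line)
        if m:
            chain = {"name": m.group(1), "hook": None, "policy": "accept", "rules": []}
            table["chains"].append(chain)
            continue
        if line == "}":                               # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        for stmt in filter(None, (s.strip() for s in line.split(";"))):
            m = re.match(r"type\s+(\w+)\s+hook\s+(\w+)", stmt)
            if m:
                chain["type"], chain["hook"] = m.group(1), m.group(2)
            elif stmt.startswith("policy "):
                chain["policy"] = stmt.split()[1]
            else:
                chain["rules"].append(stmt)
    return tables

def lint(tables: list) -> list:
    """Findings on chains attached to the input hook, where a host's exposure is decided."""
    findings = []
    for t in tables:
        for c in t["chains"]:
            if c["hook"] != "input":
                continue
            where = f"{t['family']} {t['name']} {c['name']}"
            if c["policy"] != "drop":
                findings.append(f"{where}: policy {c['policy']} lets in everything not explicitly dropped")
            if not any(r.startswith("ct state") for r in c["rules"]):
                findings.append(f"{where}: no ct state rule, replies and unsolicited packets are treated alike")
            if c["policy"] == "drop" and not any(r.startswith(("iif lo", "iifname lo")) for r in c["rules"]):
                findings.append(f"{where}: loopback traffic is not accepted before the drop policy")
    return findings

# The ruleset from the slides: a deny-list, one port blocked, everything else accepted.
WEAK = """
table inet my_table {
    chain my_chain {
        type filter hook input priority 0; policy accept;
        iifname eth0 tcp dport 22 drop
    }
}
"""

# Allow-list version: default drop, conntrack first, loopback, ping, and the ICMPv6
# types NDP needs (without them IPv6 neighbours cannot be resolved, see the ARP/NDP
# slides). 192.168.0.0/24 is a constructed LAN prefix allowed to reach ssh.
HARDENED = """
table inet my_table {
    chain my_chain {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        ip saddr 192.168.0.0/24 tcp dport 22 accept
    }
}
"""

if __name__ == "__main__":
    for name, ruleset in (("slides", WEAK), ("hardened", HARDENED)):
        print(name, lint(parse_ruleset(ruleset)) or ["ok"])
```

The same parse-then-lint pass can be run on `nft list ruleset` output saved to a file, as long as each `table`/`chain` opener sits on its own line.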

----

# Debug network problems

---

## You can't connect to the Internet, now what?

When setting up a network it might happen that everything
breaks, we will go through some tools that might help debug
network configuration problems

---

### Network checklist

* Can the network route to another address?
* Does the network resolve domain names?
* Are response packets coming back?
* Is everything ok in upper layers?

---

### Quick routing check: ping & traceroute

* **ping** is useful to check that we have working routing:
  a quick `ping 1.1.1.1` can tell us if we can reach a known
  IP (in this case Cloudflare's DNS)

* **traceroute** can help with identifying routing
  nodes that are dropping packets

---

### DNS check: ping (again) & dig

* Again **ping** can be used to quickly check if DNS resolution
  is working as intended: `ping poul.org` will return an IP
  address if DNS is working

* **dig** can help to check more complex problems,
  using `dig poul.org` will tell us if the system DNS
  (found in `/etc/resolv.conf`) is working, whereas
  `dig @1.1.1.1 poul.org` will tell us if there is some
  external problem related to DNS

---

### Checking for responses

* Tools like **tcpdump** and **Wireshark** can help debug
  problems related to responses not coming back, just point to
  the right interface and filter for the traffic (usually __icmp__)

* Only have ssh but want to have a gui? No problem!<br>
  ```
  ssh root@<ip> "tcpdump -i eth0 -s0 -w - 'not port 22'" | wireshark -k -i -
  ```

---

### Upper Layer Problems

So far we only talked about L1-3 problems, but there can be just as many
in L4-7; however, these usually require specific tools to debug

* **curl** can be used to detect a [TCP Blackhole](https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems) and a whole other lot of problems
  ```
  curl -vv https://example.org
  ```

----

# Wireguard
[Link to Slides](https://slides.poul.org/2019/corsi-linux/3c_wireguard.pdf)  
[Link to Video](https://youtu.be/Ppw6XxbmlWA)

---

### What is a VPN?

A VPN is a piece of software that allows us to access a **Network**
that is not publicly available (**Private**) and which we have
no physical connection to (**Virtual**)

---

### Wireguard

Project started in 2016 to replace OpenVPN, improving on it in terms
of security and ease of configuration

Strong Points:
* Minimal codebase, ~40000 loc (originally 4000) vs 600000 for OpenVPN
* Minimal configuration
* Fail-open behavior, if misconfigured no packets are routed

---

### Step 1: Generating a key pair

```bash
wg genkey > privatekey
cat privatekey | wg pubkey > publickey
```

This needs to be done for every __host__ that wants to join the vpn

---

### Write server configuration

```
[Interface]
Address = 192.168.10.1/24
ListenPort = 51820
PrivateKey = kIbuAUUbNZeC18onuKDtUui2Oa+l4/RrsU/sjcVKgmU=

PostUp = nft add rule ip filter FORWARD iifname %i counter accept
PostUp = nft add rule ip nat POSTROUTING oifname eth0 counter masquerade
PostDown = nft del rule ip filter FORWARD iifname %i counter accept
PostDown = nft del rule ip nat POSTROUTING oifname eth0 counter masquerade

[Peer]
PublicKey = yL4ajtwU9a2zP9vyVa5hdB5cSl/deLXv0Ldck1Y/FSU=
AllowedIPs = 192.168.10.2/32
```

---

### Write client configuration

```
[Interface]
Address = 192.168.10.2/24
PrivateKey = CCSq5ngQcIGjKS3qu5woC7tYVQM2zJhJVR4jQ9xrXUY=
DNS = 192.168.10.1

[Peer]
PublicKey = xopK6ZfGT0CAS8g8SXmEZf4Ppp3al5XkDJPCYl5Z8So=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server public ip>:51820
```

---

```bash
wg-quick up server.conf
```

```bash
wg-quick up client.conf
```

---

# Done!

---

## Well not so fast

Due to the fail-open nature, it is sometimes difficult to debug

Some debugging techniques are shown in the previous sections.  
Ping tends to report an error if wireguard is misconfigured.  

The linked slides offer a more in-depth explanation of the
configuration that might help to debug problems.
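
One more check that helps here, as an added example (not WireGuard's own code): `wg pubkey` is X25519 of the clamped private key against the base point 9, base64 in and out, so the same derivation in pure Python lets you confirm offline that each side's `[Peer] PublicKey` really belongs to the other side's `PrivateKey`, that the server's `AllowedIPs` cover the client's `Address`, and that the client's `Endpoint` port matches `ListenPort`. The ladder follows RFC 7748 and is for illustration only (not constant-time); the sample keys are the RFC 7748 test pairs and `203.0.113.5` is a placeholder server IP.

```python
import base64
import configparser
import ipaddress

P = 2**255 - 19  # Curve25519 field prime

def clamp(k: bytes) -> int:
    """Scalar clamping, done by wg and every X25519 implementation."""
    a = bytearray(k)
    a[0], a[31] = a[0] & 248, (a[31] & 127) | 64
    return int.from_bytes(a, "little")

def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (illustration only, not constant-time)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def wg_pubkey(private_b64: str) -> str:
    """What `wg pubkey` computes: base64(X25519(clamp(priv), 9))."""
    priv = base64.b64decode(private_b64)
    return base64.b64encode(x25519(clamp(priv), 9).to_bytes(32, "little")).decode()

def parse(conf: str) -> configparser.ConfigParser:
    # No interpolation (PostUp lines contain %i) and non-strict (PostUp repeats).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep PrivateKey/PublicKey capitalisation
    cp.read_string(conf)
    return cp

def check_pair(server_conf: str, client_conf: str) -> list:
    """Mismatches between a server and a client config; [] means they agree."""
    s, c = parse(server_conf), parse(client_conf)
    out = []
    if c["Peer"]["PublicKey"] != wg_pubkey(s["Interface"]["PrivateKey"]):
        out.append("client [Peer] PublicKey is not derived from the server PrivateKey")
    if s["Peer"]["PublicKey"] != wg_pubkey(c["Interface"]["PrivateKey"]):
        out.append("server [Peer] PublicKey is not derived from the client PrivateKey")
    client_ip = ipaddress.ip_interface(c["Interface"]["Address"]).ip
    allowed = [ipaddress.ip_network(n.strip()) for n in s["Peer"]["AllowedIPs"].split(",")]
    if not any(client_ip in n for n in allowed):
        out.append(f"server AllowedIPs do not cover the client address {client_ip}")
    if c["Peer"]["Endpoint"].rsplit(":", 1)[1] != s["Interface"].get("ListenPort", "51820"):
        out.append("client Endpoint port differs from server ListenPort")
    return out

def b64(hexkey: str) -> str:
    return base64.b64encode(bytes.fromhex(hexkey)).decode()

# Constructed sample keys: the Alice/Bob key pairs from RFC 7748 section 6.1.
SERVER_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUB = b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
CLIENT_PRIV = b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_PUB = b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

# Same layout as the slides; 203.0.113.5 is a constructed (documentation) server IP.
SERVER_CONF = f"""[Interface]
Address = 192.168.10.1/24
ListenPort = 51820
PrivateKey = {SERVER_PRIV}
[Peer]
PublicKey = {CLIENT_PUB}
AllowedIPs = 192.168.10.2/32
"""
CLIENT_CONF = f"""[Interface]
Address = 192.168.10.2/24
PrivateKey = {CLIENT_PRIV}
[Peer]
PublicKey = {SERVER_PUB}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.5:51820
"""
```

Calling `check_pair(SERVER_CONF, CLIENT_CONF)` returns an empty list for the sample pair; feed it your own `server.conf` and `client.conf` text to get the list of mismatches.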

----

# Ansible
[Link to Slide](https://slides.poul.org/2019/corsi-linux/4b_ansible/)  
[Link to Video](https://youtu.be/Cc396Em2BuM)

---

## What is Ansible?  

Ansible is a declarative configuration management tool

Strong points:  
* Only Python and SSH need to be installed to have a machine
  be controlled by Ansible
* Idempotent (multiple runs have the same result as one)
* Declarative/Stateless: what is in the config files dictates the end result,
  not how to get there

---

## What can you do with ansible?

* Maintain consistent configurations across machines
* Have a set of installed packages on all your machines
* Manage installation/upgrade of services in a reproducible way

---

## Basic ansible terms

* **inventory**: defines hosts and their grouping
* **playbook**: describes what operations to do on the hosts
* **task**: defines the single operation to execute

---

## Anatomy of an inventory

```ini
[webservers]
web.example.org
web[1-4].example.org

[motd]
192.168.0.1

[motd:children]
webservers
```

---

## Anatomy of a task

```yaml
name: "Install webserver"
apk:
  name: lighttpd
  state: latest
```

---

## Anatomy of a playbook

```yaml
---
- hosts: webservers
  remote_user: root
  tasks:
  - name: install webserver
    package:
      name: lighttpd
      state: latest
  - name: start webserver
    service:
      name: lighttpd
      state: started
      enabled: yes
```

----

# Beyond the cloud

----

## Why have a server at home?

---

### Server@Home

* We have full control on the hardware
* Advanced setups possible
* Is better suited in some scenarios (eg. backup)
* Usually cheaper than a server __*__  
  (eg. storage)

---

### Cloud Server

* Usually has better uptime (much closer to 100%)
* Storage has magic underneath
* Usually has higher network bandwidth

---

### What to consider to do cost/benefit-wise

* On cloud servers the entire infrastructure
  is redundant, and if a component breaks the
  cloud provider replaces it free of charge,
  at home you have to pay for replacements
* Magic ratio `kWh/Wy` -> `8.76`
  (1 W drawn around the clock for a year is 8.76 kWh)
    * High power consumption can lead to an
      expensive bill

----

# How to pick the hardware

---

### Storage technologies summary

|   | €/GB | R/W Speed | Lifetime |
| - |:---- |:--------- |:-------- |
| HDD | Low | Medium | Medium<br>(3-5 years) |
| SSD | Medium | High | High<br>(10+ years) |
| SD/eMMC | High | Medium-Low | Short<br>(1-2 years) |
| Bluray | Low | Medium (RO) | Extreme (100+ years) |
| Cloud | - | Depends* | Infinite* |

---

## ARM SBC/Router

<div style="display: block; margin: 0 auto">
    <img src="assets/rpi4.jpg" style="max-width: 27%">
    <img src="assets/tinkerboard.png" style="max-width: 30%">
    <img src="assets/rockpro64.png" style="max-width: 25%">
</div>

* Cost: 20-100€
* Computing power: Medium-Low
* Storage: scarce/decent
* Power consumption: 5-15W

---

## Things to consider before buying

* Ethernet maximum speed (100 vs 1000)
* How the ethernet chip is connected to the SoC
* How the USB ports are connected to the SoC
* CPU computing power
* RAM quantity
* Bootable storage (SD/eMMC vs USB 3/SATA)
* Mainline linux support

---

## Why you shouldn't buy a RPi

* Models 1-3 have their USB ports behind a hub
* Models 1-3 have ethernet behind a USB adapter<br>(guess where it is attached?)
* Wifi/BT share an antenna; better results are achievable with
  a u.FL connector and a proper antenna
* Computing power is generally lower than
  competitors at the same price point
* RPi linux distributions tend to come with
  a lot of proprietary Broadcom blobs
* Generally poor power supply circuitry

---

## Laptop/Entry-level desktop

<div style="display: block; margin: 0 auto">
    <img src="assets/laptop_n.jpg" style="max-width:40%" />
    <img src="assets/comp_antisgamo.jpg" style="max-width:40%" />
</div>

* Cost: 50-200€
* Computing power: Medium-High
* Storage: usually quite decent
* Power consumption: 20-50W

---

## High-End Desktop/Server

<div style="display: block; margin: 0 auto">
    <img src="assets/server_1.png" style="max-width:15%" />
    <img src="assets/server_2.png" style="max-width:35%" />
</div>

* Cost: 100-2000€
* Computing power: High
* Storage: sufficient-plenty (NAS)
* Power consumption: 200-2000W
* Pros: [no house heating costs](https://hardware.slashdot.org/story/17/09/13/002250/french-company-plans-to-heat-homes-offices-with-amd-ryzen-pro-processors)

---

## I need to crunch numbers, what should I do?

* Use a low-power device to trigger [Wake on LAN](https://en.wikipedia.org/wiki/Wake-on-LAN) for a more powerful device
* Use a combination of Home+Cloud
* Use spot/preemptible cloud VMs<br>(this depends on the workload)

---

# Is there such a thing as too much hardware?

---

# NO

<div style="display: block; margin: 0 auto">
    <img src="assets/rack_1.png" style="max-width:35%" />
    <img src="assets/rack_2.jpg" style="max-width:22%" />
</div>

----

# Internet connection technologies

---

How do we connect to the internet?  

3 main technologies:  

* *DSL
* GPON (fiber)
* Ethernet

---

## *DSL

<img src="assets/RJ11.jpg" style="max-height: 30%" />

* Encompasses various technologies (ADSL/VDSL/VDSL2)
* All of them use a copper medium (telephone line) to transmit data
* Phone line length and EMF interference *affect* transmission speed

---

## Router options for *DSL

* Lantiq-based routers ( [list](https://openwrt.org/docs/techref/targets/lantiq) )
* No one else, since the DSL chipset is usually custom-made and manufacturers don't release the source code
* Some routers allow enough configuration to be ISP-neutral, but that comes at a
  cost of old software
* In theory _Modem Libero_ should allow the use of old ISP routers, but I wouldn't hold my breath on that

---

## GPON (fiber)

<img src="assets/fiber.jpg" style="max-height: 30%" />

* New technology used for FTTH (1 Gb/s internet)
* There is a direct optical link between the end user and the ISP
* Since the transmission is optical, no interference!
* Optic fiber crimping has some tooling costs (~200€)

---

## ONTs

<div style="display: block; margin: 0 auto">
    <img src="assets/ont.jpg" style="max-width:40%" />
    <img src="assets/sfp_ont.jpg" style="max-width:40%" />
</div>

An ONT is a device that bridges a fiber link to ethernet  
(allowing us to use any device we want as a router)  
There are only a couple of ONTs with WIP OpenWRT support

---

## Raw Ethernet

<img src="assets/ethernet.jpg" style="max-height: 30%" />

Some providers (eg. Eolo) use alternative transmission media;
usually these will have an ordinary ethernet cable attached
to a mundane wifi router

----

# Deploying a FOSS router at home

---

## Materials needed:

* A device to interface with your internet
* Some ethernet cables (crimping tools recommended)
* A device with 2+ ethernet ports (1 works in some setups, but don't)
* WiFi device

---

## Small digression: Modem Libero

At the end of 2018 the AGCOM (Italian telecommunications agency) approved
a set of rules that forces ISPs to provide appropriate means to allow consumers
to choose their own router (ONTs are still considered part of the ISP's network)  

Obtaining the various settings for connecting to the ISP's network varies
in difficulty and in the number of call centres you have to contact, depending on the ISP you pick  
_(there was also a clause that allowed consumers to have a vendor-neutral firmware
at the end of the contract, but everyone seems to have forgotten about that)_

---

## Connecting to the ISP

There are 2 main ways in which you connect to ISPs

* PPPoE over VLAN: used by basically everyone
* DHCP over raw ethernet: used only by Fastweb

Obviously neither method is within spec; both use some *slight*
change in protocol parameters, which may need some fiddling

---

## IPv6

Currently (April 2020), only 2 ISPs provide IPv6 connectivity

* Fastweb: via [6rd](https://en.wikipedia.org/wiki/IPv6_rapid_deployment)
* Telecom Italia: via a separate PPPoE connection

However do note that both these tunnels might not support the full bandwidth

---

## What software to use?

* ppp for connecting to PPPoE
* systemd-networkd for managing connections  
  (it is the only network manager that fully supports most ISPs' configurations)

----

## Special Thanks to

* Federico Amedeo Izzo for NAND info
* Nicolo Izzo for his [original talk](https://slides.poul.org/2017/corsi-linux-avanzati/servers/) and images
* Davide Depau for help with NFtables and photos
* Lorenzo Ribis for some photos
* POuL members in general for being always helpful