FreeBSD/Linux as Fibre Broadband router

British Telecom, bless them, has decided that copper telephone lines have to go and is forcing everyone onto fibre Internet and VoIP. Except rural customers currently connected to the Internet using a wet piece of string if they’re lucky, of course.

Incidentally, “Fibre Broadband” is a nonsense in a technical sense but the battle is lost – the public believes Broadband is any Internet connection to the home that isn’t dial-up.

Although I’ve written about routing on FreeBSD before, I thought it was time for an update. Why route on FreeBSD? Because unlike the cheap and nasty “routers” supplied by domestic (and some commercial) ISPs, it doesn’t crash. You don’t have to turn it off and on again. And it does what it’s told, with great diagnostics. You can also run plenty of other services on the same box if it’s powerful enough, or your throughput is modest.

Most of this should work fine on Linux, although the networking is generally considered less efficient than the real thing. However, at less than 1Gbps on a single line this isn’t going to matter, if it matters at all. With Linux you get less of the nuts and bolts built in to the base system so you may have to install extra packages depending on which distribution you are using. But this is all standard stuff so shouldn’t be too difficult. It’s the settings that matter, and probably the reason you’re reading this!

In this first article I’ll just consider a gateway router with NAT, and leave DNS, DHCP and other options until later.

Setting up PPPoE using user-ppp

First off, your WAN connection. With FTTC and FTTP this is normally a little white box – either a VDSL modem or an ONT. It connects to the phone line or fibre cable on one end, and has an RJ45 on the other that looks like Ethernet, because it is Ethernet. I’m going to call them Ethernet Modems, as they’re treated the same for our purpose. However, being Ethernet won’t do you much good as it’s just talking a protocol called PPPoE – or Point-to-Point Protocol over Ethernet.

PPP is an old protocol for making an Internet connection using dial-up, but it’s evolved (or suffered mission creep) and it’s now rather complicated thanks to all the baggage. Fortunately you can ignore the baggage and concentrate on the PPPoE stuff, once you know which is which. And that’s always the trick.

You’ll need a host (i.e. computer) with two Ethernet ports unless you want a complicated life. If you’re using an old PC with just one you can get away with a USB3 Ethernet adapter, but having a couple of server-grade NICs on the motherboard or add-on cards is the best way to go. Very generally, Intel or Broadcom are good choices, Realtek is at the low end.

You need to connect your Ethernet Modem to one port on your host and the other port goes to the LAN.

If your Ethernet Modem and the host you’re planning to use as a router are in different places you can connect them using a VLAN. It’s proper Ethernet and can be switched. Without a VLAN it’s not so simple, so plug it in using a direct cable.

PPP is built in to the base system of FreeBSD and the other BSDs. Type ppp (as root) and it’ll start up in interactive mode. If it doesn’t, you’re not using BSD and therefore lack a base system and will have to install it as a package. You might like to start here: https://tldp.org/HOWTO/PPP-HOWTO/

Although you can compile PPP support into the kernel, the ppp we’re talking about is a program written by Toshiharu OHNO and Brian SOMERS in the early 1990s, and part of BSD since FreeBSD and OpenBSD 2. It’s the normal straightforward way of doing things.

ppp has a simple config file in /etc/ppp/ppp.conf. It can contain profiles for multiple services in sections, with the service name being arbitrary, and ending in a colon (“:”). You specify the service when you run it, and stuff in other sections is ignored. This is a hangover from the days when people had multiple dial-up connections.

Here’s a service definition for Cloudscape, one of my favourite ISPs, but other UK FTTP services will be similar or identical. UK FTTC and SoGEA modems are pretty much the same too.

cloudscape:
  delete default                # May already have a
                                # default route configured elsewhere
  set device PPPoE:bge1
  set authname user-name-supplied-by-ISP
  set authkey password-supplied-by-ISP
  set dial
  set login
  set lcp
  set mru 1492
  set mtu 1492
  disable ipv6cp              # Turn off IPv6
  enable ipcp                 # Turn on IPv4 (default)
#  enable lqr                 # Turn on Link Quality Requests
                              #   (detect dropped line)
  enable echo                 # Enable echo for LQR
  iface name wan0
  add default HISADDR

The ppp program was originally used for serial PPP connections to dial-up ISPs or organisations, but here we’re just using it for PPPoE. In support of switching ISPs it can add stuff to config files like resolv.conf and the routing table, which in the old days tended to be dynamic.

Feel free to read the manual that explains what the options above do, but briefly I’m starting by deleting the default route, which probably won’t exist unless you’ve configured it (possibly using DHCP), but if it does will cause problems when ppp adds another.

  set device PPPoE:bge1

This says we’re using PPPoE over the bge1 Ethernet card. Obviously set this to the Ethernet card to which your Ethernet Modem (e.g. ONT) is attached.

  set authname user-name-supplied-by-ISP
  set authkey password-supplied-by-ISP

These are the user name and password supplied by your ISP. They tend to be low security, but are needed for the protocol for historic reasons.

  set dial
  set login
  set lcp

This will cause ppp to dial, log in and get details using LCP. Some people will try to tell you that internet lines are configured with DHCP – that’s for LANs. LCP (Link Control Protocol) provides the same function, such as what your IP address is and which DNS servers to use, over a point-to-point connection.

  set mru 1492
  set mtu 1492

PPPoE adds eight bytes of protocol overhead to each frame, so a full 1500-byte packet no longer fits 1:1 inside a standard 1500-byte Ethernet frame. Reducing the MTU to 1492 gets around this and avoids fragmentation, which is a good thing. LCP might suggest or force a lower MTU but there’s no harm in specifying it.

  disable ipv6cp              # Turn off IPv6
  enable ipcp                 # Turn on IPv4 (default)
#  enable lqr                 # Turn on Link Quality Requests
                              #  (detect dropped line)
  enable echo                 # Enable echo for LQR

This disables IPv6 and enables IPv4 (which is on by default anyway). If you want to use IPv6 your service provider needs to support it, and most don’t.

LQR is probably not going to be necessary for our purposes and generates warnings, so I’ve left the line in but commented it out for now. The enable echo therefore has no effect.

  iface name wan0

By default, ppp will name its connections as tun0, tun1 and so on (tun being Tunnel). This means that you never know what the interface is going to be called, as other tunnels may exist before you start this one. We’re going to be referring to the interface in the PF firewall, so it helps to be sure what its name will be. The line above sets the name manually, and I’ve called it wan0, which is logical. You may, of course, have multiple WAN connections including dial-up backups, so giving them a sensible name is, er, sensible. You can call it anything you like if you’re nuts.

  add default HISADDR

This is an example of ppp messing with your system configuration – in this case it’s taking the IP address supplied by LCP, represented by the macro HISADDR, and adding it as the default route. If you have a static IP address you might want to set it statically in the normal way.

Likewise, if you add the line “enable dns” it will take the DNS servers offered by LCP and add them to resolv.conf. It won’t remove them, and may well end up messing up whatever local DNS arrangements you have, so I prefer to do this manually.

Once you’ve edited ppp.conf you can test it out interactively with “ppp cloudscape” and see what happens. Type “dial” and it should make the connection, and wan0 should appear in your list of network interfaces. Use netstat -r to see if the new default route has appeared.

Setting up the pf firewall

user-ppp is a large program that tries to do everything, including NAT and being a firewall. This isn’t very UNIX-like in philosophy, but you can use these facilities if you like. I prefer to have a dedicated standard firewall, PF, and leave that to do everything firewall-like.

If you’re setting up a router you’re probably going to need asymmetric NAT (the whole LAN hidden behind the single WAN address). Your /etc/pf.conf file will look something like this:

scrub in all
WAN=wan0
WANIP=1.2.3.4
nat pass on $WAN from 192.168.1.0/24 to any -> $WANIP
#rdr pass on $WAN proto tcp from any to $WANIP port 80 -> 192.168.1.123

The WAN IP comes from your ISP, although you will be able to see it using “ifconfig wan0” if you don’t have it to hand. I’m assuming your LAN is 192.168.1.0/24 – just set this to whatever you’re using. And that’s about it.

As a bonus, the commented-out example line at the end would redirect external port 80 to a web server on LAN address 192.168.1.123 – an open port. Peter Hansteen has written an excellent book on PF, called “The Book of PF”, which will tell you everything you need to know, and it’s well documented in various online handbooks and man pages, unlike user-ppp’s built-in firewall.

The only reason for using user-ppp for NAT is if you’re on a dynamic IP address, in which case add “enable nat” to the profile and add ppp_nat=yes to /etc/rc.conf.
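The pf.conf above does NAT and nothing else, and pf passes whatever it is not told to block, so the router’s own services are reachable from the WAN side. The following is an added example (mine, not the post’s pf.conf): a small shell function that renders a pf.conf for the same router with a default-deny inbound rule on the WAN interface, parametrised on the interface names and LAN subnet. It also uses pf’s “(interface)” form for the NAT address, so the file does not need the WAN IP hard-coded. The LAN interface name bge0 in the usage comment is a placeholder I have assumed; the post only names bge1 as the WAN-side NIC.

```shell
#!/bin/sh
# Added example, not the pf.conf from the post above. Renders a pf.conf for
# the same router with filtering rules added (the post's example does NAT
# only, and pf passes whatever it is not told to block). The LAN interface
# name bge0 in the usage comment below is a constructed placeholder.

render_pf_conf() {
    wan="$1"      # PPP interface, "iface name wan0" in ppp.conf
    lan="$2"      # NIC facing the LAN
    lan_net="$3"  # LAN subnet, e.g. 192.168.1.0/24
    cat <<EOF
# pf.conf rendered by render_pf_conf (WAN=$wan, LAN=$lan)
ext_if = "$wan"
int_if = "$lan"
lan_net = "$lan_net"

set skip on lo0
scrub in all

# NAT the LAN out of the WAN. (\$ext_if) in parentheses means "whatever
# address the interface holds right now", so a dynamic IP from the ISP
# works without editing this file.
nat on \$ext_if from \$lan_net to any -> (\$ext_if)

# Drop (and log) anything arriving unsolicited on the WAN side; let the
# LAN and the router itself out, keeping state so replies come back in.
block in log on \$ext_if
pass out on \$ext_if keep state
pass in on \$int_if from \$lan_net to any keep state
EOF
}

# Parse-check the rendered file with pfctl before putting it live. Meant to
# be run as root on the router; it is not executed by this script.
install_pf_conf() {
    render_pf_conf "$@" > /etc/pf.conf.new || return 1
    pfctl -nf /etc/pf.conf.new || return 1      # -n: parse only, load nothing
    mv /etc/pf.conf.new /etc/pf.conf && service pf reload
}

# Usage: render_pf_conf wan0 bge0 192.168.1.0/24   (bge0 is a placeholder LAN NIC)
```

The rendered rules replace the post’s “nat pass” with a plain “nat”, so translated packets still pass through the filter rules below it; install_pf_conf refuses to overwrite /etc/pf.conf unless pfctl accepts the new file.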

Kicking it all off

First you need to enable routing:

 sysctl net.inet.ip.forwarding=1

This will work until reboot, and you can turn it off again by setting it to zero if something bad happens, like your NIC catching fire. Then dial your ISP (Cloudscape in this example):

ppp -ddial cloudscape

You should now have a connection to the Internet on the BSD box. Now enable PF for NAT.

service pf start (or onestart)

If it’s already running, use “service pf reload” to load the new config. At this point every machine on the LAN should be able to use the router’s LAN IP address as a gateway.

When you’re happy it works, to make this kick off automatically on boot, modify /etc/rc.conf:

sysrc ppp_enable=yes
sysrc ppp_mode=ddial
sysrc ppp_profile="cloudscape"
sysrc pf_enable=yes
sysrc gateway_enable=yes

Optionally “sysrc ppp_nat=yes” if you’re not using PF for NAT. Or if you’re editing rc.conf directly:

pf_enable=yes
gateway_enable=yes

ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES"	# We let PF do NAT
ppp_profile="name_of_service_provider"
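Once the dial, the sysctl and pf are all in place it is worth checking the result rather than assuming it, and the post’s advice (look for wan0 in the interface list, check netstat -r for the default route) can be scripted. The script below is an added example of mine, not part of the post: four checks, each reading the output of one FreeBSD command from stdin so they can be fed either live output (the --live mode) or the constructed sample outputs embedded in the script. It assumes the FreeBSD output formats of netstat -rn, ifconfig, sysctl and pfctl -s nat; the sample routing table uses bge0 as the LAN NIC and documentation addresses from 203.0.113.0/24 in place of a real ISP allocation, both my own placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the router
# after "ppp -ddial" and "service pf start". Each check reads one FreeBSD
# command's output from stdin so it can be fed live output (live_checks) or
# the constructed samples below.

WAN_IF="wan0"               # from "iface name wan0" in ppp.conf
LAN_NET="192.168.1.0/24"    # the LAN subnet used in the post's pf.conf
EXPECT_MTU=1492             # 1500-byte Ethernet payload minus 8 bytes of PPPoE

# Default route must point at the PPP interface (stdin: netstat -rn).
# FreeBSD columns: Destination  Gateway  Flags  Netif  Expire
check_default_route() {
    awk -v want="$1" '$1 == "default" { seen = 1; if ($4 == want) ok = 1 }
                      END { if (seen && ok) exit 0; exit 1 }'
}

# MTU must be what ppp.conf asked for (stdin: ifconfig wan0).
check_mtu() {
    awk -v want="$1" '{ for (i = 1; i < NF; i++) if ($i == "mtu") mtu = $(i + 1) }
                      END { if (mtu == want) exit 0; exit 1 }'
}

# Forwarding must be on, or the box is a host, not a router (stdin: sysctl).
check_forwarding() {
    awk '$1 == "net.inet.ip.forwarding:" { v = $2 } END { if (v == 1) exit 0; exit 1 }'
}

# A nat rule for the LAN must be loaded on the WAN interface (stdin: pfctl -s nat).
check_nat_rule() {
    awk -v wan="$1" -v lan="$2" \
        '$1 == "nat" && index($0, "on " wan " ") > 0 && index($0, lan) > 0 { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Constructed sample outputs in FreeBSD format. bge0 as the LAN NIC and the
# 203.0.113.0/24 addresses are placeholders, not real values.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        wan0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U          bge0
203.0.113.1        link#3             UH         wan0'
SAMPLE_IFCONFIG='wan0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        inet 203.0.113.4 --> 203.0.113.1 netmask 0xffffffff'
SAMPLE_SYSCTL='net.inet.ip.forwarding: 1'
SAMPLE_NAT='nat pass on wan0 inet from 192.168.1.0/24 to any -> 203.0.113.4'

# All four checks against the samples; returns 0 only when every check passes.
check_samples() {
    printf '%s\n' "$SAMPLE_ROUTES"   | check_default_route "$WAN_IF"       || return 1
    printf '%s\n' "$SAMPLE_IFCONFIG" | check_mtu "$EXPECT_MTU"             || return 1
    printf '%s\n' "$SAMPLE_SYSCTL"   | check_forwarding                     || return 1
    printf '%s\n' "$SAMPLE_NAT"      | check_nat_rule "$WAN_IF" "$LAN_NET"  || return 1
}

# The same checks against the running system (run as root on the router).
live_checks() {
    netstat -rn | check_default_route "$WAN_IF"        || { echo "default route is not via $WAN_IF"; return 1; }
    ifconfig "$WAN_IF" | check_mtu "$EXPECT_MTU"       || { echo "$WAN_IF mtu is not $EXPECT_MTU"; return 1; }
    sysctl net.inet.ip.forwarding | check_forwarding   || { echo "net.inet.ip.forwarding is 0"; return 1; }
    pfctl -s nat | check_nat_rule "$WAN_IF" "$LAN_NET" || { echo "no nat rule for $LAN_NET on $WAN_IF"; return 1; }
    echo "router checks passed"
}

# "./router-check.sh --live" runs against the real system; without the flag
# the script only defines the functions and the samples.
case "${1:-}" in
    --live) live_checks ;;
esac
```

Each check is a filter that exits non-zero on failure, so they also drop straight into a cron job or a monitoring script: a failing default-route check after a reboot is the usual sign that ppp dialled but the “add default HISADDR” line lost out to a default route configured elsewhere.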

I will do a part two to this post explaining how to configure DNS and DHCP, although there’s no reason these need to be on the same host you’re using as a router. In fact it’s good practice to separate them and have more than one DHCP and DNS server if you have the resources.

I hope you found it useful – any questions add a comment below.

Grant Shapps – need for speed?

[Photo: Rt Hon Grant Shapps MP. Used with permission from http://www.communities.gov.uk/corporate/help/conditions/]

People (e.g. the Guardian) are clearly out to get Grant Shapps MP, and given their bias you can see why. But he’s not helping with the publication of his recent report, which he and the British Infrastructure Group of MPs have wittily titled “Broadbad” (PDF format).

It’s calling for Openreach to be made independent of the remainder of BT, in order for the public to get the “super-fast” broadband we need if we’re not to revert to the stone age. They claim that BT has wasted 1.7Bn on rolling out this technological artery to rural areas, yet 5.7M households don’t have the “minimum required” speed of 10Mb.

I say wrong, wrong and wrong.

First off, Openreach hasn’t received 1.7Bn for the rural broadband project. It’s only received about a third of that, and it’s a project in progress.

Secondly, I’d dispute that 5.7M households have yet to be connected. This is based on an old Ofcom report using figures available before the project got under way.

Thirdly, the case for 10Mb+ Internet connections to homes has not been met. It’s justified because the UK will “lag behind” countries like Japan and South Korea. So what?

The UK lags behind the USA in gun crime; should we therefore relax restrictions on firearms ownership? “Lagging behind” per se does not matter a jot. Their justification as to why we need higher speeds amounts to “Ofcom have shown that as consumers get better download speeds, they consume more data”. No sh*t, Sherlock!

So what is this data people are consuming? Basically Netflix. Only video has the “need” for high throughput Internet connection, and although this might help the bottom line of OTT media providers, it’s hard to see any other economic benefits to anyone.

According to the report, Spain also has faster connections than our unlucky punters; so if they’re trying to correlate domestic broadband speeds with economic virility, they’ve shot their fox.

As I’ve said before, the whole concept is insane. Streaming video requires about 2Mbps. How many streams does a household need?

Most other high-usage domestic customers are, basically, pirating media. They need fast upload speeds for that, which aren’t really mentioned in the report. Why should the public purse be subsidising either OTT operators or pirates?

A few weeks ago I tackled someone from the Home Office about this crazy idea, and the reasoning behind it was more cynical than I thought. It’s only one civil servant’s opinion, but my contact has a pretty good idea about how government really works.

Consider all the infrastructure projects we could be working on; things that would benefit the country. There’s road and rail networks (HS2 is a drop in the ocean), the national grid, water supply and sewers. How about a sustainable transport network, as it’s a certainty we’re going to need one. All these cost serious money, which the exchequer hasn’t got. But the government has to be seen to be investing in infrastructure. The cheap option is to roll out mad-speed Internet. They can claim it’s needed for business; voters have no idea what a megabit of data can actually be used for. And the public want it. They don’t need it, but that’s not the point. They want it.

If you tell Mondeo Man his broadband is lagging behind the Spaniards, he’ll want something done about it. (If you tell him to wire up the house properly instead of using WiFi, it’d be in one ear and out the other.)

So, by making a fuss about broadband speeds and then demanding action from BT, and throwing relatively little money about, the government can look like it’s dealing decisively with a pressing issue.

As for Mr Shapps, he claims to have been in the Internet business before becoming an MP. He should know better, but it turns out he had a web development company so probably doesn’t know the difference between a kilobit and a megabit either. If only he’d asked.

No talk from TalkTalk

Charles Dunstone’s budget ISP TalkTalk has been hacked again. Yawn. This time it’s big news on TV; the headline story in fact. Their website has been KOed for a couple of days, but it’s back online with a front page showing a different news agenda. They get their feed from AOL (also part of the Carphone Warehouse family), who probably just missed the kerfuffle; there’s no celebrity connection after all. Not yet, anyway.

If you’re a TalkTalk retail customer (or possibly a business customer – who knows how their systems interrelate and what data’s been pilfered), and you’ve used the same password with TalkTalk as any other sites, change your password on those sites NOW. The popular media is full of speculation as to what’s been compromised but they’re not mentioning passwords, presumably because TalkTalk will have told them that any passwords would have been encrypted. But if the criminals have got hold of the hashes, which is likely, it’s only a matter of time before they crack them.

How worried should customers of other ISPs be? Pretty worried, as on the serious side of the business they’re known as Opal Telecom, a significant LLU operator providing the link between the last mile and the data centre for a large number of Broadband providers.

I can, of course, only speculate as to why this keeps happening to them. One reason might be related to several conversations I’ve had with people from ISPs TalkTalk has taken over along the way. Apparently they really don’t like hard stuff like UNIX/Linux, and within months of a takeover they force a switch to Microsoft before making all the UNIX people redundant. Any fool can use Microsoft – low levels of technical understanding are required, meaning cheap engineers and lower costs. But do their Microsofties actually know what they’re doing? I dare say that some of them do, and some of them don’t. But the bar for a point-and-click Microsoft house is going to be lower.

Government “boosts” broadband at everyone’s expense

The government has moved to further line the pockets of telecommunications companies by relaxing planning laws requiring council approval before installing communications cabinets on public land. According to the new Culture Secretary, Maria Miller, this sweeps away the red tape holding the country back. Ms Miller’s background as an advertising executive has obviously primed her well for a proper understanding of the issues involved in the telecommunications business.

The government’s aim, inherited from the previous lot it has to be said, is to wire up the country for “superfast broadband”, whatever that means. They reckon domestic users need at least 24Mbps for the UK to extract itself from the dark ages, and 80Mbps would be better. But does the Culture Secretary, or anyone else in government, know what 80Mbps means? Well, in real terms, if you’re going to abuse the internet by streaming live high-definition video across it, you might use up 2Mbps of data rate. That’s 1/40th of an 80Mbps line. Okay – if you reckon that celebrity TV shows to people’s homes over the net is important to the country’s future this is still massive overkill. Video calls will use up about 1Mbps at worst and nothing much else comes close apart from downloading entertainment media.

Rt Hon Maria Miller MP, Culture Secretary

I’m not saying that the people of the UK should be denied the chance to download music and video content at high speed if they want to. I do question the government’s imperative for those who don’t want it to share in the cost of paying for it. If some people want high speed file downloads, those people can decide whether the cost is worth it and stump up the cash. If there’s a subsidy going it should be to promote 100% availability of a reliable 2Mbps service to rural areas – the data rate needed for business. We want to make it easier for rural business to do work, not city dwellers to watch TV all day.

Relaxing the planning laws is undoubtedly going to make it cheaper for the telecoms companies to install infrastructure, but it’s also going to make it impossible for local residents to object to unsightly and badly placed street furniture. You may feel this isn’t a big problem now, but this is simply because they currently have to think through the idea properly before submitting it to the local council, in order to avoid delays if the council objects.

According to BT, it currently takes between four and eight weeks for councils to approve new boxes. This is not unreasonable. Are telecoms company planners turning up for work on a Monday morning, deciding to install a new cable somewhere and then having to sit around for a month while waiting for approval? I hardly think so; these things need to be planned well ahead of time and thought through properly. There’d be something very funny going on if the planning application was on the critical path.

In May this year, Kensington and Chelsea council did deny BT’s request to install most of the 108 new cabinets it applied for. The council’s reason was that the new cabinets were unsightly and that BT had made no effort to re-use existing locations or place them in inconspicuous locations (a move which would probably have cost BT money). The council cited the historic character of the proposed sites; BT’s bullying response was to declare that the residents of the borough would therefore have to put up with “historic” broadband speeds – it then packed up its little vans and announced it was going to install fibre in other boroughs until the Council came around to their way of thinking. Other cable operators have been able to install high-speed internet lines in the borough, so BT’s argument is very thin indeed.

Our new culture secretary’s first act appears to be putting the interests of bullying big business ahead of local democracy.