Temporary ISP setup (LAN Party)


#1

Hi, I’m helping to setup the network at a local LAN Party with a couple of hundred participants.
We have 1Gbit uplink from our ISP, and two C classes of IP’s.
x.x.213.0/24 and x.x.214.0/23

I am wishing to setup a local router to handle most stuff, but I’m not that familiar with VyOS (or ISP grade networking for that matter) that I can manage without some expertise.

What I’m wishing to accomplish is:
Every participant connecting with wire to our switches gets a public ip address (x.x.214.0/23).
Every participant connecting with wireless to our access points get a private ip address (172.16.x.x/20).

Our ISP has the uplink at VLAN 1649, and we were planning to use VLAN 20 for participants on wire, and VLAN 30 for participants on wireless.
The ISP has established a x.x.213.1/30 and x.x.214.1/30 route for us to use.

It’s the that comes now I’m not familiar with. How to setup the VyOS to be fully transparent on the public domain, and have a firewall for the VLAN 30 with NAT.

I tried to setup a eth0.1649 with x.x.213/214.2/30 and eth0.20 with x.x.213.3/24 and x.x.214.3/23 and with dhcp servers. The dhcp server delivers ip addresses, but I’m not sure at all if this is going to work…

I don’t have the opportunity to test this live until wednesday (11th February) and it would be really nice if someone could help me out get the details right before friday (13th February) when the LAN Party starts.

Included simplified network schema: https://www.dropbox.com/s/ag5s166s9z8k1u2/2015-02-07%2002_11_45-VyOS%2C%20VLAN%20and%20interconnections_%20Lucidchart.png?dl=0

Thanks in advance!
fiLLLip


#2

Not sure I’m correctly interpreting the address space, but normally you’d get a single /30 for the uplink. You were allocated two /24s, but one subnet has a /23 mask?


#3

Maybe I explained it wrong. I’m totally new to carrier grade networking with routing.

I haven’t actually got the /30 yet, but I was guessing it was on the same range, so that may be totally wrong. We have the x.x.213.0/24 and x.x.214/23. So our total IP range would be x.x.213.0-x.x.215.255.

They normally just set up a gateway for us at x.x.213.1 and x.x.214.1, but this time we want to route the traffic ourselves since we also are going to use the private ip range for wlan.

I can contact my ISP again and ask for what /30 I would be given, but let’s say it’s at x.x.212.1/30 in the mean time (they don’t reply fast).

fiLLLip


#4

Here is my current config. Will this work?

interfaces {
     ethernet eth0 {
         address dhcp
         description "NO VLAN"
         hw-id 00:0c:29:83:4f:1b
         vif 20 {
             address x.x.214.1/23
             description PUBLICINET
         }
         vif 30 {
             address 172.16.0.1/20
             description PRIVATEWLAN
         }
         vif 1649 {
             address x.x.212.2/30
             description MIMER
         }
     }
     loopback lo {
     }
 }
 nat {
     source {
         rule 300 {
             destination {
             }
             outbound-interface eth0.1649
             source {
                 address 172.16.0.0/20
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop x.x.212.1 {
                 distance 1
             }
         }
         route 10.0.0.0/8 {
             blackhole {
                 distance 254
             }
         }
		 route 172.16.0.0/12 {
			 blackhole {
				 distance 254
			 }
		 }
         route 192.168.0.0/16 {
             blackhole {
                 distance 254
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         shared-network-name PRIVATEWLAN {
             subnet 172.16.0.0/20 {
                 default-router 172.16.0.1
				 dns-server 172.16.0.1
                 domain-name wlan.x.local
                 lease 86400
                 start 172.16.0.2 {
                     stop 172.16.15.254
                 }
             }
         }
         shared-network-name PUBLICINET {
             authoritative disable
             subnet x.x.214.0/23 {
                 default-router x.x.214.1
                 dns-server x.x.214.1
                 domain-name lan.x.org
                 lease 86400
                 start x.x.214.2 {
                     stop x.x.215.254
                 }
             }
         }
     }
     dns {
         forwarding {
             cache-size 0
             listen-on eth0.20
             listen-on eth0.30
             name-server 8.8.8.8
             name-server 8.8.4.8
         }
     }
     ssh {
         port 22
     }
 }
 system {
     config-management {
         commit-revisions 20
     }
     console {
         device ttyS0 {
             speed 9600
         }
     }
     domain-name lan.x.org
     login {
         user vyos {
             authentication {
                 encrypted-password xxxx
             }
             level admin
         }
     }
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     package {
         repository community {
             components main
             distribution helium
             url http://packages.vyos.net/vyos
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }

EDIT: Changed the x.x.213.2/30 to x.x.212.2/30


#5

That looks like a start.

Do you need a static range for servers, and does the outside need to be able to initiate connections to the inside (i.e. someone from the Internet connects to a server at the LAN party)?


#6

Nice, glad to hear I’m not completely on the wrong track.
I was planning that the outside would have full access to all participants on the PUBLICINET range. I will also have a static range of servers on the x.x.213.0/24 (I see that I wrote x.x.213.2/30 on the /30, but it should be x.x.212.2/30 as I don’t know what /30 we will get at this point) also fully exposed.
On the PRIVATEWLAN range it should be fully blocked from the outside, i.e. no incoming connections, only outgoing.


#7

Just curious if you got this going yet?


#8

Yes, I have it up and running now! I will post final config when it gets less busy here :slight_smile:


#9

Good deal!


#10

I’m really surprised on how well this configuration worked out. I was really skeptic on the fact that the gateway would become a bottleneck in our system, but it turns out that it is the best performing setup compared to all the other systems.

I checked the system monitor when we had around 800 (300-400 heavy users and 4-500 mobile) clients connected, and it only used about 1-200MB og RAM and was very low on cpu usage.

I summary, I would recommend VyOS to everyone setting up gateways for this kind of events!

As promised, I included the config :slight_smile:

firewall { all-ping enable broadcast-ping disable config-trap disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable receive-redirects disable send-redirects enable source-validation disable syn-cookies enable twa-hazards-protection disable } interfaces { ethernet eth0 { address dhcp description "NO VLAN" duplex auto hw-id 00:0c:29:83:4f:1b smp_affinity auto speed auto vif 20 { address x.x.214.1/23 description PUBLICINET } vif 30 { address 172.16.0.1/20 description PRIVATEWLAN } vif 40 { address x.x.213.1/24 description CREWINET } vif 1649 { address x.x.211.150/30 description MIMER } } loopback lo { } } nat { source { rule 300 { outbound-interface eth0.1649 source { address 172.16.0.0/20 } translation { address x.x.213.193-x.x.213.254 } } rule 310 { description "NAT Reflection: PRIVATEWLAN" destination { address 172.16.0.0/20 } outbound-interface eth0.30 source { address 172.16.0.0/20 } translation { address masquerade } } } } protocols { static { route 0.0.0.0/0 { next-hop x.x.211.149 { } } route 10.0.0.0/8 { blackhole { distance 254 } } route 192.168.0.0/16 { blackhole { distance 254 } } } } service { dhcp-server { disabled false global-parameters "option unifi-address code 43 = string;" shared-network-name CREWINET { subnet x.x.213.0/24 { default-router x.x.213.1 dns-server x.x.213.1 domain-name lan.lanparty.org subnet-parameters "option unifi-address 01:04:D5:B8:D5:C0;" } } shared-network-name PRIVATEWLAN { authoritative disable subnet 172.16.0.0/20 { default-router 172.16.0.1 dns-server 172.16.0.1 domain-name wlan.lanparty.local lease 86400 start 172.16.0.2 { stop 172.16.15.254 } } } shared-network-name PUBLICINET { authoritative enable subnet x.x.214.0/23 { default-router x.x.214.1 dns-server x.x.214.1 domain-name lan.lanparty.org lease 86400 start x.x.214.2 { stop x.x.215.254 } subnet-parameters "option unifi-address 01:04:D5:B8:D5:C0;" } } } dns { forwarding { cache-size 0 listen-on eth0.20 listen-on eth0.30 listen-on eth0.40 name-server 8.8.8.8 name-server 8.8.4.8 } } ssh { port 22 } } system { config-management { commit-revisions 20 } console { device ttyS0 { speed 9600 } } domain-name lan.lanparty.org host-name vyos login { user vyos { authentication { encrypted-password 1234hehe } level admin } } ntp { server 0.pool.ntp.org { } server 1.pool.ntp.org { } server 2.pool.ntp.org { } } package { auto-sync 1 repository community { components main distribution helium password "" url http://packages.vyos.net/vyos username "" } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC }


#11

Glad everything worked out.

They do run well, I have a couple pushing 600-700mbps across a few thousand users - don’t break a sweat.