tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Need advice - practical networking tutoring

Sat Jan 11, 2020 6:36 am

I've been doing a series of small, introductory, 12-hour tutorials spread out over half a dozen sessions, each at a pre-college level, which have included use of the Raspberry Pi. I'm thinking about doing one on packet filtering and would like advice on the content. What I have so far is an outline for five parts, but wonder what I should have for the sixth part and what have I missed (or can remove) from the first five 2-hour blocks?

1. LAN versus WAN
+ ping
+ traceroute
+ nmap
+ tcpdump
+ dig

2. UDP, TCP, ICMP
+ 7 OSI layers
+ ports: well-known, registered
+ connection states
+ apache2 reinstallation
+ netstat

3. Basics of filtering with IPTables
+ iptables-save
+ at
+ iptables-restore
+ iptables-persist

4. Simple router
+ masquerade
+ dnsmasq
+ ethernet

5. Wi-fi Access Point
+ 802.11: versions, 5GHz/2.4GHz
+ forwarding again
+ dnsmasq again
+ hostapd

6. ???????

The prerequisites are being able to install Apache2 and set up two vhosts, something an earlier tutorial covered, but otherwise little to no computer knowledge required.

epoch1970
Posts: 5021
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Need advice - practical networking tutoring

Sat Jan 11, 2020 3:05 pm

I surely don't qualify as an educator but I'll say this:
- OSI presentation is good, but I wonder if your target audience would be receptive. Perhaps "layer-2 stays on the LAN, layer-3 and above is routable" would be sufficient?
- In the AP section, please mention the WiFi alliance decided bridging a client interface was forbidden. Should save everybody plenty of time in the future ;) (I've never seen an official statement as to why, but the potential for DoS seems obvious in this scenario).

Also, I could think of contemporary topics, I don't know if they are too "advanced" for the audience:
- Tunnelling (vpn, sdn). Perhaps you want to demystify these 2 buzzwords.
- Mesh networking (peer discovery, route election). Some consumer devices use mesh networking already, and it will be standard practice someday. (A talk by Juliusz Chroboczek, a professor and creator of the Babel protocol)
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Need advice - practical networking tutoring

Sun Jan 12, 2020 3:05 pm

Thanks. That was about the level of detail I was planning for the OSI model. It is good to have confirmation of that.

As for the bridging, can you point to any discussion or documentation from the WiFi alliance, or on the problem in general? Even unofficial notes would help as a reference. I was planning to have dnsmasq listening on the WiFi interface and use NAT instead of IPv6. My network is still on IPv4 until I rewrite a massive, convoluted, home-made router configuration.

incognitum
Posts: 479
Joined: Tue Oct 30, 2018 3:34 pm

Re: Need advice - practical networking tutoring

Tue Jan 14, 2020 12:54 pm

tpyo kingg wrote:
Sat Jan 11, 2020 6:36 am
3. Basics of filtering with IPTables
Would not teach legacy stuff like iptables, but go straight for nft instead.

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Need advice - practical networking tutoring

Sun Jan 26, 2020 3:11 pm

incognitum wrote:
Tue Jan 14, 2020 12:54 pm
Would not teach legacy stuff like iptables, but go straight for nft instead.
Thanks for the nudge. I've been meaning to look beyond iptables for a while and have looked at nftables now, and see that it is quite different from iptables and ipchains. ipchains could be learned in an afternoon and iptables took more work but could still be learned rather quickly. nftables seems more like scripting and is quite complex, but allegedly offers some performance boosts, which may or may not come into play on the Raspberry Pi.

As an initial follow-up regarding nftables, here are some notes. I'll write more in a couple of months once I've made the tutorial, but for now it took me more than a few hours to start to get familiar with it and its administrative front-end utility, nft. The manual page for nft is harder to decipher and works better as a reminder for parts once they are familiar. The wiki helps a lot: https://wiki.nftables.org/wiki-nftables ... 10_minutes

It takes a lot of reading to get going with nftables. So here are some notes, if it can help bootstrap use of nftables for others.

In Raspbian,

sudo apt update
sudo apt install nftables
sudo reboot; # maybe

sudo cp -p /etc/nftables.conf /etc/nftables.conf.orig
sudoedit /etc/nftables.conf

What actually goes into /etc/nftables.conf is harder to figure out and takes a lot of experimenting, since the syntax is non-obvious and a little confusing. I built up some IPv4 and IPv6 tables using nft add ..., which is portable across distros, and then appended the output into /etc/nftables.conf, which seems not to be portable. I made generous use of "nft flush ruleset".
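As an added example (not from the thread or the Raspbian package), here is a complete /etc/nftables.conf for the simple-router case in parts 3 and 4 of the outline: stateful filtering on the Pi itself, forwarding only from the LAN towards the upstream link, and IPv4 masquerade. The interface names eth0 (upstream) and wlan0 (the hostapd/dnsmasq side) and the 192.168.4.0/24 range are assumptions; net.ipv4.ip_forward must also be set to 1 for the forward chain to see any traffic.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example): eth0 = upstream/WAN,
# wlan0 = hostapd access point, dnsmasq serving 192.168.4.0/24 on it.
define WAN = eth0
define LAN = wlan0
define LAN_NET = 192.168.4.0/24

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections the Pi started; discard malformed state
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP/ICMPv6 are needed for path MTU and IPv6 neighbour discovery
        meta l4proto { icmp, icmpv6 } accept

        # Services offered to the LAN only: ssh, DNS and DHCP (dnsmasq)
        iifname $LAN tcp dport { 22, 53 } accept
        iifname $LAN udp dport { 53, 67 } accept

        # Anything else from the WAN is dropped by policy; keep a rate-limited trace
        iifname $WAN limit rate 5/minute log prefix "nft drop input: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only hosts on the LAN may open connections towards the WAN
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Hide LAN addresses behind the Pi's upstream address
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Check the file without applying it with `sudo nft -c -f /etc/nftables.conf`, then load it with `sudo nft -f /etc/nftables.conf` and inspect the result with `sudo nft list ruleset`.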

epoch1970
Posts: 5021
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Need advice - practical networking tutoring

Sun Jan 26, 2020 10:04 pm

tpyo kingg wrote:
Sun Jan 12, 2020 3:05 pm
As for the bridging, can you point to any discussion or documentation from the WiFi alliance, or on the problem in general?
As I wrote, no I did not find any statement that spelled out the reasons for that. I didn't look too hard.
But the DoS issue is too big to ignore. Imagine a busy router that channels the traffic of a thousand hosts behind it; add a wifi client interface to the router, authenticate as client to the AP, then bridge the wifi interface to the ethernet interface. AP down in seconds, guaranteed.

Taikuh
Posts: 8
Joined: Sun Mar 01, 2020 8:12 pm

Re: Need advice - practical networking tutoring

Thu Mar 12, 2020 1:39 pm

epoch1970 wrote:
Sat Jan 11, 2020 3:05 pm
- In the AP section, please mention the WiFi alliance decided bridging a client interface was forbidden.
Epoch, you mean something like the following diagram isn't allowed? (where the Router's WLAN AP serves the RPi's WLAN Client, which is bridged to the RPi's WLAN AP, which in turn serves the Laptop's WLAN Client)

                                         +- RPi -------+
                                     {{{-+ WLAN Client |
                                         | Bridge      |
                                         | WLAN AP     +-)))
                                         | 192.168.1.2 |         +- Laptop ----+
                                         +-------------+     (((-+ WLAN Client |
                 +- Router ----+                                 | 192.168.1.5 |
                 | WLAN AP     +-}}}                             +-------------+
                 | Firewall    |         +- PC#2 ------+
(Internet)---WAN-+ DHCP server +-LAN-+---+ 192.168.1.3 |
                 | 192.168.1.1 |     |   +-------------+
                 +-------------+     |
                                     |   +- PC#1 ------+
                                     +---+ 192.168.1.4 |
                                         +-------------+

epoch1970
Posts: 5021
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Need advice - practical networking tutoring

Thu Mar 12, 2020 5:38 pm

Taikuh wrote:
Thu Mar 12, 2020 1:39 pm
... you mean something like the following diagram isn't allowed? ...

                 ++ Router +---+         ++ RPi +------+
                 | WLAN AP     ++}}} {{{++ WLAN Client |
                 | Firewall    |         | Bridge      |         ++ Laptop +---+
(Internet)+-+WAN++ DHCP server |         | WLAN AP     ++))) (((++ WLAN Client |
                 | 192.168.1.1 |         | 192.168.1.2 |         | 192.168.1.3 |
                 +-------------+         +-------------+         +-------------+

Indeed, this is not possible under WiFi®.
What is allowed/accepted is WDS mode, with 2 APs or an AP and a Repeater. (2 or more. WDS itself is not a standard, so cross-brand compatibility is not guaranteed)

The underlying reason is that a wifi frame needs 2 MAC addresses to identify the wireless sender/receiver, and for bridging to happen, up to 2 more MACs are required, identifying the initial sender/end receiver (over ethernet or wifi).
Unless in WDS mode, WiFi drivers will send/receive only 3 MAC addresses. The 3 MAC addresses are such that bridging an AP works, but bridging a STA won't.

A very nice summary here: https://unix.stackexchange.com/a/555676
Examples here: https://mrncciew.com/2014/09/28/cwap-ma ... addresses/

Taikuh
Posts: 8
Joined: Sun Mar 01, 2020 8:12 pm

Re: Need advice - practical networking tutoring

Thu Mar 12, 2020 6:09 pm

Thanks as always for the informative rundown.

Berry Nice
Posts: 1
Joined: Thu Apr 02, 2020 3:15 pm

Re: Need advice - practical networking tutoring

Thu Apr 02, 2020 3:18 pm

Thanks for the valuable information.
