Networking
Sharing your internet connection safely with DD-WRT and multiple SSIDs
For some time I've been a serious promoter of free internet everywhere. Nobody can deny how practical it is to take your laptop or phone and be able to browse the web without an extra UMTS/3G connection.
Following the principle that you can't get what you don't give, I have been sharing my internet for a few years. For simplicity and out of laziness I did it the dirty way: two wireless SSIDs, one WPA2 and one unencrypted, connected to the same LAN. My own traffic was fully encrypted from the laptop to the AP, but anonymous people had full access to my network. It was not something I really liked.
As I just moved and have a brand new internet connection, it was time to configure this correctly.
The plan is the following:
- Create two networks: one private, one public
- The networks should not be able to communicate
- Don't buy extra hardware (i.e. use only my Linksys)
vlan2. That's because I connect the public network to a physical connector of my router for testing purposes.
Change firmware to DD-WRT
I did this a long time ago, but if you haven't done it yet, check out the official DD-WRT website for the firmware and manuals.
The two SSIDs
In the Wireless > Basic Settings page click on Add in the Virtual Interfaces section. Your newly created interface will have the name wl0.1. The primary wireless is still called wl0.
Don't forget to configure encryption on your primary wireless in the Wireless > Wireless Security page.
Splitting the private and public network
On the Setup > Networking page create a bridge called br2. Enter the IP address of the router in that network (this should be a different network than your private one). Apply Settings.
In the Assign to Bridge section of the same page click on Add and choose br2 then wl0.1. Apply Settings.
Activating a DHCP on the public network
At the bottom of the Wireless > Basic Settings page you can add another DHCP server. Make sure it's connected to the br2 interface.
Firewall changes
We need to add a few rules to our firewall to allow and block traffic.
To make sure this is executed at boot, I added the following rules in Administration > Commands of the web interface.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
Now is the time to test everything. Connect to your private network and browse the web. Then join the free-internet SSID and try the same. Try connecting to a host in your private net; this shouldn't work.
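Testing by hand from both SSIDs is the real check, but it helps to see on paper which flows the rule set above actually permits, and in particular why the order of -I (prepend) and -A (append) matters. The following is an added example in Python, my own code and not part of the post or of DD-WRT: it parses the subset of iptables syntax the rules use, rebuilds the three filter chains with their policies, and evaluates a handful of constructed packets against them. The interface names, the 192.168.107.0/24 subnet and the rule text are taken from the post; the sample hosts (192.168.107.23, 192.168.1.50 and the documentation address 203.0.113.10) are constructed for the example.

```python
"""Toy model of the iptables filter table used by the DD-WRT ruleset above.

Constructed example: it does not call iptables, it only reproduces the
first-match semantics (rules in order, then chain policy) for the options
the post's rules use: -F, -P, -I, -A, -i, -o, -s, -p, --dport, --sport,
-m state --state and -j.
"""
import ipaddress
import shlex

# The rule set from the post, verbatim (one command per line).
RULESET = """
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
"""


def _port_range(spec):
    """'53' -> (53, 53); '67:68' -> (67, 68)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_ruleset(text):
    """Return ({chain: [rule, ...]}, {chain: policy}). -I prepends, -A appends."""
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    policies = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        cmd, chain, args = argv[1], argv[2], argv[3:]
        if cmd == "-F":          # flush: drop every rule, keep the policy
            chains[chain] = []
            continue
        if cmd == "-P":          # default verdict when no rule matches
            policies[chain] = args[0]
            continue
        rule = {}
        for opt, val in zip(args[0::2], args[1::2]):
            if opt == "-i":        rule["iif"] = val
            elif opt == "-o":      rule["oif"] = val
            elif opt == "-s":      rule["src"] = ipaddress.ip_network(val)
            elif opt == "-p":      rule["proto"] = val
            elif opt == "--dport": rule["dport"] = _port_range(val)
            elif opt == "--sport": rule["sport"] = _port_range(val)
            elif opt == "--state": rule["state"] = set(val.split(","))
            elif opt == "-j":      rule["target"] = val
            elif opt == "-m":      pass  # match module name; --state carries the data
            else:
                raise ValueError(f"unsupported option {opt}")
        if cmd == "-I":
            chains[chain].insert(0, rule)   # insert at the head of the chain
        elif cmd == "-A":
            chains[chain].append(rule)      # append at the tail
    return chains, policies


def _matches(rule, pkt):
    """Every condition present in the rule must hold for the packet."""
    for key in ("iif", "oif", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    for key in ("dport", "sport"):
        if key in rule and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    if "state" in rule and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def verdict(chains, policies, chain, **pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chains[chain]:
        if _matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def check_ruleset(text=RULESET):
    """Evaluate the flows a defender cares about and return {name: verdict}."""
    chains, policies = parse_ruleset(text)
    pub = "192.168.107.23"   # constructed: a visitor on the public SSID
    return {
        "public->internet": verdict(chains, policies, "FORWARD", iif="br2", oif="ppp0", src=pub, proto="tcp", dport=443),
        "public->private": verdict(chains, policies, "FORWARD", iif="br2", oif="br0", src=pub, proto="tcp", dport=22),
        "public spoofed src->internet": verdict(chains, policies, "FORWARD", iif="br2", oif="ppp0", src="192.168.1.50", proto="tcp", dport=443),
        "internet reply->public": verdict(chains, policies, "FORWARD", iif="ppp0", oif="br2", src="203.0.113.10", proto="tcp", sport=443, dport=51000, state="ESTABLISHED"),
        "private->public": verdict(chains, policies, "FORWARD", iif="br0", oif="br2", src="192.168.1.50", proto="tcp", dport=22),
        "public->router dhcp": verdict(chains, policies, "INPUT", iif="br2", src="0.0.0.0", proto="udp", sport=68, dport=67),
        "public->router dns": verdict(chains, policies, "INPUT", iif="br2", src=pub, proto="udp", sport=40000, dport=53),
        "public->router web ui": verdict(chains, policies, "INPUT", iif="br2", src=pub, proto="tcp", dport=80),
        "private->router web ui": verdict(chains, policies, "INPUT", iif="br0", src="192.168.1.50", proto="tcp", dport=80),
    }


if __name__ == "__main__":
    for name, result in check_ruleset().items():
        print(f"{name:32s} {result}")
```

Two things the model makes visible: the isolation is one-way (br0 traffic is accepted towards any interface, so private hosts can still reach public clients, which is what the post intends), and a visitor's packets are only forwarded when their source address belongs to 192.168.107.0/24, so a client that sets a private-range address by hand gets nothing. The router itself only listens to DHCP and UDP DNS from the public bridge; its web interface on that side stays closed.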
It's not a bad idea to reboot your router once more, just to be certain everything is set correctly the day you have a power outage.
Consequences
There are a few consequences of opening your internet connection to outsiders. Here's an incomplete list:
- Limited download: a visitor can download a ton of traffic on your account. Make sure you don't have too low a limit. I've never had issues with this.
- Limited speed: someone else can slow down your internet. I've never had issues with this. You could solve this with the QoS features of DD-WRT.
- Illegal behavior: people could use your connection for illegal activities.
To protect myself from the illegal activities I plan to set up a portal page using the NoCatSplash feature of DD-WRT. I also plan to log every MAC address that connects to my wireless, together with the timestamp.
IPv6 forwarding in OpenVZ not working
Normally, to configure IPv6 (and IPv4) forwarding on a Linux system you edit the /etc/sysctl.conf file and change the lines like this:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=1
This way your kernel will load the forwarding parameters on next reboot.
To activate the feature without rebooting do:
# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
But suddenly you get the following error with IPv6:
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-bash: /proc/sys/net/ipv6/conf/all/forwarding: Permission denied
In my setup I run Linux as a guest in OpenVZ. It seemed my OpenVZ wasn't fully configured to allow IPv6 (I run it through Proxmox). To enable full IPv6 support I edited the /etc/vz/vz.conf file and set IPV6="yes".
This still didn't solve the problem, even after rebooting the server completely.
So far I couldn't find a way to get it working correctly, so I created a fully virtualized machine with bridged networking.
I hope to find a way to get IPv6 forwarding working correctly in OpenVZ soon; a post with the solution will follow then.
VMWare network bridge over wireless IPv6 problems
Don't start debugging your radvd if your virtual guest doesn't work correctly with IPv6. All the VMware products have a problem with IPv6 router advertisements over a bridged network connection going over a wireless link.
Your virtual machine will get an IPv6 address, but will not get the IPv6 gateway.
To disable IPv6 in Ubuntu, add the line "blacklist ipv6" to the /etc/modprobe.d/blacklist file. If you don't want to reboot you can try to remove the IPv6 kernel module with sudo rmmod. That failed for me as the module was in use.
VMware filed this as bug #26078 (communities forum link).
Disabling IPv6 in Firefox
To force Firefox to use IPv4 DNS resolution instead of IPv6, go to your about:config tab and change the value of network.dns.disableIPv6 to true.
The little story: last weekend I started the migration of my private network from IPv4 to IPv6. As I'm temporarily back at my parents' place I do have to maintain a certain level of internet availability.
An IPv4 to IPv6 migration is not that easy, especially when your ISP still only speaks IPv4. This means I have to tunnel all my IPv6 traffic to a tunneling service.
All this means quite some complex configuration, as I want to do all the intelligence on the Linksys WRT54GL v1.1. This device is a little limited in memory and is giving me some issues with the DD-WRT firmware and the extra software I need for this. Well, it just takes more time than expected. So having a mixed (working) IPv4 and (not working) IPv6 internet gave me an unexpected problem: Firefox will use IPv6 name resolution if available. If your IPv6 packets don't reach further than your router, you just can't access all the sites anymore... that's why forcing IPv4 in Firefox can be useful.
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6
If you're busy with networking or security the following paper is certainly a good read. Understanding the protocols can lead to finding possible attacks. Reading about possible attacks can sometimes motivate people to learn more about the protocols...
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6
This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.
This paper was written by H D Moore, the main author behind Metasploit, who was invited to FOSDEM in 2007.
Cisco config syntax highlighting in Gvim
My colleague Niels created a syntax highlighting script for Vim.
As he says, it covers:
- Comments (start with an ! mark)
- IP addresses (only IPv4 currently)
- Interface names. All variants that I came across are included, but the list will certainly be incomplete.
Read the full article here.
Vyatta router
Kris recently pointed me to Vyatta and XORP. I did a little evaluation and test of the Vyatta open source software router.
I do like their 'eval kit'.
It contains a guide to start using Vyatta in 30 minutes. It follows the same principle as the O'Reilly Developer Notebook series. In this fast growing IT world we don't really have the time to start reading 396-page manuals before starting to work on something. Discovering something without a manual is something we often do, but it has the disadvantage of losing much time figuring the stuff out. So having such a 14-page quick-start manual is great!
Things I like:
- The CLI (code completion, ? for help, ...)
- The webGUI (fast to do some things)
- Changes you make are not applied live. You must first issue the commit statement.
- When someone else commits changes you see it in your terminal
- Package manager for updates, and apt-get as root for full package management
- Last but not least: It's Open Source
Things I don't like:
- I couldn't find support for cflow/sflow/...(and it isn't in the roadmap)
- My company won't see the advantage of this.
There are 3 editions:
- Community Edition (Free): Patches and bug fixes every 6 months only, no access to Vyatta support
- Professional Edition (starting at $647 US): All patches, bug fixes and enhancements and web-based support
- Enterprise Edition (starting at $897 US): All professional services plus phone support and priority case management
I think these software-based network-devices will become more and more important with the constant evolution towards virtualization. It's certainly something we should keep an eye on.
But why don't big companies see such benefits in open source? And probably no benefit in such software based routers/firewalls either?
I'd also like to find a table with performance comparisons and scaling info. What kind of hardware will get what kind of routing throughput and delay? (something more than this review)