Network

What is NAT-Traversal?

Hi All, it has been a while since my last post, but I believe this is a good one! The question arose the other day regarding NAT-Traversal. What is it? Why do we have it? What does it do? Most network engineers have heard of NAT-Traversal when configuring their firewalls and VPN clients, but I wanted to take a minute to explain where the need for NAT-Traversal (NAT-T) came from and why we still use it.

In order to understand NAT-Traversal, we need to understand two networking concepts. The first is the network flow: how two hosts on a network maintain a communication session. The second is Network Address Translation (NAT). NAT is a big part of IPv4 networks; it is so commonplace that you are almost certainly sitting behind a NAT right now as you read this article.

The Network Flow.

In a typical end-to-end connection, the traffic flow is identified by four main parameters (strictly speaking five, because the transport protocol, TCP or UDP, is also part of the key: a TCP flow and a UDP flow with identical addresses and ports are two different flows).

  1. Destination IP
  2. Destination Port
  3. Source IP
  4. Source Port

These four parameters provide a seamless flow of packets back and forth between the two devices in a communication. They are how packets carrying your data arrive at their destination, and how a return response knows how to get back to the requesting device. The IP requirement is usually pretty straightforward; it is like the address of a house. You have to know the TO and FROM fields when sending a letter. So where does the port information come into play?

A port number is like a sub-address saying which mailbox at a house the letter belongs to. Usually a home will only have one mailbox, but imagine the same scenario with an apartment building or housing complex: many mailboxes at a single address. Depending on where you live you may need to add an apartment number to the address. Translate this same concept to port numbers. If my address is 123 North St and I am sending to 789 South St, my courier knows how to drive to each destination, but it doesn't know where to put the actual envelope, since the destination is an apartment building with hundreds of apartments. This is where the port number comes in. If on my envelope I put 123 North St. Apt #100 and I am sending to 789 South St. Apt #201, my mail will be delivered not only to the correct address but to the correct mailbox.

I like using the apartment analogy because it makes us think about the address and the port being used together to deliver mail. An address and port combination is called a socket in the networking world.

In a typical request scenario, the client builds the packet. The client fills in the Destination IP and Destination Port based on the target host and the application generating the request. For example, when you type http:// in your browser, the browser knows to use port 80 as the Destination Port (443 for https://). The client then fills in its own IP address as the Source IP, and the OS chooses a Source Port from the ephemeral range (IANA reserves 49152–65535 for this; Linux defaults to 32768–60999). We call this Source Port the ephemeral port. Because a fresh one is chosen per connection, it is what lets a single client hold many simultaneous connections to the same server port.

A typical TCP/IP communication header, showing only the address and port fields:

Sent packet:

  Dst IP          Dst Port   Src IP          Src Port
  192.168.10.10   80         192.168.1.100   49152

Return packet:

  Dst IP          Dst Port   Src IP          Src Port
  192.168.1.100   49152      192.168.10.10   80
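The table above shows one request and its reply. The following is an added example (not code from the original post) of how a stateful device such as a firewall or NAT box keys its connection table on those fields so that both directions land on the same entry. The packets are constructed to mirror the table; a second ephemeral port and a UDP packet with the same numbers are added to show what does and does not count as the same flow.

```python
"""Flow identification with the 4-tuple plus protocol (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key: the protocol plus the two sockets, sorted.

    Sorting the two (ip, port) sockets means the request (A->B) and its
    reply (B->A) produce the same key. That is what lets a stateful
    firewall admit the reply to an outbound connection without needing a
    separate inbound rule.
    """
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + tuple(sorted((a, b)))


def build_flow_table(packets):
    """Group packets into flows; returns {flow_key: [packets...]}."""
    table = defaultdict(list)
    for pkt in packets:
        table[flow_key(pkt)].append(pkt)
    return dict(table)


# Constructed sample traffic (not captured from a real network); the first
# two packets are the request and reply from the table in the post.
SAMPLE = [
    Packet("tcp", "192.168.1.100", 49152, "192.168.10.10", 80),  # request
    Packet("tcp", "192.168.10.10", 80, "192.168.1.100", 49152),  # reply
    Packet("tcp", "192.168.1.100", 49153, "192.168.10.10", 80),  # second tab, new ephemeral port
    Packet("udp", "192.168.1.100", 49152, "192.168.10.10", 80),  # same numbers, other protocol
]


def flow_count(packets=SAMPLE) -> int:
    """Number of distinct flows in the sample: 3 (two TCP, one UDP)."""
    return len(build_flow_table(packets))


def reply_matches_request(packets=SAMPLE) -> bool:
    """The server's reply must map to the same flow as the client's request."""
    return flow_key(packets[0]) == flow_key(packets[1])


if __name__ == "__main__":
    for key, pkts in build_flow_table(SAMPLE).items():
        print(key, "->", len(pkts), "packet(s)")
```

Run it and the reply is counted in the same flow as the request, while the second ephemeral port and the UDP packet each form a flow of their own. This is the table a NAT device has to maintain as well, which is where the trouble with NAT-Traversal starts.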

Continue reading…

Creating a Public DNS Server and advertising an Authoritative Domain

Hi All, so you've probably heard of GoDaddy.com for registering DNS names publicly. But have you ever done a dig or nslookup on your registered name? It probably returns the name you queried and the IP address just as you expected, but that is because the lookup is recursive by default: dig sets the recursion-desired flag, and the DNS server it asks either knows the answer or asks its way down the DNS hierarchy (root, then TLD, then the authoritative servers for your domain) until the answer is found or the query times out. See the diagram below.

DNS Hierarchy

Let’s walk through this.

  • TLD (Top-Level Domains) — These are the highest level of the DNS hierarchy below the root. You can find a list here.
  • SLD (Second-Level Domains) — These are the domain names you are most familiar with, like google.com, slashdot.org, thejimmahknows.com. Notice that each one's suffix is a TLD.
  • Sub Domains — Logically grouped resources, such as mail.google.com and linux.slashdot.org. A name can carry multiple subdomain labels (e.g. a.b.c.d.google.com).
  • Resource Records — There are several different types. The most common are A records, MX records, and CNAME records; NS records are the ones that create the delegations between the levels above.
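To make the difference between a recursive lookup and an authoritative answer concrete, here is an added example (not from the original post) that walks a miniature delegation chain the way a recursive resolver does. The zone data is constructed: the root delegates com. and org., com. delegates thejimmahknows.com. to an assumed name server ns1.thejimmahknows.com., and that zone holds the A records. The server names and the 192.0.2.0/24 addresses are made up (that block is reserved for documentation).

```python
"""Iterative walk of a constructed DNS delegation chain (added example)."""

# Each zone maps an owner name to its records. "NS" records delegate a
# child zone; "A" records answer the query. A real server would also hold
# glue A records for the delegated name servers; omitted here for brevity.
ZONES = {
    ".": {
        "com.": {"NS": "a.gtld-servers.example."},
        "org.": {"NS": "a.org-servers.example."},
    },
    "com.": {
        "thejimmahknows.com.": {"NS": "ns1.thejimmahknows.com."},
    },
    "thejimmahknows.com.": {
        "thejimmahknows.com.": {"A": "192.0.2.10"},
        "www.thejimmahknows.com.": {"A": "192.0.2.10"},
        "mail.thejimmahknows.com.": {"A": "192.0.2.25"},
    },
}


def ancestors(name):
    """Yield name, its parent, ... then the root: www.a.com. -> a.com. -> com. -> ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(qname, qtype="A"):
    """Start at the root and follow NS referrals until a zone answers.

    Returns (answer_or_None, path) where path lists the zones consulted.
    This is the work your recursive resolver does on your behalf when dig
    shows you an answer. An authoritative server only answers for the zone
    it holds and never chases referrals itself.
    """
    qname = qname if qname.endswith(".") else qname + "."
    zone = "."
    path = [zone]
    while True:
        records = ZONES.get(zone, {})
        if qname in records and qtype in records[qname]:
            return records[qname][qtype], path
        # Find the closest enclosing delegation below the current zone.
        referral = None
        for cand in ancestors(qname):
            if cand != zone and cand in records and "NS" in records[cand]:
                referral = cand
                break
        if referral is None:
            return None, path   # this zone is authoritative and has no such name
        zone = referral
        path.append(zone)


if __name__ == "__main__":
    answer, path = resolve("www.thejimmahknows.com")
    print(answer, "via", " -> ".join(path))
```

A lookup for www.thejimmahknows.com passes through three zones before the authoritative one answers; a name under a zone that exists but has no such record stops at that authoritative zone with no answer, which is the NXDOMAIN case; a name under an undelegated TLD stops at the root.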

Continue reading…

Squid Proxy — Splash Page

Hi All! After my last article on securing guest network web access with Squid and SquidGuard, I wanted to share how I went about creating a splash page for guest users of my free WiFi hotspot. My goal was to present new guests with a splash page stating certain Terms of Usage, etc. Basically we will need an HTML or PHP splash page, an ACL identifying the guests by IP, an external ACL program (squid_session) to remember who has already seen the page, and a deny with information (deny_info) to redirect the rest to it.
Continue reading…

Squid Proxy — Caching Proxy with SSL with Squid3.1

Hello, hello! Recently I posted a two-part article on creating a guest wireless network using OpenWRT, VLANs, and firewall rules. We left things kind of open from a security standpoint: we gave our guest users full Internet access with no restrictions on sites, bandwidth usage, or ports! Yikes! In this article I am going to walk you through the steps to close those gaps. First we configure a web proxy server that proxies outbound Internet connections. This lets us check where and what our guests are trying to get their hands on, good and bad. We will also force guests to connect to this web proxy transparently: the guests will not be required to configure anything on their side, because our firewall will redirect their traffic to the proxy. Lastly, I want to allow only limited bandwidth for HTTP traffic. You will see later on how we can accomplish this. This expands on my earlier article that uses Squid proxy to filter ads.
Continue reading…

Inter-VLAN routing with Linux & PowerConnect 5324

I recently purchased a 24-port Gigabit Layer 2 switch that supports VLAN tagging and trunking. The Dell PowerConnect 5324 (see here) has 24 Ethernet ports and is capable of tagging and untagging frames at wire speed. It is a discontinued model; however, doing some googling I found an updated firmware and IOS image!

Physical Topology

The topology is the typical "router-on-a-stick" design for multiple VLANs: the switch carries all VLANs to the router over one tagged trunk, and the router forwards between them. I have a Linux server running Ubuntu 12.04 with a single NIC, and the Dell PowerConnect switch.

Port configuration:
Network 1 = g1 – g16
Network 2 = g17 – g23

802.1q Information:
Switch Trunk Port = g24
Router Trunk Port = eth1

Logical Topology

I have a single LAN that I want logically separated using a single switch. The VLAN IDs are 100 and 200. The VLAN subnets and ports are as follows:

Subnets (the .1 address in each is the Linux router's VLAN interface):
VLAN 100 = 192.168.1.0/24, router at 192.168.1.1
VLAN 200 = 192.168.2.0/24, router at 192.168.2.1

VLAN Access Ports:
VLAN 100 = g1 – g16
VLAN 200 = g17 – g23

Continue reading…

OpenVPN — Creating a Client VPN Setup

Before we begin I want to clearly identify the scope of this tutorial. There are different types of VPN; we will be creating a client VPN, which implies a many-to-one relationship: multiple clients connecting via VPN to a single OpenVPN server. This OpenVPN server assigns an IP address to each successfully authenticated client. Using this IP address, clients may, depending on your network security policy, access devices on a private network, effectively appearing as if the client were directly attached to that private network. If you are looking for a site-to-site VPN tunnel via IPsec, that is out of scope for this tutorial.

Our Simple Client VPN Topology


Continue reading…

F5 BIGIP — Determine the Healthcheck Source Address

I was discussing F5 LTM health check monitor capabilities with a colleague of mine at work the other day, when he brought up a great question.

What does an F5 LTM use as the source IP address when connecting to pool members for the health check monitor service? Especially on a multi-network setup.

To answer this question we have to consider the typical LTM cluster setup. Usually units are deployed in pairs, one acting as the Active unit and the other as the Standby unit. Each unit has its own Self IP for each "network leg" it is attached to. The Active and Standby units also share a floating IP address, which is used for the back-end traffic to pool members. But back to the question; let's use the following example:

Continue reading…

HAProxy — HTTP Load Balancing HAProxy1.4

I've posted a few articles on load balancing with BIG-IP F5 hardware appliances. However, there are also a few alternatives available, some even free! HAProxy is a popular load balancing application with a robust collection of features.

HAProxy is "The Reliable, High Performance TCP/HTTP Load Balancer", taken right from the title of their web page. It has many uses; for this article I am going to focus on its HTTP load balancing functionality. Our scenario is as follows:

Continue reading…

Linux — IPTABLES NAT, Dynamic NAT, NAT Overloading/Masquerade

If you have experience with NAT on Cisco routers, or have read about it in your CCNA studies, you know there are three Network Address Translation (NAT) types. Technically two (see here), plus a third special case:

  • Static NAT, one-to-one mapping: a fixed inside address always appears as the same fixed outside address, in both directions.
  • Dynamic NAT, pool-to-pool mapping: an inside address borrows a free outside address from a pool for the life of the translation; when the pool is empty, new hosts cannot get out.
  • Dynamic NAT with PAT overload, many-to-one mapping: many inside addresses share a single outside address and are told apart by the translated source port. In iptables this is SNAT to one address, or MASQUERADE when that address is the outgoing interface's own.

So the two basic types are static NAT and dynamic NAT, with the special case of dynamic NAT with PAT overload.
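The three behaviours side by side, as an added example that is not from the original post. Each class rewrites the source of an outbound packet and keeps whatever state it needs to rewrite the destination of the reply. Addresses are constructed: 10.0.0.0/24 is the inside network and 203.0.113.0/24 and 198.51.100.0/24 (both reserved for documentation) stand in for the public side.

```python
"""Static NAT, dynamic (pool) NAT and PAT overload as translators (added example)."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """One-to-one. Stateless: the inside address maps to a fixed outside
    address and back, so unsolicited inbound connections to the public
    address work. This is how servers get published through a NAT."""

    def __init__(self, mapping):
        self.inside_to_outside = dict(mapping)
        self.outside_to_inside = {v: k for k, v in mapping.items()}

    def outbound(self, pkt):
        return replace(pkt, src_ip=self.inside_to_outside[pkt.src_ip])

    def inbound(self, pkt):
        return replace(pkt, dst_ip=self.outside_to_inside[pkt.dst_ip])


class DynamicNAT:
    """Pool-to-pool. An inside host takes a free public address on first use
    and keeps it while the translation lives; ports are untouched, so the
    pool size caps how many inside hosts can be talking at once."""

    def __init__(self, pool):
        self.free = list(pool)
        self.inside_to_outside = {}

    def outbound(self, pkt):
        if pkt.src_ip not in self.inside_to_outside:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")   # the real-world failure mode
            self.inside_to_outside[pkt.src_ip] = self.free.pop(0)
        return replace(pkt, src_ip=self.inside_to_outside[pkt.src_ip])

    def inbound(self, pkt):
        outside_to_inside = {v: k for k, v in self.inside_to_outside.items()}
        return replace(pkt, dst_ip=outside_to_inside[pkt.dst_ip])


class PATOverload:
    """Many-to-one (Cisco 'overload', iptables SNAT/MASQUERADE). Every inside
    host shares one public address; flows are told apart by a translated
    source port and the reply is matched on (proto, public port). Anything
    without a port field, such as IPsec ESP, cannot be multiplexed this way."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = count(first_port)
        self.table = {}    # (proto, inside ip, inside port) -> public port
        self.reverse = {}  # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = next(self.next_port)
            self.table[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        inside_ip, inside_port = self.reverse[(pkt.proto, pkt.dst_port)]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def reply_to(pkt):
    """Swap the two sockets: the packet the far end sends back."""
    return Packet(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def demo_overload():
    """Two inside hosts using the same ephemeral port share one public IP,
    and the reply to the first still finds its way back to host A."""
    nat = PATOverload("203.0.113.1")
    a = Packet("tcp", "10.0.0.10", 49152, "198.51.100.5", 80)
    b = Packet("tcp", "10.0.0.11", 49152, "198.51.100.5", 80)
    out_a, out_b = nat.outbound(a), nat.outbound(b)
    back_a = nat.inbound(reply_to(out_a))
    return out_a, out_b, back_a


def demo_pool_exhaustion():
    """A one-address pool serves the first host and refuses the second."""
    nat = DynamicNAT(["203.0.113.10"])
    nat.outbound(Packet("udp", "10.0.0.10", 5000, "198.51.100.5", 53))
    try:
        nat.outbound(Packet("udp", "10.0.0.11", 5000, "198.51.100.5", 53))
    except RuntimeError:
        return True
    return False
```

The overload translator is the one almost every home router runs, and its reverse table is exactly the state that a VPN tunnel has to fit into: the reply is located by protocol and port, so protocols that carry no port number need help to get through. That is the gap NAT-Traversal fills.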

Continue reading…

SquidProxy — Network Adblocking using Squid1.4

I originally discovered Adblock Plus when I first downloaded Firefox many years ago. Since then I've installed the Adblock plugin right after Firefox, every time. It's become so standard that I almost think Firefox should just bundle them together, including it in its default install executable.

Adblock Plus works as if it were a local content policy, filtering each request you make with Firefox. Each URL, each domain, each link you navigate to is checked against a static blacklist of expressions and URLs. If a match is found, Adblock Plus simply discards the content so it is never rendered. Discarding or allowing content to load is managed by the Content Policy engine within Firefox; Adblock Plus simply hooks into it in order to block the unwanted content. Or at least this is my comprehension of how it works. :-p

Setting up your own Network wide Adblocker

The purpose of this guide and tutorial is to show you how to set up your own network-based adblocker. The expectation after completion is that every client browser on the network benefits from adblocking, with no plugin installed on the clients. I will include as much detail as possible; feel free to ping me with questions or comment down below.

You will need:

  1. A computer that will run the web proxy. (For this article, see specs below.)
  2. An OS to host the proxy software. (For this article, Ubuntu 12.04 32-bit Server.)
  3. Proxy software that supports URL rewrite/redirect helpers. (Squid)
  4. Content-control software or URL redirector that the proxy hands each request to. (squidGuard; this is what consumes your blacklists.)
  5. URL and regular-expression blacklists consumable by your content-control software. (Here are some free ones.)
  6. Optional: iptables for transparent proxy redirection.
  7. Patience and enthusiasm. :-p

Continue reading…