Kitz Forum
Computers & Hardware => Networking => Topic started by: niemand on September 22, 2018, 05:34:47 PM
-
Folks,
This is a bit of a placeholder thread that will be added to as I go on and might be interesting for those so inclined.
My home network is, intentionally, relatively simple right now. I'm about to blur the distinction between my MSc lab, my work lab and the home network.
What's about to happen is:
Replace Virgin Media Business with 2 x VDSL lines.
Build an SD-WAN using full IKE-less IPsec across those two carriers to an SD-WAN instance running in AWS. The edge of my network will be an SD-WAN appliance, with VDSL modems on its two WAN ports. The AWS instance will be the hub of the network.
Along with this having a hardware appliance coming on the road with me as I travel for business that will also be part of the fabric.
Have 4 virtual SD-WAN appliances, with public IPs on one WAN port and private addressing on the other to simulate MPLS, each with a single Linux VM behind them as a virtual client machine.
A wireless access point will of course be present.
The 4 publicly addressed SD-WAN VMs will actually use an L2TP tunnel so that they are logically outside the LAN of the edge SD-WAN appliance. It will just see a stream of L2TP which it will be required not to send to AWS.
As part of the build SSL decryption will be used, zone-based security, DPI firewalling and proprietary application identification.
There will then be various attacks on provisioning process and externally to try and spoof nodes, DoS them or compromise their communication.
Might make an interesting thread.
-
Should make an interesting read. :)
But before you get going may I ask a quick question to satisfy my own curiosity or fill in on something I may have missed. I saw you mention it in another thread too, but don't want to derail things too much, so a one liner will do as to why you are doing this.
>> Replace Virgin Media Business with 2 x VDSL lines.
-
Hmm . . . Yes, it does look interesting. So I shall be watching (https://elrepo.org/people/ajb/I_Am_Watching_You.png). :)
-
Should make an interesting read. :)
But before you get going may I ask a quick question to satisfy my own curiosity or fill in on something I may have missed. I saw you mention it in another thread too, but don't want to derail things too much, so a one liner will do as to why you are doing this.
>> Replace Virgin Media Business with 2 x VDSL lines.
Sure!
My home office is not so much a home office as it is a branch office. It holds lab facilities that I and others in my team use. It also runs all the applications a 'power user' runs, as well as being my VPN back home to my content.
I was told higher uploads were on the way in 2016 and would arrive on business tiers first. They were trialed in 2015. They don't seem any closer. 20Mb is not enough to run home, branch office and road warrior services. For the same price I can get 38Mb out of 2 VDSL lines so sayonara VM, and may your complacency and arrogance bite you in the future if the competition catch up leaving you scampering to upgrade and release the products you haven't bothered to, preferring (allegedly) executive compensation.
-
CarlT - will be watching with interest. Some links to reading matter for remedial and relatively geriatric users such as myself appreciated.
-
As a Network Engineer, I shall be watching with interest too. I've not seen much in the way of real SD-WAN out there, so this will be one to follow, for sure.
-
As a Network Engineer, I shall be watching with interest too. I've not seen much in the way of real SD-WAN out there, so this will be one to follow, for sure.
I'm not on commission so will save the sales pitches for the folks that are ;D
-
CarlT - will be watching with interest. Some links to reading matter for remedial and relatively geriatric users such as myself appreciated.
Hmm reading matter. Umm my thesis is going to be a good part of it. If I find quality sources I will share them. It's an emerging field and has had relatively little academic work done on it.
Nightmare for referencing.
-
Work in progress. Cut over once VMB is disconnected in a month.
As an aside: https://community.virginmedia.com/t5/Speed/Higher-upload-speeds/m-p/3839697#M197426
-
Typical rip off Britain, I only went with Vivid 350 to get a decent upload speed.
-
I'm not on commission so will save the sales pitches for the folks that are ;D
Phew, I like gory technical details, please.
-
I took the opportunity to take a poke at Virgin Media Business on Twitter.
Mwahaha.
https://twitter.com/CarlTSpeak/status/1047467820093771776
-
Will this SD-WAN setup allow you to effectively bond two internet connections that could be from two different providers?
I use pfSense that just does outbound load-balancing - it's very nice if I am performing transfers where I can make multiple connections at once, but it falls on its face when, for example, I recently had to pay my road fund licence for my car - and the gov.uk website did not like me load balancing in that manner and I had to revert to using a single connection in order to make it through. I guess the entire "flow" or the session needed to originate from one ISP.
-
I can bond anything from any provider, and not per-flow but per-packet. It'll be as noted 2 x VDSL lines with LTE/4G as a fallback if those both drop offline.
I can control how individual domains, types of traffic, classes of traffic, etc, flow and whether I want traffic to go out to AWS via tunnels and be SNATed there as with a VPN solution, meaning full load balancing, or let it go straight out of a connection direct to net and not be bonded.
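As an added illustration of the per-packet bonding versus per-flow balancing point above (example code, not from the thread or from any SD-WAN vendor; the addresses, the policy table and the flow hash are all constructed): a small Python model in which a multi-connection web session either goes through the hub tunnels and is SNATed to one address, or breaks out directly and is seen from two ISP addresses, the behaviour the gov.uk example ran into.

```python
from dataclasses import dataclass, field

# Constructed addressing for the edge appliance described in the thread: two VDSL
# lines plus an LTE fallback. HUB_SNAT_IP is the address the AWS hub SNATs tunnelled
# traffic to. Every value here is made up for this example.
WANS = {"vdsl1": "203.0.113.10", "vdsl2": "198.51.100.20", "lte": "192.0.2.30"}
HUB_SNAT_IP = "203.0.113.250"

def flow_hash(flow_id):
    # Toy per-flow hash standing in for a 5-tuple hash; deterministic on purpose.
    return sum(map(ord, flow_id))

@dataclass
class Edge:
    """Policy router: a domain is either sent 'hub' (sprayed per packet over all
    live VDSL links through the tunnels and re-sourced at the hub) or 'direct'
    (each flow hashed to one WAN, as a per-flow load balancer would do)."""
    policy: dict                     # domain -> "hub" | "direct"
    up: set = field(default_factory=lambda: {"vdsl1", "vdsl2"})
    _rr: int = 0

    def live_links(self):
        live = [w for w in ("vdsl1", "vdsl2") if w in self.up]
        return live or ["lte"]       # LTE only when both VDSL lines are down

    def send_session(self, domain, flows, packets_per_flow=2):
        """flows: connection ids that together make up one web session.
        Returns (links used, source IPs the remote server observes)."""
        mode = self.policy.get(domain, "direct")
        links_used, seen_ips = set(), set()
        for flow in flows:
            for _ in range(packets_per_flow):
                links = self.live_links()
                if mode == "hub":
                    self._rr += 1
                    link = links[self._rr % len(links)]
                    seen_ips.add(HUB_SNAT_IP)   # hub SNAT hides the per-packet split
                else:
                    link = links[flow_hash(flow) % len(links)]
                    seen_ips.add(WANS[link])    # direct breakout exposes the WAN IP
                links_used.add(link)
        return links_used, seen_ips

def session_is_consistent(seen_ips):
    """True when the remote site sees a single source address for the session."""
    return len(seen_ips) == 1
```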
-
OK - how much effort is this to setup, and is there anything I can do to aid you with this?
I have 2 VDSL lines, admittedly from two different providers. Not bothered about LTE backup as I've got 2 cell phones that can deliver 60Mbit over 4G at home so if I'm desperate I can tether a laptop off that.
However, I am very keen to explore this solution some more.
-
No aid at all required, it's pretty easy. The only finicky bit is all the virtual branch offices I'm building for my lab. To actually get this going is very simple.
As long as you don't mind the inevitable sales pitches after you can have a play with a virtual lab at https://www.silver-peak.com/sd-wan-interactive-demo
-
Thanks for the link! I will take a look..
-
So that's buggered any shreds of anonymity I may have had left on here :lol:
-
You linked your Twitter feed somewhere - so that's long gone... :lol:
-
Never been difficult to find anyway. Everyone who cares to knows who I am ;D
I'm about done here I'm pleased to say. Just awaiting confirmation from new suppliers of activation days.
-
Sorry missed out on the question there. Simple enough design, what level of detail would you like?
-
Dual-WAN duly emulated thanks to AAISP.
Have a /29 from them via L2TP and the single sticky dynamic from VMB. Main branch / home Edge Connect installed but monitoring only.
Spinning up AWS over the weekend and will build hub and spoke overlay network with AWS as hub.
I then install certificates to allow for HTTPS proxy to be used to allow deduplication of SaaS sites.
Lastly I add my virtual branches and Edge Connects to complete hub and spoke, then build a real time traffic full mesh.
-
Those of you able to see the source IP of this post should have an idea that the AWS instance is working. :)
-
Yes, indeed. :)
-
Please see attachment. Got fed up waiting for VM to release a higher tier and to update to capacity in this area - both upstream and downstream are too heavy for release of it.
Moving office in September. I have zero confidence in VM's ability to fix the issues and deliver. VM Business don't know their arse from their elbow as far as cable modems go. The level of support has been non-existent; the only thing that's happened is my wasting time talking with them.
Crap product with delivery managed in Manila, pointless tech support there too.
<censored> this company. If you want broadband save a few quid and go residential.
-
Please see attachment.
I have taken a copy and expanded it locally. I assume that screen-scrape is showing the current status from some device . . . but I cannot decide what device. Would you care to enlighten a curious-kitteh, please?
-
Sure: https://www.silver-peak.com/products/unity-edge-connect
-
Having gotten bored senseless of waiting for VM Business to produce better services as noted on another thread I've DIY'd it.
https://www.youtube.com/watch?v=drZZhHlrBEM