2018-06-13

This, Jen, is "The Internet"

It was a classic moment from The IT Crowd when they presented Jen (their boss) with "The Internet". We even have one of these boxes with a flashing red LED in our office.

I have been looking at some kit to work with the sort of WiFi you find in a public hotspot, or, for example, on a cruise ship.

Obviously, the simple answer is just to point your phone or laptop WiFi at the service. But sadly, in spite of net neutrality in the EU, it is not always that simple. Sometimes the service will have loads of things blocked. Not just web sites, but ports and protocols, making things like IPsec unavailable. Of course, if you are being really special you may have something that does not have WiFi, such as a VoIP PoE desk phone, which Simon has been using!

The answer is to bring along The Internet. I am far from the first to do this, as a friend of mine (Kev) had a cunning setup with a FireBrick and two access points strapped together, and (if I recall correctly) a way to run them off one power supply. To be fair, it is more compact than what I have done.

Mikrotik mAP light

The first solution used a FireBrick and the tiny Mikrotik mAP lite, which can literally stick to the lid of the FireBrick. It was powered from the USB port on the FireBrick (which worked, to our surprise), though there was not enough juice to power two of them. It did, however, have a cunning mode where it could be a WiFi client and, on the same channel, an AP as well. This is not perfect but I have to say it is very clever. The result is very small and neat. I did, however, have a Mikrotik die on me, and I found it very fiddly to configure. But well worth a try.

HPE/Aruba 501

I have now found a rather curious device that is a dedicated WiFi client bridge, the Aruba 501. I would have to say it is much more industrial than the Mikrotik (which matters to some customers, obviously), and it even has DIN rail mounting.

It has all the bells and whistles - multiple antennae, 2.4GHz and 5GHz, 802.11a/b/g/n/ac, roaming, etc. It is intended to allow a device that does not have WiFi to effectively have WiFi via Ethernet.

It goes a tad further and even has an old school serial port, which you can configure to connect to an IP address and port to pass serial data. This is ideal for old PoS (Point of Sale) terminals and things like console ports.

However, the big thing for me was that it can do "MAC cloning". This is where it connects on the WiFi using a MAC address of your choice, and passes packets to/from the device with that MAC on the Ethernet connection. The only downside is that it stops answering ARPs for its internal IP when in that mode. Thankfully, if you have the ARP entry cached you can still talk to it, but it does seem an oddity.

The reason this is important is that a lot of public access points are locked down so that only the MAC of the WiFi/radio side is allowed to send or receive packets. The MAC cloning allowed me to make the FireBrick appear as the WiFi device.

Where the FireBrick comes into play

The reason for a FireBrick, apart from how cool they are, is that they are very good at being an endpoint on the WiFi and working in a variety of ways - such as NAT out to the Internet for locally connected devices on Ethernet, but also as an endpoint for various tunnels. These can include standard things like IPsec (which, as I say, may be blocked), or things like L2TP (not blocked), or even the custom FB105 tunnel protocol, which can be configured on any UDP port.

It is even set up to flash its LED red if there is no connection, and solid green when L2TP is up, which is handy as you navigate a fjord.

The end result...

Actually, Jen, this is The Internet!

  • Top left: Aruba 501 WiFi Bridge Client
  • Bottom left: Aruba 305 WiFi AP
  • Top: Aruba 2580 PoE switch
  • Top right: FireBrick FB2900

The switch was mainly for simplicity - the FireBrick has enough ports, but the Aruba 501 and 305 are both PoE. But I also used a Snom on PoE off the switch as well.

Why the fibre? Well, just because - this is all testing stuff, and it was interesting as the switch would initially not talk to it. I had to find a CLI command to stop it checking the manufacturer of the SFP. It was expecting a "genuine hp" SFP and not an unconfigured Flexoptics one. But that worked. Fibre to the ship :-)

So now we have a LAN here, and WiFi, on fixed IPv4 and IPv6 addresses, all working. We ended up using L2TP with lower MTU as the tunnel solution that worked. And when we had some people we met come round for drinks they were saying "wow, this is way better than the ship wifi", which sort of makes no sense as it is the ship wifi!!!
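The "lower MTU" for the L2TP tunnel is not a guess: it falls out of the encapsulation overhead. This added example (not FireBrick or Aruba code) derives the inner MTU and the TCP MSS clamp for PPP over L2TPv2 over UDP from the RFC header sizes; the 1500-byte outer path MTU is an assumption about the ship's WiFi, and the option flags are the usual data-message defaults.

```python
"""Tunnel MTU / MSS arithmetic for PPP over L2TPv2 over UDP (worked example)."""
from dataclasses import dataclass

IPV4_HDR, IPV6_HDR = 20, 40      # RFC 791 / RFC 8200 fixed header sizes
UDP_HDR = 8                      # RFC 768
L2TP_DATA_HDR = 6                # RFC 2661: flags/version, tunnel ID, session ID
L2TP_LENGTH = 2                  # optional Length field (L bit set)
L2TP_SEQ = 4                     # optional Ns/Nr fields (S bit set)
PPP_PROTO = 2                    # PPP protocol field, address/control compressed
TCP_HDR = 20                     # minimal TCP header, no options
IPV6_MIN_LINK_MTU = 1280         # RFC 8200 section 5


@dataclass(frozen=True)
class L2tpOptions:
    outer_ipv6: bool = False     # tunnel carried over IPv6 rather than IPv4
    length_field: bool = True    # L bit set on data messages (assumed default)
    sequencing: bool = False     # S bit set on data messages


def l2tp_overhead(opts: L2tpOptions) -> int:
    """Bytes of outer IP + UDP + L2TP + PPP added to every tunnelled packet."""
    total = (IPV6_HDR if opts.outer_ipv6 else IPV4_HDR) + UDP_HDR
    total += L2TP_DATA_HDR + PPP_PROTO
    if opts.length_field:
        total += L2TP_LENGTH
    if opts.sequencing:
        total += L2TP_SEQ
    return total


def inner_mtu(path_mtu: int, opts: L2tpOptions) -> int:
    """Largest inner IP packet that fits one outer packet without fragmentation."""
    return path_mtu - l2tp_overhead(opts)


def tcp_mss(path_mtu: int, opts: L2tpOptions, inner_ipv6: bool) -> int:
    """MSS to clamp inner TCP SYNs to, so segments never exceed the inner MTU."""
    ip_hdr = IPV6_HDR if inner_ipv6 else IPV4_HDR
    return inner_mtu(path_mtu, opts) - ip_hdr - TCP_HDR


def ipv6_fits(path_mtu: int, opts: L2tpOptions) -> bool:
    """IPv6 may only be carried if the inner link MTU is at least 1280 bytes."""
    return inner_mtu(path_mtu, opts) >= IPV6_MIN_LINK_MTU


if __name__ == "__main__":
    opts = L2tpOptions()
    print("inner MTU:", inner_mtu(1500, opts))                     # 1462
    print("IPv4 MSS: ", tcp_mss(1500, opts, inner_ipv6=False))     # 1422
    print("IPv6 MSS: ", tcp_mss(1500, opts, inner_ipv6=True))      # 1402
```

If the hotspot itself sits behind another tunnel, pass its smaller path MTU instead of 1500; the `ipv6_fits` check tells you when the leftover inner MTU drops below what IPv6 is allowed to run over.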

And just to clarify, this is not some nasty hack to use WiFi for which we have not paid! We have paid for the premium WiFi 24/7 for the whole cruise, which is listed as "unlimited" and allows streaming. In practice, it is around 2Mb/s up/down with 800ms latency. But this works, even for VoIP.

Obviously, as above, there are less "industrial" solutions to this. But I like "industrial", and some people demand it, so always useful to understand what is possible even if it is rather overkill for a holiday.

16 comments:

  1. I've had a lot of fun working on my company's appliances in situations where I've got a link of that sort of quality.

    A tuneable TCP proxy which has the right congestion control algorithms for high latency / background packetloss can do a lot of good for throughput. Well, as long as only a small fraction of the clients are more or less ignoring packet loss as a congestion indicator anyway ;)

  2. I guess you could take a leaf out of Virgin Media's book and advertise to your shipmates as "Fibre broadband to your cabin"!

    Replies
    1. Yes, with speeds of "up to 300Mbps". Even if you get 2Mbps, you can say it's still "less than 300Mbps so consistent with the advertising". Hee hee!

  3. Mikrotik hAP AC2 are great for this. Dual radio... One to bridge to the hotel WiFi, another to provide your private WiFi. The mAP is nowhere near as flexible as single radio.

  4. Perhaps you can build something like gunrun's backpack. https://www.gunrun.tv/backpack/ It's primarily to deliver decent bandwidth video in the middle of nowhere, but I can't see why it wouldn't work for a laptop as well.

  5. This is why the Firebrick needs SSL VPN support, it's much less commonly blocked and works better over satellite than IPsec/l2tp.

    Replies
    1. SSL VPNs are certainly blocked less often on TCP/443, but I'm not sure why you think the performance is better? TCP tunneled over TCP has all sorts of horrid implications, especially on a high latency / lossy network (you do things like send retransmits on the inner layer before the tunnel does its own retransmits of the original payload). From a performance point of view IPsec and L2TP are considerably better.

      (Aside: Our boxes also do UDP DTLS after initial negotiation over TCP TLS, which is a very useful performance optimisation - but that's also likely to get killed off at the firewall. I guess you couldn't argue you're no worse off if this is configured yet blocked, as IPSEC wouldn't work at all)

  6. I have used a couple of TP-Link "pocket routers" for years to allow me to use the wireless at hotels and the like on my devices, one advantage is you just configure the router to connect to the hotel AP and then it broadcasts over its own wireless signal as well as to Ethernet, meaning you don't have to reconfigure all the other devices.

    Replies
    1. Doesn't everyone just connect their iPhone to the hotel wifi these days then set it up as a mobile hotspot?

    2. Mobile hotspot only provides access to a mobile/cell network, not to another WiFi network - if I understand rightly.

  7. I use a SSH tunnel to my home server for e-mail mostly, but I have used it to control stuff in the house, and even on one occasion WWW would only work properly over a tunnel to a squid proxy on my home server. Only rarely has SSH been blocked, especially as I use a high port.

  8. # I am the linesman of the cruise ship...

    https://www.youtube.com/watch?v=4qoymGCDYzU

  9. Apologies, could you clarify the point about MAC cloning? Is the ship's wi-fi locking its service down to one registered MAC address only, then?

    Replies
    1. I may be wrong, but the MAC cloning here would appear to do the opposite: present each device to the ship's AP as its own MAC. I assume to get past the per-device bandwidth restriction.

    2. That is the default, but the ship - like many hot spots, I believe - locks to the MAC used for Wi-Fi itself, so other MACs do not work. This made Wi-Fi work as the FireBrick MAC.

  10. As the other guy said, a Mikrotik hAP ac or ac2 are great little boxes for this purpose. I carry a hAP ac in my bag and take it everywhere.

    1 Radio for HotSpot, 1 for local WiFi
    NAT, DHCP, Firewall, mangling etc
    VPN (SSTP, IPsec, OpenVPN, PPTP & EoIP, L2TP Tunnels)
    Ethernet access
    Various network diagnostic tools
    Runs off a wide voltage range plus PoE in/out
    The list goes on.

    I find SSTP has been the best at getting me through even the most stubborn restrictions.

    I run a CHR version of RouterOS on an ESXI VM for my VPN endpoints and have OSPF setup to give me full access to my networks.

    From there I can even setup L2 Tunnels to a remote network which can be bridged to Ethernet or a WiFi SSID to give me access as if I was there in person.

    They're still my favourite Swiss army knife for networks.

