Some History
● 80’s: “PCs invade the home”
● 90’s:
  – Cheaper networking equipment
  – Cheaper PCs
  – Rise of popular games: Quake, Age of Empires, Warcraft, Unreal Tournament, …
● 20xx:
  – Online gaming: League of Legends, World of Warcraft, PUBG, Fortnite, RuneScape, ...
Router NAT
Makes packets leaving through your uplink use the public IP of the router, so that replies can return to it.
  – iptables -t nat -A POSTROUTING -j MASQUERADE -o <public_iface>
  or
  – iptables -t nat -A POSTROUTING -j SNAT -o <public_iface> --to <public_ip>
Router NAT
SNAT
  – Requires you to pass the IP of your public interface
  – Keeps track of connections when the interface is brought down and back up
MASQUERADE
  – You just need to pass the name of the public interface
  – Handy when using DHCP and you don't know your public IP beforehand, or if it might change over time
  – Overhead with respect to SNAT, as the IP of the device needs to be looked up for every packet
Open vSwitch
Create a bridge
  ovs-vsctl add-br internal_br
Create fake bridges with VLAN tags
  ovs-vsctl add-br management_br internal_br 10
  ovs-vsctl add-br lan_br internal_br 20
  ovs-vsctl add-br wifi_br internal_br 30
Create a bond device with physical interfaces and attach it to the bridge
  ovs-vsctl add-bond internal_br bond0 enp0s9 enp0s10 lacp=active
Add an interface to the bridge
  ovs-vsctl add-port internal_br enp0s3
Open vSwitch
Bonding – combining multiple NICs
● LACP
  – Requires the LACP protocol on both ends
  – OVS falls back to active-backup
● Active Backup
  – Only 1 NIC is active, fallback to the secondary
● SLB
  – Allows some limited form of load balancing
  – Use this with dumb switches
● balance-tcp
DHCP
dnsmasq
  Pro:
  – Small and simple
  – DNS included
  Con:
  – More geared towards desktop (DNS caching) and small networks
isc-dhcp-server
  Pro:
  – The go-to industry standard
  – Highly configurable
  Con (?):
  – Dynamic DNS decoupled
DHCP dnsmasq
  # Set domain
  domain=zanzi.lan
  # Upstream DNS servers
  server=8.8.8.8
  server=8.8.4.4
  # Prevent non-routable private addresses from being forwarded
  bogus-priv
  # Add the domain to simple (dot-less) host names
  expand-hosts
  # Do not read /etc/hosts
  no-hosts
  # Read hosts.dnsmasq for hosts entries
  addn-hosts=/etc/hosts.dnsmasq
  # Read /etc/ethers for static MAC-to-IP entries
  read-ethers
  # Only bind to the interfaces it's listening on
  bind-interfaces
  # Be authoritative and barge in when a machine wakes up and broadcasts a DHCP request
  dhcp-authoritative
DHCP dnsmasq
  # Set listening interface, DHCP range and lease time
  dhcp-range=lan_vlan,192.168.20.6,192.168.20.254,8h
  # Pass default gateway
  dhcp-option=lan_vlan,3,192.168.20.1
  # Pass DNS servers
  dhcp-option=lan_vlan,6,192.168.20.1,192.168.20.2
  # Pass search domain
  dhcp-option=lan_vlan,119,zanzi.lan
  # Pass NTP servers
  dhcp-option=lan_vlan,42,192.168.20.1,192.168.20.2
DNS
dnsmasq
  Pro:
  – Small and simple
  – DNS included, with dynamic hosts
  Con:
  – More geared towards desktop (DNS caching) and small networks
bind9
  Pro:
  – The go-to industry standard
  – Highly configurable
  Con (?):
  – Dynamic DNS decoupled
  – Harder to configure
DNS dnsmasq
  # Set domain
  domain=zanzi.lan
  # Upstream DNS servers
  server=8.8.8.8
  server=8.8.4.4
  # Prevent non-routable private addresses from being forwarded
  bogus-priv
  # Add the domain to simple (dot-less) host names
  expand-hosts
  # Do not read /etc/hosts
  no-hosts
  # Read hosts.dnsmasq for hosts entries
  addn-hosts=/etc/hosts.dnsmasq
  # Read /etc/ethers for static MAC-to-IP entries
  read-ethers
  # Only bind to the interfaces it's listening on
  bind-interfaces
  # Be authoritative and barge in when a machine wakes up and broadcasts a DHCP request
  dhcp-authoritative
Squid
People will need to accept your CA certificate so that the on-the-fly signed certs produced by Squid are accepted by the OS and browser.
Captive Portal?
Caching Games
DNS
dnsmasq:
  # Steam
  address=/.cs.steampowered.com/192.168.10.3
  address=/.steamcontent.com/192.168.10.3
  address=/content1.steampowered.com/192.168.10.3
  …..
bind9:
  zone "steampowered.com" IN {
      type master;
      file "steam";
  };
Caching Games
Nginx
● Requests are sent through Nginx
● Will check on disk if it already has the same requested data
● If not, acts as a caching forwarding proxy (like Squid)
● Saves terabytes of data passing through your uplink
Multiple Uplinks
● The DHCP client by default requests on all connected interfaces
  – Will override the default gateway
  – Will override your configured nameserver in /etc/resolv.conf
  – The last connected uplink becomes the primary/default
● We only want enough information for routing
Write custom DHCP hooks / Use the correct flags for your interface
Multiple Uplinks
Don’t forget your other local networks!
  ip route add 192.168.10.0/24 dev management_vlan table isp1
  ip route add 192.168.20.0/24 dev lan_vlan table isp1
  ip route add 192.168.30.0/24 dev wifi_vlan table isp1
  ip route add 192.168.10.0/24 dev management_vlan table isp2
  ip route add 192.168.20.0/24 dev lan_vlan table isp2
  ip route add 192.168.30.0/24 dev wifi_vlan table isp2
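One way to do the "custom DHCP hook" from the previous slide together with the per-ISP routing table above, as an added example that is not part of the deck: a dhclient enter hook that keeps ISP2's gateway and resolvers out of the main table and /etc/resolv.conf and installs them (plus the local networks) in table isp2 instead. The interface name enp0s8 and the table name isp2 (expected in /etc/iproute2/rt_tables) are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): a dhclient "enter hook" for the second
# uplink. dhclient-script sources /etc/dhcp/dhclient-enter-hooks.d/* before it
# applies a lease, with the lease exposed as $interface, $reason, $new_ip_address
# and $new_routers, so the hook can keep ISP2's gateway and resolvers out of the
# main table and /etc/resolv.conf and put its default route in table "isp2".
# Assumptions (ours, not the deck's): ISP2 is on enp0s8 and table "isp2" exists
# in /etc/iproute2/rt_tables. DRY_RUN=1 prints the ip(8) commands instead.

ISP2_IF="${ISP2_IF:-enp0s8}"
ISP2_TABLE="${ISP2_TABLE:-isp2}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Install ISP2's routing: $1 = address we were leased, $2 = ISP2's gateway.
isp2_routes() {
    run ip route replace default via "$2" dev "$ISP2_IF" table "$ISP2_TABLE"
    # Traffic sourced from ISP2's address must leave via ISP2 (replies to
    # inbound connections, sockets bound to that address). Delete-then-add
    # keeps the rule from piling up on every RENEW.
    run ip rule del from "$1/32" lookup "$ISP2_TABLE" priority 100 2>/dev/null || true
    run ip rule add from "$1/32" lookup "$ISP2_TABLE" priority 100
    # The local networks from the slide, or table isp2 can't reach the VLANs.
    for net in 192.168.10.0/24:management_vlan 192.168.20.0/24:lan_vlan \
               192.168.30.0/24:wifi_vlan; do
        run ip route replace "${net%%:*}" dev "${net##*:}" table "$ISP2_TABLE"
    done
}

# Only act when dhclient-script is running us for the ISP2 interface.
if [ "$interface" = "$ISP2_IF" ]; then
    # dhclient-script calls make_resolv_conf after the enter hooks; redefining
    # it as a no-op is the documented way to leave /etc/resolv.conf alone.
    make_resolv_conf() { :; }
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT)
            isp2_routes "$new_ip_address" "${new_routers%% *}"
            # Blank the router list so dhclient-script does not install ISP2's
            # gateway as the system default route (the main table stays ISP1).
            new_routers=""
            ;;
    esac
fi
```

Running the file directly with DRY_RUN=1 and the dhclient variables set in the environment (interface=enp0s8 reason=BOUND new_ip_address=... new_routers=...) shows exactly which ip commands the hook would issue.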
Traffic Shaping
TC – Traffic Control
Avoid bufferbloat by artificially limiting your download and upload rates
Dropping packets is GOOD (TCP self-regulation)
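What "artificially lowering your download and upload" looks like with tc, as an added example that is not from the deck: CAKE on the uplink for egress and, because ingress can only be shaped after redirecting it, CAKE on an IFB device for download. The uplink name enp0s3, the 100/20 Mbit/s speedtest baseline and the 85% figure are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): shape the uplink with the CAKE qdisc so
# the queue forms on the router, where tc can drop packets early, instead of in
# the modem's buffer (bufferbloat). Egress is shaped on the uplink itself;
# ingress is redirected into an IFB device and shaped there.
# Assumptions (ours): uplink enp0s3, a speedtest baseline of 100 Mbit/s down
# and 20 Mbit/s up, and CAKE available (kernel 4.19+, iproute2 with cake).
# DRY_RUN=1 prints the commands instead of executing them.

UPLINK="${UPLINK:-enp0s3}"
IFB="${IFB:-ifb0}"
MEASURED_DOWN_KBIT=100000   # speedtest baseline (see Recommendations)
MEASURED_UP_KBIT=20000
KEEP_PERCENT=85             # shape below the line rate so the modem queue stays empty

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Rate to configure, in kbit: $1 = measured kbit, $2 = percent to keep.
shaped_rate() { echo $(( $1 * $2 / 100 )); }

# Apply shaping: $1 = uplink, $2 = ifb device, $3 = down kbit, $4 = up kbit.
shape() {
    # Egress: CAKE with NAT awareness, so per-host fairness sees the LAN hosts
    # behind MASQUERADE rather than only the router's public address.
    run tc qdisc replace dev "$1" root cake bandwidth "${4}kbit" nat
    # Ingress: everything arriving on the uplink is redirected to the IFB,
    # whose root qdisc is CAKE in ingress mode (drops are counted as received).
    run ip link add "$2" type ifb
    run ip link set "$2" up
    run tc qdisc replace dev "$1" handle ffff: ingress
    run tc filter add dev "$1" parent ffff: matchall action mirred egress redirect dev "$2"
    run tc qdisc replace dev "$2" root cake bandwidth "${3}kbit" nat ingress
}

# Remove shaping again, e.g. before re-running a speedtest for a new baseline.
unshape() {
    run tc qdisc del dev "$1" root
    run tc qdisc del dev "$1" ingress
    run ip link del "$2"
}

main() {
    shape "$UPLINK" "$IFB" \
        "$(shaped_rate "$MEASURED_DOWN_KBIT" "$KEEP_PERCENT")" \
        "$(shaped_rate "$MEASURED_UP_KBIT" "$KEEP_PERCENT")"
}

# Usage: DRY_RUN=1 sh shape.sh apply   (then without DRY_RUN, as root)
if [ "${1:-}" = "apply" ]; then main; fi
```

After applying, watch ping latency under load (the Recommendations slide): if it still climbs, lower KEEP_PERCENT and re-run.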
Recommendations
● Do a speedtest at the beginning to set a baseline
● Keep an eye on ping latency
● Structure iptables rules for legibility
● Place game-server VMs in the same VLAN (if they rely on broadcast auto-discovery)
● Have fun
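One way to "structure iptables rules for legibility", as an added example that is not from the deck: the ruleset is generated as an iptables-restore file with one user chain per VLAN, so FORWARD only dispatches and each VLAN's policy reads in one place, and it is loaded atomically (no half-applied ruleset). The uplink enp0s3, the VLAN interface names from the earlier slides and the game-server subnet 192.168.20.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): build the firewall as an iptables-restore
# file. One user chain per VLAN keeps FORWARD to a dispatch table, and loading
# via iptables-restore is atomic, so a syntax error can't leave the router
# half-configured. Assumptions (ours): uplink enp0s3, VLAN interfaces lan_vlan
# and wifi_vlan as on the slides, game servers in 192.168.20.0/24.

UPLINK="${UPLINK:-enp0s3}"

# Emit the complete ruleset on stdout.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:lan_fwd - [0:0]
:wifi_fwd - [0:0]
# Replies to anything already allowed, in every direction.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The router's own services (DHCP, DNS, NTP) for the local VLANs only.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i $UPLINK -j ACCEPT
# FORWARD only dispatches; the per-VLAN chains hold the actual policy.
-A FORWARD -i lan_vlan -j lan_fwd
-A FORWARD -i wifi_vlan -j wifi_fwd
# LAN: anything towards the internet.
-A lan_fwd -o $UPLINK -j ACCEPT
# Wi-Fi: internet plus the game-server subnet, nothing else.
-A wifi_fwd -o $UPLINK -j ACCEPT
-A wifi_fwd -d 192.168.20.0/24 -j ACCEPT
# Whatever a VLAN chain does not accept is logged, then hits FORWARD's DROP.
-A lan_fwd -j LOG --log-prefix "lan_fwd drop: "
-A wifi_fwd -j LOG --log-prefix "wifi_fwd drop: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Same MASQUERADE rule as on the Router NAT slide.
-A POSTROUTING -o $UPLINK -j MASQUERADE
COMMIT
EOF
}

# Parse-check first (--test applies nothing), then load atomically.
load() { ruleset | iptables-restore --test && ruleset | iptables-restore; }
```

Run `ruleset` to review the file before calling `load` as root; the LOG lines show up in the kernel log with the chain name as prefix, which makes misbehaving clients easy to spot.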