There was always supposed to be a part two to the previous article. Headless Linux KVM and VLANs, combined with Layer 2 bridging and tap devices, is fantastic. Further, with BGP you can propagate address space across multiple gateways.
There is a company that offers this as a service: AWS.
But if you own the hardware and have sufficient bandwidth and skill, there is nothing stopping you from implementing a similar architecture yourself. pfSense as the core edge device gives you fine control over interfaces, VLANs, firewall rules, and routing. Linux has netfilter, which provides iptables and NAT. Debian ships OpenVPN and BIRD.
What's really, really damn nice is that, when done properly, you get split DNS: a working private DNS namespace attached to private IP address space, running in tandem with the global DNS and IP space.
Take an HTTP conversation: HTTP itself is stateless, but it rides on a stateful TLS session. That TLS stream is carried reliably by TCP, which is encapsulated in IP. The IP packet is encapsulated in an Ethernet frame, and Ethernet frames are put on the wire at the link layer, which is usually a physical medium.
In the case of a residential ISP connection, that physical medium is reached through a modem (modulator-demodulator). Think of it like a radio: it takes Ethernet frames in on one port and modulates them onto a carrier signal, and the carrier waveform is then transmitted on the line port (twisted pair with an RJ11 jack for DSL; a cable modem does the same onto coax).
When you transmit from your computer, the frame goes via the router before it reaches the modem. Your computer puts the IP address of the target server in the IP packet, but addresses the Ethernet frame to the MAC of the default gateway (resolved via ARP). The default gateway, being a router, receives the packet and forwards it toward its own default gateway. A router can also take the IP packet, rewrite the source address to its "WAN" interface's IP address, and send it out that port, keeping a connection-tracking entry so the reply can be rewritten back. This is NAT (source NAT, or masquerading).
When a router changes the source IP address it takes ownership of the conversation: it impersonates the original source and operates on behalf of another host. There's a trust relationship here, and it starts at layer 2. Your computer trusts whatever ARP reply claims the gateway's IP, because ARP carries no authentication. ARP poisoning exploits exactly that: an attacker on the same segment answers ARP for the gateway's address with their own MAC, receives the frames meant for the gateway, and can forward them on (after reading or altering them) so nothing visibly breaks. True IP routing does not involve rewriting the source address; NAT is technically a hack, and the layer 2 links it sits on are held together by that same unverified trust.
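The check a practitioner wants for the ARP trust problem above is a cheap one: on a bridged VLAN segment, no single MAC should be answering for several IPs, and the gateway's MAC should not change from the one you pinned at provisioning time. The script below is an added example, not part of the original article; it parses the output format of `ip -4 neigh show` and the sample neighbor table inside it is constructed for the example (interface `br100`, gateway `10.100.0.1`, and the MACs are all hypothetical).

```shell
#!/bin/sh
# Constructed sample of `ip -4 neigh show` output (not captured from a real host).
# Fields: IP, "dev", interface, "lladdr", MAC, state. A FAILED entry has no lladdr.
SAMPLE_NEIGH='10.100.0.1 dev br100 lladdr 52:54:00:aa:bb:01 REACHABLE
10.100.0.20 dev br100 lladdr 52:54:00:aa:bb:20 STALE
10.100.0.31 dev br100 lladdr 52:54:00:aa:bb:01 REACHABLE
10.100.0.40 dev br100 FAILED'

# dup_macs: read neighbor-table lines on stdin and print, one per line,
# "<iface>:<mac> <ip> <ip> ..." for every MAC that claims more than one IPv4
# address on the same interface. A poisoner answering for the gateway shows
# up here as its own IP plus the gateway IP sharing one MAC.
dup_macs() {
    awk '$4 == "lladdr" { key = $3 ":" $5; ips[key] = ips[key] " " $1; n[key]++ }
         END { for (k in n) if (n[k] > 1) print k ips[k] }' | sort
}

# gateway_mac_ok GATEWAY_IP EXPECTED_MAC: read the neighbor table on stdin and
# return 0 only if the gateway resolves to the MAC recorded at provisioning.
# An absent entry is treated as a failure, not as "probably fine".
gateway_mac_ok() {
    gw=$1; want=$2
    got=$(awk -v gw="$gw" '$1 == gw && $4 == "lladdr" { print $5; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Stand-alone run against the constructed table. On a real host replace the
# printf with: ip -4 neigh show dev br100
printf '%s\n' "$SAMPLE_NEIGH" | dup_macs
if printf '%s\n' "$SAMPLE_NEIGH" | gateway_mac_ok 10.100.0.1 52:54:00:aa:bb:01; then
    echo "gateway MAC matches pinned value"
else
    echo "gateway MAC mismatch or missing: investigate"
fi
```

Two caveats on reading the output. One MAC legitimately owning several IPs happens (a router with secondary addresses, VRRP virtual MACs), so treat a hit as something to explain, not an automatic alarm. And this only inspects the local cache; the real fix for a segment you control is dynamic ARP inspection or port security on the switch, or a static ARP entry for the gateway on the hosts that matter.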
If you're familiar with all of the above, chances are you already know how to manipulate these layers to your needs. If you don't, hopefully this helped illustrate the mechanisms and how they fit together.
If you're wondering how this ties back to the previous article: on the hypervisor side, attach the VM interface to a bridge and make a VLAN subinterface a member of that bridge. Then on your pfSense core, bridge that VLAN interface with an OpenVPN tap interface connected to a remote system. On that remote system, use iptables to NAT traffic out as required. You'll also need to set up BGP so the routes for the return traffic reach the remote system. Don't forget to set firewall rules on the bridge member interfaces to allow traffic: pfSense filters on the member interfaces by default, not on the bridge itself.
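The whole procedure above, written out as one script, as an added example rather than the article's own configuration. Everything in it is an assumption made for illustration: the hypervisor's trunk NIC is `eth0` carrying VLAN 100 into bridge `br100` (libvirt attaches each VM tap to that bridge with `<source bridge='br100'/>`); pfSense owns `10.100.0.1` on VLAN 100 and speaks BGP as AS 65000 (FRR package assumed); the remote Debian box sees the bridged segment on OpenVPN's `tap0`, uplinks via `eth0` with public address `203.0.113.1`, is AS 65001, and runs BIRD 2 (the config uses bird2 syntax). The VM address space is `10.100.0.0/16`, of which only the `/24` on VLAN 100 is on-link at the remote box; the other subnets are learned from pfSense over BGP. The `MASQUERADE` rule is the source-address rewrite the NAT paragraph describes.

```shell
#!/bin/sh
# Added example; hypothetical interface names, addresses and AS numbers throughout.
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# script can be read and checked before being run as root with DRY_RUN=0.
set -eu
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Hypervisor: VLAN subinterface on the trunk, bridge on top of it.
# Each VM's tap device is added to the bridge by libvirt, not here.
hv_bridge_up() {
    trunk=$1; vid=$2; br=$3
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip link add "$br" type bridge
    run ip link set "$trunk.$vid" master "$br"
    run ip link set "$trunk.$vid" up
    run ip link set "$br" up
}

# Remote box: forward between the bridged tap and the uplink, and rewrite the
# source address of outbound packets to the uplink's address (source NAT).
# Anything leaving the tap that is not from the VM space is dropped, so a VM
# cannot spoof its way out through the NAT.
remote_nat_up() {
    lan_if=$1; wan_if=$2; lan_net=$3
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    run iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -o "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$wan_if" -j DROP
}

# Remote box: BIRD 2 config. Learn the VM prefixes from pfSense over BGP and
# push them into the kernel routing table, so replies for subnets that are
# not on-link still find their way back through pfSense. Nothing is exported.
bird_conf() {
    router_id=$1; local_as=$2; peer=$3; peer_as=$4; allowed=$5
    cat <<EOF
router id $router_id;
protocol device { }
protocol kernel { ipv4 { export all; }; }
protocol bgp core {
    local as $local_as;
    neighbor $peer as $peer_as;
    ipv4 {
        import where net ~ [ $allowed ];
        export none;
    };
}
EOF
}

hv_bridge_up eth0 100 br100
remote_nat_up tap0 eth0 10.100.0.0/16
bird_conf 203.0.113.1 65001 10.100.0.1 65000 '10.100.0.0/16+'
```

The import filter is the part worth getting right: accepting whatever the peer announces would let a misconfigured (or compromised) pfSense steer the remote box's traffic anywhere, so it only takes prefixes inside the VM space. The pfSense side of the bridge still needs its own pass rules on the VLAN and OpenVPN member interfaces, as noted above.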
These "DDoS" maps are kind of a scam, but they make for great attention-grabbing panels.