Rahu Network Access Server
Neutron Soutmun
RahuNAS Core Team
September 27, 2009
Debian MiniDebConf 2009, Taiwan
What is RahuNAS ?

Words combination
- Rahu: The daemon that swallows the sun or the moon
- NAS: Network Access Server

Short description
RahuNAS is an extended ipset (iptables/netfilter extension) with daemon and helper scripts which provides the web-based network authentication system or the captive portal like
Where is RahuNAS in the network ?
Software Goals
- Fast: does not add much delay to packet forwarding.
- More stable: available whenever users request.
- Traffic control: has the capability to control the users' bandwidth.
- Scalable: has the capability to handle multiple networks.
System Requirements
- Debian GNU/Linux 5.0 (Lenny): server OS
- iptables/netfilter with ipset + RahuNAS patch
  - included with mainstream kernel
  - ipset with RahuNAS patch: special firewalls
- FreeRADIUS: AAA (Authentication Authorization Accounting)
- PostgreSQL: database to store users information
- DHCP, DNS Server
Existing captive portal software
- chillispot: open source Linux daemon
- CoovaChilli: open source software access controller, based on chillispot
- captivator-gw: open source, Perl based, written by Dale W. Carder at University of Wisconsin Board of Regents
- etc.
Review existing software

chillispot
Advantages
- Well known, used worldwide.
Disadvantages
- The daemon is not stable enough when running under high load.
- The project seems to be abandoned.
- It does not scale well; it may or may not run multiple networks on a single server.
- Some overhead from the tunneling interface (tunX, tapX); sometimes it is a bottleneck.

CoovaChilli
Advantages
- Project still alive.
- More documents and tools than chillispot.
- Fewer problems when migrating from chillispot.
Disadvantages
- The major disadvantages are the same as chillispot's.

captivator-gw
Advantages
- Simple.
- Scalable, capable of handling multiple networks.
Disadvantages
- Simple firewall technique: more users means more rules added (a slowdown, in theory).
Why RahuNAS was born ?

Problem
As mentioned before, none of the existing software actually matches our software goals.

Solution
A. Seek other software ? or
B. Construct it by myself ?

Answer
B. Construct it by myself ← RahuNAS was born here
How to meet the software goals ?
If our software meets the 4 major goals
- meet Fast
- meet more Stable
- meet Traffic control
- meet Scalable
it's enough for our simple authentication system.
meet Fast

Most wanted: we need the special firewalls

Special firewalls
- High number of rules: fast matching algorithms.
- Often changed rules: storage structures which can be changed fast.
- Low RAM machines: memory optimized storage structures.

Special firewalls: iptables ?
- High number of rules: slow. Linear evaluation.
- Often changed rules: slow. The rules, stored in a blob, are passed back and forth between kernel and userspace when adding/deleting a single rule.
- Medium RAM requirements.

Special firewalls: nf-hipac ?
nf-hipac: http://www.hipac.org/
- High number of rules: fast. Complex matching algorithms.
- Often changed rules: fast. Just the new/to be deleted rule passed; hashes, trees.
- Memory requirements ?

Special firewalls: ipset ?
ipset: http://ipset.netfilter.org/
- High number of rules: fast. Simple algorithms.
- Often changed rules: fast. Just the new/to be deleted rule passed; arrays, hashes, trees.
- Memory requirements can be low.

Reference: József Kadlecsik - 6th Netfilter workshop Paris 29.09.2008
Choices
- A. nf-hipac
- B. ipset

Choosing B. ipset ← a good choice, simpler than nf-hipac.

Then hack
- hack: macipmap → rahunas
- reason: authentication systems conventionally use the IP address and MAC address to identify users.
- why: needs to state each user's idle time for idle timeout checking.
- todo: add the code to state the users' idle timeout
Before

    # ipset -nL
    Name: rahunasnet
    Type: macipmap
    References: 4
    Default binding:
    Header: from: 192.168.1.0 to: 192.168.1.255
    Members:
    192.168.1.13:00:AA:BB:CC:DD:EE
    Bindings:

After

    # ipset -nL
    Name: rahunasnet
    Type: rahunas
    References: 4
    Default binding:
    Header: from: 192.168.1.0 to: 192.168.1.255
    Members:
    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
    Bindings:
How to state the idle time ?

Idle time reset condition

    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds

    Authenticated User's packet → RahuNAS → Internet
    Authenticated User's packet ← RahuNAS ← Internet

    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 0 seconds
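Added example (not from the original slides and not RahuNAS source code): a user-space C model of the idea above, an IP+MAC set indexed by IP offset whose members carry a last-seen timestamp that every matching packet resets. All function and type names are hypothetical, and matching reverse-direction packets on IP alone is an assumption of this sketch.

```c
/* Added illustration (not RahuNAS source): user-space model of an IP+MAC set
 * whose members carry a last-seen timestamp. All names are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <time.h>
#define FIRST_IP 0xC0A80100u /* 192.168.1.0, range shown on the slide */
#define LAST_IP  0xC0A801FFu /* 192.168.1.255 */

struct member { uint8_t mac[6]; time_t last_seen; int in_use; };
static struct member set[LAST_IP - FIRST_IP + 1]; /* indexed by IP offset */
static struct member *slot(uint32_t ip) {
    return (ip < FIRST_IP || ip > LAST_IP) ? NULL : &set[ip - FIRST_IP];
}

/* Login: bind the IP to a MAC and start the idle clock. */
int set_add(uint32_t ip, const uint8_t mac[6], time_t now) {
    struct member *m = slot(ip);
    if (!m) return -1;
    memcpy(m->mac, mac, 6);
    m->last_seen = now;
    m->in_use = 1;
    return 0;
}

/* Per-packet test: one array index, no rule list to walk. mac is the source
 * MAC for user->Internet packets; NULL models Internet->user packets, which
 * this sketch matches on destination IP alone (an assumption). */
int set_test(uint32_t ip, const uint8_t *mac, time_t now) {
    struct member *m = slot(ip);
    if (!m || !m->in_use || (mac && memcmp(m->mac, mac, 6) != 0)) return 0;
    m->last_seen = now; /* idle time resets to 0 */
    return 1;
}

/* Idle seconds for a member, or -1 if the IP is not an active member. */
long set_idle(uint32_t ip, time_t now) {
    struct member *m = slot(ip);
    return (m && m->in_use) ? (long)(now - m->last_seen) : -1;
}

/* Idle-timeout sweep: remove members idle for timeout seconds or longer. */
int set_expire(time_t now, long timeout) {
    int removed = 0;
    for (size_t i = 0; i < sizeof set / sizeof set[0]; i++)
        if (set[i].in_use && (long)(now - set[i].last_seen) >= timeout) {
            set[i].in_use = 0;
            removed++;
        }
    return removed;
}
```

A packet that carries a member's IP but a different source MAC neither matches nor refreshes the idle clock, so the real member's session still times out.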
meet more Stable

RahuNAS daemon
- Keep it simple and stupid; it does not try to handle any complex tasks.
- Provides an internal state database powered by sqlite3, so it can resume operation after accidents such as power loss or a daemon crash.

RahuNAS daemon
- Written in C.
- License GPL-2, 100% open source
- GLib
- libgnet (XML-RPC Server/Client)

RahuNAS daemon security
- Listens on localhost (127.0.0.1) only.
- The web-based login page runs on the same host.
- TODO: do some encryption between the XML-RPC Server/Client; needed if we want to run RahuNAS and the web-based login page on different hosts.

Web-based login
- iptables rule settings to intercept unauthenticated connections and redirect them to the web-based login page
- Apache2 and PHP5 to serve the users' login requests
- PHP PEAR for FreeRADIUS and XML-RPC communication
meet Traffic control

RahuNAS daemon
- To keep it simple, it does not handle traffic control itself but leaves it to iproute (tc).
- BitTorrent blocking is optional (layer 7 filter extension needed)
meet Scalable

RahuNAS daemon
- Provides the capability of authenticating multiple networks
- VLANs or two or more NICs can be handled by a single server
RahuNAS in action

Proof of Concept code test
After every hack and some coding from scratch, we finally have a simple authentication system which meets the 4 major goals. Now, we need to test it.
RahuNAS login page
RahuNAS performance

Site reference: Khon Kaen University, Thailand
- more than 2000 concurrent users
- A whole week
- Bandwidth status
Additional tools in RahuNAS project

Additional tools
- RahuNAS Drupal module
- RahuNAS Drupal theme (based on RootCandy)
- RahuNAS Cacti plugin
RahuNAS Drupal module

Description
The RahuNAS Drupal module is a simple FreeRADIUS account manager. It is a Drupal 6 module and takes advantage of Drupal's good design. It also includes simple reports and graphs of users' access data.
Written by Suriya Soutmun (RahuNAS Core Team)

RahuNAS Drupal module and theme
RahuNAS Cacti plugin

Description
The RahuNAS Cacti plugin adds functions to Cacti such as RahuNAS client monitoring and configuration settings. The Cacti plugin architecture is needed (needs a patch). Cacti is a good web-based monitoring software based on RRD-Tools.
Who are using (testing) RahuNAS ?
- Khon Kaen University, Thailand: now running 4 servers, serving more than 6000 concurrent users
- MahaThai Sueksa, North Eastern School, Khon Kaen, Thailand: now running 1 server, serving at least 150 concurrent users
- Siridhon School, Surin, Thailand: now running 1 server, serving at least 200 concurrent users
- Streesiriket School, Sisaket, Thailand: now running 1 server, serving at least 120 concurrent users
- Manchakiri Hospital - Khon Kaen, Samrongthap Hospital - Surin

Hopefully, if it is useful, there will be more in the future.
Debian Package

git-buildpackage
The source code of RahuNAS and the additional tools is in a git repository (http://git.rahunas.org), and the awesome tool git-buildpackage is used to maintain the Debian package.

RahuNAS Debian Package status
Local experimental. Uploaded to the local repository only.

deb

    deb ftp://ftp.rahunas.org/rahunas unstable main

packages list
- rahunas - RahuNAS daemon and helper scripts
- rahunas-weblogin - RahuNAS web-based login support files
- netfilter-extensions - netfilter extensions with the ipset and RahuNAS patches included
- rahunas-config-freeradius - autogenerated config files and database preparation for FreeRADIUS to support RahuNAS
- linux-image-*+rahunas - the customized kernel built with the layer 7 filter and multi-path routing patches
- drupal6-mod-rahunas - RahuNAS Drupal module
- drupal6-theme-rahunas+rootcandy - RahuNAS Drupal theme based on RootCandy, written by Marek Sotak
Who is sponsoring RahuNAS ?

Gold sponsor: Khon Kaen University, Thailand
Gives funding for RahuNAS research and development, and also the facilities for testing.

Gold sponsor: Plawan Central Log, Thailand
Gives funding for RahuNAS research and development. Now considering integrating RahuNAS into their software and distributing it in the free/open source software culture.
Special Thanks

Special thanks: Software Liberty Association of Taiwan
For giving me a great opportunity to talk at Debian MiniDebConf 2009.
Follow RahuNAS
- Official Website: http://www.rahunas.org
- Debian package: ftp://ftp.rahunas.org/rahunas
- Git repository: http://git.rahunas.org