Rahu Network Access Server

Neutron Soutmun, RahuNAS Core Team

September 27, 2009 Debian MiniDebConf 2009, Taiwan

What is RahuNAS ?

Words combination
- Rahu: The daemon that swallows the sun or the moon
- NAS: Network Access Server

Short description
RahuNAS is an extended ipset (an iptables/netfilter extension) with a daemon and helper scripts, which together provide a web-based network authentication system in the manner of a captive portal.

Where is RahuNAS in the network ?

Software Goals

- Fast: does not add much delay to packet forwarding.
- More stable: available whenever users request it.
- Traffic control: able to control the users' bandwidth.
- Scalable: able to handle multiple networks.

System Requirements
- Debian GNU/Linux 5.0 (Lenny): server OS
- iptables/netfilter with ipset + RahuNAS patch: included with mainstream kernel
- ipset with RahuNAS patch: special firewalls
- FreeRADIUS: AAA (Authentication Authorization Accounting)
- PostgreSQL: database to store users information
- DHCP, DNS Server

Existing captive portal softwares

- chillispot: open source Linux daemon
- CoovaChilli: open source software access controller, based on chillispot
- captivator-gw: open source, Perl-based, written by Dale W. Carder at University of Wisconsin Board of Regents
- etc.

Review existing software

chillispot
Advantages
- Well known, used worldwide.
Disadvantages
- The daemon is not stable enough when running under high load.
- The project seems to be abandoned.
- It does not scale well; it may or may not run multiple networks on a single server.
- Some overhead on the tunneling interface (tunX, tapX); sometimes it is a bottleneck.

CoovaChilli
Advantages
- Project is still alive.
- More documents and tools than chillispot.
- Fewer problems when migrating from chillispot.
Disadvantages
- The major disadvantages are the same as chillispot's.

captivator-gw
Advantages
- Simple.
- Scalable, capable of handling multiple networks.
Disadvantages
- Simple firewall technique: the more users, the more rules are added (a slowdown, as a theoretical assumption).

Why RahuNAS was born ?

Problem
As mentioned before, none of the existing software actually matches our software goals.

Solution
A. Seek other software ? or
B. Construct it by myself ?

Answer
B. Construct it by myself ← RahuNAS was born here

How to meet the software goals ?

If our software meets the 4 major goals
- meet Fast
- meet more Stable
- meet Traffic control
- meet Scalable
it's enough for our simple authentication system.

meet Fast

Most wanted
We need the special firewalls

Special firewalls
- High number of rules: fast matching algorithms.
- Often changed rules: storage structures which can be changed fast.
- Low RAM machines: memory-optimized storage structures.
Reference: József Kadlecsik - 6th Netfilter workshop Paris 29.09.2008

Special firewalls: iptables ?
- High number of rules: slow. Linear evaluation.
- Often changed rules: slow. Rules are stored in a blob, which is passed back and forth between kernel and userspace when adding/deleting a single rule.
- Medium RAM requirements.
Reference: József Kadlecsik - 6th Netfilter workshop Paris 29.09.2008

Special firewalls: nf-hipac ?
nf-hipac: http://www.hipac.org/
- High number of rules: fast. Complex matching algorithms.
- Often changed rules: fast. Just the new/to be deleted rule passed; hashes, trees.
- Memory requirements ?
Reference: József Kadlecsik - 6th Netfilter workshop Paris 29.09.2008

Special firewalls: ipset ?
ipset: http://ipset.netfilter.org/
- High number of rules: fast. Simple algorithms.
- Often changed rules: fast. Just the new/to be deleted rule passed; arrays, hashes, trees.
- Memory requirements can be low.
Reference: József Kadlecsik - 6th Netfilter workshop Paris 29.09.2008

Choices
A. nf-hipac
B. ipset

Choosing B. ipset ← a good choice, simpler than nf-hipac.

Then hack
- hack: macipmap → rahunas
- reason: authentication systems conventionally use the IP address and MAC address to identify users.
- why: the set needs to record each user's idle time for idle timeout checking.
- todo: add the code to record the users' idle time.

Before

    # ipset -nL
    Name: rahunasnet
    Type: macipmap
    References: 4
    Default binding:
    Header: from: 192.168.1.0 to: 192.168.1.255
    Members:
    192.168.1.13:00:AA:BB:CC:DD:EE
    Bindings:

After

    # ipset -nL
    Name: rahunasnet
    Type: rahunas
    References: 4
    Default binding:
    Header: from: 192.168.1.0 to: 192.168.1.255
    Members:
    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
    Bindings:

How to state the idle time ?

Idle time reset condition

    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
    Authenticated User’s packet → RahuNAS → Internet
    Authenticated User’s packet ← RahuNAS ← Internet
    192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 0 seconds
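The idle-time bookkeeping described above, as an added example that is not RahuNAS or ipset code: a userspace C model of a macipmap-style set, an array indexed by IP offset that stores the bound MAC and a last-seen time per member. All `rh_*` names are hypothetical, and matching reply traffic on the IP alone is an assumption of this model.

```c
/* Added model of a macipmap-style set with an idle timer; rh_* names are hypothetical. */
#include <stdint.h>
#include <string.h>
#define RH_SIZE 256                      /* e.g. 192.168.1.0 - 192.168.1.255 */
struct rh_member { uint8_t mac[6]; int used; long last_seen; };
struct rh_set { uint32_t first_ip; struct rh_member m[RH_SIZE]; };

/* IP -> array slot: constant time, independent of the number of users. */
static struct rh_member *rh_slot(struct rh_set *s, uint32_t ip)
{
    int in_range = ip >= s->first_ip && ip - s->first_ip < RH_SIZE;
    return in_range ? &s->m[ip - s->first_ip] : NULL;
}

/* After a successful login: bind the IP to the MAC; idle time starts at 0. */
int rh_add(struct rh_set *s, uint32_t ip, const uint8_t *mac, long now)
{
    struct rh_member *e = rh_slot(s, ip);
    if (!e) return -1;
    memcpy(e->mac, mac, 6);
    e->used = 1;
    e->last_seen = now;
    return 0;
}

/* Packet path: mac != NULL is user -> Internet (IP and MAC must agree); mac == NULL is
 * Internet -> user, IP only (assumption of this model). Any match resets the idle time. */
int rh_match(struct rh_set *s, uint32_t ip, const uint8_t *mac, long now)
{
    struct rh_member *e = rh_slot(s, ip);
    if (!e || !e->used || (mac && memcmp(e->mac, mac, 6) != 0))
        return 0;
    e->last_seen = now;
    return 1;
}

/* Idle seconds as shown in the listing, or -1 if the IP is not a member. */
long rh_idle(struct rh_set *s, uint32_t ip, long now)
{
    struct rh_member *e = rh_slot(s, ip);
    return (e && e->used) ? now - e->last_seen : -1;
}

/* Idle sweep: remove members idle for more than `timeout` seconds. */
int rh_expire(struct rh_set *s, long now, long timeout)
{
    int n = 0;
    for (int i = 0; i < RH_SIZE; i++)
        if (s->m[i].used && now - s->m[i].last_seen > timeout) { s->m[i].used = 0; n++; }
    return n;
}
```

A packet carrying a member's IP but a different source MAC neither matches nor resets the timer, so it cannot keep another user's session alive in this model.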

meet more Stable

RahuNAS daemon
- Keep it simple and stupid: it does not try to handle any complex tasks.
- Provides an internal state database powered by sqlite3, so it can resume operation after accidents such as power loss or a daemon crash.

RahuNAS daemon
- Written in C.
- License GPL-2, 100% open source
- GLib
- libgnet (XML-RPC Server/Client)

RahuNAS daemon security
- Listens on localhost (127.0.0.1) only.
- The web-based login page runs on the same host.
- TODO: add encryption between the XML-RPC server and client; this is needed if we want to run RahuNAS and the web-based login page on different hosts.

Web-based login
- iptables rules intercept unauthenticated connections and redirect them to the web-based login page
- Apache2 and PHP5 serve the users' login requests
- PHP PEAR for communicating with FreeRADIUS and XML-RPC

meet Traffic control

RahuNAS daemon
- To keep it simple, the daemon does not handle traffic control itself but leaves it to iproute (tc).
- BitTorrent blocking is optional (layer 7 filter extension needed)

meet Scalable

RahuNAS daemon
- Provides authentication for multiple networks
- VLANs, two or more NICs can be handled on a single server

RahuNAS in action

Proof of Concept code test
After all the hacks and some coding from scratch, we finally have a simple authentication system which meets the 4 major goals. Now we need to test it.

RahuNAS login page

RahuNAS performance

[Figures: more than 2000 concurrent users; a whole week; bandwidth status]

Site reference: Khon Kaen University, Thailand

Additional tools in RahuNAS project

Additional tools
- RahuNAS Drupal module
- RahuNAS Drupal theme (based on RootCandy)
- RahuNAS Cacti plugin

RahuNAS Drupal module

Description
The RahuNAS Drupal module is a simple FreeRADIUS account manager. It is a Drupal 6 module and takes advantage of Drupal's good design. It also includes simple reports and graphs of users' access data.
Written by Suriya Soutmun (RahuNAS Core Team)

RahuNAS Drupal module and theme

RahuNAS Cacti plugin

Description
The RahuNAS Cacti plugin adds functions to Cacti such as RahuNAS client monitoring and configuration settings. The Cacti plugin architecture is needed (requires a patch). Cacti is a good web-based monitoring software based on RRDtool.

Who are using (testing) RahuNAS ?
- Khon Kaen University, Thailand: now running 4 servers, serving more than 6000 concurrent users
- MahaThai Sueksa, North Eastern School, Khon Kaen, Thailand: now running 1 server, serving at least 150 concurrent users
- Siridhon School, Surin, Thailand: now running 1 server, serving at least 200 concurrent users
- Streesiriket School, Sisaket, Thailand: now running 1 server, serving at least 120 concurrent users
- Manchakiri Hospital - Khon Kaen, Samrongthap Hospital - Surin
- Hopefully, if it is useful, there will be more in the future

Debian Package

git-buildpackage
The source code of RahuNAS and the additional tools is in a git repository (http://git.rahunas.org), and the awesome tool git-buildpackage is used to maintain the Debian package.

RahuNAS Debian Package status
Local experimental. Uploaded to the local repository only.

deb

    deb ftp://ftp.rahunas.org/rahunas unstable main

packages list
- rahunas - RahuNAS daemon and helper scripts
- rahunas-weblogin - RahuNAS web-based login support files
- netfilter-extensions - netfilter extensions with ipset and the RahuNAS patch included
- rahunas-config-freeradius - autogenerated config files and database preparation for FreeRADIUS to support RahuNAS
- linux-image-*+rahunas - the customized kernel built with the layer 7 filter and multi-path routing patches
- drupal6-mod-rahunas - RahuNAS Drupal module
- drupal6-theme-rahunas+rootcandy - RahuNAS Drupal theme based on RootCandy written by Marek Sotak

Who is sponsoring RahuNAS ?

Gold sponsor: Khon Kaen University, Thailand
Provides funding for RahuNAS research and development, and also the facilities for testing.

Gold sponsor: Plawan Central Log, Thailand
Provides funding for RahuNAS research and development. Now considering integrating RahuNAS into their software and distributing it in the free/open source software culture.

Special Thanks

Special thanks: Software Liberty Association of Taiwan
Gave me a great opportunity to talk at Debian MiniDebConf 2009.

Follow RahuNAS

Official Website: http://www.rahunas.org
Debian package: ftp://ftp.rahunas.org/rahunas
Git repository: http://git.rahunas.org