Overview
[paraphrased from a discussion with DonaldGordon]
Old-style SWANS was a virtual ethernet network.
- there is an ethernet interface on burns that counts as being SWANS; it is part of a bridge device that also counts as being SWANS
- there's a physical "swans" network in the cupboard with the rack
- Marge is probably plugged in to this
- vtun is used to extend this out to other locations (like the access point (AP))
- vtun gives a virtual ethernet interface on each of a pair of machines; the two interfaces are connected together by a tunnel over an IP network
- the AP has a bridge device on it bridging its wifi and LAN ports
- when the AP boots up, vtun tries to bring up a tunnel between it and burns
- when the tunnel comes up, the endpoint virtual ethernet devices are added to the bridge devices on both machines, so the AP's wifi/LAN side and the SWANS bridge on burns become one layer-2 segment
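To make the arrangement above concrete, this is what the vtun side of it looks like as a vtund.conf session. It is an added illustration, not the configuration from burns or the AP: the session name swans, the bridge name br0, the hostname burns.example.org and the password are assumptions, and only the option names come from vtund.conf itself.

```text
# vtund.conf (added illustration, not the real file). The same session block
# serves both ends: burns runs "vtund -s", the AP runs "vtund swans burns.example.org".
options {
    port     5000;
    timeout  60;
    ifconfig /sbin/ifconfig;
}

default {
    proto udp;
}

swans {
    # shared secret for the connect-time challenge/response (assumed value)
    passwd    CHANGEME;
    # Ethernet (tap) tunnel, so layer-2 frames cross it unchanged
    type      ether;
    encrypt   yes;
    keepalive yes;
    up {
        # %% is replaced by the tap device name vtun created
        ifconfig "%% up";
        # put the tap into the SWANS bridge on this machine
        program  /usr/sbin/brctl "addif br0 %%" wait;
    };
    down {
        program  /usr/sbin/brctl "delif br0 %%" wait;
    };
}
```

Once the tap device is in br0 at both ends, everything behind the AP's wifi/LAN bridge is in the same broadcast domain as the SWANS bridge on burns, which is why the MAC-address list described under Detail is the only thing standing between a wifi client and the wired network. Note also that passwd is one shared secret for the link, not a per-user credential, and vtun's own encryption is not something to rely on over an untrusted network; treat such a link as cleartext unless it is carried inside something stronger.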
Detail
burns does all the routing and NAT. HTTP is transparently proxied through the MCS proxy (via squid on unibus); see /etc/init.d/firewall for the rules that do this.
Address range in use is 10.73.0.0/16, split as:
- 10.73.0.0/24: fixed machines and infrastructure (unibus / smithers / people with GRE / APs / etc)
- 10.73.2.0/24: DHCP
- 10.73.3.0/24: PPTP
There are three ways you can get SWANS service currently:
- Layer 2 -- delivered over a vtun tunnel bridged to the SWANS layer 2, or over eth1 on unibus. Used for the wifi AP, etc.
- Access control is via the list of MAC addresses in /etc/swans/mac; the scripts in /etc/swans can be used to add new ones. Bear in mind that a MAC address is trivially forged, so the list keeps stray devices off the network but will not stop anyone who copies an address that is already on it.
- vtun is slow.
- There may still be a few machines on vtun connections which haven't been migrated to GRE tunnels (playground?).
- PPTP -- the "new" service for ordinary users. When it works, it lets you bring up a tunnel to unibus, which gives you the same access as layer 2.
- Access control is yuckier than it could be; see VpnSettings. Basically, you have a user account on smithers, and this lets you get to a web page with an autogenerated password. At least it ensures users have secure passwords. (PPTP itself is a weak VPN protocol by modern standards, so a strong password is necessary but not sufficient.)
- The Linux PPTP server is unreliable, alas.
- GRE -- used for fixed machines hiding around the place such as smithers and DonaldGordon's random hardware. Statically configured tunnels from unibus; see /etc/network/interfaces. GRE carries no authentication or encryption of its own, so a tunnel is only as trustworthy as the firewall's filtering of inbound protocol 47 by source address.
- GRE is kernel-space and MUCH faster than vtun; I've seen old-unibus happily forwarding packets at 70Mbps over it between smithers and citylink.
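For the GRE item, this is the shape of one statically configured tunnel in Debian's /etc/network/interfaces, added here as an illustration rather than copied from unibus. The interface name, the public endpoint addresses (taken from documentation ranges) and the two 10.73.0.0/24 tunnel addresses are assumptions; only the tunnel method and its option names come from ifupdown.

```text
# /etc/network/interfaces fragment (added illustration; all addresses assumed)
auto gre-smithers
iface gre-smithers inet tunnel
    mode     gre
    # this machine's own public address
    local    203.0.113.10
    # the far end's public address
    endpoint 198.51.100.7
    # inner addresses, one pair per tunnel, inside the fixed-machine /24
    address  10.73.0.65
    dstaddr  10.73.0.66
    netmask  255.255.255.255
    ttl      64
    # 1500 minus the 20-byte outer IP header and 4-byte GRE header
    mtu      1476
```

A GRE packet is just IP protocol 47 with no authentication, so any host that can reach the endpoint with a spoofed source address can inject packets into the tunnel. The firewall on the GRE endpoint should therefore accept protocol 47 only from each configured peer, for example `iptables -A INPUT -p 47 -s 198.51.100.7 -j ACCEPT` ahead of the default drop, with one such rule per tunnel.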
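The MAC-address list under the Layer 2 item is the only access control on that path, so it is worth seeing how such a list turns into enforcement. The script below is an added example, not one of the scripts in /etc/swans: it assumes a list with one MAC per line, an optional label after it and `#` comments (the real format of /etc/swans/mac is not described here), and it emits iptables rules into an assumed chain SWANS_MAC rather than applying them, so it can be read and checked before use. The sample list at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not a script from /etc/swans): turn a MAC allow-list into
# iptables rules. Assumed list format: one MAC per line, optional trailing
# label, '#' starts a comment. The chain name SWANS_MAC is an assumption.

# Accept a MAC only if it is six colon-separated hex octets (any case).
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the iptables commands that let the listed MACs through and drop the
# rest. Malformed entries are reported on stderr and skipped, and the function
# returns non-zero if any were found, so a bad edit to the list gets noticed
# instead of silently shrinking the allow-list.
gen_mac_rules() {
    maclist=$1
    chain=${2:-SWANS_MAC}
    bad=0
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # strip comments and blank lines, keep only the first field of each line
    for mac in $(sed 's/#.*//' "$maclist" | awk 'NF { print $1 }'); do
        if valid_mac "$mac"; then
            mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
            # -m mac matches only where the source frame is still known:
            # PREROUTING, INPUT and FORWARD (fine for traffic off the bridge)
            echo "iptables -A $chain -m mac --mac-source $mac -j RETURN"
        else
            echo "rejected malformed entry: $mac" >&2
            bad=$((bad + 1))
        fi
    done
    # anything not returned above is not on the list
    echo "iptables -A $chain -j DROP"
    [ "$bad" -eq 0 ]
}

# Demo with a constructed list (not the contents of /etc/swans/mac).
demo_list=$(mktemp)
cat >"$demo_list" <<'EOF'
# constructed sample list
00:11:22:33:44:55  laptop
AA:BB:CC:DD:EE:FF  ap-wifi
00-de-ad-be-ef-00  wrong separator, will be rejected
EOF
gen_mac_rules "$demo_list" || echo "list had bad entries; see stderr" >&2
rm -f "$demo_list"
```

The generated chain still has to be jumped to from FORWARD (or INPUT) for frames arriving from the SWANS bridge, and, as noted above, it only keeps out devices that do not bother to copy an allowed address.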
Traffic is monitored via iptables, perl, and rrdtool: http://interface.org.nz/~don/rrd/external.cgi
