mystifying guest traffic tunneling switching with stellar AP's

Post Reply
dsdwn
Member
Posts: 7
Joined: 09 Feb 2011 18:19

mystifying guest traffic tunneling switching with stellar AP's

Post by dsdwn » 30 Aug 2019 17:00

It may or may not be of interest ... , but after I found myself ice-bucket-challenged in an Omni-Vista/Stellar-project not so long ago, I had to learn really fast, how to make use of the equipment.
Since the first versions of OmVi which introduced stellar support showed a - in my opinion - kind of megalomaniac appraoch to simply put a SSID into the air, I really made my peace with that piece of software now (specially with v4.3.3 & v4.4.1).

Project ongoing, beginning to think you know what you're doing, you find yourself vlan-tagging through a "managed-by-[many*]-network"

... you begin to dream to left all the ugly vlan-tagging-work behind (which is the work of a sissyphus in a "managed-by-[many*]-network").

And your dream come true !!

!!! GTTS !!!

Simply tunnel the traffic over the heap and let many network-managers be many network-managers 8 )

BUT !

... you have to learn fast (again):

- it's effin expensive
- and it's effin expensive

to elitify yourself from your fellow network-managers : |

The vendor-intended switch is a 6860(E?) which is a nice piece of metal ... but we have to admit: not the cheapest one !
And while your sales-manager gives you the thumbs down you begin to brood for freedom and revenge !

And ... young spartacus-gtts-adepts of the galaxy ! ... it's easy done.

#######################################################################

When you lay a merciful eye with your preferred network-sniffer onto the protocol, you learn:

- the vendor is using a standard protocol to realize the l2 tunneling over the heap: "gretap"
... l2-transport-version of cisco GRE-implementation with RFC-blessing
(of course, stellar-ap's running a customized version of OpenWRT, so using a standard protocol
makes sense and keeps the own hardware tidy for the future [ which we all know, nobody knows and we appriciate that *2])

- the vendor is using gre-keys between ap's and it's standard-protocol-using somewhat expensive GTTS-switch
so ... a while later, after I made some investigations (and no Stanford- or MIT-Skills were needed ... ),
I found out the gre-keys used for the communication between the Stellar-AP and a probable remote-device
are an addition from the tunnel-id wich is configured in OmVi and a "Flow-ID" which is taken from the last octect
of the client-mac-address which is connected to the respective SSID (... and therefore tunnel-id)

... when google'ing "switch & gretap" one of the resulting link will point you to -> OVS

#######################################################################

than .. of course ... you have to do the OVS-thing (for me it took three days)

#######################################################################

Code: Select all

                                               Please view in a fixed-width font such as Courier.


                                                                                             AP17
                                                                                            +------------+
           +-----------------------------------------------------+                          |    ----    |
           | Debian-VM                                           |                          |  /      \  |
           |                                                     |                       g2 | |        | |   SSID-Y  OmniV-ID 11 [0xB]
          +++        +-------+                +-------+          |         +----------------+-+        | |
          | |        |       o----------------o       |         +++        |                |  \      /  |   each 255 flows   0xB00-0xBFF
          | |        | br11  | 1101       101 |       |         | |        |  192.168.222.17|    ----    |
          | o--------o       |                |       |         | |        |                |    ----    |
          | |     20 |       |                |       o---------+-+--------+                |  /      \  |
          | |        |       | 1102           |       |         | |               +---------+-+        | |   SSID-X  OmniV-ID 12 [0xC]
          | |        |       o-----+          |       |         | |               |      g1 | |        | |
          +-+        +-------+     |      102 |       |         | |               |         |  \      /  |   each 255 flows   0xC00-0xCFF
     ens256|                       |    +-----o       o---------+-+---------------+         |    ----    |
           |                       |    |     |       |         | |                         +------------+
           |                       |    |     |  br0  |    1    | |192.168.100.82
           |                       |    |     |       |         | |                         +------------+
           |                       +----+-----o       o---------+-+---------------+         |    ----    |
          +++        +-------+          | 103 |       |         | |               |         |  /      \  |
          | |        |       o----------+     |       |         | |               |      g2 | |        | |   SSID-Y  OmniV-ID 11 [0xB]
          | |        | br12  | 1201           |       |         | |               +---------+-+        | |
          | |     10 |       |                |       o---------+-+--------+                |  \      /  |   each 255 flows   0xB00-0xBFF
          | o--------o       |                |       |         | |        |                |    ----    |
          | |        |       | 1202       104 |       |         | |        |  192.168.222.16|    ----    |
          | |        |       o----------------o       |         +++        |                |  /      \  |
          +-+        +-------+                +-------+          |ens192   +----------------+-+        | |   SSID-X  OmniV-ID 12 [0xC]
     ens224|                                                     |                       g1 | |        | |
           |                                                     |                          |  \      /  |   each 255 flows   0xC00-0xCFF
           +-----------------------------------------------------+                          |    ----    |
                                                                                            +------------+
                                                                                             AP16

                                                                                                   Tunnel-ID=[(OmniV-ID)(LastClient-MAC-Octett)]

######### and some config-data ###########

Code: Select all

###################################################

apt-get update
apt-get install aptitude
aptitude install bridge-utils
aptitude install ebtables
aptitude install vlan
aptitude install net-tools
aptitude install openvswitch-switch openvswitch-ipsec openvswitch-test

###################################################

ovs-vsctl add-br br0
ovs-vsctl add-br br11
ovs-vsctl add-br br12

ip link set ens224 up
ip link set ens256 up
ip link set br0 up
ip link set br11 up
ip link set br12 up

ovs-vsctl add-port br0     allgretap -- set interface allgretap ofport_request=1 type=gre options:remote_ip=flow options:key=flow options:mtu=1500
ovs-vsctl add-port br0     br0p1 -- set interface br0p1 type=patch options:peer=br11p1 ofport_request=101
ovs-vsctl add-port br0     br0p2 -- set interface br0p2 type=patch options:peer=br12p1 ofport_request=102
ovs-vsctl add-port br0     br0p3 -- set interface br0p3 type=patch options:peer=br11p2 ofport_request=103
ovs-vsctl add-port br0     br0p4 -- set interface br0p4 type=patch options:peer=br12p2 ofport_request=104

ovs-vsctl add-port br11    br11p1 -- set interface br11p1 type=patch options:peer=br0p1 ofport_request=1101
ovs-vsctl add-port br11    br11p2 -- set interface br11p2 type=patch options:peer=br0p3 ofport_request=1102
ovs-vsctl add-port br11    ens256 -- set interface ens256 ofport_request=20

ovs-vsctl add-port br12    br12p1 -- set interface br12p1 type=patch options:peer=br0p2 ofport_request=1201
ovs-vsctl add-port br12    br12p2 -- set interface br12p2 type=patch options:peer=br0p4 ofport_request=1202
ovs-vsctl add-port br12    ens224 -- set interface ens224 ofport_request=10


ovs-ofctl add-flow br0 "priority=100, in_port=101, actions=set_tunnel:3071, set_field:192.168.222.17->tun_dst, output:1"
ovs-ofctl add-flow br0 "priority=100, in_port=102, actions=set_tunnel:3327, set_field:192.168.222.17->tun_dst, output:1"
ovs-ofctl add-flow br0 "priority=100, in_port=103, actions=set_tunnel:3071, set_field:192.168.222.16->tun_dst, output:1"
ovs-ofctl add-flow br0 "priority=100, in_port=104, actions=set_tunnel:3327, set_field:192.168.222.16->tun_dst, output:1"

ovs-ofctl add-flow br0 "priority=101, in_port=1, tun_src=192.168.222.17, tun_id=0x0B00/0xFF00 actions=101"
ovs-ofctl add-flow br0 "priority=101, in_port=1, tun_src=192.168.222.17, tun_id=0x0C00/0xFF00 actions=102"
ovs-ofctl add-flow br0 "priority=101, in_port=1, tun_src=192.168.222.16, tun_id=0x0B00/0xFF00 actions=103"
ovs-ofctl add-flow br0 "priority=101, in_port=1, tun_src=192.168.222.16, tun_id=0x0C00/0xFF00 actions=104"

ovs-ofctl add-flow br0 "priority=10, actions=drop"

ovs-ofctl add-flow br11 "priority=100 in_port=1101, actions=20"
ovs-ofctl add-flow br11 "priority=100 in_port=1102, actions=20"
ovs-ofctl add-flow br11 "priority=100 in_port=20, actions=normal"

ovs-ofctl add-flow br11 "priority=10, actions=drop"

ovs-ofctl add-flow br12 "priority=100 in_port=1201, actions=10"
ovs-ofctl add-flow br12 "priority=100 in_port=1202, actions=10"
ovs-ofctl add-flow br12 "priority=100 in_port=10, actions=normal"

ovs-ofctl add-flow br11 "priority=10, actions=drop"

ip link set ens224 up
ip link set ens256 up
ip link set br0 up
ip link set br11 up
ip link set br12 up

######################

ovs-appctl fdb/show brX


#####################################################################################
#####################################################################################

*(abled and disabled)

*2 I mean: using standard-protocols
Last edited by dsdwn on 30 Aug 2019 17:55, edited 1 time in total.

dsdwn
Member
Posts: 7
Joined: 09 Feb 2011 18:19

Re: mystifying guest traffic tunneling switching with stellar AP's

Post by dsdwn » 30 Aug 2019 17:40

one last thing !

When you study the setup profoundly, you will mention, that my setup is sending all traffic back to the AP with the last possible flow-id (which is FF).
And this is accepted by the stellar-ap that way ... I've tested ... from the client-side ... everything worked without flaws.
(the AP accepts every flow-id, as long you're in range with the "master-OmVi-ID")

Since I am not in the posession of on 6860E, I don't know if my setup breaks a "by-the-book-implementation"; it would be nice to have trace from an original GTTS-Setup.

Often OVS is used to tap traffic-data for analyzing.
... it is highly probable, that the stellar/OpenWRT-Side has also an OVS-setup, which is used to grab traffic-data for analysis and doing the flow-id'ing-job.
... so blind sending to FF could maybe falsify flow-data seen in OmVi ?!

There's no way looking into the stellar-ap-side, than the support account ... there is only one tunnel-interface per ssid (you can do an ifconfig)
... so the per-flow-keying is done by a proprietary-driver OR with OVS 8 |

... it seems that is possible to work with variables inside a flow in OVS (haven't figured yet ... lack of stanford-skills and examples : )
... what I mean ... inside a flow, it seems possible to take notice of client-mac ... and alter the gre-key accordingly ... but ... I couldn't say or guess how that is done until now. I see some tools and handles in the OVS-Cli ... but unsure how to use.

but: an original GTTS-Trace would spare me sleepless nights ( ... or make it worth)

okay ... there's yet really a last thing:
in couple of days I got back my 10G/40G testequipment back from the field ... will have some hardware-perf-tests with that setup ... and will keep you updated

Post Reply

Return to “OmniAccess Stellar Enterprise”