
#1 2020-07-31 22:28:44

mlouala
Member
Registered: 2020-07-30
Posts: 1

Forwarding a bonded connection to the local network through a stateful firewall

Hi there,

I'm setting up a firewall for a school which will stream each class's video to students at home, so I need a strong and safe connection.
That's why I was thinking about bonding multiple connections to increase stability and the stream's bandwidth. I have a TP-Link TL-SG1016PE and it doesn't support IEEE 802.3ad dynamic link aggregation, so I chose to set my bonding setup to the balance-tlb mode.

All these methods are very new to me, so please enlighten me if something's wrong in my plan.

So my physical configuration is the following:

ETH                  =>  |                                             |
                         |   MY FIREWALL                               |  =>  *COMPUTER 1
WIFI                 =>  |   =>  BONDING  =>  MY SWITCH  =>            |  =>  *COMPUTER 2
                         |                                             |  =>  *COMPUTER 3, etc
*n TETHERED          =>  |
PHONES TO USB            |


Following these instructions and a few others I managed to set up my stateful firewall, which allows me to share the connection to a local network, and that's working perfectly with iptables, port forwarding and dnsmasq.

Here is the output of ip a when connection forwarding is working fine:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s20u1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:cd:92:83:53:c0 brd ff:ff:ff:ff:ff:ff
3: enp0s20u4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 42:4b:12:8f:33:9d brd ff:ff:ff:ff:ff:ff
4: home0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e8:a6:68:6b:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.0/24 scope global home0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e8:a6ff:fe68:6b00/64 scope link
       valid_lft forever preferred_lft forever
5: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e8:a6:68:6b:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.35/24 brd 192.168.0.255 scope global dynamic noprefixroute net0
       valid_lft 42678sec preferred_lft 37278sec
    inet6 2a01:e0a:258:c2d0:c55f:7102:5bea:a7a1/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86391sec preferred_lft 86391sec
    inet6 fe80::a304:76bf:a944:3a76/64 scope link
       valid_lft forever preferred_lft forever
6: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 70:77:81:69:5f:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::7277:81ff:fe69:5f1d/64 scope link
       valid_lft forever preferred_lft forever

and what is in my iptables.conf (the same in ip6tables.conf, except that the IP addresses are in IPv6 format) (I need the multiport lines to allow the WebRTC protocol to work seamlessly):

# Generated by iptables-save v1.8.4 on Fri Jul 31 01:49:07 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o net0 -j MASQUERADE
COMMIT
# Completed on Fri Jul 31 01:49:07 2020
# Generated by iptables-save v1.8.4 on Fri Jul 31 01:49:07 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
-A INPUT -i net0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 53 -j ACCEPT
-A TCP -p tcp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A TCP -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A UDP -p udp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A UDP -p udp -m udp --dport 49152:65535 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A fw-interfaces -i home0 -j ACCEPT
COMMIT
# Completed on Fri Jul 31 01:49:07 2020

and the contents of dnsmasq.conf:

interface=home0
dhcp-range=192.168.1.10,192.168.1.250,12h
dhcp-option=6,10.202.0.1,1.1.1.1

So, like I said before, I set up my bond in mode 5 using the netctl method and it seems to work; with 2 phones, ethernet and wifi I get this output for

$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: enp0s20u1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: net0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:e8:a6:68:6b:01
Slave queue ID: 0

Slave Interface: wifi0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 70:77:81:69:5f:1d
Slave queue ID: 0

Slave Interface: enp0s20u1
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 36:cd:92:83:53:c0
Slave queue ID: 0

Slave Interface: enp0s20u4
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 42:4b:12:8f:33:9d
Slave queue ID: 0

So I'd like to forward this connection bond0 to my home network. I have attempted three naive approaches to make it work:

  • First I tried to replace every mention of net0 in the iptables config with bond0; it didn't work.

  • I also tried to add all my outputs, namely "wifi0, net0, bond0, etc.", with this line

    -A INPUT -i net0 -p udp -m udp --dport 67 -j ACCEPT

    in my iptables.conf file; it didn't work.

  • Finally I tried... to simply change the name of my working output interface in the connection forwarding set-up: I named it "internet0" and I gave my bond connection the name of the previously working output, "net0". Yeah, it sounds dumb... Well, surprisingly it didn't work either.

So my questions are:

  • Will bonding mode 5 be of any utility in my classroom streaming project? The description in the doc seems to match my concerns: "the outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave". Looks great.

  • If the answer to the first question is "yes", how can I correctly forward the connection to the bond interface?

Well, I hope everything's clear; if not, let me know what's missing to help you help me :-)
Have a great day,
Peace,

Last edited by mlouala (2020-07-31 22:49:57)
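Before re-targeting the ruleset at bond0, it is worth auditing the filter table as posted, because two details in it decide what the firewall actually exposes. The TCP and UDP user chains are defined and filled with port rules, but no rule ever jumps to them; instead the two INPUT rules "-p udp -m conntrack --ctstate NEW -j ACCEPT" and "-p tcp ... --ctstate NEW -j ACCEPT" accept every new UDP datagram and every new TCP SYN from any interface, so the per-port rules above them and the two REJECTs below them never decide anything for new traffic. Likewise "-A INPUT -p ipv6 -j ACCEPT" matches IP protocol 41 (IPv6-in-IPv4 encapsulation) from anywhere. The script below is an added example, not code from the original post: it parses an iptables-save table, lists user chains nothing references, lists INPUT ACCEPTs that carry no -s, -i or ESTABLISHED restriction, and shows the same table with NEW-state dispatch routed through the TCP/UDP chains. RULESET is the post's own *filter table with the port rules abridged; parse, unreferenced_chains, broad_accepts and harden are names assumed for this example.

```python
"""Audit an iptables-save filter table for dead user chains and catch-all
ACCEPTs. Added example, not from the original post: RULESET is the post's
*filter table (abridged); the functions are new, assumed names."""
import shlex

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}

# Constructed sample: the post's *filter table with the port rules abridged.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i net0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A fw-interfaces -i home0 -j ACCEPT
COMMIT
"""


def parse(ruleset):
    """Split one iptables-save table into chain policies and -A rules."""
    chains, rules = {}, []
    for line in ruleset.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            rules.append({"chain": tok[1], "tokens": tok[2:],
                          "target": target, "raw": line})
    return chains, rules


def unreferenced_chains(chains, rules):
    """User chains no rule jumps to: everything in them is dead."""
    referenced = {r["target"] for r in rules}
    return sorted(c for c in chains if c not in BUILTIN and c not in referenced)


def broad_accepts(rules):
    """INPUT rules that ACCEPT with no -s, no -i and no ESTABLISHED match:
    whatever they match is reachable from every interface, WAN included."""
    found = []
    for r in rules:
        t = r["tokens"]
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if "-s" in t or "-i" in t:
            continue
        if "--ctstate" in t and "ESTABLISHED" in t[t.index("--ctstate") + 1]:
            continue
        found.append(r["raw"])
    return found


def harden(ruleset):
    """Dispatch NEW-state UDP/TCP into the UDP and TCP chains the table
    already defines instead of ACCEPTing all of it outright."""
    udp = "-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT"
    tcp = ("-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN "
           "-m conntrack --ctstate NEW -j ACCEPT")
    return (ruleset.replace(udp, udp[:-len("ACCEPT")] + "UDP")
                   .replace(tcp, tcp[:-len("ACCEPT")] + "TCP"))


if __name__ == "__main__":
    chains, rules = parse(RULESET)
    print("unreferenced chains:", unreferenced_chains(chains, rules))
    for raw in broad_accepts(rules):
        print("broad accept:", raw)
    chains, rules = parse(harden(RULESET))
    print("after harden:", unreferenced_chains(chains, rules),
          "unreferenced,", len(broad_accepts(rules)), "broad accepts left")
```

On the posted table the audit reports TCP and UDP as unreferenced and four broad accepts (protocol 41, ICMP echo, all NEW UDP, all NEW TCP); after harden only the protocol-41 and echo rules remain broad, and new connections are admitted only on the ports the TCP/UDP chains list. Run it against a live box with parse(open("/etc/iptables/iptables.rules").read()) or the output of iptables-save. Since the TCP/UDP chains as posted carry no -i, a practitioner would likely also add -i home0 to those rules so that SSH, DNS and the WebRTC ports are not offered on the WAN side, whichever interface (net0 or bond0) that ends up being.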

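For the first question, a check a practitioner would run before tuning mode 5 is to read /proc/net/bonding/bond0 programmatically rather than by eye, because the answer hangs on the slave state: the quoted doc says the load is computed relative to each slave's speed, yet three of the four slaves here report "Speed: Unknown" and wifi0 is down. One caveat worth stating plainly: the bonding driver's modes, balance-tlb included, aggregate links that all attach to the same layer-2 segment behind one bond MAC and IP address; they do not spread flows across independent uplinks that each carry their own DHCP lease and default gateway, which is what the Ethernet, the WiFi and each tethered phone are in this setup. The parser below is an added example, not code from the original post: BOND_STATUS is the post's own cat output embedded so the script runs offline, and parse_bond and link_report are names assumed for this example.

```python
"""Parse /proc/net/bonding/<bond> output and report slave state. Added
example, not from the original post: BOND_STATUS is the post's own cat
output; parse_bond() and link_report() are new, assumed names."""
import json

# Constructed sample: the post's /proc/net/bonding/bond0 output, verbatim.
BOND_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: enp0s20u1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: net0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:e8:a6:68:6b:01
Slave queue ID: 0

Slave Interface: wifi0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 70:77:81:69:5f:1d
Slave queue ID: 0

Slave Interface: enp0s20u1
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 36:cd:92:83:53:c0
Slave queue ID: 0

Slave Interface: enp0s20u4
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 42:4b:12:8f:33:9d
Slave queue ID: 0
"""


def parse_bond(text):
    """Return (header, slaves): bond-wide 'Key: value' fields as a dict,
    plus one dict per 'Slave Interface' block. partition() on the first
    colon keeps MAC addresses such as 00:e8:a6:68:6b:01 intact."""
    header, slaves, current = {}, [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        elif current is None:
            header[key] = value
        else:
            current[key] = value
    return header, slaves


def link_report(text):
    """Summarise the bond mode, the active slave and which slaves are down
    or carry no usable speed figure."""
    header, slaves = parse_bond(text)
    up = [s["name"] for s in slaves if s.get("MII Status") == "up"]
    down = [s["name"] for s in slaves if s.get("MII Status") != "up"]
    # balance-tlb weights slaves by reported speed; a slave that is up but
    # reports 'Unknown' (the USB-tethered phones here) deserves a look.
    unknown_speed = [s["name"] for s in slaves
                     if s.get("MII Status") == "up" and s.get("Speed") == "Unknown"]
    return {
        "mode": header.get("Bonding Mode"),
        "active": header.get("Currently Active Slave"),
        "up": up,
        "down": down,
        "unknown_speed": unknown_speed,
    }


if __name__ == "__main__":
    print(json.dumps(link_report(BOND_STATUS), indent=2))
```

On a live system call link_report(open("/proc/net/bonding/bond0").read()); on the posted output it reports mode "transmit load balancing", active slave enp0s20u1, wifi0 down, and enp0s20u1 and enp0s20u4 up with unknown speed. Empty "down" and "unknown_speed" lists are what you want to see before relying on the speed-weighted balancing the doc describes.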
