I'm Mary and I'm a tripscape. So that's why I'm here to talk about how to over-complicate a home network without spending too much money. And yeah, part of my presentation style: I can never get anything pretty, so I just don't try. So when I say a complicated network, I don't really mean this. Yeah, that's what VLAN stuff is for; you don't need all that. And you certainly don't need all this either, which is what I had a while ago. I hope you guys can see that from back there.

So why do I want to complicate a home network? Well, I want to run a service and I have a housemate. So separation between service and quality of service are pretty high on my list of priorities. And until I get on the National Broadband... but no, yes. Control. The problem was it was explaining too much. So Control-Alt. Control-Shift. If we do that and then maximise it, maybe we can... Yeah, that looks better. Can we get rid of one of the tabs and then... Okay, there you go. That's okay. Let's just close one of them. Okay. Okay, that looks better. Except I can't throw in this. Technology. So yeah, yep.

So until I get on the National Broadband Network with unlimited quota, my housemate is going to have to live with traffic shaping. And... hey, at the beginning of the year, I said to him, well, do you want to go halves on the internet, or shall I reserve the right to pull a Comcast on you? And he picked the latter, so... yeah.

Public IP addresses are actually quite cheap nowadays. I'm paying about $130 a year for a block of /29, which is quite cheap, which I use for my service. So this is a list of my hardware components. My OpenBSD router comes to about $170, which is cheaper than most of your second-hand Cisco gear. And I have a Linksys modem. It's quite a big chunk of change in there, but it's not useful at the moment because I just have it in bridge mode. It was good back in the day because it has 64 megs of RAM and 16 megs of flash, which is pretty good for BitTorrent.
See, the modem doesn't die after, like, two days. And I also have a managed switch. This is a re-badged Linksys; I know this says Cisco, but it's actually a re-badged Linksys. I actually got it for under $100. I thought it was a pretty good deal for a gigabit switch with 8 ports, although I think right now it's around $150. So in total, it's only a bit over $300, which is actually a lot cheaper than my second-hand Cisco 1841.

So this is what it looks like logically. So there's a pointer. So that's my DSL modem here. It just runs in bridge mode nowadays. And down here I have my OpenBSD router. It does a PPP over Ethernet session to my ISP, which is TPG. And we all love IPv6, so I have an IPv6 tunnel. And this is the most central part of my network. It has all the VLANs configured, so I get my separation between all the hosts. I have a dumb switch here. It doesn't really do much at the moment, and it's a pretty cheap thing, but I have it there because I prefer to use Wi-Fi for my laptop and I don't really want to run a 30-meter Ethernet cable between my room, which is where this is, and this thing in the living room. And this is a wireless access point, which is what my housemate uses to get online, and obviously the phone and the Wii connect to it. And this thing here is my Linux desktop. It runs VMware Server and has all the VLANs configured, so I have this pretty little virtual switch there.

So why OpenBSD? Well, packet filter is so damn awesome. It was a lot better than ipchains when I first started to use it, and it has nice out-of-the-box features like a traffic shaper, load balancer, and stuff like that, which I know you can get modules for iptables nowadays if it's not already built in, but if it ain't broke, I ain't fixing it. And it's also really stable between releases.
I started using it when it was 3.2 or something, and the really big change I've noticed, well, the only one rather, was between 4.6 and 4.7 where they changed the syntax of the packet filter rules. And I love that last one: only two remote holes. That makes me really warm and fuzzy inside.

So VLANs: complex networks need complex separation. So what I've done is I've mapped each VLAN to a public address and an IPv6 subnet, which is a static /64. So I've created trunks to the router and from the VMware server, which is pretty easy, just clicky-clicky on the Linksys switch. And obviously, I need to do inter-VLAN routing on the OpenBSD router. So on OpenBSD, it's this file here. You just first configure the IPv4 stuff: so the address, subnet, this is the broadcast mask, NONE, which is just derived from the netmask, and also the VLAN stuff. And since I use IPv6, I just alias an IPv6 address onto it with a prefix length of 64. And on Linux, I just do pretty much the same thing to create the VLAN interface. I know most people prefer using the vconfig command, but apparently that's deprecated according to what Google says.

And this is my favorite part, because I have so many IP addresses. This is the packet filter config under OpenBSD. So I have my definitions up here of my various public IP addresses. And then I make the VLAN definitions as well. So each VLAN is a /24. And then I have the NAT rules for each VLAN. And notice how here I have the static-port setting for this VLAN. This is because Nintendo Wi-Fi Connection is really anal. And the static-port setting tells packet filter not to translate the source and destination... wait, no, just the source port for TCP and UDP packets. And without that, I figured out that tcpdump actually says a lot of UDP port originals and, yeah, Nintendo Wi-Fi doesn't work. And by the way, this is OpenBSD 4.7 syntax.

IPv6. Well, obviously we're running out of IPv4 addresses, apparently. And IPv6 is also really fun to play with.
So I got an IPv6 tunnel from iNet via the broker service. I had a /48 back in the day, but I forgot my password. So a /56 is still pretty good nowadays. So what I've done is I've assigned a /64 for each VLAN, which is just enough on this /56. And I quite like doing that because stateless autoconfig needs to have a /64 as the prefix length in order to work. Although I don't really do that on all of my VLANs, because stateless autoconfig can be kind of evil because it sticks your MAC address in there. That applies for most of the Linux implementations and also for all Cisco devices. So yeah, I'm kind of paranoid, in case you haven't noticed. The IPv lens gave that away. Well, but you still did get the MAC addresses if you're outside my network.

So yeah, firewall. That's really fun, because a complex network comes with complex firewall rules. So a lot of the stuff depends on the firewall rules that apply to inter-VLAN routing. So like I mentioned before, I want separation between our servers. So the hard part is that our servers need to be able to talk to the internet but not to each other unless they are explicitly allowed to. So I also need rules for both IPv4 and IPv6, because autoconfig is so nice and easy to use. I have quite a few of my Windows virtual machines that are directly connected to the internet via IPv6. And yeah, too paranoid for that, as usual. So here's a snippet of my firewall config. So I have definitions up here and definitions for VLANs. And here are some examples. This one says allow pings from these VLANs to each other, and this VLAN can connect to SSH, and this VLAN here has some freedom with IPv6 traffic. And obviously down here I have a default block rule.

And here's my Linux desktop spec. I'm running out of time so I won't go through that. But it's a quite beefy box that I built a few years ago because I knew I was going to run some virtual machines. VMware Server.
I love VMware Server even though it's only free as in beer, not free as in openness. But it's quite nice because management-wise it's really nice with the clicky-clicky stuff, which I like. And I don't really like VirtualBox because it doesn't let me do a lot of things, like reverting snapshots while it's powered on. And I quite like this interface because I can change VLAN associations just with the drop-down menu, and I can do that while the host is powered on.

And here's my list of encountered issues, and yeah, I've spent many weekends geeking out trying to figure things out. So the first problem was pretty easy to fix: free-as-in-beer software doesn't get maintained very well. So this problem here was the VLAN tag, because VMware grabs the tagged frame off the wire before the tag gets stripped. So a simple change in the code: tell it there's a VLAN header, it's okay, just deal with it. And then it works.

And problem two. I actually didn't notice this problem for a while. What happened was I kind of noticed my traffic going out one way, which is eth0, and then coming back from eth1. I'm like, well, that's not supposed to happen, because my default gateway is set to eth0. So it turns out that Linux has this arp_filter turned off by default, so that my router actually had the wrong MAC address in its ARP cache. So after I turned the filter on, it was all good.

And the third problem I spent ages on. I just had no idea why VLAN tagging wasn't working, and the moral of the story is it's because I was using ancient software. That installation of OpenBSD had been dd'd across three hard drives and two physical boxes. Yeah, so I had an excuse to upgrade.

And to-do list: my ISP offers IPTV, so I've got to set that up sometime. And then I want to put SELinux on all my public-facing servers, because I've recently gained an appreciation for it. It's actually quite nice, although complicated. And notice how I didn't put the cost of a hard disk in for my router.
It's because I plan to PXE boot it anyway, so it's going to be a diskless system. And lastly I want to set up my Linux box, the one that runs VMware Server, as a wireless access point, because Google is kind of evil. Sorry to the Google employees here, but I don't really feel warm and fuzzy inside knowing that my wireless router's MAC address can be associated with my location down to, like, a 200-meter radius. And I noticed also that having a hidden SSID doesn't help. So yeah, that's why I want to bridge the wireless interface to one of the VLANs. And then at least on Linux I can soft-change the MAC address easily. And my favorite MAC address is dead-beef-dead. And yeah, I really need a term for all that. So yeah, there we go. That's the end of our talk. Thanks.
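The two pieces of router config the talk walks through, the per-VLAN hostname.vlanN files with an IPv6 alias and the pf ruleset (per-VLAN NAT with static-port for the Wii's VLAN, then "internet yes, other VLANs no" with a default block), as an added example that is not the speaker's own configuration. It is a POSIX shell script that stages such a config from a small VLAN table into a scratch directory instead of /etc, so it can be run and inspected without root on any machine. Everything concrete in it is assumed for illustration: the interface names (em1 trunk, pppoe0 ISP session, gif0 IPv6 tunnel), the VLAN numbers and names, the documentation prefixes 203.0.113.8/29 and 2001:db8:1200::/56 standing in for a real /29 and /56, and the desktop-to-servers ping/SSH exceptions. Rule syntax is the OpenBSD 4.7 `match ... nat-to` form the talk mentions.

```shell
#!/bin/sh
# Added example, not the speaker's config: stage per-VLAN hostname.if files
# and a pf.conf (OpenBSD 4.7 syntax) from a VLAN table. Output goes to $OUT
# rather than /etc so it runs unprivileged anywhere.
# Assumed for illustration: em1 is the trunk to the managed switch, pppoe0
# the ISP session, gif0 the IPv6 tunnel; addresses are RFC 5737 / RFC 3849
# documentation prefixes standing in for a real /29 and /56.
TRUNK=em1
EXT4=pppoe0
EXT6=gif0

# One VLAN per line: id name ipv4_net public_ipv4 ipv6_/64_prefix flag
# "static-port" marks the VLAN whose NAT must leave source ports alone
# (the Nintendo Wi-Fi Connection case); "-" means no flag.
VLANS='10 servers 10.0.10.0/24 203.0.113.9  2001:db8:1200:10:: -
20 desktop 10.0.20.0/24 203.0.113.10 2001:db8:1200:20:: -
30 wifi    10.0.30.0/24 203.0.113.11 2001:db8:1200:30:: static-port'

# The router takes .1 / ::1 of every subnet.
gw4() { n=${1%/*}; echo "${n%.0}.1"; }
gw6() { echo "${1}1"; }

# Space-joined column $1 of the table, each entry wrapped in $2 ... $3.
col() {
  echo "$VLANS" | awk -v c="$1" -v pre="$2" -v suf="$3" \
    '{ s = s (NR > 1 ? " " : "") pre $c suf } END { print s }'
}

# /etc/hostname.vlanN: IPv4 address, netmask, broadcast (NONE = derive it
# from the mask), the 802.1Q tag and parent, then the IPv6 alias with /64.
write_hostname_files() {
  echo "$VLANS" | while read -r id name v4 pub v6 flag; do
    printf 'inet %s 255.255.255.0 NONE vlan %s vlandev %s\ninet6 alias %s 64\n' \
      "$(gw4 "$v4")" "$id" "$TRUNK" "$(gw6 "$v6")" > "$1/hostname.vlan$id"
  done
}

write_pf_conf() {
  {
    echo "ext_if = \"$EXT4\""
    echo "ext6_if = \"$EXT6\""
    echo "$VLANS" | while read -r id name v4 pub v6 flag; do
      echo "${name}_if = \"vlan$id\""
      echo "${name}_net = \"$v4\""
      echo "${name}_net6 = \"$v6/64\""
      echo "${name}_pub = \"$pub\""
    done
    # Tables of every VLAN subnet: "to ! <vlans4>" is what turns
    # "reach the internet" into "reach the internet but not the other VLANs".
    printf 'table <vlans4> const { %s }\n' "$(col 3)"
    printf 'table <vlans6> const { %s }\n' "$(col 5 '' /64)"
    echo 'set skip on lo'
    echo '# a VLAN may only source packets from its own subnet'
    printf 'antispoof quick for { %s }\n' "$(col 2 '$' _if)"
    echo '# NAT: each VLAN leaves through its own public address'
    echo "$VLANS" | while read -r id name v4 pub v6 flag; do
      case $flag in static-port) sp=' static-port' ;; *) sp='' ;; esac
      echo "match out on \$ext_if inet from \$${name}_net nat-to \$${name}_pub$sp"
    done
    echo '# default deny, then explicit permits'
    echo 'block log all'
    echo 'pass out quick all'
    echo '# neighbour discovery and router advertisements must pass or IPv6 is dead'
    echo 'pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }'
    echo "$VLANS" | while read -r id name v4 pub v6 flag; do
      echo "pass in on \$${name}_if inet  from \$${name}_net  to ! <vlans4>"
      echo "pass in on \$${name}_if inet6 from \$${name}_net6 to ! <vlans6>"
    done
    echo '# explicit inter-VLAN exceptions (assumed policy): desktop may ping and ssh to servers'
    echo 'pass in on $desktop_if inet proto icmp from $desktop_net to $servers_net icmp-type echoreq'
    echo 'pass in on $desktop_if proto tcp from $desktop_net to $servers_net port ssh'
  } > "$1/pf.conf"
}

OUT=${OUT:-$(mktemp -d)}
write_hostname_files "$OUT"
write_pf_conf "$OUT"
echo "staged router config in $OUT; review it, then: pfctl -nf $OUT/pf.conf"
```

Two caveats before copying the staged files to /etc on a router: always dry-run with `pfctl -nf` first, and note that the VLAN-to-VLAN block also covers the router's own addresses on each VLAN, so anything the router serves to its VLANs (DNS, DHCP, NTP) needs its own `pass in ... to ($vlanN_if)` rule on top of this skeleton.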