Peplink as home gateway/firewall!

I’m a big fan of routers and firewalls. I loved running pfSense back in the day, and before m0n0wall/pfSense I used to run a custom FreeBSD firewall!!

Do you remember m0n0wall?
Yes, the father of pfSense, and some may say that m0n0wall is also the father of OPNsense!

A year ago I decided on a branded router/firewall for the home, just because of one feature. Yes, only one feature made me buy this Peplink Balance 20X.

SpeedFusion

Peplink’s patented SpeedFusion technology powers enterprise VPNs that tap into the bandwidth of multiple low-cost cable, DSL, 3G/4G/LTE, and other links connected anywhere on your corporate or institutional WAN. Whether you’re transferring a few documents or driving real-time POS data, video feeds, and VoIP conversations, SpeedFusion pumps all your data down a single bonded data-pipe that’s budget-friendly, ultra-fast, and easily configurable to suit any networking environment.

This is the description from the official Peplink website [ https://www.peplink.com/technology/speedfusion-bonding-technology/ ]

[Image: network diagram]

There are free alternatives to SpeedFusion, but none of them works this seamlessly; it works so well that sometimes I just forget SpeedFusion is even there.

In my case, I have two Internet connections, one with CLARO (300/75) and a second one with OrbitCable (10/5). Why the second Internet connection? Well, it is cheap, and in case CLARO has issues, I can still be online to read email or even take a Teams call.
A year ago I was running OPNsense with Dual WAN and it was OK. Then I got my hands on an old Balance 20 (the previous model of the 20X, and slower) and played a little with SpeedFusion. At that moment I was convinced that this solution is better for multiple Internet connections because of the bonding options: the failover is transparent, since the IP of the VM hosting the other side of the SpeedFusion tunnel is the one used for establishing connections.

It looks like this (almost…):

[Image: network diagram]

My drawing skills are dead.

[Image: screenshot of a computer screen]

Traceroute from a machine with a policy rule that sends its traffic via the SpeedFusion tunnel. A few machines use this policy and reach the Internet through the bonded tunnel.

[Image: screenshot of a computer program]

Traceroute from a machine without a route policy rule, going out via CLARO. This is the normal behavior for the entire network: if CLARO goes down, the traffic moves over to Orbit.

What are the advantages of this?

  • Using the SpeedFusion tunnel, the remote end doesn’t see my real WAN IP, so if one of the WANs goes down, the connection doesn’t reset.
  • The classic Dual WAN/Load Balance is still available; using policies you can manage how the WANs are used inside the tunnel.
  • You can publish internal services using the SpeedFusion VM’s WAN IP address and only need to open ports on that VM hosted in the remote data center.

Any disadvantages?

  • Yes, some sites detect my connections as bots/crawlers, and I need to complete captchas to get into some sites (Cloudflare, eBay and others).
  • Slow: the bandwidth available inside the VPN is 100Mbps, a hardware limitation of the Balance 20X.
  • Price: for this model I need to pay for the 2nd WAN. It only has one Ethernet WAN, so I need to create a Virtual WAN, which costs $49/y; the Balance 20 has two Ethernet WANs. I wasn’t aware of this until I got my hands on the 20X.

Special Use Case?

I’ve been running an ASN-enabled network for almost 6 years. A big part of this network is connecting different Linux VMs with BGP via GRE/WireGuard tunnels to be able to route to the Internet using a /24 of publicly routable IPv4 and a /40 of IPv6 addresses.

There is a Mikrotik RB3011 connected directly to the Peplink. Over this connection a GRE tunnel is formed with another Mikrotik (CHR) running in the same virtual network as the SpeedFusion VM; the CHR receives a default route from a Debian VM with BGP sessions to BuyVM routers, so there are a lot of configurations in place. Before this setup, there were two WireGuard tunnels to different places to form the BGP sessions; now I only need one, which runs on top of the two WANs.

[Image: black screen with white text]

It’s cleaner, I think… this is a topic for an upcoming post!

Cilium BGP Lab with LoadBalancing and more!

At this point, we know how to install Cilium and create a BGP peering with our routers. Now we need to let the outside world reach our Kubernetes apps.

If you don’t have the KinD cluster with Cilium, go to https://arielantigua.com/weblog/2024/07/cilium-bgp-lab-locally/

When using Cilium you can reach an application using the Pod IP address or using a LoadBalancer IP assigned to a Service. In the previous article we only advertised the Pod addresses to our BGP neighbors; let’s add more stuff so we can get closer to a real deployment.

If you have already cloned the repo, do a pull so you get the new config files and the other additions in the Makefile, or better yet, make a fresh clone of the repo and start from scratch; that’s the idea of the repo!

Continue reading «Cilium BGP Lab with LoadBalancing and more!»

pathvector – a tool to configure BIRD!

I have been using BIRD for a long time to turn those Linux servers into routers with BGP/OSPF and get dynamic routing. One of the initial obstacles with BIRD was the syntax, very different from Cisco and Quagga (now FRR); getting comfortable with it took me time, but I got there.

That change was a long time ago. The second step after adopting BIRD is how easily its configuration can be automated. Something I did in the early days was keeping the configuration files in Git so I could version them; later I used a Docker container that generated the final configurations. Unfortunately, each tool or methodology had its own problems, and I ended up making manual configurations outside of the tool I was trying to adopt.

Continue reading «pathvector – a tool to configure BIRD!»

Routing Security: where we are and where we should be.

Note: This is a post that is published on the ISCO-Dominicana portal; I decided to publish it here as well so I can relate it to other projects I have on my list.

Every day the Internet infrastructure is attacked in ways we do not imagine. In recent years we have seen how people and/or organizations look for ways to profit by exploiting weaknesses in the Internet infrastructure, either by taking over resources or by making those resources unavailable to users.

Many of us know the origin of the Internet. In its early years nobody imagined that this platform would become what it is today, and because of that, many of the protocols that are pillars of the Internet lack the security needed to prevent an attacker from damaging the infrastructure that forms it. Although these protocols did not have the security we want at their inception, that does not mean measures have not been created to protect them.

Continue reading «Routing Security: where we are and where we should be.»

VRF on Linux with BIRD for OSPF/BGP

I have been playing with BGP for a long time; initially I had BGP on pfSense, something simple with just a few routes, back in the dn42 days.

In 2016 I found a community of several Internet-scale networking enthusiasts and was able to obtain an ASN registered with RIPE.

Many things have changed since those days; I have learned and experimented, and learning is the reason aaNetworks exists. The complicated part of my network with public IP addresses and an ASN is that locally, at home, there is no possible way to have a BGP session and announce the prefixes from there (imagine CLARO letting you build an L2TP tunnel to a router with BGP!), so I depend on VPSs with Linux and BIRD.

Continue reading «VRF on Linux with BIRD for OSPF/BGP»