On Jul 23, 2011, at 3:38 PM, Randy Bush wrote:
> netflix streaming is not allowed to japan where we live. i can tunnel
> to a server in one of my racks in the states. the tokyo border is a
> soekris running FreeBSD 8. it will kinda look like
>
> .------------------------------.
> | |
> | b --wlan0| ...... Apple TV
> | r |
> WAN IIJ | i --- vr1|
> PPP/NAT ---|vr0[PPPoE][ppp]tun0--d | 192.168.0.0/24
> Public IP Addr | g --- vr2| LAN hosts,
> | e | DHCP Clients
> | 0 --- vr3| ...
> | |
> `------------------------------'
>
> ---
>
> % cat /etc/ppp/ppp.conf
> iij:
> set device PPPoE:vr0
> set MRU 1454
> set MTU 1454
> accept CHAP
> enable lqr
> add default HISADDR
> nat enable yes
> nat port tcp 192.168.0.33:51332 51332
> nat port udp 192.168.0.33:51332 51332
> nat port tcp 192.168.0.12:22 42022
> set authname foo
> set authkey bar
>
> ---
>
> there seem to be at least two sets of problems
>
> o what are the ip addys and ports involved in netflix streaming set-up
> and delivery?
>
> o how to tunnel just those to/from a server in the states?
>
> anyone with suggestions?
I use my FreeBSD router at home for similar purposes from time to time (getting
past draconian firewalls, working around various types of broken-ness in public
WiFi networks, etc). I don't have many specific comments on your setup outlined
above, but I hope that outlining my approach will give you some ideas.
On the side with "good" (unrestricted, etc) connectivity (home, in my case):
FreeBSD router w/ public IP.
NAT - I use IPFW but any solution should work
OpenVPN running as a TCP server on port 443 (for maximum chance of being
reachable through draconian firewalls). Other VPN / tunneling solutions should
work here. For some types of traffic (like streaming video) TCP is not ideal, so
if you don't have firewall issues, use UDP and a more standard port.
NAT should be configured to work with VPN traffic.
On the restricted/broken side:
Any computer/OS that supports OpenVPN or whatever VPN/tunneling solution you
use (FreeBSD, Linux, Mac, Windows, jailbroken iPhone...). This can be set up on
a single device (laptop, etc) or on a router/gateway machine so the whole
network benefits.
For somewhat restrictive but otherwise decent networks:
Establish VPN connection
Add static route(s) for restricted IP's using VPN server internal IP
For really broken networks, route ALL traffic through VPN:
Use IP (not DNS name) for server in VPN config
Establish VPN connection
Add static route using local gateway for VPN server external IP
Delete existing (local) default gateway
Add VPN server internal IP as default gateway
Use VPN server or other known good server for DNS
There are some in-between combinations as well; just make sure to think about
DNS and leave a working route for your VPN packets to follow.
Works like a charm, but keep in mind that the VPN download speed is the server
side's upload speed. More of an issue for my home connection than for a
datacenter link I imagine. To get your questions answered I would suggest
setting up a general solution (get the VPN/tunnel and NAT working between your
two gateways) and then do some experimenting. You could maybe start by
forwarding all traffic from the LAN over the tunnel, start tcpdump on your
local gateway, and fire up a show on the Apple TV. Then analyze the result--pay
attention to the DNS requests as well as the actual data streams. Probably
easiest just to identify the IP's being used then use whois to extrapolate them
to IP blocks. Add static routes that use your tunnel for the IP ranges you
identify. Repeat as needed.
If you want to be more specific than that (route based on LAN source IP or
specific IP/port combinations) you should look into using setfib and friends
(possibly within your firewall ruleset).
HTH,
JN
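The two routing procedures described in the reply above (static routes for a few
prefixes on a "somewhat restrictive" network, and swapping the default route on a
"really broken" one), as an added shell example that is not from the original
post. It emits the FreeBSD route(8) and resolver commands so they can be reviewed
before being piped into sh on the restricted-side gateway. Every address in it is
an assumed placeholder, not a value from the thread: the VPN server's public IP
(203.0.113.10), the local default gateway (192.168.0.1), and the VPN server's
address inside the tunnel (10.8.0.1). It also enforces the reply's caveat that the
server must be given as an IP literal, since once the local default route is gone a
name lookup for the server would have no path to follow.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the route(8) commands for
# the split-tunnel and full-tunnel setups described in the reply. All addresses
# used below are assumed placeholders, not values from the thread.

# Accept only a dotted-quad literal. The VPN server must be configured by IP:
# after "route delete default" a DNS lookup for its name has nowhere to go.
is_ipv4() {
    case $1 in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Somewhat restrictive network: send only the chosen prefixes via the VPN.
# $1 = VPN server internal IP, remaining args = prefixes such as 203.0.113.0/24
split_tunnel_cmds() {
    vpn_int=$1; shift
    for net in "$@"; do
        printf 'route add -net %s %s\n' "$net" "$vpn_int"
    done
}

# Really broken network: pin a host route for the VPN server via the local
# gateway first, so the tunnel packets keep a working path, then replace the
# default route with the VPN server's internal address.
# $1 = VPN server public IP, $2 = local gateway, $3 = VPN server internal IP
full_tunnel_cmds() {
    is_ipv4 "$1" || { echo "VPN server must be an IP literal, got: $1" >&2; return 1; }
    printf 'route add -host %s %s\n' "$1" "$2"
    printf 'route delete default\n'
    printf 'route add default %s\n' "$3"
}

# Point the resolver at a server reachable through the tunnel ($1).
dns_cmds() {
    printf 'echo "nameserver %s" > /etc/resolv.conf\n' "$1"
}

# Reverse the full-tunnel change when leaving the network.
# $1 = VPN server public IP, $2 = local gateway
undo_full_tunnel_cmds() {
    printf 'route delete default\n'
    printf 'route add default %s\n' "$2"
    printf 'route delete -host %s\n' "$1"
}

# Review first; when satisfied, run as root, e.g.
#   full_tunnel_cmds 203.0.113.10 192.168.0.1 10.8.0.1 | sh
full_tunnel_cmds 203.0.113.10 192.168.0.1 10.8.0.1
dns_cmds 10.8.0.1
split_tunnel_cmds 10.8.0.1 203.0.113.0/24 198.51.100.0/24
```

The host route for the VPN server is added before the default route is deleted on
purpose: if the order is reversed there is a window where the tunnel itself has no
route and the VPN client can drop the session.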
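The discovery step the reply suggests (tcpdump on the local gateway while a show
plays, then read off the DNS answers and the data-stream destinations and widen
them to blocks for static routes), as an added shell/awk example that is not from
the original post. The capture lines are constructed for illustration and the LAN
prefix 192.168.0. and every address in them are assumed; nothing here reflects a
real Netflix session. The /24 collapse is only a first guess for the route table;
as the reply says, whois on each candidate gives the real block.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls candidate streaming
# endpoints out of tcpdump -n output and collapses them to /24 prefixes.

# Constructed tcpdump -n style output (one DNS query, its answer, a few TCP
# segments). Not a real capture; all addresses are placeholders.
SAMPLE='15:40:01.123456 IP 192.168.0.12.52341 > 192.168.0.1.53: 12345+ A? video.example.net. (34)
15:40:01.125000 IP 192.168.0.1.53 > 192.168.0.12.52341: 12345 2/0/0 A 203.0.113.20, A 203.0.113.21 (66)
15:40:01.300000 IP 192.168.0.12.52342 > 203.0.113.20.443: Flags [S], seq 10, win 65535, length 0
15:40:01.350000 IP 203.0.113.20.443 > 192.168.0.12.52342: Flags [S.], seq 20, ack 11, win 65535, length 0
15:40:02.100000 IP 192.168.0.12.52343 > 198.51.100.7.80: Flags [S], seq 30, win 65535, length 0
15:40:02.400000 IP 192.168.0.12.52342 > 203.0.113.20.443: Flags [.], ack 21, win 65535, length 0'

# Unique "ip port" pairs for flows a LAN host opened to the outside.
# $1 = LAN prefix (e.g. 192.168.0.); capture text on stdin.
external_dests() {
    awk -v lan="$1" '
    $2 == "IP" && index($3, lan) == 1 && index($5, lan) != 1 {
        dst = $5; sub(/:$/, "", dst)      # "203.0.113.20.443:" is a.b.c.d.port
        n = split(dst, p, ".")
        if (n != 5) next
        key = p[1] "." p[2] "." p[3] "." p[4] " " p[5]
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Unique IPv4 addresses from DNS A answers. Answer lines carry the
# answer/authority/additional counts, e.g. "2/0/0"; queries ("A?") do not.
dns_answers() {
    awk '
    / [0-9]+\/[0-9]+\/[0-9]+ / {
        for (i = 1; i < NF; i++) {
            if ($i != "A") continue
            ip = $(i + 1); sub(/,$/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in seen)) {
                seen[ip] = 1; print ip
            }
        }
    }'
}

# Collapse IPs (first field per line) to unique /24 prefixes, first seen first.
to_slash24() {
    awk '{
        n = split($1, p, ".")
        if (n != 4) next
        net = p[1] "." p[2] "." p[3] ".0/24"
        if (!(net in seen)) { seen[net] = 1; print net }
    }'
}

# Whole pipeline: capture text on stdin, LAN prefix in $1. Data streams and
# DNS answers are both considered, since the reply says to watch both.
candidate_nets() {
    data=$(cat)
    {
        printf '%s\n' "$data" | external_dests "$1"
        printf '%s\n' "$data" | dns_answers
    } | to_slash24
}

# On the gateway this would be:  tcpdump -n -l -i vr1 | candidate_nets 192.168.0.
printf '%s\n' "$SAMPLE" | candidate_nets 192.168.0.
```

The resulting prefixes are what you would feed to "route add -net <prefix>
<vpn-internal-ip>" on the restricted side, after checking each one against whois
and widening it to the block the operator actually announces.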
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"