Serious home internet connectivity upgrade

The main connection will be upgraded from consumer-grade 100M/10M to enterprise-grade 100M/100M in the near future.

This will affect the Tor service in a positive way: it now runs on my secondary 10M/10M best-effort line, and it would be moved to roughly 70M/70M, of which 50M/50M would be guaranteed and the rest best-effort.

The relay still won't run as an exit, because that is too dangerous, but hopefully it will use all the bandwidth allocated to it.

The current Tor-dedicated secondary line will either become another Tor relay or stay idle as a reserve line.

These two lines are from different providers, so if one of them has problems in its network the other one should still work. They use the same fibres, though, so if something there goes catastrophically wrong there is nothing to be done.

But this would cost me 150 € a month, so I still need to think about it. I can afford it, but it is still quite a bit of money if there is no proper use for it. 100M/20M would be 100 €, but that is so small an upgrade it makes no difference compared to my current 100M/10M.

Heavy load on my Tor relay

It has been a busy day, looking at these bandwidth graphs:

[bandwidth graph]

Which is excellent news, because this 10M symmetric line is 100% dedicated to the Tor network.

My latency to the Finnish Communication and Internet Exchange (FICIX) is about 3.40 ms, so this relay adds less than 7 ms of delay to a circuit (traffic crosses the link in and out, roughly twice the one-way figure).

The rest of Europe and Russia are also very close: Saint Petersburg about 9 ms, Amsterdam 25 ms and Germany perhaps 17 ms.

It is routing about 70 GB of traffic each day.

So support your local Tor network.

Using real PCI devices on QEMU guest

I have a Tor relay which uses a virtual network card and is bridged via two machines to my internet connection, but it seems it would be possible to drop all of that, hook the host's Ethernet card directly to the line with a cable, and pass that card through to the guest.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Host_Configuration_and_Guest_Installation_Guide/chap-Virtualization_Host_Configuration_and_Guest_Installation_Guide-PCI_Device_Config.html

It would definitely make the configuration that much easier, and would also cut the latency by a millisecond or two.

But apparently this requires hardware support for device passthrough (an IOMMU, Intel VT-d on Intel parts) which my CPU does not have; the chipset and BIOS have to support it as well. The Intel Xeon X5550, for instance, has that support, so at least it wouldn't cost too much to get: an HP ProLiant DL360 G6 goes for about 370 € and can be upgraded to 12 cores. Would be a nice upgrade.
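Before buying hardware for this it is worth knowing exactly what the host must show. The script below is an added example, not from the original post or from the linked Red Hat guide: it checks whether the kernel has actually built IOMMU groups (no groups means no VT-d in CPU, chipset or BIOS, or no intel_iommu=on on the kernel command line), lists the other devices that share the NIC's IOMMU group (all of them have to go to the guest together), extracts the vendor:device pair vfio-pci needs, and prints the rebind commands and QEMU argument. It assumes a modern kernel with vfio-pci and a NIC at PCI address 0000:02:00.0; the lspci line is constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post or the linked Red Hat guide.
# Host-side checks before handing a PCI NIC to a QEMU/KVM guest through VFIO.
# Assumptions: an Intel host (VT-d), a kernel with vfio-pci, and the NIC at
# PCI address 0000:02:00.0. The lspci line is constructed sample output.

SLOT="${SLOT:-0000:02:00.0}"

# Constructed `lspci -nn -s 02:00.0` output for an Intel 82574L NIC.
SAMPLE_LSPCI='02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]'

# vendor_device_id: extract the trailing [vvvv:dddd] pair from an `lspci -nn`
# line; vfio-pci wants exactly this pair (space separated) in its new_id file.
vendor_device_id() {
  sed -n 's/.*\[\([0-9a-f]\{4\}:[0-9a-f]\{4\}\)\]$/\1/p'
}

# iommu_active SYSFS: true when the kernel has built IOMMU groups. Without
# VT-d support in CPU, chipset and BIOS, plus intel_iommu=on on the kernel
# command line, the directory is missing or empty and passthrough cannot work.
iommu_active() {
  [ -d "$1/kernel/iommu_groups" ] && [ -n "$(ls -A "$1/kernel/iommu_groups" 2>/dev/null)" ]
}

# iommu_group_members SYSFS SLOT: every device sharing the IOMMU group of SLOT.
# All of them (PCIe bridges excepted) must be bound to vfio-pci or QEMU refuses
# the assignment; a NIC that shares a group with the host's disk controller is
# a bad candidate.
iommu_group_members() {
  ls "$1/bus/pci/devices/$2/iommu_group/devices" 2>/dev/null || echo "no iommu group for $2"
}

# qemu_device_arg SLOT: the QEMU argument that attaches the host device.
qemu_device_arg() {
  printf -- '-device vfio-pci,host=%s\n' "${1#0000:}"
}

# rebind_to_vfio IDS SLOT: commands to move the NIC from its host driver to
# vfio-pci. Printed rather than run: they need root and take the card away
# from the host, so this NIC must not be the host's only uplink.
rebind_to_vfio() {
  cat <<EOF
modprobe vfio-pci
echo "$(printf '%s' "$1" | tr ':' ' ')" > /sys/bus/pci/drivers/vfio-pci/new_id
echo "$2" > /sys/bus/pci/devices/$2/driver/unbind
echo "$2" > /sys/bus/pci/drivers/vfio-pci/bind
EOF
}

nic_ids=$(printf '%s\n' "$SAMPLE_LSPCI" | vendor_device_id)
echo "vendor:device = $nic_ids"
if iommu_active /sys; then
  echo "IOMMU groups present; group of $SLOT contains:"
  iommu_group_members /sys "$SLOT"
else
  echo "no IOMMU groups: enable VT-d in the BIOS and boot with intel_iommu=on"
fi
qemu_device_arg "$SLOT"
rebind_to_vfio "$nic_ids" "$SLOT"
```

Run it as root on the candidate host; if the IOMMU-group directory is empty, no amount of QEMU configuration will help and the CPU/board is the thing to change. The linked RHEL 6 guide uses pci-stub and virsh for the same steps; vfio-pci is the current mechanism and is what the commands above assume.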

Tor traffic amount increasing

More traffic witnessed:

[bandwidth graph]

Consensus weight has gone up from 600 a week ago to 2000 today. Consensus weight is the bandwidth figure the directory authorities assign to a relay, based on the bandwidth they measure and the relay reports; clients pick relays in proportion to it, so the more traffic you carry, the more traffic you will be sent.

The chance of being selected as the middle hop for any circuit has also increased a lot:

[relay selection probability screenshot]

And with a 4.20 Mbps daily average (in plus out) we would move about 21.2 Tbit of traffic per month in total. I can get up to 300 Mbps down, but upload speeds suck.

I have requested an offer for 100/100 with a /26 of IPv4 and a /48 of IPv6, but it would probably cost hundreds of euros. They already have the technology, so 100/100 costs them nothing extra; IPv4 is scarce, but a few euros per IP would settle that; IPv6 is plentiful; and my current SLA is perfectly fine.

Yet they would still charge me hundreds of euros, just because people generally don't understand how cheap and easy it is. In the olden days we paid a one-off sum and then a monthly fee. If they must configure this for me, that I would happily pay for, but after that the only real cost is the bandwidth and not much else.

200 € / month I might be willing to pay but the price is more likely to be near 800 euros.

And I have 100/20 or thereabouts from a competitor for 19.90 € a month, so ten times that to get the extra 80 Mbit of upload and the IP addresses does not seem too much to ask. Some sales clerk is going to call me, so I just need to tell him that I won't buy anything unless he gives me a good deal, drops all the fancy extras and just sells me a raw connection for a good price.

nfsen & 1 day of TOR bridge

Summary: total flows: 6222, total bytes: 13628702, total packets: 29649, avg bps: 1392, avg pps: 0, avg bpp: 459
Time window: 2014-11-30 20:06:00 - 2014-12-01 18:19:37
Total flows processed: 1046211, Blocks skipped: 0, Bytes read: 54434292
Sys: 0.444s flows/second: 2356331.1  Wall: 0.928s flows/second: 1127324.2

Approximately one day's worth of Tor bridge traffic. Quite nice statistics.

nfsen SELinux apache audit2allow

Copy the AVC denials from the audit log to audit.log

$ cat audit.log
type=AVC msg=audit(1417369961.979:419728): avc:  denied  { connectto } for  pid=18348 comm="php-fpm" path="/data/nfsen/var/run/nfsen.comm" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1417370738.841:419844): avc:  denied  { write } for  pid=1964 comm="php-fpm" name="nfsen.comm" dev="dm-1" ino=1317402 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file

Generate SELinux policy allow/dontaudit rules from the log (audit2allow -M nfsen would also do the compile and package steps below in one go)

$ audit2allow -m nfsen -i audit.log > nfsen.te

Compile the module

$ checkmodule -M -m -o nfsen.mod nfsen.te

Create the package

$ semodule_package -o nfsen.pp -m nfsen.mod

Load the module into the kernel

$ semodule -i nfsen.pp

My module rules (the nfsen.te that audit2allow produced)

module nfsen 1.0;

require {
        type unconfined_t;
        type httpd_t;
        type default_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t default_t:sock_file write;
allow httpd_t unconfined_t:unix_stream_socket connectto;
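One check a practitioner would make before loading a module like the one above: the second denial has a target of default_t, which means the nfsen socket directory under /data has no file-context rule at all, and "allow httpd_t default_t:sock_file write" lets the web server write to every unlabelled socket on the system, not just nfsen.comm. The script below is an added example, not part of the original post or of nfsen. It reduces AVC lines (the two from above, embedded as sample input) to the source/target/class/permission tuples an allow rule would encode, flags targets that point to a labelling problem rather than a missing permission, and prints the semanage/restorecon commands that would give the socket a real type. The type httpd_var_run_t and the path pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from nfsen. Triage AVC denials
# before feeding them to audit2allow: reduce each to the tuple an allow rule
# would encode, flag targets that point to a labelling problem rather than a
# missing permission, and print the relabel commands that fix the label.
# The two AVC lines are the ones from the post, embedded here as sample input.

SAMPLE_AVC='type=AVC msg=audit(1417369961.979:419728): avc:  denied  { connectto } for  pid=18348 comm="php-fpm" path="/data/nfsen/var/run/nfsen.comm" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1417370738.841:419844): avc:  denied  { write } for  pid=1964 comm="php-fpm" name="nfsen.comm" dev="dm-1" ino=1317402 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file'

# avc_summary: stdin AVC lines -> "source_type target_type class permissions",
# one line per distinct denial. This is exactly what audit2allow turns into
# "allow source target:class { permissions };".
avc_summary() {
  awk '
    /avc: +denied/ {
      perms = ""; s = ""; t = ""; c = ""
      if (match($0, /\{[^}]*\}/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      print s, t, c, perms
    }' | sort -u
}

# risky_targets: stdin summary lines -> those whose target type means the
# object is mislabelled or the peer is unconfined. An allow rule against
# default_t covers every unlabelled socket on the box, not just nfsen.comm;
# one against unconfined_t reaches every unconfined process.
risky_targets() {
  awk '
    $2 == "default_t"    { print $0 "  # unlabelled target: set a file context, do not allow default_t" }
    $2 == "unlabeled_t"  { print $0 "  # unlabelled target: run restorecon, do not allow unlabeled_t" }
    $2 == "unconfined_t" { print $0 "  # peer runs unconfined: the rule reaches every unconfined process" }
  '
}

# label_fix: relabel commands for the nfsen socket directory so the socket
# gets a type httpd_t may already write to. Printed, not executed (needs root).
# httpd_var_run_t and the path pattern are assumptions for this example.
label_fix() {
  cat <<'EOF'
semanage fcontext -a -t httpd_var_run_t '/data/nfsen/var/run(/.*)?'
restorecon -Rv /data/nfsen/var/run
EOF
}

echo "denials:"
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "needs a label fix rather than an allow rule:"
printf '%s\n' "$SAMPLE_AVC" | avc_summary | risky_targets
echo "relabel with:"
label_fix
```

After relabelling, re-run the denied action, collect the new AVC lines and generate the module from those; the sock_file rule should then disappear or target the new type. The connectto rule survives regardless, because the nfsend daemon itself runs as unconfined_t; tightening that would mean confining nfsend in a domain of its own.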

Material

https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
https://www.mail-archive.com/nfdump-discuss@lists.sourceforge.net/msg00839.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

[nfsen screenshot]

Sadly it is a very poor tool in terms of usability, plus I already found one bug where the system takes the time to be in 12-hour format when it is really a 24-hour clock: it tries to load the nfcapd file from this morning when I need the file from 12 hours later, i.e. now.

But I will run it for now, since I want to log the traffic with nfdump and this does that, draws the graphs and has the front-end, if I ever come to terms with those two problems. The first impression, though, is that this isn't a very professional system.

At least I am able to get graphs with powerful filters, like this one showing traffic from Tor:

[nfsen filtered Tor traffic graph]

Verified by existing graph from the interface:

[bandwidth graph]

Gigabit switch

Cheap: 87 € including P&P from the UK.


[AT-9924T front view]

Allied Telesyn AT-9924T

Datasheet (PDF): http://www.alliedtelesis.fi/media/fount/datasheet/at-9900_datasheet_revO.pdf

I am also trying to get a secondary 10 Mbit connection so that I can do some more routing.

I also have a public WLAN idea in mind which I would like to try. I could dedicate the 10 Mbit line to that.

And its traffic would be routed through a VPN or Tor so that it stays that way.