Network Address Translator Simulator to Test P2P Software - p2p

Does any Network Address Translator simulator exist for testing P2P software?
Currently I am working on P2P software for devices, and I am facing issues testing my software behind different types of NAT, e.g. clients behind the same NAT (same private network), behind different NATs (different private networks), on different global networks, and at different NAT levels.
-- Do I need to physically set up the test environment, e.g. nodes behind NAT,
OR
-- Does any Network Address Translator simulator exist for testing P2P software?

Virtualization software such as VirtualBox will allow you to connect multiple guest VMs (Virtual Machines) together via NAT rather than use direct connections.
The built-in NAT provided by VirtualBox is unrealistically 'peer-to-peer friendly' though when compared to common home and ISP-level NATing routers. VirtualBox's NAT seems to be 'full cone NAT', which makes NAT traversal techniques (UDP/TCP hole punching) unrealistically easy (see this Wikipedia article for an explanation), whereas a lot of router NAT is either 'symmetric NAT' or some form of 'restricted cone NAT' based on source port and/or address restrictions.
So one way to simulate multiple hosts communicating over realistic NAT would be to use virtualization tools such as VirtualBox and connect them together via Linux-based 'router' VMs that perform the routing and NAT using the built-in netfilter functions in the Linux kernel. The iptables command would allow you to set up netfilter rules to achieve the various NAT behaviours (as detailed in the above Wikipedia article), e.g. full cone NAT using iptables.
See this how-to for general information on setting up netfilter/IP-masquerading (required for NAT):
http://www.ibiblio.org/pub/linux/docs/howto/other-formats/html_single/IP-Masquerade-HOWTO.html
You could of course bind your P2P software to various local interfaces (within 127.0.0.0/24 range or use an IPv6 subnet) and configure the routing tables and netfilter rules on a single machine to do this without virtualisation. I'm not sure which approach would be easier for you though, if you have the machine resources the virtualisation approach may turn out to be easier to keep track of.
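As an added example (not code from the original answer), here is a small POSIX sh script that emits the iptables rules for a Linux router VM in each of the three behaviours the answer names. The interface names eth0/eth1, the addresses 203.0.113.10 and 10.0.0.2 and the mode names are assumptions for a lab. 'restricted' here means port-restricted cone, which is what plain SNAT plus conntrack gives you on Linux; 'full' adds a catch-all DNAT towards the peer; 'symmetric' uses SNAT's --random flag so that each flow gets its own external source port.

```shell
#!/bin/sh
# Added example, not part of the original answer: print (or apply) the netfilter
# rules that give a Linux "router" VM one of three NAT behaviours, so a P2P node
# behind it can be tested against each. Interface names, addresses and the mode
# names are assumptions for a lab; adjust them to your own topology.
#
# Usage:  sh nat-router.sh <full|restricted|symmetric>        # print the rules
#         sh nat-router.sh <full|restricted|symmetric> apply  # run them (as root)

WAN=${WAN:-eth0}                       # router interface facing the "Internet" side
LAN=${LAN:-eth1}                       # router interface facing the private network
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # router's WAN address (TEST-NET-3 documentation range)
PEER_IP=${PEER_IP:-10.0.0.2}           # the P2P node sitting behind this NAT

# nat_rules MODE: write the iptables commands for MODE to stdout, one per line.
nat_rules() {
    mode=$1
    snat_opts=""
    case $mode in
        full)
            # Full cone: anything arriving on the public address is handed to the
            # peer, whoever sent it. Hole punching is trivial here, which is what
            # makes VirtualBox's built-in NAT feel unrealistically friendly.
            inbound="iptables -t nat -A PREROUTING -i $WAN -j DNAT --to-destination $PEER_IP
iptables -A FORWARD -i $WAN -o $LAN -j ACCEPT"
            ;;
        restricted)
            # Port-restricted cone: only packets belonging to a flow the peer
            # already opened (same remote IP and port) are forwarded back in;
            # unsolicited inbound traffic is dropped. Typical home-router behaviour.
            inbound="iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -j DROP"
            ;;
        symmetric)
            # Symmetric: --random allocates a fresh external source port per flow,
            # so the mapping a STUN server observes is not the one used towards a peer.
            snat_opts="--random"
            inbound="iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -j DROP"
            ;;
        *)
            echo "nat_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
    # Plain SNAT keeps the peer's source port whenever it is free, i.e. the
    # mapping itself is endpoint-independent; the modes differ in filtering
    # (restricted vs full) or in port allocation (symmetric).
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $PUBLIC_IP $snat_opts
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
$inbound
EOF
}

if [ $# -ge 1 ]; then
    if [ "${2:-}" = "apply" ]; then
        nat_rules "$1" | sh -e
    else
        nat_rules "$1"
    fi
fi
```

To check the behaviour from the private side, send a UDP datagram from the peer to a third host and then have that host, and a fourth one, send datagrams back to the mapped public port: with 'full' both reach 10.0.0.2, with 'restricted' only the original correspondent gets through, and with 'symmetric' two flows from the same peer socket to two different destinations show two different external ports.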

Related

How can I create a firewall which allows me to make application based rules?

I do not trust anything, so I want to write my own firewall. I'm not satisfied with the application firewalls on Linux and Windows, and the distro firewalls are not adequate for my purposes. I'm frustrated with distro firewalls; most of them, like pfSense, OPNsense and IPFire, just seem to give the illusion of a firewall, but all they do is packet filtering. I'm unable to block everything and only allow a few websites with them; I have created a rule to block DNS requests, applied that rule and rebooted the firewall distro, but it doesn't seem to have any effect. I either have to block everything or allow everything, both of which are undesirable. The sc*mbags seem to have deliberately made the interface unintuitive to sell service: they claim their firewalls are free but made the interface obtuse, so that they can steal money by selling service.
I'm thinking of writing my own firewall: one part will be an application which runs on the client system and the other will be a standalone distro; both will run together to allow better management. The application on the client will create a special packet signed with the hash of the application, OS, etc., and the intermediary firewall distro will check this hash and allow rules and policies to be created based on this hash. Does the TCP/IP protocol allow this?
I have searched the net for resources about the network API on Linux, and there are three resources about writing my own firewall: two are questions here and one is netfilter. I don't know anything about the TCP/IP protocol, so I don't know if I can use the packets made by TCP/IP to achieve this or whether I have to creatively find a way to create a special packet.

How to simulate OSPF routing table in Macintosh or Linux?

I am trying to make an OSPF protocol simulation on Mac or Linux. Basically, I want to run many OSPF binaries that can speak to each other and use pseudo interfaces to run OSPF on. So, if they share a pseudo interface, I should be able to assign the same subnet to interfaces on different simulators.
For example, R1 - OSPF Sim1 has 3 pseudo networking interfaces. The pseudo networking interface IPs are en0 - 192.168.2.1/24 and en1 - 111.111.10.1/24.
The loopback is 1.1.1.1.
Now, R2 - OSPF Sim2 has two pseudo networking interfaces. The pseudo networking interface is en0 - 192.168.2.1/24 and the loopback is 2.2.2.2.
Now, R3 - OSPF Sim3 has two pseudo networking interfaces. The pseudo networking interface is en1 - 111.111.10.2/24 and the loopback is 3.3.3.3.
I want to simulate it in such a way that those on the same subnet can ping each other and the rest cannot. Any ideas? Also, I want them to install routes so that the kernel is aware of them.
I would suggest using VirtualBox to create three identical Linux virtual machines, each one running its own quagga packages.
To do so, I would use Alpine Linux as the base (it is an extremely compact and functional Linux distribution, which has quagga packages available). To create an Alpine-based VM, there are detailed instructions here.
There are several examples of OSPF testbeds; this one seems particularly relevant to what you want to achieve.
Hope it helps!

Understanding Docker Macvlan network

I am trying to understand the advantages and use cases of the Docker Macvlan network driver.
Can someone explain in detail, if possible with some examples, what the following statement (from the docs) means?
"The Linux implementations are extremely lightweight because rather than using the traditional Linux bridge for isolation, they are simply associated to a Linux Ethernet interface or sub-interface to enforce separation between networks and connectivity to the physical network."
I have some basic understanding of the default networking provided by Docker, answered here.
The Macvlan network driver is used for cases where we need containers to be part of the host's local network directly. This approach can allow containers to use the same DHCP server as the host would use, which means the same IP address pool as the host. A typical bridge network has more overhead because NAT and VXLAN add overhead to the communication. Macvlan has very little overhead since it is directly connected to the underlay network.
For more details, please refer to my blogs (https://sreeninet.wordpress.com/2016/05/29/macvlan-and-ipvlan/, https://sreeninet.wordpress.com/2016/05/29/docker-macvlan-and-ipvlan-network-plugins/).
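As an added example (not from the answer or its blog posts), the following script builds the commands for a macvlan network that puts two containers straight on the host's LAN, using Docker's built-in IPAM with a reserved slice of the subnet rather than the LAN's DHCP server, and adds the host-side macvlan shim that is needed because a host cannot reach its own macvlan children through the parent interface. The parent interface eth0, the 192.168.1.0/24 addresses, the network name and the container names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: two containers directly on the
# host's LAN via a macvlan network, plus the host-side shim interface without
# which the host itself cannot talk to those containers. All names and
# addresses are assumptions for illustration.
#
# Usage:  sh macvlan-lab.sh         # print the commands
#         sh macvlan-lab.sh apply   # run them as root (docker + iproute2 needed)

PARENT=${PARENT:-eth0}                   # physical NIC that carries the LAN
SUBNET=${SUBNET:-192.168.1.0/24}         # the LAN, as the host sees it
GATEWAY=${GATEWAY:-192.168.1.1}          # the LAN's router
IP_RANGE=${IP_RANGE:-192.168.1.192/27}   # slice for containers; keep it outside the LAN DHCP pool
SHIM_IP=${SHIM_IP:-192.168.1.223}        # host's own address on the shim, inside IP_RANGE
NET=${NET:-lan_macvlan}

# create_network_cmd: Docker IPAM hands out addresses only from IP_RANGE, and
# aux-address keeps the shim address out of that pool.
create_network_cmd() {
    echo "docker network create -d macvlan --subnet=$SUBNET --gateway=$GATEWAY" \
         "--ip-range=$IP_RANGE --aux-address=\"host=$SHIM_IP\" -o parent=$PARENT $NET"
}

# run_peer_cmd NAME IP: a container with a fixed LAN address, reachable from
# every other LAN host with no port publishing and no NAT in the path.
run_peer_cmd() {
    echo "docker run -d --rm --name $1 --network $NET --ip $2 alpine sleep infinity"
}

# host_shim_cmds: a macvlan sub-interface on the host in bridge mode and a route
# to the container range through it, so the host can reach the containers too.
host_shim_cmds() {
    cat <<EOF
ip link add mvlan-shim link $PARENT type macvlan mode bridge
ip addr add $SHIM_IP/32 dev mvlan-shim
ip link set mvlan-shim up
ip route add $IP_RANGE dev mvlan-shim
EOF
}

# all_cmds: the complete sequence in the order it has to run.
all_cmds() {
    create_network_cmd
    run_peer_cmd peer1 192.168.1.200
    run_peer_cmd peer2 192.168.1.201
    host_shim_cmds
}

if [ "${1:-}" = "apply" ]; then
    all_cmds | sh -e
else
    all_cmds
fi
```

Without the shim, `ping 192.168.1.200` from the host fails while every other machine on the LAN succeeds; that asymmetry is the most common surprise with macvlan and is worth testing explicitly. When the host is itself a VirtualBox guest, the parent interface also has to be allowed into promiscuous mode, or the containers' frames never leave the VM.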

Is IPv6 send-to-self possible in linux

I am trying to create a setup for testing network equipment, and would like to use multiple (3) NICs in a single PC to produce traffic through an external device, i.e. a network switch, from one interface to another.
All of the tests are for IPv6 and Ethernet. All NICs have link-local and global IPv6 addresses with the same network/subnet prefix.
At the moment all packets are routed internally and never use the physical wire.
I see a lot of threads solving the problem for IPv4 using the net.ipv4.conf.all.accept_local parameter together with some routing table fixes, but I can't find a solution for IPv6.
Does anyone know of a solution?

Webify embedded linux-based controller through cellular network

I need a basic direction for the following project.
There is a Linux-based controller doing some industrial control stuff.
The box is equipped with a cellular modem and is capable of getting online through a cellular carrier. Cellular communication is used because the controller is mostly installed where no cables or short-range radio are available. Places where the sun doesn't normally shine :)
The task is to allow internet clients to connect directly to the box for some basic control/monitoring stuff. The problem is connectivity: how will clients discover the box? I'd like to have the box act as a server (if possible). Assuming that the cellular carrier allows the box to get online doesn't necessarily mean that the box will get a public IP so that anyone would be able to connect. To my understanding the cellular network acts as a gateway for those who are working inside of it, and reaching someone in that network from outside isn't possible. Am I wrong? We are looking for a generic solution, not a solution around a particular cellular provider. The controller is installed in different countries; we need to find the standard way to "webify" it.
The software (and hardware) in the box is ours, so we can basically do anything, but I am looking for the right way to do it in order to avoid surprises with different providers later. BTW, the solution doesn't necessarily have to be technical; maybe it's possible to buy permanent IPs per box, or set up VPNs. Which way should I dig? What questions should I ask?
Your ideas are welcome!
Your summary of the problem is basically correct. I've implemented several systems that do this, and the odds of success are good.
The way you tackle this will depend on the number of remote units you expect a single user to interact with. If each user will handle only one or two devices, it's plausible to implement the web server on the remote device. If each user handles many devices, consider centralising as much administration as possible. I've implemented this using Zenoss for data logging, and a custom control server.
If the web server sits on the remote device, you can either buy a SIM with a static IP, or use a proxy server. I recommend setting up a proxy server unless the number of devices is very small.
There are three options for SIMs:
Static IP with an address on the public Internet will be expensive, and negotiating the deal with each provider in each country will be irksome. No proxy server is required.
Private APN SIMs will give you the option of a static address, but in a private address range. Negotiation with the mobile network is still required, and you will require a proxy server to sit between the public Internet and the private address range.
Standard data SIMs will connect to the Internet through NAT. You can use these to host your service by opening a VPN connection (we used openvpn) to your server. You can now reach the devices directly by connecting to the same VPN, or through a proxy server.
If you use openvpn, here are some more tips:
Give each unit a public serial number and a private key. Store these in the firmware of the unit and in a central database. Put the public serial number on the outside of the unit. You can use an openvpn login script to ensure that a particular unit always appears at the correct IP address, which keeps the proxy configuration static.
You can control openvpn's bandwidth usage by adjusting its keepalive behaviour, and how often it renegotiates. Measure and tune this before a large deployment.
The NAT timeouts in the mobile networks are generally between 5 and 15 minutes. The device must send a packet to the server often enough to keep NAT alive.
Cheap SIM deals may be web only with limited ports.
Other tips:
GPRS modem firmware can (rarely) crash internally. If your hardware supports it, provide software with the ability to power cycle the modem.
Test your box in areas with poor coverage in your own country before you send out international shipments.
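As an added example (not the answer's own code), here is a POSIX sh script for the VPN server side that implements two of the OpenVPN tips above: pinning each unit to a fixed VPN address derived from its entry in the central database, so the proxy configuration never changes, and sizing keepalive and renegotiation for mobile NAT timeouts. The path /etc/openvpn/ccd, the serial-number format, the 10.8.0.0/16 addressing scheme and the inline "database" are assumptions; the units are assumed to authenticate with client certificates whose CN is the public serial number, which is what OpenVPN uses to pick the client-config-dir file.

```shell
#!/bin/sh
# Added example, not the answer's own code: keep every remote unit at a fixed
# VPN address and tune OpenVPN for the 5-15 minute NAT timeouts of mobile
# networks. Paths, serial format, addressing scheme and the inline database
# are assumptions for illustration.
#
# Usage:  sh unit-vpn.sh ccd     # (re)generate the client-config-dir files
#         sh unit-vpn.sh conf    # print the matching server.conf fragment

CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}   # OpenVPN client-config-dir

# Constructed stand-in for the central database: "serial unit-id" per line.
# The certificate CN of each unit is its public serial number, so OpenVPN
# looks for $CCD_DIR/<serial> when that unit connects.
UNITS='
CTRL-000101 1
CTRL-000102 2
CTRL-000745 745
'

# unit_ip ID: deterministic address in 10.8.0.0/16 for unit ID (1..64516).
# Third octet = ID / 254, fourth = ID % 254 + 1, so .0 and .255 never occur
# and 10.8.0.1 (the server itself) is never handed to a unit.
unit_ip() {
    id=$1
    [ "$id" -ge 1 ] 2>/dev/null && [ "$id" -le 64516 ] || return 1
    echo "10.8.$((id / 254)).$((id % 254 + 1))"
}

# ccd_line SERIAL: the ifconfig-push directive for SERIAL, or failure if the
# serial is not in the database (so an unknown unit gets no address).
ccd_line() {
    uid=$(echo "$UNITS" | awk -v s="$1" '$1 == s { print $2 }')
    [ -n "$uid" ] || return 1
    ip=$(unit_ip "$uid") || return 1
    echo "ifconfig-push $ip 255.255.0.0"
}

# write_ccd: one file per unit; rerun after every database change.
write_ccd() {
    mkdir -p "$CCD_DIR"
    echo "$UNITS" | while read -r serial uid; do
        [ -n "$serial" ] || continue
        ccd_line "$serial" > "$CCD_DIR/$serial"
    done
}

# server_conf: server-side settings matching the tips. keepalive 120 600 makes
# each unit ping every 120 s (well under a 5 minute NAT timeout) and restart
# the tunnel after 600 s of silence; reneg-sec 86400 renegotiates TLS once a
# day instead of hourly, which saves bandwidth on metered SIMs; ccd-exclusive
# rejects any client without a ccd file, so only registered units connect and
# the dynamic pool is never used.
server_conf() {
    cat <<EOF
dev tun
proto udp
topology subnet
server 10.8.0.0 255.255.0.0
client-config-dir $CCD_DIR
ccd-exclusive
keepalive 120 600
reneg-sec 86400
EOF
}

case "${1:-}" in
    ccd)  write_ccd ;;
    conf) server_conf ;;
esac
```

With this scheme the proxy (or a central control server) can address unit CTRL-000745 as 10.8.2.238 forever; replacing the unit's hardware only means issuing a new certificate with the same CN, not touching the proxy. Measure the keepalive interval against the actual carrier's NAT timeout before a large rollout, since 120 s is a safe starting point, not a universal value.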
This is a typical problem with a "mobile agent" appearing in different places or using different providers (in this case just one provider, but it's almost the same). Usually it's solved using some kind of home agent: a server that the mobile connects to and gives details about how to reach it, or, if it can't be reached directly, the home agent acts as a proxy.
Clients always contact the home agent first, and then, if possible, they contact the mobile; if not, they use the server as a proxy.
In some cases dynamic DNS might be sufficient; in others you need a real proxy/façade.
There's a good book: Andrew S. Tanenbaum & Maarten van Steen :"Distributed Systems: Principles and Paradigms"
You can ask the cellular provider to give you a SIM card with internet access and a fixed IP address. Then you can host any server you like. Do not forget that you are dealing with limited bandwidth.