The following text is for readers with a technical understanding, who are interested in the setup K-Net is running.
There are around 2500 users on K-Net. All of them are connected via Ethernet equipment. We have the public IPv4 subnet 220.127.116.11/19 (8192 addresses). We do not have any IPv6 addresses yet.
Like all other ISPs in Denmark, we are required by the Danish law "logningsbekendtgørelsen" to log all traffic flows together with the identity of the responsible user (see the law text here). We therefore run firewall setups that let us distinguish traffic from different users in a non-spoofable way. Currently we are running two such setups:
This setup was created in 2005 when the law "logningsbekendtgørelsen" was introduced.
The system consists of a FreeBSD server with a PF setup. Each client must authenticate with the server over SSH ("K-Net Utility" is a simple front end for convenience). Authpf inserts the firewall rules that allow internet access for the IP address of the authenticated SSH user; when the SSH connection is no longer live, those rules are removed again.
Users are fully blocked from the internet if they exceed the fair use limit, measured as the number of gigabytes transferred over a running 30-day window. They are unblocked again once the number of gigabytes transferred in the 30 days up to and including the current day falls below the fair use limit.
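To make the authpf mechanism concrete, here is an added example of the two PF files involved. It is not K-Net's own configuration: the interface names, the default-deny policy and the single pass rule per user are assumptions, as is the choice to allow only SSH to the firewall before login. With this in place, a user's login shell is set to /usr/sbin/authpf and the user is listed in /etc/authpf/authpf.allow; the SSH session itself is what keeps the user's rules loaded.

```pf
# /etc/pf.conf (relevant parts; interface names are assumed)
ext_if = "em0"          # toward the upstream
int_if = "em1"          # toward the dorm network

block all               # default deny: a room with no live SSH session gets nothing through

# before login the only thing a room may reach is the authpf SSH service itself
pass in on $int_if proto tcp from any to ($int_if) port ssh keep state

# traffic that authpf has admitted below may leave toward the upstream
pass out on $ext_if keep state

# authpf loads each authenticated user's rules into a sub-anchor here
anchor "authpf/*"


# /etc/authpf/authpf.rules
# Loaded once per authenticated SSH session with $user_ip and $user_id filled
# in by authpf, and unloaded when the session ends. Macros from pf.conf are not
# visible here, so the interface is declared again.
int_if = "em1"

# only the address the user logged in from is admitted, so every flow that
# gets logged maps to exactly one authenticated user
pass in quick on $int_if from $user_ip to any keep state
```

Because `block all` comes first and the user rule is `pass in quick`, an address that has no session simply keeps matching the block rule; the rule set never has to be edited by hand when a user logs in or out.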
At the beginning of 2011 this setup began having serious scalability issues. The root cause was that the network driver on the firewall server raised an interrupt for every packet, which made the kernel perform a huge number of context switches under high traffic. Apparently the amount of traffic people were generating around the beginning of 2011 was the tipping point for what the CPU in the firewall server could handle. Newer versions of FreeBSD switch to polling when the number of packets per second exceeds a certain limit.
There was also ongoing criticism of the fact that users have to authenticate with SSH, which makes it impractical to use devices such as game consoles, phones and tablets.
The scalability issue could in theory be solved by upgrading to the newest version of FreeBSD. An attempt to install a replacement server with the newest software versions was made, but it was unsuccessful. Focus was instead put on creating a new setup.
This setup was created in 2011-2012 because of the scalability issues with the Authpf based solution and the user demand for not having to authenticate via SSH.
When the setup is fully deployed, all edge switches in the dorms are configured so that each port leading to a room tags its traffic with a separate VLAN. All traffic must then pass through a firewall server running Linux, where a VLAN interface is set up for each user. This gives true layer 3 separation between all users and allows for the legally required flow logging.
WiFi users are handled by a RADIUS server, which supplies the VLAN ID that the access point must tag the wireless client's traffic with.
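The per-user VLAN interface described above is what ties a flow to a user in a non-spoofable way, so it is worth seeing what such an interface looks like on the Linux side. The script below is an added example and not K-Net's own provisioning code: it assumes the 802.1Q trunk toward the edge switches is `eth1`, that each room has one VLAN ID and one public IPv4 address, and that the firewall routes that address into the user's VLAN with proxy ARP on the user side. By default it only echoes the commands it would run; `APPLY=1` executes them (as root).

```shell
#!/bin/sh
# Added example, not K-Net's configuration. Assumptions: $TRUNK is the 802.1Q
# trunk toward the edge switches, every room/user has one VLAN ID and exactly
# one public IPv4 address, and the firewall routes that /32 into the user's
# VLAN interface while answering ARP for the gateway side (proxy_arp).
TRUNK="${TRUNK:-eth1}"

run() {   # dry-run by default; APPLY=1 executes the command for real
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# user_vlan_up VID USER_IP
# Creates one per-user VLAN interface and pins the user's address to it.
user_vlan_up() {
    vid=$1; uip=$2; dev="$TRUNK.$vid"
    run ip link add link "$TRUNK" name "$dev" type vlan id "$vid"
    run ip link set "$dev" up
    # in sysctl keys a dot inside the interface name is written as a slash
    run sysctl -w "net.ipv4.conf.$TRUNK/$vid.rp_filter=1"
    run sysctl -w "net.ipv4.conf.$TRUNK/$vid.proxy_arp=1"
    # the user's address is reachable only through this VLAN ...
    run ip route replace "$uip/32" dev "$dev"
    # ... and nothing but that address may enter from it: a frame on VLAN
    # $vid with any other source is dropped, so each logged flow maps to
    # exactly one user regardless of what the client claims as its source.
    run iptables -A FORWARD -i "$dev" ! -s "$uip" -j DROP
    run iptables -A FORWARD -i "$dev" -s "$uip" -j ACCEPT
    # replies from the internet back to the user's address only
    run iptables -A FORWARD -o "$dev" -d "$uip" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# user_vlan_down VID  -- removes the interface (and with it the user's path)
user_vlan_down() {
    run ip link del "$TRUNK.$1"
}

# dry-run demo with constructed values: VLAN 100, documentation address
user_vlan_up 100 192.0.2.10
```

Both the reverse-path filter and the explicit `! -s` drop rule express the same invariant (the only legitimate source on VLAN N is the address assigned to VLAN N); keeping both means a mistake in one layer does not silently let a spoofed source be logged against the wrong user.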
We have the possibility to throttle users to a lower (but still very usable) internet speed if they exceed the fair use limit, measured as the number of gigabytes transferred over a running 30-day window. The speed limit is removed again once the number of gigabytes transferred in the 30 days up to and including the current day falls below the fair use limit. The traffic control features of Linux were used to achieve this bandwidth throttling. However, it was decided to experimentally disable the fair use limit, as there is currently enough bandwidth.
Currently all 2500 users have been moved to the transparent firewall setup, though some are still required to use K-Net Utility to log in on their dormitory's wireless solution. The different dormitories are working on solutions to upgrade their wireless networks to the new system as well.
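The running 30-day fair use window is the same rule in both setups (full block under authpf, throttling under the VLAN setup), so here is one added example of how the decision and the Linux traffic control enforcement fit together. It is not K-Net's accounting code. It assumes the per-user counters are stored as one `YYYY-MM-DD bytes` line per day, that the window is the current day plus the 29 preceding days, that the limit is given in GiB, and that the throttled speed (`2mbit` here) is applied as a `tbf` qdisc on the user's VLAN interface, which only shapes the direction toward the user. The sample counter lines are constructed.

```shell
#!/bin/sh
# Added example, not K-Net's code. Assumptions: counters are "YYYY-MM-DD bytes"
# lines, the window is today plus the 29 days before it, the limit is in GiB,
# and throttling is a tbf qdisc on the user's VLAN interface TRUNK.VID.
TRUNK="${TRUNK:-eth1}"
SLOW_RATE="${SLOW_RATE:-2mbit}"   # assumed "lower but still usable" speed

run() {   # dry-run by default; APPLY=1 executes the command for real
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# fair_use_state TODAY LIMIT_GIB  < counter lines
# Prints "<GiB transferred in the window> <ok|throttled>".
fair_use_state() {
    awk -v today="$1" -v limit="$2" '
    # days since 1970-01-01 for a YYYY-MM-DD string (proleptic Gregorian),
    # so the window can be computed without any date library
    function dn(s,   p, y, m, d, era, yoe, doy, doe) {
        split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN { t = dn(today); sum = 0 }
    # keep only days inside the 30-day window ending today
    NF == 2 { age = t - dn($1); if (age >= 0 && age < 30) sum += $2 }
    END {
        gib = sum / 1073741824
        printf "%.2f %s\n", gib, (gib > limit ? "throttled" : "ok")
    }'
}

# enforce_fair_use VID TODAY LIMIT_GIB  < counter lines
# Applies or removes the speed limit on the user VLAN interface and prints
# the resulting state.
enforce_fair_use() {
    dev="$TRUNK.$1"
    state=$(fair_use_state "$2" "$3" | awk '{ print $2 }')
    if [ "$state" = "throttled" ]; then
        run tc qdisc replace dev "$dev" root tbf rate "$SLOW_RATE" burst 32kbit latency 400ms
    else
        run tc qdisc del dev "$dev" root || true   # nothing to remove is fine
    fi
    echo "$state"
}

# Constructed sample counters for one user: 200 GiB on 2012-02-01,
# 50 GiB on 2012-03-02 and 60 GiB on 2012-03-30.
SAMPLE='2012-02-01 214748364800
2012-03-02 53687091200
2012-03-30 64424509440'

printf '%s\n' "$SAMPLE" | fair_use_state 2012-03-31 100   # 110.00 throttled
printf '%s\n' "$SAMPLE" | fair_use_state 2012-04-01 100   # 60.00 ok
printf '%s\n' "$SAMPLE" | enforce_fair_use 100 2012-03-31 100
```

The two sample runs show the edge of the window: on 2012-03-31 the 2012-03-02 entry is 29 days old and still counts, so the user is over the limit; one day later it drops out and the user is unthrottled again, exactly the "past 30 days from the current day" behaviour the text describes.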
The following diagram illustrates the architecture of the VLAN based transparent firewall setup: