The following text is for readers with a technical understanding, who are interested in the setup K-Net is running.
There are around 2500 users on K-Net. They are all connected via ethernet equipment. We have the public IPv4 subnet 18.104.22.168/19 (8192 addresses). We do not have any IPv6 addresses yet.
Like all other ISP's in Denmark, the Danish law "logningsbekendtgørelsen" requires us to log all traffic flows together with the responsible user identity (see the law text here). We therefore have a firewall setup that allows us to distinguish between traffic from different users in a non-spoofable way.
Would you like to be part of improving our exciting setup? Read more about volunteering.
This setup was created in 2011-2012 because of scalability issues with the Authpf based solution, and the user demand to not have to authenticate via SSH.
When the setup is fully deployed, all edge switches in the dorms are set up so that each port leading to a room tags traffic with a seperate VLAN. All traffic must then go through a firewall server running Linux, where a VLAN interface is set up for each user. This enables true layer 3 seperation between all users, and allows for the legally required flow logging.
WiFi users are handled by a RADIUS server which supplies a VLAN ID that the access point must tag traffic from the wireless client with.
We have to possibility to throttle users to a lower (but still very usable) internet speed if they exceed the fair use limit in number of gigabytes transfered during running 30 days. The speed limit is removed again when the sum of gigabytes transferred in the past 30 days from the current day is less than the fair use limit. The traffic control features of Linux were used to achieve this bandwidth throttling. However, it was decided to experimentally disabled this the fair use max limit as there is enough bandwidth currently.
The following diagram illustrates the architecture of the VLAN based transparent firewall setup: