       LRN: APRIL 11, 2024
       
       This is my first entry into a series of logs used to track progress
       towards my learning objectives. I envision these logs as a learning
       and accountability tool. I can use a log like a very neat and tidy
       notebook: summarizing and reciting knowledge gained, or documenting
       what I've done and what's standing in the way (barriers can be
       emotional, even). How logs are written may change. But the basic
       constant is they become something that is written to accompany a
       session, or written retrospectively to reflect a session.
       
       
       OpenBSD router and firewall
       ----------------------------------------------------------------------
       I have been making attempts to replace my ISP's router and firewall
       with my own. It has been a big fucking challenge. I didn't realize
       just how little I know about the physical and data link layers of
       networking. Simultaneously gathering half-bits of information and then
       trying to apply this towards my objective has not worked
       well. Fuck. Anyways, below is a summary of what I've
       half-learned. It's probably full of mistakes.
       
       
       Configuration
       ......................................................................
       Fibre comes directly into my abode through a fibre optic cable. The
       cable plugs into a transceiver that plugs into the ISP's device. The
device runs OpenWrt. It is a router and a firewall.
       
My OpenBSD machine is an old Acer with 4GB RAM and a Pentium 4 CPU. I
added two network interface cards into its only PCIe slots: a card
with two ethernet ports[1], a card with a single SFP+ port[2]. My
efforts documented herein disregard the ethernet ports.
       
The SFP+ card shows up as interface "ix0" in OpenBSD. If the ISP's
       transceiver is plugged hot into the machine, a reboot is required
       otherwise the interface will forever say "Carrier: none". I don't know
       why this is so.
       
       The ISP uses VLANs to transmit the internet and its other services
       over the fibre connection. I don't quite understand VLANs. I think
       they encapsulate certain types of traffic in a network. Like, wrap a
       tag around a frame and then move that frame around according to the
       tag. For my ISP, VLAN 35 contains the internet, VLAN 36 TV. To create
       a VLAN and "tag" it with the correct traffic segment(?) I used
       `ifconfig'. Configuration of the interfaces was persisted as
       `hostname.if' configurations.
       
`hostname.ix0', the SFP+ card:
       
       ,----
       | inet -autoconf
       | mtu 1492
       | up
       | description "WAN"
       `----
       
       `hostname.vlan35', the VLAN:
       
       ,----
       | vnetid 35 parent ix0
       | mtu 1492
       | up
       | inet autoconf
       | description "internet" 
       `----
       
       Order of these rules can be important, especially for the VLAN. The
       VLAN's parent interface needs to be set before it begins asking for an
       IP lease.
       
       In my region, the ISP uses DHCP to assign a customer an IP. In other
       regions, it is necessary to authenticate using PPPoE. If I had to use
       PPPoE, I'd need my user/pass credentials for the ISP. I'd create a
       `pppoe' configuration file and somehow hook it into the 35 tagged VLAN
       I created.
       
       After a reboot, the `ix0' and `vlan35' interfaces were active. But no
       IP was being assigned. I made sure the firewall was turned off. I ran
       `sh /etc/netstart'. Nothing still. So I started `tcpdump' to capture
       packets. Then I tried to manually invoke DHCP with `dhcpleasectl
vlan35' and `dhcpleasectl ix0'. (I'm not sure which interface should
       request the IP, but I suspect it's the VLAN.) Nothing still.
       
       Inspecting the captured packets was interesting. I saw that they are
       part of the BOOTP protocol, which is some old thing used before (and
       now alongside) DHCP.
       
       ,----
       | 18:30:56.707442 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 90:e2:ba:39:0f:36 (oui Unknown), length 300
       `----
       
       There's never any response. So that could mean the request is
       malformed, or the request isn't leaving the machine. I do wonder about
       the MTU attribute, and whether I have that correct. I have read some
       ISP customers using 1492 and 1472. I did try 1500, too. I read that 8
bits need to be reserved for the tag, hence a value of 1492. But I
       actually don't know what an MTU attribute is, anyways.
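Added example, not part of this log: a small Python script that builds a
constructed 802.1Q-tagged DHCP DISCOVER frame, the kind of packet the
`tcpdump' line above summarizes, and dissects it back into its fields.
It shows what "wrapping a tag around a frame" amounts to on the wire: a
4-byte tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are
the VLAN ID) inserted after the source MAC, with the IP packet carried
unchanged behind it. The client MAC is taken from the capture line
above; the transaction ID and every other value are made up.

```python
"""Build and dissect an 802.1Q-tagged DHCP DISCOVER, the kind of frame the
capture above summarizes.  Added example; all values are constructed."""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def build_discover(client_mac: bytes, vlan_id=None, xid=0x3903F326) -> bytes:
    """Ethernet [+ 802.1Q tag] + IPv4 + UDP + BOOTP/DHCP DISCOVER (constructed)."""
    # BOOTP fixed header: op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0,
    # xid, secs=0, flags=broadcast, ciaddr/yiaddr/siaddr/giaddr all zero.
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4))
    bootp += client_mac.ljust(16, b"\0")        # chaddr (16 bytes)
    bootp += bytes(64) + bytes(128)             # sname, file
    # DHCP options: magic cookie, option 53 (message type) = 1 DISCOVER, end.
    dhcp = bootp + DHCP_MAGIC + bytes([53, 1, 1, 255])
    dhcp = dhcp.ljust(300, b"\0")               # classic 300-byte BOOTP minimum
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp   # checksum 0 = omitted
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(4), b"\xff" * 4)  # 0.0.0.0 -> 255.255.255.255
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\xff" * 6 + client_mac               # broadcast dst, client src
    if vlan_id is not None:
        # The tag is 4 bytes: TPID 0x8100 then TCI (3-bit PCP, 1-bit DEI, 12-bit VID).
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Dissect a frame into the fields tcpdump would print; raises if not BOOTP/DHCP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18        # tag shifts the IP header by 4 bytes
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:
        raise ValueError("not UDP")
    src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst_ip = ".".join(str(b) for b in frame[off + 16:off + 20])
    udp = off + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if (sport, dport) not in ((68, 67), (67, 68)):
        raise ValueError("not BOOTP/DHCP ports")
    bootp = frame[udp + 8:udp + ulen]
    op, hlen = bootp[0], bootp[2]
    msg_type = None
    if bootp[236:240] == DHCP_MAGIC:           # options follow the 236-byte fixed part
        i = 240
        while i < len(bootp) and bootp[i] != 255:
            if bootp[i] == 0:                  # pad option has no length byte
                i += 1
                continue
            code, length = bootp[i], bootp[i + 1]
            if code == 53:
                msg_type = DHCP_MSG_TYPES.get(bootp[i + 2], "type %d" % bootp[i + 2])
            i += 2 + length
    return {
        "vlan_id": vlan_id,
        "ip_header_ok": ip_checksum(frame[off:off + ihl]) == 0,
        "src": src_ip, "dst": dst_ip,
        "bootp_op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "op %d" % op),
        "client_mac": mac_str(bootp[28:28 + hlen]),
        "xid": struct.unpack("!I", bootp[4:8])[0],
        "bootp_length": len(bootp),
        "dhcp_message": msg_type,
    }


if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("90e2ba390f36"), vlan_id=35)
    print(len(sample), "byte frame:", parse_frame(sample))
```

The 300-byte BOOTP body is what tcpdump reports as "length 300"; the
tag adds 4 bytes to the Ethernet frame (346 bytes tagged versus 342
untagged here) and takes nothing away from the IP packet inside it. The
1492 figure that ISP customers quote comes from PPPoE, whose 8-byte
PPPoE/PPP header sits inside the 1500-byte Ethernet payload in regions
that authenticate that way. On the OpenBSD box itself, `tcpdump -e' on
the parent interface (`ix0') prints the link-level header, so it shows
directly whether each outgoing request carries the vid 35 tag.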
       
       I wonder about the use of `dhcpleasectl' to get the client's IP. I
       also tried `!dhclient \$if' in my `hostname.vlan35' configuration, to
       no avail.
       
       I wonder if there's something wrong with routes. But I don't know much
       about routes except seeing them with `route show'.
       
       I have also tinkered with `/etc/rc.conf.local', adjusting one line to
       read `dhcpd_flags=vlan35', whereas previously it was
       `dhcpd_flags=em0'. I think this is a mistake, because `dhcpd' is the
       daemon for acting as a DHCP server.
       
       
       Learning gaps
       ......................................................................
       I don't know enough about:
       
       - BOOTP/DHCP
       - VLANs
       - VLAN tagging
       - Routes
       
       
       Next steps
       ......................................................................
When I return to this endeavor I'm going to repeat all the above steps
but in pfSense. The advantage here is that other ISP customers who
have documented their steps removing the ISP router from their network
do so using pfSense. I wish I could figure this out in OpenBSD but my
skills are just not sufficient for me to troubleshoot all n factors
contributing to my failure.
       
       
pfSense router and firewall
       ----------------------------------------------------------------------
After work I installed pfSense on the Acer and configured it as per
above. Still, the DHCP client requests were failing to solicit a
response. So at this point I suspect the issue is the SFP+ card. This
means I need to swap the card for another card, or acquire a media
converter. Alternatively, I can achieve a compromise by keeping the
ISP device and putting the router/firewall into the device's DMZ.
       
       
       Next steps
       ......................................................................
       Research how people have used the device's DMZ to build a home
       network. I must also map out what I'm trying to achieve with my
       network, roughly speaking.
       
       
       Footnotes
       _________
       
       [1] From Amazon: "1.25G Gigabit Ethernet Converged Network Adapter (NIC) for Intel 82576 Chip, Dual RJ45 Copper Ports, PCI Express 2.0 X1, Compare to Intel E1G42ET."
       
       [2] From Amazon: "10Gb Network Card Single SFP+ Port PCIE Ethernet Server for Intel X520-DA1 82599EN Chip Support Windows 7/8/10/11/Visa,Server/Linux/VMware"