Paul L. Snyder on 8 Oct 2012 18:11:27 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] VPN design for home use

Thanks very much to everyone who made suggestions on this.  Sorry that I
haven't responded FiOS experience has been a nightmare, thus
far.  The techs were back out for the /sixth/ time on Friday to figure out
why the connection was dropping every half-hour or so.  At the last report,
they were able to make some captures while my connection was done, which
have been sent off to the ONT vendor for analysis...I am not the only
customer experiencing these issues, though I was apparently in the

It seems to be some weird backend interaction between the ONT and OLT when
the connection between the ONT and the router is running over MoCA.  As a
temporary workaround (which is, in fact, keeping the problem at bay) I'm
running off an Ethernet cable strung out my office window, around the
house, and through the garage into the basement until they can sort out
the hardware issues with the vendor.

The horribly slow speeds and packet loss turned out to be a completely
separate problem related to a bad gateway somewhere in Verizon's network.
Now that that's been resolved, I'm seeing more than satisfactory 58/30
speeds (for a connection that's theoretically 50/25).

On the plus side, the techs I've interacted with have been mostly very
good (though some of the phone staff is a bit clueless).  The only bad
experience has been with the extremely rude manager of the local office,
who called me to berate me for opening another ticket about the routing
issues after the tech had told me that there was nothing further he could
do about them.

Specific responses are inline below.

On Sun, 23 Sep 2012, Michael Dur wrote:

> Regarding hardware options I recommend (and use) a pcengines Alix board
> running pfsense.  They use the same geode processor in the cisco 55xx
> firewalls.  Pfsense offers support for various vpn's (I use openvpn when
> travelling), and is a great firewall and can provide other services as
> well.  You could also run it on an older pc.  Search on ebay for pfsense
> to see a variety of devices you can use.

Interesting...I'll look into pricing, compared to the cost of keeping an
old PC powered up.

On Fri, 21 Sep 2012, Julien Vehent wrote:

> >Thus, the time has come to look into a VPN provider. I've been considering
> >this for some time, but lack of trust for my new ISP has pushed me
> >over the
> >edge. #plug pointed me to this review of several services:
> >
> >
> Quite frankly, I wouldn't bother with any of those providers. I'd get a
> VPS or a small server (, OVH, ...) and route the
> VPN through. I personally have a dedibox (a small atom dedicated server)
> from a free ISP, hosted in Paris, that I use for that kind of stuff. It
> has a 1gbps connection and cost me ~18euros/month.

That's definitely something worth considering.  Do you get charged for
bandwidth used?

> Meh. If your firewall rules are clean, and your NAT properly done, you can
> probably live without the DMZ. That's not "state of the art", but
> good enough for a residential.

Well, that's more or less what I've been telling myself, but as someone's
who's worked IT security, I feel vaguely guilty every time I SSH in. It's
probably good enough for now, but I'll be doing it properly at some point.

> >Most of the VPN providers offer multiple exit points, and I'd like to be
> >able to adjust those on the fly, or direct particular types of traffic
> >through particular exit nodes. I'd also like to be able to direct some
> >traffic to not use the VPN when very low latency is desirable (such as
> >for gaming).
> That's done on your gateway. I believe you can use
> iptables/netfilter to mark
> packets and direct them to a specific routing table. I haven't done
> it myself
> but if you figure it out, please post about it.

I'm going for quick and dirty at the moment, but once I get this all sorted
out I'll do a talk sometime next year.
> It's all doable. As of VPN providers, I'd strongly insist that you do it
> yourself. Now, if you just want to poke around before deciding, I'd be
> happy to set you up with an openvpn access to my server in Paris, so you
> can play with the latency a bit.

Thanks for this offer! When I have a bit of time, I'll be in touch

On Fri, 21 Sep 2012, Lee H. Marzke wrote:

> There is no way your going to get FIOS speeds with a small consumer
> appliance router like the WRT-54...

The WRT doesn't do 802.11n, anyway, so it was about at the end of its
useful life.  Anyone have a rec for an n-capable router that can run

> What I have done lately is run ALL of this on one VMware host.
> - About a dozen servers ( Linux, Solaris, Windows )
> - pfSense firewall/router/vpn - all connected via vSwitches or VLAN's to a physical switch
> - Nexenta ZFS storage ( converts 6 local SATA disks to a SAN )
>   free version limited to 18TB
> - vCenter management server

Very interesting! If I can scrape up a bit more RAM for the box hosting my
server, this might be the way to go...

> I was considering presenting a talk about a "Data Center in a box" because
> I think it's really impressive that all this can run on one physical host.
> Actually it's a half-height rack with a Dell 2970 server, Cisco switch, and UPS
> and NAS backup device.
> Would anyone be interested in this talk ?   I can also talk about
> how to use VLAN's to run unlimited number of isolated Ethernet
> networks over one or two (redundant) connections.   

Yes please!  I, for one, would definitely be interested.

On Fri, 21 Sep 2012, Andrew Tsen wrote:

> On Fri, Sep 21, 2012 at 1:39 PM, Paul L. Snyder <>
> wrote:
> > do or look at on the Internet. I've also just discovered that they're
> > hijacking failed DNS lookups, a heinous practice that I had mistakenly
> > thought was throughly discredited in the industry.
> Did you look into if they are profiling your activities via DNS?  They
> seem to use openDNS or something similar to it.  If you set your DNS
> server to be something else, like or, does the failed DNS
> request still redirect to their custom page?
> If they are only using DNS to profile you, then the solution might just
> be not to use their DNS servers.

They actually document that they are doing this on their help pages, and
provide a "workaround"...if you take the DNS servers they're assigning via
DHCP and change them from .12 to .14, the .14 servers don't do the NXDOMAIN
hijacking.  It's still a loathsome practice, and I think that is to let
them drain off the anger from the people who think this is an awful thing
to do, so they can keep doing it to the less-savvy market segments with


P.S. Apologies, it looks like my MTA dumped an extra copy of my original
message in this thread to the list at some point during my network
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --