Setting up Satellite Internet Connection
Satellite Internet Connection HOW-TO
Introduction
This document briefly explains Satellite technology, how it works, what you need, configuration, and how to share it between several clients. The main focus is an Internet connection, i.e. satellite TV is not covered.
How does it work?
So first we make the request (using land Internet connection) to the Sat-Server usually via a tunnel, after it will retrieve out info from Internet and it will send it to Satellite; in the end we would receive data from the it to our home using a parabolic antenna and a Sat Card.
Satellite works very well with protocols, which have a little request data and a much bigger answer size. Although, a big time of answer is the biggest problem of satellite connection that may prevent using interactive services such as VoIP. The delay of answer may be considered basing on that a typical Sat distance is like 36.000 km, so an average overall delay time is 300-400 ms.
To install the little satellite system we need:
- DVB-S Card
- Parabolic Antenna (Satellite Dish)
- LNB Digital Converter
Technical Information
A satellite link as a classical Wireless link is very different from Wired link. It may cause some additional problems to solve, such as reachability, privacy problems and so on. Also there could be weather problems, particularly in snow or rain conditions.
Antenna / Converter
A parabolic antenna gives a very high gain in RX. A frequency that is being received from the satellite transponder is from 11GHz up to 12.7 GHz. The Digital Converter transforms it to 1-2 GHz and send signal to the DVB-S card receiver through the coax cable up to 30-40m. This documents assumes that your parabolic antenna is properly mounted and calibrated as well as proper converter (usually Ku-band) is used.
DVB-S Receiver Card
DVB-S card receives analog signals via coax cable and converts it to digital signals pretty like Ethernet card, after that the OS transforms it to a TCP/IP packets.
DVB Setup
Install DVB-S Card and check if system recognized it
Please note, that in most cases you need PCI version 2.1 or higher (check DVB card specifications). In practice it is Pentium-III or later systems.
lspci
Make sure that kernel modules are loaded
You have to use Alpine 1.7.10 release or higher that should load appropriate kernel modules for DVB card on startup. You may check if DVB devices are installed.
ls -la /dev/dvb*
Install LinuxTV Applications
apk_add linuxtv-dvb-apps
Create and edit file channels.conf
This file contains settings for each Satellite you are using. For example the satellite Sirius-4 Nordic Beam has the following parameters:
- Freq - 12322Mhz
- Polarization - vertical
- Symbol Rate - 27.654711Ms/s
- FEC -7/8.
Anyway, all parameters you have to receive from ISP or find in the Internet. Please look at Satellite Parameters and SES SIRIUS.
The following example is for "Sirius-4 Nordic Beam":
echo "Sirius4-Nord:12322:v:0:27500:0:0:0" >> /etc/channels.conf
Tune DVB Receiver
Check configured channels:
szap -c /etc/channels.conf -q
Tune the channel number 001:
szap -c /etc/channels.conf -n 1
In some cases you may need to run this command permanently in background because of a bug in kernel modules for some dvb cards.
- Option A:
szap -c /etc/channels.conf -n 1 > /dev/null 2>&1 &
- Option B:
start-stop-daemon --start --background --exec /usr/bin/szap -- -c /etc/channels.conf -n 1
Set up DVB network interface
Your ISP provides you the PID, which is used for select a transmission between many signal from same frequency.
dvbnet -a 0 -p $PID
ifconfig dvb0_0 hw ether $MAC ifconfig dvb0_0 $IP netmask 255.255.255.255 up
Here $IP is any IP address, which does not match with any other adrres in your network. The $MAC you specify here is usually the MAC address of your DVB card, in some cases ISP calculates MAC address for you. In any case ISP sends data only for registered MAC addresses.
Due to nature of satellite connection, the dvb interface receives packets, which have been originated from other sources, actually ether from land internet connection interface or, in most cases, from virtual tunnel device. So in order to allow receiving such packets the source validation should be disabled on dvb0_0 interface.
echo "0" > /proc/sys/net/ipv4/conf/dvb0_0/rp_filter
Another way to achieve that is to allow the shorewall to control that using ROUTE_FILTER and routefilter parameters.
Test if satellite interface is receiving data
You should see many packets for other clients of your ISP.
apk add tcpdump
tcpdump -n -i dvb0_0
Authentication with ISP
Before you receive your data via satellite your ISP should authenticate you as their registered client. There are several common techniques could be used:
- Some ISPs use the "Proxy Authentication", when you used their proxy, you also need to give login and password to continue the request. Once done, the ISP use your IP address to calculate your MAC address, to which send the answer.
- Some other ISPs require you make a VPN connection (using your login and password) first, then they will control your registration account (where they retrieve your MAC address) and will send data to your card (your MAC address).
- If you have static public IP, perhaps, the most convenient way is when ISPs suggest making a GRE/IPIP tunnel, which is used to sent authenticated requests to ISP satellite server. Consequently ISP sends back answers via satellite you are connected to.
Here is an example of setting up GRE tunnel with a ISP:
Make static routes
All queries to DNS servers of your land ISP should go via land line.
route add $DNS1 gw $DEFAULT_LAND_GATEWAY
route add $DNS2 gw $DEFAULT_LAND_GATEWAY
GRE packets should always go via land default gateway.
route add $SAT_ISP_GRE_IP gw $DEFAULT_LAND_GATEWAY
It is assumed that $DEFAULT_LAND_GATEWAY is default gateway given by the land ISP, $DNSx are your DNS servers provided by the land ISP and $SAT_ISP_GRE_IP is remote IP of GRE tunnel of the satellite ISP.
Changes of default route will be made after a tunnel interface is created.
Make GRE tunnel and setup tunnel interface
apk_add iproute2
modprobe ip_gre
modprobe tun
ip tunnel add tun0 mode gre local $MY_STATIC_IP remote $SAT_ISP_GRE_IP ttl 250
ifconfig tun0 $LOCAL_TUN_IP pointopoint $REMOTE_TUN_IP up
Parameters of a tunnel such as $SAT_ISP_GRE_IP, $LOCAL_TUN_IP, $REMOTE_TUN_IP are provided by the satellite ISP.
Now make new default route that goes via tunnel interface. So most requests will go via GRE tunnel to satellite ISP with source IP as $LOCAL_TUN_IP. Answers expected via dvb interface for destination IP as $LOCAL_TUN_IP.
route del default
route add default dev tun0
Test satellite internet connectivity
ping wiki.alpinelinux.org
tcpdump -n -i tun0
tcpdump -n -i dvb0_0 host $LOCAL_TUN_IP
Sharing Satellite Internet Connection
It is assumed that we need to share the satellite internet with clients in a local network that already is connected via second Ethernet interface to satellite internet machine. This requires enabling IP forwarding, set up simple SNAT masquerading and traffic filtering rules. The easiest way is to use Shorewall for that purpose.
Install shorewall
apk add shorewall
Set up shorewall.conf
IP_FORWARDING=yes ROUTE_FILTER=No CLAMPMSS=Yes # See RFC2923
Set up zones
inet ipv4 loc ipv4 tun ipv4 dvb ipv4
Set up interfaces
loc eth1 detect routefilter inet eth0 detect norfc1918,routefilter tun tun0 - norfc1918,routefilter dvb dvb0_0 -
Set up policy
loc all REJECT info dvb all REJECT info all all DROP info
Set up SNAT masquerading in masq
tun0 eth1
Set up params
#This IP address are provided by the satellite ISP SAT_ISP_GRE_IP= LOCAL_TUN_IP=
Set up rules
SECTION ESTABLISHED REJECT dvb fw:!$LOCAL_TUN_IP
SECTION RELATED REJECT dvb fw:!$LOCAL_TUN_IP SECTION NEW DNS/ACCEPT fw inet Ping/ACCEPT fw inet
#Allow Web/FTP queries via GRE tunnel to ISP # Answers come as RELATED/ESTABLISHED traffic via DVB Web/ACCEPT fw tun Web/ACCEPT loc tun FTP/ACCEPT fw tun FTP/ACCEPT loc tun Ping/ACCEPT fw tun Ping/ACCEPT pr tun
Set up tunnels
gre inet $SAT_ISP_GRE_IP
Conclusion
This document reviewed just basic ideas how to setup and share satellite internet connection. Further releases of Alpine Linux will include start up and configuration scripts (see Mailing Lists). Note, that more advanced traffic routing is beyond of scope of this document.
Another advanced topic that is beyond of scope is how to use remote proxy/VPN services to protect/encrypt your Satellite traffic against grabbers. This configuration may protect HTTP/POP3 and other types of data against unauthorized grabbing with attempts to sniff personal mail, electronic addresses and other information.