Setting up Satellite Internet Connection
Satellite Internet Connection HOW-TO
Introduction
This document briefly explains Satellite technology, how it works, what you need, configuration, and how to share it between several clients. The main focus is an Internet connection, i.e. satellite TV is not covered.
How does it work?
First we make the request (using a land Internet connection) to the Sat-Server usually via a tunnel. It will retrieve our info from the Internet and send it to the Satellite. Ultimately, we'll receive data from the satellite to our home using a parabolic antenna and a Sat Card.
Satellite works very well with protocols which have a small request data size and a much larger answer size. Large response delay is the biggest problem with satellite internet service. That may prevent using interactive services such as VoIP. The delay is caused by the distance the satellite is from the earth's surface, typically 36000 km. Average overall delay time is 300-400 ms.
To install the satellite system we need:
- DVB-S Card
- Parabolic Antenna (Satellite Dish)
- LNB Digital Converter
Technical Information
A satellite link as is very different from Wired link. It may cause additional problems such as reachability, privacy, etc. There could also be weather related problems, particularly in snow or rain conditions.
Antenna / Converter
A parabolic antenna has a very high gain. The satellite transponder frequency is from 11 GHz to 12.7 GHz. The Digital Converter translates it to 1-2 GHz and sends the signal to a DVB-S card receiver through as much as 30-40 km of coaxial cable. This document assumes your parabolic antenna is properly mounted and boresighted as well as the proper converter (usually Ku-band) is used.
DVB-S Receiver Card
DVB-S card receives analog signals via coax cable and converts them to digital signals similar to those found on an Ethernet. After that, the OS transforms it to TCP/IP packets.
DVB Setup
Install DVB-S Card and check if system recognized it
Note: in most cases you need PCI version 2.1 or later (check your DVB card specifications) i.e. a Pentium-III or newer system.
lspci
Make sure that kernel modules are loaded
You must use Alpine 1.7.10 release or newer that should load appropriate kernel modules for DVB card on startup. To check if DVB devices are installed, run:
ls -la /dev/dvb*
Install LinuxTV Applications
apk_add linuxtv-dvb-apps
Create and edit file channels.conf
channels.conf contains settings for each Satellite you are using. For example the satellite Sirius-4 Nordic Beam has the following parameters:
- Freq - 12322Mhz
- Polarization - vertical
- Symbol Rate - 27.654711Ms/s
- FEC -7/8.
You'll need to get the parameters from your ISP or find them on the Internet. The following example is for "Sirius-4 Nordic Beam":
echo "Sirius4-Nord:12322:v:0:27500:0:0:0" >> /etc/channels.conf
Tune DVB Receiver
Check configured channels:
szap -c /etc/channels.conf -q
Tune to channel number 001:
szap -c /etc/channels.conf -n 1
In some cases you may need to run this command permanently in the background because of a bug in the kernel modules for some dvb cards.
- Option A:
szap -c /etc/channels.conf -n 1 > /dev/null 2>&1 &
- Option B:
start-stop-daemon --start --background --exec /usr/bin/szap -- -c /etc/channels.conf -n 1
Set up DVB network interface
Your ISP provides you the PID, which is used for select a particular transmission from many signals on the same frequency.
dvbnet -a 0 -p $PID
ifconfig dvb0_0 hw ether $MAC ifconfig dvb0_0 $IP netmask 255.255.255.255 up
Here $IP is any IP address, which does not match any address on your network. The $MAC you specify here is usually the MAC address of your DVB card, in some cases ISP supplies MAC address for you. In any case, the ISP sends data only for registered MAC addresses.
Due to the nature of a satellite connection, the DVB interface receives packets, which have originated from other sources, usually from either a land internet connection or, in most cases, from a virtual tunnel device. In order receive such packets, the source validation should be disabled on the dvb0_0 interface.
echo "0" > /proc/sys/net/ipv4/conf/dvb0_0/rp_filter
Another way to achieve that is to allow shorewall to control it using ROUTE_FILTER and routefilter parameters.
Test if satellite interface is receiving data
You should see many packets for other clients of your ISP.
apk add tcpdump
tcpdump -n -i dvb0_0
Authentication with ISP
Before you receive your data via satellite, your ISP should authenticate you as their registered client. There are several common techniques in use:
- Some ISPs use "Proxy Authentication." When you use their proxy, you also need to supply a login name and password to continue the request. Once done, the ISP uses your IP address to calculate your MAC address, to which it sends the answer.
- Other ISPs require you to make a VPN connection (using your login and password) first, then they will control your registration account (where they retrieve your MAC address) and will send data to your card (your MAC address).
- If you have a static public IP, perhaps the most convenient way is when ISPs suggest making a GRE/IPIP tunnel which is used to send authenticated requests to the ISP's satellite server. Subsequently, the ISP sends replies via the satellite you are connected to.
Here is an example of setting up GRE tunnel with an ISP:
Make static routes
All queries to DNS servers of your land ISP should go via land line.
route add $DNS1 gw $DEFAULT_LAND_GATEWAY
route add $DNS2 gw $DEFAULT_LAND_GATEWAY
GRE packets should always go via land default gateway.
route add $SAT_ISP_GRE_IP gw $DEFAULT_LAND_GATEWAY
It is assumed that $DEFAULT_LAND_GATEWAY is the default gateway given by the land ISP, $DNSx are your DNS servers provided by the land ISP and $SAT_ISP_GRE_IP is the remote IP of the satellite ISP's GRE tunnel.
Changes of default route will be made after a tunnel interface is created.
Make GRE tunnel and set up the tunnel interface
apk_add iproute2
modprobe ip_gre
modprobe tun
ip tunnel add tun0 mode gre local $MY_STATIC_IP remote $SAT_ISP_GRE_IP ttl 250
ifconfig tun0 $LOCAL_TUN_IP pointopoint $REMOTE_TUN_IP up
Tunnel Parameters, such as $SAT_ISP_GRE_IP, $LOCAL_TUN_IP and $REMOTE_TUN_IP are provided by the satellite ISP.
Now make a new default route that uses the tunnel interface. Most requests will go to the satellite ISP via the GRE tunnel with a source IP of $LOCAL_TUN_IP. Answers are expected via the DVB interface for the destination IP $LOCAL_TUN_IP.
route del default
route add default dev tun0
Test satellite internet connectivity
ping wiki.alpinelinux.org
tcpdump -n -i tun0
tcpdump -n -i dvb0_0 host $LOCAL_TUN_IP
Sharing a Satellite Internet Connection
It is assumed we need to share the satellite internet with clients in a local network connected via a second Ethernet interface to a satellite internet machine. This requires enabling IP forwarding and setting up simple SNAT masquerading and traffic filtering rules. The easiest way is to use Shorewall for that purpose.
Install shorewall
apk add shorewall
Set up shorewall.conf
IP_FORWARDING=yes ROUTE_FILTER=No CLAMPMSS=Yes # See RFC2923
Set up zones
inet ipv4 loc ipv4 tun ipv4 dvb ipv4
Set up interfaces
loc eth1 detect routefilter inet eth0 detect norfc1918,routefilter tun tun0 - norfc1918,routefilter dvb dvb0_0 -
Set up policy
loc all REJECT info dvb all REJECT info all all DROP info
Set up SNAT masquerading in masq
tun0 eth1
Set up params
#This IP address are provided by the satellite ISP SAT_ISP_GRE_IP= LOCAL_TUN_IP=
Set up rules
SECTION ESTABLISHED REJECT dvb fw:!$LOCAL_TUN_IP
SECTION RELATED REJECT dvb fw:!$LOCAL_TUN_IP SECTION NEW DNS/ACCEPT fw inet Ping/ACCEPT fw inet
#Allow Web/FTP queries via GRE tunnel to ISP # Answers come as RELATED/ESTABLISHED traffic via DVB Web/ACCEPT fw tun Web/ACCEPT loc tun FTP/ACCEPT fw tun FTP/ACCEPT loc tun Ping/ACCEPT fw tun Ping/ACCEPT pr tun
Set up tunnels
gre inet $SAT_ISP_GRE_IP
Conclusion
This document reviewed just basic ideas how to setup and share satellite internet connection. Further releases of Alpine Linux will include start up and configuration scripts (see Mailing Lists). Note, that more advanced traffic routing is beyond of scope of this document.
Another advanced topic that is beyond of scope is how to use remote proxy/VPN services to protect/encrypt your Satellite traffic against grabbers. This configuration may protect HTTP/POP3 and other types of data against unauthorized grabbing with attempts to sniff personal mail, electronic addresses and other information.