Setting up Satellite Internet Connection

From Alpine Linux

Satellite Internet Connection HOW-TO

Introduction

This document briefly explains Satellite technology, how it works, what you need, configuration, and how to share it between several clients. The main focus is an Internet connection, i.e. satellite TV is not covered.

How does it work?

First we make the request (using a land Internet connection) to the Sat-Server usually via a tunnel. It will retrieve our info from the Internet and send it to the Satellite. Ultimately, we'll receive data from the satellite to our home using a parabolic antenna and a Sat Card.

Satellite works very well with protocols which have a small request data size and a much larger answer size. Large response delay is the biggest problem with satellite internet service. That may prevent using interactive services such as VoIP. The delay is caused by the distance the satellite is from the earth's surface, typically 36000 km. Average overall delay time is 300-400 ms.

To install the satellite system we need:

  • DVB-S Card
  • Parabolic Antenna (Satellite Dish)
  • LNB Digital Converter

Technical Information

A satellite link as is very different from Wired link. It may cause additional problems such as reachability, privacy, etc. There could also be weather related problems, particularly in snow or rain conditions.

Antenna / Converter

A parabolic antenna has a very high gain. The satellite transponder frequency is from 11 GHz to 12.7 GHz. The Digital Converter translates it to 1-2 GHz and sends the signal to a DVB-S card receiver through as much as 30-40 km of coaxial cable. This document assumes your parabolic antenna is properly mounted and boresighted as well as the proper converter (usually Ku-band) is used.

DVB-S Receiver Card

DVB-S card receives analog signals via coax cable and converts them to digital signals similar to those found on an Ethernet. After that, the OS transforms it to TCP/IP packets.

DVB Setup

Install DVB-S Card and check if system recognized it

Note: in most cases you need PCI version 2.1 or later (check your DVB card specifications) i.e. a Pentium-III or newer system.

lspci

Make sure that kernel modules are loaded

You must use Alpine 1.7.10 release or newer that should load appropriate kernel modules for DVB card on startup. To check if DVB devices are installed, run:

ls -la /dev/dvb*

Install LinuxTV Applications

apk_add linuxtv-dvb-apps

Create and edit file channels.conf

channels.conf contains settings for each Satellite you are using. For example the satellite Sirius-4 Nordic Beam has the following parameters:

  • Freq - 12322Mhz
  • Polarization - vertical
  • Symbol Rate - 27.654711Ms/s
  • FEC -7/8.

You'll need to get the parameters from your ISP or find them on the Internet. See Satellite Parameters and SES SIRIUS.

The following example is for "Sirius-4 Nordic Beam":

echo "Sirius4-Nord:12322:v:0:27500:0:0:0" >> /etc/channels.conf

Tune DVB Receiver

Check configured channels:

szap -c /etc/channels.conf -q

Tune to channel number 001:

szap -c /etc/channels.conf -n 1

In some cases you may need to run this command permanently in the background because of a bug in the kernel modules for some dvb cards.

  • Option A:

szap -c /etc/channels.conf -n 1 > /dev/null 2>&1 &

  • Option B:

start-stop-daemon --start --background --exec /usr/bin/szap -- -c /etc/channels.conf -n 1

Set up DVB network interface

Your ISP provides you the PID, which is used for select a transmission between many signal from same frequency.

dvbnet -a 0 -p $PID

ifconfig dvb0_0 hw ether $MAC ifconfig dvb0_0 $IP netmask 255.255.255.255 up

Here $IP is any IP address, which does not match with any other adrres in your network. The $MAC you specify here is usually the MAC address of your DVB card, in some cases ISP calculates MAC address for you. In any case ISP sends data only for registered MAC addresses.

Due to nature of satellite connection, the dvb interface receives packets, which have been originated from other sources, actually ether from land internet connection interface or, in most cases, from virtual tunnel device. So in order to allow receiving such packets the source validation should be disabled on dvb0_0 interface.

echo "0" > /proc/sys/net/ipv4/conf/dvb0_0/rp_filter

Another way to achieve that is to allow the shorewall to control that using ROUTE_FILTER and routefilter parameters.

Test if satellite interface is receiving data

You should see many packets for other clients of your ISP.

apk add tcpdump

tcpdump -n -i dvb0_0

Authentication with ISP

Before you receive your data via satellite your ISP should authenticate you as their registered client. There are several common techniques could be used:

  • Some ISPs use the "Proxy Authentication", when you used their proxy, you also need to give login and password to continue the request. Once done, the ISP use your IP address to calculate your MAC address, to which send the answer.
  • Some other ISPs require you make a VPN connection (using your login and password) first, then they will control your registration account (where they retrieve your MAC address) and will send data to your card (your MAC address).
  • If you have static public IP, perhaps, the most convenient way is when ISPs suggest making a GRE/IPIP tunnel, which is used to sent authenticated requests to ISP satellite server. Consequently ISP sends back answers via satellite you are connected to.

Here is an example of setting up GRE tunnel with a ISP:

Make static routes

All queries to DNS servers of your land ISP should go via land line.

route add $DNS1 gw $DEFAULT_LAND_GATEWAY

route add $DNS2 gw $DEFAULT_LAND_GATEWAY

GRE packets should always go via land default gateway.

route add $SAT_ISP_GRE_IP gw $DEFAULT_LAND_GATEWAY

It is assumed that $DEFAULT_LAND_GATEWAY is default gateway given by the land ISP, $DNSx are your DNS servers provided by the land ISP and $SAT_ISP_GRE_IP is remote IP of GRE tunnel of the satellite ISP.

Changes of default route will be made after a tunnel interface is created.

Make GRE tunnel and setup tunnel interface

apk_add iproute2

modprobe ip_gre

modprobe tun

ip tunnel add tun0 mode gre local $MY_STATIC_IP remote $SAT_ISP_GRE_IP ttl 250

ifconfig tun0 $LOCAL_TUN_IP pointopoint $REMOTE_TUN_IP up

Parameters of a tunnel such as $SAT_ISP_GRE_IP, $LOCAL_TUN_IP, $REMOTE_TUN_IP are provided by the satellite ISP.

Now make new default route that goes via tunnel interface. So most requests will go via GRE tunnel to satellite ISP with source IP as $LOCAL_TUN_IP. Answers expected via dvb interface for destination IP as $LOCAL_TUN_IP.

route del default

route add default dev tun0

Test satellite internet connectivity

ping wiki.alpinelinux.org

tcpdump -n -i tun0

tcpdump -n -i dvb0_0 host $LOCAL_TUN_IP

Sharing Satellite Internet Connection

It is assumed that we need to share the satellite internet with clients in a local network that already is connected via second Ethernet interface to satellite internet machine. This requires enabling IP forwarding, set up simple SNAT masquerading and traffic filtering rules. The easiest way is to use Shorewall for that purpose.

Install shorewall

apk add shorewall

Set up shorewall.conf

 IP_FORWARDING=yes
 ROUTE_FILTER=No
 CLAMPMSS=Yes # See RFC2923

Set up zones

  inet ipv4
  loc  ipv4
  tun  ipv4
  dvb  ipv4

Set up interfaces

  loc   eth1    detect   routefilter
  inet  eth0    detect   norfc1918,routefilter
  tun   tun0    -        norfc1918,routefilter
  dvb   dvb0_0  -     

Set up policy

  loc   all  REJECT  info
  dvb   all  REJECT  info
  all   all  DROP    info

Set up SNAT masquerading in masq

  tun0  eth1

Set up params

  #This IP address are provided by the satellite ISP
  SAT_ISP_GRE_IP=
  LOCAL_TUN_IP=

Set up rules

  SECTION ESTABLISHED
  REJECT        dvb  fw:!$LOCAL_TUN_IP
  SECTION RELATED
  REJECT        dvb  fw:!$LOCAL_TUN_IP
 
  SECTION NEW
  DNS/ACCEPT    fw   inet
  Ping/ACCEPT   fw   inet
  #Allow Web/FTP queries via GRE tunnel to ISP
  # Answers come as RELATED/ESTABLISHED traffic via DVB
  Web/ACCEPT    fw   tun
  Web/ACCEPT    loc  tun            
  FTP/ACCEPT    fw   tun           
  FTP/ACCEPT    loc  tun            
  Ping/ACCEPT   fw   tun           
  Ping/ACCEPT   pr   tun

Set up tunnels

  gre  inet   $SAT_ISP_GRE_IP

Conclusion

This document reviewed just basic ideas how to setup and share satellite internet connection. Further releases of Alpine Linux will include start up and configuration scripts (see Mailing Lists). Note, that more advanced traffic routing is beyond of scope of this document.

Another advanced topic that is beyond of scope is how to use remote proxy/VPN services to protect/encrypt your Satellite traffic against grabbers. This configuration may protect HTTP/POP3 and other types of data against unauthorized grabbing with attempts to sniff personal mail, electronic addresses and other information.

More information