Saturday, January 29, 2022

WiFi 6E Packet Capture

I wanted to use the Intel AX210 WiFi-6E adapter, which supports the new 6GHz channels, to capture traffic once I was able to set up communications between an Extreme AP4000u AP and a Windows 11 PC with the same Intel AX210 adapter. I could tell the Windows system was using 6GHz channels via netsh commands, but wanted to check the traffic via monitor mode.

My Linux capture platform is

    user@system:~$ cat /etc/debian_version
    11.1


running kernel

user@system:~$ uname -a
Linux system 5.14.0-0.bpo.2-amd64 #1 SMP Debian 5.14.9-2~bpo11+1 (2021-10-10) x86_64 GNU/Linux

which is a Debian 11 backports kernel.  The adapters on this system include:

user@system:~$ sudo interfaces.sh
Ndx Iface  Phy  Driver    Mode    Up? Channel      Width Center   Packets
0   wlan1  phy3 rt2800usb monitor Y    1 (2412MHz) 20MHz 2412 MHz 1298
1   wlan6  phy2 rt2800usb monitor Y    6 (2437MHz) 20MHz 2437 MHz 1407
2   wlan11 phy4 rt2800usb monitor Y   11 (2462MHz) 20MHz 2462 MHz 3462
3   wlancu phy1 mt76x2u   managed N                                  0
4   wlp1s0 phy0 iwlwifi   managed Y   36 (5180MHz) 80MHz 5210 MHz 2270


The AX210 wireless adapter is phy0 here and shows up in lspci as:

    01:00.0 Network controller: Intel Corporation Device 2725 (rev 1a)

with capabilities:

user@system:~$ iw phy phy0 info
    <cut>
        Frequencies:
            * 5955 MHz [1] (disabled)
            * 5975 MHz [5] (disabled)
            * 5995 MHz [9] (disabled)
            * 6015 MHz [13] (disabled)
            * 6035 MHz [17] (disabled)
            <cut>


Notice that the 6GHz channels are all ‘disabled’?  That doesn’t bode well for trying to capture on these channels.

This is what I had to go through to get the adapter to correctly assess that it was in an FCC region, and that it could actually use these 6GHz channels. Though the regulatory domain is correct for the system, it does not much matter when the adapter does not respect the system setting:


user@system:~$ iw reg get
global
country US: DFS-FCC
(2400 - 2483 @ 40), (N/A, 30), (N/A)
(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
(5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
(5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
(5730 - 5850 @ 80), (N/A, 30), (N/A)
(57240 - 71000 @ 2160), (N/A, 40), (N/A)
phy#0 (self-managed)
country 00: DFS-UNSET
(2402 - 2437 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS, NO-80MHZ, NO-160MHZ
(2422 - 2462 @ 40), (6, 22), (N/A), AUTO-BW, NO-80MHZ, NO-160MHZ
(2447 - 2482 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40PLUS, NO-80MHZ, NO-160MHZ
(5170 - 5190 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, PASSIVE-SCAN
(5190 - 5210 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, PASSIVE-SCAN
(5210 - 5230 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, PASSIVE-SCAN
(5230 - 5250 @ 160), (6, 22), (N/A), NO-OUTDOOR, AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, PASSIVE-SCAN
(5250 - 5270 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5270 - 5290 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5290 - 5310 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5310 - 5330 @ 160), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5490 - 5510 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5510 - 5530 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5530 - 5550 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5550 - 5570 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5570 - 5590 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5590 - 5610 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5610 - 5630 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, PASSIVE-SCAN
(5630 - 5650 @ 240), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, PASSIVE-SCAN
(5650 - 5670 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5670 - 5690 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5690 - 5710 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5710 - 5730 @ 80), (6, 22), (0 ms), DFS, AUTO-BW, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5735 - 5755 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5755 - 5775 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5775 - 5795 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-160MHZ, PASSIVE-SCAN
(5795 - 5815 @ 80), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40PLUS, NO-160MHZ, PASSIVE-SCAN
(5815 - 5835 @ 40), (6, 22), (N/A), AUTO-BW, IR-CONCURRENT, NO-HT40MINUS, NO-80MHZ, NO-160MHZ, PASSIVE-SCAN

What I had to do is bring up the adapter in managed mode, add a secondary monitor interface to this phy, and then perform a scan:

user@system:~$ sudo ip link set wlp1s0 down
user@system:~$ sudo iw dev wlp1s0 set type managed
user@system:~$ sudo ip link set wlp1s0 up
user@system:~$ sudo iw phy phy0 interface add mon0 type monitor
user@system:~$ sudo ip link set mon0 up


Execute the scan on the primary managed interface:

user@system:~$ sudo iw dev wlp1s0 scan
<cut>

Check the domain again:

user@system:~$ iw reg get
global
country US: DFS-FCC
<cut>
phy#0 (self-managed)
country US: DFS-UNSET
<cut>

Check the channel listing - consistent with the updated domain, the 6GHz channels are now available for client or monitor mode use (we still could not create an AP on these channels):

user@system:~$ iw phy phy0 info
<cut>
    Frequencies:
        * 5955 MHz [1] (22.0 dBm) (no IR)
        * 5975 MHz [5] (22.0 dBm) (no IR)
        * 5995 MHz [9] (22.0 dBm) (no IR)
        * 6015 MHz [13] (22.0 dBm) (no IR)
        * 6035 MHz [17] (22.0 dBm) (no IR)
        <cut>


Disable the managed interface:

user@system:~$ sudo ip link set wlp1s0 down


Set a 6GHz channel and use your favorite capture tool (tcpdump, dumpcap, wireshark, etc.) to capture in monitor mode on 6GHz:

user@system:~$ sudo iw mon0 set freq 6935 160 6985
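
The check below is an added example, not part of the original post: it reads 'iw phy ... info' text, reports whether the 6GHz frequencies are still disabled, and derives the center frequency that the set freq command above passes as its last argument. The function names and sample excerpts are constructed, and the block arithmetic assumes the standard 6GHz channel plan (frequency = 5950 + 5 * channel), which the post does not state.

```python
import re

# Constructed 'iw phy phy0 info' excerpts in the format shown above.
BEFORE_SCAN = """\
    * 5180 MHz [36] (22.0 dBm)
    * 5955 MHz [1] (disabled)
    * 6935 MHz [197] (disabled)
"""
AFTER_SCAN = """\
    * 5180 MHz [36] (22.0 dBm)
    * 5955 MHz [1] (22.0 dBm) (no IR)
    * 6935 MHz [197] (22.0 dBm) (no IR)
"""
FREQ_LINE = re.compile(r"\*\s+(\d+)(?:\.\d+)? MHz \[\d+\](.*)")

def six_ghz_state(iw_info):
    """Map each 6 GHz frequency (MHz) to 'disabled', 'no IR' or 'ok'."""
    state = {}
    for m in FREQ_LINE.finditer(iw_info):
        freq, flags = int(m.group(1)), m.group(2)
        if freq < 5925:                      # 2.4/5 GHz entry, not of interest
            continue
        if "disabled" in flags:
            state[freq] = "disabled"
        else:
            state[freq] = "no IR" if "no IR" in flags else "ok"
    return state

def center_freq(primary, width):
    """Center (MHz) of the width-MHz block holding a 6 GHz primary channel."""
    ch, rem = divmod(primary - 5950, 5)      # channel plan: f = 5950 + 5 * ch
    n = width // 20                          # 20 MHz channels per block
    if rem or ch % 4 != 1 or not 1 <= ch <= 233 or n not in (1, 2, 4, 8):
        raise ValueError(f"unsupported 6 GHz channel/width: {primary}/{width}")
    first = ch - (ch - 1) % (4 * n)          # lowest channel number in the block
    if first + 4 * (n - 1) > 233:
        raise ValueError(f"no {width} MHz block contains {primary} MHz")
    return 5950 + 5 * (first + 2 * (n - 1))

def set_freq_command(iw_info, dev, primary, width):
    """Build the 'iw <dev> set freq' argv; refuse channels still disabled."""
    if six_ghz_state(iw_info).get(primary, "disabled") == "disabled":
        raise RuntimeError(f"{primary} MHz is disabled on this phy; scan first")
    argv = ["iw", dev, "set", "freq", str(primary), str(width)]
    if width > 20:
        argv.append(str(center_freq(primary, width)))
    return argv
```
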


Saturday, March 21, 2020

Network-in-a-box with Mikrotik

I had a recent need to create some small, functional networks for colleagues to work at home and still be able to connect their wired and wireless devices for testing.  I thought I would document this for future use: though the Mikrotik devices are relatively inexpensive and feature-rich, configuration can be challenging even for basic things like VLANs.  Also note that for my purposes, there was a U-APSD defect that prevented some of my needed wireless devices from working correctly.  However, this was fixed last year:

https://mikrotik.com/download/changelogs/

What's new in 6.45.3 (2019-Jul-29 12:11):

*) wireless - improved U-APSD (WMM Power Save) support for 802.11e

I also chose to use the HAPac for this, for a number of reasons:

  1. It's relatively inexpensive
  2. It has two 802.11 radios, one for 2.4GHz and one for 5GHz and both can be used simultaneously
  3. Its wireless is 3 spatial stream capable
  4. It has enough wired ports for small configurations, but is extendable with other low-cost products
  5. It gives me almost everything in a small package - L3 routing/DHCP/DNS/NTP/IGMP querier/vlans/wireless/WPA2-Enterprise radius server/firewall/traffic generator/mirror port/etc; think Swiss army knife for networks.

Many other devices from this vendor will be similar, but not all.  When you move into the CRS switches, for example, they have more capable switch chips so some of the configuration would be different.  Note that the throughput requirements for this project are relatively low so I do not need line rate Ethernet (L2) switching.
   


Design 1



Goal: Use a Mikrotik HAPac device to implement this configuration. Two wireless networks (separate SSIDs) are needed, one for unicast devices, and the other for multicast-based devices. The unicast devices are in 802.11 powersave mode to preserve battery, so multicast/broadcast traffic needs to be controlled (i.e. excluded) as much as possible from this network (vlan 30).

1. On Port1, provide for DHCP client so device can be managed out of band as needed:

/ip dhcp-client
add disabled=no interface=ether1

2. Create bridge1 interface to contain the wireless and wired interfaces:

/interface bridge
add igmp-snooping=yes name=bridge1 protocol-mode=none vlan-filtering=yes

3. Add vlan interfaces (SVI):

/interface vlan
add interface=bridge1 name=vlan22 vlan-id=22
add interface=bridge1 name=vlan30 vlan-id=30

4. Create the wireless subsystem, including adding a second set of two virtual interfaces. This includes the LWAPV7 SSID using EAP-TLS, with the device acting as RADIUS authenticator, and the LWAPV8 SSID using WPA2-Personal with a PSK. Root, client, and server X.509 certificates were created off device, and the client root certificate and the server certificate plus key were imported through a manual operation not documented here.

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

add authentication-types=wpa2-psk eap-methods="" group-key-update=1h \
management-protection=allowed mode=dynamic-keys name=PSK \
supplicant-identity="" wpa2-pre-shared-key=<super secret goes here>

add authentication-types=wpa2-eap eap-methods=eap-tls group-key-update=1h \
management-protection=allowed mode=dynamic-keys name=EAPTLSLocal \
supplicant-identity="" tls-certificate=TLS_server.crt_0 tls-mode=\
verify-certificate

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
disabled=no frequency=2437 mode=ap-bridge security-profile=EAPTLSLocal ssid=\
LWAPV7 vlan-id=30 vlan-mode=use-tag wireless-protocol=802.11 wmm-support=\
enabled

add disabled=no keepalive-frames=disabled mac-address=E6:8D:FF:FF:FF:FF \
master-interface=wlan1 multicast-buffering=disabled name=wlan1_1 \
security-profile=PSK ssid=LWAPV8 vlan-id=22 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

set [ find default-name=wlan2 ] band=5ghz-a/n/ac country="united states2" \
disabled=no frequency=5825 mode=ap-bridge security-profile=EAPTLSLocal \
ssid=LWAPV7 vlan-id=30 vlan-mode=use-tag

add disabled=no keepalive-frames=disabled mac-address=E6:8D:FF:FF:FF:FF \
master-interface=wlan2 multicast-buffering=disabled name=wlan2_1 \
security-profile=PSK ssid=LWAPV8 vlan-id=22 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

5. Add interfaces to the bridge:

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1_1
add bridge=bridge1 interface=wlan2_1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3 pvid=22
add bridge=bridge1 hw=no interface=ether4 pvid=30
add bridge=bridge1 hw=no interface=ether5

6. Configure VLANs on the bridge:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,wlan1_1,wlan2_1 untagged=ether3 \
vlan-ids=22
add bridge=bridge1 tagged=bridge1,ether5,wlan1,wlan2 untagged=ether4 \
vlan-ids=30

7. Add IP addresses to the various interfaces:

/ip address
add address=192.168.11.1/24 interface=bridge1 network=192.168.11.0
add address=192.168.22.1/24 interface=vlan22 network=192.168.22.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0

8. For convenience, add DHCP capability for each supported VLAN:

/ip pool
add name=pool1 ranges=192.168.11.200-192.168.11.240
add name=pool22 ranges=192.168.22.200-192.168.22.240
add name=pool30 ranges=192.168.30.200-192.168.30.240

/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 lease-time=1d name=\
server1
add address-pool=pool22 disabled=no interface=vlan22 lease-time=1d name=\
server22
add address-pool=pool30 disabled=no interface=vlan30 lease-time=1d name=\
server30

/ip dhcp-server config
set store-leases-disk=immediately

/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
add address=192.168.22.0/24 gateway=192.168.22.1
add address=192.168.30.0/24 gateway=192.168.30.1

9. Set WMM priority for 802.11 frames as they are transmitted from this device over WiFi (optional)

/interface bridge filter
add action=set-priority chain=forward in-bridge=bridge1 mac-protocol=vlan \
new-priority=6 passthrough=yes vlan-id=30

10. Manage IGMP snooping: enable PIM to activate an IGMPv2 querier:

/routing pim interface
add interface=vlan22

For the WPA2-Enterprise configuration, the XCA tool (http://hohnstaedt.de/xca) was used to create the following, all using RSA keys due to specific limitations of the products in use:

  1. Server key pair and self-signed server certificate. Once both are imported separately in PEM format, certificate first, the certificate is named TLS_server.crt_0. Since this is self-signed, it must be placed on each device, i.e. using certificate pinning.
  2. Root key pair and self-signed rootCA for client signing. Since the server certificate is self-signed, this is not needed for validating the server certificate but is used to verify client certs. Import just the root X.509 certificate to the box so the clients can be authenticated.
  3. On factory reset of the device, even though I have the config file, I found I need to import the X.509 certificates first before the wireless configuration will import.

If enterprise authentication on WiFi is not needed, just use a psk with WPA2-Personal. Choose this profile when setting up the wlan configurations (for this example, this is the PSK profile).


As is often the case, the same SSID is available on both the 2.4 and 5GHz bands (i.e. b/g/n or a/n/ac). Two separate networks are also needed for different device types here, so they are bridged to separate vlans. If this box is uplinked, a trunk port is provided (so the other side must be configured to trunk as well); for very small implementations that just need separate networks and some unicast routing across vlans, use the access ports provided on ports 3 & 4.

Configuration 2: Only access ports for VLAN22



Presume that we only need Access ports on VLAN22, so ether2/3/4 are all on this VLAN now. Changes would be:

5. Add interfaces to the bridge:

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1_1
add bridge=bridge1 interface=wlan2_1
add bridge=bridge1 hw=no interface=ether2 pvid=22
add bridge=bridge1 hw=no interface=ether3 pvid=22
add bridge=bridge1 hw=no interface=ether4 pvid=22
add bridge=bridge1 hw=no interface=ether5

6. Configure VLANs on the bridge:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,wlan1_1,wlan2_1 untagged=ether2,\
ether3,ether4 vlan-ids=22
add bridge=bridge1 tagged=bridge1,ether5,wlan1,wlan2 vlan-ids=30
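
Moving from Design 1 to Configuration 2 means changing steps 5 and 6 together. The check below is an added example, not part of the original post or of any MikroTik tooling: it parses export text and reports bridge ports whose pvid, or wireless interfaces whose vlan-id, disagree with the bridge VLAN table. The function names and the trimmed sample export are constructed, and it assumes a single VLAN ID per vlan-ids entry.

```python
import re
from collections import defaultdict
# Constructed sample: Configuration 2's ports (step 5) with Design 1's VLAN table (step 6).
EXPORT = r"""
/interface wireless
set [ find default-name=wlan1 ] ssid=LWAPV7 vlan-id=30 vlan-mode=use-tag
add master-interface=wlan1 name=wlan1_1 ssid=LWAPV8 vlan-id=22 \
vlan-mode=use-tag
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan1_1
add bridge=bridge1 hw=no interface=ether2 pvid=22
add bridge=bridge1 hw=no interface=ether3 pvid=22
add bridge=bridge1 hw=no interface=ether4 pvid=22
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,wlan1_1 untagged=ether3 vlan-ids=22
add bridge=bridge1 tagged=bridge1,wlan1 untagged=ether4 vlan-ids=30
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|[^\s\]]+)')

def parse_export(text):
    """Yield (section, {key: value}) per set/add line, joining '\\' continuations."""
    section = None
    for line in text.replace("\\\n", "").splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif line.strip():
            yield section, dict(KV.findall(line))

def vlan_findings(text):
    """Return mismatches between pvid / wireless vlan-id and the bridge VLAN table."""
    member = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    pvid, wlan = {}, {}
    for section, kv in parse_export(text):
        if section == "/interface bridge vlan":
            for kind in ("tagged", "untagged"):
                member[kv["vlan-ids"]][kind] |= set(kv.get(kind, "").split(","))
        elif section == "/interface bridge port":
            pvid[kv["interface"]] = kv.get("pvid", "1")  # RouterOS default pvid is 1
        elif section == "/interface wireless" and kv.get("vlan-mode") == "use-tag":
            wlan[kv.get("name") or kv["default-name"]] = kv["vlan-id"]
    out = [f"{p}: pvid={v} but not untagged in vlan {v}"
           for p, v in pvid.items() if v != "1" and p not in member[v]["untagged"]]
    out += [f"{w}: vlan-id={v} but not tagged in vlan {v}"
            for w, v in wlan.items() if w not in member[v]["tagged"]]
    out += [f"{p}: untagged in vlan {v} but pvid={pvid.get(p, '1')}" for v in sorted(member)
            for p in sorted(member[v]["untagged"] - {""}) if pvid.get(p, "1") != v]
    return out
```
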


Performance

I know this design will cause switched frames to be handled by CPU, so for high data traffic, this may not be the best design (there are other solutions like using the switch chip directly).  What can this do?

With the bridge set to vlan filtering, the CPU does all forwarding at layer 2 & 3; this can make it difficult to get full line rate from switching. Here is a look at the performance of the system with two wired iperf clients on vlan22. We can see that we are getting about 1GBps (basically full line rate) for one connection, at a cost of most of the CPU.

To support more devices on VLAN22, we can add a managed L2 switch with IGMP snooping, with or without VLANs.