Ethernet Device

I'm considering what kind of project I'd like to do for my next year in college. I have an idea for creating a network host device that will work on an Ethernet LAN. Obviously, my device would need some sort of Network Interface Card in it.

Thinking about it for about 10 seconds tho, I realised that it might be a *very* complicated job to create a Network Interface Card, considering things like having to implement Carrier Sense Multi-Access/Collision Detection. Not that I'm one to shy away from a big job, but I plan on having this project done within a year :-P

So I'm thinking maybe I should just get a small NIC from somewhere else and use it on my board? That way, my board would consist of my microcontroller which would have networking code on it, and the microcontroller would interface with the on-board NIC.

I did a quick search on the net for small NICs and I came across these funky little USB devices:

[link]

Basically it's a tiny little NIC that connects to a PC via USB. Would it be feasible to take the circuit board out of one of these and use it on my own board? I realise that I would then need some sort of USB interface for my microcontroller but maybe there's an easy way of doing that...? The bulk of my own project would then be working with the microcontroller and programming it.

Also, what kind of microcontroller would I use if I was intending to send data at about 100 Mbps... seems like I'd need a pretty fast one?

One last question... why are network cards so big? I have some decade-old network cards in my house and they're about the size of an envelope. I would have thought they could fit all of that into the size of a postage stamp...?

--
Tomás Ó hÉilidhe

Hi there,

For modern designs it is worth considering a microcontroller with an Ethernet interface. For example, you can use a Cortex-M3 chip from LuminaryMicro [link] (it comes with example code, device driver code, etc).

It doesn't have USB, but the board has a USB to serial converter so you can transfer data via a virtual COM port on your PC.

Although you are using 100M Ethernet, the required speed of the processor / microcontroller depends on the actual data bandwidth. The transfer rate is handled by the Ethernet interface of the microcontroller, not by the processor core inside the chip. So if you are not sending or receiving large amounts of data, almost all 32-bit processor cores can cope with your 100M Ethernet application.

regards Joseph


I want to make a "network infiltrator". Here's a description of it:

Let's say there are two Ethernet networks separated by a router; let's call them LAN1 and LAN2.

Let's say that there's a host known as "StorageServer" on LAN2 that has samba file-sharing, except it only takes requests from hosts on its own network. (This can be achieved via a firewall which will block port 445 unless the request is from within the same network).

A host on LAN1 needs to access the file shares on StorageServer, but the only way it can do this is to somehow send a frame on LAN2 which contains a packet whose source IP address and source MAC address correspond to the LAN2 network.

The router won't send such a frame... and I don't think the Internet would last very long if it did :-D

Therefore I want to make a device which will connect into the hub on LAN2. This device will take in all frames on the network, wrap them in an IP packet and send them out to the host on LAN1. (It will be sending out a frame which contains a packet which contains a frame). Also, it will receive packets from the host on LAN1 and send them out as frames on LAN2, giving my device's IP address and MAC address as the source address.

The end result of all this will be that the host on LAN1 will be able to behave exactly as if it were sitting on LAN2.

On the software side of the project, I'll have to write a program for the host on LAN1, and also I'll have to write a program for the microcontroller in my device.

So basically I need a microcontroller setup that will allow me to receive frames, analyse them, and send out frames.

Anyone got suggestions for hardware? (Also if you could give a ball-park figure of the price, that would be handy)

One more thing: If possible, I'd like to make the circuit board not bigger than the size of a credit card. I don't think that would be too impossible considering the small size of chips such as those in the PIC family.

The patent is pending. (Really it's just a project for myself but my project advisor helped me out with a patent just in case it turns out to be something that people want to buy).

--
Tomás Ó hÉilidhe

Hi Tomás,

How does an 8052 running TCP/IP over a $2.00 ISA NIC sound?

[link]

Trespasser

Not sure about the complication on the protocol, but for the hardware you are trying to do, it looks like you do really need a fast processor if you want to transfer these packets across two networks in real time. (I am not sure if this is the right thing to do, especially if both networks are quite busy). For this kind of application, maybe you should have a look at "network processors", which are specially designed for this kind of application.

Joseph


[Description Snipped]

The AVR32 NGW100 development board should be able to do this. It is quite well priced, but is a bit bigger than your target size. It is of course possible to make it the size you require, but in small quantities this would be very expensive. I doubt whether you would find anything cheaper than the AVR32 dev kit.

Regards Anton Erasmus


You are going to build a VPN appliance. Congratulations. Such beasts are readily available.

Have a look at OpenVPN [link], especially the section on Ethernet bridging [link]. Unix/Linux and Windows versions available for free.

For the hardware visit [link] and buy:

- gumstix connex 400xm: 129$

- netDUO-MMC: 94$

It comes with a small linux system pre-installed, so you only need to cross-compile openvpn for Arm Linux and install&configure it, and you are done.

Seems to be a nice project for a long weekend.

If you like you can do a hardware redesign afterwards. You'll get the complete schematics. But beware - the processor board is a 6 layer multilayer, and you are expected to handle BGA packages!

And stop reinventing wheels.

Kind regards

Frank-Christian Krügel


Just a thought about prior art.

In what ways does this differ from NAT (Network Address Translation)? Is it because you are targeting specifically SAMBA services?

Ed

Ed Prochak

Frank-Christian Kruegel wrote in comp.arch.embedded:

I didn't realise. Do they do *exactly* what I'm intending to do? (i.e. do they make it look as if a WAN host is sitting on the LAN?)

It'll probably take me a few weeks or months.

Contrary to your condescending tone, I'm not in the business of inventing anything. The purposes of this project are:

  • To demonstrate my embedded systems ability to the people who will be giving me my degree
  • To learn from the project
  • To take enjoyment from the project

I don't care if there's five trillion of these devices out there already, I'll still be making my own.

And you'll find that the whole wheel analogy breaks down when you move on to more complicated stuff... because there's almost always a better way of doing it.

--
Tomás Ó hÉilidhe

On Thu, 20 Dec 2007 13:04:21 GMT, I said, "Pick a card, any card" and "Tomás Ó hÉilidhe" instead replied:

Try the WIZ810MJ. Very low cost for evaluation kit and extras.

[link]
[link]

They have specs and manuals there. Good luck with your project.

-- Ray

Ray Haddad

Ed Prochak wrote in comp.arch.embedded:

Sorry I don't know anything about NAT.

The idea behind this device is that if you have access to the hub/switch on the LAN in question, you'll be able to access the LAN's services from the WAN irrespective of whether the particular LAN was designed to not provide services outside of the LAN.

It can be used by network administrators for testing and so forth.

--
Tomás Ó hÉilidhe

Tom:

There is a difference between NAT and VPN:

A VPN takes the local network packets and packs them into the WAN protocol packets. There are VPNs using TCP or UDP for the transport of packets, as well as special protocols for VPN tunneling. Usually the VPN packets are also encrypted to preserve the privacy of the LANs.

In a TCP/IP over Ethernet network the VPN tunneled packets can be the IP packets or the Ethernet frames, each method has its own advantages and drawbacks.

For the Microsoft SMB protocol, there are certain advantages to do the tunneling at the Ethernet level, as the basic SMB is not designed to be routed.

A NAT simply preserves the IP packets but changes the addresses in them to suit the transport connection.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi
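
The distinction drawn in the post above, as an added example that is not part of the original thread: NAT keeps the IP packet and rewrites an address in its header, while Ethernet-level tunneling carries the whole frame unchanged as payload. The 4-byte tunnel header, the function names and the sample frame are constructed for illustration and match no real VPN protocol; the encryption a real VPN applies is left out.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                payload: bytes = b"constructed payload") -> bytes:
    """Constructed sample: Ethernet II header + 20-byte IPv4 header + payload.
    Protocol 253 (reserved for experimentation) avoids any layer-4 checksum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     253, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + payload

def nat_rewrite_source(frame: bytes, new_src_ip: str) -> bytes:
    """NAT: the IP packet is preserved, only its source address changes.
    (A real NAT also fixes TCP/UDP checksums and tracks the mapping.)"""
    eth, ip, rest = frame[:14], bytearray(frame[14:34]), frame[34:]
    ip[12:16] = socket.inet_aton(new_src_ip)
    ip[10:12] = b"\x00\x00"                      # zero checksum before recomputing
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return eth + bytes(ip) + rest

TUNNEL_MAGIC = 0x4C32  # hypothetical marker, not from any real VPN protocol

def tunnel_wrap(frame: bytes) -> bytes:
    """Ethernet-level tunneling: the whole frame becomes opaque payload that
    would travel inside a UDP or TCP connection across the WAN."""
    return struct.pack("!HH", TUNNEL_MAGIC, len(frame)) + frame

def tunnel_unwrap(datagram: bytes) -> bytes:
    """Recover the inner frame, rejecting truncated or foreign datagrams."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than tunnel header")
    magic, length = struct.unpack("!HH", datagram[:4])
    if magic != TUNNEL_MAGIC or length != len(datagram) - 4:
        raise ValueError("bad magic or length mismatch")
    return datagram[4:]

# Constructed sample values: documentation IP ranges, locally administered MACs.
SAMPLE = build_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                     "192.0.2.10", "198.51.100.20")

if __name__ == "__main__":
    natted = nat_rewrite_source(SAMPLE, "203.0.113.7")
    print("NAT changed bytes:", sum(a != b for a, b in zip(SAMPLE, natted)))
    print("tunnel round-trip intact:", tunnel_unwrap(tunnel_wrap(SAMPLE)) == SAMPLE)
```

After NAT the frame has the same length and payload but a different source address and header checksum; after wrap and unwrap the inner frame, MAC addresses included, is byte-for-byte identical.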

Yes. Just try out Openvpn. It's free.

The list above shouldn't take months. Start easy and use a Linux PC for the first setup.

Ok. I'd change the project for that purpose a bit:

- Leave out the wirespeed requirement. A proof of concept is enough for a student project. Using 10 MBit interfaces and slower controllers will enable you to use simpler, cheaper chips that don't need expensive equipment to handle.

- Use existing protocols and PC software. Both microcontroller and PC client development might be simply too much work, and if you look at the OpenVPN source you may imagine how many hours people have spent on it. Plenty, I say. Not to mention the amount of work for a Windows kernel mode driver, which is more than enough as an assignment on its own.

Kind regards

Frank-Christian Krügel


So we have two separate LANs in the same organisation, connected by a router that may or may not be running a bridging function.

So whereabouts is the firewall on the Samba Server, the router or even a different place?

If the router is truly between two LANs and not a LAN and a WAN, and is sufficiently good, there should already exist various mechanisms even for SMB protocol bridging/routing/VPN in the router that have been disabled for the purposes of your scenario.

If the router is between a LAN and a WAN there already exists the ability for VPN or even for other protocols Port Forwarding in the router anyway. Port Forwarding ensures that all traffic for a particular port (e.g. HTTP for Web is forwarded to a specific port or port on a specific machine). A lot of places run Port forwarding to specific machines, so that multiple supposed servers at one public (WAN) IP address are actually different machines on a DMZ private address range.

That is part of the router's function, when being a Router, Gateway or Bridge. Whether other encapsulation is also needed depends on the protocol used, and where it needs to be put in. These functions already exist.

If these functions of changing MAC and IP address did not already exist, quite a lot of routing to the internet would not work.

That very much depends on the router configuration, and remember the most common port to block on a router is 135, 139 for File/Printer sharing in Microsoft Networks and they are often attempted from the Internet to hack into systems!

So you want to create a device to bypass a router to add the functions that have been disabled! Most serious network admins would want to shoot you as a potential security threat!

Which is what Routing and Bridging (with or without encapsulation) is all about.

Get a router that does not have a WAN interface and that is your complete system.

See above about getting an existing router to start with.

Do some research on network Bridges and Routers, and see what people do for accessing servers from LAN to LAN, and even LANs separated by a WAN connection looking up VPN, SSH and the like.

If you must do this as your project, get a PC and insert a second network card and use various ethernet analyser tools to examine what is going on first. Then find the smallest router that you can play with, there are various

I doubt you could get a PIC to operate two LANs at 100Mb, and would struggle doing 10Mb. Let alone the amount of RAM required to buffer packets between the two networks (both ways simultaneously as all have to be inspected).

As to the size, how do you expect to power it?

Once you have put two RJ45 connectors (even with built in magnetics) on the credit card size board, there will be a LOT of space lost!

If a Patent gets granted it will show how bad the validity of Patents is getting.

--
Paul Carpenter          | paul@pcserviceselectronics.co.uk
    PC Services
              GNU H8 & mailing list info
             For those web sites you hate

It will if you configure it to do so.

You think wrong.

What you're trying to do could be accomplished with an off-the-shelf $50 firewall/router and either NAT or VPN. Either would work, but they would work in slightly different ways.

You could also do it with ssh and port-forwarding.

I've done _exactly_ what you're describing using both a PPPoE VPN connection and using ssh/port-forwarding. Both work fine.

Then your advisor is an idiot. You're a student, so one might not be surprised that you're re-inventing the wheel as an educational exercise. But, if your advisor doesn't know that wheels already exist and thinks you're going to patent the wheel, then I wouldn't take anything he says very seriously.

--
Grant Edwards                   grante             Yow! Here I am in 53
                                  at               B.C. and all I want is a
                               visi.com            dill pickle!!

Frank-Christian Kruegel wrote in comp.arch.embedded:

I've had a little think about this.

On the WAN host that wants access to the LAN, I would like for there to be a "virtual" NIC which corresponds to the host's presence on the LAN being infiltrated. This virtual NIC would be exactly like a real NIC, e.g. you can use ipconfig for it on Windows, or ifconfig for it on Linux.

Ideally for this virtual NIC, I'd like to have a driver which will work on Windows, Linux and the Mac... but I don't think that's doable without writing three separate drivers.

The driver would be something like as follows. Firstly, you'd have to provide it with the following info:

  • The IP address of the infiltrator
  • The NIC via which packets will be sent to and received from the infiltrator

It would then do the following:

  • When the OS wants to send a frame via the virtual NIC, the driver wraps the frame in a packet and sends it out via the designated NIC to the infiltrator.
  • When a packet is received to the designated NIC from the infiltrator, it takes the wrapped frame out of the packet and gives it to the OS.

Looks like I'll have to come up with my own little protocol as well for sending and receiving packets from the infiltrator.

Does it really sound like a mammoth of a task? Is there any way I could write a single driver that will work on all systems... ? I was thinking that this might be achievable if I were to create a second device which connects to the WAN host via USB. This second device would identify as a very common NIC so that the OS would use its own drivers for it. The actual driver code would then go on a microcontroller on the second device... but that might leave me having to put a NIC in the second device too.

Obviously the "software driver" would be preferable over the "hardware driver" because you can copy software.

Any thoughts?

--
Tomás Ó hÉilidhe

Yes, that's how a VPN connection works. This has all been invented already and is included in Windows, MacOS, and every flavor of Unix/Linux out there.

You don't have to write anything. It's been done. It's all _there_ already in the OS that's on your PC right now. The drivers are already in both Linux and Windows and MacOS. There are already free, open source servers (and clients). You can buy a $50 firewall, connect it to the LAN and configure a VPN connection from the WAN host.

Or you can just add a second NIC to any PC on the LAN and configure the OS to terminate incoming VPN connections from "wan hosts".

Or you find a junked 486 PC with two NICs and install a Linux firewall/router Linux distro on it and turn it into a firewall/router that can handle VPN connections.

Pick any of the options above and then configure either a PPTP or IPsec VPN connection from the WAN host. That will create a "virtual NIC" on the WAN host that appears to be on the LAN.

There are already several such protocols. PPTP and IPSec are the two most popular:

[link]
[link]

There are servers and clients for Windows, Linux/Unix, and MacOS. Microsoft's PPTP implementation has security issues (big surprise there), but the open-source PPTP implementations are secure.

Nobody's saying you can't design your own tunneling protocol, design server hardware/software, and write drivers for Windows, Linux, and MacOS. But, you're talking about a _lot_ of work. I would guess it would take a team of 2-3 people a year or two (full-time) to get something usable.

We just want you to know that what you're talking about is very common and is already included in every firewall/router and OS (that has network support) on the market.

You can buy dozens of different small single-board computers that can run Linux and have two NICs[1]. Any of them can be configured to do what you want in under an hour. Somebody already posted a link to Gumstix.

Here's a nice little IA32 box that would work swimmingly:

[link]

[1] Actually, you don't even need two NICs. A single NIC and an Ethernet switch with VLAN capability will also work (that's how many of the consumer-grade firewalls work).
--
Grant Edwards                   grante             Yow!  Can you MAIL a BEAN
                                  at               CAKE?
                               visi.com