David Casti
2003-Jul-24 08:40 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
Hello,

I am trying to get Shorewall to provide masquerading over my PPPoE interface. I've looked through the Shorewall docs and archives, and can't find an example that quite matches my situation.

I have a PPPoE session connected to the interface ppp0. This interface has an address in network 10. ppp0 is physically connected to eth0 which has an address in the 12.x.x.x/28 range. eth1 is connected to my internal network, which uses the 172.16.0/24 range.

I have placed ppp0 in my interfaces file, and static NAT works --

12.x.x.x ppp0 172.16.0.59 Yes No

-- however, a similar approach to masquerading doesn't work --

ppp0 eth1

-- and also --

eth0 eth1

-- give nothing.

I'm not 100% sure this is a Shorewall problem. I say that because once my PPPoE interface is up, I can't ping off the firewall unless I use source routing. That is --

ping www.aol.com

-- gives no results. BUT if I source route using the IP address bound to eth0 --

ping -I 12.x.x.x www.aol.com

-- ping works.

My current thinking is that when I turn on masquerading, my outgoing traffic is getting the source IP address of the ppp0 interface. That address is in network 10, so it is unroutable and my traffic is dropped by the far side of my PPPoE connection. Similarly, if I don't specifically tell the ping command to source route my traffic using a valid IP address, it defaults to the interface which faces my default route (again, ppp0) and my packets end up with a source address back in network 10.

Any advice on how to correct this problem?

Thanks,
David.
Tom Eastep
2003-Jul-24 09:38 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On Thu, 2003-07-24 at 08:39, David Casti wrote:
> Hello,
>
> I am trying to get Shorewall to provide masquerading over my PPPoE
> interface. I've looked through the Shorewall docs and archives, and can't
> find an example that quite matches my situation.
>
> I have a PPPoE session connected to the interface ppp0. This interface has
> an address in network 10. ppp0 is physically connected to eth0 which has an
> address in the 12.x.x.x/28 range. eth1 is connected to my internal network,
> which uses the 172.16.0/24 range.
>
> I have placed ppp0 in my interfaces file, and static NAT works --
>
> 12.x.x.x ppp0 172.16.0.59 Yes No
>
> -- however, a similar approach to masquerading doesn't work --
>
> ppp0 eth1
>
> -- and also --
>
> eth0 eth1
>
> -- give nothing.
>
> I'm not 100% sure this is a Shorewall problem. I say that because once my
> PPPoE interface is up, I can't ping off the firewall unless I use source
> routing.

With your pppoe interface started, what does "ip route ls" show?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jul-24 09:43 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On Thu, 2003-07-24 at 08:39, David Casti wrote:
> Hello,
>
> I am trying to get Shorewall to provide masquerading over my PPPoE
> interface. I've looked through the Shorewall docs and archives, and can't
> find an example that quite matches my situation.
>
> I have a PPPoE session connected to the interface ppp0. This interface has
> an address in network 10. ppp0 is physically connected to eth0 which has an
> address in the 12.x.x.x/28 range.

If eth0 has a public address, why do you need PPPoE -- with PPPoE, the ethernet interface usually has *NO* ip address.

-Tom
David Casti
2003-Jul-24 12:39 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On 7/24/03 12:38 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> If eth0 has a public address, why do you need PPPoE -- with PPPoE, the
> ethernet interface usually has *NO* ip address.

It is true that the PPPoE session works fine without a public IP, or any IP bound to eth0. However, to get the source routing thing to work, I had to bind a public IP address to eth0. Perhaps this just shows that I'm thinking about the problem in the wrong way. I've removed the public IP space from eth0, and just bound 10.0.0.1 for now. If it will simplify this debugging process, I can remove all IP addresses from eth0.

> With your pppoe interface started, what does "ip route ls" show?

10.2.56.9 dev ppp0 proto kernel scope link src 10.2.56.10
172.16.0.0/24 dev eth1 scope link
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1
127.0.0.0/8 dev lo scope link
default via 10.2.56.9 dev ppp0

Thanks,
David.
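A small diagnostic, added here as an example and not part of the thread or of Shorewall, that reads a routing table in the "ip route ls" format posted above, works out which source address the kernel will pick for the default route, and flags the case David describes: the ppp0 source sits in an RFC 1918 range, so replies to masqueraded traffic cannot come back. The private table is a constructed copy of the one posted; the public table is a constructed healthy case using TEST-NET placeholder addresses.

```shell
# Constructed copy of the "ip route ls" output David posted.
ROUTES_PRIVATE='10.2.56.9 dev ppp0 proto kernel scope link src 10.2.56.10
172.16.0.0/24 dev eth1 scope link
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1
127.0.0.0/8 dev lo scope link
default via 10.2.56.9 dev ppp0'
# Constructed healthy case: the provider put a public address on the ppp
# device (TEST-NET addresses stand in for real ones).
ROUTES_PUBLIC='203.0.113.1 dev ppp0 proto kernel scope link src 192.0.2.10
172.16.0.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 203.0.113.1 dev ppp0'

# Device named on the default route.
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Source the kernel prefers for the default route: its own "src" hint if
# present, else the "src" of the link route on the same device.
default_src() {
    printf '%s\n' "$1" | awk -v dev="$(default_dev "$1")" '
        { d = ""; s = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "dev") d = $(i + 1)
              if ($i == "src") s = $(i + 1) }
          if ($1 == "default" && s != "") def = s
          else if (d == dev && s != "" && link == "") link = s }
        END { print (def != "" ? def : link) }'
}

# Succeeds when ADDR lies in 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_rfc1918() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Fails (exit 1) when packets following the default route would leave with
# a private source, which the far end of the PPPoE link cannot route back.
check_egress_source() {
    dev=$(default_dev "$1"); src=$(default_src "$1")
    [ -n "$src" ] || { echo "no usable source address on the default route"; return 1; }
    if is_rfc1918 "$src"; then
        echo "default route via $dev sends from private source $src: SNAT to a public address needed"
        return 1
    fi
    echo "default route via $dev sends from public source $src"
}
```

On a live box, feed it `"$(ip route ls)"` instead of the embedded tables; a non-zero exit means masquerading will silently fail unless the ppp device gets a public address or an explicit SNAT source.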
John S. Andersen
2003-Jul-24 13:26 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On 24 Jul 2003 at 15:38, David Casti wrote:
> On 7/24/03 12:38 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> > If eth0 has a public address, why do you need PPPoE -- with PPPoE,
> > the ethernet interface usually has *NO* ip address.
>
> It is true that the PPPoE session works fine without a public IP, or
> any IP bound to eth0. However, to get the source routing thing to
> work, I had to bind a public IP address to eth0. Perhaps this just
> shows that I'm thinking about the problem in the wrong way. I've
> removed the public IP space from eth0, and just bound 10.0.0.1 for
> now. If it will simplify this debugging process, I can remove all IP
> addresses from eth0.

In two different releases of SuSE the recommendation on attaching an IP to the nic used for PPPoE changed from Don't Assign any (SuSE 7.1-7.3) to Assign any PRIVATE Static IP (SuSE 8.1-8.2).

This whole area is a huge mystery to me, and I suspect PPPoE works via some shady dodge that no one wants to document. ;-)

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
Tom Eastep
2003-Jul-24 13:30 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On Thu, 2003-07-24 at 12:38, David Casti wrote:
> On 7/24/03 12:38 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> > If eth0 has a public address, why do you need PPPoE -- with PPPoE, the
> > ethernet interface usually has *NO* ip address.
>
> It is true that the PPPoE session works fine without a public IP, or any IP
> bound to eth0. However, to get the source routing thing to work, I had to
> bind a public IP address to eth0. Perhaps this just shows that I'm thinking
> about the problem in the wrong way. I've removed the public IP space from
> eth0, and just bound 10.0.0.1 for now. If it will simplify this debugging
> process, I can remove all IP addresses from eth0.
>
> > With your pppoe interface started, what does "ip route ls" show?
>
> 10.2.56.9 dev ppp0 proto kernel scope link src 10.2.56.10
> 172.16.0.0/24 dev eth1 scope link
> 10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1
> 127.0.0.0/8 dev lo scope link
> default via 10.2.56.9 dev ppp0

I would remove the IP from eth0 entirely to avoid any confusion over overlapping routes.

Since your firewall deals with nothing but RFC 1918 addresses, be sure that 'norfc1918' isn't specified on any of your interfaces.

Start your PPPOE, "shorewall clear" and verify that you can access the internet from your firewall box. Now start shorewall:

a) Can you access the internet from the firewall box?
b) Can you access the internet from systems behind the firewall?

-Tom
David Casti
2003-Jul-24 17:26 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On 7/24/03 4:29 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> Since your firewall deals with nothing but RFC 1918 addresses, be sure
> that 'norfc1918' isn't specified on any of your interfaces.

Verified. "norfc1918" is not present on any interface in the interfaces file.

> Start your PPPOE, "shorewall clear" and verify that you can access the
> internet from your firewall box.

I cannot. However, I did more research into iptables, and once I have shorewall running, if I bind a static IP address to eth0 and then issue the command --

iptables -t nat -A nat_out -j SNAT --to-source 12.x.x.x

-- everything works properly through the firewall.

How can I configure Shorewall to issue the equivalent of this iptables command at the end of the NAT process?

Thanks,
David.
Tom Eastep
2003-Jul-24 17:30 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On Thu, 24 Jul 2003 20:26:08 -0400, David Casti <david@neosynapse.net> wrote:
>
>> Start your PPPOE, "shorewall clear" and verify that you can access the
>> internet from your firewall box.
>
> I cannot.

Then your PPPoE environment is screwed up -- fix that.

>
> However, I did more research into iptables, and once I have shorewall
> running, if I bind a static IP address to eth0 and then issue the command
> --
>
> iptables -t nat -A nat_out -j SNAT --to-source 12.x.x.x
>

Where does this mysterious 12.x.x.x address come from?

> -- everything works properly through the firewall.
>
> How can I configure Shorewall to issue the equivalent of this iptables
> command at the end of the NAT process?

There is something terribly wrong with your PPPoE setup -- I'm not going to help you put a bandaid on it via Shorewall because you will just run into other problems later.

-Tom
David Casti
2003-Jul-24 18:07 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On 7/24/03 8:30 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>> iptables -t nat -A nat_out -j SNAT --to-source 12.x.x.x
>>
>
> Where does this mysterious 12.x.x.x address come from?

I have a block of static IP addresses from my PPPoE provider, in the 12 network. My apologies if my earlier messages were unclear on that point.

> There is something terribly wrong with your PPPoE setup

I thought this problem might fall outside of the scope of the Shorewall discussion group. Thank you for your responses today.

David.
Tom Eastep
2003-Jul-25 06:45 UTC
[Shorewall-users] Help request: Shorewall + PPPOE + Masquerading
On Thu, 2003-07-24 at 18:06, David Casti wrote:
> > There is something terribly wrong with your PPPoE setup
>
> I thought this problem might fall outside of the scope of the Shorewall
> discussion group. Thank you for your responses today.

If you hit a dead-end trying to get PPPoE to assign one of your public IPs to the ppp device then let me know and we'll see if we can hack around the problem.

-Tom