I am setting up to migrate to providing my own PPPoE router, and I am starting (information wise) pretty much from scratch.

My ISP says that once he configs the ADSL router to bridge mode, my router (running Centos 5.2 btw) will need to use pppoe to connect and get the IPv4 address block and IPv6 prefix. I am NOT supposed to configure any addresses for the ethernet interface connected to the bridge; those addresses (v4 and v6) will be assigned during the PPPoE negotiation.

Further I am going to set up static IPv4 routes for the internal interface.

Shorewall's part in all of this is to set up the IPv4 iptables to protect the router from connections and to stop basic nonsense attacks. IPv6 will be done separately.

The lack of an IP address on the pppoe interface should not be a problem, correct? The interface file just refers to the interface name (e.g. eth0) and I can stay away from IP addresses in the rules.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Normally, when a provider gives you a router in bridge mode, there is no need to use pppoe due to the fact that there is no need to dial, but to connect statically with a given ip address. Your neighbor will be the provider edge instead of the customer premises equipment.

When you do pppoe, your wan interface should be ppp0 instead of eth0, but it has to be connected to an eth interface. If there is no ip address configured on your wan interface, it is - from my side - not really possible to route or to establish a default route.

I am working with an internet provider in Europe and I do not know any European country where you get a provider's bridge configured router and have a need to configure another (own) router with pppoe client.

If it is really as you say, you will (normally) get an ip address assigned to your ppp interface. In this case shorewall has to know it. For example

net ppp0

This is an example for your Shorewall/interfaces.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Robert Moskowitz
Sent: Wednesday, 2 July 2008 21:24
To: Shorewall Users
Subject: [Shorewall-users] Setting up shorewall and PPPoE
Thanks for responding.

Michael Weickel - iQom Business wrote:
> Normally, when a provider gives you a router in bridge mode, there is no
> need to use pppoe due to the fact that there is no need to dial, but to
> connect statically with a given ip address. Your neighbor will be the provider
> edge instead of the customer premises equipment.

But it won't be static. I have to get his negotiation for the IP address for that interface:

"Basically you start pppoe, I give you the username and password for it, and then I set the router to passthrough modem mode, and you initiate the PPPoE session directly with my LNS back here. You'll get a dynamic IP on the dsl side (which is normal) and then you just set up your static routes in the linux box as normal. My LNS automatically routes your traffic to the IP it randomly assigns to the DSL link. Once we verify that IP6CP is up, I can assign you a /48 and you can rock out with that however you want."

> When you do pppoe, your wan interface should be ppp0 instead of eth0, but it
> has to be connected to an eth interface.

That is just an alias change in modprobe.conf, correct?

> If there is no ip address configured on your wan interface, it is - from my
> side - not really possible to route or to establish a default route.

See quote from my ISP, above.

> I am working with an internet provider in Europe and I do not know any
> European country where you get a provider's bridge configured router and have
> a need to configure another (own) router with pppoe client.
>
> If it is really as you say, you will (normally) get an ip address assigned
> to your ppp interface. In this case shorewall has to know it. For example
>
> net ppp0
>
> This is an example for your Shorewall/interfaces.

I got that for the interfaces file.
In your case the provider router did not act as a bridge, but as a modem. For that you have to use pppoe. If it is a bridge it has to be normal routing.

The ppp interface is regularly assigned by your ppp daemon. It depends on your linux distribution - sometimes it is already included, sometimes you have to get it. PPP will negotiate an ip address which will be dynamically assigned to your ppp0. If you ever want to get connected from the internet to your ADSL, you have to connect to that ip address. If you go outside, this will be your source address.

So if you have already set up your Shorewall/interfaces, go on with masq, policy, zones, Shorewall.conf and maybe rules and you can start to connect to the www. All else you have to do is to set up your pppoe client.

Sometimes you have to drop down your standard mtu from 1500 to a lesser value to work correctly with dsl. 1456 will be a good value if you have any problems with 1500.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Robert Moskowitz
Sent: Wednesday, 2 July 2008 22:29
To: Shorewall Users
Subject: Re: [Shorewall-users] Setting up shorewall and PPPoE
Michael Weickel - iQom Business wrote:
> In your case the provider router did not act as a bridge, but as a modem.

It will be functioning as an IEEE 802.1 bridge (I work on 802 standards). Otherwise, PPPoE traffic would not traverse it.

> For that you have to use pppoe. If it is a bridge it has to be normal
> routing.

Well, being a standards guy, bridging is at layer 2, IEEE 802.1. No routing is done at layer 2, only forwarding (802.1D and good old spanning bridges). Routing is at the IP layer (layer 3), and that we are turning off, as the box he has to use does not support IPv6 (not much of a surprise there!).

> The ppp interface is regularly assigned by your ppp daemon. It depends on
> your linux distribution - sometimes it is already included, sometimes you
> have to get it.

Centos 5.2. It is there. Supposedly all I have to do is run pppoe and have it invoke pppd for me.

> PPP will negotiate an ip address which will be dynamically assigned to your
> ppp0. If you ever want to get connected from the internet to your ADSL, you
> have to connect to that ip address. If you go outside, this will be your
> source address.

Well, not quite. I get a /26 allocation in IPv4. No NATing for me (so speaks one of the RFC 1918 authors).

> So if you have already set up your Shorewall/interfaces, go on with masq,
> policy, zones, Shorewall.conf and maybe rules and you can start to connect
> to the www. All else you have to do is to set up your pppoe client.

No masq. Everything else I am working on.

> Sometimes you have to drop down your standard mtu from 1500 to a lesser value
> to work correctly with dsl. 1456 will be a good value if you have any problems
> with 1500.

I see this for the pppoe.conf file setup.
Robert Moskowitz wrote:
> I am setting up to migrate to providing my own PPPoE router, and I am
> starting (information wise) pretty much from scratch.
>
> My ISP says that once he configs the ADSL router to bridge mode, my
> router (running Centos 5.2 btw) will need to use pppoe to connect and
> get the IPv4 address block and IPv6 prefix. I am NOT supposed to
> configure any addresses for the ethernet interface connected to the
> bridge; those addresses (v4 and v6) will be assigned during the PPPoE
> negotiation.
> ...
> The lack of an IP address on the pppoe interface should not be a
> problem, correct? The interface file just refers to the interface name
> (e.g. eth0) and I can stay away from IP addresses in the rules.

From the way you've described things, it sounds to me like you will, in fact, have an IP address on the PPPoE interface (pppX or dslX as it is on SUSE), just not on the Ethernet interface (ethX). I ran my firewalls like this for quite some time and Shorewall had no issues with it, although I eventually found that it was more convenient to run an RFC1918 IP address on the Ethernet interface so that I could configure the modem. The trick is to ensure that any traffic coming in on the Ethernet interface is treated just like any coming in on the PPP interface, which you can handle in the hosts file.

Paul
Paul Gear wrote:
> Robert Moskowitz wrote:
>
>> I am setting up to migrate to providing my own PPPoE router, and I am
>> starting (information wise) pretty much from scratch.
>>
>> My ISP says that once he configs the ADSL router to bridge mode, my
>> router (running Centos 5.2 btw) will need to use pppoe to connect and
>> get the IPv4 address block and IPv6 prefix. I am NOT supposed to
>> configure any addresses for the ethernet interface connected to the
>> bridge; those addresses (v4 and v6) will be assigned during the PPPoE
>> negotiation.
>> ...
>> The lack of an IP address on the pppoe interface should not be a
>> problem, correct? The interface file just refers to the interface name
>> (e.g. eth0) and I can stay away from IP addresses in the rules.
>
> From the way you've described things, it sounds to me like you will, in
> fact, have an IP address on the PPPoE interface (pppX or dslX as it is
> on SUSE), just not on the Ethernet interface (ethX).

Duh. It all makes sense now. And considering the years that I worked on these standards, to actually have to configure them myself, that sure took long enough :)

> I ran my firewalls like this for quite some time and Shorewall had no
> issues with it, although I eventually found that it was more convenient
> to run an RFC1918 IP address on the Ethernet interface so that I could
> configure the modem. The trick is to ensure that any traffic coming in
> on the Ethernet interface is treated just like any coming in on the PPP
> interface, which you can handle in the hosts file.

I would ASSuME that there will be no IP traffic on eth0 to worry about IP addresses. Shouldn't be; it will all be PPP data frames. Of course. And all the IP traffic is coming within PPP, and thus define ppp0 as the external interface in Shorewall. In fact, I SHOULD have an eth0 interface configured for Shorewall, along with the ppp0 interface. And any IP traffic it intercepts is badness from my ISP.

Shorewall just maintains IPtables, not also NETtables (there is such a thing?).

And I DO have rfc1918 addresses around. For the family computers, for my VoIP devices (talking to my PBX that has an rfc1918 interface and a public addressed interface), for infrastructure devices, and for some test gear. I have passed 20 systems here in my home. If I add all the special units with addresses it goes over 30.
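The configuration the thread converges on, pulled together as an added example (it is not from the thread or from the Shorewall project): Michael's `net ppp0` interfaces entry, Paul's hosts-file trick for treating stray IP traffic on the modem-facing Ethernet port as untrusted, and Robert's points that there is no masquerading (the /26 is routed) and that eth0 itself carries only PPPoE frames. It assumes the classic whitespace-separated Shorewall 4.x file layout, that the LAN interface is eth1 (the thread never names it), and uses 192.0.2.0/26 as a placeholder for the routed block; the /etc/shorewall/shorewall.conf lines are only the settings relevant here, not a whole file.

```text
# Added example, not the thread's or Shorewall's own configuration.
# IPv4 only, as the thread says IPv6 is handled separately.
#   ppp0 - external interface; address negotiated by PPPoE, none configured
#   eth0 - port toward the bridged ADSL modem; carries PPPoE frames, no IP
#   eth1 - LAN holding the routed /26 (assumed interface name)
# File layout assumes Shorewall 4.x; check `shorewall version` on the box.

# /etc/shorewall/zones
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0 gets zone "-": its zone membership is assigned in the hosts file.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs,routefilter,logmartians
-       eth0        -
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/hosts
# Paul's trick: any plain IP packet arriving on eth0 (there should be none,
# only PPPoE frames) is treated exactly like traffic from the net zone and
# therefore hits the net DROP policy below and gets logged.
#ZONE   HOST(S)             OPTIONS
net     eth0:0.0.0.0/0

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
Ping(ACCEPT)    net     $FW

# No /etc/shorewall/masq entries: the ISP's LNS routes the /26
# (placeholder 192.0.2.0/26) to the address negotiated on ppp0, so
# hosts on eth1 use their public addresses unchanged.

# /etc/shorewall/shorewall.conf (relevant settings only)
IP_FORWARDING=On
# Rewrite the MSS of forwarded TCP SYNs to fit the reduced PPPoE MTU,
# so hosts behind the router do not depend on the smaller MTU being
# discovered end to end.
CLAMPMSS=Yes
```

Two things worth checking once pppd has brought ppp0 up: `ip -4 addr show dev eth0` should list no inet address while ppp0 has the negotiated one, and the Shorewall log should stay quiet for eth0; any logged DROP with `IN=eth0` is exactly the "badness from my ISP" Robert expects to see, because the hosts entry maps it into the net zone.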