Possibly OT since this may or may not involve Shorewall - it largely depends on what I can get to work!

I need to set up a router on an ADSL line where multiple IPs are provided by the ISP.

Hardware wise, we'd probably use a Linksys WRT54GL running OpenWRT and a Draytek Vigor 120 modem - we've used these before, but hardware is largely "whatever will do the job". But, the IP provided by the ISP to the PPPoE client is one of those AND all the connected devices must be on public IPs - so I need some sort of "bridged" setup.

Eg, the customer's allocation is 192.0.2.0/27, 192.0.2.1 is given to the PPP client by the ISP, and the attached devices must be on 192.0.2.2/27 and so on (each device is a router/firewall itself). The end result we need is that we present an ethernet port where the attached devices only need to know that 192.0.2.1/27 is the gateway.

This seems to be the most common setup supplied by UK ADSL providers. It's not been a problem where everything is NATted, but we're really struggling to find a setup that works reliably without NAT.

AFAICT, because the upstream is a PPP link, bridges and proxy-ARP are out.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Simon Matter
2011-Sep-06 09:17 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
> Possibly OT since this may or may not involve Shorewall - it largely
> depends on what I can get to work!
>
> I need to set up a router on an ADSL line where multiple IPs are
> provided by the ISP.
>
> Hardware wise, we'd probably use a Linksys WRT54GL running OpenWRT
> and a Draytek Vigor 120 modem - we've used these before, but hardware
> is largely "whatever will do the job". But, the IP provided by the
> ISP to the PPPoE client is one of those AND all the connected devices
> must be on public IPs - so I need some sort of "bridged" setup.
>
> Eg, the customer's allocation is 192.0.2.0/27, 192.0.2.1 is given to
> the PPP client by the ISP, and the attached devices must be on
> 192.0.2.2/27 and so on (each device is a router/firewall itself). The
> end result we need is that we present an ethernet port where the
> attached devices only need to know that 192.0.2.1/27 is the gateway.
>
> This seems to be the most common setup supplied by UK ADSL providers.
> It's not been a problem where everything is NATted, but we're really
> struggling to find a setup that works reliably without NAT.
>
> AFAICT, because the upstream is a PPP link, bridges and proxy-ARP are out.

I'm afraid I don't really understand all details and also I don't have any experience with ADSL/PPPoE stuff. But I have something using Cable here which looks a bit similar so maybe you could try like so:

on the firewall:
ppp0 is 192.0.2.1/32
eth0 is 192.168.1.1/24
default gw is via ppp0 (don't know exactly how this looks like with ppp)

then do proxyarp with shorewall on the firewall:
192.0.2.2 eth0 ppp0
192.0.2.3 eth0 ppp0
192.0.2.4 eth0 ppp0

now connect clients to eth0 and configure them like this (yes, I know "ip" is there...):

ifconfig eth0:
eth0      Link encap:Ethernet  HWaddr 00:5C:A4:4D:81:5A
          inet addr:192.0.2.2  Bcast:192.0.2.2  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0

Sorry if this is completely nonsense for what you try to do :)

Simon
Simon Hobson
2011-Sep-06 11:45 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
Simon Matter wrote:
> I'm afraid I don't really understand all details and also I don't have any
> experience with ADSL/PPPoE stuff. But I have something using Cable here
> which looks a bit similar so maybe you could try like so:
>
> on the firewall:
> ppp0 is 192.0.2.1/32
> eth0 is 192.168.1.1/24
> default gw is via ppp0 (don't know exactly how this looks like with ppp)
>
> then do proxyarp with shorewall on the firewall:
> 192.0.2.2 eth0 ppp0
> 192.0.2.3 eth0 ppp0
> 192.0.2.4 eth0 ppp0
>
> now connect clients to eth0 and configure them like this (yes, I know "ip"
> is there...):
>
> ifconfig eth0:
> eth0      Link encap:Ethernet  HWaddr 00:5C:A4:4D:81:5A
>           inet addr:192.0.2.2  Bcast:192.0.2.2  Mask:255.255.255.255
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> route -n:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
>
> Sorry if this is completely nonsense for what you try to do :)

Yes it's what I'm trying to do, but from the reading I've done I'm not sure it'll work - and there's another restriction that comes into play as well.

The first issue is whether proxyarp works over a PPP link - I'm guessing on your cable connection you just get IP packets over ethernet? From what I've found, proxy-arp only works on ethernet-like interfaces, not PPP which doesn't have MAC addresses.

The other restriction is that we cannot (in the specific case I'm needing to solve at the moment) change the config on some of the clients. Some of them are secure gateways, and getting even a simple change done requires change management procedures and a new security audit.

Lastly, if done as you suggest, does this allow clients to talk to each other? Eg, can 192.0.2.2 and 192.0.2.3 communicate using those addresses?

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Tom Eastep
2011-Sep-06 13:19 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
On Tue, 2011-09-06 at 12:45 +0100, Simon Hobson wrote:
> Simon Matter wrote:
>
> >I'm afraid I don't really understand all details and also I don't have any
> >experience with ADSL/PPPoE stuff. But I have something using Cable here
> >which looks a bit similar so maybe you could try like so:
> >
> >on the firewall:
> >ppp0 is 192.0.2.1/32
> >eth0 is 192.168.1.1/24
> >default gw is via ppp0 (don't know exactly how this looks like with ppp)
> >
> >then do proxyarp with shorewall on the firewall:
> >192.0.2.2 eth0 ppp0
> >192.0.2.3 eth0 ppp0
> >192.0.2.4 eth0 ppp0
> >
> >now connect clients to eth0 and configure them like this (yes, I know "ip"
> >is there...):
> >
> >ifconfig eth0:
> >eth0      Link encap:Ethernet  HWaddr 00:5C:A4:4D:81:5A
> >          inet addr:192.0.2.2  Bcast:192.0.2.2  Mask:255.255.255.255
> >          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >
> >route -n:
> >Kernel IP routing table
> >Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
> >
> >Sorry if this is completely nonsense for what you try to do :)
>
> Yes it's what I'm trying to do, but from the reading I've done I'm
> not sure it'll work - and there's another restriction that comes into
> play as well.
>
> The first issue is whether proxyarp works over a PPP link

It does not.

> I'm guessing on your cable connection you just get IP packets over
> ethernet? From what I've found, proxy-arp only works on
> ethernet-like interfaces, not PPP which doesn't have MAC addresses.
>
> The other restriction is that we cannot (in the specific case I'm
> needing to solve at the moment) change the config on some of the
> clients. Some of them are secure gateways, and getting even a simple
> change done requires change management procedures and a new security
> audit.
>
> Lastly, if done as you suggest, does this allow clients to talk to
> each other? Eg, can 192.0.2.2 and 192.0.2.3 communicate using those
> addresses?
>

Simon (Hobson),

The ISP is going to route all of the addresses via the pppoe address. So simply use that same address as the firewall's local LAN address (assuming that it is in the same IP network) and you're all set.

You're making this harder than it really is.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Simon Hobson
2011-Sep-06 13:50 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
Tom Eastep wrote:
> The ISP is going to route all of the addresses via the pppoe address. So
> simply use that same address as the firewall's local LAN address
> (assuming that it is in the same IP network) and you're all set.

Ah, so there'll be no problem having eth0 as 192.0.2.1 AND ppp0 as the same address?

> You're making this harder than it really is.

Very probably! But then everything I find seems to make it look so :(

I'll give it a whirl when the spare box arrives, no matter how many we buy, they will keep selling the spare :-/

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Simon Matter
2011-Sep-06 14:18 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
> Simon Matter wrote:
>
>>I'm afraid I don't really understand all details and also I don't have
>> any
>>experience with ADSL/PPPoE stuff. But I have something using Cable here
>>which looks a bit similar so maybe you could try like so:
>>
>>on the firewall:
>>ppp0 is 192.0.2.1/32
>>eth0 is 192.168.1.1/24
>>default gw is via ppp0 (don't know exactly how this looks like with ppp)
>>
>>then do proxyarp with shorewall on the firewall:
>>192.0.2.2 eth0 ppp0
>>192.0.2.3 eth0 ppp0
>>192.0.2.4 eth0 ppp0
>>
>>now connect clients to eth0 and configure them like this (yes, I know
>> "ip"
>>is there...):
>>
>>ifconfig eth0:
>>eth0      Link encap:Ethernet  HWaddr 00:5C:A4:4D:81:5A
>>          inet addr:192.0.2.2  Bcast:192.0.2.2  Mask:255.255.255.255
>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>
>>route -n:
>>Kernel IP routing table
>>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
>>
>>Sorry if this is completely nonsense for what you try to do :)
>
> Yes it's what I'm trying to do, but from the reading I've done I'm
> not sure it'll work - and there's another restriction that comes into
> play as well.
>
> The first issue is whether proxyarp works over a PPP link - I'm
> guessing on your cable connection you just get IP packets over
> ethernet? From what I've found, proxy-arp only works on
> ethernet-like interfaces, not PPP which doesn't have MAC addresses.

What I meant is that the arp entry used for the proxyarp is set on the eth0 interface.

>
> The other restriction is that we cannot (in the specific case I'm
> needing to solve at the moment) change the config on some of the
> clients. Some of them are secure gateways, and getting even a simple
> change done requires change management procedures and a new security
> audit.
>
> Lastly, if done as you suggest, does this allow clients to talk to
> each other? Eg, can 192.0.2.2 and 192.0.2.3 communicate using those
> addresses?

Yes, at least it works for me.

Simon
Tom Eastep
2011-Sep-06 14:29 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
On Tue, 2011-09-06 at 14:50 +0100, Simon Hobson wrote:
> Tom Eastep wrote:
>
> >The ISP is going to route all of the addresses via the pppoe address. So
> >simply use that same address as the firewall's local LAN address
> >(assuming that it is in the same IP network) and you're all set.
>
> Ah, so there'll be no problem having eth0 as 192.0.2.1 AND ppp0 as
> the same address?

None at all -- I do that regularly.

>
> >You're making this harder than it really is.
>
> Very probably! But then everything I find seems to make it look so :(
>
> I'll give it a whirl when the spare box arrives, no matter how many
> we buy, they will keep selling the spare :-/
>

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Simon Hobson
2011-Sep-09 07:04 UTC
Re: Multiple public IPs, same IP in LAN and PPPoE client ?
Tom Eastep wrote:
> The ISP is going to route all of the addresses via the pppoe address. So
> simply use that same address as the firewall's local LAN address
> (assuming that it is in the same IP network) and you're all set. You're
> making this harder than it really is.

Yup - got to test this out, and it does indeed "just work" :-/

Strange that everywhere I looked, all I could find were "complicated" setups!

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
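The layout Tom describes (192.0.2.1 on both ppp0 and eth0, the ISP routing the whole /27 to the PPPoE address) works because of plain longest-prefix routing. The model below is an added example, not code from the thread or from Shorewall; it uses the thread's example allocation and assumes the firewall's routing table consists of just the pppd default route and the connected route that eth0's 192.0.2.1/27 creates. It also answers the "can 192.0.2.2 talk to 192.0.2.3" question: both sit in the same /27 on the same Ethernet, so that traffic never touches the firewall.

```python
import ipaddress

# Constructed from the thread's example: the customer's block and the
# address the ISP hands to the PPP client, which the firewall reuses on eth0.
ALLOCATION = ipaddress.ip_network("192.0.2.0/27")
GATEWAY = ipaddress.ip_address("192.0.2.1")

# The firewall's routing table as `ip route` would list it (assumed, minimal):
#   default dev ppp0          point-to-point route installed by pppd
#   192.0.2.0/27 dev eth0     connected route from eth0's 192.0.2.1/27
#   192.0.2.1/32 local        the firewall's own address, held on both ifaces
FIREWALL_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
    (ALLOCATION, "eth0"),
    (ipaddress.ip_network("192.0.2.1/32"), "local"),
]


def egress(dst, routes=FIREWALL_ROUTES):
    """Longest-prefix match: the interface the firewall would use for dst."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, dev) for net, dev in routes if dst in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def client_hosts(block=ALLOCATION, gateway=GATEWAY):
    """Addresses the attached devices may use: the block's hosts minus the gateway."""
    if gateway not in block:
        raise ValueError("gateway must lie inside the ISP allocation")
    return [a for a in block.hosts() if a != gateway]


def path(src, dst):
    """Where a packet from src to dst travels in this layout.

    Packets not sourced from the LAN are assumed to arrive over ppp0."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lan = client_hosts()
    if src in lan and dst in lan:
        # Same /27 on the same segment: the devices ARP for each other
        # directly and the firewall never forwards the packet.
        return "direct"
    if src in lan:
        return "eth0->" + egress(dst)   # LAN device out to the Internet
    return "ppp0->" + egress(dst)       # arriving from the ISP over PPPoE


if __name__ == "__main__":
    for s, d in [("192.0.2.2", "192.0.2.3"), ("192.0.2.2", "198.51.100.7"),
                 ("198.51.100.7", "192.0.2.5"), ("198.51.100.7", "192.0.2.1")]:
        print(f"{s} -> {d}: {path(s, d)}")
```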