On Thu, 2008-10-16 at 04:43 -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:29:04PM +1000, Da Rock wrote:
> > 
> > On Thu, 2008-10-16 at 06:54 -0400, Michael Powell wrote:
> > > Da Rock wrote:
> > > 
> > > [snip] 
> > > > I'm assuming the problem with double nat'ing is the confusion in packet
> > > > traffic. So if the OP is using his ADSL modem to connect to the net,
> > > > then it could be safe to assume the public IP would be to the modem
> > > > itself, and not his box (barring the possible use of USB), so then the
> > > > nat'ing would already be done. Therefore, the best and easiest way would
> > > > be to simply bridge his interfaces, correct? Less overheads, etc, plus
> > > > simplicity of setup.
> > > >
> > > 
> > > There is another option, a variant of which I use. My el cheapo deluxe DSL
> > > modem has really crappy broken firewall and DNS implementations. Wireshark
> > > showed Windows Messenger service spam leaking past and as soon as I saw
> > > that I assumed it was probably the tip of the iceberg.
> > > 
> > > You can also bridge the modem (disabling its NAT as well). In a fully
> > > bridged configuration your FreeBSD gateway will have to perform PPPoE
> > > handshake and login as well.
> > > 
> > 
> > Setting up the modem itself this way can be tricky at times, depending
> > on the model and the service. One gotcha with this method can be if your
> > ISP is using heartbeat, and so you'll have to either script yourself or
> > find one that suits.
> > 
> > > I use a second option called split-bridge, which they have named "IP
> > > Passthrough". This allows the DSL modem to be responsible for the PPPoE
> > > session. It works by passing the WAN public IP to the Internet facing NIC
> > > in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
> > > outside NIC is ifconfig_xl0="DHCP". It gets assigned whatever IP Verizon
> > > sends.
> > > 
> > 
> > Is this also called IP spoofing?
> No, this is **NOT** IP spoofing.
> What Michael's describing is a feature many DSL modems offer.  There is
> no official term for what it is, since DSL modems are supposed to be
> bridges (layer 2 devices), but in fact this feature causes the modem to
> act like something that sits between layer 2 and layer 3 -- yet is not a
> router.  Different modems call it something different.
> If you enable this feature, what happens is this:
> The modem requires you to access its administrative web page.  You
> insert your PPPoE Username and Password (which it saves to
> NVRAM/EEPROM), and click Connect.  The DSL modem then continues to do
> the PPPoE encapsulation, so that your FreeBSD box, Windows box, or
> whatever (that's connected to the DSL modem on the LAN port) does not
> have to.
> The modem is given an IP address as part of the PPPoE hand-off.  That IP
> address is, of course, a public Internet IP.  The modem also enables use
> of a DHCP server, so that a machine connected to its LAN port can do a
> DHCP request and get an IP address -- but here's the kicker.
> The IP address the modem returns to the machine on the LAN is the
> public IP address the ISP gave the modem via PPPoE.
> "So how does this work?"  All network I/O between the LAN port and
> the modem itself is done at layer 2 past that point -- meaning, the
> modem acts "almost purely" as a bridge from that point forward: but
> it still does the PPPoE encapsulation for you.  So, like I said,
> the modem acts like a device that sits between layer 2 and layer 3.
> Does this make more sense?
> The reason this feature is HIGHLY desired is because not all PPPoE
> implementations are compatible with an ISP's implementation.  It is
> *always* best to use whatever equipment they give you or guarantee
> works with them; using your own, or some other PPPoE daemon/method,
> can result in lots of trouble.
> I've personally used this method, I might add.  I can give you
> reference material on how to set it up and use it, over at
> dslreports.com.  Lots of DSL modems these days offer said feature.

Ok, that explains it. The IP spoofing term comes from the Alcatel
SpeedTouch systems used by Telstra in Oz. If there is no official term
for it then that's why they've decided to call it that, right or wrong.
They use firmware updates to enable this feature or others, which can be
botched easily, so for reference copy the original firmware as a backup
if possible!

It certainly would save trouble with their equipment because of the
heartbeat feature. Sounds very cool...
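The practical difference between the setups discussed in this thread is what address the FreeBSD box's outside NIC ends up holding: with IP passthrough (split bridge) the DHCP lease carries the ISP-assigned public address, whereas with the modem still NATing the NIC gets an RFC 1918 address and you are double-NATed. The following POSIX sh script is an added example and not part of the thread or of any FreeBSD tool; it classifies an IPv4 address and reports which situation the WAN interface is in. The interface name `xl0` is taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether the outside NIC received a public address
# (IP passthrough / split bridge) or a private one (modem still NATing).

# Returns 0 when the address cannot be a globally routable public address,
# 1 when it is public, 2 when the input is not a valid dotted quad.
is_private_ipv4() {
    ip=$1
    # Split the dotted quad into octets on '.'.
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 2
    a=$1; b=$2; c=$3; d=$4
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*) return 2 ;;
        esac
        [ "$o" -le 255 ] || return 2
    done
    # RFC 1918 private ranges
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    # RFC 6598 carrier-grade NAT: the ISP itself is NATing upstream
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0
    # Loopback and link-local: no usable DHCP lease at all
    [ "$a" -eq 127 ] && return 0
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 0
    return 1
}

# Print a one-word verdict followed by what it means for the gateway.
describe_wan_address() {
    rc=0
    is_private_ipv4 "$1" || rc=$?
    case $rc in
        0) echo "private: modem is still NATing, this is double NAT" ;;
        1) echo "public: ISP address handed through, passthrough is active" ;;
        *) echo "invalid: '$1' is not an IPv4 address" ;;
    esac
}

# Read the first IPv4 address on an interface (FreeBSD ifconfig output).
wan_address_of() {
    ifconfig "$1" inet 2>/dev/null | awk '/inet /{print $2; exit}'
}

main() {
    iface=${1:-xl0}   # xl0 is the outside NIC named in the thread
    addr=$(wan_address_of "$iface")
    if [ -z "$addr" ]; then
        echo "$iface has no IPv4 address (no DHCP lease yet?)"
        return 1
    fi
    echo "$iface: $addr -> $(describe_wan_address "$addr")"
}

# Only probe a real interface when one is named on the command line.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it as `sh check_wan.sh xl0` on the gateway; a "private" verdict means the modem's own NAT is still in the path and the passthrough (or bridge) setting has not taken effect, which is worth confirming before writing pf NAT rules that assume the box holds the public address.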

freebsd-questions@freebsd.org mailing list