OK, the subject says a lot... but, I have been fooling around with
this special setup for a few weeks and I am running
out of hair (to pull out).
I am trying to run four (4) simultaneous PPPoE sessions
that each get a fixed Public IP - and NAT translated each
to a distinct Inside NIC port. This will allow me to
isolate each inside Network (via NAT) to a unique
Public IP.
------------------
I have a DSL Line into a building near here, running
at 5Mbs down / 640kbs up and it works fine.
I have an OpenBSD 4.0 (i386) running as a well-functioning PPPoE
Gateway and it does a nice job on each PPPoE *INDIVIDUAL* session
that I bring up (e.g., ppp -ddial pppoe0, ..1, ..2, ..3, etc.)
from /etc/rc.local, or manually right now while testing.
Each of the pppoe entries in my /etc/ppp/ppp.conf file has a
unique username and is associated with a unique (fixed IP) address
that has been assigned. I can cause each pppoe instance to
authenticate and give me an IP (with Gateway & DNS assigned
as expected) to each tun(n) device - starting
with tun0...through tun3. Again, as expected.
-------- Here is almost exactly what I have in the ppp.conf
(Obviously I have modified the username/password & such.)
pppoe0:
 # bring up a PPPoE session on xl0; "-n Any" accepts any access concentrator
 set device "!/usr/sbin/pppoe -n Any -i xl0"
 disable acfcomp protocomp
 deny acfcomp
 # PPPoE needs 8 bytes of the 1500-byte Ethernet MTU for its own header
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname [EMAIL PROTECTED]
 set authkey XXXXXXXXXXXX
 # only this session installs the system default route
 add! default HISADDR
 enable dns
 enable mssfixup
pppoe1:
 set device "!/usr/sbin/pppoe -n Any -i xl0"
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname [EMAIL PROTECTED]
 set authkey XXXXXXXXXXXX
 # no default route here; the one from pppoe0 stays in place
 # add! default HISADDR
 enable dns
 enable mssfixup
pppoe2:
 . same as above, but different username
 . to get a different public (fixed) IP
 .
pppoe3:
 . as previous, but different username
 . to get a different public (fixed) IP
 .
------------------------- end of ppp.conf example
The above ppp.conf entries are activated from /etc/rc.local
(at the beginning) with this kind of entry (below)
for each instance:
-----------------------
echo -n ' PPPoE0 - '
ppp -ddial pppoe0
sleep 20
echo
.
.
.
# ...until all four (4) have completed.
# (This works, of course)
---------------
What I can't grok is just how to cleanly and correctly
convince 'pf' to NAT each of these tun(n) connections
through to their companion (inside Net) NICs. These
are on a 4-Port DFE-570 card, working fine...with each
port ifconfig'd to have a unique NAT addr range. E.g.,
Port0(dc0) gets 192.168.0.1/24
Port1(dc1) gets 192.168.1.1/24
Port2(dc2) gets 192.168.2.1/24
and
Port3(dc3) gets 192.168.3.1/24
as desired NAT ranges on the Inside.
I need to be able to have all four (4) of these NICs
*translating and routing* to/from the public IP's that
are assigned to each tun(n) resulting from the pppoe(n)
sessions.
I can get any one of them to work, transferring data fine
(I'm using it right now), but the other three just don't
offer a route to / or through the Public IP that is
assigned to subsequent tun(n)'s ... via pppoe.
-------------------------------------------------------
Here is (hopefully) a helpful illustration...

(ZyXel 660, Bridge Mode)
GIANT_TELCO_DSL --> DSL_MODEM_BRIDGE -------+
                                            |
OpenBSD/PPPoE machine + ExtNIC (xl0) <------+
        |
        +--------+
                 +
                 + (session a) --------------------------------------------
                 + pppoe0 OK, gets IP addr fine, attached to tun0
                 +        System uses the Gateway addr. on this
                 +        tun as the 'default' route.
                 + Int NIC0
                 +------ dc0 OK, at 192.168.0.1/24, NAT translated via pf
                 +        works like a champ.
                 +
                 + (session b) --------------------------------------------
                 + pppoe1 Connects OK, and gets PublicIP, attached to
                 +        tun1. NAT rules in place to translate between
                 +        tun1 (assigned addr)
                 +        and the 192.168.1.1/24 LAN on Port1(dc1)
                 + Int NIC1
                 +------ dc1 OK, at 192.168.1.1/24, NAT translated via pf
                 +        does NOT route any data, but I can see
                 +        the OpenBSD machine on this Net.
                 +
                 + (session c) ---------------------------------------------
                 + pppoe2 Connects OK, and gets PublicIP, attached to tun2.
                 +        NAT rules in place to translate between tun1
                 +        (assigned addr) and the 192.168.2.1/24 LAN
                 +        on Port1(dc1)
                 + Int NIC2
                 +------ dc2 OK, at 192.168.1.1/24, NAT translated via pf
                 +        does NOT route any data, but I can see the
                 +        OpenBSD machine from any client on this Net.
                 +
                 + (session d) ---------------------------------------------
                 + pppoe3 Connects OK, and gets PublicIP, attached to tun3.
                 +        NAT rules in place to translate between tun1
                 +        (assigned addr) and the 192.168.3.1/24 LAN on
                 +        Port1(dc1)
                 + Int NIC3
                 +------ dc3 OK, at 192.168.3.1/24, NAT translated via pf
                 +        does NOT route any data, but I can see the
                 +        OpenBSD machine on this Net.
Clearly there are NO routes established to the outside world on
these three (3) remaining NAT'd Nets. I realize that... Really.
-------------- some config data --------
An excerpt from the /etc/pf.conf, relating to NAT rules:
#
nat on $Ext0 from 192.168.0.0/24 to any -> $Ext0
# nat on $Ext1 from 192.168.1.0/24 to any -> $Ext1
# nat on $Ext2 from 192.168.2.0/24 to any -> $Ext2
# nat on $Ext3 from 192.168.3.0/24 to any -> $Ext3
#
---------------
...where $Ext0, $Ext1, $Ext2 and $Ext3 are macros that represent
a tun device entry established from the ppp (pppoe) login sessions.
Each of these critters has the correctly assigned Public IP, and
I have carefully examined the /var/log/ppp.log to assure myself
that the correct IP's, Gateway and DNS values are being passed
back from the upstream connection server(s).
---------------
What I need is an *example setup* (pf.conf, hostname.dcN entries,
etc.) that will set up routes for each of these three remaining
NAT'd Nets and let me use them like the first one which, by the
way, works great.
Incidentally, I checked to be sure the DSL_MODEM_BRIDGE would
allow multiple PPPoE sessions and it does. I used some WalMart
(el cheapo) NR041 routers on a HUB connected directly to it to
prove the setup. Because OpenBSD 'pf' has the BEST
features, and will allow me to run squid, an eMail 'mta' and
a host of other much needed tools, I must get this to work.
Good ideas and examples are most welcome.
Thanks,
Randy @ RTMX
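The setup the post asks for, as an added pf.conf example that is not part of the original message and not taken from any reply to it. It uses the standard pf policy-routing pattern: NAT on each tun as the post already does for tun0, plus a route-to rule on each inside NIC so that traffic from LAN1..3 is steered out its own tun instead of following the single kernel default route on tun0. The syntax is the OpenBSD 4.0-era form (nat rules, explicit keep state). Interface names and LAN ranges come from the post; the $Gw1..$Gw3 values are assumed placeholders for the far-end address each PPPoE session negotiates (the HISADDR value in /var/log/ppp.log) and must be replaced with the real ones.

```pf
# Added example (not from the original post), OpenBSD 4.0-era pf syntax.
# Interface names and LAN ranges are those given in the post.

Ext0 = "tun0"
Ext1 = "tun1"
Ext2 = "tun2"
Ext3 = "tun3"
Int0 = "dc0"
Int1 = "dc1"
Int2 = "dc2"
Int3 = "dc3"
Lan0 = "192.168.0.0/24"
Lan1 = "192.168.1.0/24"
Lan2 = "192.168.2.0/24"
Lan3 = "192.168.3.0/24"
Lans = "{ 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }"

# ASSUMED placeholders: replace with the peer address (HISADDR) that
# pppoe1..3 negotiate, as logged in /var/log/ppp.log.
Gw1 = "192.0.2.1"
Gw2 = "192.0.2.2"
Gw3 = "192.0.2.3"

set skip on lo0

# NAT: each inside net leaves behind the public address of its own tun.
# The parentheses make pf re-read the interface address on every
# redial, so a renegotiated session does not leave stale rules behind.
nat on $Ext0 from $Lan0 to any -> ($Ext0)
nat on $Ext1 from $Lan1 to any -> ($Ext1)
nat on $Ext2 from $Lan2 to any -> ($Ext2)
nat on $Ext3 from $Lan3 to any -> ($Ext3)

# Default deny. pf is last-match-wins unless a rule says "quick".
block in log all
block out log all

# The gateway's own traffic (squid, the MTA, DNS lookups) follows the
# kernel default route, i.e. tun0, exactly as the post describes.
pass out keep state

# LAN hosts may reach the gateway's own address on their port, but the
# four LANs are kept isolated from each other.
pass in quick on $Int0 from $Lan0 to ($Int0) keep state
pass in quick on $Int1 from $Lan1 to ($Int1) keep state
pass in quick on $Int2 from $Lan2 to ($Int2) keep state
pass in quick on $Int3 from $Lan3 to ($Int3) keep state
block in log quick on { $Int0, $Int1, $Int2, $Int3 } from $Lans to $Lans

# LAN0 needs no policy routing: the default route already points at tun0.
pass in on $Int0 from $Lan0 to any keep state

# LAN1..3: the kernel holds only one default route, so force their
# packets out the matching tun with route-to. NAT on that tun is then
# applied as the packet leaves, and the state created here carries the
# replies back in through the same tun to the originating LAN.
pass in on $Int1 route-to ($Ext1 $Gw1) from $Lan1 to any keep state
pass in on $Int2 route-to ($Ext2 $Gw2) from $Lan2 to any keep state
pass in on $Int3 route-to ($Ext3 $Gw3) from $Lan3 to any keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, make sure `net.inet.ip.forwarding=1` is set in /etc/sysctl.conf, and confirm with `pfctl -ss` and `tcpdump -ni tun1` that a connection from a 192.168.1.0/24 host appears on tun1 with tun1's public address as source rather than on tun0. Because the route-to rules name the peer address explicitly, the $GwN macros have to be updated and the rules reloaded with `pfctl -f` if a session ever comes back with a different far-end address; the "quick" rules must stay above the route-to rules, otherwise LAN-to-gateway traffic would be pushed out the tun as well.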