Re: pppoe, binat and netopia router: apache virtual hosting

2006-05-18 Thread Daniel Walrond
On Mon, May 08, 2006 at 02:43:38PM -0500, Jacob Yocom-Piatt wrote:
 this raises another question i've had on my mind for quite some time:
 what, if any, are the advantages of doing pppoe using openbsd, as
 opposed to using a hardware router of some sort?

You get to use OpenBSD as your sole firewall rather than relying on a
cut down Linux install or VxWorks with no real memory management. Take
note of the bug in the SPI of Netgear routers which caused the modem to
drop its connection. What other bugs lurk in some proprietary software?

Advantages being all those security enhancements which come along
with OpenBSD. If it's a firewall and you don't need to rely on ports
then it might be worth enabling guard pages. Check malloc(3) for
details; enabling it by default would break far too many 3rd party
ports.

If you have a block of IPs then having one firewall can save you wasting
IPs. I'm sure there's some scrub ttl hack you could do to hide the
second firewall.

In my opinion the OpenBSD kernel pppoe device is very reliable and far
better than the average cheap consumer ADSL modem/router.

Since there were complaints of no real docs in Google on using the kernel
land pppoe driver for a pppoa connection with a bridged ADSL modem doing
the ATM work, I have recently written
http://compsoc.dur.ac.uk/~djw/pppoa.html on the matter. A word of
warning is that I've only just thrown it together, but it may be useful to
others who can't get their firewall to do what they want it to do. I'm
not opposed to feedback, as long as it's constructive ;)


Dan



Re: advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?

2006-04-22 Thread Daniel Walrond
On Fri, Apr 21, 2006 at 02:30:00PM +0200, Jonathan Thornburg wrote:
 I already have the (external) DSL modem, and from talking to other
 Unix-savvy customers of my ISP (arcor.de), their setup is that the
 DSL modem talks pppoe to me (in this case to my firewall/router/nat
 box).  From looking at the FAQ section 6, it seems I have two basic
 options available doing this in OpenBSD: pppoe(4) in the kernal, and
 pppoe(8) in userland.  My question is, what are the relative
 advantages/disadvantages of these?

I've used pppoe(4) since 3.8, and I've never had any issues with it. It's
been really stable and seems to be more reliable than any hardware ADSL
router I've used. Looks like you're planning the same setup as I have.

I can't comment at 6Mbit line speeds via the pppoe device. I do know
that with a Realtek network card it seems to top the CPU out with
interrupts at about 22Mbit of internal traffic.

Dan



Re: PPPoA and OpenBSD

2006-04-19 Thread Daniel Walrond
On Sun, Apr 09, 2006 at 07:03:36PM +1000, Dave Harrison wrote:
 Stuart Henderson wrote:
  On 2006/04/09 17:43, Dave Harrison wrote:
  I'm searching high and low for some documentation on setting up a
  PPPoA link (yes, it's for the UK and it's definitely PPPoA _not_
  PPPoE) under OpenBSD
  
  in-tree: ueagle(4) otherwise: iirc there are some USB Speedtouch
  drivers
 
 Is it not possible to configure in a way similar to a ppp  PPPoE
 setup ??
 
 I have a modem that I'm connecting to via ethernet, then it plugs into
 the phone line.
 
 Can I drive PPPoA with the ppp daemon ??

If you're using an ADSL router which you plug your OpenBSD box into via
ethernet I see two ways of connecting. Either get your ADSL modem to do
the PPPoA connection, or make your OpenBSD box do PPPoE and your ADSL
modem do a bridge connection using ATM. I've posted on the list
how I get my OpenBSD box to do the PPP connection (last month if you
look through the archives for PPPoA).

I may as well turn last month's email into html since it seems to be a
common question and there's little on the subject using Google.


Dan



Re: ADSL with pppoa (over ATM)

2006-03-31 Thread Daniel Walrond
On Fri, Mar 31, 2006 at 09:16:23AM +0200, Luca Losio wrote:
  My ADSL connection is PPPoA only, which is just PPPoE with ATM. They
  work at different layers so if you bridge your adsl modem and handle
  only the ATM part, then openbsd pppoe can do the rest. So this means
  your ADSL modem will have no public facing IP and reconnecting to it may
  be tricky once you have set it up. So be careful how you set it up.
 
 Can you please post your ppp configuration file?

Assuming that you're wanting to use the kernel pppoe driver, which has
been in OpenBSD since 3.7. Look at

# man 4 pppoe

for details, and compare with man 8 pppoe which is the userland pppoe
version and has been in OpenBSD since 2.8. The kernel pppoe network
device only really became stable in 3.8.

 So on the Dlink modem all you just did was to set it on bridge mode.
 Why it shouldn't work with the 1-port version? I have this (300t) :-( 
 but I upgraded the firmware

I don't know for sure. I have the DSL-504T. Looking at the Setup, DSL
Setup config of it, I have it set up as a Bridge with the appropriate
Encapsulation, VPI, VCI, and QoS settings given by my ISP. On the WAN
Setup there is no layer 3 setting, ie IP setting, since I want my
OpenBSD box to do that bit. There's no point choosing DHCP since you
still have to authenticate via PPP. If you don't have a bridge setup then
DHCP looks like it'll work, although it's not needed. Obviously try it
if you have no other option.

Looking at the LAN setup I have disabled DHCP since I wanted to use
dhcpd on my OpenBSD box. I have disabled the DNS relay function. Again I
do that on another box since I maintain internal DNS for my RFC 1918
IPs, aka Private IPs 10/8, 172.16/12, 192.168/16. Then I changed the
management IP to a different subnet, matching the IP of my ethernet card
used by the pppoe network device. I have to use ssh port forwarding to
access my D-Link router, but then until today I hadn't connected to it
since September 2005. And quite frankly I'd much prefer managing my adsl
connection via my OpenBSD box than a web interface.

So as for the OpenBSD box I have

# cat /etc/hostname.pppoe0 
pppoedev rl1
!/usr/sbin/spppcontrol \$if myauthproto=chap myauthname=username \
myauthkey=password
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1
!/sbin/route add default 0.0.0.1
up


Where username and password are set to what your ISP has given you for
your PPPoA setting.


# cat /etc/hostname.rl1
inet 192.168.10.100 255.255.255.0

In /etc/pf.conf I have

scrub out on pppoe0 max-mss 1440

It's all in the man page, except I have given the physical network card
an IP. If you were doing pure pppoe to your ISP, then you would do as
the man page reads. You may also want to take note about setting the MTU
as per the man page.

If things are working nicely you'll see something like the following:

# ifconfig pppoe0
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
dev: rl1 state: session
sid: 0xcf8 PADI retries: 14 PADR retries: 0 time: 17d 15:03:41
groups: pppoe egress
inet 10.10.10.10 --> 0.0.0.1 netmask 0xff00
inet6 fe80::260:8ff:dead:beef%pppoe0 ->  prefixlen 64 scopeid 0x9


Where 10.10.10.10 is the IP your ISP assigns you. I usually find that
on first booting the pppoe device takes a while to authenticate but
once up it's really stable. Seems better than most consumer ADSL modems
and also seems to cope with DSLAM reboots at the exchange very well.
I've not had any complaints about it.

As for the other side of my OpenBSD router I have quite a complicated
setup which is probably overkill for most people's needs. If you're just
doing NAT on a single NIC then that should be pretty straightforward
via /etc/pf.conf

It was a pain to set up, but I'm glad of it now. Especially when there's
DoS exploits in Netgear ADSL routers using IRC DCC commands when SPI is
turned off. I'd much rather trust my OpenBSD than a VxWorks or Linux based
modem. Usually they're excessively slimmed down and missing a lot of
features OpenBSD has to offer.

If you find this information useful I may be inclined to write some
online docs for it, since it'll possibly help others if you didn't find
much in Google. So let me know how you get on.



Dan
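The post above shows what a healthy pppoe(4) interface looks like and pairs it with a pf scrub max-mss rule. The following is an added example, not part of the original mail or of OpenBSD: a small Python check that parses `ifconfig pppoe0` output, reports whether the session is actually up (state "session", a non-zero session id, a negotiated address), and sanity-checks a configured max-mss against the interface MTU (a TCP MSS larger than MTU minus 40 bytes of IPv4+TCP headers produces segments the link cannot carry). The two fixtures are constructed, modelled on the output quoted above rather than captured from a live box, and the state strings are the ones pppoe(4) prints ("initial", "PADI sent", "PADR sent", "session").

```python
import re

# Constructed fixtures, modelled on the ifconfig(8) output quoted in the
# post above; not captured from a live system.
SAMPLE_UP = """\
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: rl1 state: session
        sid: 0xcf8 PADI retries: 14 PADR retries: 0 time: 17d 15:03:41
        groups: pppoe egress
        inet 10.10.10.10 --> 0.0.0.1 netmask 0xffffffff
        inet6 fe80::260:8ff:dead:beef%pppoe0 ->  prefixlen 64 scopeid 0x9
"""

# Constructed: the same interface while still waiting for the access
# concentrator to answer PADI; no session id and no address yet.
SAMPLE_DOWN = """\
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: rl1 state: PADI sent
        sid: 0x0 PADI retries: 3 PADR retries: 0 time: 00:00:09
        groups: pppoe egress
        inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff
"""

IP_TCP_HEADERS = 40  # minimal IPv4 (20) + TCP (20) header bytes


def parse_pppoe_ifconfig(text):
    """Pull the session details out of `ifconfig pppoeN` output."""
    info = {"mtu": None, "dev": None, "state": None, "sid": None,
            "padi_retries": None, "padr_retries": None, "inet": None}
    m = re.search(r"\bmtu (\d+)", text)
    if m:
        info["mtu"] = int(m.group(1))
    m = re.search(r"dev: (\S+)\s+state: ([^\n]+)", text)
    if m:
        info["dev"] = m.group(1)
        info["state"] = m.group(2).strip()
    m = re.search(r"sid: (0x[0-9a-fA-F]+)", text)
    if m:
        info["sid"] = int(m.group(1), 16)
    m = re.search(r"PADI retries: (\d+)\s+PADR retries: (\d+)", text)
    if m:
        info["padi_retries"] = int(m.group(1))
        info["padr_retries"] = int(m.group(2))
    # 0.0.0.0 is the placeholder from hostname.pppoe0, not a negotiated address
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+) -->", text, re.MULTILINE)
    if m and m.group(1) != "0.0.0.0":
        info["inet"] = m.group(1)
    return info


def recommended_max_mss(mtu):
    """Largest TCP MSS whose segment still fits in one link-MTU packet."""
    return mtu - IP_TCP_HEADERS


def check_session(info, configured_max_mss):
    """Return a list of problems; an empty list means the link looks healthy."""
    problems = []
    if info["state"] != "session":
        problems.append("state is %r, not 'session'" % info["state"])
    if not info["sid"]:
        problems.append("no PPPoE session id assigned")
    if info["inet"] is None:
        problems.append("no IPv4 address negotiated yet")
    if info["mtu"] is not None:
        limit = recommended_max_mss(info["mtu"])
        if configured_max_mss > limit:
            problems.append("max-mss %d exceeds mtu %d - %d = %d"
                            % (configured_max_mss, info["mtu"],
                               IP_TCP_HEADERS, limit))
    return problems


if __name__ == "__main__":
    for label, sample in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        parsed = parse_pppoe_ifconfig(sample)
        print(label, parsed["state"], check_session(parsed, 1440) or "ok")
```

On a real box feed it `ifconfig pppoe0` via subprocess and run it from cron or a monitoring hook. Note also that the CHAP secret in hostname.pppoe0 is stored in clear, so that file should stay readable by root only (OpenBSD ships hostname.* files mode 0640, root:wheel).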



Re: ADSL with pppoa (over ATM)

2006-03-31 Thread Daniel Walrond
On Fri, Mar 31, 2006 at 11:52:27AM +0100, Craig Skinner wrote:
 Luca Losio wrote:
 My ADSL connection is PPPoA only, which is just PPPoE with ATM. They
 work at different layers so if you bridge your adsl modem and handle
 only the ATM part, then openbsd pppoe can do the rest. So this means
 your ADSL modem will have no public facing IP and reconnecting to it may
 be tricky once you have set it up. So be careful how you set it up.
 
 
 Can you please post your ppp configuration file?
 So on the Dlink modem all you just did was to set it on bridge mode.
 Why it shouldn't work with the 1-port version? I have this (300t) :-( 
 but I upgraded the firmware
 
 
 Please review this as you have already been given the answer:
 
http://archive.netbsd.se/?ml=openbsd-misc&a=2006-03&m=1864140
 
 This thread is closed.

That depends on if Luca really wants to do that. Then again he may not.
I think we should let him decide if this thread is closed.

 [snip]

 These routers are designed to be no brainers for windows users, yet 
 there are no windows drivers, therefore it uses conventional networking.

Personally I didn't want a point and drool interface, I wanted more
control of my connection.

 The router does PPPoA, this is a superior technology as the PPP session 
 sits directly on top of the telco's ATM system. PPPoE is PPP over 
 ethernet, over ATM: an extra layer that is not needed.

Read RFC 1661, RFC 2516 and RFC 2364 iirc.

PPP, ethernet and ATM are all layer 2 of the OSI Seven Layer model.  IP
is in layer 3. ATM and ethernet are data links which tunnel the PPP
data.  PPP does the authentication and various other things just like with
dial up modems.

It's not a case of tunneled PPP in ethernet in ATM. The ADSL modem
deals with changing the wrapper to tunnel PPP from ethernet to ATM. ATM
deals with getting the PPP data from my ADSL modem to the DSLAMs at the
exchange. Ethernet deals with getting the PPP data from my OpenBSD box
to my ADSL modem. I seriously doubt my exchange would understand me
firing ethernet data at it, or maybe I'm wasting bytes in my segments in
unnecessary overheads.

I'll admit this is not a normal setup but as far as I know OpenBSD
doesn't have PPPoA support directly in the kernel, and I can't see why
it would since most ADSL PCI cards are primarily driven by software
usually in the form of BLOBs. Maybe you fancy reverse engineering some
of these cards and getting them working in OpenBSD.


Dan
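The layering argument above (PPP carried by ethernet between the OpenBSD box and the modem, re-wrapped into ATM by the modem) is easiest to see by building the ethernet side of it. The following is an added example, not code from the mail or from OpenBSD: it encodes and decodes a PPPoE session-stage frame as RFC 2516 defines it (ethertype 0x8864, a 6-byte PPPoE header, then the 2-byte PPP protocol field from RFC 1661 and the IP packet), and derives from those header sizes the two numbers that appear in the earlier configuration, the 1492 MTU and the TCP MSS that fits under it. The MAC addresses and the 20-byte IPv4 header are constructed sample data; the parser refuses frames whose PPPoE length field claims more bytes than are present, which is the check a forwarding path needs before trusting that header.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516 session stage (discovery uses 0x8863)
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number that carries IPv4
ETHER_MTU = 1500
ETHER_HDR_LEN = 14
PPPOE_HDR_LEN = 6                  # ver/type, code, session id, length
PPP_PROTO_LEN = 2
IP_TCP_HEADERS = 40                # minimal IPv4 + TCP headers

# Constructed sample data: hypothetical MACs and a bare 20-byte IPv4 header
# (10.10.10.10 -> 192.0.2.1, proto TCP, checksum left zero; nothing here
# validates it).
DST_MAC = bytes.fromhex("001122334455")   # hypothetical modem/access concentrator
SRC_MAC = bytes.fromhex("006008deadbe")   # hypothetical rl1 address
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 6, 0,
                        bytes([10, 10, 10, 10]), bytes([192, 0, 2, 1]))


def pppoe_mtu():
    """Bytes left for IP once ethernet also carries PPPoE + PPP headers."""
    return ETHER_MTU - PPPOE_HDR_LEN - PPP_PROTO_LEN


def tcp_mss_for(mtu):
    """TCP MSS that keeps a full segment within one packet of the given MTU."""
    return mtu - IP_TCP_HEADERS


def pppoe_session_frame(dst_mac, src_mac, session_id, ip_packet):
    """Build ethernet / PPPoE (RFC 2516) / PPP (RFC 1661) / IPv4, i.e. what
    the pppoe device hands to the underlying ethernet card."""
    if not 0 < session_id < 0xFFFF:          # 0 and 0xffff are reserved
        raise ValueError("invalid PPPoE session id 0x%04x" % session_id)
    if len(ip_packet) > pppoe_mtu():
        raise ValueError("IP packet of %d bytes exceeds PPPoE MTU %d"
                         % (len(ip_packet), pppoe_mtu()))
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    # VER=1 and TYPE=1 share one byte (0x11); CODE=0x00 marks session data
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def parse_pppoe_session_frame(frame):
    """Reverse of the above: (session_id, ppp_protocol, payload), or
    ValueError for anything that is not a well-formed session frame."""
    if len(frame) < ETHER_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN:
        raise ValueError("frame too short")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame: ethertype 0x%04x" % ethertype)
    vertype, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or code != 0x00:
        raise ValueError("bad PPPoE ver/type/code")
    ppp = frame[20:]
    if length > len(ppp):     # truncated frame: never trust the header length blindly
        raise ValueError("PPPoE length %d exceeds available %d bytes"
                         % (length, len(ppp)))
    ppp = ppp[:length]        # drop any ethernet padding after the PPP payload
    proto, = struct.unpack("!H", ppp[:2])
    return sid, proto, ppp[2:]


if __name__ == "__main__":
    frame = pppoe_session_frame(DST_MAC, SRC_MAC, 0xcf8, SAMPLE_IP)
    print("frame bytes:", len(frame), "mtu:", pppoe_mtu(),
          "mss:", tcp_mss_for(pppoe_mtu()), parse_pppoe_session_frame(frame)[:2])
```

The 8 bytes of PPPoE and PPP header are why pppoe0 reports mtu 1492 while rl1 stays at 1500, and why a max-mss of 1452 is the ceiling for TCP over that link (the 1440 in the pf.conf above leaves a little extra margin). The ATM side that the modem adds on the way to the DSLAM is outside what the OpenBSD box sees, which is the point made above.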



Re: ADSL with pppoa (over ATM)

2006-03-31 Thread Daniel Walrond
On Wed, Mar 29, 2006 at 03:16:38AM +0100, Daniel Walrond wrote:
 On Tue, Mar 21, 2006 at 08:21:40PM +0100, Luca Losio wrote:
  I read the faq searching for info about pppoa
  (http://www.openbsd.org/faq/faq6.html) :
  
  The main software interface to PPPoE/PPPoA on OpenBSD is pppoe(8),
  which is a userland implementation (in much the same way that we
  described ppp(8), above)
  
  but I can't figure out how to configure it for a ppp over ATM
  connection. Anyone can help? I don't want to have a double NAT, one
  from the adsl modem and one from the OpenBSD gateway...
 
 I have a Dlink 4-port ADSL modem, I forget the the product code. IIRC it
 won't work with the 1-port version. I use the pppoe kernel driver and my
 modem does the ATM part. It works very well, I've been running it since
 september 2005.
 
 My ADSL connection is PPPoA only, which is just PPPoE with ATM. 

That should have read ...PPP with ATM. If I have confused people.


Dan



Re: UKUUG Spring Conference 2006: photo-reportage

2006-03-29 Thread Daniel Walrond
On Sun, Mar 26, 2006 at 06:10:55PM +0100, Constantine A. Murenin wrote:
 I trust everyone had a lot of fun at the recent UKUUG LISA conference!

Yep :)

 I've depicted some of this fun in the photographs, and here you can
 see what you have missed if you have not attended:
 
 URL:http://mojo.ru/uk/uug/2006-03/

Some more photos for people:

http://photos.djw.org.uk/ukuug200603/



Dan



Re: ADSL with pppoa (over ATM)

2006-03-28 Thread Daniel Walrond
Hello,

On Tue, Mar 21, 2006 at 08:21:40PM +0100, Luca Losio wrote:
 I read the faq searching for info about pppoa
 (http://www.openbsd.org/faq/faq6.html) :
 
 The main software interface to PPPoE/PPPoA on OpenBSD is pppoe(8),
 which is a userland implementation (in much the same way that we
 described ppp(8), above)
 
 but I can't figure out how to configure it for a ppp over ATM
 connection. Anyone can help? I don't want to have a double NAT, one
 from the adsl modem and one from the OpenBSD gateway...

I have a Dlink 4-port ADSL modem, I forget the product code. IIRC it
won't work with the 1-port version. I use the pppoe kernel driver and my
modem does the ATM part. It works very well, I've been running it since
September 2005.

My ADSL connection is PPPoA only, which is just PPPoE with ATM. They
work at different layers so if you bridge your adsl modem and handle
only the ATM part, then openbsd pppoe can do the rest. So this means
your ADSL modem will have no public facing IP and reconnecting to it may
be tricky once you have set it up. So be careful how you set it up. Then
you can setup your openbsd box to suit your needs removing a potentially
buggy adsl modem firewall out of the loop.

Now if you've got a block of IPs and you're running them on red and dmz
segments things can get very messy if you don't want to waste IPs.
Running a bridge on the internal interfaces seems to do the job best;
you can't include the pppoe device, and including the underlying
ethernet card isn't going to work as one might expect. But the pppoe
device and the bridge seem to interact fine.


Enjoy :)

Dan