Grant <> wrote:

> I've been using shorewall for awhile with net0 on the WAN and net1 on
> the LAN.  I just switched to PPPoE so now I have ppp0 in addition to
> net0 and net1.  I've replaced net0 with ppp0 everywhere in my
> shorewall config and added net0 as a second interface in the loc zone
> along with net1.  Everything seems to be working fine.  Does it sound
> like I've made any glaring errors?
> I read that CLAMPMSS=Yes is usually required when using PPPoE.  Do I
> need it if things are working fine without it?
> Are there any other config changes to consider when switching from
> DHCP to PPPoE?

I wouldn't put net1 in the loc zone - I've put it in a separate zone, not that 
I do anything on that interface as the current modem doesn't have an accessible 
management interface until I get round to unlocking it ;-) It shouldn't matter, 
but it is on the outside of your firewall.

>From my interfaces file :
int     ethint          detect          tcpflags,routeback,nosmurfs,dhcp
fttc    ethfttc         detect          tcpflags,nosmurfs
dsl     ppp10           detect          

I would set CLAMPMSS, or what you find is that it looks like it's working, but 
you get strange failures. Everything works as long as no packet you send is 
larger than 1492* bytes - I think the other end takes care of dealing with MSS 
on your inbound traffic. So web browsing seems to work fine, you can access you 
email, etc. Then you find you can't send an email, and certain web sites fail 
(eg when sending a form or uploading a file).

* 1492 is the normal MSS of 1500 bytes for an ethernet frame, less the 8 byte 
overhead for PPPoE. I think I must have been a bit tired when I put 1450 in my 
config and couldn't be bothered to look it up. It doesn't do any harm at 1450 
bytes - it just means large transfers take a few more frames.

Shorewall-users mailing list

Reply via email to