Thread: tun device
Old 22nd September 2008
robbak
Real Name: Robert Backhaus
VPN Cryptographer
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366

Hmm, difficult. See, pppoe takes the packets that arrive on tun0 (having been through any queues that you applied with "out on tun0" rules), wraps them in ppp headers, and sends them out on ... Well, I'll have to admit, I'm a little shady on what ppp does here. I think it injects them as ppp packets onto the ethernet, or does it wrap the ppp packets in new IP headers? In any case, they will then go back out, as completely new packets, via the correct interfaces, and through your "out on $LAN" rules.

What this means is that, as far as a firewall is concerned, the ppp packets are not the same as the original ip packets. You would need some form of deep packet inspection to recognize them.

What I would do is to run tcpdump (a very useful tool you need to learn) on the physical interface to see what these ppp packets look like. Then you may see how to handle them in your ip config.

Edit: this also works in reverse: the ppp client will receive inbound packets from $LAN (after being through "in on $LAN" rules and queues), strip the ppp headers, and dump them onto tun0, where they will be touched by "in on tun0" rules.
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

Last edited by robbak; 22nd September 2008 at 11:32 PM. Reason: Additional info, correcting "in" and "out". You'd think Sesame Street would have taught me the difference before now!
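An added example, not part of robbak's post, showing the layering he describes: an IPv4 packet leaving tun0 is wrapped in a 2-byte PPP protocol field (0x0021 for IPv4) and a 6-byte PPPoE session header (RFC 2516), and the resulting ethernet frame carries ethertype 0x8864 rather than 0x0800, which is why address-based rules on the physical interface do not see the original IP addresses. The MAC addresses, session id and IP addresses below are constructed; the PPPoE and PPP header layouts are the ones defined in RFC 2516 and RFC 1661.

```python
import struct
import socket

# Constructed example (not from the original post): an IPv4 packet is wrapped in a
# PPP header and a PPPoE session header (RFC 2516) before it leaves the ethernet.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (0x8863 is discovery)
PPP_PROTO_IPV4 = 0x0021

def ipv4_header(src, dst, payload_len=0):
    """Minimal 20-byte IPv4 header with the given addresses (checksum left zero)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def pppoe_session_frame(dst_mac, src_mac, session_id, ip_packet):
    """Ethernet frame as a PPPoE client would emit it: ethertype 0x8864,
    6-byte PPPoE header (ver=1, type=1, code=0), then PPP protocol + the IP packet."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe

def classify_frame(frame):
    """What a filter on the physical interface sees: the outer ethertype, and the
    inner IP addresses only after stripping the PPPoE and PPP headers."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info = {"ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4:
        info["kind"] = "ipv4"
        info["src"], info["dst"] = _ip_addrs(frame[14:])
    elif ethertype == ETHERTYPE_PPPOE_SESSION:
        ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, 14)
        ppp_proto = struct.unpack_from("!H", frame, 20)[0]
        info.update(kind="pppoe-session", session_id=session_id, ppp_protocol=ppp_proto)
        if code == 0 and ppp_proto == PPP_PROTO_IPV4:
            info["inner_src"], info["inner_dst"] = _ip_addrs(frame[22:20 + length])
    else:
        info["kind"] = "other"
    return info

def _ip_addrs(ip_packet):
    return (socket.inet_ntoa(ip_packet[12:16]), socket.inet_ntoa(ip_packet[16:20]))

if __name__ == "__main__":
    ip = ipv4_header("192.0.2.10", "198.51.100.7")          # constructed addresses
    raw = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip
    wrapped = pppoe_session_frame(b"\xaa" * 6, b"\xbb" * 6, 0x1234, ip)
    print(classify_frame(raw))      # address-based rules can match this one
    print(classify_frame(wrapped))  # outer frame is not IP; addresses are inside
```

On a live system the same layering shows up with tcpdump on the physical interface using the `pppoes` filter primitive, which matches ethertype 0x8864 frames.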