|
|||
Modem PPPoE vs OpenBSD PPPoE
Looking at this page from the OpenBSD website:
http://www.openbsd.org/faq/faq6.html

=================================================
PPPoE/PPPoA

The Point to Point Protocol over Ethernet (PPPoE) is a method for sending PPP packets in Ethernet frames. The Point to Point Protocol over ATM (PPPoA) is typically run on ATM networks, such as those found in the UK and Belgium.

Typically this means you can establish a connection with your ISP using just a standard Ethernet card and Ethernet-based DSL modem (as opposed to a USB-only modem).

If you have a modem which speaks PPPoE/PPPoA, it is possible to configure the modem to do the connecting. Alternatively, if the modem has a `bridge' mode, it is possible to enable this and have the modem "pass through" the packets to a machine running PPPoE software (see below).

The main software interface to PPPoE/PPPoA on OpenBSD is pppoe(8), which is a userland implementation (in much the same way that we described ppp(8), above). A kernel PPPoE implementation, pppoe(4), has been incorporated into OpenBSD.
=================================================

With reference to the bolded paragraph above, is it more secure to allow OpenBSD to handle PPPoE authentication etc. (by setting modem to bridge mode), or is it better to allow the ADSL router/modem to handle all the PPPoE authentication stuff?
|
|||
In case of NAT, dialing from the modem is more secure because it will be assigned the live IP and your machine will be on a private IP, behind NAT.
Usually PPPoE dialing from machines/devices is more stable than dialing from cheap ADSL modems, unless you have some modem like Speedtouch/Alcatel. I work in a broadband ISP, and many times we configure ADSL modems in bridge mode, and sometimes we don't even use any authentication method, because a lot of modems/devices/routers do not have a very good PPPoE implementation.
|
|||
Quote:
and this is the best reason to do it. openbsd's kernel pppoe implementation is considerably more robust than most modems. |
|
|||
thanks for the suggestions osman and reuteler.
do you think security would be (slightly) improved if the openbsd box was behind the modem's NAT, with PF further protecting openbsd box? sorry if that sounded confusing - what i meant was would having the openbsd box sitting behind the modem's NAT provide a second layer of security since the openbsd box isn't allocated an external IP address? so in effect, the internal LAN would be behind a "double-NAT"... or have i missed something?

i'm not too concerned about my modem's pppoe because it seems to be quite robust. whenever i lose ADSL line sync, the modem's pppoe/pppoa would automagically reconnect without fail. again, please correct me if i have missed something here as well.
|
|||
well since the openbsd box is acting as the firewall/nat/gateway, i guess i should set the modem to bridge mode. i gather that since the modem's firmware isn't audited at all (compared to openbsd), there might be many (exploitable) bugs that i'm just unaware of. in the worst case, the username/password could be compromised from buggy firmware on the modem, right?
|
|
|||
I prefer to have PPPOE dialing in modem because this is much more flexible and secure.
I hope this helps. Thanks.
Last edited by Peter_APIIT; 14th June 2008 at 12:52 AM. Reason: Add some information.
|
|||
why do you say that PPPoE dialling in-modem is more secure?
|
|
|||
Quote:
I used it prior to switching to a more affordable cable solution. |
|
|||
Sorry to say that. Should be in PPPOE in OpenBSD.
|
|
|||
thanks for the clarification
|
|
|||
In the past I ran OpenBSD PPPOE but I switched to modem PPPOE.
A good modem lets you route all the traffic, so there is no NAT between the modem and the *BSD box. You can then protect your BSD box easily with pf; also, VPN with IPSEC works great behind a routing modem. Two reasons for me to switch from OpenBSD PPPOE to the modem PPPOE. My provider breaks the line every 24 hours, so my postfix, apache and other daemons didn't work as expected. I could bind them to a dummy or other interface and redirect with pf, but this hasn't stopped the trouble. IPSEC and ssh run happily behind a routing modem with private IP (both directions).
|
|||
Quote:
|
|
|||
Yes, you are right, I used kernel PPPOE since it was more stable with my provider than userland PPPOE.
|
|
|