Problem with pf for PPPoE
Hi,
I just installed OpenBSD 4.6, because I want to use nat to make a very basic firewall to split my ADSL connection between a few computers (some Linux, some Windows). I set up a very basic pf.conf with only what is necessary to use the internet. On my OpenBSD box everything works fine, I have access to any website, but on my other computers only 80% of the websites work; other websites like "msn.com" and "grc.com" don't work, it says "Waiting for www.grc.com..." in the Firefox status bar. I tried many different settings but nothing works ... Here is my pf.conf:
Code:
ext_if = "pppoe0"
set skip on lo
match in all scrub (no-df max-mss 1440)
nat on $ext_if from !($ext_if) to any -> ($ext_if)
Anybody have a clue? Thanks a lot
The following section from the pppoe(4) man page discusses the MTU issue but gives a different match rule than yours.
Code:
MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the Internet via a machine running both Network Address Translation (NAT) and pppoe. Standard Ethernet uses a Maximum Transmission Unit (MTU) of 1500 bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead. This leaves a maximum MTU of 1492. pppoe sets the MTU on its interface to 1492 as a matter of course. However, machines connecting on a private LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the Maximum Segment Size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

           match on pppoe0 scrub (max-mss 1440)

     Although in theory the maximum MSS over a PPPoE interface is 1452 bytes, 1440 appears to be a safer bet. Note that setting the MSS this way can have undesirable effects, such as interfering with the OS detection features of pf(4). See pf.conf(5) for more information on MTU, MSS, and NAT.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
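The arithmetic behind the quoted man page (1500 - 8 = 1492 bytes of MTU, minus 40 bytes of IPv4 and TCP headers = 1452 bytes of MSS) and the way to confirm that a clamp is actually in effect are shown below as an added example; this is not code from the thread, from OpenBSD or from pf. It assumes only the standard header sizes (20 bytes IPv4, 40 bytes IPv6, 20 bytes TCP without options) and the 8-byte PPPoE overhead the man page states. The TCP SYN it inspects is a constructed sample; in practice the same parser would be fed the TCP segment bytes captured with tcpdump on the LAN side and on pppoe0, and a SYN leaving pppoe0 with an MSS above the clamp value means the match rule is not being hit.

```python
"""Added example: PPPoE MTU/MSS arithmetic and a check of the MSS option in a TCP SYN.
Written for this thread as an illustration; it is not part of OpenBSD or pf."""
import struct

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # from pppoe(4): PPPoE needs 8 further bytes per frame
IPV4_HEADER = 20        # standard sizes, assumed here; no IP options
IPV6_HEADER = 40
TCP_HEADER = 20         # TCP header without options


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """MTU left for IP over a PPPoE link: 1500 - 8 = 1492."""
    return link_mtu - PPPOE_OVERHEAD


def max_mss(mtu, ipv6=False):
    """Largest TCP payload that fits in one packet of the given MTU
    (MTU minus the IP header and a 20-byte TCP header).
    max_mss(1492) is the 1452 the man page calls the theoretical maximum."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def parse_mss_option(tcp_segment):
    """Return the MSS advertised in the TCP options of a segment, or None.
    tcp_segment is the raw TCP header (and payload) without the IP header."""
    data_offset = (tcp_segment[12] >> 4) * 4       # header length in bytes
    options = tcp_segment[TCP_HEADER:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP: single-byte option
            i += 1
            continue
        if i + 1 >= len(options):                   # truncated option, stop
            break
        length = options[i + 1]
        if length < 2:                              # malformed, stop
            break
        if kind == 2 and length == 4:               # MSS option
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def build_syn(mss, src_port=40000, dst_port=80):
    """Construct a minimal TCP SYN carrying an MSS option (constructed sample data)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" * 4   # MSS + 4 NOPs = 8 bytes
    data_offset_words = (TCP_HEADER + len(options)) // 4     # 7 words = 28 bytes
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                       # seq, ack (irrelevant for this check)
        data_offset_words << 4,     # data offset in the high nibble, reserved bits zero
        0x02,                       # SYN flag
        65535, 0, 0,                # window, checksum (not computed), urgent pointer
    )
    return header + options


def mss_exceeds(tcp_segment, limit):
    """True when the SYN advertises an MSS larger than the clamp value,
    i.e. the packet was not clamped by a 'scrub (max-mss limit)' rule."""
    mss = parse_mss_option(tcp_segment)
    return mss is not None and mss > limit


if __name__ == "__main__":
    print("PPPoE MTU:", pppoe_mtu())                         # 1492
    print("theoretical max MSS (IPv4):", max_mss(pppoe_mtu()))  # 1452
    lan_syn = build_syn(1460)                                # typical 1500-byte-MTU LAN host
    print("LAN host advertises MSS", parse_mss_option(lan_syn),
          "- exceeds clamp of 1440:", mss_exceeds(lan_syn, 1440))
```

Running it shows why the LAN hosts break: a host with a 1500-byte MTU advertises an MSS of 1460, which is larger than what fits through the 1492-byte PPPoE link, and unless pf rewrites that value to 1440 (or at most 1452) on the way out, full-size segments from servers that never see the ICMP fragmentation-needed messages simply stall, which is the "Waiting for..." symptom in the first post.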
It works!!!!!
Thanks a lot for the help, I'm a newbie in the networking world and I don't think I would have solved this by myself... Now I'll add some security...