PF and kernel-level PPPoE(4)
OpenBSD 4.5
Setup:

xl0  internal interface
xl1  external interface
DSL modem in bridging mode

I want to replace an Endian firewall with an OpenBSD firewall. I understand kernel-level PPPoE works better than userland PPPoE. I am able to set PPPoE up, but I have some questions regarding the PF aspect of it. I have followed the guides but I am stuck on these issues.

1) With kernel-level PPPoE, is it necessary for PF to be disabled until after the connection is brought up? If so, how do I enable PF as soon as the connection goes live? What happens if the connection dies?

2) pppoe0 replaces xl1 as the external interface in pf.conf, correct?

Thank you.
You should really take some time and read the PF User Guide.

Assuming that you will be doing NAT and have a dynamic IP, pay attention to this part of the above guide.
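The point of the reply above (NAT behind a PPPoE link whose address is assigned dynamically) is easier to see in a complete ruleset. The following is an added example written for this page, not a configuration posted in the thread or taken from the PF User Guide. It uses the interface names from the first post (pppoe0 carried over xl1 as the external interface, xl0 as the internal one) and the nat syntax of OpenBSD 4.5; the LAN prefix 192.168.1.0/24, the table name and the MSS value are assumptions.

```pf
# /etc/pf.conf, OpenBSD 4.5 syntax (separate nat rules).  Added example;
# interface names follow the first post, the LAN prefix is constructed.
ext_if  = "pppoe0"            # the PPPoE interface, not xl1, is the external side
int_if  = "xl0"
lan_net = "192.168.1.0/24"    # assumption: adjust to the real LAN prefix

table <bruteforce> persist    # hosts that hammer ssh end up here

set skip on lo0
set block-policy drop

# Clamp TCP MSS below the PPPoE MTU (assumes the usual 1492-byte MTU:
# 1492 - 40 bytes of IP+TCP headers = 1452) so large segments are not dropped.
scrub in all
scrub out on $ext_if max-mss 1452

# ($ext_if) in parentheses is the key point for a dynamic address: pf looks
# up the interface's current address when a packet is evaluated, so this rule
# keeps working after PPP renegotiates and pppoe0 gets a new IP, without a
# ruleset reload.  Writing the address or a bare $ext_if would freeze the
# value that was current when pf.conf was loaded.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, then the explicit permits.
block log all
block in quick from <bruteforce>

antispoof quick for $int_if

# LAN hosts may go anywhere; the gateway itself may go out on the link.
pass in quick on $int_if from $lan_net to any
pass out on $ext_if

# Inbound ssh to the firewall's current address, rate-limited per source.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Answer pings to the firewall's current address.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq
```

On the first post's question 1: with pf=YES in /etc/rc.conf.local, OpenBSD enables PF from /etc/rc with a small built-in default ruleset before the interfaces are configured and loads /etc/pf.conf once they are up, so PF does not need to be switched off while the PPPoE session comes up. Because every address-dependent rule above refers to ($ext_if) rather than to a literal IP, a link that drops and renegotiates simply starts matching the new address; nothing has to be re-enabled. Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf.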
I have an issue regarding this very same setup.

CLOUD-----------soekris gateway-----------LAN
               pppoe0 (vr0)        vr1

When I'm in the LAN, all is good. When I'm right on the gateway, DNS works (UDP), ICMP works, but I can't get TCP to work. Here is a snip of what's going on:

on the LAN:

lerequin# uname -a
OpenBSD laptop 4.5 GENERIC#118 i386
lerequin# telnet google.ca 80
Trying 64.233.161.104...
Connected to google.ca.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
lerequin#

on the gateway:

# uname -a
OpenBSD lataupe.xxxxxxx.com 4.5 GENERIC#1749 i386
# ping google.nl
PING google.nl (216.239.59.104): 56 data bytes
64 bytes from 216.239.59.104: icmp_seq=0 ttl=244 time=159.768 ms
--- google.nl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 159.768/159.768/159.768/0.000 ms
# telnet google.nl 80
Trying 74.125.77.104...
^C
# telnet openbsd.org 80
Trying 199.185.137.3...
^C
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> freebsd.org
Server:         127.0.0.1
Address:        127.0.0.1#53
Non-authoritative answer:
Name:   freebsd.org
Address: 69.147.83.40
> exit
#

The TCP connection hangs.

# cat /etc/hostname.vr0
up
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vr0 authproto pap \
        authname 'xxxxxx@acanac.net' authkey 'xxxxxxx' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
#
# netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            0.0.0.1            UGS        7  1337177     -     8 pppoe0
10.1.1/24          link#2             UC         4        0     -     4 vr1
10.1.1.1           00:00:24:c9:32:69  UHLc       0       14     -     4 lo0
10.1.1.25          00:22:15:8d:93:ff  UHLc       0        0     -     4 vr1
10.1.1.204         00:0b:6b:36:72:ab  UHLc       2   264074     -     4 vr1
10.1.1.207         link#2             UHLc       1   440518     -     4 vr1
67.XXX.8.1         67.XXX.13.124      UH         0        0     -     4 pppoe0
127/8              127.0.0.1          UGRS       0        0 33204     8 lo0
127.0.0.1          127.0.0.1          UH         2     1899 33204     4 lo0
224/4              127.0.0.1          URS        0        0 33204     8 lo0

pf rulz stripped down for the post:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="vr1"
table <lan_sub> { 10.1.1.0/24 }
table <fuckers> persist
#set loginterface $ext_if
set skip on lo0
set debug loud
#scrub all no-df random-id fragment reassemble reassemble tcp
scrub out log (all) on $ext_if max-mss 1440
nat log (all) on $ext_if from !($ext_if) to any -> ($ext_if)
block drop log (all) all
block drop quick log (all) inet6
block drop quick log (all) from <fuckers>
pass in quick log (all) on $int_if modulate state
pass out quick log (all) on $ext_if modulate state
pass in quick log (all) on $ext_if proto tcp from any port > 1024 to ($ext_if) port ssh flags S/SA modulate state (max-src-conn 5, max-src-conn-rate 10/5, overload <fuckers> flush global)
pass in quick log (all) inet proto icmp all icmp-type echoreq modulate state

While doing a telnet google.com 80 on the soekris:

# tcpdump -i pflog0 -X -s 1500 -e -vvv host google.com
tcpdump: listening on pflog0, link-type PFLOG
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 697898457 0> (DF) [tos 0x10] (ttl 64, id 51129, len 64)
14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821837804 697898457,nop,wscale 6> (ttl 51, id 27033, len 60)
14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838129 697898457,nop,wscale 6> (ttl 51, id 27034, len 60)
14:51:04.984323 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838729 697898457,nop,wscale 6> (ttl 51, id 27035, len 60)

The SYN-ACK comes back, but it doesn't reach telnet, so telnet keeps sending SYN until it reaches the timeout. It looks like the packets are NATed back to 0.0.0.0 instead of the pppoe0 IP address, and I guess telnet is not listening on 0.0.0.0.

# netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.37330                qy-in-f104.googl.www   SYN_SENT

At this point I don't know more. ......... anyone?

Last edited by spid3r; 15th May 2009 at 07:18 PM.