ALP - Aquileia Linux Project

GNU/Linux User Group – Free Software Bassa Friulana
Subject: OpenBSD pppoe and router in bridge
Posted: 10/06/2006, 23:31
new_entry
Joined: 10/06/2006, 23:22
Posts: 1
Code:
How to configure a router (configuration available for Cisco - Zyxel - Pirelli Discus Alice Gate)
to work in bridge mode instead of NAT, using an OpenBSD firewall for pppoe and filtering.
 
 
This is useful if you have an OpenBSD firewall using only one public IP.
 
The network diagram could be:
 
       __                        /( DMZ )
    __(  )__                    /
   (        )                  /
  ( internet )-------(X)-x-[FW]---( LAN )
   (__    __)                  \
      (__)                      \
                                 \( ... )
 
+--------+
|legenda:|
+--------+
(X): Router
[FW]: Firewall
( DMZ ): DMZ LAN, here you can place servers that must be reachable: mail server, www, ftp, ...
( LAN ): your client LAN
( ... ): whatever :)
 
The router just manages the ADSL link and the OpenBSD box negotiates the pppoe connection, taking
the public IP.
 
 
+-------------+
|Our scenario:|
+-------------+
OpenBSD box: soekris net4801
Router: Cisco SOHO 77 (tested also on a Cisco 837. Anyway it can be applied to any Cisco ADSL router)
        (below there's the configuration for a Zyxel Prestige 662 too - for the Pirelli just turn it on :D )
 
Router configuration (general configuration, for details see below)
IP: 192.168.1.1
Mode: Bridge
 
+------------+
|OpenBSD Box:|
+------------+
# network interfaces
sis0: 192.168.1.254/24 (connected to the router via crossover cable)
sis1: 192.168.69.254/24 (LAN interface)
sis2: 10.0.0.254/24
 
 
# ppp.conf
default:
    # log the phases that matter when debugging a pppoe link
    set log Phase Chat LCP IPCP CCP tun command
    set redial 15 0
    set reconnect 15 10000
pppoe:
    # pppoe(8) speaks PPPoE on sis0, the crossover cable to the bridged router
    set device "!/usr/sbin/pppoe -i sis0"
    # 1500 minus the 8 bytes of PPPoE + PPP overhead
    set mtu max 1492
    set mru max 1492
    disable acfcomp protocomp
    deny acfcomp
    set speed sync
    enable lqr
    set authname "yourusername"
    set authkey "yourpassword"
    # install the default route through the peer once IPCP is up
    add default HISADDR
 
 
# pf.conf
ext_if="tun0"          # pppoe link, carries the public IP
bri_if="sis0"          # crossover cable to the bridged router
int_if="sis1"          # LAN interface
dmz_if="sis2"          # DMZ interface

int_ip="192.168.69.254/32"
bri_ip="192.168.1.254/32"
dmz_ip="10.0.0.254/32"

router="192.168.1.1/32"
server="10.0.0.1/32"

int_lan="192.168.69.0/24"
dmz_lan="10.0.0.0/24"

scrub in all fragment reassemble

# ($ext_if) in parentheses: the public IP changes at every pppoe dial, so pf
# must read tun0's address at run time instead of expanding it at load time
nat on $ext_if from $int_lan to any -> ($ext_if)
nat on $ext_if from $dmz_lan to any -> ($ext_if)

# default deny on every interface, then open only what is needed
block log on { $ext_if $bri_if $int_if $dmz_if } all
pass in on $int_if from $int_lan to any keep state
pass out on $ext_if from any to any keep state
# let the firewall reach the router's management address over the crossover cable
pass out on $bri_if from $bri_ip to $router keep state
pass out on $int_if from $int_ip to $int_lan keep state
 
 
the dmz_lan is just an example: using NAT the server(s) in the DMZ can surf the internet, but you need to create
the rdr and pass rules to open services to the internet

(e.g.: rdr on $ext_if proto tcp from any to ($ext_if) port { 80 443 } -> $server
 will redirect all the traffic arriving on ports 80 and 443 to the $server in the DMZ)
 
 
obviously you need to configure the OpenBSD box to work as a router, so IP forwarding and whatever else you need
 
 
 
+---------------------+
|Router configuration:|
+---------------------+
 
Zyxel Prestige 662
 
                        Menu 4 - Internet Access Setup
 
                    ISP's Name= MyISP
                    Encapsulation= RFC 1483
                    Multiplexing= LLC-based
                    VPI #= 8
                    VCI #= 35
                    ATM QoS Type= UBR
                      Peak Cell Rate (PCR)= 0
                      Sustain Cell Rate (SCR)= 0
                      Maximum Burst Size (MBS)= 0
                    My Login= N/A
                    My Password= N/A
                    ENET ENCAP Gateway= N/A
                    IP Address Assignment= N/A
                      IP Address= N/A
                    Network Address Translation= None
                      Address Mapping Set= N/A
 
 
                        Menu 5.2 - TCP/IP Ethernet Setup
 
                    TCP/IP Setup:
                      IP Address= 192.168.2.1
                      IP Subnet Mask= 255.255.255.0
                      RIP Direction= None
                        Version= N/A
                      Multicast= None
 
 
                         Menu 11.1 - Remote Node Profile
 
     Rem Node Name= MyISP                 Route= None
     Active= Yes                          Bridge= Yes
 
     Encapsulation= RFC 1483              Edit IP/Bridge= No
     Multiplexing= LLC-based              Edit ATM Options= No
     Service Name= N/A                    Edit Advance Options= N/A
     Incoming:                            Telco Option:
       Rem Login= N/A                       Allocated Budget(min)= N/A
       Rem Password= N/A                    Period(hr)= N/A
     Outgoing:                              Schedule Sets= N/A
       My Login= N/A                        Nailed-Up Connection= N/A
       My Password= N/A                   Session Options:
       Authen= N/A                          Edit Filter Sets= No
                                            Idle Timeout(sec)= N/A
 
 
Cisco SOHO 77
 
hostname bridge
!
boot-start-marker
boot-end-marker
!
ip subnet-zero
! pure bridge: the router does not route IP, the OpenBSD box does
no ip routing
no ip domain lookup
!
! management address, reachable from the firewall's sis0 over the crossover cable
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 bridge-group 1
 hold-queue 100 out
!
! ATM side: RFC 1483 bridged PVC (aal5snap); PPPoE frames are bridged through to the firewall
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 bridge-group 1
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5snap
 !
!
ip classless
no ip http server
!
! both interfaces are in bridge-group 1, spanning tree per IEEE 802.1D
bridge 1 protocol ieee
!
!
scheduler max-task-time 5000
end
 
 
+-----------------+
|Add-ons and Tips:|
+-----------------+
Cisco:
remember that Cisco interfaces are always shut down by default, so please:
conf t
int eth0
no shutdown
int atm0
no shutdown
and go on :)
 
 
Zyxel:
The Prestige 662 is a router with a wireless access point, don't waste money to *** it if you want to use it this way,
there are a lot of cheaper Zyxel routers
 
 
Pirelli:
this strange object (http://www.pirelli.com/en_42/cables_systems/telecom/telecom_systems/broadband_access/products/pdf/mag.pdf)
is not manageable, just turn it on; it will have IP 192.168.1.1 and will work in bridge mode by default
 
 
OpenBSD
start the pppoe with the command:
ppp -background pppoe
to see the debug output until the connection is up

after this you can run it with the command:
/usr/sbin/ppp -ddial pppoe


Please note that if you don't give the ppp daemon enough time to come up, you will get an error reading the pf.conf
firewall ruleset because the interface tun0 is not ready yet
It's a good choice to sleep 5 before loading the pf.conf firewall ruleset
 
 
Well, this is the end of this "cerebral masturbation"
for any comment, help request, insults, whatever, feel free to write me at:

leos[at]malignuz.org
 
 
+-------+
|greets:|
+-------+
Mattia for the Cisco configuration
sand for the pppoe tips
Theo for OpenBSD


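Added example, not part of the original post: the rdr and pass rules the post leaves as an exercise, for the web server in the DMZ, in the OpenBSD 3.x-era pf syntax the post uses. It shows the weak form with an undefined `$pub_ip` macro next to the working form with `($ext_if)`, which pf resolves from tun0's current address at packet time so the rule survives a pppoe redial. Macro names are those of the post's pf.conf; the table of local networks and the decision to let DMZ hosts reach only the internet are assumptions about what the DMZ needs.

```pf
# Added example: DMZ rules to append to the post's pf.conf (OpenBSD 3.x syntax).
# $ext_if, $dmz_if, $dmz_lan, $dmz_ip, $int_lan and $server are the post's macros.

# local networks a compromised DMZ host must not reach (assumed set; a table is
# used because "to ! { a, b }" expands to two OR'ed rules and does not mean "neither")
table <local_nets> const { 192.168.69.0/24, 192.168.1.0/24 }

# weak form: $pub_ip is never defined, and even a hand-set public address
# goes stale at the next pppoe redial
# rdr on $ext_if proto tcp from any to $pub_ip port { 80 443 } -> $server

# working form: ($ext_if) is read at run time from tun0's current address
rdr on $ext_if proto tcp from any to ($ext_if) port { 80 443 } -> $server

# rdr only rewrites the destination; the translated packet still has to be
# passed in on the pppoe interface (filtering sees the post-translation address)...
pass in on $ext_if proto tcp from any to $server port { 80 443 } \
    flags S/SA keep state

# ...and passed out towards the DMZ
pass out on $dmz_if proto tcp from any to $server port { 80 443 } keep state

# DMZ hosts may open connections to the internet (NATed by the post's nat rule)
# but not to the LAN or the router segment; the firewall itself may talk to the DMZ
pass in on $dmz_if from $dmz_lan to ! <local_nets> keep state
pass out on $dmz_if from $dmz_ip to $dmz_lan keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; with `($ext_if)` the parse succeeds even while tun0 has no address yet, which a plain `$ext_if` expansion cannot do.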
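Added example, not from the original post: an rc.local-style start script that replaces the fixed `sleep 5` with a poll of ifconfig for tun0's IPv4 address before the ruleset is loaded, and turns on the IP forwarding the post mentions. The commands are the real OpenBSD ones (ppp, pfctl, sysctl, ifconfig); `IFCONFIG` is an overridable variable so the wait function can be exercised on a box without a tun0, and the 30 second timeout is an assumption.

```sh
#!/bin/sh
# Added example: bring up the pppoe link, wait for tun0 to get its public IPv4
# address, then enable forwarding and load pf. Not part of the original post.

IFCONFIG=${IFCONFIG:-ifconfig}     # overridable so wait_for_inet can be tested offline
PF_CONF=${PF_CONF:-/etc/pf.conf}
PPP_LABEL=${PPP_LABEL:-pppoe}      # the ppp.conf section name from the post

# wait_for_inet IFACE TIMEOUT
# Poll IFACE once a second until an IPv4 address shows up in its ifconfig
# output (OpenBSD prints "\tinet A.B.C.D --> peer netmask ..." for tun).
# Returns 0 when the address is there, 1 after TIMEOUT seconds.
wait_for_inet() {
    iface=$1
    timeout=$2
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # "inet [0-9]" matches the IPv4 line only, never "inet6 ..."
        if $IFCONFIG "$iface" 2>/dev/null | grep -q '^[[:space:]]*inet [0-9]'; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Full startup sequence; run as root on the firewall.
start_firewall() {
    # the box routes between sis0/sis1/sis2/tun0, so forwarding must be on
    sysctl net.inet.ip.forwarding=1

    # -ddial: detach and keep redialing whenever the link drops
    /usr/sbin/ppp -ddial "$PPP_LABEL"

    # rules that expand $ext_if at load time fail while tun0 has no address;
    # wait for the address instead of a blind "sleep 5"
    if ! wait_for_inet tun0 30; then
        echo "tun0 did not come up within 30s, pf ruleset not loaded" >&2
        return 1
    fi

    # -n first: a syntax error must not leave the box without a ruleset
    pfctl -nf "$PF_CONF" && pfctl -e -f "$PF_CONF"
}

# run the whole sequence only when invoked as "start"; sourcing just defines functions
if [ "${1:-}" = start ]; then
    start_firewall
fi
```

Call it from /etc/rc.local as `sh /etc/pppoe-up.sh start` (path assumed); on failure the ruleset is left untouched and the message lands on the console, which is preferable to loading a ruleset that silently NATs to a stale address.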
 
Posted: 11/06/2006, 9:48
Site Admin
Joined: 18/08/2004, 19:41
Posts: 1237
Location: Aquileia
Welcome to the forum Leos ;)

Thanks a lot for giving us the guide ;)

Enjoy your stay on the ALP Forum, hoping we can have other discussions in the future :mrgreen:
:ciauz:

_________________
Davide Tommasin
BLOG di uno qualsiasi
ALP - Aquileia Linux Project
CKF - Canoa Kayak Friuli

