ALP - Aquileia Linux Project

GNU/Linux Users Group – Free Software Bassa Friulana

All times are UTC

Subject: OpenBSD pppoe and router in bridge
Posted: 10/06/2006, 23:31

Joined: 10/06/2006, 23:22
Posts: 1
How to configure a router (configuration available for Cisco, Zyxel, Pirelli Discus Alice Gate)
to work in bridge mode instead of NAT, using an OpenBSD firewall for PPPoE and filtering.
This is useful if you have an OpenBSD firewall using only one public IP.
The network diagram could be:
       __                        /( DMZ )
    __(  )__                    /
   (        )                  /
  ( internet )-------(X)-x-[FW]---( LAN )
   (__    __)                  \
      (__)                      \
                                 \( ... )
(X): Router
[FW]: Firewall
( DMZ ): DMZ LAN, here you can place the servers that must be reachable: mail server, www, ftp, ...
( LAN ): your client LAN
( ... ): whatever :)
The router just manages the ADSL link and the OpenBSD box negotiates the PPPoE connection, taking
the public IP.
|Our scenario:|
OpenBSD box: Soekris net4801
Router: Cisco SOHO 77 (tested also on a Cisco 837; anyway it can be applied to any Cisco ADSL router)
        (here below there's the configuration for a Zyxel Prestige 662 too - for the Pirelli just turn it on :D )
Router configuration (general configuration, for details see below)
Mode: Bridge
|OpenBSD Box:|
# network interfaces
sis0: (connected to the router via cross cable)
sis1: (lan interface)
# ppp.conf (/etc/ppp/ppp.conf)
# The file as posted had no label: ppp(8) selects the section named on the
# command line (ppp -background pppoe / ppp -ddial pppoe), so it is added here.
pppoe:
    set log Phase Chat LCP IPCP CCP tun command
    set redial 15 0
    set reconnect 15 10000
    # userland pppoe(8) on the interface cabled to the router
    set device "!/usr/sbin/pppoe -i sis0"
    # PPPoE overhead: 1500 - 8
    set mtu max 1492
    set mru max 1492
    disable acfcomp protocomp
    deny acfcomp
    set speed sync
    enable lqr
    set authname "yourusername"
    set authkey "yourpassword"
    # default route via the ISP side of the link
    add default HISADDR
# pf.conf (macros were not in the post: interfaces follow the post, addresses are placeholders)
ext_if  = "tun0"           # ppp link, carries the public IP
bri_if  = "sis0"           # cross cable to the router
int_if  = "sis1"           # LAN
int_lan = "192.168.1.0/24" # placeholder client LAN
dmz_lan = "192.168.2.0/24" # placeholder DMZ LAN (assumed to sit on sis2)
int_ip  = "192.168.1.1"    # placeholder firewall LAN address
bri_ip  = "192.168.0.2"    # placeholder firewall address towards the router
router  = "192.168.0.1"    # placeholder router management address
scrub in all fragment reassemble
# $ext_if is resolved to tun0's address when the ruleset is loaded, hence the "wait for tun0" tip below
nat on $ext_if from $int_lan to any -> $ext_if
nat on $ext_if from $dmz_lan to any -> $ext_if
block log on { tun0 sis0 sis1 sis2 } all
pass in on $int_if from $int_lan to any keep state
pass out on $ext_if from any to any keep state
pass out on $bri_if from $bri_ip to $router keep state
pass out on $int_if from $int_ip to $int_lan keep state
The dmz_lan is just an example: using NAT the server(s) in the DMZ can surf the internet, but you need to create
the rdr and pass rules to open services to the internet
(e.g.: rdr on $ext_if proto tcp from any to $pub_ip port {80 443} -> $server
 will redirect all the traffic arriving on ports 80 and 443 to the $server in the DMZ).
Obviously you need to configure the OpenBSD box to work as a router, so ipforwarding and whatever you need.
|Router configuration:|
Zyxel Prestige 662
                        Menu 4 - Internet Access Setup
                    ISP's Name= MyISP
                    Encapsulation= RFC 1483
                    Multiplexing= LLC-based
                    VPI #= 8
                    VCI #= 35
                    ATM QoS Type= UBR
                      Peak Cell Rate (PCR)= 0
                      Sustain Cell Rate (SCR)= 0
                      Maximum Burst Size (MBS)= 0
                    My Login= N/A
                    My Password= N/A
                    ENET ENCAP Gateway= N/A
                    IP Address Assignment= N/A
                      IP Address= N/A
                    Network Address Translation= None
                      Address Mapping Set= N/A
                        Menu 5.2 - TCP/IP Ethernet Setup
                    TCP/IP Setup:
                      IP Address=
                      IP Subnet Mask=
                      RIP Direction= None
                        Version= N/A
                      Multicast= None
                         Menu 11.1 - Remote Node Profile
     Rem Node Name= MyISP                 Route= None
     Active= Yes                          Bridge= Yes
     Encapsulation= RFC 1483              Edit IP/Bridge= No
     Multiplexing= LLC-based              Edit ATM Options= No
     Service Name= N/A                    Edit Advance Options= N/A
     Incoming:                            Telco Option:
       Rem Login= N/A                       Allocated Budget(min)= N/A
       Rem Password= N/A                    Period(hr)= N/A
     Outgoing:                              Schedule Sets= N/A
       My Login= N/A                        Nailed-Up Connection= N/A
       My Password= N/A                   Session Options:
       Authen= N/A                          Edit Filter Sets= No
                                            Idle Timeout(sec)= N/A
Cisco SOHO 77
hostname bridge
ip subnet-zero
no ip routing
no ip domain lookup
interface Ethernet0
 ip address
 no ip route-cache
 bridge-group 1
 hold-queue 100 out
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 bridge-group 1
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5snap
ip classless
no ip http server
bridge 1 protocol ieee
scheduler max-task-time 5000
|Add-ons and Tips:|
remember that Cisco interfaces are always in shutdown by default, so please:
conf t
int eth0
no shutdown
int atm0
no shutdown
and go on :)
The Prestige 662 is a router with a wireless access point; don't waste money to *** it if you want to use it this way,
there are a lot of cheaper Zyxel routers.
This strange object is not manageable: just turn it on, it will have an IP and will work in bridge mode by default.
Start the PPPoE with the command:
ppp -background pppoe
to see the debug output while the connection comes up;
after this you can run it with the command:
/usr/sbin/ppp -ddial pppoe
Please note that if you don't give the ppp daemon enough time to come up, you will get an error reading the pf.conf
firewall ruleset because the interface tun0 is not ready yet.
It's a good choice to sleep 5 before reading the pf.conf firewall ruleset.
Well, this is the end of this "cerebral masturbation".
For any comment, help request, insults, whatever, feel free to write to:
Mattia for the Cisco configuration
sand for PPPoE tips
Theo for OpenBSD
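The "sleep 5" tip in the post works until the day the ISP is slow and tun0 still has no address when pf.conf is read. The script below is an added example, not code from the original post: it starts ppp with the label used in the post, polls ifconfig(8) until tun0 actually carries a non-zero inet address (ppp leaves tun0 at 0.0.0.0 while IPCP is still negotiating, so "the interface exists" is not enough), parse-checks the ruleset with pfctl -n and only then loads it. The label "pppoe" and the interface tun0 come from the post; the path /etc/pf.conf, the 30 s timeout, the script name and the ifconfig lines in the selftest are assumptions and constructed samples, not real captures.

```shell
#!/bin/sh
# pppoe-up.sh: bring up the PPPoE link, then load pf only once tun0 has an
# address. Added example, not code from the original post. Assumptions:
# ppp label "pppoe", ppp interface tun0, ruleset /etc/pf.conf, 30 s timeout.

PPP_LABEL=pppoe
PPP_IF=tun0
PF_CONF=/etc/pf.conf
TIMEOUT=30

# tun_has_inet: read ifconfig(8) output on stdin; succeed only if an "inet"
# line carries an address other than 0.0.0.0 (ppp leaves tun0 at 0.0.0.0
# while IPCP is still negotiating, so "interface exists" is not enough).
tun_has_inet() {
    awk '$1 == "inet" && $2 != "0.0.0.0" { found = 1 } END { exit (found ? 0 : 1) }'
}

# wait_for_inet IFACE SECONDS: poll ifconfig once per second until the
# interface has an address or the time runs out.
wait_for_inet() {
    _if=$1
    _left=$2
    while [ "$_left" -gt 0 ]; do
        if ifconfig "$_if" 2>/dev/null | tun_has_inet; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# load_ruleset FILE: parse-check first (pfctl -n) so a broken file is reported
# before anything is touched, then load it.
load_ruleset() {
    pfctl -nf "$1" || return 1
    pfctl -f "$1"
}

# selftest: run tun_has_inet over constructed ifconfig output (not real
# captures) for the three states you will meet; returns 0 only if the
# classifier agrees with all three.
selftest() {
    _up='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 198.51.100.7 --> 198.51.100.1 netmask 0xffffffff'
    _negotiating='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 0.0.0.0 --> 0.0.0.0 netmask 0xffffffff'
    _down='tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500'
    printf '%s\n' "$_up" | tun_has_inet || return 1
    printf '%s\n' "$_negotiating" | tun_has_inet && return 1
    printf '%s\n' "$_down" | tun_has_inet && return 1
    echo "selftest: ok"
}

main() {
    /usr/sbin/ppp -ddial "$PPP_LABEL"
    if wait_for_inet "$PPP_IF" "$TIMEOUT"; then
        echo "$PPP_IF is up, loading $PF_CONF"
    else
        echo "warning: $PPP_IF has no address after ${TIMEOUT}s, loading anyway" >&2
    fi
    load_ruleset "$PF_CONF"
}

case "${1:-}" in
    start)    main ;;
    selftest) selftest ;;
esac
```

Run it as "sh pppoe-up.sh start" from wherever the post's sleep 5 lived (rc.local, for instance); "sh pppoe-up.sh selftest" exercises only the ifconfig parser, so it can be tried on any box without touching ppp or pf. On timeout the ruleset is still loaded so the pfctl error stays visible in the boot log instead of silently leaving the box without its rules.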

Posted: 11/06/2006, 9:48
Site Admin

Joined: 18/08/2004, 19:41
Posts: 1237
Location: Aquileia
Welcome to the forum Leos ;)

Thanks a lot for providing us with the guide ;)

Enjoy your stay on the ALP Forum, hoping we can have other discussions in the future :mrgreen:

Davide Tommasin
BLOG di uno qualsiasi
ALP - Aquileia Linux Project
CKF - Canoa Kayak Friuli
