Re: DSL works, almost
From: David Efflandt (efflandt_at_xnet.com)
Date: Sat, 13 Mar 2004 02:07:28 +0000 (UTC)
On Fri, 12 Mar 2004 09:44:35 -0500, Geoff Wheeler <email@example.com> wrote:
> Oh, so damn close. Thanks again, David. Now to my next round of Qs.
> David Efflandt wrote:
>> On Thu, 11 Mar 2004 14:00:40 -0500, Geoff Wheeler <firstname.lastname@example.org> wrote:
>>>...It's a Westell 2200, which means it has routing capability, but I don't
>>>want that, right? My thinking is that a machine in direct contact with
>>>the outside world should _not_ contain info about my home LAN, correct?
>>> Isn't that the reason for your suggestion to mask the LAN?
>> I do not know the capabilities of your modem/router, which is why I
>> suggested masquerading your LAN behind your Linux router. By default,
>> your modem router would only answer for local LAN IPs in its network.
>> If your other LAN behind the Linux box was not masqueraded, your
>> modem/router would ignore them.
> Which, I guess, is what it's doing. I may be answering my own question
> from below (working my way back up your reply), but it seems that any
> way I go I'll be MASQing my home LAN to eth1/ppp0. Since, through dhcp,
> the modem/router only knows from eth1, every request must come from that
> IP, yes? And if'n I PPPoE from Linux, that'll be happening anyway, but
> from eth0->ppp0, no?
Yes, if the modem was in bridge mode, your Linux would have to masquerade
eth0 LAN IPs as its ppp0 IP (assuming you only get single IP from ISP).
The eth1 IP in that case would be unused (unless you need to set it to
something specific to access modem config).
>> Basically doing your own pppoe (if you could switch modem/router to bridge
>> mode) would eliminate the double NAT (masquerading behind NAT). However,
>> I am not familiar with WinPoET and whether it differs from standard PPPoE.
> Yeahbutyeahbutyeahbut. I can enable/disable NAT on modem/router, so if
> I disable it there, and use NAT on Linux to translate for home LAN,
> isn't that preferable? My concern is that using PPPoE on Linux won't
> allow me to access the modem/router for configuring, unless I tear down
> PPPoE and re-enable dhcpc for the time required to access modem/router.
My adsl modem is only a bridge and has no config, so accessing it once
pppoe is working is a non-issue.
> Small price, surely, but isn't LAN->eth1->modem/router->PPPoE->world
> better insulation than LAN->ppp0->PPPoE->modem/router/world? I realize
> this leaves the modem vulnerable, but better that than my home LAN, no?
It all depends upon whether you run any servers and if double NAT makes
port forwarding more confusing. The problem with some (not all)
routers is that web server logs behind it "might" show IP of router
instead of IP of actual web client.
>> That still would not work from your eth0 LAN unless masquerading is
>> working properly (and /proc/sys/net/ipv4/ip_forward contains 1).
> OK, next confusion. If I go PPPoE route on Linux, what should the
> routing table show. Right now, it'll put the remote addy in the table
> and not the local, so how does eth0 get any knowledge of ppp0(local) in
> order to send packets to ppp0(remote)? Or does it need to? I'm
> starting to get an inkling about MASQing here, and it must not have been
> working, ever, since when I tried demand dialling, dialling would be
> triggered for foreign addies but they would never resolve. This would
> be because requests were coming from IPs different from ppp0, correct?
Routing on my SuSE 8.2 pppoe/firewall/router is very simple. It only has
host route to remote ppp IP (automatic), -net route for my LAN (automatic
from network scripts), and default route using remote ppp IP as gateway
(pppd defaultroute option). In my case eth1 is used for pppoe, but I set
it to unused private IP, netmask 255.255.255.255 so it does not even show
up in routing:
> /sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
22.214.171.124 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 126.96.36.199 0.0.0.0 UG 0 0 0 ppp0
Again, routing is just for outgoing traffic and Linux knows which IPs of
its own it should receive traffic for (including 'lo' loopback interface).
-- David Efflandt - All spam ignored http://www.de-srv.com/
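The routing table and masquerading setup described in this thread, as an added example that is not part of either poster's message. It embeds a constructed copy of the `route -n` output in the same shape as the one quoted above, with the ISP-side addresses replaced by documentation placeholders (203.0.113.x), checks that the table has the three routes David lists (host route to the ppp peer, -net route for the LAN on eth0, default via the ppp peer on ppp0), and prints, without running them, the ip_forward and iptables MASQUERADE commands that make the eth0 LAN appear as the ppp0 address. The interface names eth0/ppp0 and the helper names check_routes/masq_commands are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: same layout as `route -n` on a pppoe/router box.
# 203.0.113.1 stands in for the remote ppp peer IP (placeholder).
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
203.0.113.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 203.0.113.1 0.0.0.0 UG 0 0 0 ppp0'

# Constructed broken sample: default route still points at the LAN side,
# so nothing from the LAN would ever leave via ppp0.
BAD_ROUTES='Destination Gateway Genmask Flags Metric Ref Use Iface
203.0.113.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0'

# check_routes TABLE LAN_IFACE PPP_IFACE
# Prints "ok" when TABLE has a host route (UH, /32) to the ppp peer on
# PPP_IFACE, a network route (U) for the LAN on LAN_IFACE, and a default
# route (UG) on PPP_IFACE whose gateway is that same peer. Otherwise
# prints what is missing and returns 1.
check_routes() {
    table=$1; lan=$2; ppp=$3
    peer=$(printf '%s\n' "$table" |
        awk -v i="$ppp" '$3=="255.255.255.255" && $4=="UH" && $8==i {print $1; exit}')
    [ -n "$peer" ] || { echo "missing host route to ppp peer on $ppp"; return 1; }
    printf '%s\n' "$table" |
        awk -v i="$lan" '$4=="U" && $8==i && $3!="255.255.255.255"' | grep -q . ||
        { echo "missing LAN network route on $lan"; return 1; }
    gw=$(printf '%s\n' "$table" |
        awk -v i="$ppp" '$1=="0.0.0.0" && $4=="UG" && $8==i {print $2; exit}')
    [ "$gw" = "$peer" ] ||
        { echo "default route gateway '$gw' is not the ppp peer $peer on $ppp"; return 1; }
    echo ok
}

# masq_commands LAN_IFACE PPP_IFACE
# Emits (does not execute) the commands that let LAN hosts behind LAN_IFACE
# reach the outside as the PPP_IFACE address: enable forwarding, masquerade
# on the ppp side, and only forward replies back in to the LAN.
masq_commands() {
    lan=$1; ppp=$2
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $ppp -j MASQUERADE
iptables -A FORWARD -i $lan -o $ppp -j ACCEPT
iptables -A FORWARD -i $ppp -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stand-alone demo: validate the good table, then show the masquerade commands.
check_routes "$SAMPLE_ROUTES" eth0 ppp0
masq_commands eth0 ppp0
```

To check a live box instead of the sample, pass `"$(/sbin/route -n)"` as the first argument; a table that fails the default-route check is the symptom Geoff describes where demand dialling triggers but nothing ever gets an answer, since the LAN packets were never sent out over ppp0 as the ppp0 address.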