Re: HELP: NAT/Masquerading broken with 2.6.11 + pppoe (long)
From: Horst Knobloch (horschti2_at_gmx.de)
Date: Mon, 16 May 2005 13:59:37 +0200
Albrecht Dreß <firstname.lastname@example.org> wrote:
> Am Mon, 16 May 2005 00:15:45 +0200 schrieb Horst Knobloch:
>> I would try to use for the pppoe connection a dedicated
>> eth-NIC to which the DSL modem is directly connected.
>> IIRC NICs with an IP address assigned are supposed to
"are supposed" is a little bit strong, "is said" is
>> cause problems when running PPPoE over it. I can't
>> remember the exact reasons, though and I had even
>> such a setup successfully running a long time ago.
> Well, this would of course be a possibility... However, IMHO Linux ought
> to be able to handle this setup - as I said before, it *does* work
> perfectly with MacOS 10.3 (which is built on top of a BSD system, but
> that shouldn't make a big difference).
I think I also never read an explanation for it, and
this was the reason why I tried it, and it worked (at
least with rp-pppoe).
>> However I would give it a try with a dedicated NIC. They are very cheap
>> nowadays and such a setup is smarter anyway, since the broadcasts of
>> your private LAN are not bridged by DSL modem towards your ISP.
> Hmmm, if I understand the setup correctly, the DSL modem is supposed to
> catch only the packets directed to it, right (i.e. the ppp0 interface)?
> So it should be possible to block all broadcasts (and other unwanted
> packets) coming from and sent to the isp
In your setup (pppoe is running on Linux) the ADSL modem is
a bridge, bridging traffic between the physical ethernet
(your private LAN) and the ATM interface towards your provider.
The bridge must transmit broadcasts in your LAN towards the
provider. That's how bridges work and you can't prevent this
by any filter rules deployed on the Linux box.
> using a proper firewall
> (iptables, ipfw) setup?
No (unless it is a very smart bridge which supports filtering).
Installing filter rules on the Linux box doesn't help when
the ADSL modem bridge is connected to the same LAN segment
where the other hosts also reside.
However, in most cases you deploy an ADSL router, or a router
to which the ADSL modem is connected on its WAN port, to do
this filtering, or you connect the ADSL modem to a
dedicated ethernet interface of your Linux box.
PS. It wouldn't hurt to also check the rules actually in
place via iptables-save to make sure that no other rules
are installed, e.g. when the ppp interface comes up, which
cause you problems.
-- »When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
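The iptables-save check suggested in the PS above, automated as an added example that is not part of this thread: take one `iptables-save` snapshot before ppp0 comes up and one after, parse both, and report rules that appeared, rules that vanished and chain policies that changed, plus every rule that names a given interface. The two snapshots embedded below are constructed samples, not output from either poster's machine; the function names (`parse_iptables_save`, `diff_snapshots`, `rules_for_interface`) are this example's own.

```python
"""Added example (not from the original thread): diff two iptables-save
snapshots to spot rules that appear, vanish or change policy when ppp0
comes up.  Both snapshots below are constructed samples."""
import re
from typing import Dict, List, Tuple

Table = Tuple[Dict[str, str], List[str]]   # (chain -> policy, ordered '-A' rules)

BEFORE = """\
# constructed sample: iptables-save output before ppp0 came up
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

AFTER = """\
# constructed sample: the same box after ppp0 came up; a hypothetical ip-up
# hook flushed the nat table, inserted an INPUT rule and changed a policy
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -m state --state NEW -j DROP
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def parse_iptables_save(text: str) -> Dict[str, Table]:
    """Return {table: (policies, rules)}: policies maps chain -> policy
    ('-' for user chains), rules is the ordered list of '-A' lines."""
    tables: Dict[str, Table] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = ({}, [])
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table: {line!r}")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table][0][chain] = policy
        elif line.startswith("-A "):
            tables[table][1].append(line)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return tables


def _positions(rules: List[str]) -> List[Tuple[str, int, str]]:
    """Pair each rule with its chain and 1-based position inside that chain,
    as 'iptables -L --line-numbers' shows it, so an '-I' insertion is visible."""
    seen: Dict[str, int] = {}
    out = []
    for rule in rules:
        chain = rule.split()[1]
        seen[chain] = seen.get(chain, 0) + 1
        out.append((chain, seen[chain], rule))
    return out


def diff_snapshots(before_text: str, after_text: str):
    """Return (added, removed, policy_changes) between two snapshots.
    Entries are (table, chain, position, rule) resp. (table, chain, old, new)."""
    b, a = parse_iptables_save(before_text), parse_iptables_save(after_text)
    added, removed, policy_changes = [], [], []
    for table in sorted(set(b) | set(a)):
        bpol, brules = b.get(table, ({}, []))
        apol, arules = a.get(table, ({}, []))
        for chain, pos, rule in _positions(arules):
            if rule not in brules:
                added.append((table, chain, pos, rule))
        for chain, pos, rule in _positions(brules):
            if rule not in arules:
                removed.append((table, chain, pos, rule))
        for chain in sorted(set(bpol) | set(apol)):
            if bpol.get(chain) != apol.get(chain):
                policy_changes.append((table, chain, bpol.get(chain), apol.get(chain)))
    return added, removed, policy_changes


# '-i eth0', '-o ! ppp0' (old syntax) and '! -i ppp0' (new syntax) all captured
IFACE_RE = re.compile(r"-[io]\s+(?:!\s+)?(\S+)")


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables wildcard: 'ppp+' matches any interface whose name starts with 'ppp'."""
    return pattern == iface or (pattern.endswith("+") and iface.startswith(pattern[:-1]))


def rules_for_interface(text: str, iface: str) -> List[Tuple[str, str]]:
    """Every rule whose -i/-o (possibly negated or wildcarded) refers to iface."""
    out = []
    for table, (_, rules) in parse_iptables_save(text).items():
        for rule in rules:
            if any(iface_matches(p, iface) for p in IFACE_RE.findall(rule)):
                out.append((table, rule))
    return out


if __name__ == "__main__":
    added, removed, changed = diff_snapshots(BEFORE, AFTER)
    for label, items in (("added", added), ("removed", removed), ("policy", changed)):
        for item in items:
            print(label, *item)
    for table, rule in rules_for_interface(AFTER, "ppp0"):
        print("ppp0:", table, rule)
```

On a real box the two snapshots come from `iptables-save > before.txt` and `iptables-save > after.txt` around the ppp link coming up; the diff then points straight at whatever an ip-up hook or distribution script added or flushed, with the chain position telling you whether a new rule was inserted ahead of your MASQUERADE or FORWARD rules.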