KrUsTy!
September 30th, 2003, 23:12
A while ago I made a OpenBSD DSL firewall with PPPoe for a friend of mine. I've been asked about it a couple time since and so I got my notes and have put together how I got it working. I figure it might be usefull to have here at SE, and get some people to add to it, correct it, and make suggestions to make it a fairly good reference. I myself don't have a DSL line, so I can't really test what is here, but I remember that it worked for my freind.
I have lifted much of this from some other how-tos on the net, which I list at the end of this mini-howto. This uses the ppp in openbsd, and is user based. I understand that you could configure it from a kernel mode, but I have not played with that.
All the ppp conf files are in the /etc/ppp directory.
The ppp.conf I made extactly as follows, I got this directly from one of the how-tos listed at the bottom.
[code:1:3705e01c25]default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000
pppoe:
set device "!/usr/sbin/pppoe -i fxp0"
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx
set authkey xxxxxx
add! default HISADDR
enable dns
enable mssfixup [/code:1:3705e01c25]
The authname and authkey would have the username and password of your DSL. Replace the “xxxxxx” with what applies.
The fxp0 should be replaced with the Ethernet device that you have in your computer. The ppp daemon will create a virtual interface called “tun0”. This is your actual connection device. It is linked to the physical device, but the connection gets create on the tun0. All pf rules will need to reference the tun0, not the physical device. The virtual tun0 is your external connection.
This is taken straight from one of the how-to on the net, and says it perfectly;
“The ppp daemon takes care of automatically assigning the name servers and the routes. Consequently, make sure there is no file "/etc/mygate", and bear in mind that "/etc/resolv.conf" will be automatically generated as well, at connection time. This has the advantage that you don't need to know anything about the details of your connection (name server addresses, etc...) to your ISP. Your user ID and password are sufficient, as the ppp daemon will negotiate with the server and obtain the information it needs to open the connection.”
You will not require a hostname.fxp0 file for the ethernet interface using PPPoe.
To enable items starting after the PPPoe connection has come up you will need to setup the ppp.linkup file in /etc/ppp
To start pf when the link comes up;
[code:1:3705e01c25]MYADDR:
! sh -c "/sbin/ifconfig pflog0 up"
! sh -c "/sbin/pfctl -e –f /etc/pf.conf"[/code:1:3705e01c25]
Make sure to have the space before the "!". There is a ppp.linkup.sample in the /etc/ppp area to look at for form.
For an IPSEC VPN that you want to run via the PPPoe connection, you should be able to also have iskampd start once the link comes up as well by adding this line to the ppp.linkup file;
[code:1:3705e01c25] ! sh –c “/sbin/isakmpd”[/code:1:3705e01c25]
This assumes that you have a valid pf.conf and you have the isakpmd setup files configured.
To start up the PPPoe at boot, you add the following to the /etc/rc.local file;
[code:1:3705e01c25]ifconfig fxp0 up
route flush
ppp -ddial pppoe[/code:1:3705e01c25]
Remember to replace fxp0 with your device.
You can also use these commands to startup the PPPoe connection manually. I remember that once issued, I got a whole whack of error messages on the console, but the link came up. To check it,
ifconfig –a
You should see a tun0 device with an address, something like this,
tun0: flags=8011 mtu 1492
inet 65.92.185.97 --> 65.92.185.1 netmask 0xffffffff
In the /etc/rc.conf file you will want to have PF turned off, as it will be started when your PPPoe connection is made, and not at the startup of the networking. Same goes for the iskampd is your are using it.
Here are some excellent how tos about PPPoe and OpenBSD on the net which I have used extensively for reference, and quoted directly in this mini-how to. They are for older versions of OpenBSD, so some of the pf stuff will be old, but teh rest should be correct. You should deffinately read these over before starting.
http://www.realo.ca/BSDinstall.html
http://www.drones.com/obsd-fw.html
Hope this gets people going. Please post any corrections, additions and comments! Looking forward to hearing from people that are actually using PPPoe on DSL with OpenBSD and see if this is close to what they are doing.
{K}
I have lifted much of this from some other how-tos on the net, which I list at the end of this mini-howto. This uses the ppp in openbsd, and is user based. I understand that you could configure it from a kernel mode, but I have not played with that.
All the ppp conf files are in the /etc/ppp directory.
The ppp.conf I made extactly as follows, I got this directly from one of the how-tos listed at the bottom.
[code:1:3705e01c25]default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000
pppoe:
set device "!/usr/sbin/pppoe -i fxp0"
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx
set authkey xxxxxx
add! default HISADDR
enable dns
enable mssfixup [/code:1:3705e01c25]
The authname and authkey would have the username and password of your DSL. Replace the “xxxxxx” with what applies.
The fxp0 should be replaced with the Ethernet device that you have in your computer. The ppp daemon will create a virtual interface called “tun0”. This is your actual connection device. It is linked to the physical device, but the connection gets create on the tun0. All pf rules will need to reference the tun0, not the physical device. The virtual tun0 is your external connection.
This is taken straight from one of the how-to on the net, and says it perfectly;
“The ppp daemon takes care of automatically assigning the name servers and the routes. Consequently, make sure there is no file "/etc/mygate", and bear in mind that "/etc/resolv.conf" will be automatically generated as well, at connection time. This has the advantage that you don't need to know anything about the details of your connection (name server addresses, etc...) to your ISP. Your user ID and password are sufficient, as the ppp daemon will negotiate with the server and obtain the information it needs to open the connection.”
You will not require a hostname.fxp0 file for the ethernet interface using PPPoe.
To enable items starting after the PPPoe connection has come up you will need to setup the ppp.linkup file in /etc/ppp
To start pf when the link comes up;
[code:1:3705e01c25]MYADDR:
! sh -c "/sbin/ifconfig pflog0 up"
! sh -c "/sbin/pfctl -e –f /etc/pf.conf"[/code:1:3705e01c25]
Make sure to have the space before the "!". There is a ppp.linkup.sample in the /etc/ppp area to look at for form.
For an IPSEC VPN that you want to run via the PPPoe connection, you should be able to also have iskampd start once the link comes up as well by adding this line to the ppp.linkup file;
[code:1:3705e01c25] ! sh –c “/sbin/isakmpd”[/code:1:3705e01c25]
This assumes that you have a valid pf.conf and you have the isakpmd setup files configured.
To start up the PPPoe at boot, you add the following to the /etc/rc.local file;
[code:1:3705e01c25]ifconfig fxp0 up
route flush
ppp -ddial pppoe[/code:1:3705e01c25]
Remember to replace fxp0 with your device.
You can also use these commands to startup the PPPoe connection manually. I remember that once issued, I got a whole whack of error messages on the console, but the link came up. To check it,
ifconfig –a
You should see a tun0 device with an address, something like this,
tun0: flags=8011 mtu 1492
inet 65.92.185.97 --> 65.92.185.1 netmask 0xffffffff
In the /etc/rc.conf file you will want to have PF turned off, as it will be started when your PPPoe connection is made, and not at the startup of the networking. Same goes for the iskampd is your are using it.
Here are some excellent how tos about PPPoe and OpenBSD on the net which I have used extensively for reference, and quoted directly in this mini-how to. They are for older versions of OpenBSD, so some of the pf stuff will be old, but teh rest should be correct. You should deffinately read these over before starting.
http://www.realo.ca/BSDinstall.html
http://www.drones.com/obsd-fw.html
Hope this gets people going. Please post any corrections, additions and comments! Looking forward to hearing from people that are actually using PPPoe on DSL with OpenBSD and see if this is close to what they are doing.
{K}