OpenBSD as DSL Router using hostname.pppoe0?

Hello guys,

I set up OpenBSD as DSL router using the kernel pppoe.
Because my DSL connection is faster then 10 MBit I'm using the kernel
pppoe to use the bandwith.

I've noticed that pf fails to do the routing/nat in such scenarios:

1. OpenBSD Router boots
-> It takes some seconds until pppoe0 gets a IP from the ISP!
-> pf gets enabled during boot, pppoe0 has no IP yet, NAT wont work

2. OpenBSD is already booted
-> I used pfctl -f /etc/pf.conf after pppoe0 got an IP and everything works
-> then the bad ISP does a 24h disconnect (~23.59 and 58 secs)
-> then NAT breaks again (because pppoe0 got a new ip and the old
   one is still used by pf?!)

Those problems don't appear if I use tun0 (but userland pppoe is far to
slow for this DSL link).

Is there any solution for this problem (for now a cronjob just reloads the
pf every 23:50 after enforcing ifconfig pppoe0 down && ifconfig pppoe0 up
&&  wait 5 secs to ensure it got a IP).

How do other people (you) solved this without using the userland
implementation? :-/

Kind regards,
Sebastian

Quoting sebastian.rother@...:

Hi,

My ADSL is only 8Mb download and and 640K upload. I have three
interfaces on my OpenBSD 4.2 router and the DSL provider assigns a
static address, so not sure whether the comparisons here are valid.

I haven't had any problems so far with pf interfering with xDSL and
NAT. In case it is of any help this is what I have in my settings:

hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE pppoedev dc0 authproto pap authname
'username' authkey 'passwd' up dest 0.0.0.1
!/sbin/route add default 0.0.0.1

The server was upgraded from 4.1 to 4.2 using the CD and it has been
in service since OpenBSD 3.2 (userland pppoe till OpenBSD 3.8 and
kernel pppoe since OpenBSD 3.9) without any problems.

My pf.conf has the following entries related to pppoe

scrub out on $ext_if max-mss 1440


HTH,

Vijay


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Well with static IPs I've no problem either.
It's just after the forced disconnect of the ISP and after pppoe0 got a
new IP. Then NAT and routing fails. I solve this via a rule reload (after
pppoe0 got a new IP) but that looks like some stonge-age method
(seriously.. ).

I just wonder if somebody else noticed this and if somebody may solved
this in a different way.


Kind regards,
Sebastian

sebastian.rother@... P=P0P?P8Q
P0: I guess you use ($ext_if) - with brackets - instead of the IP address
manually entered (which you obviously don't know). This way PF monitors
the interface for changes of it's IP address and adjusts rules
accordingly. You can verify if it does by doing a 'pfctl -s rules' after
a reconnection, without first reloading the ruleset.

The problem, though, is probably the states which were already created -
they keep matching the old IP. Clearing of the state table should be
sufficient, and I think this could be done with a macro in your
hostname.pppoe0, like this:
!pfctl -F state

I've personally never had to do such things, so consider everything I
say just as suggestions.

Kind regards,
Doichin

Well I added your macro right now but I'm unsure if hostname.pppoe0 is
read everytime pppoe0 gets a disconnect (and later a new IP). I think
hostname.pppoe0 is read once on boot and the rest is all in kernelspace
then (Oh a disconnect! No worries lets try to reconnect...!).

I might be wrong and I might understood the concept in a wrong way but
hostname.pppoe0 gets called once (and just once) at boot. So how could
this macro help after pppoe0 got a new IP?
Or is the hostname.pppoe0 realy read once after pppoe0 got a disconnect?!

So far I never used such a macro because of my understanding it would have
no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
IP (the OS boots further, pf gets enabled) and then it has).

If I might misunderstood something please correct me.

Kind regards,
Sebastian

p.s.
Thanks for the suggestion with the macro!
Combined with a little 'sleep' that may solves the issue for the intial
booting propably. Never thougth (again) about a macro in the
hostname.pppoe0 'course it may wont solve the real problem I face

sebastian.rother@... P=P0P?P8Q
P0: I'm unsure of this, too, and the man pages of hostname.if and pppoe seem
unclear about this. But I guess you're right - commands will be executed
only on system boot or network restart.
> So far I never used such a macro because of my understanding it would have
> no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
> IP (the OS boots further, pf gets enabled) and then it has).
>  
You set $ext_if to "pppoe0". Then by using ($ext_if) PF nows it has to
lookup the IP address of the interface, and reflect changes to it back
in the ruleset. So I guess at least at boot time it should be of help.
The ! command in the hostname.pppoe0 file is irrelevant at boot - you
don't have any states to flush.

Regards,
Doichin

*cut*
> I'm unsure of this, too, and the man pages of hostname.if and pppoe seem
> unclear about this. But I guess you're right - commands will be executed
> only on system boot or network restart.

Yes that's kinda true. I just wonder that nobody asked about a solution
before. Does everybody uses a hack familiar to pfctl -F all each 23hrs, 58
minutes and n seconds? :)

Either no developer uses aDSL at home (with a ISP forcing him to reconnect
every 24 hours) or nobody uses OpenBSD as router or nobody uses the
connection permanently. :-/

It's hard to imagine that there's no other solution.

> You set $ext_if to "pppoe0". Then by using ($ext_if) PF nows it has to
> lookup the IP address of the interface, and reflect changes to it back
> in the ruleset. So I guess at least at boot time it should be of help.
> The ! command in the hostname.pppoe0 file is irrelevant at boot - you
> don't have any states to flush.

Well but why does it work with tun0?
In fact pf should do exactly the same but with pppoe0 it just doesn't work
(with tun0 it's all uberslow but works, no pfctl-execution needed).

Is that a behavior wich is totaly kernel related and do I've realy no
other option then using pfctl via cron to reactivate nat/routing because
the IP of pppoe0 changed (that's realy stone age bs...)? :-/

I'm no pppoe nor a kernel expert so I'm happy about every piece of
clarification. :-)

Kind regards,
Sebastian

On Sat, Dec 29, 2007 at 05:16:11AM +0100, sebastian.rother@... wrote:
> Either no developer uses aDSL at home (with a ISP forcing him to reconnect
> every 24 hours) or nobody uses OpenBSD as router or nobody uses the
> connection permanently. :-/

I use the following hostname.pppoe:

inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev xl0 authproto pap \
        authname 'me@myprovider' authkey 'sEcReT' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

with xl0 as external interface (the one to which the adsl modem is
connected) and the following lines in pf.conf to do NAT:

ext_if="pppoe0"
int_if="rl0"
nat on $ext_if from !($ext_if) -> ($ext_if:0)

It's exact the setup mentioned in the pppoe(4) EXAMPLES and the pf faq
http://www.openbsd.org/faq/pf/example1.html#allrules

Also my ISP disconnects after 24h, but I have no problem with NAT.
It works perfect!

OT: You did not ask this, but if someone want's to use dyndns in such
a setup ddclient has to run as daemon and do IP detection via pppoe0:

daemon=300      # check all 5 minutes
use=if          # use interface to check for changes (not web, not ip)
if=pppoe0       # use pppoe0 interface for this


Regards
  Dieter

I forgot to Cc the list, so i resend it:

Dieter Rauschenberger wrote: Or use ifstated(8) and net/ipcheck as an alternative. You can also use
it to flush your pf state tables.

************* /etc/ifstated.conf *********************

init-state auto
pppoe_up = "pppoe0.link.up"
pppoe_down = "pppoe0.link.down"

state auto{
         if ($pppoe_up) set-state pppoe-up
         if ($pppoe_down) set-state pppoe-down
}

state pppoe-up{
         init{
                 run "logger pppoe up!"
                 run "/root/scripts/pppoe-up.sh"
         }
         if ($pppoe_down) set-state pppoe-down
}

state pppoe-down{
         init{
                 run "logger pppoe down!"
#               run "/root/scripts/pppoe-down.sh"
         }
         if ($pppoe_up) set-state pppoe-up
}


************ /root/scripts/pppoe-up.sh *****************
#!/bin/sh
#

logger -t pppoe-up  "Updating DynDNS"
( cd /root/ipcheck && \
     /usr/local/bin/ipcheck.py -i pppoe0 username password \
     rebserv.dyndns.org )

# 'pfctl -F states' could go here!   <<-------


-Heinrich

29 December 2007 c. 05:48:55 sebastian.rother@... wrote:
Same problem, easy solution:

My hostname.pppoe0:

>>>
inet 0.0.0.0 255.255.255.255 NONE pppoedev rl0 authproto chap authname
'MYLOGIN' authkey 'MYPASS' up
dest 0.0.0.1
!/sbin/route delete default
!/sbin/route add default 0.0.0.1
<<<

Snip from pf.conf:
>>>
inet_if="pppoe0"
ext_if="rl0"
scrub in on pppoe0 max-mss 1400 fragment reassemble
scrub out on pppoe0 max-mss 1400 no-df random-id fragment reassemble
nat on $inet_if from !($inet_if) -> ($inet_if:0)
pass in on $inet_if proto tcp to ($inet_if) port ssh
<<<

Details are well laid in man pages, I didn't need anything except them.

BTW: I use DynDNS (noip is in ports) for remote administration, so this
setup (with open SSH port) works OK even with dynamic IPs.

--
  Best wishes,
    Vadim Zhukov