| Rev | Author | # | Line |
|---|---|---|---|
| 20 | ZakWilcox | 1 | Trying to configure an ADSL modem/router as modem only to use with a Linux router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos. Here are a few pointers about how to do it. |
| 8 | PeterScott | 2 | |
| 3 | |||
| 4 | !!THE PROBLEM | ||
| 5 | |||
| 20 | ZakWilcox | 6 | Telecom NZ uses PPPoA encapsluation for its DSL, along with all the other ISPs who use telecoms network. It is said however that Telstra Clear NZ uses PPPoE, although I haven't tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away. |
| 8 | PeterScott | 7 | |
| 20 | ZakWilcox | 8 | PPPoA is the encapsulation type used by modems in this situation, and when this is the case, you cannot use PPPoE from the router to the modem, as you would with full bridging. |
| 8 | PeterScott | 9 | |
| 10 | Why would you want to do this anyway:? | ||
| 20 | ZakWilcox | 11 | * To setup stronger NAT than that provided by modem/routers. |
| 12 | * to avoid double NAT - NAT's bad enough without doing it twice. | ||
| 13 | * to have better control over port forwarding, VPNs etc | ||
| 14 | * If you want to do IP accounting, captive portal, etc | ||
| 15 | * filtering and NAT can be done on a real PC instead of a cheap slow modem router that we'd like to handle as little processing as possible. | ||
| 8 | PeterScott | 16 | |
| 17 | To get an idea of the confusion this issue causes: | ||
| 18 | * http://www.ben.geek.nz/adsl-routing-solution-in-detail/ | ||
| 19 | * http://whirlpool.net.au/forum-replies-archive.cfm/806160.html | ||
| 20 | * http://phirate.exorsus.net/wiki/doku.php?id=nz_dsl_modem_networking | ||
| 21 | * http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1002 | ||
| 22 | * http://forums.whirlpool.net.au/forum-replies-archive.cfm/941840.html | ||
| 23 | |||
| 20 | ZakWilcox | 24 | Take overseas howtos with a large grain of salt. (ZakWilcox: the UK situation is almost identical!) |
| 8 | PeterScott | 25 | |
| 26 | |||
| 27 | !! SOLUTIONS | ||
| 28 | |||
| 20 | ZakWilcox | 29 | What to do then? You are left with a motley collection of choices, few of which are ideal. |
| 30 | * find a modem with the best possible implementation of half bridge, aka DHCP spoofing or IP extension (description below) | ||
| 31 | * ditto using PPTP | ||
| 32 | * use 1:1 static NAT + DMZ | ||
| 33 | * use a static route in your Linux router, and keep an eye on your ISP and uplink | ||
| 8 | PeterScott | 34 | |
| 35 | !!HALF BRIDGE EXPLAINED | ||
| 36 | |||
| 20 | ZakWilcox | 37 | So what is that strange thing? Originally half-bridge was a nickname given to routers that function as proxy ARP hosts, with the same IP on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern Linux and BSD systems, you can actually see layer 2 packets in iptables/arptables (Linux) or pf (BSD). |
| 9 | MichalSoltys | 38 | |
| 20 | ZakWilcox | 39 | But in our case, half-bridge has the proxy ARP flag set only on the LAN interface, and doesn't assign any IP address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts. |
| 8 | PeterScott | 40 | |
| 12 | PeterScott | 41 | Your modem gets configured in the following way: |
| 8 | PeterScott | 42 | |
| 20 | ZakWilcox | 43 | * route to public IP given by ISP is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168.0.0/24 |
| 44 | * proxy ARP flag is turned on on the LAN interface | ||
| 45 | * default route is set on the WAN interface | ||
| 46 | * LAN side runs DHCP daemon, advertising public IP - possibly but not necessarily - with faked router address and netmask (more about it below) | ||
| 47 | * Public address is *not* set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned. | ||
| 8 | PeterScott | 48 | |
| 12 | PeterScott | 49 | So what happens at your first downstream router? There are a various behaviours: |
| 8 | PeterScott | 50 | |
| 20 | ZakWilcox | 51 | * your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an ARP entry in your ARP (neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the ARP cache (under Linux look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have an actual PC governed by you as the first downstream router (and remember about ARP cache thresholds). It can be a killer if you use some cheap router with weak CPU, locked firmware and tiny amount of memory. In such scenario a DHCP daemon running on the modem advertises the public IP with 255.255.255.255 netmask, and the router address is the same as the public one. |
| 52 | * modem fakes different router address in some small subnet, usually 255.255.255.0, which contains the address presented by ISP as well (usually router == public IP + 1). The idea is precisely the same as above, but you don't need monster ARP cache anymore, and faking the router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way. | ||
| 53 | * there are also a bit less sensible methods - e.g. your modem gives public IP/32, but gives router address literally out of the blue - XP can cope with that, but you might need to give Linux a hand. See below for some info (LINUX ROUTE FIX) | ||
| 54 | * there are other methods I can think of - e.g. using ebtables instead of proxy ARP | ||
| 8 | PeterScott | 55 | |
| 56 | |||
| 20 | ZakWilcox | 57 | As you can guess, the renewal time in such scenarios is very short - so the public IP changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which are chosen appropriately by my DHCP client (150 and 262 respectively). Both with dhcpcd and dhclient you can supply custom scripts which can act and e.g. send signals to daemons to notify them about ip change. If you have modem giving router address outside the public IP's netmask - fix that as well. |
| 8 | PeterScott | 58 | |
| 59 | |||
| 12 | PeterScott | 60 | !!LINUX STATIC ROUTE FIX |
| 8 | PeterScott | 61 | |
| 20 | ZakWilcox | 62 | Windows doesn't seem to mind the gateway being in a different subnet, but Linux does. |
| 8 | PeterScott | 63 | |
| 12 | PeterScott | 64 | "... the reason is that the router issues a DHCP lease with a default route outside of the IP/Netmask of the interface. Eg: DHCP issues IP=202.36.240.10/255.255.255.0 and a Gateway address of 202.36.1.1 Windows happily handles this (as you've noted). Linux's routing tables don't off the cuff. The solution is to create a static host route to the gateway, then set it as the default route. eg: |
| 8 | PeterScott | 65 | |
| 66 | route add -host 202.36.1.1 dev eth0 | ||
| 67 | |||
| 68 | route add default gw 202.36.1.1 dev eth0 | ||
| 69 | |||
| 70 | I believe a couple of years ago I posted on this, and provided a patch | ||
| 71 | to "pump" (dhcp client) which did exactly this (there is no harm if the | ||
| 72 | gateway IS on the same subnet). | ||
| 73 | |||
| 74 | This effect by the way, not only affects Linux, but also Cisco routers, | ||
| 75 | and Packeteers. | ||
| 76 | Again, the work around (adding a manual host route) works with this | ||
| 77 | equipment, but the cavet is that if the ISP changes their routers IP | ||
| 78 | address (which can, and DOES, happen), then your manual routes fail. | ||
| 79 | |||
| 80 | As for the whole thing being a kludge, no kidding. As I understand, | ||
| 81 | pretty much everywhere else in the world, everyone issues at least 2 IP | ||
| 82 | addresses. One for your DSL router, and one for your PC. We had a team | ||
| 83 | from the UK over here for a client, and they were stunned how our ADSL | ||
| 84 | service worked (or rather, didn't). | ||
| 85 | |||
| 86 | If someone does find a reputable, current, available in NZ with | ||
| 87 | Telepermit, in stock (and predicted to be for awhile) router that does a | ||
| 88 | PPPoE to PPPoA bridge, then I'd be very interested." | ||
| 89 | |||
| 90 | (source www.linux.net.nz/pipermail/nzlug/2008-April/012586.html) | ||
| 91 | |||
| 92 | |||
| 93 | |||
| 94 | "With linux based routers, the fix is to insert a static route to the "gateway" IP into the route table, then use that gateway IP as the default | ||
| 95 | eg ifconfig eth0 <public IP> netmask 255.255.255.255 | ||
| 96 | route add -host <gateway IP> dev eth0 | ||
| 97 | route add default gw <gateway IP> | ||
| 98 | |||
| 99 | Now, the gateway IP can be _any_ IP (except the public IP) for which there is an IP interface on the LAN side of the modem. All you want is for the WAN interface to arp for the "gateway", which will be the mac address of the LAN side of the modem. If you try the above code without the static route, Linux complains that the gateway is not on the <public IP>/32 net - which it isn't - but the static route fixes it. This is my understanding why some routers won't work with half bridge, as when the DHCP client on the router WAN interface gets the parameters from the DHCP server on the LAN side of the modem, the networking code tries to insert the default GW without the static route, and fails. It is this router DHCP behavior that makes half bridge modem setups dodgy. | ||
| 100 | |||
| 101 | BTW, with a half bridge and Linux based routers, you don't have to use a DHCP client on the WAN interface, you can set it up manually as above, with the absolute proviso that your public IP is static. The DNS issue can be worked around, at least with speedtouch modems, by setting the modem's config address as the DNS server address for your local net. If you set the "<gateway IP>" to be the config address, eg 10.0.0.138 for speedtouch modems, your LAN side PC's can have their DNS server address set to this value, and will be able to route through the Linux router to the modem." | ||
| 102 | |||
| 103 | (source:www.whirlpool.net.au/forum-replies-archive.cfm/806160.html) | ||
| 104 | |||
| 105 | !My experience | ||
| 106 | |||
| 20 | ZakWilcox | 107 | So it doesn't really matter which actual IP you use for the static route so long as it's in the same subnet. In my case today: |
| 108 | * The ISP's gateway: 58.28.15.31 | ||
| 109 | * The address the ISP is issuing the modem today: 118.90.11.128 | ||
| 110 | * The address the modem is issuing me today: 118.90.11.128 | ||
| 111 | * The gateway the modem is issuing me: 118.90.11.129 (the above+1) | ||
| 8 | PeterScott | 112 | |
| 113 | route add -host 118.90.11.129 dev eth1 #eth1 is the linux routers WAN | ||
| 114 | |||
| 115 | route add default gw 118.90.11.129 dev eth1 | ||
| 116 | |||
| 117 | You might need to manually reconnect the PPP link on the modem at this point to kick it back into life. | ||
| 118 | |||
| 20 | ZakWilcox | 119 | After the WAN IP changes it doesn't matter that the gateway is no longer 118.90.11.129, its just to give arp an idea where to start looking. |
| 8 | PeterScott | 120 | |
| 20 | ZakWilcox | 121 | Also I can still get into the modems web config area from the LAN on the other side of the the Linux router. To do this you need to alter the modem's web page access port to say 81, and access it at {address}:81. Otherwise you wont be able to get into it, because there are too many web servers. |
| 8 | PeterScott | 122 | |
| 20 | ZakWilcox | 123 | eg: browsing to 192.168.1.254:81 from my workstation at 192.168.0.200, via the Linux router at 192.168.0.1 LAN/(192.168.1.1 WAN) to 192.168.1.254:81 |
| 8 | PeterScott | 124 | |
| 125 | |||
| 126 | !!MODEMS | ||
| 127 | |||
| 20 | ZakWilcox | 128 | The following ADSL2 modems are reported to have a better-than-average half bridge implementation: |
| 8 | PeterScott | 129 | |
| 130 | - Linksys AM300 (Firmware 1.19.04 ) | ||
| 131 | |||
| 12 | PeterScott | 132 | As of Feb 08 firmware this is now reported to work. |
| 8 | PeterScott | 133 | See http://www.geekzone.co.nz/forums.asp?ForumId=49&TopicId=19132 |
| 134 | |||
| 20 | ZakWilcox | 135 | - DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventilation than the RTA1320) |
| 10 | JohnSmith | 136 | |
| 20 | ZakWilcox | 137 | - Dynalink RTA1320 (runs hot) |
| 14 | AndrewThrift | 138 | |
| 20 | ZakWilcox | 139 | - Thomson SpeedTouch 516,536,546v6 (same chipsets as RTA1320/XH9949 but better firmware) |
| 8 | PeterScott | 140 | |
| 20 | ZakWilcox | 141 | - PCI ADSL modems with Linux support (e.g. Traverse in Australia) |
| 8 | PeterScott | 142 | |
| 20 | ZakWilcox | 143 | PCI modems get around the bridge problem altogether by using a PPP interface in the router. However historically PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines. |
| 8 | PeterScott | 144 | |
| 20 | ZakWilcox | 145 | The following are older ADSL1 modems that have better-than-average half bridge implementations. At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2. |
| 146 | - Thomson Speedtouch (PPTP with pptp-client) 510, pro, 536 etc | ||
| 8 | PeterScott | 147 | - 3com Homeconnect |
| 148 | - Dlink 302 | ||
| 20 | ZakWilcox | 149 | - Netgear 834 |
| 150 | - Nokia M1122 (has PPTP pass-through of a PPPoA connection which is probably a better option then half-bridge) | ||
| 8 | PeterScott | 151 | |
| 20 | ZakWilcox | 152 | A better alternative solution is to use PPTP passthrough of a PPPoA connection. This means the router establishes the connection via PPTP using the modem. This means the router receives the public IP, has no MTU problems and is the one responsibile for establishing the PPP connection to your ISP. This is supported by a few modems available in New Zealand - specifically: |
| 18 | NilEinne | 153 | |
| 154 | - Nokia M1122 (ADSL1 only) | ||
| 20 | ZakWilcox | 155 | - Most Thomson (formerly Alcatel SpeedTouch ADSL1 and ADSL2+ modems including 536v6 commonly supplied by Xtra. This feature is not always available from the web interface but can usually easily be set up via the CLI (http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1239) |
| 19 | NilEinne | 156 | |
| 20 | ZakWilcox | 157 | My experience with m0n0wall (yes not Linux) is that both of these with PPTP passthrough work well |
| 18 | NilEinne | 158 | |
| 159 | |||
| 160 | There is also another good alternative solution: | ||
| 8 | PeterScott | 161 | |
| 17 | HadleyRich | 162 | - Draytek Vigor 110, (not available in NZ). |
| 163 | - Draytek Vigor DV120 (http://nicegear.co.nz/draytek/) | ||
| 12 | PeterScott | 164 | - Draytek Vigor DV2700e (http://www.delphinus.co.nz/draytek-vigor-dv2700e/) Has a PPPoE to PPPoA bridging device. |
| 20 | ZakWilcox | 165 | - BT 2700HGV (not available in NZ) does PPPoE to PPPoA bridging; see http://btb.lithium.com/btb/board/message?board.id=Broadband&thread.id=1637 and http://btb.lithium.com/btb/board/message?board.id=Broadband&thread.id=981 |
| 12 | PeterScott | 166 | |
| 20 | ZakWilcox | 167 | The Vigor 110 is not currently available in NZ. The DV2700e is, but is a modem/router. Their website states that these products contain a true PPPoE-PPPoA bridge, and customer feedback confirms this to be so. The Draytek 120 is expected to be available here in November 2008. See also [Draytek Vigor]. |
lib/blame.php:177: Warning: Invalid argument supplied for foreach()