+Trying to configure an ADSL modem/router as modem only to use with a Linux router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos. Here are a few pointers about how to do it. 

+Telecom NZ uses PPPoA encapsluation for its DSL, along with all the other ISPs who use telecoms network. It is said however that Telstra Clear NZ uses PPPoE , although I haven't tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away. 

+PPPoA is the encapsulation type used by modems in this situation, and when this is the case, you cannot use PPPoE from the router to the modem, as you would with full bridging. 

+* To setup stronger NAT than that provided by modem/routers.  

+* to avoid double NAT - NAT 's bad enough without doing it twice.  

+* to have better control over port forwarding , VPNs etc  

+* If you want to do IP accounting, captive portal, etc  

+* filtering and NAT can be done on a real PC instead of a cheap slow modem router that we'd like to handle as little processing as possible. 

+Take overseas howtos with a large grain of salt. (ZakWilcox: the UK situation is almost identical!)  

+What to do then? You are left with a motley collection of choices, few of which are ideal.  

+* find a modem with the best possible implementation of half bridge, aka DHCP spoofing or IP extension ( description below)  

+* ditto using PPTP  

+* use 1:1 static NAT + DMZ  

+* use a static route in your Linux router, and keep an eye on your ISP and uplink 

+So what is that strange thing? Originally half-bridge was a nickname given to routers that function as proxy ARP hosts, with the same IP on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern Linux and BSD systems, you can actually see layer 2 packets in iptables/arptables (Linux ) or pf (BSD ). 

+But in our case, half-bridge has the proxy ARP flag set only on the LAN interface, and doesn't assign any IP address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts. 

+* route to public IP given by ISP is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168../24  

+* proxy ARP flag is turned on on the LAN interface  

+* default route is set on the WAN interface  

+* LAN side runs DHCP daemon, advertising public IP - possibly but not necessarily - with faked router address and netmask (more about it below)  

+* Public address is *not* set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned. 

+* your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an ARP entry in your ARP (neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the ARP cache (under Linux look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have an actual PC governed by you as the first downstream router (and remember about ARP cache thresholds). It can be a killer if you use some cheap router with weak CPU , locked firmware and tiny amount of memory. In such scenario a DHCP daemon running on the modem advertises the public IP with 255.255.255.255 netmask, and the router address is the same as the public one.  

+* modem fakes different router address in some small subnet, usually 255.255.255., which contains the address presented by ISP as well (usually router == public IP + 1). The idea is precisely the same as above, but you don't need monster ARP cache anymore, and faking the router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way.  

+* there are also a bit less sensible methods - e.g. your modem gives public IP /32, but gives router address literally out of the blue - XP can cope with that, but you might need to give Linux a hand. See below for some info (LINUX ROUTE FIX)  

+* there are other methods I can think of - e.g. using ebtables instead of proxy ARP  

+As you can guess, the renewal time in such scenarios is very short - so the public IP changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which are chosen appropriately by my DHCP client (150 and 262 respectively). Both with dhcpcd and dhclient you can supply custom scripts which can act and e.g. send signals to daemons to notify them about ip change. If you have modem giving router address outside the public IP 's netmask - fix that as well. 

+Windows doesn't seem to mind the gateway being in a different subnet, but Linux does. 

+So it doesn't really matter which actual IP you use for the static route so long as it's in the same subnet. In my case today:  

+* The ISP's gateway: 58.28.15.31  

+* The address the ISP is issuing the modem today: 118.90.11.128  

+* The address the modem is issuing me today: 118.90.11.128  

+* The gateway the modem is issuing me: 118.90.11.129 (the above+1) 

+After the WAN IP changes it doesn't matter that the gateway is no longer 118.90.11.129, its just to give arp an idea where to start looking. 

+Also I can still get into the modems web config area from the LAN on the other side of the the Linux router. To do this you need to alter the modem's web page access port to say 81, and access it at {address}:81. Otherwise you wont be able to get into it, because there are too many web servers. 

+eg: browsing to 192.168.1.254:81 from my workstation at 192.168..200, via the Linux router at 192.168..1 LAN/(192.168.1.1 WAN) to 192.168.1.254:81 

+The following ADSL2 modems are reported to have a better- than- average half bridge implementation: 

+- DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventilation than the RTA1320) 

+- Dynalink RTA1320 (runs hot) 

+- Thomson SpeedTouch 516,536,546v6 (same chipsets as RTA1320/XH9949 but better firmware) 

+- PCI ADSL modems with Linux support (e.g. Traverse in Australia)  

+PCI modems get around the bridge problem altogether by using a PPP interface in the router. However historically PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines. 

+The following are older ADSL1 modems that have better- than- average half bridge implementations . At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2.  

+- Thomson Speedtouch (PPTP with pptp-client) 510, pro, 536 etc 

+- Netgear 834  

+- Nokia M1122 (has PPTP pass-through of a PPPoA connection which is probably a better option then half-bridge) 

+A better alternative solution is to use PPTP passthrough of a PPPoA connection. This means the router establishes the connection via PPTP using the modem. This means the router receives the public IP, has no MTU problems and is the one responsibile for establishing the PPP connection to your ISP. This is supported by a few modems available in New Zealand - specifically:  

+  

+- Nokia M1122 (ADSL1 only)  

+- Most Thomson (formerly Alcatel SpeedTouch ADSL1 and ADSL2+ modems including 536v6 commonly supplied by Xtra. This feature is not always available from the web interface but can usually easily be set up via the CLI (http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1239)  

+  

+My experience with m0n0wall (yes not Linux) is that both of these with PPTP passthrough work well  

+  

+  

+There is also another good alternative solution: 

+The Vigor 110 is not currently available in NZ. The DV2700e is, but is a modem/router. Their website states that these products contain a true PPPoE-PPPoA bridge, and customer feedback confirms this to be so. The Draytek 120 is expected to be available here in November 2008. See also [Draytek Vigor].