Differences between current version and predecessor to the previous major change of Half bridge with PPPoA.
Newer page: version 20, last edited on Sunday, September 27, 2009 2:09:48 pm by ZakWilcox
Older page: version 17, last edited on Thursday, April 9, 2009 8:43:11 pm by HadleyRich
@@ -1,66 +1,66 @@
-Trying to setup
an adsl
modem/router as modem only to use with a linux
router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos. Here follows
a few pointers about how to do it.
+Trying to configure
an ADSL
modem/router as modem only to use with a Linux
router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos.
Here are
a few pointers about how to do it.
!!THE PROBLEM
-Telecom NZ uses PPPoA encapsluation for its DSL, along with all the other ISPS
who use telecoms network. It is said however that Telstra Clear NZ uses pppoe
, although i havent
tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away.
+Telecom NZ uses PPPoA encapsluation for its DSL, along with all the other ISPs
who use telecoms network. It is said however that Telstra Clear NZ uses PPPoE
, although I haven't
tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away.
-PPPoA is the encapsulation type used by modems in this situation, and when this is the case, you cannot use pppoe
from the router to the modem, as you would with full bridging.
+PPPoA is the encapsulation type used by modems in this situation, and when this is the case, you cannot use PPPoE
from the router to the modem, as you would with full bridging.
Why would you want to do this anyway:?
-* To setup stronger nat
than that provided by modem/routers.
-* to avoid double nat, nat
's bad enough without doing it twice.
-* to have better control over port forwading
, vpns
etc
-* If you want to do ip
accounting, captive portal, etc
-* filtering and nat
done on real pc
instead of cheap slow modem router that we want
to make
as little processing as possible.
+* To setup stronger NAT
than that provided by modem/routers.
+* to avoid double NAT - NAT
's bad enough without doing it twice.
+* to have better control over port forwarding
, VPNs
etc
+* If you want to do IP
accounting, captive portal, etc
+* filtering and NAT can be
done on a
real PC
instead of a
cheap slow modem router that we'd like
to handle
as little processing as possible.
To get an idea of the confusion this issue causes:
* http://www.ben.geek.nz/adsl-routing-solution-in-detail/
* http://whirlpool.net.au/forum-replies-archive.cfm/806160.html
* http://phirate.exorsus.net/wiki/doku.php?id=nz_dsl_modem_networking
* http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1002
* http://forums.whirlpool.net.au/forum-replies-archive.cfm/941840.html
-Take overseas howtos with a large grain of salt.
+Take overseas howtos with a large grain of salt. (ZakWilcox: the UK situation is almost identical!)
!! SOLUTIONS
-What to do then? You are left with a mottly
collection of choices, few of which are ideal.
-* find a modem with the best possible implementation of half bridge, aka dhcp
spoofing or ip
extension,
description below
-* ditto using pptp
-* use 1:1 static nat
+ DMZ
-* use a static route in your linux
router, and keep an eye on your isp
and uplink
+What to do then? You are left with a motley
collection of choices, few of which are ideal.
+* find a modem with the best possible implementation of half bridge, aka DHCP
spoofing or IP
extension (
description below)
+* ditto using PPTP
+* use 1:1 static NAT
+ DMZ
+* use a static route in your Linux
router, and keep an eye on your ISP
and uplink
!!HALF BRIDGE EXPLAINED
-So what is that strange thing? Originally half-bridge was a nickname given to routers that function as proxy-arp
hosts, with the same ip
on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern linux
and bsd
systems, you can actually see layer 2 packets in iptables/arptables (linux
) or pf (bsd
).
+So what is that strange thing? Originally half-bridge was a nickname given to routers that function as proxy ARP
hosts, with the same IP
on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern Linux
and BSD
systems, you can actually see layer 2 packets in iptables/arptables (Linux
) or pf (BSD
).
-But in our case, half-bridge has the proxy-arp
flag set only on the LAN interface, and doesn't assign any ip
address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts.
+But in our case, half-bridge has the proxy ARP
flag set only on the LAN interface, and doesn't assign any IP
address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts.
Your modem gets configured in the following way:
-*route to public ip
given by isp
is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168../24
-*proxy-arp
flag is turned on on the LAN interface
-*default route is set on the WAN interface
-*LAN side runs dhcp
daemon, advertising public ip
- possibly but not necessarily - with faked router address and netmask (more about it below)
-*Public address is *not* set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned.
+* route to public IP
given by ISP
is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168../24
+* proxy ARP
flag is turned on on the LAN interface
+* default route is set on the WAN interface
+* LAN side runs DHCP
daemon, advertising public IP
- possibly but not necessarily - with faked router address and netmask (more about it below)
+* Public address is *not* set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned.
So what happens at your first downstream router? There are a various behaviours:
-* your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an arp
entry in your arp
(neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the arp
cache (under linux
look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have actual pc
governed by you as the first downstream router (and remember about arp
cache thresholds). It can be a killer if you use some cheap router with weak cpu
, locked firmware and tiny amount of memory. In such scenario, dhcp
daemon running on the modem,
advertises public ip
with 255.255.255.255 netmask, and the router address is the same as the public one.
-*modem fakes different router address in some small subnet, usually 255.255.255., which contains the address presented by ISP as well (usually router == public ip
+ 1). The idea is precisely the same as above, but you don't need monster arp
cache anymore, and faking router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way.
-*there're
also a bit less sensible methods - e.g. your modem gives public ip
/32, but gives router address literally out of the blue - xp
can cope with that, linux -
you might need to give it
a hand. See below for some info (LINUX ROUTE FIX)
-*there're
other methods I can think of - e.g. using ebtables instead of proxy-arp
+* your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an ARP
entry in your ARP
(neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the ARP
cache (under Linux
look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have an
actual PC
governed by you as the first downstream router (and remember about ARP
cache thresholds). It can be a killer if you use some cheap router with weak CPU
, locked firmware and tiny amount of memory. In such scenario a DHCP
daemon running on the modem advertises the
public IP
with 255.255.255.255 netmask, and the router address is the same as the public one.
+* modem fakes different router address in some small subnet, usually 255.255.255., which contains the address presented by ISP as well (usually router == public IP
+ 1). The idea is precisely the same as above, but you don't need monster ARP
cache anymore, and faking the
router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way.
+* there are
also a bit less sensible methods - e.g. your modem gives public IP
/32, but gives router address literally out of the blue - XP
can cope with that, but
you might need to give Linux
a hand. See below for some info (LINUX ROUTE FIX)
+* there are
other methods I can think of - e.g. using ebtables instead of proxy ARP
-As you can guess, the renewal time in such scenarios is very short - so the public ip
changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which are chosen appropriately by my dhcp
client (150 and 262 respectively). Both with dhcpcd and dhclient you can supply custom scripts which can act and e.g. send signals to daemons to notify them about ip change. Or in case if
you have modem giving router address not within
public ip
's netmask - fix that as well.
+As you can guess, the renewal time in such scenarios is very short - so the public IP
changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which are chosen appropriately by my DHCP
client (150 and 262 respectively). Both with dhcpcd and dhclient you can supply custom scripts which can act and e.g. send signals to daemons to notify them about ip change. If
you have modem giving router address outside the
public IP
's netmask - fix that as well.
!!LINUX STATIC ROUTE FIX
-Windows doesnt
seem to mind the gateway being in a different subnet. But linux
does.
+Windows doesn't
seem to mind the gateway being in a different subnet, but Linux
does.
"... the reason is that the router issues a DHCP lease with a default route outside of the IP/Netmask of the interface. Eg: DHCP issues IP=202.36.240.10/255.255.255.0 and a Gateway address of 202.36.1.1 Windows happily handles this (as you've noted). Linux's routing tables don't off the cuff. The solution is to create a static host route to the gateway, then set it as the default route. eg:
route add -host 202.36.1.1 dev eth0
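Review bot: the capitalisation pass leaves two errors standing in the rewritten + lines of THE PROBLEM section: "encapsluation" should be "encapsulation" and "telecoms network" should be "Telecom's network". The signed aside "(ZakWilcox: the UK situation is almost identical!)" inserted into the article body reads as talk-page commentary rather than article text; suggest an unsigned sentence or moving it out of the body. In the HALF BRIDGE EXPLAINED list, the + line for the link-scope default route case keeps the advice to raise net.ipv4.neigh.default.gc_thresh{1,2,3} and says a weak router "can be a killer", but never states what the failure looks like; one sentence on the symptom would make the advice actionable. Since the whole point of the configuration described in this hunk is that the first downstream router is handed the public IP directly and no longer sits behind the modem's NAT, the motivation list ("stronger NAT", "filtering and NAT can be done on a real PC") would be well served by a line saying the router's own filtering must be in place before the modem's DHCP lease hands it that address.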
@@ -103,56 +103,65 @@
(source:www.whirlpool.net.au/forum-replies-archive.cfm/806160.html)
!My experience
-So it doesnt
really matter which acutal
IP you use for the static route so long as its
in the same subnet. In my case today:
-* The isps
gateway is actually
: 58.28.15.31
-* The address the isp
is issuing the modem today is
118.90.11.128
-* The address the modem is issuing me today is
118.90.11.128
-* The gateway the modem is issuing me is
: 118.90.11.129 (the above+1)
+So it doesn't
really matter which actual
IP you use for the static route so long as it's
in the same subnet. In my case today:
+* The ISP's
gateway: 58.28.15.31
+* The address the ISP
is issuing the modem today:
118.90.11.128
+* The address the modem is issuing me today:
118.90.11.128
+* The gateway the modem is issuing me: 118.90.11.129 (the above+1)
route add -host 118.90.11.129 dev eth1 #eth1 is the linux routers WAN
route add default gw 118.90.11.129 dev eth1
You might need to manually reconnect the PPP link on the modem at this point to kick it back into life.
-After the WAN IP changes it doesnt
matter that the gateway is no longer 118.90.11.129, its just to give arp an idea where to start looking.
+After the WAN IP changes it doesn't
matter that the gateway is no longer 118.90.11.129, its just to give arp an idea where to start looking.
-Also i
can still get into the modems web config area from the LAN on the otherside
of the the linux
router. To do this you need to alter the modems
web page access port to say 81, and browse to
it using
{address}:81. Otherwise you wont be able to get into it, becasue
there are too many web servers.
+Also I
can still get into the modems web config area from the LAN on the other side
of the the Linux
router. To do this you need to alter the modem's
web page access port to say 81, and access
it at
{address}:81. Otherwise you wont be able to get into it, because
there are too many web servers.
-eg: browsing to 192.168.1.254:81 from my workstation at 192.168..200, via the linux
router at 192.168..1 LAN/(192.168.1.1 WAN) to 192.168.1.254:81
+eg: browsing to 192.168.1.254:81 from my workstation at 192.168..200, via the Linux
router at 192.168..1 LAN/(192.168.1.1 WAN) to 192.168.1.254:81
!!MODEMS
-The following ADSL2 modems are reported to have better than average half bridge implementation:
+The following ADSL2 modems are reported to have a
better-
than-
average half bridge implementation:
- Linksys AM300 (Firmware 1.19.04 )
As of Feb 08 firmware this is now reported to work.
See http://www.geekzone.co.nz/forums.asp?ForumId=49&TopicId=19132
-- DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventellation
than the RTA1320)
+- DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventilation
than the RTA1320)
-- Dynalink RTA1320 (run
hot)
+- Dynalink RTA1320 (runs
hot)
-- Thomson SpeedTouch 516,536,546v6
(same chipsets as RTA1320/XH9949 but better firmware)
+- Thomson SpeedTouch 516,536,546v6 (same chipsets as RTA1320/XH9949 but better firmware)
-- PCI ADSL modems with Linux support ( eg
Traverse in Australia
+- PCI ADSL modems with Linux support (e.g.
Traverse in Australia)
-PCI modems get around the bridge problem altogether by using a ppp
interface in the router. However hitorically
PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines.
+PCI modems get around the bridge problem altogether by using a PPP
interface in the router. However historically
PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines.
-The following are older adsl1
modems that have better than average half bridge setups
. At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2.
-- Thomson Speedtouch (PPTP with pptp-client) 510, pro ,536 etc
+The following are older ADSL1
modems that have better-
than-
average half bridge implementations
. At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2.
+- Thomson Speedtouch (PPTP with pptp-client) 510, pro, 536 etc
- 3com Homeconnect
- Dlink 302
-- netgear
834
-- nokoia m1122
(has PPtP passthrough
of a PPPoA connection which is probably a better option then half-bridge)
+- Netgear
834
+- Nokia M1122
(has PPTP pass-through
of a PPPoA connection which is probably a better option then half-bridge)
-Finally there
is the prospect
of a better
solution:
+A better alternative solution
is to use PPTP passthrough
of a PPPoA connection. This means the router establishes the connection via PPTP using the modem. This means the router receives the public IP, has no MTU problems and is the one responsibile for establishing the PPP connection to your ISP. This is supported by a few modems available in New Zealand - specifically:
+
+- Nokia M1122 (ADSL1 only)
+- Most Thomson (formerly Alcatel SpeedTouch ADSL1 and ADSL2+ modems including 536v6 commonly supplied by Xtra. This feature is not always available from the web interface but can usually easily be set up via the CLI (http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1239)
+
+My experience with m0n0wall (yes not Linux) is that both of these with PPTP passthrough work well
+
+
+There is also another good alternative
solution:
- Draytek Vigor 110, (not available in NZ).
- Draytek Vigor DV120 (http://nicegear.co.nz/draytek/)
- Draytek Vigor DV2700e (http://www.delphinus.co.nz/draytek-vigor-dv2700e/) Has a PPPoE to PPPoA bridging device.
+- BT 2700HGV (not available in NZ) does PPPoE to PPPoA bridging; see http://btb.lithium.com/btb/board/message?board.id=Broadband&thread.id=1637 and http://btb.lithium.com/btb/board/message?board.id=Broadband&thread.id=981
-The former
is not currently available in NZ, although the latter
is but is a modem/router. Their website states that these products contain a true pppoe to pppoa
bridge, and customer feedback confirms this to be so. The Draytek 120 is expected to be available here in November 2008. See also [Draytek Vigor]
+The Vigor 110
is not currently available in NZ. The DV2700e
is,
but is a modem/router. Their website states that these products contain a true PPPoE-PPPoA
bridge, and customer feedback confirms this to be so. The Draytek 120 is expected to be available here in November 2008. See also [Draytek Vigor].