Differences between version 9 and predecessor to the previous major change of Half bridge with PPPoA.
Newer page: version 9 | Last edited on Wednesday, May 28, 2008 8:45:07 am | by MichalSoltys
Older page: version 8 | Last edited on Monday, April 28, 2008 10:28:17 am | by PeterScott
@@ -31,23 +31,32 @@
* find a modem with the best possible implementation of half bridge, aka dhcp spoofing or ip extension, description below
* ditto using pptp
* experiment with 1:1 nat, DMZs, tweaks at best, although 1:1+DMZ might work
* use a static route in your linux router, and keep an eye on your isp and uplink
-
!!HALF BRIDGE EXPLAINED
-Its
a cludge if ever there was one. Basically the modem runs dhcp
, issues you
with an address that happens to be
the same as the public WAN address it got from your isp
, issues itself
with WAN+1 as your gateway
, messes with
the netmask
and hopes that your
LAN/
downstream router can cope
with it
. Throw in 30 second lease renews
and you got something
of miracle if it actually works
.
+So what is that strange thing ? Originally half-bridge is
a nickname given to routers that function as proxy-arp hosts
, with the same ip on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed
, not bridged -
with all the consequences of such scenario. With modern linux and bsd systems
, you can actually see layer 2 packets in iptables/arptables (linux) or pf (bsd).
+
+But in our case, half-bridge has
the proxy-arp flag set only on the LAN interface,
and doesn't assign any ip address, besides local management one on the
LAN side. The idea behind this whole trick is to present your first
downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts
. Why ? The reasons can be plenty - e.g. filtering
and nat done on real pc instead
of el-cheapo slow router that we want to make as little processing as possible
.
+Your modem gets configured in following way:
-"the modem does the half-bridge mode
by giving
the modem a fake IP address 1 higher than the real IP address
, then spoofs the netmask to pretend the modem is in the same
local network as the PC or router
. Unless they do something special in the router this means you will not be able to connect to other local ISP users whose IP address the PC thinks
is local, not out
on the internet. The reason they do this
is that many routers don't like being given
the real
netmask of 255.255.255.255 for a single PPP IP
address with a real ISP gateway IP that
is not in the same
local network. Windows XP understands when it gets such details by dhcp - but you cannot enter them manually. Linksys routers based
on Linux don't like this combination
- but this an easy to fix software issue (e.g. with a firewall script in 3rd party firmware!) not an inherent Linux problem
.
+*route to public ip given
by isp is set at
the LAN interface (with /32 mask)
, along with possible
local addresses for management purpose, like 192
.168../24
+*proxy-arp flag
is turned on
on the LAN interface
+*default route
is set on
the WAN interface
+*LAN side runs dhcp daemon, advertising public ip - possibly but not necessarily - with faked router address and
netmask (more about it below)
+*Public
address is *
not* set anywhere
in the modem. Actually, besides
local address
on the LAN interface
- nothing else is assigned
.
-... In Half Bridge mode other modems use a shorter lease time of 60 seconds which leads to lots of 'dhcp renews' every 30 seconds. But with a lease time of 5 minutes, if the WAN IP changes the
router may give up after trying to renew its old lease for 2.5minutes! When half-bridge modems start up they give a temporary local IP address which then gets replaced by the real one when the DSL is synched, maybe the lease time is shorter then
? Also if swapping from PC to router the modem will wait for the lease to run out before giving the single WAN IP to the router - in half-bridge it only expects one upstream device."
+So what happens at your first downstream
router ? I've seen few behaviours:
-
(source: www.whirlpool
.net.au
/forum
-replies
-archive
.cfm/806160.html
)
+*your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an arp entry in your arp
(neighbourhood) cache
. Note though, that you're pretty much guaranteed to have to increase the arp cache (under linux look for
net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have actual pc governed by you as the first downstream router (and remember about arp cache thresholds). It can be a killer if you use some cheap router with weak cpu, locked firmware and tiny amount of memory. In such scenario, dhcp daemon running on the modem, advertises public ip with 255.255.255.255 netmask, and the router address is the same as the public one.
+*modem fakes different router address in some small subnet, usually 255.255.255., which contains the address presented by ISP as well (usually router == public ip + 1). The idea is precisely the same as above, but you don't need monster arp cache anymore, and faking router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way.
+*there're also a bit less sensible methods - e.g. your modem gives public ip
/32, but gives router address literally out of the blue
- xp can cope with that, linux
- you might need to give it a hand
. See below for some info (LINUX ROUTE FIX
)
+*there're other methods I can think of - e.g. using ebtables instead of proxy-arp
-My experience with half bridge is that once
you got it up it will work ok
, however there
are issues
with dropped connections,
and not being able
to reconnect soemtimes
. Using `half bridge` with a static ISP WAN
address, will avoid some of the worst of these issues, and probably an acceptable solution
.
+As
you can guess
, the renewal time in such scenarios is very short - so the public ip changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which
are chosen appropriately by my dhcp client (150 and 262 respectively). Both
with dhcpcd
and dhclient you can supply custom scripts which can act and e.g. send signals to daemons
to notify them about ip change
. Or in case if you have modem giving router
address not within public ip's netmask - fix that as well
.
!!LINUX ROUTE FIX
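Review bot: The second behaviour bullet ("modem fakes different router address in some small subnet, usually 255.255.255., which contains the address presented by ISP") is missing the last octet of the netmask, so the reader cannot tell how large the spoofed on-link subnet is; that size matters, because every ISP neighbour address inside it will be ARPed for on the LAN instead of routed (the very problem the removed Whirlpool quote describes), so please state the mask the modem actually hands out or at least give it as a prefix length. In the configuration list, "route to public ip given by isp is set at the LAN interface (with /32 mask)" and "Public address is *not* set anywhere in the modem" read as contradictory at first glance; one clause saying that this is a host route on the LAN interface, not an address assignment, would remove the ambiguity. The first behaviour bullet names net.ipv4.neigh.default.gc_thresh{1,2,3} but does not say which one is the hard limit at which new neighbour entries are refused (gc_thresh3), which is the value a reader with a link-scope default route actually needs to raise; adding that one word would make the advice actionable. Finally, the lease-timer sentence states "150 and 262 respectively" for a 5-minute lease; these are the client's default T1 (0.5 x lease) and T2 (0.875 x lease, 262.5 s rounded), and saying so briefly would explain where the numbers come from for readers using a different lease length. Minor: "there're" (twice) and "soemtimes" in the removed paragraph are typos.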