Diff: Half bridge with PPPoA

Differences between version 12 and predecessor to the previous major change of Half bridge with PPPoA.


Newer page: version 12 Last edited on Thursday, June 26, 2008 7:53:36 am by PeterScott Revert
Older page: version 11 Last edited on Sunday, June 8, 2008 6:42:34 pm by JohnSmith Revert
@@ -1,20 +1,19 @@
-Trying to setup an adsl modem/router as modem only to use with a linux router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos.  
-  
-Herefollows a few pointers (draft)
+Trying to setup an adsl modem/router as modem only to use with a linux router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos. Here follows a few pointers about how to do it
  
  
 !!THE PROBLEM 
  
-Telecom NZ uses pppoa encapsluation for its DSL, along with all the other ISPS who use telecoms network. It is said however that Telstra Clear NZ uses pppoe, although i havent tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away. 
+Telecom NZ uses PPPoA encapsluation for its DSL, along with all the other ISPS who use telecoms network. It is said however that Telstra Clear NZ uses pppoe, although i havent tried it. If so you should be able to use full transparent bridging and the half bridge issue goes away. 
  
-pppoa is the encapsulation type used by modems in this situation, and when thats what you have got , you cannot use pppoe from the router to the modem, as you would with full bridging. 
+PPPoA is the encapsulation type used by modems in this situation, and when this is the case , you cannot use pppoe from the router to the modem, as you would with full bridging. 
  
 Why would you want to do this anyway:? 
 * To setup stronger nat than that provided by modem/routers. 
-* to avoid double nat, nats bad enough without doing it twice. 
+* to avoid double nat, nat's bad enough without doing it twice. 
 * to have better control over port forwading, vpns etc 
 * If you want to do ip accounting, captive portal, etc 
+* filtering and nat done on real pc instead of cheap slow modem router that we want to make as little processing as possible.  
  
 To get an idea of the confusion this issue causes: 
 * http://www.ben.geek.nz/adsl-routing-solution-in-detail/ 
 * http://whirlpool.net.au/forum-replies-archive.cfm/806160.html 
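Review bot: the rewritten "Telecom NZ uses PPPoA encapsluation" line keeps the typos it inherited ("encapsluation", "ISPS", "havent", "telecoms network" for "Telecom's network") and capitalises PPPoA while leaving "pppoe" lowercase in the same sentence; if the point of the change is to normalise protocol names, normalise both, e.g. "Telecom NZ uses PPPoA encapsulation for its DSL, along with all the other ISPs who use Telecom's network. It is said however that Telstra Clear NZ uses PPPoE". The following changed line still has the stray space in "this is the case , you cannot". The new bullet "filtering and nat done on real pc instead of cheap slow modem router" is the sentence removed from the HALF BRIDGE EXPLAINED paragraph further down, so the move is fine, but since the list now opens with "stronger nat", it is worth saying explicitly that the security gain comes from the filtering rules the Linux router can apply, not from NAT as such; NAT is address translation, not a firewall.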
@@ -26,49 +25,44 @@
  
  
 !! SOLUTIONS 
  
-What to do then? You are left with a mottly collection of choices, none of which are ideal. 
+What to do then? You are left with a mottly collection of choices, few of which are ideal. 
 * find a modem with the best possible implementation of half bridge, aka dhcp spoofing or ip extension, description below 
 * ditto using pptp 
-* experiment with 1:1 nat, DMZs, tweaks at best, although 1:1 +DMZ might work  
+* use 1:1 static nat + DMZ 
 * use a static route in your linux router, and keep an eye on your isp and uplink 
  
 !!HALF BRIDGE EXPLAINED 
  
-So what is that strange thing ? Originally half-bridge is a nickname given to routers that function as proxy-arp hosts, with the same ip on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern linux and bsd systems, you can actually see layer 2 packets in iptables/arptables (linux) or pf (bsd). 
+So what is that strange thing? Originally half-bridge was a nickname given to routers that function as proxy-arp hosts, with the same ip on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged - with all the consequences of such scenario. With modern linux and bsd systems, you can actually see layer 2 packets in iptables/arptables (linux) or pf (bsd). 
  
-But in our case, half-bridge has the proxy-arp flag set only on the LAN interface, and doesn't assign any ip address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts. Why ? The reasons can be plenty - e.g. filtering and nat done on real pc instead of el-cheapo slow router that we want to make as little processing as possible
+But in our case, half-bridge has the proxy-arp flag set only on the LAN interface, and doesn't assign any ip address, besides local management one on the LAN side. The idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts. 
  
-Your modem gets configured in following way: 
+Your modem gets configured in the following way: 
  
 *route to public ip given by isp is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168.0.0/24 
 *proxy-arp flag is turned on on the LAN interface 
 *default route is set on the WAN interface 
 *LAN side runs dhcp daemon, advertising public ip - possibly but not necessarily - with faked router address and netmask (more about it below) 
 *Public address is *not* set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned. 
  
-So what happens at your first downstream router ? I've seen few behaviours: 
+So what happens at your first downstream router? There are a various behaviours: 
  
-*your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an arp entry in your arp (neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the arp cache (under linux look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have actual pc governed by you as the first downstream router (and remember about arp cache thresholds). It can be a killer if you use some cheap router with weak cpu, locked firmware and tiny amount of memory. In such scenario, dhcp daemon running on the modem, advertises public ip with 255.255.255.255 netmask, and the router address is the same as the public one. 
+* your machine is set as a router with default route in link scope. The effect of that is that for every internet address you need an arp entry in your arp (neighbourhood) cache. Note though, that you're pretty much guaranteed to have to increase the arp cache (under linux look for net.ipv4.neigh.default.gc_thresh{1,2,3} ), if you run some more brutal network application (think emule, mldonkey, etc.). This is how e.g. DM111P behaved with earlier firmwares. It's perfectly fine if you have actual pc governed by you as the first downstream router (and remember about arp cache thresholds). It can be a killer if you use some cheap router with weak cpu, locked firmware and tiny amount of memory. In such scenario, dhcp daemon running on the modem, advertises public ip with 255.255.255.255 netmask, and the router address is the same as the public one. 
 *modem fakes different router address in some small subnet, usually 255.255.255.0, which contains the address presented by ISP as well (usually router == public ip + 1). The idea is precisely the same as above, but you don't need monster arp cache anymore, and faking router address is harmless (packets will be routed properly), as it's not set anywhere in the modem. DM111P with the latest firmware behaves in this way. 
 *there're also a bit less sensible methods - e.g. your modem gives public ip/32, but gives router address literally out of the blue - xp can cope with that, linux - you might need to give it a hand. See below for some info (LINUX ROUTE FIX) 
 *there're other methods I can think of - e.g. using ebtables instead of proxy-arp 
  
  
 As you can guess, the renewal time in such scenarios is very short - so the public ip changes can be found relatively quickly. E.g. my DM111P gives lease for 5 minutes, without explicit renewal or rebind times - which are chosen appropriately by my dhcp client (150 and 262 respectively). Both with dhcpcd and dhclient you can supply custom scripts which can act and e.g. send signals to daemons to notify them about ip change. Or in case if you have modem giving router address not within public ip's netmask - fix that as well. 
  
  
-!!LINUX ROUTE FIX 
+!!LINUX STATIC ROUTE FIX 
  
 Windows doesnt seem to mind the gateway being in a different subnet. But linux does. 
  
-  
- "... the reason is that the router issues a DHCP lease with a default route outside of the IP/Netmask of the interface. Eg: DHCP issues IP=202.36.240.10/255.255.255.0 and a Gateway address of 202.36.1.1  
- Windows happily handles this (as you've noted). Linux's routing tables  
- don't off the cuff.  
- The solution is to create a static host route to the gateway, then set  
- it as the default route. eg: 
+"... the reason is that the router issues a DHCP lease with a default route outside of the IP/Netmask of the interface. Eg: DHCP issues IP=202.36.240.10/255.255.255.0 and a Gateway address of 202.36.1.1 Windows happily handles this (as you've noted). Linux's routing tables don't off the cuff. The solution is to create a static host route to the gateway, then set it as the default route. eg: 
  
 route add -host 202.36.1.1 dev eth0 
  
 route add default gw 202.36.1.1 dev eth0 
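Review bot: the reworded "There are a various behaviours" is ungrammatical (read "There are various behaviours"), "mottly" should be "motley", and the changed bullet "* your machine is set as a router" now has a space after the asterisk while the neighbouring bullets ("*modem fakes", "*there're") do not, so the list renders inconsistently. Replacing "experiment with 1:1 nat, DMZs, tweaks at best, although 1:1 +DMZ might work" with "use 1:1 static nat + DMZ" drops the author's caveat that this is a workaround; keep a note that it is a fallback. Joining the quoted LINUX ROUTE FIX text onto one line also runs the example "Gateway address of 202.36.1.1" straight into "Windows happily handles this", and the opening quotation mark is never closed after the two route commands. Two practical points belong next to that fix: since the public address lands directly on the downstream router's interface, its input filtering should be in place before the lease is taken, and on the /32 variant net.ipv4.neigh.default.gc_thresh{1,2,3} needs raising before the neighbour table fills, since the hunk itself notes that an exhausted arp cache "can be a killer". The `route` commands are net-tools; the iproute2 equivalents are `ip route add 202.36.1.1 dev eth0` and `ip route add default via 202.36.1.1 dev eth0`.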
@@ -134,16 +128,16 @@
 The following ADSL2 modems are reported to have better than average half bridge implementation: 
  
 - Linksys AM300 (Firmware 1.19.04 ) 
  
-After much drama extracting firmware fixes from linksys this is now reported to work as of feburary 2008
+As of Feb 08 firmware this is now reported to work. 
 See http://www.geekzone.co.nz/forums.asp?ForumId=49&TopicId=19132 
  
 - DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventellation than the RTA1320) 
  
 - Dynalink RTA1320 (run hot) 
  
-- PCI ADSL modem from Traverse in Australia (work under Linux).  
+- PCI ADSL modems with Linux support ( eg Traverse in Australia 
  
 PCI modems get around the bridge problem altogether by using a ppp interface in the router. However hitorically PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines. 
  
 The following are older adsl1 modems that have better than average half bridge setups. At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2. 
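Review bot: the changed bullet "- PCI ADSL modems with Linux support ( eg Traverse in Australia" opens a parenthesis that is never closed and loses the full stop; suggest "- PCI ADSL modems with Linux support (e.g. Traverse in Australia)." The shortened Linksys line "As of Feb 08 firmware this is now reported to work." drops the firmware context; the bullet above it names Firmware 1.19.04, so say whether the February 2008 firmware is that release. The unchanged context lines still carry "ventellation" (ventilation) and "hitorically" (historically).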
@@ -156,5 +150,7 @@
 Finally there is the prospect of a better solution: 
  
 - Draytek Vigor 110, new product, adsl2, modem only. 
  
-Not currently available here (no telepermit?) Their website states that this is a true pppoe to pppoa bridge, and customer feedback confirms this to be so. You dont have to go near the web interface. Plug and play. The user /passwrd etc is done by the router via pppoe. Update: Jack Pivac (www.delphinus.co.nz) reports that the NZ draytek distributer is planning on bringing this product into NZ, eta June 2008. 
+- Draytek Vigor DV2700e (http://www.delphinus.co.nz/draytek-vigor-dv2700e/) Has a PPPoE to PPPoA bridging device.  
+  
+The former is not currently available here, although the latter is but is a modem/router. Their website states that these products contain a true pppoe to pppoa bridge, and customer feedback confirms this to be so. Update: Jack Pivac (www.delphinus.co.nz) reports that the NZ draytek distributer is planning on bringing the 110 product into NZ, eta October 2008.
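Review bot: "The former is not currently available here, although the latter is but is a modem/router" does not parse; suggest "The 110 is not currently available here; the DV2700e is, but it is a modem/router rather than a modem-only device." "distributer" should be "distributor", and "Has a PPPoE to PPPoA bridging device" reads better as "contains a PPPoE to PPPoA bridge". The removed paragraph also stated that with the Vigor 110 the username and password are handled by the router over PPPoE and the modem's web interface never needs to be touched; that detail is worth keeping, since it means the ISP credentials live only on the router you administer rather than in the modem's web interface.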