NAT & PPPoE (detailed email) --FIXED

Tue Mar 16 16:00:54 PST 2004

To all that helped.. the NAT & Verizon PPPoE setup is working great.
Firewall rules are in.. and now working on squid. 

Thank you all. I knew this list is great!

This is how things are setup:

/etc/rc.conf

defaultrouter=""
hostname="fw.somehost.com"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="papchap"
ppp_user="root"
ifconfig_fxp0="UP"
ifconfig_fxp1="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_tun0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="YES"

/etc/ppp/ppp.conf

default:
 #PPPoE: PPP over Ethernet
 set device PPPoE:fxp0
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 enable lqr
 set log phase tun local
 set ifaddr 10.0.0.1/0 192.168.1.1/0
 add default HISADDR
 enable dns
 nat enable yes
 nat same_ports yes
papchap:
 set authname {username}
 set authkey {password}

ifconfig:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::280:5fff:fed7:8892%fxp0 prefixlen 64 scopeid 0x1
        ether 00:80:5f:d7:88:92
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::2a0:c9ff:feaa:d54c%fxp1 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:aa:d5:4c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 10.0.0.1 --> 192.168.1.1 netmask 0xffffffff
        inet 141.149.140.76 --> 10.15.1.1 netmask 0xffffffff
        Opened by PID 56

I also took out "options NETGRAPH" from the kernel and rebuilt it. Works
just fine. Eventually I'll post it on my website someday. Thanks.

--
Mohsin AbdulRahman
MTech at BuffNET.Net

On Fri, 12 Mar 2004, Chuck Swiger wrote:

> Mohsin Rahman wrote:
> > Thank you. I will try tun0 as my nat interface. However, if lets say, the
> > modem drops the connection and the next attempt to access the internet,
> > wouldn't FreeBSD assign the new ip address to tun1 and basically render
> > tun0 nat useless? A better solution might be to let do ppp -nat perhaps. I
> > will test and post my results. Thanks.
> 
> You should have ppp do the NAT, yes.  If you use ppp with the -auto or -ddial, 
> you can have on-demand dialing where ppp will attempt to bring up the link if 
> it drops.  That means NAT should handle the link drop better (since ppp knows 
> to use the new connection's IP), and it also means that your firewall rules 
> can simply use tun0.
> 
> /etc/ppp/ppp.conf should contain something like:
> 
> default:
>   set log local connect ipcp lcp lqm chat
> # set log all
>   ident user-ppp VERSION (built COMPILATIONDATE)
>   enable lqr
>   set server 3000 xxxxx
>   set timeout 1200                       # 20 minute idle timer
> # enable dns                            # request DNS info (for resolv.conf)
>   set device PPPoE:fxp0:verizon
>   set login
>   set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
>             \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
>   set urgent udp +53
>   set urgent tcp +53
>   set urgent udp +123
>   set urgent tcp +123
>   set ifaddr 162.84.171.0/0 10.3.23.0/0 255.255.255.255 0.0.0.0
>   add! default HISADDR                   # Add a (sticky) default route
>   nat enable yes
>   nat use_sockets yes
>   nat same_ports yes
>   nat port tcp 192.168.1.3:6667 6667
> 
> verizon:
>   set authname xxxxx
>   set authkey xxxxx
> 
> [ ... ]
> -- 
> -Chuck
> 
> 