NAT & PPPoE (detailed email) --FIXED
Mohsin Rahman
mtech at buffnet.net
Tue Mar 16 16:00:54 PST 2004
To all that helped.. the NAT & Verizon PPPoE setup is working great.
Firewall rules are in.. and now working on squid.
Thank you all. I knew this list was great!
This is how things are setup:
/etc/rc.conf
defaultrouter=""
hostname="fw.somehost.com"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="papchap"
ppp_user="root"
ifconfig_fxp0="UP"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_tun0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="YES"
/etc/ppp/ppp.conf
default:
 # PPPoE: PPP over Ethernet
 set device PPPoE:fxp0
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 enable lqr
 set log phase tun local
 set ifaddr 10.0.0.1/0 192.168.1.1/0
 add default HISADDR
 enable dns
 nat enable yes
 nat same_ports yes
papchap:
 set authname {username}
 set authkey {password}
ifconfig:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::280:5fff:fed7:8892%fxp0 prefixlen 64 scopeid 0x1
        ether 00:80:5f:d7:88:92
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::2a0:c9ff:feaa:d54c%fxp1 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:aa:d5:4c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 10.0.0.1 --> 192.168.1.1 netmask 0xffffffff
        inet 141.149.140.76 --> 10.15.1.1 netmask 0xffffffff
        Opened by PID 56
I also took out "options NETGRAPH" from the kernel and rebuilt it. Works
just fine. Eventually I'll post it on my website someday. Thanks.
--
Mohsin AbdulRahman
MTech at BuffNET.Net
On Fri, 12 Mar 2004, Chuck Swiger wrote:
> Mohsin Rahman wrote:
> > Thank you. I will try tun0 as my nat interface. However, if, let's say, the
> > modem drops the connection and the next attempt to access the internet,
> > wouldn't FreeBSD assign the new ip address to tun1 and basically render
> > tun0 nat useless? A better solution might be to let do ppp -nat perhaps. I
> > will test and post my results. Thanks.
>
> You should have ppp do the NAT, yes. If you use ppp with the -auto or -ddial,
> you can have on-demand dialing where ppp will attempt to bring up the link if
> it drops. That means NAT should handle the link drop better (since ppp knows
> to use the new connection's IP), and it also means that your firewall rules
> can simply use tun0.
>
> /etc/ppp/ppp.conf should contain something like:
>
> default:
>  set log local connect ipcp lcp lqm chat
>  # set log all
>  ident user-ppp VERSION (built COMPILATIONDATE)
>  enable lqr
>  set server 3000 xxxxx
>  set timeout 1200 # 20 minute idle timer
>  # enable dns # request DNS info (for resolv.conf)
>  set device PPPoE:fxp0:verizon
>  set login
>  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
>    \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
>  set urgent udp +53
>  set urgent tcp +53
>  set urgent udp +123
>  set urgent tcp +123
>  set ifaddr 162.84.171.0/0 10.3.23.0/0 255.255.255.255 0.0.0.0
>  add! default HISADDR # Add a (sticky) default route
>  nat enable yes
>  nat use_sockets yes
>  nat same_ports yes
>  nat port tcp 192.168.1.3:6667 6667
>
> verizon:
>  set authname xxxxx
>  set authkey xxxxx
>
> [ ... ]
> --
> -Chuck
>
>
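As an added illustration (not code from either message in this thread), a small POSIX sh audit of an rc.conf/ppp.conf pair like the ones above, applying the points raised in both messages: whether the forwarding gateway's firewall_type is OPEN, whether ppp itself performs the NAT, whether ppp_mode will redial after a drop, and each inbound "nat port" forward such as the 6667 one in Chuck's example. The file contents and paths are constructed samples modelled on the post, not the poster's actual files.

```shell
# Audit a FreeBSD user-ppp NAT gateway configuration (rc.conf + ppp.conf).
# Stand-alone check script; config paths and contents here are constructed.

# Print the unquoted value of rc.conf variable $2 in file $1 (last one wins).
rc_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | tail -n 1
}

# Print one finding per line; always exits 0 so callers can count lines.
audit_gateway() {
    rc="$1"; ppp="$2"
    # A forwarding gateway whose ipfw type is OPEN passes every packet.
    if [ "$(rc_get "$rc" gateway_enable)" = "YES" ] &&
       [ "$(rc_get "$rc" firewall_type)" = "OPEN" ]; then
        echo "firewall_type=OPEN on a forwarding gateway: no packet filtering"
    fi
    # NAT must come from ppp itself (ppp_nat or 'nat enable yes'), not from
    # a rule bound to an address that changes on every redial.
    if [ "$(rc_get "$rc" ppp_nat)" != "YES" ] &&
       ! grep -q '^[[:space:]]*nat enable yes' "$ppp"; then
        echo "ppp NAT not enabled: LAN hosts will not be translated"
    fi
    # Without -auto/-ddial the link is not re-established after a drop.
    case "$(rc_get "$rc" ppp_mode)" in
        auto|ddial) ;;
        *) echo "ppp_mode is not auto/ddial: link will not redial" ;;
    esac
    # Every 'nat port' line exposes a LAN host; each needs a deliberate rule.
    grep '^[[:space:]]*nat port ' "$ppp" | sed 's/^[[:space:]]*/inbound forward: /'
    return 0
}

# Number of findings for the given pair of files.
count_findings() {
    audit_gateway "$1" "$2" | wc -l | tr -d ' '
}

# Write constructed sample files modelled on the post into directory $1.
make_sample_configs() {
    printf '%s\n' 'gateway_enable="YES"' 'firewall_enable="YES"' \
        'firewall_type="OPEN"' 'ppp_enable="YES"' 'ppp_mode="auto"' \
        'ppp_nat="YES"' 'ppp_profile="papchap"' > "$1/rc.conf"
    printf '%s\n' 'default:' ' set device PPPoE:fxp0' ' nat enable yes' \
        ' nat same_ports yes' ' nat port tcp 192.168.1.3:6667 6667' \
        'papchap:' ' set authname {username}' > "$1/ppp.conf"
}

dir=$(mktemp -d)
make_sample_configs "$dir"
audit_gateway "$dir/rc.conf" "$dir/ppp.conf"
```

Point it at the real /etc/rc.conf and /etc/ppp/ppp.conf to audit a live box; the sample pair yields two findings (the OPEN firewall and the 6667 forward).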