ovi at unixservers.us
Wed Jun 27 11:30:46 UTC 2007
Alexander Motin wrote:
> Nikolay Pavlov wrote:
>> This is probably a new feature request, but is this possible to create
>> some kind of VirtualTemplate interface like it is in Cisco access
>> routers. Currently I have to configure a bunch of different ng interfaces
>> for every kind of user. However, on my Cisco 7206VXR I can bundle a physical
>> link together with a VirtualTemplate interface in one vpdn-group config
>> like this:
>> And all the ppp interfaces for all users will use this configuration
>> as a template.
> Yes, I am thinking about that. That is not trivial change. It will
> require changing all internal model from static to the dynamic one.
> But that change also should give many other bonuses so I would like to
> One of problems is more or less new config file syntax required. I
> have very limited cisco experience, so it is difficult for me to adopt
> their model to mpd, but I would not like to reinvent a wheel. I will
> be grateful for any ideas/examples of how do you see that.
Mpd is a great piece of software, I use it for almost 3 years.
There are some things I want to share with you
I've used in the past pppoed, but I had to switch to mpd because I had
problems with pppoed crashing because of a bad switch (burned port) on
I have a small network (Ethernet + Fiber) in a small town, and sometimes
it happened for a switch to freeze or even stop working, flooding pppoe
server with arp requests, that crashes the pppoe server. Using pppoed
few years ago it started to crash when I had few users, like up to 100.
Replacing it with mpd solved the problem then. Well, my network grew to
2000 users (1000 connected at the same time, on peak hours), and now, if
a switch port crashes, mpd crashes too.
I am talking about mpd4. I've used 3.18, and I can say 4 is a lot
faster... on 3.18 I had on a P IV at 3 GHz with 2GB RAM, 70% cpu
usage for 600-700 users connected at the same time. With mpd4, I have
not more than 20% cpu usage with same number of users. This is great
thinking that I have an 100mbps network, and some people are using pppoe
connection when transfer files from other users in same network, which
put some load on pppoe server. I did install a dhcp server, with private
addresses, and usually communication between LAN users is done directly
and not via pppoe server (which should be used for Internet connection).
For my 2000 users I have a config file which holds 2000 sections for
every pppoe tunnel. It took me some time to generate it, I've written a
php script to do that.
It would be useful a feature like one Nikolay wrote. Also as you know
PPPoE is vulnerable to arp poisoning and to DoSs. Having a small network
with 10-20 computers using mpd is easy, but having 2000 users or more,
things change, problems appear. Solving arp poisoning or DoS attack
(sometimes caused by a burned switch port which mixes RX with TX) I
think can be done using a Layer2 managed switch, with ACLs, I will try
and I'll inform you.
When having many users, it is useful to have high availability, so it
would be nice and useful to setup multiple pppoe servers. I've tried
that, using a router, connected to 2 pppoe servers, and at every pppoe
connection, a route was added to
the router and when user disconnected, the route was deleted from
router. This is still a buggy implementation, we had problems messing
up routing table.
So to conclude:
- an option like Nikolay said, would be very useful, not to generate
thousands of rules manually
- it would be nice to have a documentation, or to give me some clues how
could be done high availability with mpd pppoe servers, and I'll write a
documentation for that
- would be nice to have a documentation for tuning mpd for lots of
users, I can do that but I would need your feedback