Dear Alexander
Thank yoo for your email, it is very interesting.
I am not very familiar with BGP (but I will learn), my question is: did
you use multiple pppoe servers with different subnet for every pppoe server,
or you have high availability with every serverer giving IPs from the
same pool of addresses. I am using Radius, and I would like to have
configured the
pppoe servers the same way, so if I would need more power, I would add
another server, that would offer pppoe connections from the same pool,
using the same
radius server as everyone. I think if bgp sessions are estabilished
between router and pppoe servers, every pppoe server would have his own
subnet of addresses
to give to users, which is not good, it will be interesting every pppoe
server to accept all users. So not have pppoeserve1 for 100 customers,
pppoeserv2 for another 100 customers and so on.
The second issue I've encountered , on my setup I've connected router to
two pppoe servers, and on pppoe servers decond network card of both
pppoe servers
was connected to our LAN. Because all users from lan already have setup
pppoe on their workstations, I wanted to transparently for them make
this system work.
So, I setup both pppoe servers with the same name (same hostname), and
also the service name is *. Still the load is not balanced, most of the
users connect to one server, and only few of them to the other. It is a
posibility that the fastest pppoe server who answer to establish the
connection with user?
I've searched a lot for those issues, I did not found much information
on the Internet, maybe you know some resources for me to study.
Thank you
Best regards,
Ovidiu
Alexander Motin wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ovi wrote:
Also as you know
PPPoE is vulnerable to arp poisoning and to DoSs. Having a small network
with 10-20 computers using mpd is easy, but having 2000 users or more,
things changes, problems appears. Solving arp poisoning or DoS attack
(sometimes caused by a burned switch port which mixes RX with TX) I
thing can be done using a Layer2 managed switch, with ACLs, I will try
and I'll inform you.
Even if pppoe have some DoS weaknesses it also have some protection
mechanisms against it. It's a pity but ng_pppoe originally implements
protocol in a way which does not allow this protection to be effectively
used.
As I have told 4.2 release contains overload protection which should
also help against DoS attacks. I am not sure it will be able to handle
100Mbit/s flood of PADI requests from broken switch, but should avoid
mpd freeze in such case.
When having many users, it is useful to have high availability, so it
would be nice and useful to setup multiple pppoe servers . I've tried
that, using a router, connected
to 2 pppoe servers, and at every pppoe connection, a route was added to
the router and when user disconnected, the route was deleted from
router. This is still a buggy implementation, we had problems messing
up routing table.
Having several PPPoE servers in one segment is a normal solution
protocol. It is not so efficient now as it could be due to ng_pppoe
implementation problem I have told, but it still should increase
performance and stability.
What is about routing problems, you just should find good dynamic
routing solution. I have successfully working network with hundred PPPoE
servers and many thousands of users with routing successfully managed by
quagga bgp.
- --
Alexander Motin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGglNH0kCgngV3usoRAoANAJ9k2lRBnR8VtWu4pm1BhiQKwrimuQCgkTEE
oY83aUVdgXzPITM/ea4cTK8=
=Sk3P
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
