On Thu, 26 May 2005 03:23:39 -0400, Melameth, Daniel D. wrote:

>Just moved from cable to DSL connectivity at home and decided to give
>3.7's new kernelized pppoe a shot.
>
>My DSL connection trains at 7Mb/s down and 896Kb/s up and testing with
>Internet speed tests, I generally get 5.5Mb/s down and 715Kb/s up.
>These tests were done with the DSL router provided by my ISP. Once I
>switched the router to act as just a modem, doing rfc1483 bridging, and
>had the OpenBSD box handle the pppoe connection instead, which appears
>to do the establish, authenticate and network phases flawlessly, the
>same speed tests show my maximum to be 1.5Mb/s down and 715Kb/s up--even
>though the modem is training at full speed and the CPU states on the
>OpenBSD box appear okay, and I am not certain what is causing this.
>This issue is reproducible from NAT/PAT clients with PF and from the
>OpenBSD box itself without PF (which I believe rules out MTU issues). I
>have tried the following without success, am not certain where to look
>next and am looking for help:
>
>* Setting the MTU to 1492 on the physical pppoe interface (as per
>man 4 pppoe (it's a bit confusing where to actually adjust this)?)
>* Setting MSS to 1440 on pppoe in pf.conf (as per man 4 pppoe)
>* Setting the MTU to 1492 or less on the interfaces of NAT clients
>
>One thing I noticed of possible interest is a seemingly peculiar
>round-robin option in:
>
>$ sudo pfctl -s nat
>nat on pppoe0 inet from 192.168.x.x/27 to ! 192.168.x.x/30 -> (pppoe0)
>round-robin
>
>As the only nat line I have in my pf.conf is:
>nat on $ext_if from $int_if:network to ! $wan_if:network -> ( $ext_if )
>
>Any thoughts/suggestions appreciated as I CANNOT IMAGINE relying on my
>ISP's router for WAP, firewall, QoS and other functions.
>
>Thanks,
>Danny
>
<snip lots of useful evidence not relevant to my reply>

When you have a modem that will do all the connection stuff I am amazed
that anyone feels the need to do PPPoE. In my case (not universally true,
sadly) I can do PPPoA if I let the modem do it with the correct config.
That means MTU=MRU=1500 and MSS=1460 which sits very well with Ethernet.

You wonder about security: My setup uses OpenBSD to do all that stuff.
Here at my office I have a /29 that is routed over my WAN IP and I can use
some "interesting" NAT rules to make my LAN boxen look like they are on
one of the /29 IPs.

My SOHO clients don't run servers and so don't need to pay for more IPs so
what we do is set the modem up in NAT mode and then use the DMZ host
setting that some modems have. Others have the same function under another
name. Let's see how this works:

ADSL -> WAN IP [modem] 192.168.1.1 -> 192.168.1.2 [openbsd] 172.16.0.1 -> 172.16.0.0/24 LAN

So we NAT in OpenBSD and again in the modem BUT any traffic that hits the
WAN IP but is NOT a part of a connection set up by an outbound NAT in the
modem hits the $ext_if of the OBSD firewall.

Works like a charm and I can ssh in and do stuff for them and they can do
rsync over ssh for their inventory lists etc.

If you need more just reply on list and I'll send you info off list.

From the land "down under": Australia.
Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
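
The double-NAT layout described in the reply above, sketched as a pf.conf for the OpenBSD box. This is an added example, not the poster's configuration; it uses the pre-4.7 "nat on ... ->" syntax seen in the thread, and the interface names (fxp0, fxp1), the admin address 192.0.2.10 and the restriction of ssh to that address are assumptions.

```conf
# Added example, not from the original thread.
ext_if   = "fxp0"        # assumed NIC facing the modem, holds 192.168.1.2
int_if   = "fxp1"        # assumed NIC facing the LAN, holds 172.16.0.1
admin_ip = "192.0.2.10"  # placeholder (TEST-NET-1) for the remote admin host

set block-policy drop
scrub in all

# First NAT: LAN 172.16.0.0/24 leaves as 192.168.1.2. The modem then
# translates 192.168.1.2 to the WAN IP (second NAT).
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# The modem's DMZ-host setting hands every unsolicited inbound packet
# to 192.168.1.2, so this ruleset is the real perimeter: default deny.
block log all
pass quick on lo0 all

# The only inbound service is ssh for remote administration,
# limited here to the (assumed) admin host.
pass in on $ext_if inet proto tcp from $admin_ip to ($ext_if) port 22 \
    flags S/SA keep state

# LAN clients and the firewall itself may open connections outward
# (this covers the clients' outbound rsync over ssh).
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $int_if inet from ($int_if) to $int_if:network keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } all keep state
```

With the modem terminating PPPoA at MTU 1500, no max-mss clamp is needed on the OpenBSD side; the blocked-packet log shows what the DMZ-host forwarding is delivering to $ext_if.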