On 2016-09-28, tech-lists <tech-li...@zyxst.net> wrote:
> Hello misc@
>
> Hoping someone can help me please. I have a bit of a chicken and egg
> situation with regard to routing real IPs through a PPPoE connection in
> that I know some of the terms but my understanding is limited on others.
> I've read around pppoe on freebsd and openbsd and openbsd seems to me to
> be the one to go for as it looks simpler and additionally has a
> reputation for robustness.
>
> The setup that I want goes like this
>
> internet
> |
> |
> draytek vigor 130 in pppoe bridge mode
> |
> |rl0 connected to modem
> openbsd 6.0 with two rl interfaces, running pppoe
> |
> |rl1 connected to unmanaged switch/LAN
>
> The LAN machines have their own firewalls and will be manually set with
> real IPs in my /29. I don't need NAT on this machine, though maybe pf is
> needed for anti-spoof. I'm confident I can set up the actual pppoe
> connection through use of the online faq.

No baby jumbos with rl(4), so you are stuck with 1492 MTU, so you need PF
so you can do "scrub (max-mss 1440)" as described in pppoe(4)'s "MTU/MSS
ISSUES" section.

> What I'm unsure about is this:
>
> 1. do I need to bridge the rl0 and rl1 interfaces? The way a lot of

No, and this won't work at all; you're just seeing pppoe frames on rl0.

> fixed IP on *dsl is delivered in the UK is that the connection gets
> dynamically the same IP each time, because it's tied to the login
> credentials/radius profile. In my redacted-ip example case I get
> 82.xx.yy.102 if just one machine with a pppoe client connects to the
> internet. I have 82.xx.yy.96/29 in CIDR.
>
> 2. how do I make rl1 accept incoming and outgoing traffic from the rest
> of my /29? Is it as simple as putting the following in hostname.rl0:
>
> inet 82.xx.yy.102 255.255.255.248

The /29 needs to go on the interface facing the LAN, in that case rl*1*,
so this goes in /etc/hostname.rl1.

For hostname.pppoe0 you can do something like this:

    inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev rl0 \
        authproto chap authname "zen123456@zen" authkey "foo" up

> and then set the sysctl net.inet.ip.forwarding=1 ?

Yes.
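As an added example (not from the thread or from OpenBSD itself), here is a shell script that stages the configuration files the reply describes: the /29 on rl1, the PPPoE session on pppoe0, forwarding in sysctl.conf, and a pf.conf with the max-mss clamp and an antispoof rule. It writes under a staging directory rather than /etc so the files can be reviewed first; the addresses and credentials are the thread's redacted placeholders, and the bare `up` in hostname.rl0 is my assumption from hostname.if(5), since rl0 only carries PPPoE frames and needs no address.

```shell
#!/bin/sh
# Added example, not the thread's own config. Stages the router's config files
# under $1 (a scratch directory), so nothing under /etc is touched until you copy
# them into place. Replace the 82.xx.yy placeholders and the CHAP credentials.
write_pppoe_config() {
    dest="${1:-./staging}"
    mkdir -p "$dest/etc"

    # LAN-facing interface carries the /29, as the reply says (not rl0).
    cat > "$dest/etc/hostname.rl1" <<'EOF'
inet 82.xx.yy.102 255.255.255.248
EOF

    # rl0 only sees PPPoE frames: bring it up with no address (assumption from hostname.if(5)).
    cat > "$dest/etc/hostname.rl0" <<'EOF'
up
EOF

    # PPPoE session over rl0; 0.0.0.0/0.0.0.1 let the ISP assign both ends of the link.
    cat > "$dest/etc/hostname.pppoe0" <<'EOF'
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev rl0 authproto chap authname "zen123456@zen" authkey "foo" up
EOF

    # Route between rl1 and pppoe0.
    cat > "$dest/etc/sysctl.conf" <<'EOF'
net.inet.ip.forwarding=1
EOF

    # LAN hosts run their own firewalls (per the thread), so pf here only
    # clamps MSS for the 1492-byte MTU and blocks spoofed sources on the LAN side.
    cat > "$dest/etc/pf.conf" <<'EOF'
ext_if = "pppoe0"
lan_if = "rl1"
lan_net = "82.xx.yy.96/29"
set skip on lo
# TCP MSS clamp for the 1492 MTU, as pppoe(4) "MTU/MSS ISSUES" recommends
match on $ext_if scrub (max-mss 1440)
# drop packets arriving on rl1 that claim a source outside the /29 paths
antispoof quick for $lan_if
block log all
pass out
pass in on $lan_if from $lan_net
pass in on $ext_if to $lan_net
EOF
}

root="${ROOT:-$(mktemp -d)}"
write_pppoe_config "$root"
echo "staged config under $root/etc; review, then copy into /etc and run pfctl -nf"
```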