From: "ropers" <[EMAIL PROTECTED]>
To: "Peter Kay - Syllopsium" <[EMAIL PROTECTED]>
Cc: <misc@openbsd.org>
Sent: Monday, September 08, 2008 2:05 PM
Subject: Re: Bridging pppoe(4) to another NIC - is this even possible, as it appears impossible to change the MTU?


2008/9/8 Peter Kay - Syllopsium <[EMAIL PROTECTED]>:
I'm trying to create a transparent bridging firewall with a NIC at one end
and PPPoE(4) at the other end. In this case I'm using OpenBSD 4.4-CURRENT
sparc (same thing happens on 4.2) on a sparcstation 10 with quad ethernet
(qe - 10Mb).

The problem is that the bridge cannot be established, probably because the
MTUs do not match.

The MTU of qe(0 to 3) is 1500.
The MTU of pppoe0 (established via pppoe(4)) is 1492

I can't change the MTU of qe0-3.
There's an overhead of 8 bytes in PPPoE - does this therefore mean it can
never go above 1492?
The MTU of pppoe can be modified, but only to 1492 or lower.

Additionally I am confused by the OpenBSD 4.4 changelist item:

'Adapt maximum permitted MTU on pppoe(4) to the MTU of the connected
Ethernet/VLAN interface.'

This, to me, potentially indicates that the MTU of pppoe could be matched to the MTU of the NIC (although, is this perhaps limited by the fact that to do so it would need 1500+8 bytes of overhead, and thus blow the 1500 Ethernet
MTU limit?). I tried applying 4.4-CURRENT and the MTU of pppoe stays at
1492.

Any solution? Find a NIC which can have its MTU lowered, perhaps?

Also, even if I could get the MTUs to match, bridge complains on startup
because pppoe0 does not yet exist. Is there a more elegant solution than a
shellscript with a delay and a series of brconfig commands to fix this?

Cheers!

Peter

When you say you want PPPoE at the other end, what exactly do you
mean? Is the PPPoE stuff on a separate box that you reach via RJ-45,
ie. does your net look like this:

Intranet <--> int_if--OpenBSD_bridge--ext_if <--> DSL modem w/ PPPoE

Or do you want the PPPoE login/"dialup" stuff to be handled by
OpenBSD, ie. does your network look like this:

Intranet <--> int_if--OBSD_box--ext_if <--> DSL modem in dumb as a brick mode

If it is the latter then I'm not quite sure where you want to build a
transparent bridge. Because IIRC your external interface in this
scenario would be a tun interface and you would use NAT. Unless of
course... Ok, let me ask you this then: What kind of Internet
connectivity do you have / what kind of Internet connection do you
have from your ISP? If you are just using an ordinary SOHO user PPPoE
offering from a regular ISP, then you more than likely just get ONE
IPv4 address, which means you will have to use NAT, not bridging, no
two ways about it. Or am I horribly misunderstanding something?

A somewhat confused
--ropers

I have an ADSL connection with 8 IPs, so the topology looks like:

Intranet <-->Int_if--OpenBSD_bridge_with_pf--ext_if<-->ADSL router bridging PPPoE packets.

The router is in bridging mode so 'all' it does is shift the PPPoE packets from the POTS (telephone) connection to the Ethernet port. It passes PPPoE on to the external OpenBSD interface pppoe(4) is bound to. The pppoe(4) should establish the ppp connection and receive the traffic for all 8 IPs. I don't have the space or the inclination to subnet, so I want to transparently bridge with pf for firewalling between pppoe and the internal interface.

I realise 1:1 NAT is an option here, but I'd prefer my internal systems to remain with WAN addresses, but protected by a firewall. I'm doing all this because otherwise I have to lose one IP address to my router, and I'd rather not.

(What I *actually* want to do eventually is to have three interfaces on the firewall. One internal, one DMZ, one external (pppoe bound) where external->dmz is a transparent firewall and external->internal is NAT)

PK
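The first post asks whether there is anything better than a delayed shell script with brconfig commands to add pppoe0 to the bridge once it exists. Below is an added example of such a script (not from anyone in this thread): it waits for pppoe0 to appear, and refuses to add it to the bridge unless its MTU matches the Ethernet member's, so the MTU mismatch described above is reported rather than silently producing a bridge that does not forward. It assumes the brconfig(8) and ifconfig(8) syntax of that era, interface names qe0 and pppoe0, bridge name bridge0, and a 60 second timeout; all of those are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Waits for the pppoe(4) interface
# to exist, checks that both bridge members agree on MTU, then runs brconfig.
# Assumed names: bridge0, qe0 (internal), pppoe0 (external), 60 s timeout.

BRIDGE=${BRIDGE:-bridge0}
INT_IF=${INT_IF:-qe0}
EXT_IF=${EXT_IF:-pppoe0}
TIMEOUT=${TIMEOUT:-60}

# Extract the MTU from ifconfig(8)-style output such as "... mtu 1492".
# Prints nothing when no mtu field is present.
mtu_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]mtu \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds only when both arguments are numeric and equal.
mtus_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ] 2>/dev/null
}

# Poll once per second until the interface exists or the timeout expires.
wait_for_if() {
    ifname=$1; secs=$2
    while [ "$secs" -gt 0 ]; do
        if ifconfig "$ifname" >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

main() {
    wait_for_if "$EXT_IF" "$TIMEOUT" || { echo "$EXT_IF never appeared" >&2; exit 1; }
    int_mtu=$(mtu_from_ifconfig "$(ifconfig "$INT_IF")")
    ext_mtu=$(mtu_from_ifconfig "$(ifconfig "$EXT_IF")")
    if ! mtus_match "$int_mtu" "$ext_mtu"; then
        echo "MTU mismatch: $INT_IF=$int_mtu $EXT_IF=$ext_mtu, not bridging" >&2
        exit 1
    fi
    brconfig "$BRIDGE" add "$INT_IF" add "$EXT_IF" up
}

# Run main only when executed as bridge-up.sh; sourcing just defines the functions.
[ "${0##*/}" = "bridge-up.sh" ] && main
```

Save it as bridge-up.sh and start it from rc.local in the background so boot is not held up while pppoe0 negotiates.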
