PPPoE in a multiple-connection Linux firewall

I had to configure a PPPoE interface as a secondary Internet connection in a Linux firewall, using the CentOS Linux distribution. The idea was to route HTTP and HTTPS traffic through the PPPoE connection, taking that load off the primary static-IP connection.

There are some things to consider when the PPPoE connection is set up in this scenario.

The Basics

In this section, I’ll explain how to configure a PPPoE interface in CentOS.

1) Install required software

# yum install rp-pppoe

2) Configure the PPPoE connection

The following is a transcript of the adsl-setup command. The answers typed at each prompt appear after the prompt:

[root@fw ~]# adsl-setup
Welcome to the ADSL client setup.  First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root): adsl-user-name

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth2

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You may have some problems with demand-activated links.
Enter the demand value (default no): no

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: (Press ENTER)

PASSWORD

Please enter your Password: ***********
Please re-enter your Password: ***********

USERCTRL

Please enter 'yes' (three letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): no

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself.  Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc.  If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
 for ensuring the security of your machine.  You are STRONGLY
 recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
 for a LAN
Choose a type of firewall (0-2): 0

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

** Summary of what you entered **

Ethernet Interface: eth2
User name:          adsl-user-name
Activate-on-demand: No
DNS:                Do not adjust
Firewalling:        NONE
User Control:       no
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
 (But first backing it up to /etc/ppp/chap-secrets.bak)
 (But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.

[root@fw ~]#

Define the Ethernet Interface!

Even though it is not mandatory to configure the Ethernet interface (e.g. eth2) connected to the PPPoE device, it is highly recommended that you do. Otherwise the OS may recognize the Ethernet interface under a different name; if that happens, the PPPoE setup scripts will not find the Ethernet interface and the PPPoE interface (e.g. ppp0) will not be set up.

In the following example, the Ethernet interface eth2 is erroneously recognized as "__tmp1109941636":

[root@fw ~]# ifconfig -a
__tmp1109941636 Link encap:Ethernet  HWaddr 00:E0:4C:55:5E:37
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:4940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:499 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:393404 (384.1 KiB)  TX bytes:100208 (97.8 KiB)
          Interrupt:209 Base address:0x4400

eth0      Link encap:Ethernet  HWaddr 00:08:A1:B5:F5:DC
          inet addr:200.1.1.2  Bcast:200.1.1.3  Mask:255.255.255.252
          inet6 addr: fe80::208:a1ff:feb5:f5dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:220 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16646 (16.2 KiB)  TX bytes:3971 (3.8 KiB)
          Interrupt:217 Base address:0xe000

eth1      Link encap:Ethernet  HWaddr 00:08:A1:82:69:99
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::208:a1ff:fe82:6999/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:393404 (384.1 KiB)  TX bytes:100708 (98.3 KiB)
          Interrupt:201 Base address:0xb000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@fw ~]#

We can prevent this by defining the eth2 interface with the minimum information, including its MAC address, which pins the name eth2 to that particular card. Use the card's real MAC address (the HWaddr value shown by ifconfig -a). Create the file /etc/sysconfig/network-scripts/ifcfg-eth2 with the following text:

DEVICE=eth2
ONBOOT=no
HWADDR=70:5a:b6:95:4c:9b

Prevent default route overriding

When the PPPoE connection is set up, the existing default route is replaced by a new one that makes the PPPoE interface the default route. This is the default behavior.

Since the PPPoE connection is secondary, you may want to prevent the PPPoE setup from overriding the default route. To do this, create the file /etc/ppp/ip-up.local with the following text:

#!/bin/bash
#
# When the PPPoE connection is established, the default route is
# overridden. Here we restore the default gateway as defined in
# "/etc/sysconfig/network". The match is anchored so that a
# GATEWAYDEV=... line is not picked up, quotes around the value are
# removed, and the route is only replaced if a gateway was actually
# found, so the firewall is never left without a default route.
DEFAULT_GATEWAY=$(grep '^GATEWAY=' /etc/sysconfig/network | cut -d'=' -f2 | tr -d '"')
if [ -n "$DEFAULT_GATEWAY" ]; then
    /sbin/route delete default
    /sbin/route add default gw "$DEFAULT_GATEWAY"
fi

Make the new script executable:

# chmod 755 /etc/ppp/ip-up.local

Testing

Use the following commands to test your configuration:

# ifdown ppp0
# ifup ppp0
# netstat -nr | egrep '^0.0.0.0'  # To show the default route

With the configuration explained in this article, the default route should not change when taking the PPPoE interface (e.g. ppp0) up or down.
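The gateway lookup that ip-up.local depends on, and the default-route check from the Testing section, as an added example that is not part of the original article. It runs over constructed sample data (a sysconfig file written to a temp file and two hand-written netstat -nr tables), so it needs neither root nor a real ppp0; the function names are my own.

```shell
#!/bin/bash
# Added example (not the article's code): the GATEWAY lookup ip-up.local
# relies on, hardened, plus the Testing section's "is the default route
# still ours?" check, driven by constructed data so it runs without root.
# GATEWAY= value from a sysconfig file; anchored so GATEWAYDEV= is skipped,
# and surrounding double quotes are removed. Status 1 if absent.
extract_gateway() {
    line=$(grep '^GATEWAY=' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    value=${line#GATEWAY=}; value=${value%\"}; value=${value#\"}
    printf '%s\n' "$value"
}
# Accept only a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case $1 in ''|.*|*.|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}
# Gateway column of the default route in "netstat -nr" output.
# Status 1 when no default route is present at all.
default_gw_from_routes() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" {
        print $2; found = 1; exit } END { exit (found ? 0 : 1) }'
}
# Command ip-up.local should run: nothing is touched unless a valid gateway
# is known, and "ip route replace" swaps the route in one step, so there is
# no window without a default route (unlike "route delete" then "route add").
build_restore_command() {
    gw=$(extract_gateway "$1") || { echo "no GATEWAY= in $1" >&2; return 1; }
    valid_ipv4 "$gw" || { echo "bad GATEWAY value: $gw" >&2; return 1; }
    printf '/sbin/ip route replace default via %s\n' "$gw"
}
# True when the configured gateway is still the default route's gateway.
default_route_preserved() {   # $1 = sysconfig file, $2 = netstat -nr output
    want=$(extract_gateway "$1") && valid_ipv4 "$want" || return 1
    [ "$want" = "$(default_gw_from_routes "$2")" ]
}
# Constructed sample data: the static link's sysconfig file and two routing tables.
SAMPLE_NET=$(mktemp)
printf 'NETWORKING=yes\nGATEWAYDEV=eth0\nGATEWAY="200.1.1.1"\n' > "$SAMPLE_NET"
ROUTES_OK='200.1.1.0  0.0.0.0    255.255.255.252  U   0 0 0 eth0
0.0.0.0    200.1.1.1  0.0.0.0          UG  0 0 0 eth0'
ROUTES_OVERRIDDEN='0.0.0.0  0.0.0.0  0.0.0.0  U  0 0 0 ppp0'   # pppd installed its own default
build_restore_command "$SAMPLE_NET"   # prints: /sbin/ip route replace default via 200.1.1.1
default_route_preserved "$SAMPLE_NET" "$ROUTES_OK"         && echo "default route intact"
default_route_preserved "$SAMPLE_NET" "$ROUTES_OVERRIDDEN" || echo "default route moved to ppp0"
```

On a live firewall, feed default_route_preserved the real file and the output of netstat -nr before and after the ifdown/ifup cycle above.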

Enjoy!
