Using OpenBSD with a PPPoA/PPPoE link

This guide is for setting up an OpenBSD firewall on a PPPoA link using an ADSL router/modem and an ethernet link between the OpenBSD machine and ADSL router.

Preface

This guide has been written in a rush and has not been proof read. Hopefully you'll get the idea. When I have more time, I'll probably rewrite it to be more consice. Which could be never, maybe I should add the Beta tag to it and be all fashionable on the internet. Under Construction is *so* 90s.

It should be noted that this example works fine for a static setup. If your ISP changes your IP in their DHCP server then this will break the internal bridge if it's used and possibly all your routing. Although if you using dynamic IP then you probably do not need to worry since you'll only have one IP and you won't be routing a block of IPs. The kernel pppoe device will update if there is an IP change so if you have a simple set up then you do not need to worry. Obivously your pf.conf will have to take account of that.

Introduction

I find it very common that people do not understand why one uses the kernel pppoe pseudo-device and not a pppoa device. The only difference between PPPoA and PPPoE is the encapsulation. One inside ethernet frames and the other inside ATM. The question is, do you have an ATM network device inside your OpenBSD machine? The answer is probably no, unless it's some awful USB ADSL modem device, you might be lucky and find it is supported. Ethernet based ADSL routers are well worth the money when compared against a USB ADSL modem. Anyway the point is you're more likily you have an ethernet card linking your OpenBSD firewall to your ADSL modem. So you need to speak PPPoE, not PPPoA. The ADSL modem in the correct mode will change the encapsulation from Ethernet to ATM. Which is the default, but it'll try and do alsorts of other things like having a global IP, which you want you OpenBSD box to have. The mode you want is bridging. Which assuming not all ADSL modems seem to support. There might be a way to hack around the problem, trail and error may be fruitful.

Another question might be why bother. The most attractive for me is having a more flexible firewall. Also the security of a dated VxWorks or cut down Linux based hardware firewall could be questionable. I doubt neither have (or could have due to hardware limitations) the security features which OpenBSD comes with. Due to manufactures needing to reduce the cost of a given product remove proper memory management which is required for things like W^X. The same is true with wireless access points, the old softmodems, and probably wireless cards too.

Reading

This things first you need to read is pppoe(4). You might also like to compare it with pppoe(8) the userland version. Also note the documation on the OpenBSD website. Especially the section on PPPoE/PPPoA which is near the end of that section. Most of the section is on the userland PPP daemons. The kernel land pppoe driver first appeared in OpenBSD 3.7, but it was in 3.8 where it became stable.

Example

First off is /etc/hostname.pppoe0 which is a pseudo network device. Notice that rl1 is the real network device. This is the connection to my ADSL modem. You should not need any other connections on that subnet, so a crossover cable will do the job. The config should work for 3.7-3.9. There has been a config change in the current branch which will probably end up in OpenBSD 4.0.

pppoedev rl1
!/usr/sbin/spppcontrol \$if myauthproto=chap myauthname=username \
	myauthkey=password
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1
!/sbin/route add default 0.0.0.1
up

Next up we have /etc/hostname.rl1. As above this is the connection to my ASDL modem. It doesn't need a IP, but if you want to connect to the admin interface on your ADSL modem then you'll need an IP.

Now depending on your config, you might want to want to set up a bridge to include all the internal network interface cards in your firewall. Even if that's one network interface card. It'll mean your firewall will use one IP. I found that without doing this the firewall would be a bit confused to what state is was in. If you're just doing NAT, then you do not need to bother with this since the internel network interface cards will have private IP addresses.

Here's a quick run through the set up direct from my prompt. The AAA.AAA.AAA.AAA is the public IP address. I thought that O for octel would be too confusing.

# cat /etc/bridgename.bridge0                                                  
add xl0
add rl0
up
# cat /etc/hostname.xl0
up media 100baseTX
# cat /etc/hostname.rl0 
inet AAA.AAA.AAA.AAA 255.255.255.0 AAA.AAA.AAA.255
alias 192.168.200.100 255.255.255.255
alias 192.168.100.100 255.255.255.255

What it should end up looking like

lo0: flags=8049 mtu 33224
        groups: lo 
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
xl0: flags=8943 mtu 1500
        lladdr 00:60:08:77:77:77
        media: Ethernet 100baseTX
        status: active
        inet6 fe80::260:8ff:ff77:3d4b%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8943 mtu 1500
        lladdr 00:00:bb:ee:bb:45
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet AAA.AAA.AAA.AAA netmask 0xfffffff0 broadcast AAA.AAA.AAA.255 
        inet6 fe80::250:dead:beef:b769%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8843 mtu 1500
        lladdr 00:00:bb:ee:bb:44
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.50.100 netmask 0xffffff00 broadcast 192.168.50.255
        inet6 fe80::250:dead:beef:b3e4%rl1 prefixlen 64 scopeid 0x3
pppoe0: flags=8851 mtu 1492
        dev: rl1 state: session
        sid: 0xe1f PADI retries: 14 PADR retries: 0 time: 36d 10:26:00
        groups: pppoe egress 
        inet AAA.AAA.AAA.AAA --> 0.0.0.1 netmask 0xff000000 
        inet6 fe80::260:8ff:ff77:3d4b%pppoe0 ->  prefixlen 64 scopeid 0x9
bridge0: flags=41 mtu 1500
        groups: bridge

Notice the connection time. The oldest connection in my pftop is 1484 hours. That's nearly 62 days. So hopefully you can see that the kernel land pppoe driver is very stable. When my BT exchange briefly fell over. It killed everybodies ADSL connections. Most people had to restart their ADSL modems since the they were out of sync with the DSLAMs. I never noticed that apart from maybe 2 minutes downtime whilst I had to wait for the exchange to come back online.

If you don't have the bridge enabled which includes all of the physical network interface card which route public IPs then you may see "inet 0.0.0.0 --> 0.0.0.1" in your pppoe0 output. Everything should work, except local routing on the friewall. Also it just seemed untidy to me, so I had to fix it. Oddly it's not possible to add the pppoe device to the bridge. I'm not too sure why. But when I enabled the bridge for the other interfaces it looked a lot happier.

ADSL ethernet router/modem setup

When you're configuring your ADSL modem make sure you do not end up with a router you can not connect too. I set my router IP to 192.168.50.200.

Here's what I posted to a mailing list about setting it up. Apparently if there's no "Bridge mode", then "DHCP mode" may do the job. You'll probably have to wait for a DHCP timeout, or end up assigning an IP twice, once to the ADSL modem, then to the OpenBSD box. The key is to look for what gives you the mininal set of options which are required. It's a bit product specific at the moment. There isn't much required from the ADSL router point of view. Just, encapsulation, VPI, VCI and maybe QoS. Your ISP should have given you those details, so it shouldn't be hard to configure.

I don't know for sure. I have the DSL-504T. Looking at the "Setup, DSL Setup" config of it, I have it setup as a "Bridge" with the approiate; Encapsulation, VPI, VCI, and QoS setting given by my ISP. On the "WAN Setup" they is no layer 3 setting, ie IP setting, since I want my OpenBSD box to do that bit. There's no point choosing DHCP since you still have to authenicate via PPP. If you don't have a bridge setup then DHCP looks like it'll work, although it's not needed. Obivously try it if you have no other option.

Looking at the LAN setup I have disabled DHCP since I wanted to use dhcpd on my OpenBSD box. I have disabled the DNS relay function. Again I do that on another box since I maintain internal DNS for my RFC 1918 IPs, aka Private IPs 10/8, 172.16/12, 192.168/16. Then I changed the management IP to a different subnet, matching the IP of my ethernet card used by the pppoe network device. I have to use ssh port forwarding to access my D-link router, but then until today I hadn't connected to it since September 2005. And quite frankly I'd much prefer managing my adsl connection via my OpenBSD box than a web interface.

Where username and password are set to what you ISP has given you for your PPPoA setting.

It's all in the man page, except I have given the physical network card an IP. If you were doing pure pppoe to your ISP, then you would do as the man page reads. You may also want to take note about setting the MTU as per the man page.

# ifconfig pppoe0                                                               
pppoe0: flags=8851 mtu 1492           
        dev: rl1 state: session                                                 
        sid: 0xcf8 PADI retries: 14 PADR retries: 0 time: 17d 15:03:41          
        groups: pppoe egress                                                    
        inet 10.10.10.10 --> 0.0.0.1 netmask 0xff000000                         
        inet6 fe80::260:8ff:dead:beef%pppoe0 ->  prefixlen 64 scopeid 0x9

Where 10.10.10.10 is the IP your ISP assigns you. I ususally find that on first booting the pppoe device takes a while to authenication but once up it's really stable. Seems better than most customer ADSL modems and also seems to cope with DSLAM reboots at the exchange very well. I've not had any complaints about it.

As for the other side of my OpenBSD router I have quite a complicated setup which is probably overkill for most peoples needs. If you're just doing NAT on a single NIC then that should be pritty straight forward via /etc/pf.conf

It was a pain to setup, but I'm glad of it now. Especially when there's DoS exploits in Netgear ADSL routers using IRC DCC commands when SPI is turned of. I'd much rather trust my OpenBSD than VxWorks or Linux based modem. Usually they're accessively slimed down and missing a lot of features OpenBSD has to offer.

Summary

There may be a better set up for doing this, but I have not found any docs on the web for this. This works very well for me, and my network uptime is very important. Enjoy.