Date:      Thu, 16 Oct 2008 04:43:48 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Da Rock <rock_on_the_web@comcen.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: How to get my Dad's Win2k system to access internet through my FreeBSD 6.2 system
Message-ID:  <20081016114348.GA8970@icarus.home.lan>
In-Reply-To: <1224156544.3458.104.camel@laptop1.herveybayaustralia.com.au>
References:  <831334.93256.qm@web56806.mail.re3.yahoo.com> <1224138644.3458.97.camel@laptop1.herveybayaustralia.com.au> <gd769f$8fg$1@ger.gmane.org> <1224156544.3458.104.camel@laptop1.herveybayaustralia.com.au>

On Thu, Oct 16, 2008 at 09:29:04PM +1000, Da Rock wrote:
> 
> On Thu, 2008-10-16 at 06:54 -0400, Michael Powell wrote:
> > Da Rock wrote:
> > 
> > [snip] 
> > > I'm assuming the problem with double nat'ing is the confusion in packet
> > > traffic. So if the OP is using his ADSL modem to connect to the net,
> > > then it could be safe to assume the public IP would be to the modem
> > > itself, and not his box (barring the possible use of USB), so then the
> > > nat'ing would already be done. Therefore, the best and easiest way would
> > > be to simply bridge his interfaces- correct? Less overheads, etc, plus
> > > simplicity of setup.
> > >
> > 
> > There is another option, a variant of which I use. My el cheapo deluxe DSL
> > modem has really crappy broken firewall and DNS implementations. Wireshark
> > showed Windows Messenger service spam leaking past and as soon as I saw
> > that I assumed it was probably the tip of the iceberg.
> > 
> > You can also bridge the modem (disabling its NAT as well). In a fully
> > bridged configuration your FreeBSD gateway will have to perform PPPoE
> > handshake and login as well. 
> > 
> 
> Setting up the modem itself this way can be tricky at times, depending
> on the model and the service. One gotcha with this method can be if your
> ISP is using heartbeat, and so you'll have to either script yourself or
> find one that suits.
> 
> > I use a second option called split-bridge, which they have named "IP
> > Passthrough". This allows the DSL modem to be responsible for the PPPoE
> > session. It works by passing the WAN public IP to the Internet facing NIC
> > in my FreeBSD box via DHCP. So, while my interior LAN NIC is static, my
> > outside NIC is ifconfig_xl0="DHCP". It gets assigned whatever IP Verizon
> > sends.
> > 
> 
> Is this also called IP spoofing?

No, this is **NOT** IP spoofing.

What Michael's describing is a feature many DSL modems offer.  There is
no official term for what it is, since DSL modems are supposed to be
bridges (layer 2 devices), but in fact this feature causes the modem to
act like something that sits between layer 2 and layer 3 -- yet is not a
router.  Different modems call it something different.

If you enable this feature, what happens is this:

The modem requires you to access its administrative web page.  You
insert your PPPoE Username and Password (which it saves to
NVRAM/EEPROM), and click Connect.  The DSL modem then continues to do
the PPPoE encapsulation, so that your FreeBSD box, Windows box, or
whatever (that's connected to the DSL modem on the LAN port) does not
have to.

The modem is given an IP address as part of the PPPoE hand-off.  That IP
address is, of course, a public Internet IP.  The modem also enables use
of a DHCP server, so that a machine connected to its LAN port can do a
DHCP request and get an IP address -- but here's the kicker.

The IP address the modem returns to the machine on the LAN is the
public IP address the ISP gave the modem via PPPoE.

"So how does this work?"  All network I/O between the LAN port and
the modem itself is done at layer 2 past that point -- meaning, the
modem acts "almost purely" as a bridge from that point forward: but
it still does the PPPoE encapsulation for you.  So, like I said,
the modem acts like a device that sits between layer 2 and layer 3.

Does this make more sense?

The reason this feature is HIGHLY desired is because not all PPPoE
implementations are compatible with an ISP's implementation.  It is
*always* best to use whatever equipment they give you or guarantee
works with them; using your own, or some other PPPoE daemon/method,
can result in lots of trouble.

I've personally used this method, I might add.  I can give you
reference material on how to set it up and use it, over at
dslreports.com.  Lots of DSL modems these days offer said feature.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
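The practical consequence of the passthrough setup Jeremy describes is that the FreeBSD box's WAN NIC ends up holding the ISP's public address directly, with nothing in front of it, so it is worth confirming which situation you are actually in before relying on the modem for anything. The script below is an added example, not part of the original thread or of any FreeBSD tool; it reads ifconfig-style output for the outside interface (xl0, the name used in the thread) and reports whether the DHCP-assigned address is public (passthrough worked) or sits in private/CGNAT space (the modem is still NATing, i.e. double NAT). The ifconfig samples are constructed for offline use; run it with --live on a real box to check the interface itself.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Distinguish DSL "IP Passthrough" (public address handed to the WAN NIC by
# the modem's DHCP server) from plain double NAT (private address from the
# modem's own pool). Interface name xl0 comes from the thread; the sample
# ifconfig output below is constructed, not captured from a real box.

# Return 0 if $1 is an IPv4 address in RFC 1918, CGNAT (100.64.0.0/10),
# loopback, link-local or "this network" space; return 1 if it is a
# globally routable address.
is_private_ip() {
    a=${1%%.*}
    rest=${1#*.}
    b=${rest%%.*}
    case "$a" in
        0|10|127) return 0 ;;
        192) [ "$b" -eq 168 ] && return 0 ;;
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
        100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0 ;;
        169) [ "$b" -eq 254 ] && return 0 ;;
    esac
    return 1
}

# Print the first IPv4 "inet" address found in ifconfig-style text on stdin.
first_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Classify the interface described by the ifconfig output in $1.
# Prints one of: no-address, passthrough:<ip>, double-nat:<ip>
classify_wan() {
    ip=$(printf '%s\n' "$1" | first_inet)
    if [ -z "$ip" ]; then
        echo "no-address"
    elif is_private_ip "$ip"; then
        echo "double-nat:$ip"
    else
        echo "passthrough:$ip"
    fi
}

# Constructed sample output (203.0.113.0/24 is documentation space).
SAMPLE_PASSTHROUGH='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 203.0.113.45 netmask 0xffffff00 broadcast 203.0.113.255'
SAMPLE_DOUBLE_NAT='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255'

if [ "${1:-}" = "--live" ]; then
    # Real check: classify whatever address the modem's DHCP gave the NIC.
    classify_wan "$(ifconfig "${2:-xl0}")"
else
    classify_wan "$SAMPLE_PASSTHROUGH"   # passthrough:203.0.113.45
    classify_wan "$SAMPLE_DOUBLE_NAT"    # double-nat:192.168.1.2
fi
```

If the result is passthrough, the host is exposed on the public address with no NAT in front of it, so the FreeBSD box itself must carry the packet filter (pf or ipfw) for the LAN behind it; if it is double-nat, the modem's own NAT and firewall (the "crappy broken" implementation Michael mentions) are still in the path and any port forwarding has to be configured in two places.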
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081016114348.GA8970>