Date:      Tue, 27 Oct 2009 15:26:51 +0100
From:      Polytropon <freebsd@edvax.de>
To:        Dánielisz László <laszlo_danielisz@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PPPoE client+pf+nat
Message-ID:  <20091027152651.6a2e336e.freebsd@edvax.de>
In-Reply-To: <744998.27248.qm@web30808.mail.mud.yahoo.com>
References:  <744998.27248.qm@web30808.mail.mud.yahoo.com>

On Tue, 27 Oct 2009 06:51:26 -0700 (PDT), Dánielisz László <laszlo_danielisz@yahoo.com> wrote:
> Hello,
>
> I am looking to configure my FreeBSD 8.0 machine for the purpose specified in the subject.
> Let's say I have two NICs in my PC: ext_if (for wan/pppoe connection) and int_if for my LAN.
> How would you manage to get NAT working with pf using PPPoE from my ISP; I'd like to use DHCP on my LAN.

It's quite easy, I did this in the past with FreeBSD 5.


1. PPPoE
--------
Setup /etc/ppp/ppp.conf with the correct data for your ISP.
It would be like this:

<pppoe provider name, arbitrary>:
        set device PPPoE:<external interface>
        set authname <username for PPPoE connection>
        set authkey <password>
        set dial
        set login
        add default HISADDR

In /etc/rc.conf, enter

	ifconfig_<external_interface>="up"
	ppp_enable="YES"
	ppp_profile="<pppoe provider name as in /etc/ppp/ppp.conf>"
	ppp_mode="ddial"
	ppp_nat="YES"

for the external interface, and for the internal one:

	ifconfig_<internal_interface>="inet 192.168.100.1  netmask 0xffffff00"
		(or any other subnet definition you like)
	dhcpd_enable="YES"
	dhcpd_conf="/usr/local/etc/dhcpd.conf"
	dhcpd_ifaces="<internal_interface>"
	dhcpd_flags="-q"

Keep in mind that you have to load

	netgraph_load="YES"
	ng_ether_load="YES"
	ng_pppoe_load="YES"
	ng_socket_load="YES"

per /boot/loader.conf in order to enable the Netgraph
subsystem. I think tho


2. PF
-----
Sorry, I'm not familiar with PF, I always used IPFW. So I
had the rule

	add divert natd ip from any to any via <external interface>

prior to the other rules that formed a setting to be
described as: "Only allow those (named) ports for connections,
disallow anything else."


3. DHCP
-------
Install the ISC DHCP server from ports and configure the
settings for the local network as intended. This is usually
done in /usr/local/etc/dhcpd.conf with a content like this:

	option domain-name-servers <your ISP's name servers>;
	ddns-update-style none;
	subnet 192.168.100.0 netmask 255.255.255.0 {
	        range 192.168.100.2 192.168.100.250;
	        option routers 192.168.100.1;
	}

You can add "host" entries for "well-known" so they always
get the same IP according to their MAC, and "deny unknown-clients;"
to force MAC knowledge.

Since I ran this setting in v5, kernel configuration required
to have

	options         DUMMYNET
	options         IPFIREWALL
	options         IPFIREWALL_VERBOSE
	options         IPFIREWALL_DEFAULT_TO_ACCEPT
	options         IPDIVERT

in the file. I'm sure this is not needed anymore, because
there are modules for this. Of course, you can include the
options for NETGRAPH here, too.



IMPORTANT NOTE: I'm not using such a setting anymore, so I'm
not sure if this is still recommended or even working on v8.




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
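The pf part that the reply skips, written here as an added example and not taken from the original message: a /etc/pf.conf that does the NAT for the 192.168.100.0/24 LAN used above. It assumes that user-ppp brings the PPPoE session up as tun0, that the LAN NIC is re0 (both names are assumptions), that ppp_nat is set to "NO" in /etc/rc.conf so that pf, and not ppp's built-in NAT, translates addresses (with both enabled you get double NAT), and that gateway_enable="YES", pf_enable="YES" and pflog_enable="YES" are also set there. The rules use the `nat on ... -> (...)` form that FreeBSD's pf expects.

```pf
# /etc/pf.conf -- added example, not part of the original reply.
# Assumptions: user-ppp creates tun0 for the PPPoE link, the LAN NIC is re0,
# the LAN is 192.168.100.0/24 as in the reply, ppp_nat="NO" so that only pf
# translates, and gateway_enable="YES" so the kernel forwards between NICs.

ext_if  = "tun0"
int_if  = "re0"
lan_net = "192.168.100.0/24"

# Loopback needs no filtering at all.
set skip on lo0

# Normalise packets; clamp TCP MSS because the PPPoE MTU is 1492, not 1500.
# Without this, hosts behind the link see connections that hang after the
# handshake when path MTU discovery is broken somewhere upstream.
scrub in all
scrub out on $ext_if all max-mss 1452

# Translate LAN sources to whatever address ppp negotiated on tun0.
# The parentheses make pf re-read the interface address on each packet,
# so the rule survives a redial that hands out a different IP.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny inbound and log what is dropped (pflog0, pflog_enable="YES").
block in log all

# Drop packets arriving on the LAN NIC with a source that cannot be there.
antispoof quick for $int_if

# Let the gateway and the (now NATed) LAN traffic out through the link;
# the state entry is what lets the replies back in past "block in".
pass out quick on $ext_if proto { tcp udp icmp } from any to any keep state

# DHCP from LAN clients to dhcpd on this box. A client has no address yet,
# so the source is 0.0.0.0 and the destination is the broadcast address;
# matching on ports rather than on $lan_net is therefore required here.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# Everything else from the LAN is allowed in and will be NATed above.
pass in quick on $int_if inet from $lan_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before enabling pf, and after a redial confirm the translation with `pfctl -s nat` and `pfctl -s state`; if LAN hosts can reach the gateway but nothing beyond it, the usual culprits are gateway_enable left at "NO" or ppp_nat still at "YES" (in which case `pfctl -s state` shows states for 192.168.100.x that never leave tun0 with the public address).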



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091027152651.6a2e336e.freebsd>