Re: ADSL modem/router connexion problem
From: Adriaan (adriaan312 hccnet.nl)
Date: Sun Jan 23 2005 - 18:56:48 CST
On Sun, 23 Jan 2005, Jakob Fix wrote:
> Thanks Rod,
>
> > If you can get a modem to do all the dirty work then you never want to
> > do PPPoE again.
>
> It's not that I like using PPPoE :-) it's the one way I know works.
>
> > The only thing you gain by using PPPoE is grabbing your static IP as
> > the $ext_if address on your firewall and there are better ways to do
> > that.
>
> Well, that's the problem: If I use the modem as router then I don't
> know how to modify my pf.conf to suit. My previous ext_if suddenly is
> intranet as well, isn't it? Consider this:
>
> current:
> intranet --- re0 OpenBSD re1 --- pppoe ---ADSL modem --- Internet
>
> new:
> intranet --- re0 OpenBSD re1 --- Router --- ??? --- Internet
>
> Where does the intranet end? re0, re1, the router?
>
> > If you want to see what I have done for many clients this way just
> > respond on list and I'll send you private email.
>
> Well yes, please, I'd like to learn!
>
> --
> cheers,
> Jakob.
I have a Speedtouch ADSL router:
      INTERNET
         |
    80.xx.xx.xx
    Speedtouch
    10.0.0.138
         |
         |
         |
    10.0.0.200
       OBSD
  192.168.222.10-----switch-------192.168.222.111
The Speedtouch will do NAT on internal->external source addresses.
For outgoing replies it has no problems. For both the 10/8 and
192.168.222/24 networks it will NAT these source addresses to 80.xx.xx.xx.
Incoming de-NATted replies for 10/8 initiated connections are also no
problem. The 10/8 network is reachable via 10.0.0.138.
However, incoming replies originally originated from the 192.168.222/24
network are a problem.
It doesn't know where to send incoming de-NATted replies with a
192.168.222/24 destination address.
By adding a static route on the ADSL router, the equivalent of
"route add -net 192.168.222.0/24 10.0.0.200",
the routing issue will be solved.
Because the Speedtouch uses source routing, it meant I had to add a
couple of routes.
=Adriaan=
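
The return-path problem described in this message, modelled as a longest-prefix route lookup on the router (an added example, not part of the original post). The table contents are constructed from the addresses in the diagram; the default route toward the ISP and the names `isp-gateway`, `lan` and `wan` are assumptions.

```python
import ipaddress

def route(prefix, next_hop, iface):
    """Build one routing-table entry."""
    return (ipaddress.ip_network(prefix), next_hop, iface)

def lookup(table, dst):
    """Longest-prefix match: return the most specific matching entry or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

# Constructed model of the ADSL router's table before any change.
ROUTER_TABLE = [
    route("10.0.0.0/8", None, "lan"),          # directly connected (10.0.0.138)
    route("0.0.0.0/0", "isp-gateway", "wan"),  # assumed default route
]

# The static route from the message: 192.168.222.0/24 via the OpenBSD box.
STATIC_ROUTE = route("192.168.222.0/24", "10.0.0.200", "lan")

def deliver_reply(table, inside_dst):
    """Where the router forwards a reply once de-NAT has restored inside_dst."""
    hit = lookup(table, inside_dst)
    if hit is None:
        return "dropped: no route"
    _prefix, next_hop, iface = hit
    return f"{iface} via {next_hop or 'direct'}"

def main():
    tables = (("before", ROUTER_TABLE),
              ("after", ROUTER_TABLE + [STATIC_ROUTE]))
    for label, table in tables:
        for dst in ("10.0.0.200", "192.168.222.111"):
            print(f"{label:6} {dst:16} -> {deliver_reply(table, dst)}")

if __name__ == "__main__":
    main()
```

Without the static route the reply for 192.168.222.111 matches nothing on the LAN side and never reaches the OpenBSD box; with it, the /24 entry wins over the default and the reply is handed to 10.0.0.200.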