Discussion:
[Shorewall-users] Adding the ppp0 interface
Grant
2016-09-21 16:38:51 UTC
I've been using shorewall for a while with net0 on the WAN and net1 on
the LAN. I just switched to PPPoE so now I have ppp0 in addition to
net0 and net1. I've replaced net0 with ppp0 everywhere in my
shorewall config and added net0 as a second interface in the loc zone
along with net1. Everything seems to be working fine. Does it sound
like I've made any glaring errors?

I read that CLAMPMSS=Yes is usually required when using PPPoE. Do I
need it if things are working fine without it?

Are there any other config changes to consider when switching from
DHCP to PPPoE?

- Grant

------------------------------------------------------------------------------
Simon Hobson
2016-09-21 19:14:42 UTC
Post by Grant
I've been using shorewall for a while with net0 on the WAN and net1 on
the LAN. I just switched to PPPoE so now I have ppp0 in addition to
net0 and net1. I've replaced net0 with ppp0 everywhere in my
shorewall config and added net0 as a second interface in the loc zone
along with net1. Everything seems to be working fine. Does it sound
like I've made any glaring errors?
I read that CLAMPMSS=Yes is usually required when using PPPoE. Do I
need it if things are working fine without it?
Are there any other config changes to consider when switching from
DHCP to PPPoE?
I wouldn't put net1 in the loc zone - I've put it in a separate zone. Not that I do anything on that interface, as the current modem doesn't have an accessible management interface until I get round to unlocking it ;-) It shouldn't matter, but it is on the outside of your firewall.
int ethint detect tcpflags,routeback,nosmurfs,dhcp
fttc ethfttc detect tcpflags,nosmurfs
dsl ppp10 detect tcpflags,nosmurfs,optional,wait=15,mss=1450

I would set CLAMPMSS, or what you find is that it looks like it's working, but you get strange failures. Everything works as long as no packet you send is larger than 1492* bytes - I think the other end takes care of dealing with MSS on your inbound traffic. So web browsing seems to work fine, you can access your email, etc. Then you find you can't send an email, and certain web sites fail (e.g. when sending a form or uploading a file).

* 1492 is the normal MSS of 1500 bytes for an ethernet frame, less the 8 byte overhead for PPPoE. I think I must have been a bit tired when I put 1450 in my config and couldn't be bothered to look it up. It doesn't do any harm at 1450 bytes - it just means large transfers take a few more frames.


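The failure mode described in the post above (small transfers work, full-size segments never get through) comes down to one number: a host on the LAN offers MSS 1460 for a 1500-byte Ethernet MTU, but once PPPoE's 8-byte header is added the link carries at most 1492 bytes of IP, so a full segment (1460 + 40 bytes of IPv4/TCP headers) is 1508 bytes on the wire. What Shorewall's CLAMPMSS=Yes turns on is the netfilter TCPMSS target in its --clamp-mss-to-pmtu mode (the interface option mss=N is the same target with --set-mss N); it rewrites the MSS option in outgoing SYNs and fixes the TCP checksum. The following is an added example written for this thread, not code from the thread or from Shorewall: it builds a constructed SYN, shows the arithmetic, and performs the same rewrite so the values can be checked. The Ethernet MTU (1500), PPPoE overhead (8), header sizes (20 + 20) and the sample addresses are assumptions labelled in the code.

```python
"""MSS clamping for a PPPoE uplink, worked through on a constructed TCP SYN.

Added example for this thread (not Shorewall's code).  It reproduces what
the netfilter TCPMSS target does under CLAMPMSS=Yes (--clamp-mss-to-pmtu)
or an interface mss=N option (--set-mss N).  Assumptions: Ethernet MTU
1500, PPPoE header 8 bytes, IPv4 and TCP headers 20 bytes each, and a
SYN built here rather than captured from a real link.
"""
import struct

ETH_MTU = 1500          # assumption: plain Ethernet frame payload
PPPOE_OVERHEAD = 8      # assumption: PPPoE header (6) + PPP protocol field (2)
IP_TCP_HEADERS = 40     # assumption: IPv4 (20) + TCP (20), no options in data segments
TCP_SYN = 0x02

def pppoe_mtu(eth_mtu=ETH_MTU):
    """Largest IP packet that fits one Ethernet frame once PPPoE is added."""
    return eth_mtu - PPPOE_OVERHEAD          # 1500 - 8 = 1492

def mss_for_mtu(mtu):
    """TCP MSS that lets a full segment fit the given IP MTU (IPv4, no options)."""
    return mtu - IP_TCP_HEADERS              # 1492 - 40 = 1452

def fits_on_link(mss, eth_mtu=ETH_MTU):
    """Does a full-size segment with this MSS fit an Ethernet frame over PPPoE?"""
    return mss + IP_TCP_HEADERS + PPPOE_OVERHEAD <= eth_mtu

def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _tcp_checksum(src, dst, tcp):
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # IPv4 pseudo-header
    return _checksum(pseudo + tcp)

def build_syn(mss, flags=TCP_SYN, src=b"\x0a\x00\x00\x02", dst=b"\xc0\x00\x02\x01"):
    """Constructed IPv4+TCP segment carrying an MSS option (kind 2, length 4).
    Addresses are placeholders (10.0.0.2 -> 192.0.2.1)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp

def _split(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl], pkt[ihl:]

def _find_mss_option(tcp):
    """Offset of the MSS value within the TCP header, or None if absent."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def get_mss(pkt):
    _, tcp = _split(pkt)
    off = _find_mss_option(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]

def clamp_mss(pkt, link_mtu):
    """What TCPMSS --clamp-mss-to-pmtu does: lower an outgoing SYN's MSS to
    link_mtu - 40 and fix the TCP checksum.  Returns (packet, changed)."""
    ip, tcp = _split(pkt)
    if not tcp[13] & TCP_SYN:
        return pkt, False                    # only SYN / SYN-ACK carry MSS
    limit = mss_for_mtu(link_mtu)
    off = _find_mss_option(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= limit:
        return pkt, False
    tcp = tcp[:off] + struct.pack("!H", limit) + tcp[off + 2:]
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]  # zero checksum before recomputing
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(ip[12:16], ip[16:20], tcp)) + tcp[18:]
    return ip + tcp, True

def tcp_checksum_ok(pkt):
    """Receiver-side check: the sum including the checksum field folds to zero."""
    ip, tcp = _split(pkt)
    return _tcp_checksum(ip[12:16], ip[16:20], tcp) == 0

if __name__ == "__main__":
    syn = build_syn(1460)                    # what a LAN host offers on a 1500 MTU
    print("offered MSS", get_mss(syn), "fits PPPoE frame:", fits_on_link(1460))
    clamped, _ = clamp_mss(syn, pppoe_mtu())
    print("clamped MSS", get_mss(clamped), "fits:", fits_on_link(get_mss(clamped)))
```

Run as-is it reports the offered MSS 1460 as not fitting and the clamped value 1452 as fitting. The 1450 in the quoted interface entry is below 1452, so it works as the post says, at the cost of two bytes per segment. The kernel side of this is the TCPMSS target, built by CONFIG_NETFILTER_XT_TARGET_TCPMSS, which is the current name of the older CONFIG_IP_NF_TARGET_TCPMSS symbol.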
------------------------------------------------------------------------------
Grant
2016-09-25 00:44:02 UTC
Post by Simon Hobson
Post by Grant
I've been using shorewall for a while with net0 on the WAN and net1 on
the LAN. I just switched to PPPoE so now I have ppp0 in addition to
net0 and net1. I've replaced net0 with ppp0 everywhere in my
shorewall config and added net0 as a second interface in the loc zone
along with net1. Everything seems to be working fine. Does it sound
like I've made any glaring errors?
I read that CLAMPMSS=Yes is usually required when using PPPoE. Do I
need it if things are working fine without it?
Are there any other config changes to consider when switching from
DHCP to PPPoE?
I wouldn't put net1 in the loc zone - I've put it in a separate zone. Not that I do anything on that interface, as the current modem doesn't have an accessible management interface until I get round to unlocking it ;-) It shouldn't matter, but it is on the outside of your firewall.
I can't think of a scenario that would necessitate eth0 and eth1 in
separate zones. Am I missing something?
Post by Simon Hobson
int ethint detect tcpflags,routeback,nosmurfs,dhcp
fttc ethfttc detect tcpflags,nosmurfs
dsl ppp10 detect tcpflags,nosmurfs,optional,wait=15,mss=1450
Here's mine:

net ppp0 tcpflags,routefilter,nosmurfs,logmartians
loc net0 tcpflags,nosmurfs
loc net1 tcpflags,nosmurfs
Post by Simon Hobson
I would set CLAMPMSS, or what you find is that it looks like it's working, but you get strange failures. Everything works as long as no packet you send is larger than 1492* bytes - I think the other end takes care of dealing with MSS on your inbound traffic. So web browsing seems to work fine, you can access your email, etc. Then you find you can't send an email, and certain web sites fail (e.g. when sending a form or uploading a file).
This page:

http://shorewall.net/manpages/shorewall.conf.html

references CONFIG_IP_NF_TARGET_TCPMSS for CLAMPMSS=Yes but I have these instead:

CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y

All good?

- Grant

------------------------------------------------------------------------------