
Re: How to setup NAT and PF for PPPoE in OpenBSD3.2



I'm fairly certain that the external interface should be referred to
as tun0. When you run ppp, it creates a virtual adapter that runs on
top of the network interface, in your case dc0. AFAIK, that is always
tun0.

Nick

On Thu, 13 Mar 2003 19:43:32 -0800 (PST), Gavin Li <bsdlist_(_at_)_yahoo_(_dot_)_com> wrote:

I set up PPPoE with these lines in /etc/ppp/ppp.conf:
default:
 set log Phase tun command
 set redial 15 0
 set reconnect 15 10000
pppoe:
 set device "!/usr/sbin/pppoe -i dc0"
 disable acfcomp protocomp
 deny acfcomp
 set speed sync
 set dial
 set login
 set authname b1jwzn79
 set authkey m1l4r8
 add default HISADDR
 enable dns
 enable mssfixup

I can access the Internet from this gateway, but I can't
access the Internet from my intranet. Previously I had a
pf.conf which I used for my gateway; it used Ethernet
to connect to the Internet. But now I have to use PPPoE to
connect to the Internet. I don't know how to do it.
Please give me some advice, thanks.
This is my pf.conf:
# pf.conf for OpenBSD3.2
# Gavin Li
# The external interface is dc0

# use a macro for the interface name, so it can be changed easily
ext_if = "dc0"
#ext_ip = ($ext_if) #"24.153.101.144"
int_if = "dc1"
int_ip = "192.168.1.1"
web_ip = "192.168.1.2"
int_net = "192.168.1.0/24"


# normalize all incoming traffic
scrub in on $ext_if all fragment reassemble

# NAT
# translate outgoing packets' source addresses (any protocol)
# in this case, any address but the gateway's external address is mapped
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)


# RDR
# translate incoming packets' destination addresses
# as an example, redirect a TCP and UDP port to an internal machine
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_ip port 80
#rdr on $ext_if inet proto udp from any to ($ext_if) port 80 -> $web_ip port 80
pass in quick on $ext_if inet proto tcp from any to $web_ip port 80

# block and log everything by default
block             out log on $ext_if           all
block             in  log on $ext_if           all
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all

# block anything coming from source we have no back routes for
block in from no-route to any

# block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if inet from ! ($ext_if) to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, 255.255.255.255/32 } to any

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in  on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# pass out all UDP connections and keep state
pass out on $ext_if proto udp all keep state

# pass in certain UDP connections and keep state (DNS)
pass in on $ext_if proto udp from any to any port domain keep state

# TCP

# pass out all TCP connections and modulate state
pass out on $ext_if proto tcp all modulate state

# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \
    auth } flags S/SA keep state

# pass in data mode connections for ftp-proxy running on this host.
# (see ftp-proxy(8) for details)
pass in on $ext_if inet proto tcp from any to ($ext_if) port >= 49152 \
    flags S/SA keep state
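Nick's point is that with PPPoE the external interface is the tun0 device ppp(8) creates, not the dc0 card that pppoe(8) runs over, while the pf.conf above sets ext_if = "dc0", so its nat, rdr and filter rules never see the PPP traffic. The script below is an added example, not part of this thread or of OpenBSD: it reads the interface named by ppp.conf's "set device" line and the pf.conf ext_if macro and reports whether the two agree; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a pf.conf's ext_if macro
# names the tun device ppp(8) creates for PPPoE, not the Ethernet card that
# ppp.conf's "set device" line hands to pppoe(8). Sample files are constructed.

# Print the interface named after "pppoe -i" in a ppp.conf (empty if none).
pppoe_phys_if() {
    sed -n 's/.*set device[[:space:]]*"!.*pppoe[[:space:]]*-i[[:space:]]*\([[:alnum:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the value of the ext_if macro in a pf.conf, quotes stripped (empty if none).
pf_ext_if() {
    sed -n 's/^[[:space:]]*ext_if[[:space:]]*=[[:space:]]*"\{0,1\}\([[:alnum:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Verdict for a ppp.conf ($1) and pf.conf ($2) pair:
#   ok      - ext_if is a tun interface, so nat/rdr/filter rules see PPPoE traffic
#   carrier - ext_if is the card pppoe(8) runs over; rules there never match PPP packets
#   unknown - one of the files gives no usable answer
check_ext_if() {
    phys=$(pppoe_phys_if "$1")
    ext=$(pf_ext_if "$2")
    if [ -z "$phys" ] || [ -z "$ext" ]; then
        echo "unknown"; return 2
    fi
    if [ "$ext" = "$phys" ]; then
        echo "carrier"; return 1
    fi
    case "$ext" in
        tun[0-9]*) echo "ok"; return 0 ;;
        *)         echo "unknown"; return 2 ;;
    esac
}

# Write constructed sample files into a temp directory and print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'pppoe:\n set device "!/usr/sbin/pppoe -i dc0"\n set speed sync\n' > "$d/ppp.conf"
    printf 'ext_if = "dc0"\nint_if = "dc1"\n' > "$d/pf-dc0.conf"   # as posted above
    printf 'ext_if = "tun0"\nint_if = "dc1"\n' > "$d/pf-tun0.conf" # with Nick's fix
    echo "$d"
}

dir=$(make_samples)
echo "as posted: $(check_ext_if "$dir/ppp.conf" "$dir/pf-dc0.conf")"   # carrier
echo "with tun0: $(check_ext_if "$dir/ppp.conf" "$dir/pf-tun0.conf")"  # ok
```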