ADSL Router - PPP Half Bridge mode background info & Help!

Hi all

I've got this Planet 3000 something ADSL Router. Now I've got it set up
to connect to my ISP with a username and password, and doing NAT (it
does DHCP too by default)

Now this is all fine and dandy. The only thing, though, is that it's
connected to only one machine - my linux server - to which a whole lan
is connected.

Now, every time I need to open a port on a client machine I have to log
into the modem and enable "virtual servers" or port forwarding, save
settings, reboot modem. Which is, understandably, annoying! Plus theres
a limit of 20 forwarder ports, and some crash the firmware!

SO i've seen this bridge/half bridge/something mode... where the linux
server gets to do the PPPoE and gets the WAN IP on a linux interface.

I've tried to set this up, by setting various Bridge and Half Bridge
settings and protocols on the modem, but nothing that makes the Linux
box see the modem.

Could anyone familiar with the involved technology briefly give me an
overview of how it works/is supposed to work?

Does the modem get an IP in a setup like this? Does all the traffic get
sent to the modem purely based on its MAC address? Does the interface
the modem is connected on need an IP address?

What is DMZ? Is it a better option? Will it accomplish the same?

Thanks, Teachers!

Coenraad Loubser wrote:
> Hi all
>
> I've got this Planet 3000 something ADSL Router. Now I've got it set up
> to connect to my ISP with a username and password, and doing NAT (it
> does DHCP too by default)
>
> Now this is all fine and dandy. The only thing, though, is that it's
> connected to only one machine - my linux server - to which a whole lan
> is connected.
>
> Now, every time I need to open a port on a client machine I have to log
> into the modem and enable "virtual servers" or port forwarding, save
> settings, reboot modem. Which is, understandably, annoying! Plus theres
> a limit of 20 forwarder ports, and some crash the firmware!
>
> SO i've seen this bridge/half bridge/something mode... where the linux
> server gets to do the PPPoE and gets the WAN IP on a linux interface.
>
> I've tried to set this up, by setting various Bridge and Half Bridge
> settings and protocols on the modem, but nothing that makes the Linux
> box see the modem.
>
> Could anyone familiar with the involved technology briefly give me an
> overview of how it works/is supposed to work?
>
> Does the modem get an IP in a setup like this? Does all the traffic get
> sent to the modem purely based on its MAC address? Does the interface
> the modem is connected on need an IP address?
>
> What is DMZ? Is it a better option? Will it accomplish the same?
>
> Thanks, Teachers!

So, do you want to get from the internal network to the Internet
via the Linux server and the ADSL connection?

I'd leave the ADSL box in as simple as possible configuration
and do the routing and address translation tasks in the Linux box.

The first step is to make the Linux box see the Net via
the ADSL. This is a place where we cannot help much, the
devil lurks in the details, and the details are in the
ADSL box and your ISP's systems.

The second step is to make the internal network run
(with private IP addresses) and work with the server.

The third step is to make the server work as a NAT
and firewall for the ADSL. Do not attempt to run a
wideband connection without a firewall - it's like
going to a cheap brothel without any protection
whatsoever. The first cracker attacked my first
ADSL connection 25 minutes after it was set up.

Get the Rusty's Remarkably Unreliable Guides from
<http://people.netfilter.org/~rusty/unreliable-guides/>.
Please do not let the name of the guide series to
mislead you - they are the best you can get.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi

Hi,

On 2005-04-18, Coenraad Loubser <(E-Mail Removed)> wrote:
> Hi all
>
> I've got this Planet 3000 something ADSL Router. Now I've got it set up
> to connect to my ISP with a username and password, and doing NAT (it
> does DHCP too by default)
>
> Now this is all fine and dandy. The only thing, though, is that it's
> connected to only one machine - my linux server - to which a whole lan
> is connected.
>
> Now, every time I need to open a port on a client machine I have to log
> into the modem and enable "virtual servers" or port forwarding, save
> settings, reboot modem. Which is, understandably, annoying! Plus theres
> a limit of 20 forwarder ports, and some crash the firmware!
>
A few friends of mine have to put up with this. I fortunately was able to
persuade my ADSL router to do PPP half-bridge/ZIPB/DHCP Spoofing (different
names for the same thing).

> SO i've seen this bridge/half bridge/something mode... where the linux
> server gets to do the PPPoE and gets the WAN IP on a linux interface.
>
> I've tried to set this up, by setting various Bridge and Half Bridge
> settings and protocols on the modem, but nothing that makes the Linux
> box see the modem.
>
> Could anyone familiar with the involved technology briefly give me an
> overview of how it works/is supposed to work?
>
I really am only experienced with PPPoA setups (us Brits have PPPoA delivered
to the doorstep) but the idea is that you configure the router in a bog
standard NAT configuration with all the firewall, port forwarding and other
fancy features explicitly turned off. You flip the 'half bridge' switch on
the router and all your linux box (or any OS for that matter) needs to do is
make a DHCP request to the router and then the Linux box by magic gets the
real IP and sees the Internet effectively directly.

In reality usually the router 'steals' the IP address, one lower or one
higher than yours, and you get the router as your default gateway on a 'fake'
IP address. This has the side effect that you will not be able to speak to
the actual person who 'owns' the IP address, however there is probably a one
in four billion chance you actually would want to

> Does the modem get an IP in a setup like this? Does all the traffic get
> sent to the modem purely based on its MAC address? Does the interface
> the modem is connected on need an IP address?
>
Now you are a PPPoE kinda person. I personally would expect it to behave in
the same manner as PPPoA as the point of half-bridge is that the PPP
encapsulation occurs elsewhere....I could be wrong though.

> What is DMZ? Is it a better option? Will it accomplish the same?
>
Not what you need, unless you fail to get the half bridge working. What you
would do is 'double-NAT'. For example the network segment between the linux
box and the router is 192.168.0.0/24 whilst your home LAN (linux box to LAN)
is 192.168.1.0/24. The router would pass through all traffic to your linux
box. In effect you treat it as if you have said for *all* port numbers port
forward to my Linux box.

Have fun

Alex

> Thanks, Teachers!

Coenraad Loubser <(E-Mail Removed)> wrote:

> I've got this Planet 3000 something ADSL Router. Now I've got it set up
> to connect to my ISP with a username and password, and doing NAT (it
> does DHCP too by default)
....
> SO i've seen this bridge/half bridge/something mode... where the linux
> server gets to do the PPPoE and gets the WAN IP on a linux interface.
....>
> I've tried to set this up, by setting various Bridge and Half Bridge
> settings and protocols on the modem,

Make sure that your bridged WAN interface uses the same
PVC (VPI/VCI) as the PPPoE interface. Check that you
also use the proper encapsulation for this interface
(either LLC bridged/Eth. without FCS, LLC bridged/Eth.
with FCS or VC multiplexing). It should be the same as
for the PPPoE interface. However I don't know the
configuration screens of your modem, so things might be
named differently.

If you don't know the right enacpsulation you could find
out by try-and-error. However for this you would need
to have the Linux pppoe stuff already set up.


....
> Does the modem get an IP in a setup like this?

Not necessary for bridging, however the bridge
might need one so that you can access its
configuration.


> Does all the traffic get
> sent to the modem purely based on its MAC address?

Yes, the bridge forwards traffic by analyzing
MAC addresses from the ethernet frame.


> What is DMZ? Is it a better option? Will it accomplish the same?

The DMZ is of no need for your (bridge) setup.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn

Horst Knobloch wrote:
> Coenraad Loubser <(E-Mail Removed)> wrote:
>
>
>>I've got this Planet 3000 something ADSL Router. Now I've got it set up
>>to connect to my ISP with a username and password, and doing NAT (it
>>does DHCP too by default)
>
> ...
>
>>SO i've seen this bridge/half bridge/something mode... where the linux
>>server gets to do the PPPoE and gets the WAN IP on a linux interface.
>
> ...>
>
>>I've tried to set this up, by setting various Bridge and Half Bridge
>>settings and protocols on the modem,
>
>
> Make sure that your bridged WAN interface uses the same
> PVC (VPI/VCI) as the PPPoE interface. Check that you
> also use the proper encapsulation for this interface
> (either LLC bridged/Eth. without FCS, LLC bridged/Eth.
> with FCS or VC multiplexing). It should be the same as
> for the PPPoE interface. However I don't know the
> configuration screens of your modem, so things might be
> named differently.
Aha! Now I didnt notice these settings anywhere, I dont recall - if I
had I would set them the same though.. I think this is where I failed!

Well, currently the modem connects perfectly and I forward all LAN
(192.168.0.x) traffic to it (10.0.0.2), as well as do some port
forwarding via iptables. (which it forwards to the linux box) - the main
thing I want to eliminate!

I downloaded this standalone pppoe dialler, but it just terminated
saying that it received no packets ("beacon" or whatever packets from
the isp, I suppose that the modem shouldve passed on if it was properly
configured). The built-in one that came with Suse pretty much did the same.

Could this also happen because I had one of the settings you mentioned
on the linux side wrong?

>
> If you don't know the right enacpsulation you could find
> out by try-and-error. However for this you would need
> to have the Linux pppoe stuff already set up.
>
>
> ...
>
>>Does the modem get an IP in a setup like this?
>
>
> Not necessary for bridging, however the bridge
> might need one so that you can access its
> configuration.
True..

>
>
>
>>Does all the traffic get
>>sent to the modem purely based on its MAC address?
>
>
> Yes, the bridge forwards traffic by analyzing
> MAC addresses from the ethernet frame.
>
>
>
>>What is DMZ? Is it a better option? Will it accomplish the same?
>
>
> The DMZ is of no need for your (bridge) setup.
>
>
> Ciao, Horst
Thanks man!

Alexander Clouter wrote:
> Hi,
>
> On 2005-04-18, Coenraad Loubser <(E-Mail Removed)> wrote:
>
>>Hi all
>>
>>I've got this Planet 3000 something ADSL Router. Now I've got it set up
>>to connect to my ISP with a username and password, and doing NAT (it
>>does DHCP too by default)
>>
>>Now this is all fine and dandy. The only thing, though, is that it's
>>connected to only one machine - my linux server - to which a whole lan
>>is connected.
>>
>>Now, every time I need to open a port on a client machine I have to log
>>into the modem and enable "virtual servers" or port forwarding, save
>>settings, reboot modem. Which is, understandably, annoying! Plus theres
>>a limit of 20 forwarder ports, and some crash the firmware!
>>
>
> A few friends of mine have to put up with this. I fortunately was able to
> persuade my ADSL router to do PPP half-bridge/ZIPB/DHCP Spoofing (different
> names for the same thing).
>
>
>>SO i've seen this bridge/half bridge/something mode... where the linux
>>server gets to do the PPPoE and gets the WAN IP on a linux interface.
>>
>>I've tried to set this up, by setting various Bridge and Half Bridge
>>settings and protocols on the modem, but nothing that makes the Linux
>>box see the modem.
>>
>>Could anyone familiar with the involved technology briefly give me an
>>overview of how it works/is supposed to work?
>>
>
> I really am only experienced with PPPoA setups (us Brits have PPPoA delivered
PPPoE (-over ethernet) PPPoA (-over ATM)
Same thing for all practical purposes! It seems! Just, ethernet
packets are bigger than atm packets. a lot bigger! 53 bytes vs ?? 1234
something
> to the doorstep) but the idea is that you configure the router in a bog
> standard NAT configuration with all the firewall, port forwarding and other
> fancy features explicitly turned off. You flip the 'half bridge' switch on
> the router and all your linux box (or any OS for that matter) needs to do is
> make a DHCP request to the router and then the Linux box by magic gets the
> real IP and sees the Internet effectively directly.
>
> In reality usually the router 'steals' the IP address, one lower or one
> higher than yours, and you get the router as your default gateway on a 'fake'
> IP address. This has the side effect that you will not be able to speak to
> the actual person who 'owns' the IP address, however there is probably a one
> in four billion chance you actually would want to
A fake IP! Really?

Well that would happen to me before I could mutter the word 'lotto'

Hmm... maybe this is called half-bridge and what I'm trying to do is
bridge, or something. Or maybe thats an -A and -E difference It seems
fishy... Do you get this fake gateway if you issue the "route -n"
command? Or is it invisible? (In which case Hmm.. fishy man, fishy!)

>
>>Does the modem get an IP in a setup like this? Does all the traffic get
>>sent to the modem purely based on its MAC address? Does the interface
>>the modem is connected on need an IP address?
>>
>
> Now you are a PPPoE kinda person. I personally would expect it to behave in
> the same manner as PPPoA as the point of half-bridge is that the PPP
> encapsulation occurs elsewhere....I could be wrong though.
No I think you are quite correct!
>
>
>>What is DMZ? Is it a better option? Will it accomplish the same?
>>
>
> Not what you need, unless you fail to get the half bridge working. What you
> would do is 'double-NAT'. For example the network segment between the linux
My current setup is in effect double nat, as my router forwards ports to
my linux box, which in turn forwards it. Also, NAT is performed at both
points.
> box and the router is 192.168.0.0/24 whilst your home LAN (linux box to LAN)
> is 192.168.1.0/24. The router would pass through all traffic to your linux
> box. In effect you treat it as if you have said for *all* port numbers port
Yah, except my router only has the ability to forward 20 ports! How
"hacker-safe" is that! Hah. Inconvenient is what it is. Maybe with a
firmware upgrade...

> forward to my Linux box.
>
> Have fun
>
> Alex
>
>
>>Thanks, Teachers!

Cool man.

Tauno Voipio wrote:
> Coenraad Loubser wrote:
>
>> Hi all
>>
>> I've got this Planet 3000 something ADSL Router. Now I've got it set
>> up to connect to my ISP with a username and password, and doing NAT
>> (it does DHCP too by default)
>>
>> Now this is all fine and dandy. The only thing, though, is that it's
>> connected to only one machine - my linux server - to which a whole lan
>> is connected.
>>
>> Now, every time I need to open a port on a client machine I have to
>> log into the modem and enable "virtual servers" or port forwarding,
>> save settings, reboot modem. Which is, understandably, annoying! Plus
>> theres a limit of 20 forwarder ports, and some crash the firmware!
>>
>> SO i've seen this bridge/half bridge/something mode... where the linux
>> server gets to do the PPPoE and gets the WAN IP on a linux interface.
>>
>> I've tried to set this up, by setting various Bridge and Half Bridge
>> settings and protocols on the modem, but nothing that makes the Linux
>> box see the modem.
>>
>> Could anyone familiar with the involved technology briefly give me an
>> overview of how it works/is supposed to work?
>>
>> Does the modem get an IP in a setup like this? Does all the traffic
>> get sent to the modem purely based on its MAC address? Does the
>> interface the modem is connected on need an IP address?
>>
>> What is DMZ? Is it a better option? Will it accomplish the same?
>>
>> Thanks, Teachers!
>
>
> So, do you want to get from the internal network to the Internet
> via the Linux server and the ADSL connection?
>
> I'd leave the ADSL box in as simple as possible configuration
> and do the routing and address translation tasks in the Linux box.
Currently being done. Except the router does it too! In addition!

> The first step is to make the Linux box see the Net via
> the ADSL. This is a place where we cannot help much, the
> devil lurks in the details, and the details are in the
> ADSL box and your ISP's systems.
Well, the adsl modem can get an IP and default gateway from the ISP,
after sending a login and password...

Now if only I can put the modem in this cool "bridge" mode, so the linux
box could do that...

>
> The second step is to make the internal network run
> (with private IP addresses) and work with the server.
LAN running smoothly, transparent proxies, webserver, port forwarding,
all fine and dandy!
>
> The third step is to make the server work as a NAT
> and firewall for the ADSL. Do not attempt to run a
> wideband connection without a firewall - it's like
> going to a cheap brothel without any protection
> whatsoever. The first cracker attacked my first
> ADSL connection 25 minutes after it was set up.
Heh heh. Yeah. My modem gets flooded with incoming traffic and crashes
now and then. If my linux box does the pppoe then I'll be able to see why!
>
> Get the Rusty's Remarkably Unreliable Guides from
> <http://people.netfilter.org/~rusty/unreliable-guides/>.
> Please do not let the name of the guide series to
> mislead you - they are the best you can get.
>
> HTH
>
Cool. looking at it now! Btw if you guys have more than one windoze pc
on the same desk, get desktop rover from http://www.neslosoftware.com it
is HOT- better than vnc or anything. You can just cut and paste and drag
your mouse to the other pc's desks. Lovely. And type and paste there!
Very convenient. But I'll code a better version when I get the time...

Aha, cool, I have been over those!
Thanks man!

Later
C:

Coenraad Loubser <(E-Mail Removed)> wrote:

> Horst Knobloch wrote:
>> Coenraad Loubser <(E-Mail Removed)> wrote:

[Planet 3000 ADSL Router to be configured as a Bridge]

>> Make sure that your bridged WAN interface uses the same
>> PVC (VPI/VCI) as the PPPoE interface. Check that you
>> also use the proper encapsulation for this interface
>> (either LLC bridged/Eth. without FCS, LLC bridged/Eth.
>> with FCS or VC multiplexing). It should be the same as
>> for the PPPoE interface. However I don't know the
>> configuration screens of your modem, so things might be
>> named differently.
>
> Aha! Now I didnt notice these settings anywhere, I dont recall - if I
> had I would set them the same though.. I think this is where I failed!

They might be named completely differently. Without
a manual the names or the options are hard to guess.


> Well, currently the modem connects perfectly and I forward all LAN
> (192.168.0.x) traffic to it (10.0.0.2), as well as do some port
> forwarding via iptables. (which it forwards to the linux box) - the main
> thing I want to eliminate!

Sounds like you still have it configured as a router and
not as a bridge. Is there a manual of your ADLS router
online available? In the manual should be more hints what
and how you must configure the modem as a bridge.
Unfortunately I didn't find one online.


> I downloaded this standalone pppoe dialler, but it just terminated
> saying that it received no packets ("beacon" or whatever packets from
> the isp, I suppose that the modem shouldve passed on if it was properly
> configured).
....
> Could this also happen because I had one of the settings you mentioned
> on the linux side wrong?

It just means that your ADSL modem is not properly
bridging. You have not enabled bridging between WAN
and LAN interface, wrong VPI/VCI or wrong encapsulation
choosen.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn

Horst Knobloch wrote:
> Coenraad Loubser <(E-Mail Removed)> wrote:
>
>
>>Horst Knobloch wrote:
>>
>>>Coenraad Loubser <(E-Mail Removed)> wrote:
>
>
> [Planet 3000 ADSL Router to be configured as a Bridge]
>
>
>>>Make sure that your bridged WAN interface uses the same
>>>PVC (VPI/VCI) as the PPPoE interface. Check that you
>>>also use the proper encapsulation for this interface
>>>(either LLC bridged/Eth. without FCS, LLC bridged/Eth.
>>>with FCS or VC multiplexing). It should be the same as
>>>for the PPPoE interface. However I don't know the
>>>configuration screens of your modem, so things might be
>>>named differently.
>>
>>Aha! Now I didnt notice these settings anywhere, I dont recall - if I
>>had I would set them the same though.. I think this is where I failed!
>
>
> They might be named completely differently. Without
> a manual the names or the options are hard to guess.
>
>
>
>>Well, currently the modem connects perfectly and I forward all LAN
>>(192.168.0.x) traffic to it (10.0.0.2), as well as do some port
>>forwarding via iptables. (which it forwards to the linux box) - the main
>>thing I want to eliminate!
>
>
> Sounds like you still have it configured as a router and
> not as a bridge. Is there a manual of your ADLS router
> online available? In the manual should be more hints what
> and how you must configure the modem as a bridge.
> Unfortunately I didn't find one online.
>
Hey man! Thanks for the help. Yes, of course I have it set up like this,
otherwise I would not be able to email - and my problem is I cant get
bridge mode working ;D

http://wish.org.za/EM-ADE3100.pdf

PL-ADE-3100 is the model number. the docs are fairly useless and only
show pictures of the web interface with idiotic duh "click ok" style
instructions. Then again.. maybe I should play with the LLC-1384 and
weird named settings...

Will report back shortly... If I can get back online again...


>
>
>>I downloaded this standalone pppoe dialler, but it just terminated
>>saying that it received no packets ("beacon" or whatever packets from
>>the isp, I suppose that the modem shouldve passed on if it was properly
>>configured).
>
> ...
>
>>Could this also happen because I had one of the settings you mentioned
>>on the linux side wrong?
>
>
> It just means that your ADSL modem is not properly
> bridging. You have not enabled bridging between WAN
> and LAN interface, wrong VPI/VCI or wrong encapsulation
> choosen.
>
> Ciao, Horst

Great!

Got it sorted

In addition to the "Enable Bridge mode" option, I had to change the
encapsulation to "1483 Bridged LLC"

Works like a dream now...

Now to study up iptables, because nmap localhost shows WAAY to many open
ports...