Networking Forums


PPPoE switched into the LAN (no dedicated NIC)

 
 
Ekkehard Kraemer
Guest
Posts: n/a

 
      12-25-2003, 09:47 AM
Hello,

my primary router PC just died (HDD failure), so to avoid changing NICs
around, and because I had no other PC with two NICs in them, I did the
following:

- Hardware: 2 PCs, frodo and sam, one switching hub.
- frodo is wired to the hub.
- sam is wired to the hub.
- The PPPoE access concentrator is wired to the hub. (!)
- sam runs the PPPoE connection and does NAT for frodo (and any other PCs
on the LAN).
- No other routers/switches; flat LAN.

Now, I see the following good points about this:

- I don't need to climb below the desk and switch around the NICs. :-)
- Any (!) PC on the LAN can manage the PPPoE connection without any (!)
recabling. I don't have to switch on one specific "router" PC to have a
'net connection. I'm much more flexible when the next HDD breaks down, and
I don't have to have a big HDD in the dedicated Linux router anymore,
since when I have to download something overnight, I can just switch it
off and let the download PC with the big HDD do the PPPoE itself.
- It works. To be sure of it, I had a Linux PC doing the PPPoE and NAT, as
well as a Win98SE PC doing the PPPoE and NAT, and in both cases it worked
flawlessly (as far as I could tell with a bit of sniffing).
- Regarding internet access, it should be as safe or unsafe as if I had a
separate NIC for the PPPoE.
- I'm toying with the idea of getting a Mini-ITX board as a new router PC.
Due to the very restricted space, needing only one NIC is a *very* large
boon to me.
- I never heard about this anywhere, and was quite fascinated that it
works (but after reading the beginning of the PPPoE RFC it's clear that it
should work, since PPPoE is just standard Ethernet traffic...).

I see the following bad points:

- The Access Concentrator is physically on my LAN, without any firewall,
router, etc. So some evil soul on the POP side could speak un-firewalled
IP to my LAN by physically plugging in a NIC card at the POP and
configuring it to match my LAN settings.
- There is (more) spillover of broadcast traffic on the PPPoE link (it
will get all broadcast IPs on my LAN, where it didn't get any with its own
dedicated NIC).

Any comments? Would you suggest to dump this solution and go back to a
dedicated NIC for the PPPoE?

Thanks,
Ekkehard
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
 
 
 
 
 
Leon.
Guest
Posts: n/a

 
      12-26-2003, 07:14 AM

"Ekkehard Kraemer" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> Hello,
>
> my primary router PC just died (HDD failure), so to avoid changing NICs
> around,


Gee. I can see why you would want to avoid so much effort.



> and because I had no other PC with two NICs in them, I did the
> following:
>
> - Hardware: 2 PCs, frodo and sam, one switching hub.
> - frodo is wired to the hub.
> - sam is wired to the hub.
> - The PPPoE access concentrator is wired to the hub. (!)
> - sam runs the PPPoE connection and does NAT for frodo (and any other PCs
> on the LAN).


yep, ethernet is a flexible communications system.

> - No other routers/switches; flat LAN.


naivety - switches are a flat lan.
switches are just a type of hub.

bridges make a virtual flat lan.

> - I don't need to climb below the desk and switch around the NICs. :-)


My wife is like that. put my shoes on for me, change the tv channel for me,
turn the tv up for me, turn the tv down for me.

struth.


> - Any (!) PC on the LAN can manage the PPPoE connection without any (!)
> recabling. I don't have to switch on one specific "router" PC to have a
> 'net connection.


yep.


> I'm much more flexible when the next HDD breaks down, and


well is that really a problem? are you prepared for hurricanes and nuclear
attacks too?

> I don't have to have a big HDD in the dedicated Linux router anymore,


you never did need a big HDD.


> since when I have to download something overnight, I can just switch it
> off and let the download PC with the big HDD do the PPPoE itself.



you could always use linux on a PC with a small HDD, or a PC without a HDD.


> - Regarding internet access, it should be as safe or unsafe as if I had a
> separate NIC for the PPPoE.


correct, there isn't a security hassle.


> - The Access Concentrator is physically on my LAN, without any firewall,
> router, etc. So some evil soul on the POP side could speak un-firewalled
> IP to my LAN by physically plugging in a NIC card at the POP and
> configuring it to match my LAN settings.



yes they would have to go to great lengths to do some attack, however it
works on that side.



> - There is (more) spillover of broadcast traffic on the PPPoE link (it
> will get all broadcast IPs on my LAN, where it didn't get any with its own
> dedicated NIC).


Nope, the modem won't listen to broadcasts - won't relay them to the ISP ..
???
Anyway, it's not a problem. The PPP server will just ignore the odd packets.


> Any comments? Would you suggest to dump this solution and go back to a
> dedicated NIC for the PPPoE?
>
> Thanks,
> Ekkehard
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



 
 
Ekkehard Kraemer
Guest
Posts: n/a

 
      12-26-2003, 08:06 AM
On Fri, 26 Dec 2003 19:14:03 +1100, Leon. <(E-Mail Removed)>
wrote:

Hello Leon,

> Gee. I can see why you would want to avoid so much effort.


Yes, I regard spending an hour or more on restoring that PC vs. just
plugging a cable into a switch as quite an effort, at least for an interim
solution on Christmas day. Do you know the effect of wives and scissors on
men and network cables if said men start swapping NIC cards on
Christmas eve?

The ex-router-PC has no floppy or CD drive, and the PC which was available
to replace the firewall is one with no possibility to add another network
card.

> yep, ethernet is a flexible communications system.


Aye, I found it funny that this kind of setup is never mentioned in any
HOWTOs etc. and was looking for real reasons why not to do it. Maybe there
is a strong point that escaped me so far.

> Nope, the modem won't listen to broadcasts - won't relay them to the ISP


Doesn't the modem have to listen to broadcasts to transfer the session
initiation package to the access concentrator? Do DSL modems know what the
initiation package looks like, and filter out the other broadcasts?

>> Any comments? Would you suggest to dump this solution and go back to a
>> dedicated NIC for the PPPoE?


Ekkehard
 
 
jack
Guest
Posts: n/a

 
      12-26-2003, 09:08 AM
Ekkehard Kraemer wrote:

> Aye, I found it funny that this kind of setup is never mentioned in any
> HOWTOs etc. and was looking for real reasons why not to do it. Maybe
> there is a strong point that escaped me so far.


Sorry that I cannot quote the source of this, but there is (was) one
HowTo on this, at least there was one some years ago when I switched to
DSL myself... - IIRC there was a french guy who had a fairly good guide
on that, with good explanations on what exactly is going on.

In short, there is no technical problem to do it this way. Even security
issues are only a minor aspect in that context, but personally I don't
feel comfortable when internal and external connections are not properly
(i.e. physically) separated. And one more thing is about bandwidth, that
if You only have one DSL line, You will eventually have to have one box
managing that line and thus NATting all other local clients. Since all
that happens on the same physical net, You will end up doubling the
traffic in there. But in practice that should be no problem: The DSL is
relatively slow anyway, compared to Your LAN speed.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

 
 
Leon.
Guest
Posts: n/a

 
      12-28-2003, 07:02 AM

>
> > yep, ethernet is a flexible communications system.

>
> Aye, I found it funny that this kind of setup is never mentioned in any
> HOWTOs etc. and was looking for real reasons why not to do it. Maybe there
> is a strong point that escaped me so far.


I heard that the PPPoE modems "lock on" to listening to the first ethernet
address they hear from.
When you change the nic talking to it, the solution is to turn the modem off,
and then have it directly connected to the PC that is going to PPPoE to it
and then turn it on.

But that's just what I heard about one modem once.

Maybe it doesn't apply to all modems.

Maybe some only listen to the ethernet packets addressed to their hardware
address. That's the way I would do it.








 
 
Ekkehard Kraemer
Guest
Posts: n/a

 
      12-28-2003, 08:42 AM
On Sun, 28 Dec 2003 19:02:42 +1100, Leon. <(E-Mail Removed)>
wrote:

> I heard that the PPPoE modems "lock on" to listening to the first
> ethernet address they hear from.
> When you change the nic talking to it, the solution is to turn the modem
> off, and then have it directly connected to the PC that is going to PPPoE
> to it and then turn it on.


Sorry for the confusion - the original question was not "how" to connect
the modem to a switch, but whether it would be unsafe or evil to do it.

My own DSL-modem does not lock on to the NICs. I can just kill the PPPoE
session on one PC and start another one on another PC.

> Maybe some only listen to the ethernet packets addressed to their
> hardware address. That's the way I would do it.


They only get the unicast packets addressed to their (or their CA's?) MAC
address anyway, since there's a switch in front of it. The original
question was what happens with broadcast packets (DHCP, ARP, etc.).

From another source, I'm almost convinced that (modern) DSL modems only
forward PPPoE traffic (ethernet-type "PPPoE") in both directions; but not
sure on that. In that case, everything should be perfectly fine.

Ekkehard
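
Added example, not written by any poster in this thread: a small classifier for the frames discussed above, showing which ones a switch floods to the modem port and which would pass a modem that bridges only the two PPPoE EtherTypes (0x8863 discovery, 0x8864 session, per RFC 2516). The PPPoE-only modem behaviour is the assumption raised in the last post; the MAC addresses and sample frames are constructed.

```python
import struct

ETH_PPPOE_DISCOVERY = 0x8863   # PADI/PADO/PADR/PADS/PADT (RFC 2516)
ETH_PPPOE_SESSION = 0x8864     # PPP frames of an established session
BROADCAST = b"\xff" * 6
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
               0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}

def classify(frame: bytes) -> dict:
    """Classify one untagged Ethernet II frame seen on the shared segment."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pppoe = None
    if ethertype in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        if len(frame) < 20:
            raise ValueError("truncated PPPoE header")
        ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11:               # version 1, type 1
            raise ValueError("unexpected PPPoE version/type")
        pppoe = (PPPOE_CODES.get(code, hex(code)), session_id, length)
    flooded = dst == BROADCAST             # a switch floods this to every port
    return {
        "pppoe": pppoe,
        "flooded_to_modem_port": flooded,
        # Assumption from the thread: the modem bridges only PPPoE EtherTypes.
        "passes_pppoe_only_modem": pppoe is not None,
        # LAN broadcast that is exposed upstream if the modem bridges everything.
        "lan_leak_if_unfiltered": flooded and pppoe is None,
    }

# Constructed sample frames; MAC addresses are made up, locally administered.
SAM, FRODO, AC = (bytes.fromhex(m) for m in
                  ("020000000001", "020000000002", "020000000003"))
PADI = BROADCAST + SAM + struct.pack("!HBBHH", 0x8863, 0x11, 0x09, 0, 4) \
    + struct.pack("!HH", 0x0101, 0)        # empty Service-Name tag
ARP = BROADCAST + FRODO + struct.pack("!H", 0x0806) + bytes(28)
SESSION = AC + SAM + struct.pack("!HBBHH", 0x8864, 0x11, 0x00, 1, 2) \
    + struct.pack("!H", 0x0021)            # PPP protocol field: IPv4

if __name__ == "__main__":
    for name, frame in (("PADI", PADI), ("ARP", ARP), ("SESSION", SESSION)):
        print(name, classify(frame))
```

The PADI is a broadcast that must reach the access concentrator, so even a PPPoE-only modem has to listen to broadcasts; the ARP broadcast reaches the modem port as well and stays on the LAN only if the modem filters by EtherType.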
 