Subject: Re: NetBSD vs. PPPoA (with native IPv6)
To: Matthias Scheler <email@example.com>
From: Amadeus Stevenson <firstname.lastname@example.org>
Date: 05/03/2006 17:18:43
We have a consumer bulldog (8mbit/600kbit) adsl line which needs to be
shared in a student hall of residence. I'll go through what I did,
although it may bear little resemblance to your scenario (mainly as
we're on ipv4).
The system was originally running off a Speedtouch 510 ethernet router
(pppoA) with the router providing limited ipv4 dhcp addresses via nat
to the client machines.
When reworking the system I had the following considerations in mind:
- Bandwidth shaping due to tiny uplink for ~60 students
- "Idiot proof" or - after a hard modem reset minimal configuration needed
- Did I mention "idiot proof"? The idea is that when I'm gone it should
be easy to fix.
There are a few possibilities with this modem if you want to use a
- transparent bridging + 1 layer of NAT; similar to that described by
Matthias; gateway does ppp stuff directly and skips modem NAT
- dhcp spoofing + 1 layer of NAT; first machine to request ip gets the
external ip + all traffic and skips modem NAT, although I'm not sure
what overhead is involved compared to the above
- regular dhcp + 2 layers of nat (one from modem, then one from gateway
to rest of network)
- regular dhcp + "1.5" layers of nat (set default NAPT server to
gateway, which forwards all packets to the gateway as in dhcp
spoofing, but without the external ip. "1.5" as on the modem side
there is only 1 ip address involved in NAT: that of the gateway).
I avoided transparent bridging as I know that no-one without previous
experience with *nix and netbsd ppp would be able to update the login
settings if they changed.
I used dhcp spoofing for a while, but ran into problems when people
would trip over the modem power and the gateway had issues with
getting a new ip address when the modem dialed in again. Also, after a
hard reset there was quite a lot of configuration to do to get this to
work. Not to forget also people plugging in other machines to the
router (which has 4 ethernet ports), shutting down the gateway (by
tripping over it or something) and then their machine getting sole
access to the internet...
Now we're using regular dhcp + "1.5" layers of nat at the moment, so
it looks something like this:
  ADSL -> Speedtouch Router [81.xx.xx.xx] (one-IP NAT)
       -> netbsd Gateway [10.x.x.x] (NAT)
       -> Client network [192.x.x.x]
I imagine this involves less overhead, and allows me to easily run net
services from the gateway, than with the 2 layer NAT setup. Of course,
when people still insist on plugging in their computers to the modem,
then resetting the modem because their internet won't work, the
default NAPT server entry in the modem config needs to be updated if
the gateway ip changes (assigned via dhcp).
Without a doubt transparent bridging would be better as then only one
layer of NAT would exist between clients and the internet. Of course
ipv6 with lots of ip space would be the best but we're not nearly
ready for that here.
How did you get ipv6 over your ipv4 interface Matthias?
For bandwidth shaping I had to experiment a lot as I found the
documentation very scarce on this subject for netbsd (via google).
I settled on ALTQ with netbsd-2.0 and ipfilter and that seems to be OK
with PRIQ, although something more flexible could be better. We're
already extremely limited with a 600kbit uplink and 60 students who
all like file sharing (although not any more thanks to draconian local
As far as idiot-proofing goes, power-cycling the modem and gateway
(the bad way) works fine, and I have setup a variety of remote
administration and visual aid tools mainly through cgi with a local
However I know it will only be a few months after I leave before the
adsl line goes down for some reason, and the "mysterious" black netbsd
box gets the blame and gets retired. It's very hard to train people,
especially if there is a huge lack of technically-minded people.
Sorry for the rambling,
On 5/3/06, Matthias Scheler <email@example.com> wrote:
> like most NetBSD users I've talked to I've used an ADSL router in the
> past to connect my NetBSD boxes to a BT ADSL service (in my case via
> AAISP). Such a setup has various disadvantages:
> 1.) If you have only 1 public IPv4 address it will be used by the router
> and you can provide service only via NAT.
> 2.) Even if you have multiple public IPv4 addresses you either have to
> use a bridging firewall (difficult), a transfer network (not possible
> with most providers) or settle for the poor firewall functionality
> offered by the ADSL router.
> 3.) It cannot support native IPv6 over the ADSL line unless the router
> supports it, too. It seems that the Cisco 872 is the only ADSL router
> on the market which supports IPv6. And like all Cisco products it is
> expensive (and has probably a lot of bugs in its IOS ;-).
> The only alternative solution I've heard about is to use a SpeedTouch
> 330 USB ADSL Modem. These modems are only supported via driver for the
> NetBSD port of FreeBSD's Userland PPP. Besides causing considerable
> overhead (because network traffic is copied between kernel and
> userland several times) this solution supports neither native IPv6
> (unless somebody ports a newer version of the Userland PPP) nor ADSL 2+.
> Searching for a better solution I found the Linksys ADSL2MUE. Besides
> being a very simple ADSL router it can also act in "Bridge Mode".
> While running in this mode it will look out for PPPoE (PPP over
> Ethernet) packets on its ethernet interface and send them out as
> PPPoA (PPP over ATM) packets over its ADSL interface and vice versa.
> And PPP over Ethernet is supported by NetBSD very well via the
> pppoe(4) network interface. This allows you to use a NetBSD box as
> the ADSL router quite easily and without burning a lot of CPU time.
> I'm using such a setup at home for a few days now with a SPARCstation 20
> acting as firewall and ADSL router. It is connected to the ADSL2MUE
> modem over an extra ethernet interface (probably not necessary). On
> that interface it uses IPv4 for configuring and monitoring the modem
> and PPPoE for the DSL connection. This setup works reliably and fast
> (getting the ADSL router out of the IP routing improved ping times by
> a few milliseconds) and allows me to use AAISP's support for native
> IPv6 over DSL connections (without any tunneling).
> I hope somebody else finds this suggestion useful, too.
> Kind regards
> Matthias Scheler http://scheler.de/~matt
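As an added example (not code from the thread, from either poster, or from the NetBSD project), here is a small POSIX sh script that emits the two NetBSD configuration files behind the "regular dhcp + 1.5 layers of NAT" gateway Amadeus describes: an ipnat.conf that hides the 192.x.x.x client network behind whatever 10.x.x.x address the modem leases to the gateway, and an altq.conf that puts ALTQ PRIQ on the 600 kbit uplink. The interface name fxp0, the 192.168.1.0/24 client prefix, the three priority classes and the 95% shaping margin are assumptions chosen for the example, not details taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate /etc/ipnat.conf and
# /etc/altq.conf for a NetBSD gateway sitting behind a one-IP NAT modem.
# Assumed (not stated in the thread): the modem-facing interface is fxp0
# and gets its 10.x.x.x address by DHCP; the client network is
# 192.168.1.0/24; the ADSL uplink syncs at 600 kbit/s.  Override with
# environment variables if your layout differs.

EXT_IF="${EXT_IF:-fxp0}"              # towards the Speedtouch (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # client network (assumed prefix)
UPLINK_KBIT="${UPLINK_KBIT:-600}"     # uplink sync rate in kbit/s

# Shape at about 95% of the sync rate so the queue forms on the gateway,
# where PRIQ can reorder it, rather than in the modem's own FIFO.
shape_rate() {
    echo "$(( UPLINK_KBIT * 95 / 100 ))K"
}

# ipnat(5): an external address of 0/32 means "the address $EXT_IF has
# right now", so a fresh DHCP lease from the modem after a power-cycle
# needs no edit to this file (only the modem's NAPT-server entry, which
# lives on the modem, still has to point at the gateway).
gen_ipnat() {
    cat <<EOF
# /etc/ipnat.conf (generated)
map $EXT_IF $LAN_NET -> 0/32 portmap tcp/udp auto
map $EXT_IF $LAN_NET -> 0/32
EOF
}

# altq.conf(5): one PRIQ discipline on the uplink with three classes.
# Filter lines read: filter <if> <class> <dst> <dport> <src> <sport> <proto>
# where 0 matches anything; protocol 6 is TCP, 17 is UDP.  altq.conf can
# only classify on addresses, ports, protocol and TOS, so "bulk" is simply
# the default class that all unmatched traffic (file sharing included)
# falls into and is served last.
gen_altq() {
    cat <<EOF
# /etc/altq.conf (generated)
interface $EXT_IF bandwidth $(shape_rate) priq
class priq $EXT_IF interactive_class NULL priority 2
class priq $EXT_IF web_class NULL priority 1
class priq $EXT_IF bulk_class NULL priority 0 default
filter $EXT_IF interactive_class 0 53 0 0 17
filter $EXT_IF interactive_class 0 53 0 0 6
filter $EXT_IF interactive_class 0 22 0 0 6
filter $EXT_IF web_class 0 80 0 0 6
filter $EXT_IF web_class 0 443 0 0 6
EOF
}

# Usage: sh gen_gateway.sh ipnat > /etc/ipnat.conf
#        sh gen_gateway.sh altq  > /etc/altq.conf
case "${1:-}" in
    ipnat) gen_ipnat ;;
    altq)  gen_altq ;;
esac
```

The kernel needs `options ALTQ` and `options ALTQ_PRIQ`, and the files are picked up by `ipnat=YES` and `altqd=YES` in /etc/rc.conf. Shaping has to live on the gateway's uplink-facing interface, slightly under the line rate, because a queue that builds inside the modem is outside PRIQ's reach; the 5% margin here is a starting point to tune against the real sync rate, not a measured value.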