Subject: pppoe connection randomly down
To: None <netbsd-help@NetBSD.org>
From: J.Lorec <j.lorec@ddcr.biz>
List: netbsd-help
Date: 03/18/2004 21:06:22
Hello everyone,

I'm using NetBSD as an internet gateway for a small non-corporate local
network with only a few services running, and I have a really weird problem
with the ADSL connection attached.

Randomly (well, I didn't find any cyclic point) I completely lose the
connection to the "outside" (I mean the internet); ping is mysteriously quiet
while the pppoe session still seems to be operational.
I use a Sagem modem tunneled through an old Ethernet card whose manufacturer
and model I can't remember (detected here as ne2).
The system was a 1.6.1 with a heavily customized and stripped-down kernel
and a partially updated userland. I've very recently moved to a 1.6.2 with
the same tweaks or a 1.6.2 GENERIC kernel (kept unmodified for testing
purposes) and its associated, untouched userland. It could be uncorrelated,
but it seems (I have no proof and this is only a vague impression) that the
downtime occurrence is more frequent using this new release (same
configuration files, same options as the old one).
To fix this when it happens I have to completely restart the network; no
"less absolute" solution seems to work. I remember that a few times, before I
decided to fully upgrade, it didn't even help.

Nothing appears in the logs (except some daemons that couldn't get connected
to the outside).

The local network has no problem in the meantime, ever.

When I don't encounter this problem, everything works as I expect.



Could this be a hardware failure? A configuration problem (please ask for
specific config files)? Or an annoyance from my ISP?

Could someone please help me troubleshoot this?




NB: I X'ed out my current IP

>cat /etc/ifconfig.pppoe0
create
! /sbin/ifconfig ne2 media 10baseT up
! /sbin/pppoectl -e ne2 $int
! /sbin/pppoectl $int myauthproto=chap myauthname='XXXXXXXX' myauthsecret='XXXXXXXX' hisauthproto=none
inet 0.0.0.0 0.0.0.1
! /sbin/route add default -inet 0.0.0.1
up

I used to get ifwatchd running but not anymore as it was no help (in my case
pppoe0 is not detected as being down):
>cat /etc/ip-down
#! /bin/sh
/sbin/route delete default $5
>cat /etc/ip-up
#! /bin/sh
INET_A=`/sbin/ifconfig pppoe0 | /usr/bin/grep netmask | /usr/bin/awk '{ print $2 }'`
INET_R=`/sbin/ifconfig pppoe0 | /usr/bin/grep netmask | /usr/bin/awk '{ print $4 }'`
/sbin/route delete default
if [ "$INET_A" = "0.0.0.0" ]; then
        exit 1
fi
/sbin/route add default $INET_R
/sbin/ipf -Fa -f /etc/ipf.conf && /sbin/ipf -y
/etc/rc.d/ipnat reload

>dmesg
...
ex0 at pci0 dev 10 function 0: 3Com 3c905B-TX 10/100 Ethernet (rev. 0x30)
ex0: interrupting at irq 12
ex0: MAC address 00:10:5a:c4:c8:51
exphy0 at ex0 phy 24: 3Com internal media interface
exphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ne2 at pci0 dev 11 function 0: RealTek 8029 Ethernet
ne2: Ethernet address 00:80:c8:fd:4c:68
ne2: 10base2, 10baseT, 10baseT-FDX, auto, default [0x00 0x30] auto
ne2: interrupting at irq 10
...

while my internet connection is lost:

>ifconfig pppoe0
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        inet 81.56.X.X -> 192.168.254.254 netmask 0xff000000

>pppoectl -d pppoe0
pppoe0: state = session
        Session ID: 0xe229
        PADI retries: 0
        PADR retries: 0

>route show
default           192.168.254.254    UG
loopback          127.0.0.1          UGR
localhost         127.0.0.1          UH
192.168.1.0       link#1             U
glaaki    00:10:5a:c4:c8:51  UH
dagon       02:0c:6e:e3:d7:47  UH
...
192.168.254.254   81.56.X.X        UH

Some misc configs:

I don't think it could help but...

>cat /etc/ipnat.cf
map pppoe0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp mssclamp 1440
map pppoe0 192.168.1.0/24 -> 0/32 proxy port 554 raudio/tcp mssclamp 1440
map pppoe0 192.168.1.0/24 -> 0/32 proxy port 7070 raudio/tcp mssclamp 1440
map pppoe0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000 mssclamp 1440
map pppoe0 192.168.1.0/24 -> 0/32 mssclamp 1440
rdr ex0 192.168.1.1/32 port 80 -> 127.0.0.1 port 80 tcpudp
rdr ex0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcpudp
rdr pppoe0 0.0.0.0/0 port 5842 -> 192.168.1.9 port 4661 tcp

>cat /etc/ipf.cf
#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
#
# Generic for all other interfaces
#
#################################################################
# Group definitions.
block in quick on pppoe0 all head 100
block out quick on pppoe0 all head 200
block in quick on ex0 all head 300
block out quick on ex0 all head 400
#################################################################
# (Inbound Section)
# public internet -> private net.
#################################################################
# Block dubious packets.
block in quick on pppoe0 all with ipopts group 100
block in quick on pppoe0 all with frag group 100
block in quick on pppoe0 all with short group 100
block in quick on pppoe0 proto tcp all flags FUP group 100
block in quick on pppoe0 proto tcp all flags SF/SFRA group 100
block in quick on pppoe0 proto tcp all flags /SFRA group 100
# Non-routable addresses + deny all broadcast stuff.
block in quick on pppoe0 from 192.168.0.0/16 to any group 100
block in quick on pppoe0 from 172.16.0.0/12 to any group 100
block in quick on pppoe0 from 127.0.0.0/8 to any group 100
block in quick on pppoe0 from 10.0.0.0/8 to any group 100
block in quick on pppoe0 from 169.254.0.0/16 to any group 100
block in quick on pppoe0 from 192.0.2.0/24 to any group 100
block in quick on pppoe0 from 204.152.64.0/23 to any group 100
block in quick on pppoe0 from 224.0.0.0/3 to any group 100
block in quick on pppoe0 from 255.255.255.255/32 to any group 100
block in quick on pppoe0 from 0.0.0.0/32 to any group 100
# Modem specific
pass in quick on pppoe0 proto udp from any port = 3456 to any port = 3456 keep state group 100
# Allow in services
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = ssh flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = www flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = https flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = smtp flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = imap flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = pop3 flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = smtps flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = imaps flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = pop3s flags S keep state group 100
pass in quick on pppoe0 proto udp from any to 81.56.X.X port = ntp keep state group 100
pass in quick on pppoe0 proto tcp from any to 81.56.X.X port = ftp flags S keep state group 100
pass in quick on pppoe0 proto tcp from any port = ftp-data to 81.56.X.X port > 1024 flags S keep state group 100
block return-rst in quick on pppoe0 proto tcp from any to 81.56.X.X port = auth group 100
# PGP
pass in quick on pppoe0 proto tcp from any to any port = 11371 flags S keep state group 100
# gCodeWarrior
pass in quick on pppoe0 proto tcp from any to any port = 5842 flags S keep state group 100
# RealMedia
pass in quick on pppoe0 proto tcp from any to any port = 554 flags S keep state group 100
pass in quick on pppoe0 proto tcp from any to any port = 7070 flags S keep state group 100
# Shoutcast
pass in quick on pppoe0 proto tcp from any to any port = 8038 flags S keep state group 100
# Parent Squid proxies
pass in quick on pppoe0 proto tcp from 212.X.X.0/24 port = 3128 to 81.56.X.X keep state group 100
##pass in quick on pppoe0 proto udp from 212.X.X.0/24 port = 3130 to 81.56.X.X keep state group 100
# ping
pass in quick on pppoe0 proto icmp from any to 81.56.X.X icmp-type 8 keep state group 100
# Deny and block anything else.
block in log quick on pppoe0 all group 100
#################################################################
# (Outbound Section)
# Private net -> public internet.
#################################################################
# Non-routable addresses + deny all broadcast stuff.
block out log quick on pppoe0 from any to 192.168.0.0/16 group 200
block out log quick on pppoe0 from any to 172.16.0.0/12 group 200
block out log quick on pppoe0 from any to 127.0.0.0/8 group 200
block out log quick on pppoe0 from any to 10.0.0.0/8 group 200
block out log quick on pppoe0 from any to 169.254.0.0/16 group 200
block out log quick on pppoe0 from any to 192.0.2.0/24 group 200
block out log quick on pppoe0 from any to 204.152.64.0/23 group 200
block out log quick on pppoe0 from any to 224.0.0.0/3 group 200
block out log quick on pppoe0 from any to 255.255.255.255/32 group 200
block out log quick on pppoe0 from any to 0.0.0.0/32 group 200
# Modem specific
pass out quick on pppoe0 proto udp from 81.56.X.X port = 3456 to any port = 3456 keep state group 200
# Allow out services.
pass out quick on pppoe0 proto tcp from any to any port = domain flags S keep state group 200
pass out quick on pppoe0 proto udp from any to any port = domain keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = ssh flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = www flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = https flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = smtp flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = imap flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = pop3 flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = smtps flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = imaps flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = pop3s flags S keep state group 200
pass out quick on pppoe0 proto udp from any to any port = ntp keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = whois flags S keep state group 200
pass out quick on pppoe0 proto udp from any to any port 33434 >< 33690 keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = cvspserver flags S keep state group 200
pass out quick on pppoe0 proto tcp from any port = ftp-data to any port > 1024 flags S keep state group 200
pass out quick on pppoe0 proto tcp from any to any port = ftp flags S keep state group 200
# ICMP
pass out quick on pppoe0 proto icmp from any to any keep state group 200
# Parent Squid proxies
pass out quick on pppoe0 proto tcp from 81.56.X.X port = 3128 to 212.XX.XX.0/24 keep state group 200
# User convenience
pass out quick on pppoe0 proto tcp from any to any port 1025 >< 65535 flags S keep state group 200
pass out quick on pppoe0 proto udp from any to any port 1025 >< 65535 keep state group 200
# Deny and block anything else.
block out log quick on pppoe0 all group 200
#################################################################
# Inside Interface local Lan Nic
#################################################################
# Allow everything as long as it is TCP, UDP or ICMP.
pass in quick on ex0 proto tcp from any to any group 300
pass in quick on ex0 proto udp from any to any group 300
pass in quick on ex0 proto icmp from any to any group 300
block in log quick on ex0 all group 300
pass out quick on ex0 proto tcp from any to any group 400
pass out quick on ex0 proto udp from any to any group 400
pass out quick on ex0 proto icmp from any to any group 400
block out log quick on ex0 all group 400

>cat /etc/sysctl.conf
#!/sbin/sysctl -f

net.inet.ip.forwarding=1 #with GENERIC kernel
net.inet.tcp.mss_ifmtu=1

net.inet.ip.redirect=0
net.inet.ip.allowsrcrt=0
net.inet.ip.forwsrcrt=0
net.inet.ip.directed-broadcast=0
#net.inet.tcp.drop_synfin=1

net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
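
Added example (not part of the original post, and not NetBSD or IPFilter code): a Python check over an excerpt of the /etc/ipf.cf posted above. It shows that the PPPoE peer address from the ifconfig output, 192.168.254.254, lies inside 192.168.0.0/16, which the ruleset blocks in both directions on pppoe0, so a ping to that address is dropped by the filter regardless of link state. The parser handles only address-only `quick` block rules; 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the redacted local address and a remote host.

```python
import ipaddress
import re

# Excerpt of the /etc/ipf.cf posted above, rules in their original order.
RULES = """\
block in quick on pppoe0 all with short group 100
block in quick on pppoe0 from 192.168.0.0/16 to any group 100
block in quick on pppoe0 from 172.16.0.0/12 to any group 100
pass in quick on pppoe0 proto icmp from any to 81.56.X.X icmp-type 8 keep state group 100
block out log quick on pppoe0 from any to 192.168.0.0/16 group 200
block out log quick on pppoe0 from any to 10.0.0.0/8 group 200
pass out quick on pppoe0 proto icmp from any to any keep state group 200
"""

# Matches only rules whose sole condition is "from SRC to DST" (no proto/with/all).
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\b.*?\bon\s+(?P<ifc>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$")


def addr_matches(spec, ip):
    """True if an ipf address spec ('any' or CIDR) covers ip."""
    if spec == "any":
        return True
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # redacted specs such as 81.56.X.X never match
        return False


def first_address_block(rules, ifc, direction, src, dst):
    """First protocol-independent 'quick' block rule hit by src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in (raw.strip() for raw in rules.splitlines()):
        m = RULE_RE.match(line)
        if not m or m["action"] != "block" or " quick " not in line:
            continue
        if (m["ifc"], m["dir"]) != (ifc, direction):
            continue
        if m["rest"].split()[:1] not in ([], ["group"]):
            continue  # extra qualifiers: not an address-only rule
        if addr_matches(m["src"], src) and addr_matches(m["dst"], dst):
            return line
    return None


if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the redacted local address.
    print(first_address_block(RULES, "pppoe0", "in", "192.168.254.254", "203.0.113.10"))
    print(first_address_block(RULES, "pppoe0", "out", "203.0.113.10", "192.168.254.254"))
```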