Hi,
I just installed OpenBSD 4.6, because I want to use nat to make a very basic firewall to split my ADSL connection between a few computers (some Linux, some Windows). I set up a very basic pf.conf with only what is necessary to use the internet. On my OpenBSD box everything works fine, I have access to any website, but on my other computers only 80% of the websites work; other websites like "msn.com" and "grc.com" don't work, it says "Waiting for www.grc.com..." in the Firefox status bar. I tried many different settings but nothing works... Here is my pf.conf:
Code:
ext_if = "pppoe0"
set skip on lo
match in all scrub (no-df max-mss 1440)
nat on $ext_if from !($ext_if) to any -> ($ext_if)
Anybody have a clue? Thanks a lot
The following section from the pppoe(4) man page discusses the MTU issue but gives a different match rule than yours.
Code:
MTU/MSS ISSUES
Problems can arise on machines with private IPs connecting to the Internet
via a machine running both Network Address Translation (NAT) and
pppoe. Standard Ethernet uses a Maximum Transmission Unit (MTU) of 1500
bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead. This
leaves a maximum MTU of 1492. pppoe sets the MTU on its interface to
1492 as a matter of course. However, machines connecting on a private
LAN will still have their MTUs set to 1500, causing conflict.
While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
default and takes care of this, pppoe users have to rely on other methods.
Using a packet filter, the Maximum Segment Size (MSS) can be set
(clamped) to the required value. The following rule in pf.conf(5) would
set the MSS to 1440:
match on pppoe0 scrub (max-mss 1440)
Although in theory the maximum MSS over a PPPoE interface is 1452 bytes,
1440 appears to be a safer bet. Note that setting the MSS this way can
have undesirable effects, such as interfering with the OS detection features
of pf(4).
See pf.conf(5) for more information on MTU, MSS, and NAT.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
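A way to verify that the clamp from the man page excerpt above is actually taking effect, written as an added example for this thread rather than code from the forum or from OpenBSD: it derives the theoretical PPPoE MSS from the numbers in the excerpt (1500 byte Ethernet MTU, 8 bytes of PPPoE overhead, 40 bytes of IPv4 and TCP headers), renders the pf.conf rule for a given interface and clamp value, and then scans tcpdump output for SYN and SYN/ACK segments whose advertised MSS is still above the clamp. The capture lines are constructed to look like OpenBSD tcpdump output on pppoe0 and are not from a real session; the function and constant names are my own.

```python
import re

# Numbers from the pppoe(4) excerpt: Ethernet MTU minus PPPoE framing minus the
# IPv4 and TCP headers gives the largest TCP payload that fits in one frame.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
IPV4_TCP_HEADERS = 40


def pppoe_max_mss(eth_mtu=ETHERNET_MTU, overhead=PPPOE_OVERHEAD, headers=IPV4_TCP_HEADERS):
    """Theoretical maximum MSS over a PPPoE link (1452 for standard Ethernet)."""
    return eth_mtu - overhead - headers


def scrub_rule(ifname, max_mss):
    """Render the MSS-clamping rule in the form pppoe(4) gives for pf.conf(5)."""
    return f"match on {ifname} scrub (max-mss {max_mss})"


# One OpenBSD-style tcpdump line for a TCP segment with the SYN flag ("S") and a
# TCP options list in angle brackets; non-SYN segments (".", "P", "F") are skipped.
SYN_RE = re.compile(r"(?P<src>\S+) > (?P<dst>\S+): S .*?<(?P<opts>[^>]*)>")
MSS_RE = re.compile(r"\bmss (\d+)")


def parse_syn_mss(lines):
    """Return (src, dst, mss) for every SYN or SYN/ACK line that advertises an MSS."""
    records = []
    for line in lines:
        m = SYN_RE.search(line)
        if not m:
            continue
        mss = MSS_RE.search(m.group("opts"))
        if mss:
            records.append((m.group("src"), m.group("dst"), int(mss.group(1))))
    return records


def find_unclamped(records, max_mss):
    """Segments whose advertised MSS exceeds the clamp, i.e. where scrub is not applied."""
    return [r for r in records if r[2] > max_mss]


# Constructed sample, not a real capture: a LAN client's SYN still carrying the
# stock Ethernet MSS of 1460, the server's SYN/ACK already clamped to 1440, and
# a plain ACK that carries no options at all.
SAMPLE_CAPTURE = """\
12:00:00.000001 192.168.1.10.49152 > 203.0.113.5.80: S 1000:1000(0) win 65535 <mss 1460,nop,wscale 6,sackOK> (DF)
12:00:00.020001 203.0.113.5.80 > 192.168.1.10.49152: S 2000:2000(0) ack 1001 win 29200 <mss 1440,nop,nop,sackOK> (DF)
12:00:00.020100 192.168.1.10.49152 > 203.0.113.5.80: . ack 2001 win 65535 (DF)
""".splitlines()


if __name__ == "__main__":
    print(f"theoretical PPPoE MSS: {pppoe_max_mss()}")
    print(f"rule from the man page: {scrub_rule('pppoe0', 1440)}")
    for src, dst, adv in find_unclamped(parse_syn_mss(SAMPLE_CAPTURE), 1440):
        print(f"MSS {adv} from {src} to {dst} exceeds the 1440 clamp")
```

With a correctly placed rule, a capture taken on the PPPoE side (for example `tcpdump -ni pppoe0 'tcp[13] & 2 != 0'`, which keeps only segments with the SYN flag set) should produce no unclamped records; seeing the LAN hosts' 1460 still on the wire is the symptom the original poster describes.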
It works!!!!!
Thanks a lot for the help, I'm a newbie in the networking world and I don't think I would have solved this by myself... Now I'll add some security...