
  DyerUser Premium join:2004-01-29 Dyer, IN
·AT&T Yahoo
| Using all 8 statics with Linux
Yes, it is possible to use all 8 IP addresses that SBC assigns via the PPPOE interface under Linux.
I had a setup using ipchains and port forwarding to use the 5 IPs we get from SBC, but I had wanted to make the move to iptables for some time, and with SBC changing my statics on me, I took this as the opportunity to do some digging. I found a number of people in various forums asking how to even use the 5 IPs with Linux and PPP. Almost all of them were asking in terms of SBC. I did not find any answers out there, so I wanted to write this up, hopefully to be picked up by the search engines for others to be able to do the same.
It's long. I suppose I'll find out if DSLReports has a length limit.
Note. Other than playing with Knoppix, I have always used Red Hat variants. My current Linux Firewall/Server is running CentOS (www.centos.org), which is a Red Hat Enterprise Linux clone. I assume that these instructions will work for the Fedora series, and they may work for others, but I do not know. This should give someone knowledgeable enough the clues needed to get it working on another architecture.
What this covers: Getting a single Linux machine so that it will grab, respond to and use all 8 of your SBC assigned IPs.
What this does not cover: Firewall/Forwarding setup to get your Linux NATing for your internal network. (If you are sophisticated enough to try using all 8 IPs on Linux, I figure you already have a NAT setup.)
Pre-reqs for these instructions:
1) Cayman 3546
2) Recent Red Hat Linux based distribution.
3) Static account with SBC
Network assumptions:
1) Cayman 3546 has its admin interface available at 192.168.1.254 (The default)
2) Static address block is 169.129.154.80 - 169.129.154.87
Overview: I accomplished this basically by first putting the 3546 in bridge mode, setting up a ppp0 interface to handle the PPPOE connection to the redback, and finally setting up ip-aliases ppp0:1 through ppp0:7 for the remaining IP addresses.
1. SET UP THE ETHERNET CARD TO TALK TO THE CAYMAN
The Linux box has a single ethernet card plugged into the 3546. That ethernet card is set up to have an IP address that is in the same network as the 3546. This way, even after you have the PPPOE set up, you can still get into the Cayman. The ethernet card will not have any IP address configured from the block of statics, only the network for the 3546. Most likely, you can skip this section.
I'll refer to some pages of the Red Hat Enterprise Linux 3 System Administration Guide for some of the work involved in this. To set up an ethernet card, you need to configure the appropriate ethernet interface.
First, start up the Network Administration Tool (To start the application, go to the Main Menu Button (on the Panel) => System Settings => Network, or type the command redhat-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running, otherwise, the text-based version is displayed. ) (see the network admin section).
You want to choose the ethernet interface (eth1 in my setup) that is plugged into the 3546 and choose to give it a static IP address of 192.168.1.1, a netmask of 255.255.255.0, and you can leave the gateway at 192.168.1.1. (This ethernet interface will never be used for anything at the IP level other than talking to the 3546.)
2. PUT THE CAYMAN INTO BRIDGE MODE
Refer to the instructions on the Netopia site for putting the Cayman into bridged mode.
Before saving and restarting with the new settings, make sure you have printed copies of any reference material you need online, because you'll be unable to browse for a bit. After completing the changes and re-starting the modem, confirm that you can still get into the admin interface at 192.168.1.254. If not, reset the 3546 and start over.
3. SET UP YOUR LINUX BOX TO HANDLE MAKING A PPPOE CONNECTION
Detailed instructions for setting up a DSL connection are available in the Red Hat manual.
Basically, using the Network Administration Tool, add an interface. Choose ppp. Select eth1 (or the one connected to the 3546) as the device to use. Type SBC into the Provider box. Fill in your log-in name (remember this is of the form userid@static.sbcglobal.net) and your password. Click Forward and then Apply. A new device (ppp0) should now show up in your devices list.
Click on the ppp0 device and then click the Edit button. Make sure you check the "Activate device when computer starts" option.
Go to the Advanced tab and check "Restart if connection dies" and "Make this connection the default route." (I think the latter will already be checked.)
That's it.
3a. FIREWALL
I am not covering iptables firewall or NAT set-up here. However, you should set rules for both, and you should make sure that you activate them now, before making your PPPOE connection live. In fact, to get one of the seven IP addresses and not cause yourself problems, you are going to have to have some firewall rules in place. I do have a few comments about setting this up at the end, but I do not include any detailed instructions.
4. TEST YOUR PPPOE CONNECTION
Restart your network connection ("/etc/rc.d/init.d/network restart" at a root prompt) and confirm that you can surf from the Linux box.
5. INTERMISSION: DISCUSSION OF IP BLOCKS
Before we create IP aliases for your other static IPs, a word about your netblock. You should already know the netblock that SBC has assigned to you. If for some odd reason you don't, you can issue an "ifconfig" command at a root prompt to see what IP address SBC assigned to your ppp0 interface, and then do a "whois x.x.x.x" on that IP address to see the ARIN entry for your block of 8. Here is a portion of the Ameritech - SBC FAQ on static IPs, with the IP addresses modified slightly to fit my example:
SBC/Ameritech bridges the subnet across 1 IP, your router takes up 1 IP, and there is the 1 broadcast IP, so in a class C range (which is what you get from SBC/Ameritech), you have 5 usable IPs (8-3=5).
The SBC/Ameritech Region is only offered a single 5 IP block unlike other SBC Regions which can order larger IP blocks.
This is an example of a SBC/Ameritech Routed Subnet with a total of 8 IPs, 5 usable:
169.129.154.87 Broadcast (programmed in the RedBack, not useable by customer)
169.129.154.86 Router (WAN interface/Gateway)
169.129.154.85 Free for use on LAN (public/routable IP address)
169.129.154.84 Free for use on LAN (public/routable IP address)
169.129.154.83 Free for use on LAN (public/routable IP address)
169.129.154.82 Free for use on LAN (public/routable IP address)
169.129.154.81 Free for use on LAN (public/routable IP address)
169.129.154.80 Network (programmed in the RedBack, not useable by customer)
The usable Static/Public IP addresses are the 5 immediately below what your Router is assigned. The one before that and the one after the Router's IP complete the 8 IP block.
Actually, I've found that in the above example 0 and 7 are usable and I am running into no problems. (To get the broadcast usable, I had to set things up in a way that you probably shouldn't, but it has been working so far. I'll post a followup if it causes problems.)
Ignoring the broadcast and network addresses for now, this set-up will get you 6, not 5, ip addresses because the one reserved for your WAN interface is the one your ppp0 connection gets from SBC when it does PPPOE.
6. HAND CREATE ppp0 IP ALIAS FILES
We are going to use IP aliasing to bind all 8 ip addresses to the ppp0 connection. There is no way to set up the appropriate entries using the Red Hat Network Admin Tool. So, we are going to first hand-create some files and then we will use the Network Admin Tool to make sure they are active at startup and adjust netmasks if need be.
If you look in /etc/sysconfig/network-scripts/ you should see a file created by the network admin tool called ifcfg-ppp0. Make sure your ppp0 connection is active and look at the file. It should look something like:
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=yes
PEERDNS=yes
TYPE=xDSL
DEVICE=ppp0
BOOTPROTO=dhcp
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
PERSIST=yes
SYNCHRONOUS=no
DEFROUTE=yes
USER='userid@static.sbcglobal.net'
PROVIDER=sbc
ETH=eth1
DEMAND=no
ONBOOT=yes
NETMASK=255.255.255.248
IPADDR=169.129.154.86
GATEWAY=169.129.154.254

Note the GATEWAY address. For the two different static blocks I've received, it has always been a x.x.x.254 address, but check just to be sure. (Yes, it also says FIREWALL=NONE. I'm not using the firewall scripts that come with the Red Hat distribution.)
Now, create 6 files: ppp0:1, ppp0:2, ppp0:3, ppp0:4, ppp0:5, ppp0:6. (We'll talk about the seventh one, the broadcast address, in more detail in a different section.) Each file should look like the following. The only thing that will be different are the IPADDR and the DEVICE lines.
GATEWAY=169.129.154.254
TYPE=Ethernet
IPADDR=169.129.154.80
DEVICE=ppp0:1
BOOTPROTO=none
NETMASK=255.255.255.248
ONBOOT=yes
USERCTL=no
PEERDNS=yes

Now, I know it says "TYPE=Ethernet" and that the PEERDNS setting is pointless because of the ppp0 device, but both of those get added by the network admin tool when you administer these devices. (It won't let you create them, but it will administer them--sort of. It sometimes misreports their up or down status in the network admin tool, though an "ifconfig" always seems correct.)
After this, go ahead and open the network admin tool and make sure they are all set to be activated at startup and that the settings look ok in there. Uncheck and check something so it thinks things have changed and then save your settings. You are doing this to make sure that there are no problems with the files and that the network admin tool will write out correct ones if you ever really do need to edit them.
Now, restart your network ("/etc/rc.d/init.d/network restart" at a root prompt) and you should have 7 usable addresses. Depending on your firewall rules, you can try pinging them from a neighbor's DSL connection or something else, but all 7 are active and respond.
7. CONCLUSION: DISCUSSION OF THE BROADCAST ADDRESS
Originally, I set my Linux box up to use just the 6 (169.129.154.81 to 169.129.154.86 in our example) IPs that were supposed to be usable. However, I also had my firewall logging some outside connection attempts and I noticed that ppp0 was seeing packets bound for 169.129.154.80 and 169.129.154.87. That got me to thinking. So, I added a ppp0:x file for each of them as described in the previous section. It worked for 169.129.154.80 but was a no go for 169.129.154.87, even though I could still see packets coming in at 87.
After a little playing around, I realized the issue was my netmask. The ppp0 device is going to get a netmask of 255.255.255.248 from the redback. Nothing you can do to change that. I had used that for my other ips, but you don't have to. At least, I mean no one is making you. Really, you should, but you don't have to. You see, that netmask tells all the ppp0 interfaces that 169.129.154.87 is the broadcast address. A packet addressed to that IP address is supposed to go to all the other IPs in the network. And that is why I couldn't use it. When I tried to route traffic out that IP, either the userland tool or the networking stuff in the kernel realized it was stupid to make a web connection to a broadcast address and it silently prevented me.
So, I got to thinking, what if I told it that 169.129.154.87 wasn't my broadcast address? What if I gave it a slightly larger netmask so that 169.129.154.87 was not the last address in the block? Turns out, if I do that, then I can use that "broadcast" IP address.
Now, I don't know if I should be doing that. It goes against everything not to have a broadcast address in a network. However, every IP in the network is bound to a single interface, so doing anything to the broadcast address seems kind of silly anyway.
What I did, though, was adjust my netblock and firewall any packet inbound or outbound that would go to any other IP in the netblock that I've told my interface it is in. This means that if any SBC customers put up some really cool stuff on their static and they happen to be sitting right next to me, I won't be able to get to it. I've totally blocked myself off from a portion of the aDSL static blocks. But the bragging rights of saying that I have 8 usable IPs on SBC's PPPOE static package is worth it. If someone next to me puts up something really, really cool, then I can always lose the one IP I gain by doing this.
However, figuring out what netmask to use and what IPs to block gets a bit involved. I'll go over the theory briefly. I suspect that if you are the kind of person to try this, you may not even need it.
I also suspect that all the SBC static blocks are carved out of /24 CIDR networks, that they all use the 254 IP address for their gateway and thus that the final /29 in each /24 is unassigned. Given that the first /29 contains the network address, I suspect that it, too, is unassigned. However, given that the redback is forwarding my traffic destined for the first and last IPs in my /29, I suspect that the redbacks do not have the network segmented into a bunch of small /29 CIDR blocks.
But, figuring out the netmask to use to make sure that your "broadcast" address is not a "broadcast" address is going to depend on where you fall within the /24.
For example, in the 169.129.154.80/29 that we are using, if we were to lie and say our network were actually a 169.129.154.80/28, then it would go from 169.129.154.80 to 169.129.154.95. That would make 169.129.154.95 the broadcast address.
So, we could get our Linux box to respond to 169.129.154.87 requests by changing the netmask in all the ppp0:x files to 255.255.255.240. (Can't do it on the ppp0 file because that gets overwritten each time a PPPOE connection is made. In fact, you probably only need to do it for the ppp0:x file that is used for your "broadcast" address, but I've not tested that.) Then, before actually making the change live, we'd want to blackhole 169.129.154.88 - 169.129.154.95.
Of course, that's why I picked this network range for the example. If we were actually in the 169.129.154.72/29 network, then a network of 169.129.154.72/28 would not work because that would go from 169.129.154.64 - 169.129.154.79 and our "broadcast" would still be a "broadcast" on the network. So, we'd have to go with 169.129.154.72/27 and then blackhole 169.129.154.64 - 169.129.154.71 and 169.129.154.80 - 169.129.154.95.
If you are unlucky enough to have a /29 broadcast that ends in 128, you'll have to use a full /24 for your network. In that case, be sure to remember to leave the x.x.x.254 gateway open so you can get out.
That's it and likely more than most people wanted to read, I'm sure, but if someone else is trying to set this up even just to get their Linux box to use the 6 approved IP addresses, this will serve to help get them going.
|
  dgilbert Good Bye My Friend Premium,MVM join:2002-06-15 none clubs:
| you can do it, but SBC may gripe about it. i have done the same thing using my 3547 and my statics, i never had any problems but i have heard of others who did. usually the provider catches on to it, and raises holy hell for them using the broadcast ip. maybe you will get lucky and they won't catch on.
-- If you can read this, thank a teacher..........and since it's in English, thank a soldier.
|
  DyerUser Premium join:2004-01-29 Dyer, IN
·AT&T Yahoo
| Sshhh! Don't tell.
Well, I guess, I'm going to have this for a very short time, then. 
And, if they are going to get pissed, then why are they routing script-kiddie probes to it?
|
  RadioDoc 58ef2c0 Premium,ExMod 2000-03 join:2000-05-11
·AT&T Midwest
| Routing to a network broadcast address isn't exactly an exotic concept...
How about submitting that post as a FAQ entry? Just hit edit, copy the text and paste it to »Ameritech - SBC FAQ (section 2.95). I can do it but you won't get credit for it if I do.
Submission link: »Ameritech - SBC FAQ
|
  DyerUser Premium join:2004-01-29 Dyer, IN
·AT&T Yahoo
| said by RadioDoc : How about submitting that post as a FAQ entry?
Done.
I wanted to take the time to write it up because of the difficulty I had finding information and the number of times I saw the question asked. Didn't even know you could submit to the FAQ, or I would probably have just done that in the first place.
|
  RadioDoc 58ef2c0 Premium,ExMod 2000-03 join:2000-05-11
| Yeah it's not terribly obvious with the link all the way at the bottom. It's in there now though. Thanks!
-- I am the termite of temptation.
|
  ruffldroostr
join:2005-01-24 Saint Louis, MO
| reply to DyerUser Perhaps you answered this in your post and the fact that I've been researching this for months and everything has just run together at this point, but anyways...
So I get all the stuff about setting up the ppp interfaces and all that in linux, what then would the point be of creating all those interfaces to be used on the same box? Are you then using the linux box to route them out on separate NAT'd networks? Also, could you use the setup above to route that?
Basically I have their 5 Static(sticky ip) setup that you have and I am trying to make a linux box that is capable of authenticating via pppoe and then routing traffic from the 5 usable through that.
Any suggestions/info/ideas would be greatly appreciated and thanks in advance!
|
  DyerUser Premium join:2004-01-29 Dyer, IN
·AT&T Yahoo
| said by ruffldroostr : So I get all the stuff about setting up the ppp interfaces and all that in linux, what then would the point be of creating all those interfaces to be used on the same box? Are you then using the linux box to route them out on separate NAT'd networks? Also, could you use the setup above to route that?
I'm new to iptables. I know that there are other (preferred?) methods to use Linux as a straight router, so that your ppp0 interface grabs the one gateway address and then routes everything else out to a group of 5 machines on the other side.
If you wanted to have 2 independent web servers, a mail server, and a db server, you could use iptables to just route the appropriate protocols to machines in the other side using NAT. But, for that, you'd really only need 2 ip addresses because the mail and db server are going to be using different ports than the web server.
I will be serving some content from that machine on one of my IPs. I'll have two different IPs that will be used for a dedicated VPN connection to some work sites. I will also have a web/mail server on the other side that will be using NATing/port forwarding to serve content. Quite frankly, I can really get by with just 5 IP addresses, but I saw that I could use all 8 and I figure if I keep them, that some use will pop up.
Check out »iptables-tutorial.frozentux.net/···ial.html
It has a good intro to iptables and sample DMZ settings, which may be something like what you want.
|
  trader22 Premium join:2003-11-12 Nashotah, WI
| reply to DyerUser
said by DyerUser : What I did, though, was adjust my netblock and firewall any packet inbound or outbound that would go to any other IP in the netblock that I've told my interface it is in. This means that if any SBC customers put up some really cool stuff on their static and they happen to be sitting right next to me, I won't be able to get to it. I've totally blocked myself off from a portion of the aDSL static blocks. But the bragging rights of saying that I have 8 usable IPs on SBC's PPPOE static package is worth it. If someone next to me puts up something really, really cool, then I can always lose the one IP I gain by doing this.
I have done essentially what you have done, except using FreeBSD as the pppoe router instead of linux. Using FreeBSD, and probably under linux too, there is actually a way to solve the problem of the nearby addresses too. For the addresses you don't own, but that are within the range of your fudged netmask, just set up static routes to route these out the ppp interface. For the FreeBSD router (or maybe the linux router too), that will make sure these addresses are sent out the ppp link even though they are within the local netmask range.
For any other devices that connect to the pppoe router (FreeBSD in my case), if you enable "proxy arp all" on the router, it will proxy arp all the ips for which there are static routes going out the ppp interface. That way, devices connected to the router will think the router is aliased to those ips, and will direct all traffic for them to the router. The router then routes these out the ppp link. In FreeBSD "proxy arp all" is a kernel tunable knob.
|
  ruffldroostr
join:2005-01-24 Saint Louis, MO
| reply to DyerUser Yeah, I pretty much want to do what you first said...using it to get the main gateway address and routing the traffic to the usable 5. I guess I could fool around with iptables to route the traffic that way, the only thing is I have the firewalls and routing in place for all the local networks (I used to be on straight static ips), so I really just need it to do the routing of the ips part. If you or anyone has any ideas or places to look, please feel free to let me know as this would greatly help me out. Thanks again.
|
  ruffldroostr
join:2005-01-24 Saint Louis, MO
| reply to DyerUser Trader22, I understood everything you said there and I wouldn't be opposed to using BSD, except that I have no idea how to do what you just said. If you have any documentation or sites that have the info, I would love to have them to try. Thanx.
|
  efflandt
join:2002-01-25 Elgin, IL
·AT&T Midwest
| reply to ruffldroostr
said by ruffldroostr : Basically I have their 5 Static(sticky ip) setup that you have and I am trying to make a linux box that is capable of authenticating via pppoe and then routing traffic from the 5 usable through that. Any suggestions/info/ideas would be greatly appreciated and thanks in advance!
Not sure which Linux version you are using, but SuSE has SuSEfirewall2 that is very easy to configure 3 interfaces and what is allowed between them: public IP, DMZ (block of public IPs), and masqueraded LAN. You can use your ppp0 IP as NIC IP for DMZ. It basically is a matter of editing variables in the file and it takes care of the iptables rules to accomplish that.
Note that you can use the same IP on 2 interfaces as long as the netmask is different (255.255.255.255 for ppp0 and 255.255.255.248, or host specific routing on DMZ). For example I use the same IP for eth0 (/32 w/host route) and wlan0 (to Linux router) on my laptop which routes my desktop PC (until I reconnect warranty replacement WEP11).
|
  JasonWISP
join:2004-06-29
| reply to DyerUser Hi,
I have SBC DSL Express Package (1.5/384) and run a webserver/mailserver. I'd like to get the static IP package, and do this, but I'm wondering - are they sticky or static IPs? I've read hours and hours on DSLReports and haven't been able to figure it out yet. If it's sticky, will they give me a block of IPs still? I have Ameritech/SBC. Also, how do I get SBC to give the package to me without the router and tech installation?
Sorry for all the questions! I'd like to upgrade some day... Also, I'd like to get Pro. But, the guys at Team Data told me about a month ago that I'm too far away. (I'm on an RT) The guy also told me that they are sticky for a fact. About a month before calling them, I had called and asked about one IP. They said that'd work. The other guy (last time) said nope. They no longer offer that (which was the same, they just didn't make you have the tech fee/router).
Thanks!
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| said by JasonWISP : If it's sticky, will they give me a block of IPs still?
You will get a routed block of sticky IPs.
said by JasonWISP : Also, how do I get SBC to give the package to me without the router and tech installation?
I have heard conflicting reports on whether that is even possible. Ask, but don't be surprised if they insist on the router + tech install.
·AT&T Midwest
| reply to JasonWISP All "static" addresses are delivered via PPPoE and are indeed "sticky", not static as in a bridged /29. Your IP address block is tied to your main account user ID and is given out via the RADIUS authentication process when you log in and establish the PPPoE session.
-- I am the termite of temptation.
|
  JasonWISP
join:2004-06-29
| reply to DyerUser Thanks guys! Does this mean I have my own netblock, and the IPs for each of my machines/router/linux will randomly be chosen, or do I set it in there?
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| You are able to assign the IPs to your machines. If you finish up with a tech visit, then get your money's worth by having them show you how (or have them set it up).
|
  JasonWISP
join:2004-06-29
| reply to DyerUser Ok, I think I could do that... But why is it sticky then?
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| "Sticky" is just the term people use when the address block is assigned dynamically but you always get the same addresses assigned anyway. SBC is using PPPoE, and assigning the addresses during the PPPoE initialization.
|
  JasonWISP
join:2004-06-29
| reply to DyerUser Ah, thank you! Will SBC then support that block? (like, put my name on it, reverse DNS if I want, etc)
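The netmask and blackhole arithmetic that DyerUser works through in section 7 of the first post, as an added example that is not part of any post in this thread. It is a Python 3 script (standard library only) that, given the /29, the address the RedBack hands ppp0 and the x.x.x.254 gateway, widens the netmask until the /29's last address is no longer a broadcast address, generates the ifcfg-ppp0:N files in the layout the post shows, and lists the ranges that must be blackholed (leaving the gateway reachable, which matters in the full-/24 case). It only prints; applying the files and the `ip route add blackhole` commands (an iproute2 alternative to the iptables rules the post uses) is left to the reader. The 169.129.154.80/29 block, ppp0 on .86 and the .254 gateway come from the post; the function names and the iproute2 commands are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Plan ppp0:N alias files and blackhole routes for an SBC /29 PPPoE static block.

Added example, not code from the forum post.  Reproduces the reasoning in
section 7 of the how-to: widen the netmask until the /29's broadcast address
stops being a broadcast address, then blackhole every address inside the
widened range that is neither ours nor the x.x.x.254 gateway.  Prints only.
"""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


def widen_prefix(block: IPv4Net) -> IPv4Net:
    """Smallest supernet of `block`, no wider than /24, whose broadcast address
    differs from block's own, so block's last address becomes an ordinary host."""
    net = block
    while net.broadcast_address == block.broadcast_address:
        if net.prefixlen <= 24:
            # e.g. x.x.x.248/29: even the /24 ends on the same address
            raise ValueError(f"{block}: no prefix within the /24 moves the broadcast")
        net = net.supernet()
    return net


def blackhole_ranges(block: IPv4Net, widened: IPv4Net, gateway: IPv4Addr) -> List[IPv4Net]:
    """CIDR ranges inside `widened` that are not ours and do not contain the gateway."""
    ranges: List[IPv4Net] = []
    for net in widened.address_exclude(block):
        if gateway in net:
            # carve the gateway /32 out so the default route still has a next hop
            ranges.extend(net.address_exclude(ipaddress.ip_network(f"{gateway}/32")))
        else:
            ranges.append(net)
    return sorted(ipaddress.collapse_addresses(ranges))


def ifcfg_alias(device: str, addr: IPv4Addr, netmask: IPv4Addr, gateway: IPv4Addr) -> str:
    """Contents of /etc/sysconfig/network-scripts/ifcfg-<device>, in the post's layout."""
    return "\n".join([
        f"DEVICE={device}",
        "TYPE=Ethernet",      # what the Red Hat network admin tool writes, even for a ppp alias
        "BOOTPROTO=none",
        f"IPADDR={addr}",
        f"NETMASK={netmask}",
        f"GATEWAY={gateway}",
        "ONBOOT=yes",
        "USERCTL=no",
        "PEERDNS=yes",
    ]) + "\n"


def plan(block_cidr: str, ppp_addr: str, gateway: str) -> Dict[str, object]:
    """Netmask, alias files and blackhole commands for one static block.
    `ppp_addr` is the address the RedBack assigns ppp0 itself; it gets no alias."""
    block = ipaddress.ip_network(block_cidr)
    if block.prefixlen != 29:
        raise ValueError("SBC static blocks are /29s")
    ppp_ip = ipaddress.ip_address(ppp_addr)
    gw = ipaddress.ip_address(gateway)
    if ppp_ip not in block:
        raise ValueError(f"{ppp_ip} is not inside {block}")

    widened = widen_prefix(block)
    aliases: Dict[str, str] = {}
    n = 1
    for addr in block:  # iterating a network yields network and broadcast addresses too
        if addr == ppp_ip:
            continue
        aliases[f"ppp0:{n}"] = ifcfg_alias(f"ppp0:{n}", addr, widened.netmask, gw)
        n += 1
    routes = [f"ip route add blackhole {r}" for r in blackhole_ranges(block, widened, gw)]
    return {"netmask": str(widened.netmask), "widened": str(widened),
            "aliases": aliases, "blackhole": routes}


if __name__ == "__main__":
    # Sample values from the post (constructed example, not a live assignment).
    result = plan("169.129.154.80/29", "169.129.154.86", "169.129.154.254")
    print(f"# NETMASK for the ppp0:N files: {result['netmask']} (pretend net {result['widened']})")
    for name, text in result["aliases"].items():
        print(f"--- ifcfg-{name}\n{text}")
    print("# blackhole the rest of the pretend net before bringing the aliases up:")
    print("\n".join(result["blackhole"]))
```

For the post's 169.129.154.80/29 this yields a /28 mask and a single blackhole of 169.129.154.88/29; for the 169.129.154.72/29 case it yields /27 and blackholes .64/29 plus .80/28, matching the post's worked cases. For a block whose broadcast ends in .127 it falls back to the whole /24 while keeping .254 routable.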