Friday, December 21, 2012

IPv6

A dual stack (IPv4+IPv6) PPPoE service is provided by eircom on a trial basis. It is activated in the same way as standard IPv4 PPPoE; the only difference is that pppd is told to negotiate IPv6 (IPV6CP) on the link as well as IPv4. Note that there is no NAT on the IPv6 side: once LAN hosts are given global addresses (radvd and the DHCPv6 clients are present in this build) they are reachable directly from the Internet, so the ip6tables FORWARD chain needs the same default-drop treatment as the IPv4 firewall.
root@voyage:/etc/ppp/peers# ls
MPN-UK eircom eircom-ipv6
Add the option +ipv6 at the end of the PPP peer config file so that pppd negotiates IPv6 on the link.
root@voyage:/etc/ppp/peers# cat eircom-ipv6
user test1@ipv6.eircom.net
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
noipdefault
usepeerdns
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492
noaccomp
default-asyncmap
plugin rp-pppoe.so eth0
user "test1"
ipparam eircom-ipv6
+ipv6
Start the PPP session
root@voyage:~# pon eircom-ipv6
View the interface status
root@voyage:/etc/ppp/peers# ifconfig ppp2
ppp2      Link encap:Point-to-Point Protocol
          inet addr:xx.xx.xx.xx  P-t-P:159.134.191.151  Mask:255.255.255.255
          inet6 addr: 2001:bb0:dd0:xxx:xxx:xxx:xxx:xxx:xxx/64 Scope:Global
          inet6 addr: fe80::2482:3cac:a65d:c664/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1082 (1.0 KiB)  TX bytes:130 (130.0 B)

Thursday, December 20, 2012

VLAN

VLAN tagging can be configured on the WAN interface if required. This may be needed, for example, on a GPON service where the residential gateway (RG) is connected to a network termination unit (NTU) that expects a VLAN tag. The tagged sub-interface is named after the parent and the VLAN ID (eth0.10 for VLAN 10 on eth0; the vlan package's ifupdown hook creates it from that name), and the iface stanza must use that same name. PPPoE discovery then has to run on the tagged sub-interface too, i.e. -I eth0.10 rather than -I eth0 in the peer file.

root@voyage:~# cat /etc/network/interfaces 

auto lo
iface lo inet loopback
 
# VLAN 10 on eth0; the iface name must match the auto line
auto eth0.10
iface eth0.10 inet dhcp
  post-up pon eircom 

auto eth1
iface eth1 inet manual 

auto eth2
iface eth2 inet manual 

auto wlan0
iface wlan0 inet manual
  hostapd /etc/hostapd/hostapd.wlan0.conf 

auto br0
iface br0 inet static
    address 192.168.11.254
    netmask 255.255.255.0
    network 192.168.11.0
    broadcast 192.168.11.255
    bridge_ports eth1 eth2 wlan0
    bridge_stp off
    up nat.sh br0 eth0 "192.168.11.0/24"




Port forwarding

Port forwarding allows connections from the outside (WAN) to be forwarded to a device on the inside (LAN). I use this to remotely connect to my Windows desktop, access my Calibre library etc. To configure the iptables firewall to allow this it's necessary to understand a little more about how the kernel's netfilter code handles a packet: an incoming packet passes through the PREROUTING chain of the nat table before the routing decision is made, and a packet that is then routed on to another host passes through the FORWARD chain of the filter table. The standard netfilter packet-flow diagram shows this.

This is an example of port forwarding with NAT. Two commands are needed for every service: one in the nat table to translate the destination address, and one in the filter table to allow the translated packet through the FORWARD chain. The forwarded packet leaves the router on the bridge br0 (that is where the routing table puts 192.168.11.0/24), so the FORWARD rule must match -o br0; a rule on -o wlan0 would never match, because wlan0 is only a port of that bridge. Replies find their way back through the connection-tracking entry, which reverses the translation. Bear in mind that anything forwarded this way is exposed directly to the Internet, so a cleartext service such as telnet (port 23 in the example) should not be forwarded; use SSH or a VPN instead.

# nat table, PREROUTING chain: for TCP packets arriving on ppp0 with
# destination port 23, rewrite the destination address to 192.168.11.112:23
# (DNAT) before the routing decision is made
iptables -t nat --append PREROUTING \
  --in-interface ppp0 \
  --protocol tcp \
  --dport 23 \
  --jump DNAT --to-destination 192.168.11.112:23

# filter table, FORWARD chain: allow the translated packet (now addressed to
# 192.168.11.112:23) to be forwarded from ppp0 onto the LAN bridge br0
iptables --append FORWARD \
  --in-interface ppp0 \
  --out-interface br0 \
  --protocol tcp \
  --destination 192.168.11.112 \
  --dport 23 \
  --jump ACCEPT
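As an added example (not the original post's own rules), the script below wraps the two rules in a function so that each forwarded service is one line, adds the baseline FORWARD policy, conntrack and masquerade rules that the pair of rules assumes, and can be dry-run with IPT=echo before it touches a live firewall. The services, ports and LAN hosts under "apply" are assumptions for illustration, not taken from the post.

```shell
#!/bin/sh
# Port forwarding with NAT on a Linux router (added example).
# Each service needs one DNAT rule (nat/PREROUTING) and one ACCEPT rule
# (filter/FORWARD). Run with IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"   # PPPoE link to the ISP
LAN="${LAN:-br0}"    # LAN bridge; forwarded packets egress via br0, not wlan0/eth1/eth2

# Baseline the per-service rules assume: forwarded traffic is dropped unless a
# rule allows it, replies to accepted connections get back through conntrack,
# the LAN may reach the Internet, and LAN sources are masqueraded behind the WAN IP.
forward_baseline() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# port_forward PROTO WAN_PORT LAN_HOST [LAN_PORT]
# Translates WAN_PORT on the WAN interface to LAN_HOST:LAN_PORT and admits
# only new connections to exactly that host and port.
port_forward() {
    proto="$1"; wport="$2"; host="$3"; lport="${4:-$2}"
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$wport" \
        -j DNAT --to-destination "$host:$lport"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$host" --dport "$lport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Only apply when invoked as "sh fw.sh apply" (as root, or with IPT=echo to
# preview). The hosts and ports below are assumed for illustration.
if [ "${1:-}" = "apply" ]; then
    forward_baseline
    port_forward tcp 3389 192.168.11.112        # RDP to the Windows desktop
    port_forward tcp 8080 192.168.11.20 8080    # Calibre content server
fi
```

Run IPT=echo sh fw.sh apply first and read the rules it prints; once they look right, run it as root. The DNAT rule matches on the public port while the FORWARD rule matches on the translated address and port, because by the time a packet reaches FORWARD its destination has already been rewritten.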

Wednesday, December 19, 2012

Dynamic DNS

Dynamic DNS service is provided by dyndns.com (no-ip.org is good as well). The ddclient daemon is started at boot by its init script. It periodically checks what public IP address the PPP interface has been given and contacts the Dynamic DNS server to update the DNS entry, so the router is always reachable by name even though the WAN IP address may change whenever the PPP session is restarted.
root@voyage:/etc/init.d# ls
README          killprocs              php-fastcgi  ssh
bootlogs        klogd                  pppd-dns     sudo
bootmisc.sh     kmod                   procps       sysklogd
checkfs.sh      live                   radvd        udev
checkroot.sh    live-config            rc           udev-mtab
cron            mountall-bootclean.sh  rc.local     umountfs
ddclient        mountall.sh            rcS          umountnfs.sh
dibbler-client  mountdevsubfs.sh       reboot       umountroot
dnsmasq         mountkernfs.sh         resolvconf   urandom
ebtables        mountnfs-bootclean.sh  rmnologin    voyage-pxe
halt            mountnfs.sh            rpcbind      voyage-sync
hostapd         mountoverflowtmp       rsync        voyage-util
hostname.sh     mtab.sh                sendsigs     watchdog
hwclock.sh      networking             single       wd_keepalive
ifplugd         nocatsplash            skeleton     wide-dhcpv6-client

ddclient reads its settings from /etc/ddclient.conf. The file holds the DynDNS login and password, so it must stay readable by root only (mode 600, which is how the Debian package installs it).
root@voyage:~# cat /etc/ddclient.conf

daemon=600
# check every 600 seconds

# log update msgs to syslog
syslog=yes

# Mail failed updates to user
mail-failure=lorcan@horrorthon.com

# record PID in file.
pid=/var/run/ddclient.pid

## Detect IP with our CheckIP server
use=web, web=checkip.dyndns.com/, web-skip='IP Address'

## DynDNS username and password here
login=xxxxxx
password=xxxxxx

## Default options
protocol=dyndns2
server=members.dyndns.org

## Dynamic DNS hosts
xxxxxxxx.dyndns-remote.com

To debug dynamic DNS, run ddclient in the foreground with debugging output (-daemon=0 stops it from forking into the background)
root@voyage:~# ddclient -daemon=0 -noquiet -debug
DEBUG:    proxy  =
DEBUG:    url    = checkip.dyndns.com
DEBUG:    server = checkip.dyndns.com
DEBUG:    get_ip: using web, checkip.dyndns.com reports xx.xx.xx.xx
WARNING:  cannot update xxxxxx.dyndns-remote.com from xx.xx.xx.xx to xx.xx.xx.xx until after Thu Jan  1 00:00:30 1970.
DEBUG:    proxy  =
DEBUG:    url    = myip.dnsomatic.com
DEBUG:    server = myip.dnsomatic.com
DEBUG:    get_ip: using web, myip.dnsomatic.com reports xx.xx.xx.xx
WARNING:  cannot update opendns_network_label from xx.xx.xx.xx to xx.xx.xx.xx until after Thu Jan  1 00:00:30 1970.

It's not working in this case, and the warning points at the system date: ddclient records the time of its last update in its cache file and will not update the same host again until min-interval (30 seconds by default) has passed, and with the clock this far out that comparison can never succeed. What date does it think it is?
root@voyage:~# date
Sat Dec 12 19:05:29 GMT 1914

Not sure what's gone wrong there, but might as well install NTP to keep the system time up to date.
root@voyage:~# apt-get install ntp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libcap2 libopts25
Suggested packages:
  ntp-doc
The following NEW packages will be installed:
  libcap2 libopts25 ntp
0 upgraded, 3 newly installed, 0 to remove and 112 not upgraded.
Need to get 628 kB of archives.
After this operation, 1448 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://cdn.debian.net/debian/ wheezy/main libcap2 i386 1:2.22-1.2 [14.0 kB]
Get:2 http://cdn.debian.net/debian/ wheezy/main libopts25 i386 1:5.12-0.1 [72.2 kB]
Get:3 http://cdn.debian.net/debian/ wheezy/main ntp i386 1:4.2.6.p5+dfsg-2 [542 kB]
Fetched 628 kB in 5s (122 kB/s)
Selecting previously unselected package libcap2:i386.
(Reading database ... 18045 files and directories currently installed.)
Unpacking libcap2:i386 (from .../libcap2_1%3a2.22-1.2_i386.deb) ...
Selecting previously unselected package libopts25.
Unpacking libopts25 (from .../libopts25_1%3a5.12-0.1_i386.deb) ...
Selecting previously unselected package ntp.
Unpacking ntp (from .../ntp_1%3a4.2.6.p5+dfsg-2_i386.deb) ...
Setting up libcap2:i386 (1:2.22-1.2) ...
Setting up libopts25 (1:5.12-0.1) ...
Setting up ntp (1:4.2.6.p5+dfsg-2) ...
[ ok ] Starting NTP server: ntpd.

Check NTP. These pool servers come from the default /etc/ntp.conf shipped with the Debian package. In the ntpq output the * marks the peer ntpd has selected to synchronise to, + marks acceptable candidates and - an outlier; reach is a bitmask of the last eight polls and becomes non-zero once a reply has arrived.
root@voyage:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-ns1.ooonet.ru   89.109.251.23    2 u    9   64    1  132.414    1.078   0.737
+service0-eth4.d 195.111.98.17    2 u    7   64    1   79.145   -5.807   0.906
+ntp.goneco.de   129.69.1.153     2 u    5   64    1   66.232   -4.427   1.494
*hosted.by.pcext 193.190.230.66   2 u    3   64    1   46.044   -5.622   0.631

Check the date again
root@voyage:~# date
Wed Jul 17 22:06:58 GMT 2013

Run ddclient in debug mode again
root@voyage:~# ddclient -daemon=0 -noquiet -debug
DEBUG:    proxy  =
DEBUG:    url    = checkip.dyndns.com
DEBUG:    server = checkip.dyndns.com
DEBUG:    get_ip: using web, checkip.dyndns.com reports xx.xx.xx.xx
DEBUG:    proxy  =
DEBUG:    url    = myip.dnsomatic.com
DEBUG:    server = myip.dnsomatic.com
DEBUG:    get_ip: using web, myip.dnsomatic.com reports xx.xx.xx.xx
DEBUG:
DEBUG:     nic_dyndns2_update -------------------
DEBUG:    proxy  =
DEBUG:    url    = http://members.dyndns.org/nic/update?system=dyndns&hostname=xxxxxx.dyndns-remote.com&myip=86.40.184.26
DEBUG:    server = members.dyndns.org
SUCCESS:  updating xxxxxx.dyndns-remote.com: good: IP address set to xx.xx.xx.xx
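The failure above was a clock that had never been set, so an added example of the check a practitioner would put in front of ddclient (this is not code from the original post): one function that refuses to proceed while the clock is earlier than a known-past epoch, and one that parses ntpq -p output and succeeds only once ntpd has a selected, reachable peer. The floor epoch 1355875200 (2012-12-19 00:00 UTC, the date of this post) is an assumed value; the sample ntpq output is the one from the session above.

```shell
#!/bin/sh
# Added example: gate ddclient on a sane clock. ddclient compares the time of
# its last update (cached in /var/cache/ddclient/ddclient.cache) with the
# current time and refuses to update while the clock is wrong.

# clock_sane FLOOR [NOW]: succeed if the epoch time NOW (default: now) is later
# than FLOOR, an epoch known to be in the past. A box that boots with its clock
# at 1914 (or 1970) fails this check.
clock_sane() {
    floor="$1"; now="${2:-$(date +%s)}"
    [ "$now" -gt "$floor" ]
}

# ntp_synced: read `ntpq -p` output on stdin and succeed only if ntpd has
# chosen a system peer (line tagged '*') that it has actually heard from
# (reach bitmask != 0). Lines tagged '+' or '-' are not enough.
ntp_synced() {
    awk '
        /^\*/ { sub(/^\*/, ""); if ($7 != 0) ok = 1 }   # $7 is the reach column
        END   { if (ok) exit 0; exit 1 }
    '
}

# Sample ntpq -p output, copied from the session above, for a self-test.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-ns1.ooonet.ru   89.109.251.23    2 u    9   64    1  132.414    1.078   0.737
+service0-eth4.d 195.111.98.17    2 u    7   64    1   79.145   -5.807   0.906
+ntp.goneco.de   129.69.1.153     2 u    5   64    1   66.232   -4.427   1.494
*hosted.by.pcext 193.190.230.66   2 u    3   64    1   46.044   -5.622   0.631'

# Usage on the router (as root), assumed floor of 2012-12-19 00:00 UTC:
#   clock_sane 1355875200 && ntpq -p | ntp_synced && ddclient -daemon=0 -syslog
```

Running the update only after both checks pass avoids poisoning ddclient's cache with a bogus timestamp; if that has already happened, delete /var/cache/ddclient/ddclient.cache once the clock is right and run ddclient -daemon=0 -force.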


PPTP

As I'm located in Ireland, I use a PPTP tunnel to a UK ISP in order to access BBC iPlayer. I use my-private-network.co.uk for this service. Bear in mind that PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it have been shown to be breakable, so the tunnel is used here only to obtain a UK exit address and should not be relied on for confidentiality. Just like for the PPPoE service, create a new file in the directory /etc/ppp/peers
root@voyage:/etc/ppp/peers# cat MPN-UK

pty "pptp harry.my-private-network.co.uk --nolaunchpppd"
name xxxxxx
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam MPN-UK        
persist                #automatically restart connection if it goes down

Username and password are stored in /etc/ppp/chap-secrets, which must be readable by root only (mode 600) since it holds both the ISP and the VPN passwords in clear text
root@voyage:/etc/ppp# cat /etc/ppp/chap-secrets

"eircom@eircom.net" * "broadband1"
"pptp_username" PPTP "pptp_password" *

Additional options are stored in /etc/ppp/options.pptp
root@voyage:/etc/ppp# cat options.pptp

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Manually start the MPN-UK PPTP tunnel
root@voyage:~# pon MPN-UK

Create a new hook script in /etc/ppp/ip-up.d; pppd runs everything in that directory each time a PPP link comes up, so the script checks PPP_IPPARAM and acts only for the MPN-UK tunnel. It configures the iptables firewall and adds a route for 212.0.0.0/8 (the block containing the BBC's servers) via the PPTP tunnel. Because the tunnel reconnects automatically (persist), the script deletes each rule before adding it so that duplicates do not pile up on every reconnect.

root@voyage:/etc/ppp/ip-up.d# cat MPN-UK
#!/bin/sh
# Run by pppd (via /etc/ppp/ip-up) whenever a PPP link comes up. pppd exports
# IFNAME and PPP_IPPARAM, so only act for the MPN-UK tunnel.
echo "Running /etc/ppp/ip-up.d/MPN-UK..."

if [ "${PPP_IPPARAM}" = "MPN-UK" ]; then

    # Send the 212.0.0.0/8 block (which contains the BBC's servers) via the tunnel
    /sbin/route add -net 212.0.0.0/8 dev ${IFNAME}

    # Delete before adding so that reconnects (persist) do not stack duplicate rules
    iptables -D OUTPUT -d 212.0.0.0/8 -o ${IFNAME} -j ACCEPT 2>/dev/null
    iptables -I OUTPUT 1 -d 212.0.0.0/8 -o ${IFNAME} -j ACCEPT

    # Clamp the TCP MSS on forwarded SYNs so the extra PPTP/GRE overhead does not
    # leave large packets stuck behind a path-MTU black hole
    iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    echo "NAT"
    # Masquerade LAN traffic leaving via the tunnel behind the tunnel's address
    iptables -t nat -D POSTROUTING -o ${IFNAME} -j MASQUERADE 2>/dev/null
    iptables -t nat -A POSTROUTING -o ${IFNAME} -j MASQUERADE

fi

Check the routing table: the default route still points at the eircom link (ppp0) and only 212.0.0.0/8 goes via the tunnel (ppp1)
root@voyage:/etc/ppp/ip-up.d# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 ppp0
no.rdns-yet.uks *               255.255.255.255 UH    0      0        0 ppp0
b-ras2.srl.dubl *               255.255.255.255 UH    0      0        0 ppp0
192.168.11.0    *               255.255.255.0   U     0      0        0 br0
192.168.12.0    *               255.255.255.0   U     0      0        0 eth0
212.0.0.0       *               255.0.0.0       U     0      0        0 ppp1