[Leaf-user] PPP server without proxy arp

2001-11-01 Thread David Douthitt

I can't find anything on this - how would one go about setting up a PPP
server that didn't use proxy arp?

Our ISP changed our IP allocation and yanked almost 200 IP addresses -
and now we don't have enough addresses for proxy arp.

I had originally wanted to set up PPPd to use particular IPs and
masquerade through the IP of the server - can this be done?

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] PPP server without proxy arp

2001-11-01 Thread Jonathan French


At the risk of speaking without a clue as to your actual setup...

On an LRP box you can associate the PPP server IPs with the internal
masqueraded network, rather than with an external network (still
proxyarp).  You may need to add a network card to create a fake internal
net...

Hope this is somewhere in the ballpark.
Jon

David Douthitt wrote:
> 
> I can't find anything on this - how would one go about setting up a PPP
> server that didn't use proxy arp?
> 
> Our ISP changed our IP allocation and yanked almost 200 IP addresses -
> and now we don't have enough addresses for proxy arp.
> 
> I had originally wanted to set up PPPd to use particular IPs and
> masquerade through the IP of the server - can this be done?
> 




RE: [Leaf-user] PPP server without proxy arp

2001-11-09 Thread Matthew Pozzi

Ah yes David, firstly VK is Australia, I can't for the life of me remember
what Canada's prefix is, it's been so long since I actually talked on HF. It
is close to VK I do remember that though.

Anyway I found this out today, the fact I have to recompile ppp to do this,
M$ use encrypted passwords on CHAP, Unix / Linux does not, it uses plain
text passwords, hence the need for the chap-secrets file.

Now can I do this? I have RH 5.2 which I believe has the right version of
glibc, please correct me here, this will be a first. When this is done I
will try to repackage pppd.lrp and release it as a M$ variant, that is if
anyone wants it. Yes it is a windows machine dialling in, a mate of mine.

Strange how the ISPs are resuming C class address ranges, we had that too
at work, 256 for 8, not really enough, time to change ISP!

Thank you very much for answering,

73's
Matt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
David Douthitt
Sent: Friday, 9 November 2001 1:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] PPP server without proxy arp


Matthew Pozzi wrote:

> Now the flip side, if you do get it going please let me know, I cannot for
> the life of me get the chap authentication to work. Everything else seems
> fine.

I had it working fine until our ISP took away our 256-host net and
replaced it with a 64-host net.  Now I need to use masquerading - we
don't have 24 IPs to spare.

CHAP probably won't work - if you are, as is likely, using a Windows
machine to connect to a Linux system, it probably won't work without
compiling PPP with special support for Microsoft's MSCHAP and other
Microsoft extensions.

I'll let you know how it goes.

> Matt
> VK4KLM

VK4 Canadian?

DE N9UBH
73's and 88's





Re: [Leaf-user] PPP server without proxy arp

2001-11-09 Thread Jonathan French


Hi Charles,

Um, my mindset was probably the old "if you have a hammer, every problem
looks like a nail" situation.  I have always required a proxy-arp
situation, so I hadn't considered separate ppp "hosts".  So you can drop
the : (lets client specify) and proxyarp, and just get
a ppp interface, which could have packets masq'd.  I guess I am used to
using network.conf to define the masquerading - I suppose you could use
ppp0, ppp1, ppp2, etc in network.conf.  It sounded like Dave had ~20 ppp
connections, which at least in my warped mind would make a dummy
interface with a single set of rules make sense.  I guess I am also used
to specifying the IPMASQing on a per interface basis rather than on the
external interface.

As one of my old professors used to say, "There's more than one way to
skin a cat."

- Jon

Charles Steinkuehler wrote:
> 
> > > > Since you are shy some "real" addresses for the PPP clients, would it be
> > > > ok to put the PPP clients on a masq'd subnet?
> > >
> > > That's what I was hoping for.
> > >
> > > > To do this, you could
> > > > toss a cheap NIC into the box, assign it to a masq'd 192.168.x.x subnet
> > > > (don't attach it to anything), and then use its address as the first
> > > > address in the options.ttySX line.
> > >
> > > Could I use the dummy (network) device for this purpose instead of a
> > > cheap NIC?
> > >
> > > > The additional NIC allows you to establish a fake masq'd net, and gives
> > > > your PPP clients a little more security.  You can drop the second
> > > > address if you assign each client a unique 192.168.x.x address, or with
> > > > the options.ttySX, you can assign a unique internal IP address by serial
> > > > connection (or by phone #).
> > >
> > > I was thinking I'd do this:
> > >
> > > NIC: Internet-visible IP addr
> > > PPP(24x): private IP range (10.x.x.x or 192.168.x.x)
> > >
> > > ...with the discussion you've given me, that adds:
> > >
> > > NIC #2: dummy interface
> > >
> > > ...would this work?
> 
> Um...just whack me if I'm missing something obvious here, but what's with the
> extra NIC and proxy arp stuff?
> 
> As I understand it, David needs to connect some PPP users to the 'net, and
> doesn't have 'real' IPs to assign, so he wants to use masquerading...fine.
> 
> Masquerading happens in the forwarding chain of linux 2.2 kernels.  The IP
> packets will be forwarded as long as forwarding is enabled, and the system
> has a route to the destination IP...pretty basic.  The kernel knows about
> the pppX devices when pppd creates and configures them once a connection
> comes up.  As soon as this happens, the kernel will start routing packets
> between the new ppp interface and any other interfaces configured.  If there
> are masquerade rules in the forward chain, the packets will be masqueraded.
> 
> I'm confused about why you'd need an "internal net" ethernet card with
> proxy-arp enabled, unless you actually wanted to allow folks access to your
> internal net (dialup users for a small business network would be a good
> example...get access to the office net and piggyback off their 'net
> connection with one phone call).
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> 



Re: [Leaf-user] PPP server without proxy arp

2001-11-09 Thread Jonathan French


Oh, and Dave was using a 2.0.x box, so I would guess ipchains would not
be an option - I don't know if this matters or not in terms of the
forwarding rules.
- Jon




Re: [Leaf-user] PPP server without proxy arp

2001-11-09 Thread Charles Steinkuehler

I missed the part about the 2.0 kernel...I don't know if that complicates
things or not.  With 2.2 and ipchains, it doesn't matter if you've got one
PPP interface or a thousand, if they're all assigned IPs encompassed in a
single network specification, it's one ipchain rule to masquerade them.
Assuming all PPP interfaces are in the 10. private IP space:

ipchains -A forward -j MASQ -s 10.0.0.0/8 -d 0/0 -i 

I would presume something similar could be done with kernel 2.0.x

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

> Oh, and Dave was using a 2.0.x box, so I would guess ipchains would not
> be an option - I don't know if this matters or not in terms of the
> forwarding rules.
> - Jon
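
Added example, not part of any post in this thread: a small shell helper that prints (without running) a default-deny forward policy plus the single masquerade rule Charles describes, and refuses a pool outside RFC 1918 space. The function names, the 10.0.0.0/8 pool and the `eth0` external interface are assumptions; the `ipfwadm` form for 2.0.x kernels goes beyond what the thread shows. IP forwarding is assumed to be enabled already.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) the forwarding
# rules for one masqueraded PPP pool. Pool, interface and names are assumed.

# is_private_cidr A.B.C.D/LEN: succeed only if the block lies in RFC 1918 space.
is_private_cidr() {
    case "$1" in */*/*|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    if   [ "$1" -eq 10 ]; then [ "$len" -ge 8 ]
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then [ "$len" -ge 12 ]
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then [ "$len" -ge 16 ]
    else return 1
    fi
}

# masq_rules KERNEL POOL EXT_IF: emit default-deny forwarding plus one MASQ rule.
masq_rules() {
    is_private_cidr "$2" || { echo "refusing non-RFC 1918 pool: $2" >&2; return 1; }
    case "$3" in ''|*[!a-z0-9]*) echo "bad interface name: $3" >&2; return 1 ;; esac
    case "$1" in
        2.2) # ipchains form used in the thread, with an assumed interface name
            echo "ipchains -P forward DENY"
            echo "ipchains -A forward -j MASQ -s $2 -d 0/0 -i $3" ;;
        2.0) # ipfwadm equivalent for 2.0.x kernels (an addition, not from the thread)
            echo "ipfwadm -F -p deny"
            echo "ipfwadm -F -a m -S $2 -D 0.0.0.0/0 -W $3" ;;
        *)  echo "unknown kernel series: $1" >&2; return 1 ;;
    esac
}

masq_rules 2.2 10.0.0.0/8 eth0   # constructed sample: 10/8 pool, eth0 external
```

Because the rule matches on the source pool rather than on each pppX device, it covers every dial-in link whose address pppd hands out from that range, and the DENY policy keeps anything outside the pool from being forwarded.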