
Configuration

Hardware

You need two Ethernet interfaces on your PPPoE router. Technically, you can build a PPPoE router with only one interface, but it is not recommended. Apart from the two-interface requirement, ordinary PC hardware is perfectly suitable for a PPPoE router. If you are interested in my hardware, I wrote a brief explanation for your reference.

In my case, I used two Ethernet boards, LGY-PCI-TXC, manufactured by MELCO/BUFFALO and based on the SiS 900 chip. This board is supported by FreeBSD's standard sis driver. They are recognized as sis0 and sis1. I assigned sis0 to connect the machine to the in-house LAN, and sis1 to connect to the ADSL modem.

Note that plugging two identical Ethernet boards into a PC is confusing, since it is unclear which board is sis0 and which is sis1. (It is said that, technically, the numbering is totally predictable, as it is determined by the priorities of the PCI slots in which the boards are plugged.) I suggest that, before plugging in the boards and closing the PC case, you locate the labels that show the Ethernet MAC addresses of the boards and take notes. When FreeBSD boots, the kernel displays an address for each board, and you can tell which is which by comparing the displayed addresses with your notes. (Remember that you can see this information again with the dmesg command after the system enters multi-user mode.)

Software

Operating System Version

As of this writing, I'm running FreeBSD 4.2 RELEASE (plus some security patches), with the ppp command upgraded to version 2.3. The FreeBSD Handbook is unclear about the minimum FreeBSD version that supports PPPoE, but it is generally suggested to use the latest.

As I wrote on another page, you will need a ppp command dated Dec. 2000 or later to run PPPoE and to make the box a router. If you run FreeBSD 4.2 or earlier, the ppp included in the RELEASE is older than what is required, so you need to upgrade ppp, at the least.

You should be reminded that, like other operating systems, FreeBSD may contain security holes, and patches are issued when they are discovered. Since you are going to connect your machine to the Internet through ADSL, your machine will be exposed to bad guys around the world, 24 hours a day, 365 days a year. For that reason, leaving old software as-is is inappropriate for a PPPoE router. You should use the latest RELEASE or STABLE version, with the necessary security patches applied.

Packages

I've installed the following packages on my machine; they are generally required by a so-called NAT router. You can, of course, use ports instead. (I prefer packages, since I don't want to compile everything.)

isc-dhcp
Although I had long been using WIDE DHCP as the DHCP server for my network, I switched to ISC's when the FreeBSD RELEASE included the ISC version of the DHCP client. The dynamic DNS update feature is another reason for the switch.

The Network

The configuration we will discuss is for the network of the following structure.

WAN Specification

LAN Specification

Routing Specification

Other Services

On the router, the following services are made available.

Example Configuration Files

Here are configuration files I'm actually using as of this writing, shown as an example.

/etc/rc.conf

ifconfig_sis0="inet 192.168.250.1  netmask 255.255.255.0"
ifconfig_sis1="up media 10baseT/UTP"            # to be used by PPPoE
ppp_enable="YES"
ppp_profile="-unit0 adsl"
hostname="bear.home.example.com"
sendmail_enable="NO"
named_enable="YES"
named_flags=""
gateway_enable="YES"
xntpd_enable="YES"
sshd_enable="NO"
inetd_enable="YES"
usbd_enable="YES"
apm_enable="YES"
blanktime="60"
saver="apm"
rand_irqs="10 12 14 15"
portmap_enable="NO"

/etc/ppp/ppp.conf

default:
  set log phase tun command

pppoe:
  set device PPPoE:sis1
  set mru max 1454      # keyword max is required on FreeBSD 4.4 and later (see note below)
  set mtu max 1454
  set dial
  set login
  set redial 1 8
  set timeout 900       # 15 minutes

protect:
  nat enable yes
  nat deny_incoming no  # yes
  nat same_ports yes
  nat use_sockets yes
  nat log yes
  set filter in     0 permit udp src eq  123 dst eq  123
  set filter in     1 deny   udp             dst lt 1024
  set filter in     2 deny   tcp             dst lt 1024
  set filter in     3 permit 0/0 0/0
  set filter out    0 permit udp src eq  123 dst eq  123
  set filter out    1 deny   udp src lt 1024
  set filter out    2 deny   tcp src lt 1024
  set filter out    3 permit 0/0 0/0
  set filter dial   0 deny   udp             dst eq  123
  set filter dial   1 permit 0/0 0/0
  set filter alive  0 deny   udp             dst eq  123
  set filter alive  1 deny   udp src eq  123
  set filter alive  2 permit 0/0 0/0

adsl:
  load pppoe
  load protect
  set authname XXXXXXXX
  set authkey XXXXXXXX
  set ifaddr 10.0.0.1/0 10.0.0.2/0
  add! default HISADDR
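To check what the protect section actually lets through, here is an added example (my own illustrative code, not part of the original page and not ppp's own implementation) that parses the filter rules above and evaluates a packet against them the way ppp does, first matching rule wins. It shows, for instance, that the in filter blocks unsolicited TCP/UDP to privileged ports but permits anything addressed to ports 1024 and above, that the out filter stops local low-port servers from answering the WAN, and that NTP traffic neither brings the link up (dial) nor keeps it alive (alive).

```python
import re
from collections import defaultdict

# Filter rules copied from the "protect" section of ppp.conf above.
PPP_FILTERS = """
set filter in     0 permit udp src eq  123 dst eq  123
set filter in     1 deny   udp             dst lt 1024
set filter in     2 deny   tcp             dst lt 1024
set filter in     3 permit 0/0 0/0
set filter out    0 permit udp src eq  123 dst eq  123
set filter out    1 deny   udp src lt 1024
set filter out    2 deny   tcp src lt 1024
set filter out    3 permit 0/0 0/0
set filter dial   0 deny   udp             dst eq  123
set filter dial   1 permit 0/0 0/0
set filter alive  0 deny   udp             dst eq  123
set filter alive  1 deny   udp src eq  123
set filter alive  2 permit 0/0 0/0
"""

# Only the rule shapes used on this page are understood: a protocol (or
# "0/0 0/0" = any address and protocol) plus optional src/dst port tests.
RULE = re.compile(
    r"^set filter (\w+)\s+(\d+)\s+(permit|deny)\s+(udp|tcp|0/0 0/0)"
    r"(?:\s+src\s+(eq|lt)\s+(\d+))?(?:\s+dst\s+(eq|lt)\s+(\d+))?$")

def parse_filters(text):
    """Map filter name -> ordered list of (action, proto, src_op, src_port, dst_op, dst_port)."""
    filters = defaultdict(list)
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        name, _, action, proto, sop, sp, dop, dp = m.groups()
        proto = "any" if proto == "0/0 0/0" else proto
        filters[name].append((action, proto, sop, sp and int(sp), dop, dp and int(dp)))
    return filters

def _port_ok(op, want, actual):
    return op is None or (actual == want if op == "eq" else actual < want)

def evaluate(filters, name, proto, sport, dport):
    """First matching rule wins. If nothing matches, ppp(8) drops the packet
    (assumed default; every filter set on this page ends in permit 0/0 0/0)."""
    for action, rproto, sop, sp, dop, dp in filters[name]:
        if rproto in ("any", proto) and _port_ok(sop, sp, sport) and _port_ok(dop, dp, dport):
            return action
    return "deny"
```

Whether a permitted inbound packet to a high port reaches anything depends on the NAT table; with nat deny_incoming no, unmatched packets are handed to the router itself, which is worth keeping in mind when deciding what listens on the box.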

Note about changes to /etc/ppp/ppp.conf

In the above configuration file (ppp.conf), the lines for the MTU/MRU specification were shown as follows at the time this page was first published:

  set mru 1454
  set mtu 1454

That is what was written in the config on my machine, and there was no problem then.

However, when I upgraded the operating system to FreeBSD 4.4 RELEASE, the black hole problem appeared again. It was caused by a change in the way MTU/MRU are handled by the ppp command. The keyword max must be added in the config for the TCP MSS fixup feature to work properly on the newer FreeBSD RELEASEs.

/etc/namedb/named.conf

options {
        directory "/etc/namedb";

        listen-on { 192.168.250.1; 127.0.0.1; };

        forwarders {
                211.15.32.8;            // Metallic
                211.15.32.18;           // Metallic
        };

        dump-file "s/named_dump.db";
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev";
        allow-query { 127.0.0.1; 192.168.250.0/24; };
};

zone "0.0.10.in-addr.arpa" {
        type master;
        file "pppdummy.rev";
        allow-query { 127.0.0.1; 192.168.250.0/24; };
};

zone "example.com" {
        type master;
        file "s/example.com";
        allow-update { 127.0.0.1; };
        allow-query { 127.0.0.1; 192.168.250.0/24; };
};

zone "250.168.192.in-addr.arpa" {
        type master;
        file "s/250.168.192.in-addr.arpa";
        allow-update { 127.0.0.1; };
        allow-query { 127.0.0.1; 192.168.250.0/24; };
};

/etc/namedb/pppdummy.rev

$TTL    3600

@       IN      SOA     bear.home.example.com. root.bear.home.example.com. (
                                1       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      bear.home.example.com.

/etc/namedb/s/example.com

(TBW)

/usr/local/etc/dhcp.conf

(TBW)

/etc/ntp.conf

(TBW)