Author Topic: Design Flaw: PPPoE in 1.4  (Read 2350 times)

Fro

Design Flaw: PPPoE in 1.4
« on: March 15, 2010, 11:33:23 pm »
After spending the better part of today figuring out why my external interface won't come back up after a reboot I found what appears to be a big flaw in the design of the PPPoE support incorporated in 1.4.

Configuring PPPoE out of the box works just fine.  Everything comes up, I can use the machine as a firewall/router with DHCP on the private LAN and all the mail/spam/content filtering... everyone happy!

Then I go to work.  I need to listen to my music at the office.  To do that I need to poke a hole in the firewall to connect to my media server.  Problem is I can't: ppp0 is not an option in the firewall port forwarding.

I tried eth1, which is the physical interface, but the requests are all coming in ppp0 and are being denied as such in the logs.

So I poke around the forums and find the "ifaces_to_ignore" setting in the /etc/ebox/80network.conf file.  Great!  Remove ppp from this line and I can now add port forwarding settings to allow me to connect.

Then a power hit.  Everything reboots. eth1 won't come up and therefore ppp0 won't come up.  Start them manually and get an IP address from my provider, but firewall and a few other services have already failed due to the lack of ppp0.

Needless to say, I hack it, get half the things working, reboot and it all fails again.  After a couple hours, I think about the original settings and add ppp back to the ifaces_to_ignore setting.  Reboot and POOF! eth1 and ppp0 start up automagically.  Everything works great except I can't add port forwarding for ppp0 to the private LAN.

I'd try to set this up outside of ebox (like I originally did with just Ubuntu and Shorewall), but that defeats the purpose of using ebox and I think it would cause other problems since none of the ebox modules would know the status of the interfaces.

I'm willing to test loads to correct this and also willing to promote ebox but find this to be a flaw I can't live with in the long term.  I have the need to edit the firewall settings remotely and with this current limitation I can't as I can't be assured the public interface will be restored after a power outage or reboot.

javi

Re: Design Flaw: PPPoE in 1.4
« Reply #1 on: March 16, 2010, 12:17:31 am »
Redirections for PPPoE are already fixed in trunk:

Quote
HEAD
    + Bug fix: port forwarding now works with PPPoE

J. A. Calvo

  • Zentyal Staff
Re: Design Flaw: PPPoE in 1.4
« Reply #2 on: March 16, 2010, 01:09:48 am »
In fact they are also fixed in 1.4 (ebox-firewall 1.4.3).
Zentyal Server Lead Developer

javi

Re: Design Flaw: PPPoE in 1.4
« Reply #3 on: March 16, 2010, 01:16:25 am »
Quote
In fact they are also fixed in 1.4 (ebox-firewall 1.4.3).

My bad. I just checked trunk :). So Fro, could you try upgrading to ebox-firewall 1.4.3 to see if that solves the issue?

Thanks

Fro

Re: Design Flaw: PPPoE in 1.4
« Reply #4 on: March 16, 2010, 07:41:08 pm »
Confirmed this is still an issue in 1.4.3.

Configuration is as follows:
eth0 internal static IP
eth1 external pppoe configured through ebox

With ppp in the ifaces_to_ignore setting, reboot of machine will automatically configure eth1 and ppp0.  With ppp removed from ifaces_to_ignore setting, reboot of machine will result in only eth0 being available.

J. A. Calvo

  • Zentyal Staff
Re: Design Flaw: PPPoE in 1.4
« Reply #5 on: March 16, 2010, 07:50:33 pm »
If your pppoe interface is managed through eBox (that means you have set the interface as PPPoE in the eBox configuration) then you don't have to add it to the ifaces_to_ignore variable. When adding a port forwarding rule you have to select ethX instead of ppp0, it should work in 1.4.3.

If it doesn't work, please paste the output of "iptables -t nat -L -n -v".
Zentyal Server Lead Developer
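
One way to read the `iptables -t nat -L -n -v` listing requested above: list each PREROUTING DNAT rule with its ingress interface and flag rules that cannot match traffic arriving on ppp0. This is an added example, not part of the thread and not eBox code; the sample listing, addresses and ports are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -n -v` output (not from the thread).
sample_nat_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.1.10:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.20:22

Chain POSTROUTING (policy ACCEPT 30 packets, 2000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   55  3300 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
EOF
}

# Print "in-iface proto dport target pkts" for every DNAT rule in PREROUTING.
# Verbose columns: pkts bytes target prot opt in out source destination [extras]
dnat_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        chain == "PREROUTING" && $3 == "DNAT" {
            dport = "-"; to = "-"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            print $6, $4, dport, to, $1
        }'
}

# Print DNAT rules that cannot match packets arriving on interface $1:
# their in-interface is not "*", not $1, and not a "name+" wildcard covering $1.
dnat_missing_iface() {
    dnat_rules | awk -v want="$1" '
        $1 == "*" || $1 == want { next }
        $1 ~ /\+$/ && index(want, substr($1, 1, length($1) - 1)) == 1 { next }
        { print }'
}

# Stand-alone run on the constructed sample; on a live box, pipe the real
# command output into dnat_missing_iface instead.
sample_nat_listing | dnat_missing_iface ppp0
```

A flagged rule with a packet counter of 0 after a connection attempt is consistent with the forward being bound to the physical interface while the requests arrive on ppp0.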

Fro

RESOLVED: Design Flaw: PPPoE in 1.4
« Reply #6 on: March 17, 2010, 03:54:46 pm »
I apologize.  The "redirections" part should have pointed me to what you were actually doing to correct this.

Yes, it does work now if you set up all port forwarding using your external interface rather than the ppp0 interface (leaving ppp in the ifaces_to_ignore setting).

Thank you for your quick replies on this.

jpv

Re: Design Flaw: PPPoE in 1.4
« Reply #7 on: September 28, 2010, 10:55:52 pm »
Hi,

I'm having a similar problem.  How did you configure eth1 to connect with ppp0?  My server has only 1 NIC, should it have 2?  Are there any instructions on how to configure ppp0 with Zentyal 2.0-1 x64?

I tried pppoeconf which works for a little while but then Zentyal overwrites the configuration with broken settings.
« Last Edit: September 28, 2010, 11:02:40 pm by jpv »