
Thread: vlans and internet access via pppoe

  1. #1
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    181

    vlans and internet access via pppoe

    Hello,

    I am trying to give the PCs in vlan2 and vlan3 access to the internet, but it fails.

    I have a server acting as router and a level 2 switch.
    The server has 3 ethernet ports:
    eno1 ==> bridge for VM br0 with IP 192.168.1.120
    eno2 ==> link to vlan with IP 192.168.1.121
    eno3 ==> used for pppoe (no IP)
    The server runs a DHCP server and a DNS server. The PCs in vlan 2 and vlan 3 receive their addresses correctly from the DHCP (10.0.2.xxx or 10.0.3.xxx).
    Topology
    Code:
     vdsl <==  pppoe  Linux server   eno2 ==>  trunk port for vlan2 and vlan3
                              |
                              br0 (VM)
    I defined the pppoe following this forum link https://forums.opensuse.org/showthre...91#post2682291

    I start the pppoe interface
    Code:
    hpprol2:~ # systemctl start ppp@proximus.service
    hpprol2:~ # systemctl status ppp@proximus.service
    ● ppp@proximus.service - PPP link to proximus
       Loaded: loaded (/usr/lib/systemd/system/ppp@.service; disabled; vendor preset: disabled)
       Active: active (running) since Thu 2019-02-07 14:53:55 CET; 5s ago
         Docs: man:pppd(8)
      Process: 327 ExecStart=/usr/sbin/pppd call proximus linkname proximus updetach nolog (code=exited, status=0/SUCCESS)
     Main PID: 345 (pppd)
        Tasks: 1 (limit: 4915)
       Memory: 3.6M
       CGroup: /system.slice/system-ppp.slice/ppp@proximus.service
               └─345 /usr/sbin/pppd call proximus linkname proximus updetach nolog
    
    Feb 07 14:53:55 hpprol2 pppd[327]: CHAP authentication succeeded: CHAP authentication success, unit 43953
    Feb 07 14:53:55 hpprol2 pppd[327]: CHAP authentication succeeded
    Feb 07 14:53:55 hpprol2 pppd[327]: peer from calling number 02:07:00:85:B8:00 authorized
    Feb 07 14:53:55 hpprol2 pppd[327]: replacing old default route to br0 [192.168.1.1]
    Feb 07 14:53:55 hpprol2 pppd[327]: local  IP address 81.240.190.170
    Feb 07 14:53:55 hpprol2 pppd[327]: remote IP address 91.182.112.1
    Feb 07 14:53:55 hpprol2 pppd[327]: primary   DNS address 195.238.2.22
    Feb 07 14:53:55 hpprol2 pppd[327]: secondary DNS address 195.238.2.21
    Feb 07 14:53:55 hpprol2 systemd[1]: Started PPP link to proximus.
    Feb 07 14:53:57 hpprol2 pppd[345]: Script /etc/ppp/ip-up finished (pid 346), status = 0x0
    Thereafter I can access the internet from the server.

    firewalld is started and ppp0 is defined in zone "external" while all other interfaces are defined in zone "home".
    For the vlans I added the following rules:
    Code:
    hppprol2:~ # firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ppp0 -j MASQUERADE
    success
    hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i vlan2 -j ACCEPT
    success
    hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ppp0 -o vlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    success
    hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i vlan3 -j ACCEPT
    success
    hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ppp0 -o vlan3 -m state --state RELATED,ESTABLISHED -j ACCEPT
    success
    But I don't have internet access from the PCs in the vlans.
    In the DNS log I see that the query occurs:
    Code:
    client @0x7f37342053c0 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)
    client @0x7f373425bd00 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)
    client @0x7f373425bd00 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)
    Looking at the routes I have:
    Code:
    hpprol2:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
    10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
    10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan3
    91.182.112.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
    192.168.90.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr1
    The lines related to ppp0 are added when I start the pppoe. One strange thing is that there is no line defined as gateway.
    I found this link https://www.tldp.org/HOWTO/PPP-HOWTO/manual.html which says that there must be a default gateway.
    So I deleted the first line and added the default gateway:
    Code:
    hpprol2:~ # route del default
    hpprol2:~ # route add default gw 91.182.112.1
    hpprol2:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.182.112.1    0.0.0.0         UG    0      0        0 ppp0
    10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
    10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan3
    91.182.112.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
    192.168.90.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr1

    But this doesn't solve the internet access for the vlan PCs. I have the feeling that I maybe need more rules for the masquerade, but I did not find many documents related to firewalld.
    Any advice?
    Regards
    Philippe
    Tumbleweed (x86_64) Kernel 4.18.5 with KDE plasma

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    19,466
    Blog Entries
    1

    Re: vlans and internet access via pppoe

    The client IP addresses and routes would have added to the picture here. Can you ping the remote pppoe client from the hosts connected via the vlans? I'm wondering if you're missing a static route back to this pppoe-connected host.
    openSUSE Leap 15.0; KDE Plasma 5

  3. #3
    Join Date
    Sep 2012
    Posts
    4,788

    Re: vlans and internet access via pppoe

    Quote Originally Posted by phil524 View Post
    But I don't have internet access from the PCs in the vlans.

    That's far too vague. In most cases "no Internet" turns out to be a DNS problem. Can you ping 8.8.8.8?

    Quote:
    In the DNS log I see that the query occurs

    "DNS log" where? How is it relevant to Internet access (it is a serious question)? Do you also see a response (otherwise the client of course has no address to start with)?

    Quote:
    One strange thing is that there is no line defined as gateway

    PPP is point to point, IP addresses are completely irrelevant, everything pushed on one end will appear on the other end. No other host is accessible over a PPP link.

    Quote:
    Any advice?

    Start with showing the actual configuration on client and server (at least "ip a; ip r" on both and "iptables -L -n -v; iptables -L -n -v -t nat" on the server) as well as "traceroute -n 8.8.8.8" from the client.

  4. #4
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    181

    Re: vlans and internet access via pppoe

    Hello,
    Quote Originally Posted by deano_ferrari View Post
    The client IP addresses and routes would have added to the picture here. Can you ping the remote pppoe client from the hosts connected via the vlans? I'm wondering if you're missing a static route back to this pppoe-connected host.

    From a client PC on vlan3 with IP = 10.0.3.100 I can ping the Linux server (192.168.1.120) and the local IP PPPoE address but not the remote IP 91.182.112.1.

    The "route print" on this Windows PC shows the gateway 10.0.3.255.
    Code:
    Destination    Mask              Gateway      Interface address  Metric
    0.0.0.0        0.0.0.0           10.0.3.255   10.0.3.100         31
    10.0.3.0       255.255.255.0     on-link      10.0.3.100         291
    10.0.3.100     255.255.255.255   on-link      10.0.3.100         291

    Regards
    Philippe

    Tumbleweed (x86_64) Kernel 4.18.5 with KDE plasma

  5. #5
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    181

    Re: vlans and internet access via pppoe

    Hello,
    Quote Originally Posted by arvidjaar View Post
    That's far too vague. In most cases "no Internet" turns out to be a DNS problem. Can you ping 8.8.8.8?

    From the vlan PC (Windows) I can ping the server and the local IP pppoe address but I cannot ping any external address.

    Quote:
    "DNS log" where? How is it relevant to Internet access (it is a serious question)? Do you also see a response (otherwise the client of course has no address to start with)?

    From /var/lib/named/log/dnsquery.log.

    Quote:
    PPP is point to point, IP addresses are completely irrelevant, everything pushed on one end will appear on the other end. No other host is accessible over a PPP link.

    Quote:
    Start with showing the actual configuration on client and server (at least "ip a; ip r" on both and "iptables -L -n -v; iptables -L -n -v -t nat" on the server) as well as "traceroute -n 8.8.8.8" from the client.

    Here is the output from the server for the ip commands:
    Code:
    hpprol2:~ # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:12 brd ff:ff:ff:ff:ff:ff
    3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.121/24 brd 192.168.1.255 scope global eno2
           valid_lft forever preferred_lft forever
    4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:14 brd ff:ff:ff:ff:ff:ff
    5: eno4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 9c:8e:99:5b:48:15 brd ff:ff:ff:ff:ff:ff
    6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:12 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.120/24 brd 192.168.1.255 scope global br0
           valid_lft forever preferred_lft forever
        inet 192.168.1.100/24 brd 192.168.1.255 scope global secondary br0:100
           valid_lft forever preferred_lft forever
        inet 192.168.1.101/24 brd 192.168.1.255 scope global secondary br0:101
           valid_lft forever preferred_lft forever
    7: vlan3@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
        inet 10.0.3.1/24 brd 10.0.3.255 scope global vlan3
           valid_lft forever preferred_lft forever
    8: vlan2@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
        inet 10.0.2.1/24 brd 10.0.2.255 scope global vlan2
           valid_lft forever preferred_lft forever
    9: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
        link/ether 52:54:00:3c:cc:26 brd ff:ff:ff:ff:ff:ff
        inet 192.168.90.1/24 brd 192.168.90.255 scope global virbr1
           valid_lft forever preferred_lft forever
    10: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN group default qlen 1000
        link/ether 52:54:00:3c:cc:26 brd ff:ff:ff:ff:ff:ff
    12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
        link/ppp 
        inet 81.245.122.202 peer 91.182.112.1/32 scope global ppp0
           valid_lft forever preferred_lft forever
    hpprol2:~ # ip r
    default dev ppp0 scope link 
    10.0.2.0/24 dev vlan2 proto kernel scope link src 10.0.2.1 
    10.0.3.0/24 dev vlan3 proto kernel scope link src 10.0.3.1 
    91.182.112.1 dev ppp0 proto kernel scope link src 81.245.122.202 
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.120 
    192.168.1.0/24 dev eno2 proto kernel scope link src 192.168.1.121 
    192.168.90.0/24 dev virbr1 proto kernel scope link src 192.168.90.1 linkdown
    The outputs of the iptables commands are too big.
    Link to output of iptables -L -n -v
    http://susepaste.org/79098264
    http://paste.opensuse.org/79098264

    Link to output of iptables -L -n -v -t nat
    http://susepaste.org/44077744
    http://paste.opensuse.org/44077744

    On the Windows PC "tracert 8.8.8.8" gives only "time out".
    The output of the command ipconfig /all is:
    Code:
    ipconfig /all
       Suffixe DNS propre à la connexion. . . : pce23.net.
       Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Adresse physique . . . . . . . . . . . : C0-25-E9-1F-39-89
       DHCP activé. . . . . . . . . . . . . . : Oui
       Configuration automatique activée. . . : Oui
       Adresse IPv4. . . . . . . . . . . . . .: 10.0.3.100(préféré)
       Masque de sous-réseau. . . . . . . . . : 255.255.255.0
       Bail obtenu. . . . . . . . . . . . . . : mardi 29 janvier 2019 08:45:40
       Bail expirant. . . . . . . . . . . . . : vendredi 8 février 2019 00:44:52
       Passerelle par défaut. . . . . . . . . : 10.0.3.255
       Serveur DHCP . . . . . . . . . . . . . : 10.0.3.1
       Serveurs DNS. . .  . . . . . . . . . . : 192.168.1.120
       NetBIOS sur Tcpip. . . . . . . . . . . : Activé
    Regards
    Philippe
    Tumbleweed (x86_64) Kernel 4.18.5 with KDE plasma

  6. #6
    Join Date
    Sep 2012
    Posts
    4,788

    Re: vlans and internet access via pppoe

    Quote Originally Posted by phil524 View Post
    From a client PC on vlan3 with IP = 10.0.3.100 I can ping the Linux server (192.168.1.120) and the local IP PPPoE address but not the remote IP 91.182.112.1.

    Is forwarding enabled on your server?
    Code:
    grep . /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding

  7. #7
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    181

    Re: vlans and internet access via pppoe

    Hello,
    Quote Originally Posted by arvidjaar View Post
    Is forwarding enabled on your server?
    Code:
    grep . /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding

    Yes, I had enabled the forwarding in YaST network.
    Code:
    hpprol2:~ # grep . /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding
    /proc/sys/net/ipv4/ip_forward:1
    /proc/sys/net/ipv4/conf/all/forwarding:1
    /proc/sys/net/ipv4/conf/br0/forwarding:1
    /proc/sys/net/ipv4/conf/default/forwarding:1
    /proc/sys/net/ipv4/conf/eno1/forwarding:1
    /proc/sys/net/ipv4/conf/eno2/forwarding:1
    /proc/sys/net/ipv4/conf/eno3/forwarding:1
    /proc/sys/net/ipv4/conf/eno4/forwarding:1
    /proc/sys/net/ipv4/conf/lo/forwarding:1
    /proc/sys/net/ipv4/conf/virbr1-nic/forwarding:1
    /proc/sys/net/ipv4/conf/virbr1/forwarding:1
    /proc/sys/net/ipv4/conf/vlan2/forwarding:1
    /proc/sys/net/ipv4/conf/vlan3/forwarding:1
    Regards
    Philippe
    Tumbleweed (x86_64) Kernel 4.18.5 with KDE plasma

  8. #8
    Join Date
    Sep 2012
    Posts
    4,788

    Re: vlans and internet access via pppoe

    Quote Originally Posted by phil524 View Post
    The "route print" on this Windows PC shows the gateway 10.0.3.255.

    I honestly do not understand how it is supposed to work. According to the ipconfig output you are using a /24 network, so this is the broadcast address; it is not valid for a host. Nor does it match the address of your server (which is supposed to be the default gateway if I understand your topology correctly), which is 10.0.3.1 according to your "ip a" output.

    Try changing the default gateway to the real address 10.0.3.1.

  9. #9
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    181

    Re: vlans and internet access via pppoe

    Thanks,

    Quote Originally Posted by arvidjaar View Post
    I honestly do not understand how it is supposed to work. According to the ipconfig output you are using a /24 network, so this is the broadcast address; it is not valid for a host. Nor does it match the address of your server (which is supposed to be the default gateway if I understand your topology correctly), which is 10.0.3.1 according to your "ip a" output.

    Try changing the default gateway to the real address 10.0.3.1.

    I missed this point in the dhcpd.conf. Now internet access works for the PCs on vlan2 and vlan3.

    Some download processes still fail, but I think it may be related to the MTU size.

    Many thanks for your advice
    Philippe
    Tumbleweed (x86_64) Kernel 4.18.5 with KDE plasma
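
The fix found above was a wrong router value in dhcpd.conf: the clients were handed 10.0.3.255, the broadcast address of their /24, as default gateway. As an added example that is not part of the original thread, this Python check flags such entries; the configuration text is a constructed sample (the poster's file is not shown), `check_routers` is a hypothetical helper name, and it assumes flat `subnet` blocks with IPv4 literals.

```python
import ipaddress
import re

# Constructed sample, not the poster's real dhcpd.conf: it reproduces the
# thread's mistake (broadcast address handed out as router) for vlan3.
SAMPLE_DHCPD_CONF = """
subnet 10.0.2.0 netmask 255.255.255.0 {
  range 10.0.2.100 10.0.2.200;
  option routers 10.0.2.1;
}
subnet 10.0.3.0 netmask 255.255.255.0 {
  range 10.0.3.100 10.0.3.200;
  option routers 10.0.3.255;   # wrong: broadcast address of the /24
}
"""

# Simplification: subnet blocks without nested braces (no pool { } sections).
SUBNET_RE = re.compile(
    r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def check_routers(conf_text, server_addrs=()):
    """Return (subnet, router, problem) for every unusable 'option routers'."""
    local = {ipaddress.ip_address(a) for a in server_addrs}
    findings = []
    for net_s, mask_s, body in SUBNET_RE.findall(conf_text):
        net = ipaddress.ip_network(f"{net_s}/{mask_s}")
        body = re.sub(r"#.*", "", body)  # drop comments before matching
        m = ROUTERS_RE.search(body)
        if not m:
            findings.append((str(net), None, "no 'option routers' in subnet"))
            continue
        for r in (x.strip() for x in m.group(1).split(",")):
            ip = ipaddress.ip_address(r)
            if ip not in net:
                problem = "router is outside the subnet"
            elif ip == net.broadcast_address:
                problem = "router is the broadcast address"
            elif ip == net.network_address:
                problem = "router is the network address"
            elif local and ip not in local:
                problem = "router is not an address of this server"
            else:
                continue
            findings.append((str(net), r, problem))
    return findings


if __name__ == "__main__":
    # Server VLAN addresses as shown by "ip a" in the thread.
    for finding in check_routers(SAMPLE_DHCPD_CONF, ["10.0.2.1", "10.0.3.1"]):
        print(finding)
```

Passing the server's own VLAN addresses as `server_addrs` also catches a router that is a valid host address but does not belong to the machine doing the forwarding.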

  10. #10
    Join Date
    Sep 2012
    Posts
    4,788

    Re: vlans and internet access via pppoe

    Quote Originally Posted by phil524 View Post
    Some download processes still fail, but I think it may be related to the MTU size.

    You may be interested in TCPMSS iptables extension (--set-mss or --clamp-mss-to-pmtu).
