network advice for ppp0

Greetings!

A Leap-42.3, running as KVM guest, serves as internet gateway (GTW 192.168.1.222) for the local network (192.168.1.0)

The network device eth0 is internal and eth1 is external.
Both devices are bridged from the KVM host.

Firewalling is done with SuSEFirewall2, everything standard.

It has worked well for years.

Sometimes, once a year or so, the cable-modem (internet connection eth1) fails and I need a backup internet connection.
For this purpose I use a Huawei E220 USB stick attached to the gateway computer.

Using wvdial I dial up my GSM internet provider, works well so far.
ifconfig shows the device ppp0 and journalctl -f shows

Jun 14 12:32:27 GTW pppd[7131]: Plugin passwordfd.so loaded.
Jun 14 12:32:27 GTW pppd[7131]: pppd 2.4.7 started by monitor, uid 0
Jun 14 12:32:27 GTW pppd[7131]: Using interface ppp0
Jun 14 12:32:27 GTW pppd[7131]: Connect: ppp0 <--> /dev/ttyUSB0
Jun 14 12:32:27 GTW pppd[7131]: CHAP authentication succeeded
Jun 14 12:32:27 GTW pppd[7131]: CHAP authentication succeeded
Jun 14 12:32:31 GTW pppd[7131]: Could not determine remote IP address: defaulting to 10.64.64.64
Jun 14 12:32:31 GTW pppd[7131]: local IP address 10.27.128.130
Jun 14 12:32:31 GTW pppd[7131]: remote IP address 10.64.64.64
Jun 14 12:32:31 GTW pppd[7131]: primary DNS address xxx.xxx.xxx.xxx
Jun 14 12:32:31 GTW pppd[7131]: secondary DNS address yyy.yyy.yyy.yyy
Jun 14 12:32:31 GTW nscd[666]: 666 monitored file /etc/resolv.conf was written to
Jun 14 12:32:31 GTW pppd[7131]: Script /etc/ppp/ip-up finished (pid 7138), status = 0x0

The settings of SuSEFirewall2 are obviously sufficient to protect the gateway machine from outside access.
A network check shows no open ports, as expected.

Internet browsing from GTW works.

However, internet access from a network client 192.168.1.20 does not work, it is filtered by the default SuSEFirewall2 setting:
Jun 14 12:32:35 GTW kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=ppp0 MAC=aa:bb:00:00:02:22:34:97:f6:a3:59:e1:08:00 SRC=192.168.1.20 DST=aaa.aaa.aaa.aaa LEN=66 TOS=0x00 PREC=0x00 TTL=127 ID=30822 PROTO=UDP SPT=56162 DPT=53 LEN=46

The OUT device ppp0 is filtered.

Questions:

  1. Do I have to manually insert a NAT rule into the firewall/iptables to provide network address translation from eth0 to ppp0?

  2. What would be the appropriate approach to configure the ppp0 interface with yast, defining it as external device?

Thanks for reading and hints
Wolf

This guide should be enough to get internet sharing working as desired…
https://wiki.archlinux.org/index.php/Internet_sharing#With_iptables

An openSUSE guide using YaST to help with the necessary…
https://en.opensuse.org/SDB:Internet_connection_sharing

Answering your specific questions…

I’m not sure that any YaST reference will help since you’re using wvdial to connect using your Huawei.
In fact, the general recommendation is to set up Network Manager to support PPPoE connections… but if you want to use wvdial and you have it working, that’s fine. But, if you set up Network Manager for both Internet providers, you’ll be able to switch between Providers more easily (IMO).

So, for instance right now it’s possible your Internet Connection sharing is not working because when you switch off your eth1 connection, ICS isn’t enabled for your alternate dialup upstream connection using wvdial, and requires a configuration for wvdial. But, if you used Network Manager for both connections, then a single ICS configuration would work for both.

The above should address your most likely problem…
For anything beyond that, do you have any other LAN Hosts set up (virtual or physical)?
Comparing which machines work and which don’t is typically a first step in troubleshooting.

TSU

Thanks, TSU;

Adding ppp0 to the line
FW_DEV_EXT="eth0 ppp0" in /etc/sysconfig/SuSEfirewall2
and
defaultroute and replacedefaultroute in /etc/ppp/peers/wvdial
made the thing work with wvdial, embedded in a script.

Wolf

That’s one way to make it work, the tiny bit of extra latency shouldn’t be noticeable on a client machine.

Congrats.

TSU
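
The check below ties the SFW2-FWDint-DROP-DEFLT line from the first post to the FW_DEV_EXT change that fixed it. It is an added example, not code from any poster or from SuSEfirewall2: the function names are hypothetical, the log and sysconfig text are constructed (interface roles follow the first post, eth0 internal and eth1 external), and it assumes, as the reported fix suggests, that forwarding toward an interface listed in no FW_DEV_* zone is dropped by default.

```python
import re
import shlex

# Constructed sample data; the first log line is the thread's drop, shortened.
LOG = [
    "Jun 14 12:32:35 GTW kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=ppp0 "
    "SRC=192.168.1.20 DST=203.0.113.53 LEN=66 PROTO=UDP SPT=56162 DPT=53",
    "Jun 14 12:40:02 GTW kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=23",
]
BEFORE = 'FW_DEV_INT="eth0"\nFW_DEV_EXT="eth1"\nFW_ROUTE="yes"\nFW_MASQUERADE="yes"\n'
AFTER = BEFORE.replace('FW_DEV_EXT="eth1"', 'FW_DEV_EXT="eth1 ppp0"')

def parse_sysconfig(text):
    """Return {VAR: value} for the simple VAR="value" lines of a sysconfig file."""
    conf = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if sep and not key.startswith("#"):
            parts = shlex.split(raw, comments=True)
            conf[key] = parts[0] if parts else ""
    return conf

def parse_drop(line):
    """Split an SFW2 kernel log line into its label and KEY=value fields."""
    m = re.search(r"kernel: (SFW2-\S+) (.*)$", line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return dict(fields, LABEL=m.group(1))

def diagnose(log_lines, sysconfig_text):
    """Explain each forwarded (SFW2-FWD*) drop against the zone configuration."""
    conf = parse_sysconfig(sysconfig_text)
    zones = {dev: z for z in ("EXT", "INT", "DMZ")
             for dev in conf.get("FW_DEV_" + z, "").split()}
    findings = []
    for d in filter(None, map(parse_drop, log_lines)):
        if not d["LABEL"].startswith("SFW2-FWD"):
            continue  # input-chain drops are not a sharing problem
        out = d.get("OUT", "")
        if out not in zones:
            why = f"{out} is in no FW_DEV_* zone"
        elif conf.get("FW_ROUTE") != "yes" or conf.get("FW_MASQUERADE") != "yes":
            why = "FW_ROUTE/FW_MASQUERADE not enabled"
        else:
            why = f"{out} is in zone {zones[out]}; look at the forwarding rules"
        findings.append((d.get("SRC"), out, d.get("DPT"), why))
    return findings
```

`diagnose(LOG, BEFORE)` reports the client's DNS query toward ppp0 as unzoned, while the inbound drop on eth1 is ignored because it is not forwarded traffic.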