VLANs and internet access via PPPoE

Hello,

I am trying to give the PCs in vlan2 and vlan3 access to the internet, but it fails.

I have a server acting as a router, and a layer 2 switch.
The server has 3 ethernet ports:
eno1 ==> bridge br0 for the VMs, with IP 192.168.1.120
eno2 ==> link to the VLANs, with IP 192.168.1.121
eno3 ==> used for PPPoE (no IP)
The server runs a DHCP server and a DNS server. The PCs in vlan2 and vlan3 receive their addresses correctly from DHCP (10.0.2.xxx or 10.0.3.xxx).
Topology

 vdsl <==  pppoe  Linux server   en02 ==>  trunk port for vlan2 and vlan3
                          |
                          br0 (VM) 

I configured PPPoE following this forum post: https://forums.opensuse.org/showthread.php/502199-UPGRADING-REMOVES-PPPOE-(13-1-gt-13-2)?p=2682291#post2682291

I start the PPPoE interface:

hpprol2:~ # systemctl start ppp@proximus.service
hpprol2:~ # systemctl status ppp@proximus.service
● ppp@proximus.service - PPP link to proximus
   Loaded: loaded (/usr/lib/systemd/system/ppp@.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-02-07 14:53:55 CET; 5s ago
     Docs: man:pppd(8)
  Process: 327 ExecStart=/usr/sbin/pppd call proximus linkname proximus updetach nolog (code=exited, status=0/SUCCESS)
 Main PID: 345 (pppd)
    Tasks: 1 (limit: 4915)
   Memory: 3.6M
   CGroup: /system.slice/system-ppp.slice/ppp@proximus.service
           └─345 /usr/sbin/pppd call proximus linkname proximus updetach nolog

Feb 07 14:53:55 hpprol2 pppd[327]: CHAP authentication succeeded: CHAP authentication success, unit 43953
Feb 07 14:53:55 hpprol2 pppd[327]: CHAP authentication succeeded
Feb 07 14:53:55 hpprol2 pppd[327]: peer from calling number 02:07:00:85:B8:00 authorized
Feb 07 14:53:55 hpprol2 pppd[327]: replacing old default route to br0 [192.168.1.1]
Feb 07 14:53:55 hpprol2 pppd[327]: local  IP address 81.240.190.170
Feb 07 14:53:55 hpprol2 pppd[327]: remote IP address 91.182.112.1
Feb 07 14:53:55 hpprol2 pppd[327]: primary   DNS address 195.238.2.22
Feb 07 14:53:55 hpprol2 pppd[327]: secondary DNS address 195.238.2.21
Feb 07 14:53:55 hpprol2 systemd[1]: Started PPP link to proximus.
Feb 07 14:53:57 hpprol2 pppd[345]: Script /etc/ppp/ip-up finished (pid 346), status = 0x0

Thereafter I can access the internet from the server :slight_smile:

firewalld is started and ppp0 is defined in zone “external”, while all other interfaces are defined in zone “home”.
For the VLANs I added the following rules:

hpprol2:~ # firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ppp0 -j MASQUERADE
success
hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i vlan2 -j ACCEPT
success
hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ppp0 -o vlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
success
hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i vlan3 -j ACCEPT
success
hpprol2:~ # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ppp0 -o vlan3 -m state --state RELATED,ESTABLISHED -j ACCEPT
success

But I don’t have internet access from the PCs in the VLANs.
In the DNS log I see that the query occurs:

client @0x7f37342053c0 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)
client @0x7f373425bd00 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)
client @0x7f373425bd00 10.0.3.100#54920 (incoming.telemetry.mozilla.org): query: incoming.telemetry.mozilla.org IN A + (192.168.1.120)

Looking at the routes I have:

hpprol2:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan3
91.182.112.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
192.168.90.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr1

The lines related to ppp0 are added when I start PPPoE. One strange thing is that there is no line defined as a gateway.
I found this link https://www.tldp.org/HOWTO/PPP-HOWTO/manual.html which says that there must be a default gateway.
So I deleted the first line and added the default gateway:

hpprol2:~ # route del default
hpprol2:~ # route add default gw 91.182.112.1
hpprol2:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.182.112.1    0.0.0.0         UG    0      0        0 ppp0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan3
91.182.112.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
192.168.90.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr1

But this doesn’t solve the internet access for the VLAN PCs. I have the feeling that I may need more rules for the masquerade, but I did not find many documents related to firewalld.
Any advice?
Regards
Philippe

The client IP addresses and routes would add to the picture here. Can you ping the remote PPPoE peer from the hosts connected via the VLANs? I’m wondering if you’re missing a static route back to this PPPoE-connected host.

That’s far too vague. In most cases “no Internet” turns out to be a DNS problem. Can you ping 8.8.8.8?

In the DNS log I see that the query occurs

“DNS log” where? How is it relevant to Internet access (it is a serious question)? Do you also see a response (otherwise the client of course has no address to start with)?

One thing strange is that there is no line defined as gateway

PPP is point-to-point; IP addresses are completely irrelevant, everything pushed in at one end will appear at the other end. No other host is accessible over a PPP link.

Any advice?

Start with showing the actual configuration on client and server (at least “ip a; ip r” on both and “iptables -L -n -v; iptables -L -n -v -t nat” on the server) as well as “traceroute -n 8.8.8.8” from the client.

Hello,

From a client PC on vlan3 with IP 10.0.3.100 I can ping the Linux server (192.168.1.120) and the local PPPoE IP address, but not the remote IP 91.182.112.1.

The “route print” on this Windows PC shows the gateway 10.0.3.255.

Destination     Mask             Gateway     Interface address  Metric
0.0.0.0         0.0.0.0          10.0.3.255  10.0.3.100         31
10.0.3.0        255.255.255.0    on-link     10.0.3.100         291
10.0.3.100      255.255.255.255  on-link     10.0.3.100         291

Regards
Philippe

Hello,

From the VLAN PC (Windows) I can ping the server and the local PPPoE IP address, but I cannot ping any external address.

“DNS log” where? How is it relevant to Internet access (it is a serious question)? Do you also see a response (otherwise the client of course has no address to start with)?

From /var/lib/named/log/dnsquery.log.

PPP is point-to-point; IP addresses are completely irrelevant, everything pushed in at one end will appear at the other end. No other host is accessible over a PPP link.

Start with showing the actual configuration on client and server (at least “ip a; ip r” on both and “iptables -L -n -v; iptables -L -n -v -t nat” on the server) as well as “traceroute -n 8.8.8.8” from the client.

Here is the output from the server for the ip commands:

hpprol2:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:12 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.121/24 brd 192.168.1.255 scope global eno2
       valid_lft forever preferred_lft forever
4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:14 brd ff:ff:ff:ff:ff:ff
5: eno4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:8e:99:5b:48:15 brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.120/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 brd 192.168.1.255 scope global secondary br0:100
       valid_lft forever preferred_lft forever
    inet 192.168.1.101/24 brd 192.168.1.255 scope global secondary br0:101
       valid_lft forever preferred_lft forever
7: vlan3@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global vlan3
       valid_lft forever preferred_lft forever
8: vlan2@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.1/24 brd 10.0.2.255 scope global vlan2
       valid_lft forever preferred_lft forever
9: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3c:cc:26 brd ff:ff:ff:ff:ff:ff
    inet 192.168.90.1/24 brd 192.168.90.255 scope global virbr1
       valid_lft forever preferred_lft forever
10: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN group default qlen 1000
    link/ether 52:54:00:3c:cc:26 brd ff:ff:ff:ff:ff:ff
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp 
    inet 81.245.122.202 peer 91.182.112.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
hpprol2:~ # ip r
default dev ppp0 scope link 
10.0.2.0/24 dev vlan2 proto kernel scope link src 10.0.2.1 
10.0.3.0/24 dev vlan3 proto kernel scope link src 10.0.3.1 
91.182.112.1 dev ppp0 proto kernel scope link src 81.245.122.202 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.120 
192.168.1.0/24 dev eno2 proto kernel scope link src 192.168.1.121 
192.168.90.0/24 dev virbr1 proto kernel scope link src 192.168.90.1 linkdown 

The outputs of the iptables commands are too big.
Link to output of iptables -L -n -v
http://susepaste.org/79098264
http://paste.opensuse.org/79098264

Link to output of iptables -L -n -v -t nat
http://susepaste.org/44077744
http://paste.opensuse.org/44077744

On the Windows PC, “tracert 8.8.8.8” gives only “time out”.
The output of ipconfig /all is:

ipconfig /all
   Connection-specific DNS Suffix . . . . : pce23.net.
   Description . . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . . . . : C0-25-E9-1F-39-89
   DHCP Enabled. . . . . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . . . . : 10.0.3.100(Preferred)
   Subnet Mask . . . . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . . . . : Tuesday, January 29, 2019 08:45:40
   Lease Expires . . . . . . . . . . . . . : Friday, February 8, 2019 00:44:52
   Default Gateway . . . . . . . . . . . . : 10.0.3.255
   DHCP Server . . . . . . . . . . . . . . : 10.0.3.1
   DNS Servers . . . . . . . . . . . . . . : 192.168.1.120
   NetBIOS over Tcpip. . . . . . . . . . . : Enabled

Regards
Philippe

Is forwarding enabled on your server?

grep . /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding

Hello,

Yes, I had enabled forwarding in the YaST network settings.

hpprol2:~ # grep . /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding
/proc/sys/net/ipv4/ip_forward:1
/proc/sys/net/ipv4/conf/all/forwarding:1
/proc/sys/net/ipv4/conf/br0/forwarding:1
/proc/sys/net/ipv4/conf/default/forwarding:1
/proc/sys/net/ipv4/conf/eno1/forwarding:1
/proc/sys/net/ipv4/conf/eno2/forwarding:1
/proc/sys/net/ipv4/conf/eno3/forwarding:1
/proc/sys/net/ipv4/conf/eno4/forwarding:1
/proc/sys/net/ipv4/conf/lo/forwarding:1
/proc/sys/net/ipv4/conf/virbr1-nic/forwarding:1
/proc/sys/net/ipv4/conf/virbr1/forwarding:1
/proc/sys/net/ipv4/conf/vlan2/forwarding:1
/proc/sys/net/ipv4/conf/vlan3/forwarding:1

Regards
Philippe

I honestly do not understand how it is supposed to work. According to the ipconfig output you are using a /24 network, so 10.0.3.255 is the broadcast address; it is not valid for a host. Nor does it match the address of your server (which is supposed to be the default gateway, if I understand your topology correctly), which is 10.0.3.1 according to your “ip a” output.

Try changing default gateway to real address 10.0.3.1.
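The mistake diagnosed above (a DHCP server handing out the subnet's broadcast address as the default gateway) is easy to catch before clients ever boot. The following validator is an added example, not code from this thread or from openSUSE: it parses ISC dhcpd.conf-style `subnet ... { }` blocks, reads `option routers`, and rejects a gateway that is the network or broadcast address, lies outside the subnet, or is not one of the router's own interface addresses. The dhcpd.conf excerpt is constructed to mirror the thread; the set of router addresses is taken from the `ip a` output posted earlier.

```python
"""Sanity-check 'option routers' in ISC dhcpd.conf subnet blocks.

Added example (not code from the thread). The config text below is
constructed; on a real router read /etc/dhcpd.conf and the addresses
from 'ip -4 addr' instead.
"""
import ipaddress
import re

# Constructed dhcpd.conf excerpt: vlan2 is correct, vlan3 has the broken gateway.
SAMPLE_DHCPD_CONF = """
subnet 10.0.2.0 netmask 255.255.255.0 {
  range 10.0.2.100 10.0.2.200;
  option routers 10.0.2.1;
  option domain-name-servers 192.168.1.120;
}
subnet 10.0.3.0 netmask 255.255.255.0 {
  range 10.0.3.100 10.0.3.200;
  option routers 10.0.3.255;
  option domain-name-servers 192.168.1.120;
}
"""

# Addresses configured on the router (from the 'ip a' output in the thread).
ROUTER_ADDRESSES = {"10.0.2.1", "10.0.3.1", "192.168.1.120", "192.168.1.121"}

# One subnet block: 'subnet <net> netmask <mask> { ... }' (no nested braces).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def parse_subnets(conf):
    """Return a list of (ip_network, [router address strings]) per subnet block."""
    out = []
    for net, mask, body in SUBNET_RE.findall(conf):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        m = ROUTERS_RE.search(body)
        routers = [r.strip() for r in m.group(1).split(",")] if m else []
        out.append((network, routers))
    return out


def check_routers(conf, router_addresses):
    """Map each broken subnet (as 'a.b.c.d/n') to a one-line explanation."""
    problems = {}
    for network, routers in parse_subnets(conf):
        key = str(network)
        if not routers:
            problems[key] = "no 'option routers'; clients get no default gateway"
            continue
        for r in routers:
            gw = ipaddress.ip_address(r)
            if gw in (network.broadcast_address, network.network_address):
                problems[key] = f"gateway {gw} is the broadcast/network address, not a host"
            elif gw not in network:
                problems[key] = f"gateway {gw} is outside {network}; clients cannot reach it"
            elif str(gw) not in router_addresses:
                problems[key] = f"gateway {gw} is not an address on this router"
    return problems


if __name__ == "__main__":
    for subnet, why in check_routers(SAMPLE_DHCPD_CONF, ROUTER_ADDRESSES).items():
        print(f"{subnet}: {why}")
```

Run it against the constructed config and only the vlan3 block is reported, with the broadcast-address explanation; a gateway outside the subnet or one that belongs to no local interface is flagged the same way, since in both cases the client's ARP for the gateway goes unanswered and the symptoms look identical to the "can ping the server, cannot reach anything beyond it" reported above.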

Thanks,

I missed this point in dhcpd.conf. Now internet access works for the PCs on vlan2 and vlan3.

Some downloads still fail, but I think it may be related to the MTU size.

Many thanks for your advice
Philippe

You may be interested in the TCPMSS iptables extension (--set-mss or --clamp-mss-to-pmtu).
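Why MSS clamping fixes stalled downloads behind a 1492-byte PPPoE link, as an added example that is not code from this thread or from openSUSE: a LAN client advertises MSS 1460 (Ethernet MTU 1500 minus 40 bytes of IPv4/TCP headers), the remote side then sends 1500-byte segments that do not fit on ppp0, and when ICMP "fragmentation needed" is filtered somewhere on the path those segments are silently dropped while small transfers still work. The script parses the TCP options of a SYN to read the advertised MSS, decides whether the link MTU allows it, and prints the `firewall-cmd --direct` rules that would rewrite it. The SYN option bytes are constructed; the rules are only printed, not applied.

```python
"""MSS clamping for traffic forwarded over a PPPoE link.

Added example (not code from the thread). TCP option bytes below are
constructed; firewall-cmd rules are generated as strings, not executed.
"""

IPV4_HEADER = 20
TCP_HEADER = 20
MSS_KIND = 2          # TCP option kind for Maximum Segment Size
PPPOE_MTU = 1492      # ppp0 MTU from the 'ip a' output in the thread


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv4 packet of the given MTU."""
    if mtu <= IPV4_HEADER + TCP_HEADER:
        raise ValueError(f"MTU {mtu} cannot carry a TCP segment")
    return mtu - IPV4_HEADER - TCP_HEADER


def mss_option(tcp_options):
    """Return the MSS advertised in a TCP options field, or None if absent.

    Walks the option TLVs: kind 0 ends the list, kind 1 is a one-byte NOP,
    every other option is kind, length, value. Malformed lengths return
    None rather than reading past the buffer.
    """
    i = 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(tcp_options):
            return None  # option header truncated
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            return None  # bogus length; refuse to walk off the end
        if kind == MSS_KIND and length == 4:
            return int.from_bytes(tcp_options[i + 2:i + 4], "big")
        i += length
    return None


def needs_clamp(tcp_options, link_mtu):
    """True if the SYN's MSS would produce segments too large for link_mtu."""
    mss = mss_option(tcp_options)
    return mss is not None and mss > mss_for_mtu(link_mtu)


def clamp_rules(iface="ppp0", permanent=False):
    """firewall-cmd direct rules rewriting the MSS of SYNs that cross iface.

    TCPMSS lives in the mangle table and must match SYN packets.
    --clamp-mss-to-pmtu takes the value from the kernel's own route MTU,
    so the ppp0 routes must be up when the rule is evaluated.
    """
    base = "firewall-cmd " + ("--permanent " if permanent else "") + \
        "--direct --add-rule ipv4 mangle FORWARD 0"
    match = "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    # Both directions: the LAN->WAN SYN sets the remote peer's segment size,
    # the WAN->LAN SYN-ACK sets the local client's segment size.
    return [f"{base} -o {iface} {match}", f"{base} -i {iface} {match}"]


if __name__ == "__main__":
    # Constructed SYN options: MSS 1460, NOP, window scale 7, NOP, NOP, SACK-permitted.
    syn_opts = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 1, 1, 4, 2])
    print("advertised MSS:", mss_option(syn_opts))
    print("largest MSS for ppp0:", mss_for_mtu(PPPOE_MTU))
    print("clamp needed:", needs_clamp(syn_opts, PPPOE_MTU))
    for rule in clamp_rules():
        print(rule)
```

The generated rules match only SYN packets (`--tcp-flags SYN,RST SYN`) because the MSS option is carried only there; clamping both the outgoing SYN and the incoming SYN-ACK covers transfers in either direction. Add `--permanent` and `firewall-cmd --reload` once the rules are confirmed to work, and keep ICMP type 3 code 4 reachable on ppp0 as well, since path MTU discovery still handles hops beyond this router that clamping cannot.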