Router:Linux - Debian

From AAISP Support Site
Revision as of 21:53, 15 July 2015 by TomJepp (talk | contribs) (Even more formatting fixes...)

You might choose to use a Linux machine as your router rather than an off-the-shelf piece of routing hardware.

You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up.

This guide provides an example configuration for Debian Jessie.

Prerequsites

  • a Linux PC with Debian Jessie already installed and two network interfaces - one for the connection to the modem, and one for the connection to your LAN
  • a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection)

Assumptions

  • eth0 is plugged directly into your modem or ONT
  • eth1 will be used for your LAN

Setting up pppd

pppd will be used to actually connect to A&A.

To install pppd, and the other software that will be required run:

apt-get update
apt-get install pppd pppoe iproute2

pppd uses several different configuration files:

  • /etc/ppp/options - default settings for pppd
  • /etc/ppp/peers/aaisp - the configuration file for settings specific to connecting to A&A
  • /etc/ppp/chap-secrets - the location where your A&A line password is stored

/etc/ppp/options should be left as-is - we will not change this file.

/etc/ppp/peers/aaisp

This file contains the settings that are used to configure your connection to A&A:

user your-username-here
plugin rp-pppoe.so eth0
noipdefault
defaultroute
hide-password
lcp-echo-interval 1
lcp-echo-failure 10
noauth
persist
maxfail 0
mtu 1492
noaccomp
default-asyncmap
+ipv6
ipv6cp-use-ipaddr
ifname pppoe-aaisp

Each line in this file sets a different setting:

  • user your-username-here - this line sets the username that pppd will use to log in. Replace "your-username-here" with your A&A line username. It will be in the form "example@a.1"
  • plugin rp-pppoe.so eth0 - tells pppd to load the PPPoE plugin, and to use the network interface "eth0" to connect
  • noipdefault - tells pppd not to try and guess an IP to use, but instead to use the IP explicitly given by A&A
  • defaultroute - automatically set the PPP connection as your default route (for IPv4 only)
  • hide-password - hides your password when logging authentication packets
  • lcp-echo-interval 1 - send a LCP echo to A&A once every second
  • lcp-echo-failure 10 - automatically drop the connection after 10 failed LCP echoes
  • noauth - don't require A&A to send authentication details
  • persist - automatically reconnect if the connection drops
  • maxfail 0 - sets the the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever
  • mtu 1492 - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details.
  • noaccomp - disables address/control compression
  • default-asyncmap - disables the negotation of an asyncmap - forces all control characters to be escaped
  • +ipv6 - enable IPv6 support
  • ipv6cp-use-ipaddr - use your IPv4 address as the local identifier for IPv6CP
  • ifname pppoe-aaisp - renames the PPP connection from an automatically generated name (such as ppp0) to pppoe-aaisp - this makes further configuration easier!

/etc/ppp/chap-secrets

This file contains the password that is used to connect to A&A.

# Secrets for authentication using CHAP
# client      server   secret                      IP addresses
example@a.1   *        YourLinePasswordGoesHere

Replace "YourLinePasswordGoesHere" with the password for your A&A connection.

Making IPv6 work with pppd

Out of the box, you'll notice that you can't access the internet using IPv6.

This is because pppd doesn't create a default route for IPv6. We can force it to do this by creating another file.

Create /etc/ppp/ipv6-up.d/0000-defaultroute, and enter the following contents:

#!/bin/bash
/sbin/ip -6 route add default dev $1

Now run:

chmod 755 /etc/ppp/ipv6-up.d/0000-defaultroute

This file will now be run every time your PPP connects, and will automatically create an IPv6 default route!

Testing pppd

Before you proceed, you should test your ppp configuration.

Firstly, run:

pppoe -I eth0 -A

This should produce some output similar to the following:

Access-Concentrator: acc-aln1.ry
Got a cookie: 79 f0 19 2c d3 ec ae 4b 04 75 ee 8a 30 76 a6 ea
AC-Ethernet-Address: a0:f3:e4:34:5f:8f

If something is wrong, you will probably get:

pppoe: Timeout waiting for PADO packets

If you get this error message, check your configuration matches the examples above. If you're still stuck, contact A&A support.

Now try to actually connect:

pon aaisp
tail -n 20 /var/log/messages

This should produce output like the following:

Jul 15 22:05:45 router pppd[23049]: Plugin rp-pppoe.so loaded.
Jul 15 22:05:45 router pppd[23050]: pppd 2.4.6 started by thomas, uid 0
Jul 15 22:05:45 router pppd[23050]: PPP session is 522
Jul 15 22:05:45 router pppd[23050]: Connected to 00:03:97:1c:80:02 via interface eth0
Jul 15 22:05:45 router pppd[23050]: Renamed interface ppp0 to pppoe-aaisp
Jul 15 22:05:45 router pppd[23050]: Using interface pppoe-aaisp
Jul 15 22:05:45 router pppd[23050]: Connect: pppoe-aaisp <--> eth0
Jul 15 22:06:32 router pppd[23050]: CHAP authentication succeeded
Jul 15 22:06:32 router pppd[23050]: CHAP authentication succeeded
Jul 15 22:06:32 router pppd[23050]: peer from calling number 00:03:97:1C:80:02 authorized
Jul 15 22:06:32 router pppd[23050]: local  IP address <your WAN IP address here>
Jul 15 22:06:32 router pppd[23050]: remote IP address 81.187.81.187
Jul 15 22:06:32 router pppd[23050]: local  LL address fe80::5893:5ee6:a435:8672
Jul 15 22:06:32 router pppd[23050]: remote LL address fe80::0203:97ff:fe19:8000

If it does, then your pppd configuration works perfectly! Run the following to disconnect, and do the rest of the configuration:

poff aaisp

Setting up the rest of the router

The rest of this configuration is split into two parts - one assuming that you have a connection with only one IPv4 address and will configure NAT, and one assuming you have a block of IPv4 allocated by A&A that you wish to use on your local network.

Home::1 will generally only have one IPv4 address.

One IPv4 Address

Configuring /etc/network/interfaces

/etc/network/interfaces contains most of the network configuration for a Debian machine.

For our example, it should look like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface - the network interface carrying PPP
auto eth0
iface eth0 inet manual

auto aaisp
iface aaisp inet ppp
   provider aaisp

auto eth1
iface eth1 inet static
   address 192.168.1.1
   netmask 255.255.255.0
	
iface eth1 inet6 static
   address <your IPv6 address here>
   netmask 64

Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless.

By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks.

For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.

If you're not sure what IPv6 address to use, contact support!

Configuring your firewall

You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the iptables-persistent package - this will take care of automatically loading your firewall configuration at boot.

This example will set up:

  • Allowing all traffic from your LAN to the internet
  • Blocking unsolicited traffic from the internet to your LAN
  • NAT for IPv4

To set up some sensible defaults, do:

apt-get update
apt-get install iptables ip6tables

# clear any existing IPv4 rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
# but allow outbound traffic by default
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Set up rules for traffic going directly to the router
iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT

# Set up rules for traffic being forwarded through the router
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT

# Handle IPv4 NAT
iptables -t nat -A POSTROUTING -o pppoe-aaisp -m comment --comment "NAT" -j MASQUERADE

# clear any existing IPv6 rules
ip6tables -F
ip6tables -X
# set up default IPv6 policies
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT

# Set up rules for traffic going directly to the router
ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT
ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT
ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT

# Set up rules for traffic being forwarded through the router
ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT
ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
apt-get install iptables-persistent
systemctl enable netfilter-persistent

A block of IPv4 addresses

Configuring /etc/network/interfaces

/etc/network/interfaces contains most of the network configuration for a Debian machine.

For our example, it should look like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface - the network interface carrying PPP
auto eth0
iface eth0 inet manual

auto aaisp
iface aaisp inet ppp
   provider aaisp

auto eth1
iface eth1 inet static
   address <your IPv4 address here>
   netmask <the correct subnet mask for your IPv4 block here>
	
iface eth1 inet6 static
   address <your IPv6 address here>
   netmask 64

Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks. For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.

If you're not sure what IPv6 address to use, contact support!


For IPv4, A&A will have allocated you a block to use.

For example, your block might be: 198.51.100.96/28. In this case, you'd have 16 addresses, 14 of which are usable. The first usable IP would be 198.51.100.97 - and we would use this for your LAN IP on the router. For a /28, the correct netmask would be "255.255.255.240".

If you're not sure what to use, contact support!

Configuring your firewall

You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the iptables-persistent package - this will take care of automatically loading your firewall configuration at boot.

This example will set up:

  • Allowing all traffic from your LAN to the internet
  • Blocking unsolicited traffic from the internet to your LAN
apt-get update
apt-get install iptables ip6tables

# clear any existing IPv4 rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
# but allow outbound traffic by default
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Set up rules for traffic going directly to the router
iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT

# Set up rules for traffic being forwarded through the router
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT

# clear any existing IPv6 rules
ip6tables -F
ip6tables -X
# set up default IPv6 policies
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT

# Set up rules for traffic going directly to the router
ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT
ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT
ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT

# Set up rules for traffic being forwarded through the router
ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT
ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
apt-get install iptables-persistent
systemctl enable netfilter-persistent

Appendicies

Some users may want to change these settings. Some useful extras are documented below:

Using a full 1500 MTU