# ADSL and baselayout (SOLVED)

## r00t440

I think the new baselayout has some problems. I am using baselayout-1.12.5.

Here's how it goes:

If you have a DSL connection, the traditional way was to use rp-pppoe. But with the latest baselayout, you are advised to use the PPPoE module instead.

In my /etc/conf.d/net I have the following settings for my DSL connection:

```
...
config_ppp0=( "ppp" )
link_ppp0="eth_wan"
plugins_ppp0=( "pppoe" )
username_ppp0='someuser@isp'
password_ppp0='somepass'
pppd_ppp0=( "updetach defaultroute" )
```

I can authenticate successfully to my ISP and get a connection, and I guess I can ping everyone on the internet, meaning I don't have any problem with DNS. After setting up my NAT, it appears that I can't browse any website but Google (other sub-domains of Google are also inaccessible). I have not tried browsing from my Gentoo box since I've set it up as my gateway/router. From behind NAT, I can ping any IP address but I can't browse any website except Google.

So I've resorted to the rp-pppoe package, which solved my problem.

My /etc/conf.d/net now looks like this:

```
...
config_eth_wan=( "adsl" )
...
```

The new baselayout's module mode is flawed, so currently I'm using the rp-pppoe package; or maybe I have missed something. Please someone point out my mistake. Thanks.

Last edited by r00t440 on Fri Sep 29, 2006 2:57 am; edited 2 times in total

----------

## k0001

Exactly the same problem here!

https://forums.gentoo.org/viewtopic-t-502169.html

I'll try changing to rp-pppoe.. hope it works.

I'm filing a bug in a minute.

----------

## k0001

OK! That worked!... but, let me ask you, how can I add rp-pppoe to autoconnect on startup?

----------

## r00t440

 *k0001 wrote:*   

> OK! That worked!... but, let me ask you, how can I add rp-pppoe to autoconnect on startup?

 

Set your /etc/conf.d/net to something like:

```
...
config_eth_wan=( "adsl" )
...
```

Hope that helps...

----------

## k0001

Thanks

https://bugs.gentoo.org/show_bug.cgi?id=149277

----------

## r00t440

Thanks for making a bug report.

Btw, I've been thinking about the problem lately and I thought that it may not necessarily be a problem with baselayout but rather it's a problem with the net-dialup/ppp package, since the PPPoE module comes with net-dialup/ppp.

It also appears to me that the problem has something to do with MSS. In rp-pppoe you have the option to "clamp the MSS"; I wonder if it's possible with the PPPoE module. I'll try to search around for answers.

----------

## r00t440

Hello, I am successful in using the PPPoE module. To clamp MSS you have to add a rule in your mangle table with something like:

```
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1412
```

Now I can browse any website from behind NAT. But I guess this is still a problem with net-dialup/ppp or baselayout. 

I have reverted my /etc/conf.d/net settings back and it uses the PPPoE module now, since rp-pppoe is already deprecated - according to the latest baselayout.

Here's what my /etc/conf.d/net looks like:

```
...
config_ppp0=( "ppp" )
link_ppp0="eth_wan"
plugins_ppp0=( "pppoe" )
username_ppp0='someuser@isp'
password_ppp0='somepass'
pppd_ppp0=( "updetach defaultroute" )
...
```

----------

## UberLord

 *r00t440 wrote:*   

> Now I can browse any website from behind NAT. But I guess this is still a problem with net-dialup/ppp or baselayout. 

 

baselayout does nothing with NAT or iptables rules, and probably never will.

----------

## mrness

 *UberLord wrote:*   

>  *r00t440 wrote:*   Now I can browse any website from behind NAT. But I guess this is still a problem with net-dialup/ppp or baselayout.  
> 
> baselayout does nothing with NAT or iptables rules, and probably never will.

 

Same goes for pppd. Nothing from baselayout or net-dialup/ppp has anything to do with the iptables.

Maybe you got confused by the fact that rp-pppoe does change the iptables rules (see /etc/ppp/firewall-* files).

We declared adsl baselayout module obsolete because it was superseded by ppp module and because the new way is a lot saner than those crappy rp-pppoe scripts. If you are happy with rp-pppoe, knock yourself out. No one plans to remove adsl module; not in the foreseeable future anyway.

----------

## r00t440

Wow, finally the devs responded.

First of all I am very sorry for what I've concluded, please understand that I am just starting to learn Linux. I think it would be best if we focus on solving the problem. I'm not sure which package the file /etc/conf.d/net belongs to, but AFAIK it belongs to baselayout. IMO, there should be an option in /etc/conf.d/net for "clamp MSS".

Thanks in advance.

----------

## mrness

 *r00t440 wrote:*   

> wow, finally the devs responded.

 

Not many devs read forums and certainly you won't get a response the next hour you ask. Usually advanced users take their time to answer. If you want an answer, choose your subject carefully, ask smart questions and be patient.

 *r00t440 wrote:*   

> I'm not sure which package the file /etc/conf.d/net belongs to, but AFAIK it belongs to baselayout.

 

true

 *r00t440 wrote:*   

> IMO, there should be an option on /etc/conf.d/net for "clamp MSS".

 

And how can we tell what position in the chain users want? How about the other parameters of the rule? When should this rule be added and when should it be removed?

As we already said, baselayout doesn't care what firewall rules you have and it isn't its job to know about it. Sure, if you want to alter your firewall in the preup() function, you are free to do it, but the user must take this decision. From the general perspective, /etc/{conf,init}.d/iptables is the one responsible for your firewall.

As a side note, in a perfect world (the one in which network admins will be competent enough to know better than blocking ICMP frag-needed), this iptables rule shouldn't exist.
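
The approach from the post above (altering the firewall from preup() and deciding when the rule is added and removed), as an added example that is not part of the original thread or of baselayout: it installs r00t440's TCPMSS rule idempotently when ppp0 comes up and removes it in postdown(). The helper names, the `CLAMP_*` and `LINK_MTU` variables, and the use of `iptables -C` are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumption: sourced from /etc/conf.d/net, where baselayout
# calls preup() and postdown() with IFACE set to the interface name.

CLAMP_IFACE="ppp0"   # PPPoE interface from the thread's config
CLAMP_MSS="1412"     # value used in the thread's iptables rule
LINK_MTU="1492"      # Ethernet 1500 minus 8 bytes of PPPoE/PPP header

# Largest IPv4 TCP payload for an MTU: MTU - 20 (IP) - 20 (TCP).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# One definition of the rule, so check, add and delete always match.
clamp_rule() {
    echo "FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss ${CLAMP_MSS}"
}

clamp_add() {
    # Refuse a clamp larger than the link can carry: it would fix nothing.
    [ "${CLAMP_MSS}" -le "$(mss_for_mtu "${LINK_MTU}")" ] || return 1
    # -C (iptables >= 1.4.11) succeeds when the identical rule exists.
    iptables -t mangle -C $(clamp_rule) 2>/dev/null ||
        iptables -t mangle -A $(clamp_rule)
}

clamp_del() {
    # Remove every copy, in case the rule was appended by hand as well.
    while iptables -t mangle -C $(clamp_rule) 2>/dev/null; do
        iptables -t mangle -D $(clamp_rule) || return 1
    done
    return 0
}

preup() {
    if [ "${IFACE}" = "${CLAMP_IFACE}" ]; then
        clamp_add || echo "MSS clamp not installed for ${IFACE}" >&2
    fi
    return 0   # never block the interface because of the firewall rule
}

postdown() {
    if [ "${IFACE}" = "${CLAMP_IFACE}" ]; then
        clamp_del
    fi
    return 0
}
```

The thread's value of 1412 is below the 1452-byte ceiling for a 1492-byte PPPoE MTU, so the sanity check in `clamp_add` passes with it.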

----------

## tnt

There's a CLAMPMSS option in /etc/ppp/pppoe.conf

```
cat /etc/ppp/pppoe.conf |grep CLAMPMSS
CLAMPMSS=1412
#CLAMPMSS=no
```

Should it be enough or do I have to use a firewall rule?

Which sites do not work with invalid CLAMPMSS settings?

(I want to try them to see if everything is OK)

----------

## r00t440

 *mrness wrote:*   

> 
> 
> As we already said, baselayout doesn't care what firewall rules you have and it isn't its job to know about it. Sure, if you want to alter your firewall in preup() function, you are free to do it, but the user must take this decision. From the general perspective, /etc/{conf,init}.d/iptables is the one responsible with your firewall.

 

OK, correct me if I am wrong, and apologies for being naive. It appears that this Clamp MSS thingy is iptables/firewall stuff. Right? Hmm OK, now I am starting to understand things. The previous rp-pppoe package automatically sets a firewall rule for this, that's why NATed PPPoE connections work fine with rp-pppoe. Maybe it would be better if there were a note on this issue in the /etc/conf.d/net.example file. Thanks for everyone's patience!

 *tnt wrote:*   

> there's a CLAMPMSS option in /etc/ppp/pppoe.conf 
> 
> ```
> cat /etc/ppp/pppoe.conf |grep CLAMPMSS
>
> ...
> ```

 

@tnt The conf file you mentioned is utilized by the rp-pppoe package. If you are using that package then it is very likely that everything's going to work just fine. But, that approach is already deprecated according to the latest baselayout. If you plan to use the PPPoE module, then you need to add a firewall rule for the "Clamp MSS" thingy.

----------

## mrness

 *tnt wrote:*   

> Should it be enough or do I have to use a firewall rule?

 

I was wrong. rp-pppoe doesn't use a firewall rule to limit MSS, it uses pppoe for that (the program passes each and every received/sent package to an internal function which alters the MSS if that is the case).

In the iptables world things are different. Rules have parameters and it is just plain wrong to assume things on users' behalf. If you want that, then the *nix world isn't for you.

That being said, a nice warning in net.example followed by a recommended iptables rule would probably be worth its water. Open a bug requesting just this.

----------

## r00t440

 *mrness wrote:*   

> That being said, a nice warning in net.example followed by a recommended iptables rule would probably be worth its water. Open a bug requesting just this.

 

https://bugs.gentoo.org/show_bug.cgi?id=149525

----------

