# iptables and move to ppp interface

## robthebob

Hi all,

I use an iptables-based firewall on my Gentoo server, which performs routing for my house and NATs traffic as appropriate. I have an Ethernet modem that connects and passes the IP through to eth0. Recently I changed my setup to use pppoa on the Gentoo box and simply use the modem as a bridge. This left me with a ppp0 interface having the IP address and eth0 existing, but having no IP address (and according to tshark, not having any packets pass through it). I changed eth0 to ppp0 in my firewall script and reran it.

At this point things started to work pretty well. Most websurfing and all the other stuff I tend to do seemed to be fine, except for two things:

1. My internet banking website login page would not come up.

2. The hotmail login page would not load.

Both SSL, so some kind of link there.

When dumping packets from various interfaces to try and figure out what was going on I obtained the result that some packets just after the initial opening of the SSL connection were being dropped, but I just could not see what. In the end I changed back to having the modem doing the dialling and eth0 having the IP address. Once again everything worked fine.

So... I am happy that it works at the moment, but very frustrated that I don't know why it didn't work using ppp. I would really appreciate any advice you guys have to offer.

----------

## DawgG

i've had the same problem on a similar dsl-setup.

the banking-pages loaded without problems again after i had changed the local clients' mtu to 1492 (you might have to experiment with this value a little bit, maybe ask your isp)

hope it works!

----------

## robthebob

My /etc/conf.d/net had the following values for the ppp interface:

```
pppd_ppp0=(
   "noauth"
   "defaultroute"
   "default-asyncmap"
   "ipcp-accept-remote"
   "ipcp-accept-local"
   "lcp-echo-interval 15"
   "lcp-echo-failure 3"
   "persist"
   "holdoff 2"
   "mru 1492"
   "mtu 1492"
   "debug"
   "lock"
)
```

Do you think I should try reducing the mtu? It seems like 1492 should be the right value.

----------

## DawgG

what's the mtu on the clients' nics right now? is it 1500?

only change the mtu on the clients (that's what helped in my case, i think that's a well-known dsl-issue), not on the (dsl)-router. there's an iptables-rule that can do that on the router (can't recall it right now, sth like "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" (DON'T USE THIS VERBATIM) )

try this on one client (assuming eth0 is the nic you want to use)

```
ifconfig eth0 mtu 1492
```

and see if the pages load. if you've found the correct value, you can put it in /etc/conf.d/net, eg

```
config_eth0=( "192.168.0.2/24 brd 192.168.0.255 mtu 1492" )
```

good luck!

----------

## robthebob

Are you saying that I would need to change the mtu on all the machines apart from the router? That isn't really an acceptable solution for me because of friends bringing their laptops into the house and other people's computers. I would have thought it could be handled transparently by the routing machine.

----------

## DarKRaveR

*robthebob wrote:*

> Are you saying that I would need to change the mtu on all the machines apart from the router? That isn't really an acceptable solution for me because of friends bringing their laptops into the house and other people's computers. I would have thought it could be handled transparently by the routing machine.

That's why you should use the iptables rule. Read this, it explains why the path discovery in certain cases does not work and how to fix it.

http://security.maruhn.com/iptables-tutorial/x10386.html

BTW: If you have an ethernet modem, how can you be using PPPoA ?
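What the rule DawgG mentioned and the tutorial DarKRaveR linked actually do on the router: on every forwarded TCP SYN, the MSS option the client advertised (typically 1460 for a 1500-byte LAN MTU) is rewritten so that the remote end never sends a segment larger than the ppp0 link can carry (1492 - 20 IP - 20 TCP = 1452 bytes). That is why the LAN clients can keep their default MTU. The example below is added here and is not code from the thread or from iptables; it reimplements the same clamping step on a constructed IPv4/TCP SYN in Python so you can see exactly which bytes `TCPMSS --clamp-mss-to-pmtu` changes. The packet builder, addresses and port numbers are constructed sample input, and the MTU of 1492 is taken from robthebob's pppd config.

```python
"""MSS clamping of a TCP SYN, worked example (constructed input, not thread code)."""
import socket
import struct

IP_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20         # TCP header without options
PPPOE_MTU = 1492         # "mtu 1492" from the pppd config in the thread
TCP_SYN = 0x02


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv4 packet on a link with this MTU."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def checksum(data):
    """Standard Internet (ones' complement) checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src, dst, tcp):
    """TCP checksum, covering the IPv4 pseudo-header plus the TCP segment."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    return checksum(pseudo + bytes(tcp))


def build_syn(src_ip, dst_ip, sport, dport, mss, flags=TCP_SYN):
    """Construct an IPv4/TCP SYN carrying a single MSS option (constructed sample)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)           # kind=2 (MSS), len=4, value
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                data_offset << 4, flags, 65535, 0, 0) + options)
    tcp[16:18] = struct.pack("!H", _tcp_checksum(src, dst, tcp))
    total_len = IP_HDR_LEN + len(tcp)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                               0x4000, 64, 6, 0, src, dst))  # DF bit set
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def tcp_checksum_ok(packet):
    """True when the TCP checksum in the packet verifies (sum over it yields 0)."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet, mtu):
    """Rewrite the MSS option of a TCP SYN so it fits the outgoing MTU.

    This mirrors what iptables' TCPMSS --clamp-mss-to-pmtu does on the router.
    Returns (packet, original_mss, effective_mss); non-SYN packets and SYNs
    without an MSS option are returned unchanged with (None, None).
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                       # not TCP
        return packet, None, None
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:                # only SYN / SYN-ACK carry MSS
        return packet, None, None
    doff = (tcp[12] >> 4) * 4
    limit = mss_for_mtu(mtu)
    i, original = TCP_HDR_LEN, None
    while i < doff:                          # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                        # end of options
            break
        if kind == 1:                        # NOP, single byte
            i += 1
            continue
        olen = tcp[i + 1]
        if kind == 2 and olen == 4:          # MSS option found
            original = struct.unpack("!H", tcp[i + 2:i + 4])[0]
            if original > limit:
                tcp[i + 2:i + 4] = struct.pack("!H", limit)
            break
        i += olen
    if original is None:
        return packet, None, None
    tcp[16:18] = b"\x00\x00"                 # recompute checksum after the rewrite
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], tcp))
    return packet[:ihl] + bytes(tcp), original, min(original, limit)


if __name__ == "__main__":
    syn = build_syn("192.168.0.2", "203.0.113.10", 40000, 443, 1460)
    clamped, old, new = clamp_mss(syn, PPPOE_MTU)
    print("MSS %d -> %d, checksum ok: %s" % (old, new, tcp_checksum_ok(clamped)))
```

On the router itself the equivalent rule goes in the mangle table's FORWARD chain, restricted to the PPP interface, for example `iptables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`; the kernel then derives the limit from the interface MTU the same way `mss_for_mtu` does here. A quick check that it is taking effect is to watch a SYN leave ppp0 with tshark and confirm the MSS option reads 1452 rather than 1460.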

----------

## robthebob

*DarKRaveR wrote:*

> That's why you should use the iptables rule. Read this, it explains why the path discovery in certain cases does not work and how to fix it.
> 
> http://security.maruhn.com/iptables-tutorial/x10386.html
> ...

Looks good, I'll give this a go.

The connection to my ISP is PPPoA - this is handled by the modem. My routing machine uses PPP (perhaps oE then rather than oA) to communicate to the ISP, and this is translated by the modem appropriately. I have the modem set to RFC1483 bridging mode.

----------

## DarKRaveR

So you are using PPPoE and the modem bridges. What puzzles me is, how did you do this before?

Oh, and I was asking, because if you have a PCI(e) DSL Modem in your computer, you could skip the PPPoE stuff and really use PPPoA directly AFAIK, just wanted to make sure.

----------

## robthebob

Previously I used standard ethernet to connect to the modem and the modem held the login details and performed the authentication etc. It then passed on the IP address to my routing machine.

The difference is essentially:

1) Interface was eth0, modem has all settings, username, password etc.

2) Interface is ppp0, modem in bridging mode only.

In both cases the interface obtains the same IP address.

----------

