Subject: pppoe on port-alpha
To: None <port-alpha@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: port-alpha
Date: 03/04/2003 22:24:34
I'm running current-20021205 and pppoe(4) is broken on the Alpha.  It
works fine from the same source tree built for mipsel or i386.  I had
to use the old mouse-pppoe package instead, and that works fine.

Maybe pppoe(4) is fixed on Alpha by now.  I should file a pr but it is
such a bitch to build -current for all three archs and fix all the
stupid tiny build problems that invariably hang it up, to see if the
problem is fixed already.  I collected a matrix of tcpdumps (pppoe
peer on one axis, tcpdumper on the other---it was weird in that the
Alpha did not incriminate itself.  tcpdump on the Alpha showed normal
pppoe packets, while tcpdump on mipsel pointed at the same network
segment revealed the bogosity) to file a pr but lost them.  sorry, I
am too disorganized right now.

In the meantime there is no documentation for mouse-pppoe, but what
you do is:

1. build the ancient mouse-pppoe package.  Ignore the decoy ``roaring
   penguin'' pppoe package which will install a pile of penguin shit
   that doesn't work and a pile of enthusiastic, chatty, arrogant
   documentation (cough).

2. create an /etc/ppp/pap-secrets with your ISP username and password.

3. bring up the interface with no IP address

   ifconfig tlp0 up

4. start mouse-pppoe specifying your username as the second parameter

   mouse-pppoe tlp0 vrsq45dz

4a. options files in /etc/ppp aren't used. (? i think)

5. if you want it to actually work, start mouse-pppoe from within a
   shell script that does while true; do mouse-pppoe ...; done

6. and use a super-complicated script to kill it if the link goes down.

7. mouse-pppoe sets the MTU to 1400 for no particularly good reason,
   so adjust your NAT mssclamp accordingly.

here are my config files.  Please do not give me unsolicited advice
about ``security.''  If this helps you, great, but I'm not looking for
help in return.  

BTW vze4j35s is my _username_.  yes.  Hurrah for the glass-edge
sharpness of brilliant bleeding-edge incumbent carriers that use one
PVC for all their customers, and may the FCC reward them handsomely
for their valuable contribution to our ``broadband infrastructure.''

/etc/ifconfig.rtk0
-----8<-----
up
!nohup ksh -c "while true; do mouse-pppoe $int vze4j35s; sleep 10; done" > /dev/null 2>&1 &
-----8<-----

/etc/ppp/ip-down
-----8<-----
#! /bin/ksh

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

route delete -net default $5
ipf -y

# ksh seems to die more quickly (or, at all) given -HUP.
kill -HUP `cat /var/run/network-watchdog.pid`

-----8<-----

/etc/ppp/ip-up
-----8<-----
#! /bin/ksh

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

# ooo you thought you could just put 'defaultroute' in /etc/ppp/options 
# didn't you? ahHAHAHAHAHA!
route delete -net default > /dev/null 2>&1 || true
route add -net default $5

# dynamic IP address.
ipf -y

/etc/ppp/network-watchdog &

-----8<-----

/etc/ppp/network-watchdog
-----8<-----
#! /bin/ksh

PATH=/usr/local/sbin:/usr/pkg/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/pkg/bin:/usr/bin:/bin

#most of this script is locking.  probably, there is a faster way to do this.
#my thinking is not entirely clear.  however, i think that this slow way
#is correct.

# remove the trivial case
touch /var/run/network-watchdog.pid || exit 1

#existence of $$.network-watchdog.pid is the locking-lock.  ownership of the 
#main lock is guaranteed not to change when a locking-lock doesn't exist.
#so, grab the locking-lock.  unlike the main lock, we are guaranteed to get
#it eventually.
locklocked=0
while [ $locklocked = 0 ]; do
	ln /var/run/network-watchdog.pid /var/run/$$.network-watchdog.pid
	[ -e /var/run/$$.network-watchdog.pid ] || exit 1
	locklocked=1
	for t in /var/run/*.network-watchdog.pid; do
		pid=$(basename $t .network-watchdog.pid) 
		if [ -z "$pid" ]; then
			rm -f /var/run/$$.network-watchdog.pid
			exit 1
		fi
		if [ $(ps -p $pid | wc -l) -eq 1 ]; then
			rm -f $t
		else
			if [ $pid != $$ ]; then
				locklocked=0
				rm /var/run/$$.network-watchdog.pid
				sleep $(( $(date +%s) % 3 + 5 ))
				break
			fi
		fi
	done
done

#break the main lock
echo $$ > /var/run/network-watchdog.pidnew.$$
mv -f /var/run/network-watchdog.pidnew.$$ /var/run/network-watchdog.pid

#if the lock was real, give it back and release the locking-lock.
pid=$(cat /var/run/$$.network-watchdog.pid)
if [ -n "$pid" ] && [ $(ps -p $pid | wc -l) -gt 1 ]; then
	mv -f /var/run/$$.network-watchdog.pid /var/run/network-watchdog.pid
	exit 1
fi

#release the locking-lock.
rm /var/run/$$.network-watchdog.pid


logger -p daemon.notice -t network-watchdog[$$] "network-watchdog running."
trys=0

while :; do
	while ping -n -c 2 -i 2 -w 16 -o $(ifconfig ppp0 | grep "	inet " | sed -e 's/^.* -> //' -e 's/ netmask .*$//') < /dev/null > /dev/null 2>&1; do
		trys=0
		sleep 16
	done
	trys=$(( $trys + 1 ))

	if [ $(( $trys % 4 )) -eq 0 ]; then
		logger -p daemon.notice -t network-watchdog[$$] "Restarting pppd because there was no response to four ICMP echo-requests sent to the PPP peer."
		kill -HUP $(cat /var/run/ppp0.pid)
		# we no longer believe in sleeping at this point in the state diagram.  
		# rather, we are waiting for ip-down to kill the network-watchdog.  The 
		# outer loop is not used in normal operation.
		sleep 60
		logger -p daemon.notice -t network-watchdog[$$] "WARNING---the watchdog survived restarting pppd.  This wasn't expected by its programmer."
	fi
done


-----8<-----

/etc/ppp/pap-secrets
-----8<-----
# authenticatee		authenticator		password	allowed ips
vze4j35s		*			argldyGar-b
-----8<-----

/etc/ipnat.conf
-----8<-----
#
# The 'map' entries are for outgoing connections.  Microsoft ``Internet 
# Connection Sharing.''  no ping.  Only TCP and UDP.  0/32 allows ppp0 
# address to be dynamic.
#
# The 'rdr' entries at the end are for incoming connections.
#
# _______
# Proxies
# 
# see pppoe(4) for discussion of mssclamp.
#
# IP Filter proxies in general are as:
#  proxy [port <portname>] <tag>/<protocol>
#  the <tag> should match a tagname in the proxy table, as does the protocol.
#  and it must come before non-proxy NAT rules that also match the same 
#  packets.
# I think non-passive FTP should also work, while with no proxy only 
# passive FTP works.  
# I'm not sure if we're allowed to use mssclamp with this.  The problem is 
# that 'proxy' is not documented except by example, and of the several 
# proxies built into IPFilter, ftp/tcp is the only one that's even documented 
# by example---the others aren't even mentioned outside the source code.  
# Darren Reed IPFilter sucks documentation-wise.
map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp   ftp/tcp    mssclamp 1360
#
# http://www.mail-archive.com/ipfilter@coombs.anu.edu.au/msg01248.html
#  and don't you fucking scoff at rsh.  It can be Kerberized, remember?
map ppp0 192.168.0.0/16 -> 0/32 proxy port shell rcmd/tcp   mssclamp 1360
#
# probably broken.  The problems are twofold:
#  1. This rule is for IKE only.  The proxy needs to make a NAT entry 
#     for 'protocol esp'.
#  2. Even if it worked, probably only one person on the inside could 
#     use IPsec at a time, and it probably wouldn't work with all 
#     IPsecs.
#  thus our solution for the hard-core should be an IPv6 tunnel.  they can 
#  do IPsec over IPv6 if they want real non-ssh PKI and encryption.
#  http://www.cs.ndsu.nodak.edu/~davlarso/ipf/
map ppp0 192.168.0.0/16 -> 0/32 proxy port 500   ipsec/udp
#
# does this random shit even work?
#  http://home.earthlink.net/~jaymzh666/ipf/IPFques.html#29
#  http://www.drones.com/obsd29-fw.html
map ppp0 192.168.0.0/16 -> 0/32 proxy port 7070  raudio/tcp mssclamp 1360
map ppp0 192.168.0.0/16 -> 0/32 proxy port 554   raudio/tcp mssclamp 1360
map ppp0 192.168.0.0/16 -> 0/32 proxy port 1720  h323/tcp   mssclamp 1360
#
# _________ 
# Plain NAT
#
map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp 1024:65535 mssclamp 1360
#
# _______________
# Port forwarding
#
# this is for so-called ``servers.''
# redir entries are for outside hosts trying to reach the Verizon-assigned
#  ``dynamic, real'' IP address.  castrovalva will answer most of these 
#  itself, but a few are sent to phoenix's ``static, fake'' address.
#
# ftp.proxy is listening on castrovalva's port 8021, 
#  forwarding to 192.168.1.11:21
# <boggle.>  just listen on port 1121 with ftp.proxy, no need for NAT.
#rdr ppp0 0/0 port 1121 -> 127.0.0.1 port 8021 tcp
# noooo....:
#rdr ppp0 0/0 port 1121 -> 192.168.1.11 port 21 tcp
rdr ppp0 0/0 port 1122 -> 192.168.1.11 port 22 tcp
rdr ppp0 0/0 port 1180 -> 127.0.0.1 port 80 tcp
#
-----8<-----

/etc/sysctl.conf
-----8<-----
#!/sbin/sysctl -f
#
# $NetBSD: sysctl.conf,v 1.3 2000/04/15 21:14:49 tsarna Exp $
#
# sysctl(8) variables to set at boot time.

# Default core name template:
#kern.defcorename=%n.core

# Number of kernel threads to use for NFS client
#vfs.nfs.iothreads=4
vm.execmax=80

# for combination of stupid pppoe and broken firewalls
# see pppoe(4) and mssclamp in /etc/ipnat.conf
net.inet.tcp.mss_ifmtu=1
-----8<-----

-- 
I'm a troo believer that goes for what I see,
And one leetl flour is not eeNOUGH for a bee.
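The locking scheme in the network-watchdog script above is the one piece of the mail that is easy to get subtly wrong, so here it is as an added example (not part of the original mail, and not the author's code): the same "locking-lock" protocol written as a reusable POSIX sh function that can be exercised on its own. The lock directory is a parameter instead of /var/run, liveness is checked with kill -0 instead of counting ps(1) output lines, and the retry loop is bounded; those three changes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original mail: the "locking-lock" protocol of
# the network-watchdog script above, as a reusable POSIX sh function.  The design
# is the mail's: every contender first creates its own per-pid lock file, then
# scans all of them.  A file whose pid is dead is garbage and is removed, a live
# rival means back off and retry, and only a contender that saw no live rival
# may read and rewrite the main pid file.  Two contenders can never both pass
# the scan, because each creates its own file before scanning, so whichever
# created second sees the first.  Assumptions of this example (not in the
# mail): the lock directory is a parameter instead of /var/run, liveness is
# checked with kill -0 instead of counting ps(1) lines (all contenders must run
# as the same user for that to be reliable), and the retry count is bounded.

# pid_alive PID: 0 if a process with that pid exists.
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# lock_acquire DIR NAME PID
# Returns 0 if PID now owns DIR/NAME.pid, 1 if a live process already owns it
# or the locking-lock stayed contended too long.  Ownership ends when the
# owner exits; there is no explicit unlock, exactly as in the watchdog.
lock_acquire() {
    dir=$1 name=$2 mypid=$3
    main="$dir/$name.pid"
    mine="$dir/$name.$mypid.lock"
    tries=0
    while :; do
        : > "$mine" || return 1                  # announce ourselves first
        rival=0
        for f in "$dir/$name".*.lock; do
            [ -e "$f" ] || continue              # glob matched nothing
            pid=${f##*/}; pid=${pid#"$name".}; pid=${pid%.lock}
            [ "$pid" = "$mypid" ] && continue
            if pid_alive "$pid"; then
                rival=1
            else
                rm -f "$f"                       # contender died mid-protocol
            fi
        done
        [ "$rival" -eq 0 ] && break
        rm -f "$mine"                            # back off with pid-dependent jitter
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || return 1
        sleep $((mypid % 3 + 1))
    done
    # Locking-lock held: nobody else may read or rewrite $main right now.
    holder=$(cat "$main" 2>/dev/null || :)
    if [ "$holder" != "$mypid" ] && pid_alive "$holder"; then
        rm -f "$mine"
        return 1                                 # a real, live owner
    fi
    echo "$mypid" > "$main.new.$mypid" && mv -f "$main.new.$mypid" "$main"
    status=$?
    rm -f "$mine"                                # release the locking-lock
    return $status
}

# lock_owner DIR NAME: prints the pid recorded in the main lock, if any.
lock_owner() {
    cat "$1/$2.pid" 2>/dev/null || :
}

# Stand-alone use:  sh lock.sh demo /tmp
if [ "${1:-}" = demo ]; then
    if lock_acquire "${2:-/tmp}" network-watchdog "$$"; then
        echo "pid $$ owns the lock"
    else
        echo "lock held by pid $(lock_owner "${2:-/tmp}" network-watchdog)"
    fi
fi
```

The main pid file is replaced with a write-to-temp-then-mv, as the original does, so a reader never sees a half-written pid. The per-pid locking-lock files are plain empty files here rather than hard links to the main lock, because the pid is recovered from the file name; that avoids the window in which a freshly created but not yet written file would read as an empty pid.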