Using half bridge

Trying to set up an adsl modem/router to run as a modem only to use with a Linux router (and indeed many wireless routers) in NZ can be problematic owing to the lack of PPPoE support from NZ telcos. Here follows a few pointers about how to do it.

 

The Problem

Telecom NZ (along with large parts of the UK and South Africa) uses PPPoA encapsluation for its DSL, along with all the other ISPS who piggyback off telecoms network. Using the PPPoA encapsulation type with dsl products means that you cannot use pppoe from the linux router to the modem, nor use full bridging.

 

 

Why would you want to do this anyway:?

• To setup a more robust than that provided by modem/routers.
• to avoid double nat, it is bad enough without doing it twice.
• to have better control over port forwarding, vpns etc
• If you want to do ip accounting, captive portal, traffic shaping etc

 

To get an idea of the confusion this issue causes:

[http://www.ben.geek.nz/adsl-routing-solution-in-detail/]

[http://whirlpool.net.au/forum-replies-archive.cfm/806160.html]

[http://phirate.exorsus.net]/wiki/doku.php?id=nz_dsl_modem_networking]

[http://www.speedtouch.net.nz/forum/topic.asp?TOPIC_ID=1002]

[http://forums.whirlpool.net.au/forum-replies-archive.cfm/941840.html]

 

Thus the moral of the story is to take overseas howtos with a good large grain of salt.

 

Solutions

What to do then? You are left with a motley collection of choices, few of which are ideal.

• find a modem with the best possible implementation of half bridge, aka dhcp spoofing or ip extension, description below
• ditto using pptp
• use 1:1 static nat + DMZ
• use a static route in your linux router, and keep an eye on your isp and uplink

 

Half bridge explained

Originally half-bridge was a nickname given to routers that function as proxy-arp hosts, with the same ip on both interfaces. Essentially you get bridge-like functionality (think transparent bridge) but packets are actually routed, not bridged.

 

But in the case of consumer grade dsl modems, the idea behind this whole trick is to present your first downstream router with the single external IP assigned to you by the ISP, and turn routing modem into half-bridge of sorts.

 

Your modem gets configured in the following way:

• route to public ip given by isp is set at the LAN interface (with /32 mask), along with possible local addresses for management purpose, like 192.168.0.0/24
• proxy-arp flag is turned on on the LAN interface
• default route is set on the WAN interface
• LAN side runs dhcp daemon, advertising public ip - possibly but not necessarily - with faked router address and netmask (more about it below)
• Public address is not set anywhere in the modem. Actually, besides local address on the LAN interface - nothing else is assigned.

 

So what happens at your first downstream router? Early implementations set your machine as a router with default route in link scope. The effect of that is that for every internet address you need an arp entry in your arp (neighbourhood) cache. So you`re pretty much guaranteed to have to increase the arp cache. In such scenarios, dhcp runns on the modem, advertises public ip with 255.255.255.255 netmask, and the router address is the same as the public one.

• the more common method is that the modem fakes a different router address in the same, usually 255.255.255.0, which contains the address presented by ISP as well (usually public ip + 1). The idea is the same as above, but you don`t need monster arp cache anymore, and faking router address is harmless (packets will be routed properly), as it`s not set anywhere in the modem.
• there`re also a bit less sensible methods - e.g. your modem gives public ip/32, but gives router address literally out of the blue.       Sometimes the   modem gives your router an address not within public ip`s netmask.

 

As you can guess, the renewal time in such scenarios is very short - so the public ip changes can be noticed relatively quickly.

 

LINUX STATIC ROUTE FIX

Windows doesnt seem to mind the gateway being in a different subnet. But linux does.

 

`... the reason is that the router issues a DHCP lease with a default route outside of the IP/Netmask of the interface. Eg: DHCP issues IP=202.36.240.10/255.255.255.0 and a Gateway address of 202.36.1.1 Windows happily handles this (as you`ve noted). Linux`s routing tables don`t off the cuff. The solution is to create a static host route to the gateway, then set it as the default route. eg:

 

route add -host 202.36.1.1 dev eth0

route add default gw 202.36.1.1 dev eth0

 

I believe a couple of years ago I posted on this, and provided a patch to `pump` (dhcp client) which did exactly this (there is no harm if the gateway IS on the same subnet).

 

This effect by the way, not only affects Linux, but also Cisco routers, and Packeteers. Again, the work around (adding a manual host route) works with this equipment, but the cavet is that if the ISP changes their routers IP address (which can, and DOES, happen), then your manual routes fail.

 

As for the whole thing being a kludge, no kidding. As I understand, pretty much everywhere else in the world, everyone issues at least 2 IP addresses. One for your DSL router, and one for your PC. We had a team from the UK over here for a client, and they were stunned how our ADSL service worked (or rather, didn`t).

 

If someone does find a reputable, current, available in NZ with Telepermit, in stock (and predicted to be for awhile) router that does a PPPoE to PPPoA bridge, then I`d be very interested.`

 

      (source www.linux.net.nz/pipermail/nzlug/2008-April/012586.html)

 

`With linux based routers, the fix is to insert a static route to the `gateway` IP into the route table, then use that gateway IP as the default eg ifconfig eth0 <public IP> netmask 255.255.255.255 route add -host <gateway IP> dev eth0 route add default gw <gateway IP>

 

Now, the gateway IP can be any IP (except the public IP) for which there is an IP interface on the LAN side of the modem. All you want is for the WAN interface to arp for the `gateway`, which will be the mac address of the LAN side of the modem. If you try the above code without the static route, Linux complains that the gateway is not on the <public IP>/32 net - which it isn`t - but the static route fixes it. This is my understanding why some routers won`t work with half bridge, as when the DHCP client on the router WAN interface gets the parameters from the DHCP server on the LAN side of the modem, the networking code tries to insert the default GW without the static route, and fails. It is this router DHCP behavior that makes half bridge modem setups dodgy.

 

BTW, with a half bridge and Linux based routers, you don`t have to use a DHCP client on the WAN interface, you can set it up manually as above, with the absolute proviso that your public IP is static. The DNS issue can be worked around, at least with speedtouch modems, by setting the modem`s config address as the DNS server address for your local net. If you set the `<gateway IP>` to be the config address, eg 10.0.0.138 for speedtouch modems, your LAN side PC`s can have their DNS server address set to this value, and will be able to route through the Linux router to the modem.`

 

      (source:www.whirlpool.net.au/forum-replies-archive.cfm/806160.html)

 

My experience

 

So it doesnt really matter which actual IP you use for the static route so long as its in the same subnet. In my case today:

 

      * The isps gateway is actually: 58.28.15.31

      * The address the isp is issuing the modem today is 118.90.11.128

      * The address the modem is issuing me today is 118.90.11.128

      * The gateway the modem is issuing me is : 118.90.11.129 (the above+1)

 

route add -host 118.90.11.129 dev eth1 #eth1 is the linux routers WAN

route add default gw 118.90.11.129 dev eth1

 

You might need to manually reconnect the PPP link on the modem at this point to kick it back into life.

 

After the WAN IP changes it doesnt matter that the gateway is no longer 118.90.11.129, its just to give arp an idea where to start looking.

 

Also i can still get into the modems web config area from the LAN on the otherside of the the linux router. To do this you need to alter the modems web page access port to say 81, and browse to it using :81. Otherwise you wont be able to get into it, becasue there are too many web servers.

 

eg: browsing to 192.168.1.254:81 from my workstation at 192.168.0.200, via the linux router at 192.168.0.1 LAN/(192.168.1.1 WAN) to 192.168.1.254:81

MODEMS

 

The following ADSL2 modems are reported to have better than average half bridge implementation:

• Linksys AM300 (Firmware 1.19.04 ) As of Feb 08 firmware this is now reported to work. See [http://www.geekzone.co.nz/forums.asp?ForumId=49&TopicId=19132]
• DSE XH9949 ADSL2+ Modem/Router (Firmware is an exact clone of the RTA1320 but the hardware has much better air ventilation than the RTA1320)
• Dynalink RTA1320 (run hot)
• Thomson SpeedTouch 516,536,546v6 (same chipsets as RTA1320/XH9949 but better firmware)
• PCI ADSL modems with Linux support ( eg Traverse in Australia

 

PCI modems get around the bridge problem altogether by using a ppp interface in the router. However historically PCI DSL modems have had little or no driver support, and reportedly lower performance on bad lines.

 

The following are older adsl1 modems that have better than average half bridge setups. At least people have reported success with them. They may get you going for now but not a long term solution with ADSL2.

 

• Thomson Speedtouch (PPTP with pptp-client) 510, pro ,536 etc
• 3com Homeconnect
• Dlink 302
• netgear 834
• nokia m1122 (has PPtP pass through of a PPPoA connection which is probably a better option then half-bridge)

 

Finally there is the prospect of a better solution:

• Draytek Vigor 120, new product, adsl2, modem only.
• Draytek Vigor DV2700e (http://www.delphinus.co.nz/draytek-vigor-dv2700e/) Has a PPPoE to PPPoA bridging device.

www.webspaces.net.nz/page.php?view=using-half-bridge 2011-08-02