* bridge between ppp and ethernet - 1 IP address and assign it to another host
From: bert hubert @ 2005-03-05 22:04 UTC
To: netdev
Hi people,
I have an application that wants a Real IP Address, but for a variety of
good reasons, I can't connect the machine to the internet directly.
So, I need this:
DSL - Linux - Windows PC
Where I need the Windows PC to think it has the real single IP address
assigned to me by the DSL provider. I run PPTP on the Linux box, which
should not touch traffic for that IP address.
Now I know that several DSL routers are capable of this stunt, so we should
be able to do this too. But how?
Linux is pretty stubborn in routing packets for its own IP address elsewhere
(rightfully so). I previously spent some time on this with a lot of
SNAT/DNAT trickery but it is not very pleasing, nor did it work.
What we're trying to do is a lot like building a bridge between ethernet and
ppp, but not quite.
Anybody have ideas? If we find something I'll post it on http://lartc.org.
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
* bridge between ppp and ethernet - 1 IP address and assign it to another host
From: Mark Smith @ 2005-03-06 5:01 UTC
To: ahu; +Cc: netdev
Hi Ben,
(sorry for not preserving the message thread id, I'm not subscribed to netdev)
"What we're trying to do is a lot like building a bridge between ethernet and
ppp, but not quite."
I've thought doing this sort of thing would be quite useful, in
particular if the Linux box could also perform firewalling on the
"bridged" traffic.
Regards,
Mark.
--
The Internet's nature is peer to peer.
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: jamal @ 2005-03-07 12:39 UTC
To: Mark Smith; +Cc: ahu, netdev
I actually haven't quite figured out what you guys are talking about.
Did I misunderstand, or is it as simple as having ethernet on one (LAN)
side and ppp on the other (WAN) side?
cheers,
jamal
On Sun, 2005-03-06 at 00:01, Mark Smith wrote:
> Hi Ben,
>
> (sorry for not preserving the message thread id, I'm not subscribed to netdev)
>
> "What we're trying to do is a lot like building a bridge between ethernet and
> ppp, but not quite."
>
> I've thought doing this sort of thing would be quite useful, in
> particular if the Linux box could also perform firewalling on the
> "bridged" traffic.
>
>
>
> Regards,
> Mark.
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: Mark Smith @ 2005-03-07 13:56 UTC
To: hadi; +Cc: ahu, netdev
On 07 Mar 2005 07:39:59 -0500
jamal <hadi@cyberus.ca> wrote:
Hi Jamal, Bert,
(Bert, sorry for calling you Ben earlier, I must have got a bit
distracted between seeing your name on a web page, and typing it on my
email client)
I'm fairly confident that broadly I'm thinking about the same way as
Bert, although as I'm about to go into some detail, it might turn out we
have slightly different ideas.
>
> I actually haven't quite figured out what you guys are talking about.
> Did I misunderstand, or is it as simple as having ethernet on one (LAN)
> side and ppp on the other (WAN) side?
>
Not quite that simple. It's sort of "half routing" / "half bridging".
The Linux box terminates the PPP connection, including performing
authentication and acquisition of a /32 IP address from the service
provider's PPP server - a typical point-to-point scenario. However,
rather than considering that IP address to now be a local address on the
Linux host, it is then allocated to the Windows (for e.g.) box, i.e. the
IP address is assigned on the Windows box's ethernet interface. One
possibility would be for the Linux box to issue the IP address to the
Windows box via DHCP. The Windows box's default gateway would be the remote
PPP endpoint IP address, which means that the Linux box would also have
to perform Proxy ARP for that remote IP address on its Windows-facing
ethernet interface.
(I'm not sure if there would be issues with the default gateway on the
Windows box not being part of the same IP subnet that the allocated IP
address is, maybe that would be solved by assigning a /32 mask to the IP
address on the windows box, or possibly have DHCP configure a host route
on the Windows box for the default gateway, pointing out the ethernet
interface, so that it ARPs for the default gateway address, which the
Proxy ARP on the Linux box would receive. It would be interesting to see
what the DSL modems that do this trick do on the devices sitting behind
them.).
Here is the path incoming and outgoing IP packets would follow,
adding in my firewalling suggestion:
1) IP packet comes in encapsulated in PPP.
2) The Linux box decapsulates it from the PPP header / trailer.
3) The Linux box performs layer 3 firewalling processing against the IP
packet.
4) If the IP packet passes the firewall rules, it is then encapsulated
in an ethernet frame, and sent to the Windows box. This might be achieved
by configuring a host route for the IP address on the Linux box,
pointing directly to the ethernet interface, indicating it is directly
attached.
5) The windows box does whatever it wants with the IP packet, as normal.
6) The windows box sends an IP packet back, encapsulated in the ethernet
frame, via its default gateway, which would be the Linux box Proxy
ARP'ing for the IP address of the remote PPP endpoint IP address.
7) The Linux box receives the IP packet, decapsulates it, and then
passes it through the layer 3 outgoing firewalling rules again.
8) If it passes those, it is then encapsulated in PPP, and off it goes.
The role the Linux box would be performing would be PPP session
termination, layer 3 firewalling and layer 2 style forwarding between
its ethernet and PPP interfaces.
Actually, what I've just described is quite similar to translational
bridging eg 802.5 (Token Ring) <-> 802.3 (Ethernet), with a bit of layer
3 processing ie. the firewalling occurring during the translation between
the layer 2 frame formats. The reason why it isn't quite translational
bridging is that PPP doesn't really have layer 2 addresses at all, so
the ethernet device can't specify a destination address in its header of
the PPP remote endpoint layer 2 address, which is why the Linux box has
to act as a Proxy for ARPs for the IP address of the remote end. In a TR
<-> Eth translation scenario, TR and Eth use compatible IEEE MAC
addresses, so the ethernet device can be fooled into believing it is
talking to another ethernet device, and vice versa, with a device in
between performing frame translation.
pppd already supports the Proxy ARP facility, although it is commonly
used to make a PPP connected remote PC appear on the local LAN where the
PPPD server is located. In the above scenario, Proxy ARP would be making
the remote router (ie. default gateway) appear on the local LAN that the
Windows PC is attached to.
Hopefully that all makes sense! If it doesn't, please ask, I'll work
out another way to explain it, or go into more detail.
Regards,
Mark.
--
The Internet's nature is peer to peer.
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: bert hubert @ 2005-03-07 21:32 UTC
To: Mark Smith; +Cc: hadi, netdev
On Tue, Mar 08, 2005 at 12:26:43AM +1030, Mark Smith wrote:
> (Bert, sorry for calling you Ben earlier, I must have got a bit
> distracted between seeing your name on a web page, and typing it on my
> email client)
I'll live :-) there are several Bens I'd love to be confused with :-)
> I'm fairly confident that broadly I'm thinking about the same way as
> Bert, although as I'm about to go into some detail, it might turn out we
> have slightly different ideas.
Indeed, we are in full agreement. The idea is to have the ability to fully
firewall and monitor a machine that absolutely needs to have a real
routable IP address, without wasting an IP address for the router (or trying
to get an ISP to assign you multiple addresses, which can be a major chore
these days).
I'd settle for a 'dirty' solution. Remco van Mook of Virtu.nl suggested
abusing iptables -j QUEUE combined with tun/tap to inject the packets on the
ethernet side, where userspace does the PPP -> ethernet conversion by making
up the required headers.
Ideas?
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: jamal @ 2005-03-07 23:33 UTC
To: bert hubert; +Cc: Mark Smith, netdev
On Mon, 2005-03-07 at 16:32, bert hubert wrote:
> On Tue, Mar 08, 2005 at 12:26:43AM +1030, Mark Smith wrote:
I think i got it finally ..
> Indeed, we are in full agreement. The idea is to have the ability to fully
> firewall and monitor a machine that absolutely needs to have a real
> routable IP address, without wasting an IP address for the router (or trying
> to get an ISP to assign you multiple addresses, which can be a major chore
> these days).
>
> I'd settle for a 'dirty' solution. Remco van Mook of Virtu.nl suggested
> abusing iptables -j QUEUE combined with tun/tap to inject the packets on the
> ethernet side, where userspace does the PPP -> ethernet conversion by making
> up the required headers.
>
> Ideas?
Seems you will get much speedup doing it in the kernel instead.
So let's take the steps Mark posted. Actually before that, is the proxy
ARP really necessary if the windoz machines have a default gateway of
this proxy machine?
Let's look at incoming from PPP:
> 1) IP packet comes in encapsulated in PPP.
> 2) The Linux box decapsulates it from the PPP header / trailer.
> 3) The Linux box performs layer 3 firewalling processing against the
> IP packet.
Assuming 1 to 1 mapping, i.e. each pppx maps to one windows machine
(on one eth device?);
then when you issue the DHCP IP to the windoz machine you add the
following rules:
(assuming kernels 2.6.8 and up) with tc actions
eg
tc ...ingress pppx...
tc ... dev pppx u32 match 0/0 i.e match all packets that came via pppx
action some firewall rules here .. (stateless for now)
action some rate limit here ..
action mirred redirect ethx // eventually redirect to windoz
I think this should work fine; there may be need to rewrite MAC
addresses - but if you give this a shot and things are screwed up we
could redraw.
I am willing to help you resolve the issue if you put in the effort.
>4) If the IP packet passes the firewall rules, it is then encapsulated
>in an ethernet frame, and sent to the Windows box. This might be
>achieved by configuring a host route for the IP address on the Linux
> box, pointing directly to the ethernet interface, indicating it is
> directly attached.
If you do the above, do you really need to route to the windoz machines?
Let them worry about things...
On the return path it is much simpler; just have windows forward and let
routing take care of it.
So summary:
-->pppx -->"switch"---> windoz
<--pppx <-- L3route <--- windoz
cheers,
jamal
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: Mark Smith @ 2005-03-08 1:27 UTC
To: hadi; +Cc: ahu, netdev
Hi Jamal, Bert,
On 07 Mar 2005 18:33:26 -0500
jamal <hadi@cyberus.ca> wrote:
> On Mon, 2005-03-07 at 16:32, bert hubert wrote:
> > On Tue, Mar 08, 2005 at 12:26:43AM +1030, Mark Smith wrote:
>
> I think i got it finally ..
>
> > Indeed, we are in full agreement. The idea is to have the ability to fully
> > firewall and monitor a machine that absolutely needs to have a real
> > routable IP address, without wasting an IP address for the router (or trying
> > to get an ISP to assign you multiple addresses, which can be a major chore
> > these days).
> >
> > I'd settle for a 'dirty' solution. Remco van Mook of Virtu.nl suggested
> > abusing iptables -j QUEUE combined with tun/tap to inject the packets on the
> > ethernet side, where userspace does the PPP -> ethernet conversion by making
> > up the required headers.
> >
A while back I was playing a bit with policy forwarding/routing,
specifically trying to get traffic for a local address to travel
"outside" the machine that it was assigned to, rather than short
circuiting internal to the host.
All I did was move the default rule for matching local addresses from
0 within the 64K priority list to the middle of it, ie 16383. This
allowed me to insert policy forwarding rules for local addresses before
the local address match. I was then able to push traffic for local
addresses out the ethernet interface. When it returned, I then had a
policy rule that matched incoming traffic against the local address
table.
It seems to me that the biggest issue with this "transparent firewall /
ppp proxy" scenario is getting the Linux box to ignore what it thinks is
a local IP address, and throw it at its forwarding table instead. What
I did allows this to be overridden using policy forwarding. I'm not sure
about how layer 3 firewalling would work, however I'd guess that since
the packet is being forwarded, it would be matched against any iptables
FORWARD rules.
I went into some detail as to how it worked and how I set it up in the
following post. :
http://oss.sgi.com/archives/netdev/2004-06/msg00536.html
Alexey gave some feedback suggesting that doing what I was doing would
sadly cause some inconsistencies in other areas of the kernel networking
stack. Maybe if there is a more common use for this sort of ability, eg
this scenario, it would be worth putting the effort into "fixing" those other areas.
Unfortunately I don't know enough about kernel programming, and I'm a
bit rusty on C, such that I couldn't pursue these other areas myself.
Regards,
Mark.
--
The Internet's nature is peer to peer.
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: jamal @ 2005-03-08 14:10 UTC
To: Mark Smith; +Cc: ahu, netdev
On Mon, 2005-03-07 at 20:27, Mark Smith wrote:
> Hi Jamal, Bert,
>
> On 07 Mar 2005 18:33:26 -0500
> jamal <hadi@cyberus.ca> wrote:
>
> > On Mon, 2005-03-07 at 16:32, bert hubert wrote:
> > > On Tue, Mar 08, 2005 at 12:26:43AM +1030, Mark Smith wrote:
> >
> > I think i got it finally ..
> >
> > > Indeed, we are in full agreement. The idea is to have the ability to fully
> > > firewall and monitor a machine that absolutely needs to have a real
> > > routable IP address, without wasting an IP address for the router (or trying
> > > to get an ISP to assign you multiple addresses, which can be a major chore
> > > these days).
> > >
> > > I'd settle for a 'dirty' solution. Remco van Mook of Virtu.nl suggested
> > > abusing iptables -j QUEUE combined with tun/tap to inject the packets on the
> > > ethernet side, where userspace does the PPP -> ethernet conversion by making
> > > up the required headers.
> > >
>
> A while back I was playing a bit with policy forwarding/routing,
> specifically trying to get traffic for a local address to travel
> "outside" the machine that it was assigned to, rather than short
> circuiting internal to the host.
Yes, I remember that discussion ;-> Alexey wasn't very thrilled.
[I've deleted the rest of your text for brevity].
Note that the redirect at L2 overcomes the issues you were trying to
address in that email (and in fact instead of redirecting you can also
just "mirror")...
So it seems if all you do is bridge and firewall and you never involve
IP then you should be fine.
So maybe the return path as well should have no IP involvement either
and be L2 switched as well.
I think what is needed is some experimenting with some windoz test
clients, a ppp server and the middle proxy machine. Like i said i am
willing to help.
cheers,
jamal
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: Remco van Mook @ 2005-03-09 20:01 UTC
To: netdev; +Cc: jamal, ahu
I've been toying with the suggestion to do something with routing table 0 to
accomplish this, and I can report it works, standard 2.6.10 kernel. Here's how
I did it:
Assuming a linux system, connected to a local network 172.16.0.0/24, own
address 172.16.0.13, 'ppp' ip address to be assigned to a system that has
ip address 172.16.0.4
On the box that establishes the PPP connection:
1) establish ppp connection, get IP address, say 192.168.0.2
2) ip route del local 192.168.0.2
3) ip route add 192.168.0.2 via 172.16.0.4
On the other box, 172.16.0.4:
1) ip addr add 192.168.0.2 dev eth0
2) ip route add 0/0 via 172.16.0.13
I didn't bother assigning the IP address for the other box dynamically; that
might still pose a challenge - outside the scope of netdev IMHO.
Optionally you might want to SNAT outbound traffic on the PPP interface to
enforce the correct IP address. Of course the solution doesn't actually
'bridge' the traffic, you get another visible hop, but the effect is almost
the same.
Kind regards,
Remco van Mook
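Remco's recipe above as a reviewable script (an added example, not his own commands or anything from the thread). It keeps the thread's sample addresses and adds the optional SNAT he mentions plus a FORWARD-chain restriction so only the pass-through host can use the PPP address; the interface names ppp0/eth0, the iptables rules, the sysctl and the DROP policy on FORWARD (which assumes the box forwards nothing else) are this example's assumptions. With DRY_RUN=1 (the default) it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: Remco's routing-table recipe as a
# script with the optional SNAT and a minimal forwarding firewall.
# Addresses are the thread's sample values; everything else is assumed.

PPP_IF="${PPP_IF:-ppp0}"             # assumed: pppd interface on the Linux box
LAN_IF="${LAN_IF:-eth0}"             # assumed: LAN interface on the Linux box
PPP_IP="${PPP_IP:-192.168.0.2}"      # address pppd obtained from the provider
LAN_SELF="${LAN_SELF:-172.16.0.13}"  # the Linux box's own LAN address
LAN_HOST="${LAN_HOST:-172.16.0.4}"   # LAN host that should own PPP_IP

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2 and 3 of the recipe: stop treating PPP_IP as a local address and
# send it to LAN_HOST through the forwarding path instead.
ppp_box_routes() {
    run ip route del local "$PPP_IP"
    run ip route add "$PPP_IP" via "$LAN_HOST" dev "$LAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

# Forwarding-path firewall (assumed): only PPP_IP may be forwarded, and only
# between the PPP and LAN interfaces; everything else is dropped.
ppp_box_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$PPP_IF" -o "$LAN_IF" -d "$PPP_IP" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$PPP_IP" -j ACCEPT
    # Remco's optional SNAT: anything leaving via PPP carries PPP_IP.
    run iptables -t nat -A POSTROUTING -o "$PPP_IF" -j SNAT --to-source "$PPP_IP"
}

# Steps on the pass-through host (run this part on LAN_HOST, not here).
lan_host_config() {
    run ip addr add "$PPP_IP/32" dev "$LAN_IF"
    run ip route add 0/0 via "$LAN_SELF"
}

# Post-apply check on the Linux box: the lookup for PPP_IP must now go via
# LAN_HOST rather than hit the local table. Returns non-zero otherwise.
verify_route() {
    ip route get "$PPP_IP" 2>/dev/null | grep -q "via $LAN_HOST"
}

# Print (or apply) the Linux-box side.
ppp_box_routes
ppp_box_firewall
```

Run it once with the default DRY_RUN=1, read the output, then re-run with DRY_RUN=0 on the PPP box and call verify_route before trusting the setup.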
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: jamal @ 2005-03-10 0:30 UTC
To: remco; +Cc: netdev, ahu
nice solution but maybe challenging to get to work with braindead
windoz machines.
My thinking is if you have to use windoz then you probably wanna hide
everything from them - which may require kernel hacking (I think it is
worth it ;->).
cheers,
jamal
On Wed, 2005-03-09 at 15:01, Remco van Mook wrote:
> I've been toying with the suggestion to do something with routing table 0 to
> accomplish this, and I can report it works, standard 2.6.10 kernel. Here's how
> I did it:
>
> Assuming a linux system, connected to a local network 172.16.0.0/24, own
> address 172.16.0.13, 'ppp' ip address to be assigned to a system that has
> ip address 172.16.0.4
>
> On the box that establishes the PPP connection:
> 1) establish ppp connection, get IP address, say 192.168.0.2
> 2) ip route del local 192.168.0.2
> 3) ip route add 192.168.0.2 via 172.16.0.4
>
> On the other box, 172.16.0.4:
>
> 1) ip addr add 192.168.0.2 dev eth0
> 2) ip route add 0/0 via 172.16.0.13
>
> I didn't bother assigning the IP address for the other box dynamically; that
> might still pose a challenge - outside the scope of netdev IMHO.
>
> Optionally you might want to SNAT outbound traffic on the PPP interface to
> enforce the correct IP address. Of course the solution doesn't actually
> 'bridge' the traffic, you get another visible hop, but the effect is almost
> the same.
>
> Kind regards,
>
> Remco van Mook
>
* Re: bridge between ppp and ethernet - 1 IP address and assign it to another host
From: Horms @ 2005-03-16 2:37 UTC
To: bert hubert, netdev
On Sat, Mar 05, 2005 at 11:04:30PM +0100, bert hubert wrote:
> Hi people,
>
> I have an application that wants a Real IP Address, but for a variety of
> good reasons, I can't connect the machine to the internet directly.
>
> So, I need this:
>
> DSL - Linux - Windows PC
>
> Where I need the Windows PC to think it has the real single IP address
> assigned to me by the DSL provider. I run PPTP on the Linux box, which
> should not touch traffic for that IP address.
>
> Now I know that several DSL routers are capable of this stunt, so we should
> be able to do this too. But how?
>
> Linux is pretty stubborn in routing packets for its own IP address elsewhere
> (rightfully so). I previously spent some time on this with a lot of
> SNAT/DNAT trickery but it is not very pleasing, nor did it work.
>
> What we're trying to do is a lot like building a bridge between ethernet and
> ppp, but not quite.
>
> Anybody have ideas? If we find something I'll post it on http://lartc.org.
Have you tried using LVS with Direct Routing? It might do the trick
as long as the Windows PC can route outgoing packets directly through
the DSL router.
--
Horms