Wednesday, February 02, 2022

Re: PPPoE with VLAN in different rdomain

On 2022-02-02, Georg Pfuetzenreuter <georg@syscid.com> wrote:
> Hi,
>
> I currently have the following set up in the default routing table:
>
> Physical interface - vio0
> VLAN interface - vlan3 (parent vio0)
> PPPoE interface - pppoe0 (pppoedev vlan3)
>
> I now want to set up a second PPPoE interface - since the manual
> pppoe(4) states "Two pppoe interfaces configured with the same wildcard
> destination address cannot share a routing table." I need to replicate
> above setup in a second rdomain.

You can, however, use different wildcard addresses for each pppoe interface:
0.0.0.2, 0.0.0.3, [...] 0.0.0.255

> I attempted two approaches:
> a) keeping the physical interface in the default rdomain 0, and
> installing a second VLAN interface in rdomain 1
> -> the second VLAN interface does not seem to be able to communicate
> with the physical one (makes sense)
>
> b) keeping the physical and the single VLAN interface in the default
> rdomain 0, and installing the second PPPoE interface in rdomain 1
> -> the second PPPoE interface does not seem to be able to communicate
> with the VLAN interface (makes sense too)

There's no routing table or PF in between pppoe and the interface it's
running on (i.e. the pppoedev interface), likewise between a vlan and the
parent interface (in common configurations there isn't even an IP address
on that pppoedev/parent interface). I don't think it matters for what
you've described which rdomain is on the pppoedev or parent interfaces,
only on the pppoe itself.

> The only approach I can think of, is routing between the two rdomains
> with pf.
> Is that the only way to go, or can I avoid the packet filter in the
> middle? It feels like it might complicate troubleshooting future PPPoE
> connection issues on the second PPPoE interface.
>
> If it is the only way to go, what would be the cleanest approach,
> avoiding the leakage of WAN traffic between the rdomains?
> I was unable to locate any `rdr-to` examples involving PPPoE - since the
> PPPoE interfaces do not have an IP address before they authenticate to
> the remote server (as I am using wildcards allowing the remote PPPoE
> endpoint to assign an address), I assume it would be easier to forward
> on a VLAN level. However that would require dissecting between the two
> separate PPPoE exchanges - I thought of this pseudo-pf-code, but cannot
> find a feasible way to "tag" pppoeX-traffic *before* the interface has
> an IP address:
> match on pppoe1 to any rdr-to vlan3:network rdomain 0
> match on vlan3 to any <pppoe0-traffic> rdr-to pppoe1:network rdomain 1

You're trying to combine two different ways of handling the situation
here where you only use one or the other, but I think you haven't discovered
the pf.conf flags/modifiers to use with it.

I think the easier way for this is to keep everything in the default
rdomain and use route-to (not rdr-to); the :network modifier is not what
you want - you'll want "pppoe1:peer" instead

    :network    Translates to the network(s) attached to the
                interface.
    :peer       Translates to the point-to-point interface's peer
                address(es).

The other way to do it is put the pppoe interfaces (and possibly the
vlan containing your client machines) in rdomains and use pf "rtable"
rules to move traffic between them.

The other thing you're likely to need is making sure packets are natted
to the relevant address for the pppoe interface which they're sent out of.

--
Please keep replies on the mailing list.
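The single-rdomain approach from the reply above, written out as configuration. This is an added example, not the reply's author's own configuration nor anything from the original thread. Assumed names and addresses: a second VLAN vlan2 (10.0.2.0/24) carries the clients that must use pppoe1, vlan1 (10.0.1.0/24) the clients that stay on pppoe0; pppoe1 runs over the same vlan3 as pppoe0; the account name and key are placeholders. The wildcard destination 0.0.0.2 for pppoe1 follows the reply's suggestion of giving each pppoe interface a distinct wildcard address.

```conf
# --- /etc/hostname.pppoe1 (added example) ---
# Assumed: pppoe0 already uses the default wildcard destination 0.0.0.1
# and owns the default route. pppoe1 gets a different wildcard destination
# (0.0.0.2); that is what lets both pppoe interfaces share rdomain 0.
# No default route is added for pppoe1: the pf route-to rule below steers
# traffic to it instead, so the two default routes never collide.
inet 0.0.0.0 255.255.255.255 0.0.0.2 pppoedev vlan3 authproto chap \
        authname 'second-account' authkey 'PLACEHOLDER-KEY' up
dest 0.0.0.2

# --- /etc/pf.conf fragment (added example) ---
# Assumed addressing: vlan1 (10.0.1.0/24) keeps using pppoe0 through the
# default route; vlan2 (10.0.2.0/24) must leave through pppoe1.
via_pppoe0 = "10.0.1.0/24"
via_pppoe1 = "10.0.2.0/24"
# A table rather than a { } list, because "to ! { a, b }" would expand
# into two rules that together match everything.
table <lan> { 10.0.1.0/24, 10.0.2.0/24 }

# Steer vlan2's Internet-bound traffic to pppoe1's far end. pppoe1:peer is
# the peer address the remote end supplied when the session came up, so no
# address is hard-coded; local (LAN-to-LAN) traffic is excluded so it is
# not pushed out the WAN link.
pass in quick on vlan2 inet from $via_pppoe1 to ! <lan> route-to pppoe1:peer

# Leakage guards, placed before the NAT rules so they still see the
# untranslated source: vlan2 must never exit via pppoe0 and vice versa.
block out quick on pppoe0 inet from $via_pppoe1
block out quick on pppoe1 inet from $via_pppoe0

# NAT to the address of the interface the packet actually leaves on. The
# parentheses make pf re-read the interface address at match time, which
# matters because PPP assigns it only after the session authenticates.
match out on pppoe0 inet from <lan> to any nat-to (pppoe0)
match out on pppoe1 inet from <lan> to any nat-to (pppoe1)
pass out on { pppoe0 pppoe1 }

# Alternative the reply also mentions (not combined with the above):
# put pppoe1 in rdomain 1 ("rdomain 1" on a line before "inet" in its
# hostname.if, plus "!/sbin/route -T1 add default -ifp pppoe1 0.0.0.2")
# and switch vlan2's traffic into that table instead of using route-to:
#   pass in quick on vlan2 inet from $via_pppoe1 to ! <lan> rtable 1
```

Check the expansion with `pfctl -vnf /etc/pf.conf` before loading. One caveat to verify on the release in use: pf.conf translates a bare interface name such as pppoe1:peer when the ruleset is loaded, so if the rules are loaded before the session is up the peer address is not yet known and the ruleset must be reloaded afterwards; the parenthesised form that pf.conf documents for tracking address changes may or may not be accepted after route-to, which `pfctl -nf` will tell you. Once the session is up, `ifconfig pppoe1` shows the peer address that the route-to rule resolved to, and `pfctl -ss` should show the vlan2 flows with their pppoe1 states.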
