Running your own Linux router over Verizon DSL
ProblemYou have a Verizon DSL account, but you prefer to run your own Linux router and/or NAT and not rely on the box they send you (a Westell model 6100, in my case).
KeywordsVerizon, DSL, Westell, Linux, ppp, pppoe, iptables, NAT, router, dnsmasq.
The big picture is that you turn the Westell box into a bridge, run PPPoE in Linux, and set up iptables and dnsmasq to do what the Westell was doing for you.
All of this assumes you successfully connected to Verizon, went through their whole agonizing spiel in Internet Explorer to setup your account. I'm also assuming you're running Debian, but I'm sure all of this translates reasonably to other distributions as well.
First, turn off the DHCP server on the Westell under Configuration -> DHCP Server.
Now, turn the Westell box into a dumb bridge. Connect a PC straight to the Westell ethernet port and open http://192.168.1.1/ with a browser. Go to Configuration -> VC Configuration. Write down the current configuration. Then edit the 0/35 entry: a windows pops up. Set Status to Bridge and Mode to Bridge, also. Save it using the "set VC" button.
I also moved the Westell box away from 192.168.1.1, by going to Configuration -> Private Lan Configuration and setting the Modem IP Address to 192.168.1.3. (My wireless hub is 192.168.1.2, but never mind that.) That allows me to set the Linux NAT to 192.168.1.1 later on.
At this point the Westell box no longer connects to the Internet. Now plug your Linux box straight into the Westell box. Alternatively, plug both of them into a switch that is powered on; this is what I do, including a third ethernet cable that runs to my wireless hub (on which you need to disable DHCP and other clever tricks it may decide to play for you!)
Run pppoeconf, accept the defaults, fill out your Verizon username and password (that you set up during your agonizing Windows adventure)
Edit /etc/ppp/peers/dsl-provider and set mtu to 1412. If you don't, you'll notice your browser freezing when loading images larger than roughly 1500 bytes. Basically, you will not be able to use your connection.
Make sure /etc/network/interfaces looks roughly as follows:
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.1.1 netmask 255.255.255.0 auto dsl-provider iface dsl-provider inet ppp provider dsl-provider pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconfObviously you may need to change the IP address, the name of the interface, etc.
Now, surely, things won't work. The commands pon dsl-provider and poff and, occasionally, killall -9 pppd are your friends. /var/log/syslog has some useful messages. You can uncomment the debug option in /etc/ppp/peers/dsl-provider if you need more info about what is failing. Eventually, you'll want to see something like this in your /var/log/syslog:
Aug 10 21:39:39 localhost pppd: Plugin rp-pppoe.so loaded. Aug 10 21:39:39 localhost pppd: pppd 2.4.3 started by root, uid 0 Aug 10 21:39:39 localhost pppd: PPP session is 30173 Aug 10 21:39:39 localhost pppd: Using interface ppp0 Aug 10 21:39:39 localhost pppd: Connect: ppp0 <--> eth0 Aug 10 21:39:39 localhost pppd: Couldn't increase MTU to 1500 Aug 10 21:39:39 localhost pppd: Couldn't increase MRU to 1500 Aug 10 21:39:41 localhost pppd: Couldn't increase MRU to 1500 Aug 10 21:39:41 localhost pppd: PAP authentication succeeded Aug 10 21:39:41 localhost pppd: peer from calling number 00:01:xx:xx:xx:xx authorized Aug 10 21:39:41 localhost pppd: Cannot determine ethernet address for proxy ARP Aug 10 21:39:41 localhost pppd: local IP address 68.x.x.x Aug 10 21:39:41 localhost pppd: remote IP address 10.x.x.x Aug 10 21:39:41 localhost pppd: primary DNS address 71.x.x.x Aug 10 21:39:41 localhost pppd: secondary DNS address 68.x.x.x
Now, turning this Linux box into a NAT involves setting up iptables, but first:
echo 1 > /proc/sys/net/ipv4/ip_forwardTo ensure this happens at boot time, edit /etc/sysctl.conf and add
You need to set up iptables to masquerade. My iptables configuration is in a file which includes, as a bare minimum:
*filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT COMMIT *nat :PREROUTING ACCEPT :POSTROUTING ACCEPT :OUTPUT ACCEPT -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE COMMITI wouldn't recommend you run it like this, but you get the point. You can now run (as root)
iptables-restore < a_file_containing_the_rules_aboveWhere a_file_containing_the_rules_above is a file containing the iptables configuration above.
Finally, you need to set up dnsmasq by installing it and uncommenting one of the dhcp-range lines in /etc/dnsmasq.conf. Mine says:
# many things here # ... dhcp-range=192.168.1.100,192.168.1.200,24h # ... # many things hereessentially handing out IP address between .100 and .200, with a lease time of one day.
If you need to be able to log in to your node from the outside world, you can give it a dynamic DNS hostname, using http://dyndns.com/, for example. Install, configure, and run the ez-ipupdate package to periodically update the hostname entry.
Now you're a happy duck. Quack! If not and everything breaks, I'm sure it's all my fault. Please send me improvements to this page.