top image
home  /  pages  /  tech tips  /  contact about

Running your own Linux router over Verizon DSL


You have a Verizon DSL account, but you prefer to run your own Linux router and/or NAT and not rely on the box they send you (a Westell model 6100, in my case).


Verizon, DSL, Westell, Linux, ppp, pppoe, iptables, NAT, router, dnsmasq.


The big picture is that you turn the Westell box into a bridge, run PPPoE in Linux, and set up iptables and dnsmasq to do what the Westell was doing for you.

All of this assumes you successfully connected to Verizon, went through their whole agonizing spiel in Internet Explorer to setup your account. I'm also assuming you're running Debian, but I'm sure all of this translates reasonably to other distributions as well.

First, turn off the DHCP server on the Westell under Configuration -> DHCP Server.

Now, turn the Westell box into a dumb bridge. Connect a PC straight to the Westell ethernet port and open with a browser. Go to Configuration -> VC Configuration. Write down the current configuration. Then edit the 0/35 entry: a windows pops up. Set Status to Bridge and Mode to Bridge, also. Save it using the "set VC" button.

I also moved the Westell box away from, by going to Configuration -> Private Lan Configuration and setting the Modem IP Address to (My wireless hub is, but never mind that.) That allows me to set the Linux NAT to later on.

At this point the Westell box no longer connects to the Internet. Now plug your Linux box straight into the Westell box. Alternatively, plug both of them into a switch that is powered on; this is what I do, including a third ethernet cable that runs to my wireless hub (on which you need to disable DHCP and other clever tricks it may decide to play for you!)

Run pppoeconf, accept the defaults, fill out your Verizon username and password (that you set up during your agonizing Windows adventure)

Edit /etc/ppp/peers/dsl-provider and set mtu to 1412. If you don't, you'll notice your browser freezing when loading images larger than roughly 1500 bytes. Basically, you will not be able to use your connection.

Make sure /etc/network/interfaces looks roughly as follows:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

auto dsl-provider
iface dsl-provider inet ppp
     provider dsl-provider
     pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
Obviously you may need to change the IP address, the name of the interface, etc.

Now, surely, things won't work. The commands pon dsl-provider and poff and, occasionally, killall -9 pppd are your friends. /var/log/syslog has some useful messages. You can uncomment the debug option in /etc/ppp/peers/dsl-provider if you need more info about what is failing. Eventually, you'll want to see something like this in your /var/log/syslog:

Aug 10 21:39:39 localhost pppd[6545]: Plugin loaded.
Aug 10 21:39:39 localhost pppd[6546]: pppd 2.4.3 started by root, uid 0
Aug 10 21:39:39 localhost pppd[6546]: PPP session is 30173
Aug 10 21:39:39 localhost pppd[6546]: Using interface ppp0
Aug 10 21:39:39 localhost pppd[6546]: Connect: ppp0 <--> eth0
Aug 10 21:39:39 localhost pppd[6546]: Couldn't increase MTU to 1500
Aug 10 21:39:39 localhost pppd[6546]: Couldn't increase MRU to 1500
Aug 10 21:39:41 localhost pppd[6546]: Couldn't increase MRU to 1500
Aug 10 21:39:41 localhost pppd[6546]: PAP authentication succeeded
Aug 10 21:39:41 localhost pppd[6546]: peer from calling number 00:01:xx:xx:xx:xx authorized
Aug 10 21:39:41 localhost pppd[6546]: Cannot determine ethernet address for proxy ARP
Aug 10 21:39:41 localhost pppd[6546]: local  IP address 68.x.x.x
Aug 10 21:39:41 localhost pppd[6546]: remote IP address 10.x.x.x
Aug 10 21:39:41 localhost pppd[6546]: primary   DNS address 71.x.x.x
Aug 10 21:39:41 localhost pppd[6546]: secondary DNS address 68.x.x.x

Now, turning this Linux box into a NAT involves setting up iptables, but first:

echo 1 > /proc/sys/net/ipv4/ip_forward
To ensure this happens at boot time, edit /etc/sysctl.conf and add

You need to set up iptables to masquerade. My iptables configuration is in a file which includes, as a bare minimum:



I wouldn't recommend you run it like this, but you get the point. You can now run (as root)
iptables-restore < a_file_containing_the_rules_above
Where a_file_containing_the_rules_above is a file containing the iptables configuration above.

Finally, you need to set up dnsmasq by installing it and uncommenting one of the dhcp-range lines in /etc/dnsmasq.conf. Mine says:

# many things here
# ...
# ...
# many things here
essentially handing out IP address between .100 and .200, with a lease time of one day.

If you need to be able to log in to your node from the outside world, you can give it a dynamic DNS hostname, using, for example. Install, configure, and run the ez-ipupdate package to periodically update the hostname entry.

Now you're a happy duck. Quack! If not and everything breaks, I'm sure it's all my fault. Please send me improvements to this page.

Copyright © 1994-2011 by Thomer M. Gil
Updated: 2006/08/10