NAT through ppp0

Hello all,

My current physical configuration:

  • 1 Hyper-V (Server 2016) host
  • 4 physical NICs: 1 directly connected to the modem (PPPoE connection), 3 NICs connected to 3 WiFi routers (these 2 routers are in Access Point operational mode, therefore NAT and DHCP are disabled on these devices).
  • 5 virtual switches created: 4 External (with assigned NIC) and one Internal

Current VyOS configuration:

ppp0 - managed to set up successfully (I receive ping replies from www.yahoo.com)
eth0 - the one the cable from the modem is plugged into; it has no IP address (physical WAN port, I guess)
eth1 - cable from WiFi AP 1 - 192.168.1.10
eth2 - cable from WiFi AP 2 - 192.168.1.20
eth3 - cable from WiFi AP 3 - 192.168.1.30

I’ve managed to install VyOS on a VM. The purpose of this VM is to be the Internet-facing router (ISP Modem → VyOS Router → 3 WiFi APs → Client devices).

Questions:

  1. Can I assign 192.168.1.1 to eth0 and have it act as a DHCP server and DNS forwarder (from ppp0)?
  2. When I configure NAT, do I need to NAT to interface ppp0 with source 192.168.1.0/24? And also, is it safe?
  3. If I can NAT to ppp0, should the firewall rules (for packets from the OUTSIDE) be applied only to the ppp0 interface?

Thanks in advance

Hello,
can you draw a scheme?
Why do you have several interfaces with IPs from the same range?

Well, in order to make things work, I had to change some physical configurations, as:

  • I gave up on assigning physical interfaces to the router. It seems that trying to create a physical switch from the other physical interfaces of the Hyper-V host wasn’t a good idea.
  • I bought a physical switch, and my VyOS config went through some internal modifications
  • no more eth2 and eth3; now I have only eth0 (which is reserved for pppoe0) and eth1 (which is the LAN interface, and also the port connected to the physical switch)
  • eth1 address - 192.168.1.1 (DHCP service on it); everything is working well internally.

Now, my other issue is with TCP MSS clamping (changing the TCP MSS in order to make Internet browsing work properly). It seems that the only way I can make this work is to sudo su and apply the following iptables command line:

iptables -t mangle -I POSTROUTING 1 -p tcp -o pppoe0 --tcp-flags SYN SYN -j TCPMSS --set-mss 1452

The issue is that this command line has to be applied every time my router reboots, because the mentioned iptables command won’t be written to the config file.
Any advice?

So, I’ve managed to make it work flawlessly by assigning a policy route on pppoe 0 and eth1 with the following commands:

[code]set policy route MSS
set policy route MSS rule 5 protocol tcp set tcp-mss 1452
set policy route MSS rule 5 tcp flags SYN

set interfaces ethernet eth0 pppoe 0 policy route MSS
set interfaces ethernet eth1 policy route MSS[/code]

I hope this will help other users/visitors who encounter PPPoE connectivity issues.

I had to do this:

[code]set policy route MSS
set policy route MSS rule 5 protocol tcp
set policy route MSS rule 5 set tcp-mss 1452
set policy route MSS rule 5 tcp flags SYN

set interfaces ethernet eth0 pppoe 0 policy route MSS
set interfaces ethernet eth1 policy route MSS[/code]

I had previously modified /etc/rc.local to include:

/sbin/iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

which also works well, since /etc/rc.local is the final script that runs on each boot-up.
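To show what the iptables TCPMSS target and the VyOS `set tcp-mss 1452` policy route from the posts above actually do to a packet, here is an added example (not code from this thread or from VyOS): it builds a sample IPv4/TCP SYN with constructed addresses (192.168.1.50 and 203.0.113.10), finds the MSS option in the TCP header, lowers it to the link MTU minus the 40 bytes of IP and TCP headers (1492 - 40 = 1452 for PPPoE), and recomputes the TCP checksum. Segments without the SYN flag, with RST set, or without an MSS option pass through untouched, which is why the rules in the thread match only SYN.

```python
"""Added example, not from the forum thread: MSS clamping as done by the
iptables TCPMSS target / VyOS 'set tcp-mss'.  All packets are constructed
sample data; 203.0.113.10 is a documentation address, not a real host."""
import struct

PPPOE_MTU = 1492        # Ethernet 1500 minus 8 bytes of PPPoE + PPP headers
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ihl(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes


def _tcp_checksum(pkt: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (field zeroed)."""
    ihl = _ihl(pkt)
    seg = bytearray(pkt[ihl:])
    seg[16:18] = b"\x00\x00"
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))   # src, dst, 0, proto, len
    return checksum(pseudo + bytes(seg))


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int,
              flags: int = TCP_SYN) -> bytes:
    """Construct an IPv4 packet carrying a TCP segment with a single MSS option."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    opts = struct.pack("!BBH", 2, 4, mss)           # kind=2, length=4, value
    tcp_len = 20 + len(opts)                         # data offset = 6 words
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                      ((tcp_len // 4) << 12) | flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    pkt = ip + tcp
    return pkt[:36] + struct.pack("!H", _tcp_checksum(pkt)) + pkt[38:]


def _mss_offset(pkt: bytes):
    """Absolute offset of the 2-byte MSS value in the TCP options, or None."""
    ihl = _ihl(pkt)
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP padding has no length byte
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:
            break                       # malformed option: stop, do not touch packet
        if kind == 2 and pkt[i + 1] == 4:
            return i + 2
        i += pkt[i + 1]
    return None


def read_mss(pkt: bytes):
    off = _mss_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off:off + 2])[0]


def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = _ihl(pkt)
    return struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0] == _tcp_checksum(pkt)


def clamp_mss(pkt: bytes, mtu: int = PPPOE_MTU) -> bytes:
    """Lower the MSS of a SYN to mtu - 40, as --clamp-mss-to-pmtu does with the
    route MTU (or --set-mss with a fixed value).  Anything that is not a TCP
    SYN with RST clear and a larger MSS option is returned unchanged."""
    ihl = _ihl(pkt)
    if pkt[9] != 6:                                  # IP protocol != TCP
        return pkt
    flags = pkt[ihl + 13]
    if not flags & TCP_SYN or flags & TCP_RST:       # iptables: --tcp-flags SYN,RST SYN
        return pkt
    off = _mss_offset(pkt)
    if off is None:
        return pkt
    limit = mtu - IP_TCP_OVERHEAD
    if struct.unpack("!H", pkt[off:off + 2])[0] <= limit:
        return pkt
    out = bytearray(pkt)
    out[off:off + 2] = struct.pack("!H", limit)
    out[ihl + 16:ihl + 18] = struct.pack("!H", _tcp_checksum(bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn("192.168.1.50", "203.0.113.10", 40000, 443, 1460)
    fixed = clamp_mss(syn)
    print("MSS %d -> %d, checksum valid: %s"
          % (read_mss(syn), read_mss(fixed), tcp_checksum_ok(fixed)))
```

The 1460 in the sample is what a LAN client with a 1500-byte MTU advertises; after clamping, the peer will never send a segment larger than 1452 bytes of payload, so nothing has to be fragmented or dropped on the 1492-byte PPPoE link. This is also why the thread's rules are applied to both eth1 and the PPPoE interface: SYNs in both directions carry an MSS, and each side's value must fit the link.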