[Soekris] soekris physical network connection for dsl

Ron Watkins soekris-tech at malor.com
Tue Jun 28 18:31:55 UTC 2005

Patrick McNamee wrote:

>I've got a Soekris 4501 set up with OpenBSD 3.5-stable. I
>plan to update it to 3.7 soon.
>I've got OpenBSD running on the Soekris, and I've got pf
>running, but I need help getting the Soekris physically
>hooked up to my network. I have a DSL connection, ISP
>protocol PPPoA. I figured I'd be able to attach the output
>of the DSL modem to my $ext_if (sis0) and then attach my
>$int_if (sis1) to my hub's uplink and that would do it.
>But that's gotten me nowhere. sis0 becomes active and lights
>up on the Soekris, but sis1 remains dark (no carrier).
>I've added this to /etc/rc on the Soekris: sysctl -w
>Here's my pf.conf:
>### macros
>tcp_services = "{ 22 }"
>icmp_types = "echoreq"
>priv_nets = "{,,,
> }"
>comp3 = ""
>### options
>set block-policy return
>#set loginterface $ext_if
>### scrub
>scrub in all
>### nat
>nat on $ext_if from $int_if:network to any -> ($ext_if)
>### redirection
>rdr on $ext_if proto tcp from any to any port 80  -> $comp3
>rdr on $ext_if proto tcp from any to any port 443 -> $comp3
>### filter rules
>block all
>pass quick on lo0 all
>block drop in  on $ext_if from $priv_nets to any
>block drop out on $ext_if from any to $priv_nets
>pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
>pass in on $ext_if proto tcp from any to $comp3 port 80 flags S/SA synproxy state
>pass in on $ext_if proto tcp from any to $comp3 port 443 flags S/SA synproxy state
>pass in inet proto icmp all icmp-type $icmp_types keep state
>pass in on  $int_if from $int_if:network to any keep state
>pass out on $int_if from any to $int_if:network keep state
>pass out on $ext_if proto tcp all modulate state flags S/SA
>pass out on $ext_if proto { udp, icmp } all keep state
>Here's the output of ifconfig -a on the Soekris:
>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>        inet netmask 0xff000000 
>        address: xx:xx:xx:xx:xx:xx
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet netmask 0xffffff00 broadcast
>        address: xx:xx:xx:xx:xx:xx
>        media: Ethernet autoselect (none)
>        status: no carrier
>        inet netmask 0xffffff00 broadcast
>sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>        address: xx:xx:xx:xx:xx:xx
>        media: Ethernet autoselect (none)
>        status: no carrier
>pflog0: flags=0<> mtu 33224
>pfsync0: flags=0<> mtu 2020
>enc0: flags=0<> mtu 1536
>Can anyone help in any way, either by giving me a quick
>explanation or pointing me in the right direction?
>Patrick McNamee
>Soekris-tech mailing list
>Soekris-tech at lists.soekris.com
I find it useful to try to troubleshoot from the ground up... the 
pf.conf is just about the last thing you should be thinking about, IMO. 

First thing I'd try would be to make sure the hardware is working.  Try
swapping the cables going into the Soekris and see if you get a light on
sis1.  If you don't, then something in the Soekris hardware may be bad
(unlikely), or you may not have enabled the port in your network
configuration (quite likely).  If the light moves, then try swapping the
cables on the other end.  If the lights don't change, one of your cables
is bad or the wrong type.  If you end up the same as you were the first
time, then the cables are okay and the Soekris is okay, and your hub is
probably misconfigured.

At that point, check to see if your hub has an obvious, raised button.
If it does, try pressing it; this is usually used to toggle one port
from crossover to straight.  And try another port on your hub.  If
nothing works at all, try another hub.  (Also note that if you have
diagnosed a bad cable, you may have a crossover cable, and that same
button on the hub can potentially get that cable working for you.)

Basically, you're trying to prove that your Soekris ports are good, your 
cables are good, your overall hub is good, and the port on the hub into 
which you're connecting is working and correctly configured. 

Once you've gotten all that nailed down, then I'd suggest testing
internal connectivity with sis1.  Don't run pf yet; that just
complicates things.  Bring up that interface and make sure you can ping
your internal hosts and, ideally, connect to an internal service or two.

I'm pretty clueless on the next step.... I'm not much of an OpenBSD guy, 
and I know absolutely nothing about your DSL provider or PPPoA.  
Basically, you'll need to bring up that interface, get an IP address, 
and test to make sure you're able to talk to the outside world.  I have 
no clue how you'd do that.  I have avoided PPPoAnything like the plague. 

Then turn on forwarding and NAT, and verify that you can get out from
machines behind the firewall.  If you're running 1:1 NAT, where outside
hosts could get in during testing, that complicates things, and you'll
want to run pf before turning on forwarding.  If it's many-to-1 NAT, the
normal approach, it should be safe to test without pf running, since any
outside scans won't have entries in the connection table and shouldn't
go anywhere.

Finally, once your connection is running, lock it down with pf. 
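The reply's order of checks, physical link first and pf.conf last, as an added example written for this page (not code from either poster): a POSIX shell script with two offline checks. `link_status` and `no_carrier_ifaces` read saved `ifconfig -a` text and report which Ethernet interfaces show `status: no carrier`, the first thing to look at. `undefined_macros` reads a pf.conf and lists every `$macro` that the rules reference but no macro line defines, which is what `pfctl -nf /etc/pf.conf` would reject; it matters here because the quoted rules use `$ext_if` and `$int_if` while the visible macro block defines neither. Both inputs are constructed: the sis0/sis1 header lines, MAC and IP addresses are placeholders, and the pf.conf fragment is a cut-down paraphrase of the quoted one.

```shell
#!/bin/sh
# Added example, not from the original thread. Two offline checks in the
# order the reply recommends: physical link first, pf.conf last. On a real
# box feed it `ifconfig -a` output and /etc/pf.conf instead of the samples.

# Constructed `ifconfig -a` sample modelled on the quoted output. The sis0
# and sis1 header lines were missing from the quote and are assumed here;
# MAC and IP addresses are placeholders.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:00:00:00:01
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:00:00:00:02
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:00:00:00:03
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=0<> mtu 33224'

# Print "<iface> <up|down> <status text>" for every interface that reports a
# status line. "down" means the UP flag is absent (port not enabled in the
# network configuration), "no carrier" with UP means cable/port/hub trouble.
link_status() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+: flags=/ {
            iface = $1; sub(":", "", iface)
            up = ($0 ~ /<UP[,>]/) ? "up" : "down"
        }
        /^[ \t]+status:/ {
            st = $0; sub(/^[ \t]+status: */, "", st)
            print iface, up, st
        }
    '
}

# Only the interfaces with no link, one per line: the hardware checklist.
no_carrier_ifaces() {
    link_status "$1" | awk '$3 == "no" && $4 == "carrier" { print $1 }'
}

# Constructed pf.conf fragment paraphrasing the quoted one: the macro block
# defines tcp_services and comp3, but the rules also reference $ext_if and
# $int_if, which are never assigned.
SAMPLE_PFCONF='tcp_services = "{ 22 }"
comp3 = "192.168.1.10"
set block-policy return
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
block all
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state'

# List every $macro referenced in the file that no "name = ..." line defines,
# in order of first appearance, each name once.
undefined_macros() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]* *=/ {
            name = $1; sub(/ *=.*/, "", name); defined[name] = 1
        }
        {
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                ref = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(ref in defined) && !(ref in seen)) { seen[ref] = 1; print ref }
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

echo "Link status per interface:"
link_status "$SAMPLE_IFCONFIG"
echo "Interfaces with no carrier (check cable, hub port, port enable first):"
no_carrier_ifaces "$SAMPLE_IFCONFIG"
echo "pf.conf macros referenced but never defined:"
undefined_macros "$SAMPLE_PFCONF"
```

Run it as `sh check.sh`; to use it on a live OpenBSD box, replace the two sample variables with `"$(ifconfig -a)"` and `"$(cat /etc/pf.conf)"`. The macro check is a parse-only sanity pass and does not replace `pfctl -nf`, which also validates the rule syntax itself.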
