Author: J. "Floid" Kanowitz
Date: 27-12-01 11:21
For a while, I was stuck trying to figure out how to configure both ends of a PPP "WAN," such that the BSD machines on each end could dial the other side of the WAN, or an ISP for internet service. The whole mess would've been handled through some CGI scripts, so less savvy users could dial and hang up connections from their home page.
I wanted to run a very open firewall on the WAN link, but keep the internet connection secured. I was lost, I was confused, and I asked a number of people- most of whom told me "What? You can't do that! Buy DSL!"
Well, you can do it, and there's an easy way. (Thanks to Brian Somers, maintainer of the OpenBSD PPP port, for explaining this to me.)
Userland ppp has the "-unit" option, specifying the "tun" interface that it uses. Without it, it simply picks the first available interface.
However, if you want to use IPF, PF, or another seperate firewall, just configure your rules for a specific tun interface, and call ppp with the proper option:
ppp -ddial -unit0 myisp
or
ppp -ddial -unit1 officenetwork
As a caveat, your packet filter may need to be restarted when the interfaces are assigned new IP addresses, but I've been waiting for an opportunity to get this 'secret' out. If you use ppp's built-in firewall and NAT services, you'll have a much easier ride- but if you're itching to use the standalone filters that all the self-help books document, this is how you pull it off without running everything as root.
Of course, buying DSL does have its advantages, and if one end of your WAN can serve a VPN to the internet-at-large, you dramatically simplify the problem.
[As to the auto-answer problem... Hasn't anyone heard of an init string? ;)]
|
|
