@jperkin
Last active September 8, 2024 13:06
SmartOS PPPoE Router (AAISP, v6, DNS/DHCP)

Intro

This documents my setup of a SmartOS server as my PPPoE router, providing DNS/DHCP services to the local network.

Basic setup:

  • DSL modem (VMG1312) in bridge mode handling the DSL connection
  • 192.168.1.0/24 local network
  • 192.168.1.5 will be the IP address of the router zone
  • e1000g0 is the configured internal 'admin' interface
  • e1000g1 is the external interface connected to the modem, left unconfigured

Zone Creation

Create a NAT/DNS/DHCP zone using the following JSON. Notes:

  • The image is currently minimal-64 16.3.1 but pkgsrc is only used for dnsmasq.
  • PPP will negotiate the upstream DNS servers and dnsmasq will use them directly, so "resolvers" set to "127.0.0.1" ensures we go via dnsmasq and avoid hardcoding any remote servers which may change.
  • "addrconf" enables automatic IPv6, but we specify the IPv4 address so that we have a known default route.
  • "allow_ip_spoofing" is required for NAT.
  • "dhcp_server" is required to serve DHCP.

{
  "brand": "joyent",
  "image_uuid": "95f265b8-96b2-11e6-9597-972f3af4b6d5",
  "alias": "dsl",
  "hostname": "dsl.local",
  "dns_domain": "local",
  "resolvers": [
    "127.0.0.1"
  ],
  "max_physical_memory": 256,
  "nics": [
    {
      "nic_tag": "admin",
      "ips": ["192.168.1.5/24", "addrconf"],
      "netmask": "255.255.255.0",
      "allow_ip_spoofing": true,
      "dhcp_server": true
    }
  ]
}

$ vmadm create -f dsl.json

Pass through the network device to allow sppptun(1m) to access it. If there's a cleaner way to do this I'd be interested.

$ zonecfg -z uuid <<EOF
add device
set match="/dev/e1000g"
end
verify
commit
exit
EOF

Configure PPPoE

Until SmartOS includes /usr/bin/pppd, copy it from another illumos distribution to /root/pppd and fix up the init script to use the new path:

$ vi /etc/init.d/pppd
:%s,/usr/bin/pppd,/root/pppd,g

Configure e1000g1 as the PPPoE interface:

$ echo e1000g1 >/etc/ppp/pppoe.if

Create /etc/ppp/peers/aaisp with the following:

sppptun
plugin pppoe.so
connect "/usr/lib/inet/pppoec -v e1000g1"
user your-isp-username
password your-isp-password
noauth
noipdefault
persist
defaultroute
usepeerdns
debug
logfile /var/log/pppd.log
+ipv6

Create /etc/ppp/ipv6-up with the following:

#!/bin/sh
/usr/sbin/route add -inet6 default $5

Create /etc/ppp/ipv6-down with the following:

#!/bin/sh
/usr/sbin/route delete -inet6 default $5

And make both scripts executable.

$ chmod +x /etc/ppp/ipv6-*

Add a call to pppd to the end of the 'start' section of /etc/init.d/pppd:

/root/pppd call aaisp

Enable the init script on boot:

$ ln /etc/init.d/pppd /etc/rc2.d/S50pppd
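
The peers file above stores the ISP password inline and turns on debug with a logfile, so both files are worth checking for loose permissions. The script below is an added example, not part of the original gist; the function names audit_peers, is_loose and make_sample are hypothetical, and the sample file it can build is constructed with placeholder credentials.

```shell
#!/bin/sh
# Added example (not from the gist): audit a pppd peers file for an inline
# password and a debug log that group/other users on the zone can read.

# True when the path is readable by group or others.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_peers FILE: print findings; return 0 if clean, 1 if any, 2 if unreadable.
audit_peers() {
    peers=$1
    rc=0
    [ -r "$peers" ] || { echo "cannot read $peers"; return 2; }

    # An inline 'password' option keeps the ISP secret in this file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$peers" && is_loose "$peers"; then
        echo "$peers: holds a password but is group/world readable (chmod 600)"
        rc=1
    fi

    # 'debug' makes pppd log control-packet contents to the 'logfile' path.
    log=$(awk '$1 == "logfile" { print $2; exit }' "$peers")
    if grep -Eq '^[[:space:]]*debug[[:space:]]*$' "$peers" &&
       [ -n "$log" ] && [ -e "$log" ] && is_loose "$log"; then
        echo "$log: debug log is group/world readable (chmod 600)"
        rc=1
    fi
    return $rc
}

# Build a constructed sample (placeholder credentials) in a temp directory.
make_sample() {
    dir=$(mktemp -d) || return 1
    : > "$dir/pppd.log"
    printf '%s\n' 'user your-isp-username' 'password your-isp-password' \
        'debug' "logfile $dir/pppd.log" > "$dir/aaisp"
    chmod 644 "$dir/aaisp" "$dir/pppd.log"
    echo "$dir"
}

# With a path argument, audit that file (e.g. /etc/ppp/peers/aaisp).
if [ $# -gt 0 ]; then audit_peers "$1"; fi
```

Given a path argument such as /etc/ppp/peers/aaisp, it prints one line per finding and exits non-zero when there is any.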

Configure Routing

Configure /etc/inet/ndpd.conf with your IPv6 prefix:

ifdefault AdvSendAdvertisements true
if net0 AdvSendAdvertisements 1
prefix your-ipv6-prefix::/64 net0

Configure /etc/ipf/ipnat.conf for NAT:

map sppp0 192.168.1.0/24 -> 0/32

Enable routing daemons:

$ svcadm enable ipv4-forwarding
$ svcadm enable ipv6-forwarding
$ svcadm enable ripng
$ svcadm enable ipfilter

Configure dnsmasq

dnsmasq provides DNS/DHCP services in a small and lightweight package. Use unbound/isc-dhcpd/whatever if you prefer.

$ pkgin -y up
$ pkgin -y install dnsmasq

Edit /opt/local/etc/dnsmasq.conf. My config below handles:

  • Using the generated /etc/ppp/resolv.conf file for the forwarding DNS servers
  • Assigning the DHCP pool to the upper 192.168.1.128-254 hosts
  • Providing known static DHCP to the lower 192.168.1.1-127 hosts

domain-needed
bogus-priv
resolv-file=/etc/ppp/resolv.conf
interface=net0
bind-interfaces
dhcp-authoritative
dhcp-leasefile=/var/run/dnsmasq.leases
dhcp-range=192.168.1.128,192.168.1.254,255.255.255.0,12h
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.1.20

Enable it.

$ svcadm enable dnsmasq

Reboot

Everything should now be configured. A reboot will activate all of it and confirm that the configuration comes up correctly on subsequent boots.

TODO

  • Try turning off the persist option and migrating the startup script to SMF. I've had a few occasions where the LNS has dropped the connection but pppd doesn't notice and just sits unconnected.

joki1337 commented Sep 6, 2024

Hello @jperkin! Thank you for this! It really helped me to get off the ground.
You probably already know this: If you don't want to pass through the network device to allow sppptun to access it you have to use "allow_restricted_traffic": true on the other nic.
For example:

{
  "nics": [
    {
      "nic_tag": "<other_nic_tag>",
      "ips": ["..."],
      "allow_ip_spoofing": true,
      "allow_restricted_traffic": true
    }
  ]
}
