So you just got connected via Tweak, XMS, plinq or KPN to the local Fiber To The Home network. A friendly KPN engineer stopped by and installed this butt-ugly "modem" in your closet and left after finishing his bittorrent downloads. Yay, internet. Booh, "KPN Experia Box". WTF !? An Experia Box ? No way I'm letting KPN control my network like that. Their NATting sucks (changing the randomly chosen source ports of my outgoing traffic to predictable ones), it does DHCP for a network that I don't use at home and, worst of all, is under the control of KPN. They can log in remotely and upgrade firmware (hello, Big Brother) or change the configuration whenever they want. No way I'm going to let them do that. I went to Tweak for a reason - I don't want KPN and their crap in my network.
Of course this means that I'll have to find another solution. Luckily, I've dealt with this sort of nonsense before. I will replace the KPN Experia Box with a small, low-power, quiet OpenBSD box. Below you'll find instructions to do what I did. If you want to use another open source operating system such as FreeBSD, NetBSD or Linux (or maybe some other device such as a Juniper Netscreen or whatever else you may have), the below may not apply 100%, but should get you going in the right direction.
Let's see, what exactly does this piece of crap do ?
I'll be replacing the Experia Box with a Liantec LPC-5740E1N4-512 machine. This machine contains a 1GHz VIA Eden processor with the VIA PadLock encryption engine extension, 4 Intel Gigabit Ethernet ports, 512MB of memory (expandable to 1.5GB), an onboard Compact Flash slot (to boot from) and a SATA port. For those interested, the dmesg is available here.
Turns out, the fiber carries three VLANs (802.1q) :
So we configure a vlan(4) interface on our OpenBSD machine by creating /etc/hostname.vlan6:
vlan 6 vlandev em2 description "internet"
Since we're dealing with KPN (even though I'm a Tweak customer), of course it would be too easy to simply have a plain vlan with ethernet frames coming in and going out to carry your internet traffic. No, it's a lot more convenient to have a layer of PPPoE on top of the vlan for the actual IP connectivity. This is great, because it means you'll never be able to get native IPv6 (remember, this is KPN, the old Dutch telecom monopoly - and as we all know, telcos are afraid of IP, barely know how to spell it so anything more fancy will make them cry).
Fine then, PPPoE is supported just fine in OpenBSD, either via the userland pppoe(8) program or with the in-kernel pppoe(4) driver. I opted for the in-kernel solution and created another config file, /etc/hostname.pppoe0:
inet 0.0.0.0 255.255.255.255 NONE pppoedev vlan6 authproto pap authname 'MY VERY SECRET USERNAME' authkey 'MY VERY SECRET PASSWORD' up
dest 0.0.0.1
description "Tweak"
!/sbin/route add default -ifp pppoe0 0.0.0.1
vlan 4 vlandev em2 description "TV up" group tv
up group lan description "to media"
vlan 4 vlandev em1 description "TV down" group tv
add vlan4 add vlan40 up description "TV bridge"

One final change that is required applies to pf(4). Since pf by default blocks IP packets that have IP options set, you'll have to allow these explicitly in your pf configuration. With the group 'tv' set up as in the above examples, you need to add the following to your pf.conf(5):
pass on tv inet from any to any allow-opts
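A narrower variant of that rule, as an added example that is not part of the original article: it keeps all traffic on the 'tv' group passing but permits IP options only on IGMP. It assumes IGMP is the only traffic on the TV VLAN that sets IP options, which the article does not state.

```conf
# pf.conf fragment (added example). Group 'tv' is the interface group
# set in the hostname.if files above.

# Rule from the article: every IPv4 packet on the tv interfaces may
# carry IP options.
#pass on tv inet from any to any allow-opts

# Narrower variant. pf applies the last matching rule, and allow-opts
# only takes effect when it is on that last matching rule, so:
#  - ordinary TV traffic last-matches the first rule; a packet with IP
#    options that matches only this rule is still blocked
#  - IGMP last-matches the second rule, which permits IP options
# Assumption: IGMP is the only TV traffic that sets IP options.
pass on tv inet from any to any
pass on tv inet proto igmp from any to any allow-opts
```

Running pfctl -nf /etc/pf.conf parses the ruleset without loading it, which catches syntax errors before the TV stream is affected.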
© 2010, 2011 Paul 'WEiRD' de Weerd