mpd as a PPPoE client: a worked example

Published: 2007-05-26  Source:  Author:  Hits:  Tags:

mpd as a PPPoE client, worked example part 1. Needs to be verified in practice!

I finally found some spare time to finish these notes; comments and corrections from fellow readers are welcome.

We have had broadband at home for almost three years, and I always used a broadband router as the access device. Because the broadband router kept crashing, I built an ADSL gateway on FreeBSD, with mpd doing the ADSL PPPoE dial-up. At first I used the ppp program that ships with FreeBSD for PPPoE; later I found mpd, a kernel-level tool that is said to do better in speed and resource usage, so I switched to mpd. pf does the firewalling, NAT and port forwarding. pf is the default firewall of OpenBSD, which has its own strengths in security and does well in both security and performance, and FreeBSD 5.x has already imported pf.

Edit the kernel configuration file and add:

options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_SOCKET
options NETGRAPH_PPPOE
options NETGRAPH_PPP
options NETGRAPH_BPF
options NETGRAPH_VJC
options NETGRAPH_IFACE
options NETGRAPH_PPTPGRE
options NETGRAPH_KSOCKET
options NETGRAPH_MPPC_ENCRYPTION
device pf
device pflog
device pfsync



1. Installing mpd

# cd /usr/ports/net/mpd/
# make install clean



2. Configuring mpd

Edit /usr/local/etc/mpd/mpd.conf:

default:
        load PPPoE

PPPoE:
        new -i ng0 PPPoE PPPoE
        set iface addrs 1.1.1.1 2.2.2.2
        set iface route default
        set iface disable on-demand
        set iface idle 0
        set bundle disable multilink
        set bundle authname *****
        set link no acfcomp protocomp
        set link disable pap chap
        set link accept chap
        set link mtu 1492
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set iface up-script /usr/local/etc/mpd/mpd_pf.linkup
        open iface



Edit /usr/local/etc/mpd/mpd.links (labels start in column one, commands are indented):

PPPoE:
        set link type pppoe
        set pppoe iface xe1
        set pppoe service "adsl3"
        set pppoe disable incoming
        set pppoe enable originate



Edit /usr/local/etc/mpd/mpd_pf.linkup and make it executable:

#!/bin/sh
/sbin/pfctl -Fa -e -f /etc/pf.conf



Edit /etc/syslog.conf:

!mpd
*.* /var/log/mpd.log



Edit /etc/newsyslog.conf:

/var/log/mpd.log 640 7 100 * j



Edit /etc/rc.conf to turn on the gateway and pf. Note that pf is told not to load its rules at boot: pf starts before mpd, and if it tried to load rules while mpd was not yet running, the virtual interface ng0 would not exist and pf would fail. That is what the mpd_pf.linkup script above is for: mpd runs it once the link is up, and it loads the pf rules then.

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags="-d"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
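The ordering problem described above (pf starts at boot before mpd, so a ruleset that refers to ng0 cannot be loaded until the link is up) is worth handling a little more defensively than a bare pfctl -Fa -e -f. The up-script below is an added example, not the script from this post: it checks that the interface mpd hands it really exists, dry-runs the ruleset with pfctl -n before flushing the old one, and writes the outcome to syslog so it sits next to mpd's own messages. It assumes mpd calls the up-script with the interface name as its first argument; the PFCTL, IFCONFIG, LOGGER and RULES variables are my additions so the logic can be exercised on a machine that has no pf.

```sh
#!/bin/sh
# Added example, not the original post's script: a stricter mpd up-script
# for the boot-order problem (pf starts before mpd, ng0 does not exist yet).
# It refuses to flush a working ruleset unless the new one parses, and
# reports what it did to syslog. Assumption: mpd passes the interface name
# as $1. The command variables exist so the logic can be tested off-box.

PFCTL=${PFCTL:-/sbin/pfctl}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
LOGGER=${LOGGER:-/usr/bin/logger}
RULES=${RULES:-/etc/pf.conf}

logmsg() { "$LOGGER" -t mpd_pf.linkup -- "$*"; }

# 0 if the interface exists, 1 otherwise. pf cannot resolve things like
# "set loginterface ng0" while the interface is missing.
iface_present() { "$IFCONFIG" "$1" >/dev/null 2>&1; }

# Load the ruleset for one interface:
#   1. interface must exist
#   2. dry-run parse (-n) must succeed, otherwise keep the current rules
#   3. flush everything (-Fa), load (-f), enable (-e), as in the post
# Returns 0 on success, 1/2/3 for the step that failed.
load_pf_rules() {
    iface="$1"; rules="$2"
    if ! iface_present "$iface"; then
        logmsg "refusing to load $rules: interface $iface is not up"
        return 1
    fi
    if ! "$PFCTL" -nf "$rules" >/dev/null 2>&1; then
        logmsg "refusing to flush: $rules does not parse (check: pfctl -nf $rules)"
        return 2
    fi
    if "$PFCTL" -Fa -e -f "$rules" >/dev/null 2>&1; then
        logmsg "pf rules loaded from $rules, external interface $iface"
        return 0
    fi
    logmsg "pfctl failed while loading $rules"
    return 3
}

# Only act when installed under the name mpd calls (set iface up-script ...);
# sourcing the file under another name just defines the functions.
case "$0" in
    */mpd_pf.linkup|mpd_pf.linkup) load_pf_rules "${1:-ng0}" "$RULES" ;;
esac
```

Install it as /usr/local/etc/mpd/mpd_pf.linkup with execute permission and keep the set iface up-script line in mpd.conf as shown. A refusal to load is logged instead of leaving pf half-configured, which is the state you least want on a box that also has gateway_enable="YES".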



My /etc/pf.conf:

# macros
int_if = "xe0"
ext_if = "ng0"
tcp_services = "{ 20, 21, 22, 25, 80, 110, 9745 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
server = "192.168.0.12"
bt = "192.168.0.21"

# options
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 120, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 20000, frags 5000 }
set block-policy drop
set loginterface $ext_if
set optimization aggressive
set require-order yes

# scrub
scrub in all
scrub out all random-id max-mss 1440

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 21 -> $server
rdr on $ext_if proto tcp from any to any port 50000:60000 -> $server
rdr on $ext_if proto tcp from any to any port 22 -> $server
rdr on $ext_if proto tcp from any to any port 25 -> $server
rdr on $ext_if proto tcp from any to any port 80 -> $server
rdr on $ext_if proto tcp from any to any port 110 -> $server
rdr on $ext_if proto tcp from any to any port 9745 -> $bt

# filter rules
block log all
pass quick on lo0 all
pass quick on $int_if all keep state
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $server port 21 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 50000:60000 keep state
pass in quick on $ext_if proto tcp from any to $server port 22 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 25 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 80 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 110 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $bt port 9745 keep state
pass in quick on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
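Because block log all is the default and every forward in this ruleset needs both an rdr and a pass in rule, it is easy to add one half and forget the other: a redirect with no pass silently drops the forwarded traffic, and a pass to an inside host with no redirect is a stale or unintended rule. The script below is an added example, not part of the original post: an awk-based audit that pulls target/port pairs out of the rdr and pass in rules on $ext_if and reports the ones without a counterpart. The two sample configurations it writes are constructed for the demonstration (trimmed from the ruleset above, with two mistakes planted in the second); the parser assumes one rule per line and the macro names used above, and it is a review aid to run alongside pfctl -nf, not a substitute for it.

```sh
#!/bin/sh
# Added example, not from the original post: check a pf.conf of the kind
# shown above for rdr/pass mismatches on the external interface.
# Assumptions: one rule per line, the external macro is literally $ext_if,
# and rdr and pass rules name the target host the same way ($server, $bt).

# "target port" for every rdr on $ext_if. The port is the destination port
# before "->"; a port rewrite after "->" is deliberately ignored.
rdr_forwards() {
    awk '$1 == "rdr" && $2 == "on" && $3 == "$ext_if" {
        port = "any"; target = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "->") { target = $(i + 1); break }
            if ($i == "port") port = $(i + 1)
        }
        if (target != "") print target, port
    }' "$1"
}

# "target port" for every "pass in ... on $ext_if ... to <host> port <p>".
# Passes to the gateway itself (($ext_if)) or to "any" are not forwards.
pass_forwards() {
    awk '$1 == "pass" && $2 == "in" {
        ext = 0; target = ""; port = "any"
        for (i = 3; i <= NF; i++) {
            if ($i == "on" && $(i + 1) == "$ext_if") ext = 1
            if ($i == "to") {
                target = $(i + 1)
                if ($(i + 2) == "port") port = $(i + 3)
            }
        }
        if (ext && target != "" && target != "any" &&
            target != "$ext_if" && target != "($ext_if)")
            print target, port
    }' "$1"
}

# Print each mismatch and return how many were found (0 = consistent).
audit_forwards() {
    rdr=$(rdr_forwards "$1" | sort -u | tr ' ' ':')
    pass=$(pass_forwards "$1" | sort -u | tr ' ' ':')
    problems=0
    for pair in $rdr; do
        # redirected but never passed: traffic dies at "block log all"
        printf '%s\n' "$pass" | grep -Fqx "$pair" ||
            { echo "rdr without pass: $pair"; problems=$((problems + 1)); }
    done
    for pair in $pass; do
        # passed but never redirected: stale rule or an opening nobody meant
        printf '%s\n' "$rdr" | grep -Fqx "$pair" ||
            { echo "pass without rdr: $pair"; problems=$((problems + 1)); }
    done
    return $problems
}

# Constructed sample: a trimmed, consistent version of the ruleset above.
write_sample() {
    cat > "$1" <<'EOF'
ext_if = "ng0"
server = "192.168.0.12"
bt = "192.168.0.21"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 21 -> $server
rdr on $ext_if proto tcp from any to any port 50000:60000 -> $server
rdr on $ext_if proto tcp from any to any port 9745 -> $bt
block log all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $server port 21 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 50000:60000 keep state
pass in quick on $ext_if proto tcp from any to $bt port 9745 keep state
pass in quick on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
EOF
}

# Constructed sample with two planted mistakes: port 110 is redirected but
# never passed, and port 143 is passed but never redirected.
write_broken_sample() {
    cat > "$1" <<'EOF'
ext_if = "ng0"
server = "192.168.0.12"
rdr on $ext_if proto tcp from any to any port 80 -> $server
rdr on $ext_if proto tcp from any to any port 110 -> $server
pass in quick on $ext_if proto tcp from any to $server port 80 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $server port 143 flags S/SA synproxy state
EOF
}

main() {
    good="${TMPDIR:-/tmp}/pfaudit.$$.good"; bad="${TMPDIR:-/tmp}/pfaudit.$$.bad"
    write_sample "$good"; write_broken_sample "$bad"
    for f in "$good" "$bad"; do
        echo "== $f"
        n=0; audit_forwards "$f" || n=$?
        echo "$n problem(s)"
    done
    rm -f "$good" "$bad"
}
main
```

To audit the live ruleset, call audit_forwards /etc/pf.conf; a non-zero exit status makes it usable from a cron job or a pre-commit hook on the config.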



Make sure that net.inet.ip.forwarding is set to 1.


Problem: mpd seems to have a flaw. If pf.conf does not contain the line "scrub out all random-id max-mss 1440", you will find that many web sites cannot be reached, chinaunix and bsdforum.org among them: the page keeps loading but never appears, and after a while it fails with an error. Oddly, some sites have no problem at all.

Originally posted at: http://www.ltesting.net