Table of Contents
Introduction
Setting up PPPoE over VLAN
Installing / configuring IGMP Proxy and special pf rules
Introduction
This document describes the modifications needed to a normal DSL firewall setup in order to use VDSL
and IPTV (T-Home Entertain) as offered by Deutsche Telekom.
Please make sure that your WAN Ethernet card is capable of acting as a VLAN parent. Not all interfaces
may work.
At the time of writing I am using OpenBSD 4.2 -current because the vr(4) driver needed for my ALIX board
seems to have had proper VLAN support added after OpenBSD 4.2 -stable.
It's not mandatory, but you should consider getting network equipment capable of IGMP Snooping.
Otherwise you might slow down your LAN or W-LAN with Multicast traffic.
/etc/hostname.vlan7
You could also call your VLAN interface vlan0 instead of vlan7 but as we have to use vlan id 7, I vote for
vlan7.
http://un.geeig.net/openbsd-vdsl.html 1/4
15-6-2014 Using OpenBSD with VDSL
Anschlusskennung: 11111111111
T-Onlinenummer: 222222222222
Mitbenutzer: 0001
Passwort: 12345678
So your
/etc/hostname.pppoe0
net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=131072
net.inet.tcp.sendspace=131072
net.inet.udp.recvspace=139264
net.inet.udp.sendspace=32768
net.inet.ip.mforwarding=1
Multicast forwarding is mandatory for IPTV; the rest of the values have proven to speed up my connection.
Use them at your own risk; depending on your hardware, things may break.
I am able to obtain full VDSL 50 speed with these, though.
Choose some T-Home DNS servers from here and put them in your /etc/resolv.conf or set up your
own caching nameserver.
You should now be able to
# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
64 bytes from 193.99.144.85: icmp_seq=0 ttl=250 time=23.687 ms
64 bytes from 193.99.144.85: icmp_seq=1 ttl=250 time=23.370 ms
# cd /usr/ports/net/igmpproxy
# make
# make install
then create /etc/igmpproxy.conf. My LAN interface is vr0, my WAN interface vr1 and I also have an
unused spare interface vr2.
For safety reasons, we disable every interface not involved in IGMP/Multicast.
So I use the following configuration:
quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 217.0.119.0/24
altnet 193.158.35.0/24
altnet 239.35.0.0/16
phyint vr0 downstream ratelimit 0 threshold 1
phyint vr1 disabled
phyint vr2 disabled
The altnet nets are the T-Home multicast networks we need. Now we can start igmpproxy using
# /usr/local/bin/igmpproxy
at first.
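An added example (not from the original page or the igmpproxy project): a Python audit of the configuration above that reports any interface without an explicit phyint role, a missing or duplicate upstream, and altnet ranges broader than a chosen prefix. The function names, the interface list passed in and the /16 threshold are assumptions made for this example.

```python
import ipaddress

# Configuration from the page, embedded so the example runs offline.
PAGE_CONF = """\
quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 217.0.119.0/24
altnet 193.158.35.0/24
altnet 239.35.0.0/16
phyint vr0 downstream ratelimit 0 threshold 1
phyint vr1 disabled
phyint vr2 disabled
"""

def parse_conf(text):
    """Return {interface: {"role": str, "altnets": [IPv4Network]}}."""
    phyints, current = {}, None
    # Work on a token stream so altnet may sit on the phyint line or below it.
    tokens = [t for line in text.splitlines()
              for t in line.split("#", 1)[0].split()]
    i = 0
    while i < len(tokens):
        if tokens[i] == "phyint" and i + 2 < len(tokens):
            current = tokens[i + 1]
            phyints[current] = {"role": tokens[i + 2], "altnets": []}
            i += 3
        elif tokens[i] == "altnet" and current and i + 1 < len(tokens):
            # ip_network() is strict: host bits set in the address raise ValueError
            phyints[current]["altnets"].append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        else:
            i += 1  # quickleave, ratelimit/threshold keywords and their values
    return phyints

def audit(text, system_interfaces, max_altnet_prefix=16):
    """Return findings; the /16 default threshold is this example's assumption."""
    conf = parse_conf(text)
    findings = []
    for ifname in system_interfaces:
        if ifname not in conf:
            findings.append(f"{ifname}: no phyint line, role left to the proxy default")
    upstream = [n for n, c in conf.items() if c["role"] == "upstream"]
    if len(upstream) != 1:
        findings.append(f"expected exactly one upstream, found {len(upstream)}")
    for name, c in conf.items():
        for net in c["altnets"]:
            if net.prefixlen < max_altnet_prefix:
                findings.append(f"{name}: altnet {net} is broader than /{max_altnet_prefix}")
    return findings
```

Calling audit(PAGE_CONF, [...]) with the interface names shown by ifconfig returns an empty list when every interface has an explicit role.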
Nearly finished now, we just need a few extra pf rules to allow multicast/igmp traffic.
Add a variation of the following to your setup. You can always tighten the ruleset,
these are just to get you started. They do not reflect my actual ruleset.
You need allow-opts on the igmp rules; keep state has been omitted as it is the default now.
scrub on $LANINT
scrub on $WANINT random-id max-mss 1452 reassemble tcp fragment reassemble
[...]
pass in on $WANINT inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $WANINT inet proto udp to 224.0.0.0/4
[...]
pass out on $WANINT inet proto igmp from $WANIP to 224.0.0.0/4 allow-opts
[...]
pass in on $LANINT inet proto igmp from $SETTOPBOX to 224.0.0.0/4 allow-opts
pass in on $LANINT inet proto udp from $SETTOPBOX
pass in on $LANINT inet proto tcp from $SETTOPBOX
[...]
pass out on $LANINT inet proto igmp from $LANIP to 224.0.0.0/4 allow-opts
pass out on $LANINT inet proto udp to 224.0.0.0/4
Enjoy!
Cheers,
Tobias
last modified 12 February 2008