HOWTO-ADSL-BEZEQ
----------------

Originally written and still maintained by Dr. Daniel Arbel
Additions and clarifications by Muli Ben-Yehuda

The most recent version of this document can be found at
http://damyen.technion.ac.il/~dani/adsl-howto.txt
http://www.mulix.org/adsl-howto.txt

Ver 2.2.8 Mar 2003 - Link to Yaad Golani's BSD Howto.
Ver 2.2.7 Dec 2002 - Fixed stale URLs (patch from Carl Staelin).
Ver 2.2.6 Sep 2002 - Added link to Yaad Golani's FBSD ADSL HOWTO.
Ver 2.2.5 Sep 2002 - change location to http://www.mulix.org/adsl-howto.txt
Ver 2.2.4 Apr 2002 - change BEZEQ_ADSL to BEZEQ_ISRAEL (mulix)
ver 2.2.3 Mar 2002 - pptp 1.1.0 released with --quirks patch (mulix)
Ver 2.2.2 Dec 2001 - Switch various URLs from www.pointer.co.il to
                     vipe.technion.ac.il (mulix)
Ver 2.2.1 Nov 2001 - Add DNS information and highlight MTU problem (dani)
                     Update pptp info, add note to *bsd users (mulix)
Ver 2.2   Sep 2001 - General updates. Added links to Ethernet howto, document
                     about MTU, iptables firewall explanations and sample
                     script (dani). General update, different PPTP version and
                     patches explanation (mulix)
Ver 2.1.3 May 2001 - Additions of some provider codes, misc fixes,
                     tcp-mss-clamp with kernel 2.4.4, alcatel security
                     vulnerability and contributors section (mulix).
Ver 2.1.2 Apr 2001 - Edited pptp command line, ifconfig eth0 example (mulix)
Ver 2.1.1 Mar 2001 - Added ip masquerade with kernel 2.4. Cleanup. (mulix)
Ver 2.1.0 Feb 2001 - Added ip masquerade instructions. Typo fixes.
Ver 2.0.0 Feb 2001 - New version to celebrate the last bug fix and general
                     availability of ADSL to the Linux community. General
                     cleanup
Ver 1.2.1 Feb 2001 - fixed wrong 'ifconfig eth0' command (mulix)
Ver 1.2   Feb 2001 - Orckit ATUR3 modem now working! (mulix)
                     Note about different mtu's for eth0 and ppp0 (mulix)
Ver 1.1.5 Feb 2001 - adds info about the patched pppd (mulix)
ver 1.1.4 Feb 2001 - adds info about Alcatel modems, a patch to pptp to
                     support the Alcatel ISDN ADSL modem.
Ver 1.1.3 Jan 2001 - added note on modem names (ATUR2 and ATUR3) (mulix)
Ver 1.1.2 Jan 2001 - note on how to get the modem version string (mulix)
Ver 1.1.1 Jan 2001 - added note about pppd patch (mulix)
Ver 1.1   Jan 2001 - additions and clarifications by mulix
                     added "note about different ADSL modems"
                     added "where to get more help" (mulix)
ver 1.0.2 Jan 2001 - changes after the beginning of commercial service.
ver 1.0.1 Sep 2000 - corrections for pap authentication and stopping sessions.
ver 1.0   Aug 2000

DISCLAIMER: The info in this document is based mostly on our own experiences.
Use it at your own risk, and if you find any omissions or mistakes, please
don't hesitate to let us know.

A note for MACHBA (Israeli Academic Network) users: for specific ADSL
instructions please refer to your local site information or ask the local
network manager.

Table of contents
-----------------

1) A NOTE ABOUT THE DIFFERENT ADSL MODEMS - read first!
2) INTRODUCTION
3) LINUX INSTALLATION
4) DEBUGGING
5) IP MASQUERADING AND THE ADSL SETUP
6) WHERE TO GO FOR HELP
7) NOTE TO *BSD USERS
8) CONTRIBUTORS

A NOTE ABOUT THE DIFFERENT ADSL MODEMS - read first!
----------------------------------------------------

_Orckit modems_

There are two different Orckit ADSL modems. You can differentiate between them
by examining the version string the modem gives. So far, we know of the
following modems:

The modem known by Bezeq technical support as "ATUR2":
"Modem version 5.00.0.3 Orckit Release 2.0 , Version 4 (16:00 June 1 1999)"

and the modem known (by us) as "ATUR3":
"Orckit ATUR3 version: Adsl 4.0.0.34, Data 4.9 (ATM), Based on Virata
6.3.0.9-full release (Jun 27 2000)"

To find out your modem version string, simply telnet to the modem
('telnet 10.0.0.138'). The password is 'password'. Once you are logged in to
the modem, type 'version'.
To find out more things you can do with your Orckit modem, check out
http://www.cs.huji.ac.il/~alsbergt/docs/orckit-adsl.txt (you probably should
not be doing this unless you know what you are doing).

_Alcatel modems_

There are four Alcatel modem types: one for ISDN lines, two ethernet modems
for analog lines, and one USB modem. The USB model was not tested with Linux
yet. All three ethernet modems work with Linux. The ISDN model needs a patch
to the dialing software; see details later.

Some Alcatel modems of the Speed Touch family have a serious security
vulnerability. You can find more details about it at
http://www.securityfocus.com/archive/1/175229. Also, some Alcatel modems
allow changing all sorts of configuration parameters through a web based
interface (simply point your browser to the modem's internal IP address. You
probably should not be doing this unless you know what you are doing.)

INTRODUCTION
------------

This introduction describes the mechanism and specifics of the Windows
installation of the ADSL service. Bezeq does not officially support Linux
(although it is rumored that they might, in the yet-to-be-determined future)
and therefore can provide no clue about how to connect a Linux box. Digging
in the Bezeq installation and reading this introduction will help you draw
the conclusions needed when connecting your Linux box.

We describe here the details of the Orckit equipment. If you have Alcatel
gear and it looks a bit different, try to use intuition... (I did not have
the privilege to use Alcatel ADSL...).

1) The communication between the ADSL unit and the computer is done by an
   ethernet NIC (a regular network card). Bezeq will supply one to you, for
   an additional charge, or you can buy and install it yourself. Installing
   a network card is not covered by this ADSL-HOWTO, but is covered
   extensively elsewhere (see for example
   http://tldp.org/HOWTO/Ethernet-HOWTO.html).
   The NIC uses the following setup:

     network  10.0.0.0
     mask     255.0.0.0
     host:    10.200.1.1
     adsl:    10.0.0.138
     no dns, no domain, no gateway.

   It is possible to use an address other than 10.200.1.1 for the host side
   of the pptp connection, such as 10.*.*.* (excluding 10.0.0.138) or
   192.168.*.*, but doing so is not covered in this howto. It is also
   possible to use the 10.x.x.x network for other purposes and route traffic
   to the modem directly through the NIC, but doing this is not covered in
   this howto either.

2) Bezeq will install (or tell you to install yourself) a piece of software
   (which they call a "dialer") that connects automatically to their ADSL
   portal and activates your browser to show the main page. From there you
   can surf to the service selection and connect to your ISP. This is the
   front end hiding the things that actually take place:

3) A connection is established by dialing (yes, dial up just like with a
   "regular" modem) using the private network mechanism (VPN). If you want
   to set this up yourself, here are the steps:

   a) Install the MS virtual private network adapter (it might already be
      installed if Bezeq installed the ADSL in your computer).
   b) Go to dial up networking and start the wizard to create a new
      connection.
   c) For this connection, use the Microsoft VPN adapter.
   d) The host name is "10.0.0.138 RELAY_PPP1". Don't write the quotes, and
      yes, it really is a space between '138' and 'RELAY'.

5) Once the connection icon is created, go to its properties and disable
   netbeui, ipx etc. (these are various net protocols which you do not need
   for this type of connection).

6) Start the connection. The username is @I (for guest access this will be
   guest@OXxxxxx, where Xxxxx is your chosen ISP with its first character in
   uppercase (e.g. Actcom); the letter after the '@' is NOT zero). Note that
   guest access is not free of charge, and in fact VERY expensive. For non
   guest access to actcom, the username is username@IActcom.
   'username' is obviously your actcom user name; notice the upper case 'I'
   and 'A' and lower case 'ctcom'.

7) If you receive a connection and are able to use it, you may go on to the
   Linux installation. If not, search the registry (search for 'wow') to see
   whether some details have been changed by Bezeq (most likely to change are
   the username and ISP strings).

ISP NAMES
---------

The known ISP strings are:

  ISP                  ISP String
  ===                  ==========
  Actcom               Actcom
  Barak 013            Barak
  Bezeq International  Bezint
  Internet Gold        Inzahav
  Israserve            Israsrv
  Netvision            Netvision
  Kavey Zahav 012      Kzahav
  Infogate             Infogate
  Urbis                Urbis

LINUX INSTALLATION (finally ...)
--------------------------------

You should have no problem installing a NIC for ADSL. Set the MTU on eth0 to
1500 (run the command 'ifconfig eth0 10.200.1.1 netmask 255.0.0.0 mtu 1500').

Use a kernel with ppp support and the latest pppd. If you are using a kernel
from the 2.2 series, you need pppd 2.3.x. If you are using a kernel from the
2.4 series, you need pppd 2.4.x. To check what version of pppd you have, run
'pppd --version', and to check what kernel version you are running, run
'uname -a'. You can download ppp from http://ftp.samba.org/pub/ppp/.

The equivalent of the Microsoft VPN adapter is just the pptp program. You
should use the latest (as of this writing) pptp version, 1.1.0, which is
available at http://pptpclient.sourceforge.net/download.phtml. For more
details about pptp and the patches that ADSL support in Israel required,
please read http://www.mulix.org/adsl.html

Compile pptp. Read the pptp docs to see that you have pppd in the proper
place.

The authentication method is forced by the server.
In order to cover both options (pap and chap), edit or create 2 identical
files (/etc/ppp/chap-secrets and /etc/ppp/pap-secrets) to include proper
lines like:

  "@I" "10.0.0.138 RELAY_PPP1" ""

In case you are not a registered user of any of the ISPs you may select one
of the guest accesses (which are VERY expensive!):

  "guest@OActcom" "10.0.0.138 RELAY_PPP1" "Bezeq"

and finally, start a call:

  pptp 10.0.0.138 --quirks=BEZEQ_ISRAEL debug user @I \
       remotename "10.0.0.138 RELAY_PPP1" defaultroute mtu 1452 mru 1452 \
       noauth

If everything goes well you should be connected, and your networking will
look something like this:

# netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.200.1.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth0
213.8.120.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         213.8.120.1     0.0.0.0         UG        0 0          0 ppp0

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:BF:0E:F6:A8
          inet addr:10.200.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51825 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:109 txqueuelen:100
          Interrupt:9 Base address:0xb000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:61 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:213.8.120.98  P-t-P:213.8.120.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1452  Metric:1
          RX packets:49753 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

Now you have to check your connectivity.
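The dial-in sequence (eth0 setup, the secrets files, the pptp call) together
with the connectivity checks that follow, gathered into one POSIX shell
script. This is an added example, not part of the HOWTO and not code from the
pptp project. The addresses, the "10.0.0.138 RELAY_PPP1" remote name, the
--quirks value and the MTU values are the ones given in this document; the
user name, ISP string and password (ADSL_USER, ADSL_ISP, ADSL_PASSWORD) are
placeholders, the function names are mine, and the script assumes pptp goes to
the background after starting pppd (the pptp 1.x default), which is why it
waits for ppp0 to appear.

```shell
#!/bin/sh
# Added example (not part of the HOWTO, not pptp's own code): bring up the
# Bezeq ADSL link as described in the LINUX INSTALLATION section and verify it.
ADSL_MODEM=10.0.0.138
ADSL_HOST=10.200.1.1
ADSL_RELAY="10.0.0.138 RELAY_PPP1"
ADSL_USER=${ADSL_USER:-myuser}           # placeholder: your ISP user name
ADSL_ISP=${ADSL_ISP:-Actcom}             # placeholder: string from the ISP NAMES table
ADSL_PASSWORD=${ADSL_PASSWORD:-secret}   # placeholder

# Login name in the form the HOWTO gives: username@I followed by the ISP string.
adsl_login() {
    printf '%s@I%s\n' "$ADSL_USER" "$ADSL_ISP"
}

# One pppd secrets line: "client" "server" "secret".
adsl_secrets_line() {
    printf '"%s" "%s" "%s"\n' "$(adsl_login)" "$ADSL_RELAY" "$ADSL_PASSWORD"
}

# The server picks pap or chap, so both files get the same line. They hold a
# password, so they are (re)written readable by root only.
adsl_write_secrets() {
    ( umask 077
      for f in /etc/ppp/pap-secrets /etc/ppp/chap-secrets; do
          adsl_secrets_line > "$f"
      done )
}

# Remote side of the ppp link: the P-t-P field of 'ifconfig ppp0' read on stdin.
adsl_ptp_address() {
    sed -n 's/.*P-t-P:\([0-9.]*\).*/\1/p' | head -n 1
}

# True when the hosts line of /etc/nsswitch.conf (read on stdin) lists dns.
adsl_nsswitch_has_dns() {
    grep '^hosts:' | tr ' \t' '\n\n' | grep -qx dns
}

adsl_dial() {
    ifconfig eth0 "$ADSL_HOST" netmask 255.0.0.0 mtu 1500
    adsl_write_secrets
    pptp "$ADSL_MODEM" --quirks=BEZEQ_ISRAEL debug user "$(adsl_login)" \
        remotename "$ADSL_RELAY" defaultroute mtu 1452 mru 1452 noauth
    # Assumption: pptp detaches after starting pppd, so wait (up to 30 s)
    # for ppp0 to get an address.
    i=0
    while [ "$i" -lt 30 ] && ! ifconfig ppp0 2>/dev/null | grep -q 'inet addr'; do
        sleep 1
        i=$((i + 1))
    done
    ptp=$(ifconfig ppp0 2>/dev/null | adsl_ptp_address)
    if [ -z "$ptp" ]; then
        echo "ppp0 did not come up; see the pptp output and /var/log/messages" >&2
        return 1
    fi
    # Connectivity checks in the order the HOWTO gives: the link, then names.
    ping -c 3 "$ptp" >/dev/null 2>&1 || { echo "cannot ping $ptp" >&2; return 1; }
    adsl_nsswitch_has_dns < /etc/nsswitch.conf \
        || echo "warning: 'dns' missing from the hosts line of /etc/nsswitch.conf" >&2
    host linux.org.il >/dev/null 2>&1 \
        || { echo "name resolution failed; check /etc/resolv.conf" >&2; return 1; }
    echo "ADSL link up, remote side is $ptp"
}

adsl_down() {
    ifconfig ppp0 down
    killall pppd      # takes pptp down with it
}

case "${1:-}" in
    up)   adsl_dial ;;
    down) adsl_down ;;
esac
```

Run it as root: 'sh adsl-up.sh up' dials and runs the checks, 'sh adsl-up.sh
down' stops the session the way the "Stopping a session" paragraph describes.
Only the dial and teardown functions need root; the login, secrets and parsing
helpers can be exercised on their own.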
Start with 'ping ip.addr.ess.here' to the remote side of the ppp connection
(the P-t-P entry, which is the ip that comes before the "Mask" in the output
of ifconfig; 213.8.120.1 in the example above). If this isn't ok, repeat the
steps above. If it is ok, check that you have a working DNS by running the
command 'nslookup' or 'host' with a host name:

  12:39pm :bee:/~> host linux.org.il
  linux.org.il. has address 192.117.122.34

If your box cannot resolve names to ip addresses, check your DNS
configuration. You basically have two options:

1) Rely on the PPP process to set a DNS server entry in the /etc/resolv.conf
   file. This is done by adding the option 'usepeerdns' to the
   /etc/ppp/options file. See also "Comments about the command line dialing".

2) Add a static DNS server in this file. Best would be your ISP's DNS server.
   The file /etc/resolv.conf roughly looks like this:

     10:45am :bee:/~> more /etc/resolv.conf
     nameserver 132.68.1.9

If you did one of the two options above and still have no DNS resolution
working, check that DNS is listed as an option for hosts resolution in the
file /etc/nsswitch.conf:

  hosts: files nisplus nis dns

More information in regards to setting up DNS can be found in many places,
for example the Linux Documentation Project or 'man 5 resolver'.

Stopping a session
------------------

Stopping a session should be done as follows:

1) down the ppp0 interface:

     ifconfig ppp0 down

2) kill the pppd process; this will kill pptp as well:

     killall pppd

Comments about the command line dialing
---------------------------------------

The parameters in the command line after "pptp 10.0.0.138
--quirks=BEZEQ_ISRAEL" are passed to pppd. You may put them in
/etc/ppp/options instead. In this case, any dialing will use them, not only
the adsl one. Important options are:

mtu 1452              # to overcome an Orckit bug ?
mru 1452              # to overcome an Orckit bug ?
defaultroute          # this makes the ppp connection your default gateway.
                      # probably what you want.
usepeerdns            # this option will cause pppd to receive an address of
                      # the ISP dns server and put it in your
                      # /etc/resolv.conf. This is a good idea, but the file
                      # tends to grow with time ..
noipdefault           # For some reason, pppd will propose the IP of my
                      # internal interface (e.g. 192.168.2.12), and I don't
                      # want anybody to know about it.
lcp-echo-interval 60  # Without these 2 lines, pppd won't detect loss of
lcp-echo-failure 3    # connection, because pppd regularly uses the modem DTR
                      # line to detect a connection drop, and pptp doesn't
                      # have one.

DEBUGGING
---------

If you have problems, some debugging is possible:

1) Debug messages appear on the window that runs the pptp command.
2) More debug messages go to /var/log/messages or /var/log/daemon.log. Make
   sure you are running pppd with the 'debug' keyword (given to pppd either
   on the command line or in /etc/ppp/options).
3) You may increase the debug level of pppd (see the man page).
4) To see what is going on between your Linux box and the ADSL system,
   install tcpdump or ethereal and record the LAN traffic.
5) It is possible to add even MORE debugging information by adding "kdebug 7"
   to the pppd invocation. This is a VERY wordy option.

IP MASQUERADING AND THE ADSL SETUP
----------------------------------

If you have more than one PC you would most probably want to share the adsl
connection with all of them. Here comes ip masquerading to your help. This
topic is covered in the IP Masquerade HOWTO
(http://tldp.org/HOWTO/IP-Masquerade-HOWTO.html), so I will only outline what
has to be done and go into detail on the points special to the adsl setup.

MAKE SURE THAT YOU READ THE DOCUMENT IN
http://damyen.technion.ac.il/~dani/adsl-mtu.txt AND THAT YOU IMPLEMENT ONE OF
THE RECOMMENDATIONS THERE. FAILING TO DO SO WILL CAUSE CONNECTIVITY PROBLEMS
FOR STATIONS IN THE MASQUERADED NETWORK.

Preparations:

1) You have to boot a Linux kernel with ipchains support (2.2) or iptables
   support (2.4).
   Since iptables acts as a real firewall system (see the section "Why is
   iptables better?" below) I strongly recommend using it instead of
   ipchains. You will also need specific modules (the most common is the ftp
   masquerade module, but there are others). Your kernel may already be
   prepared for that, depending on your distribution. For further details
   see the IP Masquerade HOWTO.

2) You have to physically connect the adsl modem to the local network. There
   are basically two options here:

   a) Add a second network card to the Linux box: one for the adsl modem and
      one to connect the other computer, or a hub/switch if you have one.
   b) Use the same network card for all. Connect all the PCs and the adsl
      modem to a hub/switch and put them all in the private 10.x.x.x network
      address range.

   Option (b) looks strange at the beginning, and unless you set up your
   firewalling rules correctly it can be a security problem, but it does have
   an advantage: the internet is connected through a ppp interface in your
   Linux box, and the ethernet segment on ip network 10.0.0.0 ends at your
   ADSL's ethernet port. From a bandwidth point of view, the adsl is limited
   to about 2 Mbps, so the 10 Mbps of an ethernet hub can handle this with
   no problem. Therefore, option (b) saves you a slot in the Linux box.

   Note that to connect 2 PCs directly with an ethernet cable, you need a
   cross wired cable, and not a straight cable like you have between your
   adsl modem and PC. The same goes for connecting the adsl modem to a hub:
   you need a cross wired cable here as well. (An ethernet cable consists of
   2 twisted pairs of copper wires. Each pair has its own color, with one of
   the two being white + color, the other just the color. The wiring is as
   follows: pair a: pin 1 to pin 1, pin 2 to pin 2. pair b: 3 to 3, 6 to 6.
   A cross connect will be 1 to 3, 2 to 6, 3 to 1, 6 to 2.)

Setup:

If you have chosen to use option (a), assign the second ethernet card a
network number in the 192.168.0.0 range, e.g.
192.168.1.1, with mask 255.255.255.0. Assign the other PCs addresses in the
same segment (192.168.1.x) with the same mask. Make their default gateway
the ip of the Linux box: 192.168.1.1 in this example. Reduce the PCs' MTU of
the ethernet card to 1452 (if your PCs run Windows see the remark below).

You can also set up the PCs with a DNS server. You can run a caching DNS
server on the Linux box and set the Linux box to be the PCs' DNS server, or
just put your regular DNS server (the one specified at /etc/resolv.conf on
the Linux server).

Now run the ipchains rules that enable the ip masquerading. Something like
this if you are running kernel 2.2.x (for kernel 2.4.x, read on; again,
refer to the IP Masquerade HOWTO for a complete description):

#!/bin/sh

# to load the modules needed:
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp

#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels. This used to be a compile-time option but the
# behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
# this following option. This enables dynamic-ip address hacking
# in IP MASQ, making the life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in
# the 192.168.1.x network with a 255.255.255.0 or a "24" bit
# subnet mask
#
# ** Please change this network number, subnet mask, and your Internet
# ** connection interface name to match your internal LAN setup
#
# this line prevents masquerading services for foreign hosts.
/sbin/ipchains -P forward DENY

# This line causes the actual masquerading and forwarding of your
# 192.168.1.0 segment:
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ

# You may replace this with a specific ip number for each host you have:
/sbin/ipchains -A forward -s 192.168.1.2/32 -j MASQ

and that's all... Now, if you chose option (b) (using only one ethernet card
on the Linux box) all that changes are the internal ip numbers.

Reducing the MS Windows MTU
---------------------------

We have encountered connectivity problems between hosts in the masqueraded
segment and internet hosts/servers. The workaround for this problem is to
reduce their ethernet MTU from 1500 to 1452. To understand the source of this
problem you may want to read the doc in
http://damyen.technion.ac.il/~dani/adsl-mtu.txt

While changing the mtu in Linux is trivial, doing so in a Windows system
requires playing with the registry. Do it carefully and at your own risk. If
there are mistakes here, please let me know so others will not suffer...

For win95(?), run regedit and find the object:

  My Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Class\NetTrans\000x

(there may be 0001, 0002 etc., so find the one with the ip number assigned to
the ethernet card) and add a new string value named MaxMTU with 1452 as the
string.
For win98, the key is named:

  My Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\000x

Win2k is similar (find the correct instance of the ethernet card by the ip
number), but you have to add a DWORD object.

Firewalling and Masquerading with kernel 2.4
--------------------------------------------

Why is iptables better?

In iptables the mechanism of stateful inspection was implemented in the
filtering engine. This means that just like in a commercial firewall (e.g.
CheckPoint FWall-1, etc.) the high port numbers (actually, all ports that do
not run services) are closed, and open only to traffic associated with a
connection previously started by a trusted host (trusted means that it has a
specific 'allow' rule in the firewall configuration). This tightens the
firewall (all ports, even above 1023, may be closed by default) and
simplifies the ruleset (no more static allows for high ports that serve the
returning traffic). It also applies to icmp messages, which may be allowed
only if they are associated with an actual existing connection.

Since there are a lot of attacks on dial up and adsl connected hosts, and the
service providers do not perform any filtering whatsoever, I have a sample
iptables script you may use as a starting point for your own firewalling:
http://damyen.technion.ac.il/~dani/fw-adsl.sh

The script has a few ADSL specific rules and the rest is pretty general; you
may refer to the HOWTOs for further help. Basically, with kernel 2.4 the
relevant HOWTOs are the NAT-HOWTO
(http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO/index.html) and
the Packet-Filtering HOWTO
(http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/index.html).

WHERE TO GO FOR HELP
--------------------

Good luck, and if you have any problems, feel free to ask for support on
linux-il, the mailing list dedicated to all things Linux in Israel. To learn
more about linux-il, go to http://www.linux.org.il.
You can also try asking on #iglu, on the EFnet irc network. Make sure to
provide detailed error messages; we are not mind readers...

NOTE TO *BSD USERS
------------------

Yaad Golani has written a detailed HOWTO on how to connect to ADSL with the
various BSD systems. It's available at
http://www.penguin.org.il/guides/adsl-bsd/adsl-bsd.txt

CONTRIBUTORS
------------

Dani Arbel
Muli Ben-Yehuda
Haim Gelfenbeyn
Marc A. Volovic
Elad Tsur
Tzahi Fadida
Aviram Jenik
Alex Shnitman
Tzafrir Cohen
Eran Tromer
Amir Szekely
Mark A.R.
Carl Staelin
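As an added example for the "Firewalling and Masquerading with kernel 2.4"
section and the MTU recommendation in the masquerading section: an iptables
counterpart of the ipchains script above that masquerades the LAN behind ppp0,
applies the stateful default-deny policy that section describes, and clamps
the TCP MSS instead of lowering the MTU on every PC. This is my own script,
not the fw-adsl.sh the HOWTO links to, and it assumes option (a): ppp0 is the
ADSL link, eth0 faces the modem at 10.0.0.138, eth1 is the internal
192.168.1.0/24 LAN (EXT_IF, MODEM_IF, MODEM_IP, LAN_IF and LAN_NET are
variables you can override). With DRY_RUN=1 it prints the rules instead of
loading them.

```shell
#!/bin/sh
# Added example, not the HOWTO's fw-adsl.sh: kernel 2.4 iptables rules that
# masquerade the LAN and filter statefully. Assumed layout (option (a) above):
#   ppp0 = ADSL link, eth0 = modem side (10.0.0.138), eth1 = LAN 192.168.1.0/24
EXT_IF=${EXT_IF:-ppp0}
MODEM_IF=${MODEM_IF:-eth0}
MODEM_IP=${MODEM_IP:-10.0.0.138}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# With DRY_RUN=1 the rules are printed instead of loaded, so the ruleset can
# be reviewed without root and without iptables on the machine.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

fw_rules() {
    # Start from empty tables and a default-deny policy: nothing gets in or
    # through unless a rule below allows it. Traffic from the box itself out
    # is allowed.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets claiming to come from the internal LAN can never
    # legitimately arrive over the ADSL link.
    ipt -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Stateful core. Replies to connections that were allowed in the first
    # place, and related traffic (icmp errors, ftp data), pass; everything
    # else, including unsolicited packets to high ports, hits the DROP policy.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The pptp tunnel: the control connection to the modem (TCP 1723) is
    # started by this box and tracked like any other connection, but the GRE
    # packets carrying ppp are not connection-tracked by a stock 2.4 kernel,
    # so they must be allowed explicitly, and only from the modem.
    ipt -A INPUT -i "$MODEM_IF" -s "$MODEM_IP" -p 47 -j ACCEPT

    # LAN hosts may open new connections to this box and to the internet.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" \
        -m state --state NEW -j ACCEPT

    # Hide the LAN behind the (dynamic) ppp0 address; the counterpart of
    # 'ipchains -A forward -s 192.168.1.0/24 -j MASQ'.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # MSS clamping (kernel 2.4.4 and later): rewrites the MSS of forwarded
    # SYNs to fit the 1452-byte ppp0 MTU, so the LAN PCs can keep MTU 1500
    # instead of being edited one by one (see adsl-mtu.txt).
    ipt -A FORWARD -o "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

fw_apply() {
    /sbin/modprobe ip_conntrack_ftp   # the 2.4 equivalents of ip_masq_ftp
    /sbin/modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr   # ppp0 address changes per call
    fw_rules
}

case "${1:-}" in
    apply) fw_apply ;;
    show)  DRY_RUN=1; fw_rules ;;
esac
```

'sh fw-2.4.sh show' prints the 15 iptables commands for review; 'sh fw-2.4.sh
apply' loads the ftp helpers, turns forwarding on and installs them. Rule
order matters: the anti-spoofing drops sit before the ESTABLISHED,RELATED
accepts, and the GRE accept is the one rule that lets unsolicited packets in,
which is why it is pinned to the modem's interface and address.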