Re: Dialup->Broadband. Changes? [Long]

From: Martin (nospam_at_example.org)
Date: 10/23/04 

Date: Sat, 23 Oct 2004 13:43:28 +0100

Matt Mills wrote:

> Hi all,
>
> At _LAST_ broadband *might* be available in my area, so I have ordered
> it and am awaiting the activation date. I wondered to myself what
> changes might I need to make to my LAN to make everything work with
> broadband.
...
> 1) The first problem I encountered was that the FreeBSD box has no USB
> ports, so I will have nowhere to connect the broadband modem. I have
> just purchased a PCI card with 5 USB ports on it, hopefully this will
> take care of that. Do these cards work on FreeBSD?

Most USB chips seem to be detected, but I've never used an add-in USB card.
However I would suggest a router not a modem, so USB would not be needed.

> 2) Presumably I need to make some changes to my ppp config. Should I
> refer to the PPPoE section of the handbook. Is this what I will have?

Can't help you there, but PPP isn't needed if you go for a router.

> 3) I believe that the broadband modem will have to connect to a network
> card in the FreeBSD box in some way. I have added an additional network
> card to the machine, so that there are now two. Was this the right thing
> to do? How do I need to configure the second network card, presumably it
> will not be on the same subnet? Will it have an IP address?

Two options...

1. Buy a USB ADSL modem. That connects only with USB (ethernet not
required). But that's not what I would personally recommend.

2. Buy an ADSL router. This has an ADSL (phone line) socket on one side, and
an Ethernet socket on the other (USB not required). In that case, you can
pick an RFC1918 private network range such as 172.16.*.*, 10.*.*.*, or
192.168.*.* for the cable between the FreeBSD firewall and the router,
making sure that this is a different network range from your main internal
network.

I would recommend going for a router because it seems cleaner to me, and it
gives you an extra "outer skin" where you can stick some first-level
filtering rules, so that you have to *** up the rules in two places before
your network is exposed to the internet. I have a Cisco 800-series ADSL
router from EBay myself, but colleagues of mine use DrayTek Vigor series
ADSL routers. Either of these devices can be configured to do fairly decent
filtering, which when combined with the filtering that FreeBSD offers, will
give very good seperation from the Internet. The DrayTek Vigor is supposed
to be much more user-friendly than the Cisco, unless you wanted to learn
Cisco IOS anyway. On my Cisco and my FreeBSD box, I've activated stateful
firewalling including egress filtering.

Netgear offers ADSL routers which are very cheaply priced, but I'd avoid
buying at that price level if possible because I've seen some real dross at
the cheaper end, even from household names. One Netgear unit (DG834?) I
configured for a friend exhibits several open TCP ports when port-scanned
from the Internet. Port-scanning it from the Internet also seemed to crash
its internal DHCP server and generally slow it down. Maybe more tweaking
or a later firmware version will fix all that, but meanwhile the moral of
the story is to buy such devices based on trusted recommendations, not
purely on price, tempting though that is.

>
> 4) Anything else?

You should probably take the opportunity to review the firewall ruleset on
the FreeBSD box. Generally of course things will just be easier, because
you no longer need worry about unwanted dialling events: you just keep the
ADSL line up all the time.

Have fun!

- Martin.