Chapter 5 - Broadband Connectivity
Its now time to plug in our modem and dial up the information super highway, look out Internet here we come. While we are inside this chapter, we will also explore the concepts of Dynamic DNS and how it can be automated for users that have Dynamic IP accounts.
Detailed technical aspects of individual modems will not be covered here, please consult your user manual for information on key modem settings. If the modem came preconfigured from your ISP, please contact them for any technical assistance. |
Ethernet Modems
The most typical Internet connection type for home users is by means of a modem, whether it be dialup, ethernet, cable, or wireless, the concepts are all virtually the same. Today's modems are quite advanced and come with many neat security features to help protect the average user from the everyday threats out on the Internet.
Broadband modems generally operate in two different modes, that of 'bridged' or 'routed'.
There are pros and cons about both connection types, particularly if it is a modem router which is capable of stateful packet inspection and maintaining a secure state for the hosts on the private network. This HOWTO will concentrate on the bridging type connection, and provide the means for your server to establish, maintain and secure its own connection.
To connect to an ethernet modem the server must be fitted with a second ethernet device; common practice is to identify your "external" public network interface as eth0 (this is also consistent with this HOWTO's documentation). The ethernet device will be configured and controlled the same way as described in the previous chapter, with one minor difference being the protocol type assigned to the device. The ethernet device (and modem) are only maintaining a virtual tunnel over which the PPP link will travel, so it needs to be configured with BOOTPROTO=none parameter.
[bash]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 |
# External Ethernet Device (BRIDGED MODE - NO PROTOCOL) DEVICE=eth0 TYPE=Ethernet ONBOOT=yes USERCTL=no BOOTPROTO=none <-- No protocol defined here. PEERDNS=no HWADDR=00:00:21:E0:B8:B9 IPV6INIT=no |
After the ethernet device has been configured to operate in bridged mode, use some ethernet cable to connect the modem to the eth0 device. The modem should be able to connect to the exchange (or cable service), however the link still needs to be configured with the PPPoE settings.
When the ethernet "eth0" device is brought to the active state it will not be allocated (or broadcast for) an IP address and therefore not appear in the routing table as it is in "bridged" mode. |
PPPoE Configuration
When you connect to the Internet using an old style dialup modem, your computer communicates over the telephone system and back to your ISP using PPP (Point-to-Point Protocol). The broadband system is virtually the same but now your computer uses PPPoE (Point-to-Point Protocol over Ethernet) which is a modified version designed for the newer broadband specifications.
Roaring Penguin provides a free Linux PPPoE client that is already installed as a base package in many distributions. The PPPoE client is ideally suited to USB and ethernet (bridged mode) modems where a virtual link has already been established by the modem, and the PPPoE client handles the remaining dialup and authentication functions over that link. When an ethernet modem connects using the routed mode, it does so by using a similar PPPoE client preconfigured at the modem.
The PPPoE configuration file is stored in the same location with the other networking device files, however it is slightly more detailed than the other files, as shown below.
[bash]# vi /etc/sysconfig/network-scripts/ifcfg-ppp0 |
TYPE=xDSL DEVICE=ppp0 PROVIDER=ppp0 USER='username@myisp.com' ONBOOT=yes DEMAND=no USERCTL=no PERSIST=yes PEERDNS=no DEFROUTE=yes ETH=eth0 BOOTPROTO=dialup FIREWALL=NONE PING=. PPPOE_TIMEOUT=80 LCP_INTERVAL=20 LCP_FAILURE=3 CONNECT_TIMEOUT=60 CONNECT_POLL=6 CLAMPMSS=1412 SYNCHRONOUS=no PIDFILE=/var/run/pppoe-adsl.pid IPV6INIT=no |
Parameter | Details |
DEVICE | The logical name for the PPP device |
PROVIDER | A friendly name for the ISP |
USER | The ISP account username (password is specified in separate file) |
ONBOOT | Specifies whether the devices should start when the system starts (depending on network service) |
USERCTL | Directs that only root, or all system users can control the device |
PERSIST | Will attempt to redial the connection if the link is disconnected |
PEERDNS | Import the DNS nameserver settings into /etc/resolv.conf (careful if running own DNS) |
ETH | Tells PPPoE client which network device to use |
BOOTPROTO | The protocol type used to initialise the device (static | dhcp | none) |
Now that the PPPoE connection is configured, the authentication details for the account need to be stored so the client can automate the login process.
You should notice in the credentials file below, that the USER and PROVIDER details specified in the above configuration file are provided as the first two fields in the file. This binds the details together so the PPPoE client knows which details belong to which ISP connection (it is possible to have multiple PPP connections listed here).
[bash]# vi /etc/ppp/pap-secrets |
"username@myisp.com" "ppp0" "YOUR_ISP_PASSWORD" |
As with any authentication credentials, they should be kept secure from unauthorised access. This is more so if the server is accessible by other system users.
[bash]# chmod 600 /etc/ppp/pap-secrets |
The PPPoE client implementation also uses a small server application that listens for discovery frames from the remote connection. The following settings are required for the pppoe-server.
[bash]# vi /etc/ppp/pppoe-server-options |
require-pap login lcp-echo-interval 10 lcp-echo-failure 2 |
The PPPoE configuration is now completed and the connection is ready to be tested. It is assumed that your modem is properly connected and if an ethernet modem is being used, that the extra network device (eth0) is also configured and ready.
The easiest way to test the interface is to restart the networking service, which will test all of the devices by stopping and then starting them using the initscripts.
[bash]# /etc/init.d/network restart |
By checking the syslog you should be able to see if the connection was successful. If the connection was not successful, you should be provided with some error messages. Below is a successful connection.
[bash]# tail /var/log/messages |
galaxy network: Bringing up interface eth1: succeeded galaxy pppd[10190]: pppd 2.4.2 started by root, uid 0 galaxy pppd[10190]: Using interface ppp0 galaxy pppd[10190]: Connect: ppp0 <--> /dev/pts/4 galaxy pppoe[10191]: PPP session is 5036 galaxy pppd[10190]: CHAP authentication succeeded galaxy pppd[10190]: local IP address xxx.xxx.xxx.xxx <-- Your DHCP Address galaxy pppd[10190]: remote IP address 202.154.95.169 galaxy network: Bringing up interface ppp0: succeeded |
Specific connection details of the ppp0 device can also be provided with the ifconfig command. This should identify the local (your) IP address, the remote IP address and other details like connection statistics.
[bash]# ifconfig ppp0 |
ppp0 | Link encap:Point-to-Point Protocol inet addr:xxx.xxx.xxx.xxx P-t-P:202.154.95.169 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:2753 errors:0 dropped:0 overruns:0 frame:0 TX packets:2636 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:1470035 (1.4 Mb) TX bytes:472461 (461.3 Kb) |
The device can be manually controlled with the following commands, these should start to look familiar now as you use them often to control your connections.
[bash]# ifup ppp0 bash]# ifdown ppp0 |
Now that we are finally connected to the Internet we need to make sure we can send data using the link. Remember the configuration parameter we earlier used called DEFROUTE=yes, well that attribute should have placed a default gateway into the routing table when the ppp0 device connected, this now allows any packets that are not destined for the private network to be routed out to the Internet when the device is connected.
[bash]# route -n |
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 202.154.95.169 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 <-- Remote Interface 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 202.154.95.169 0.0.0.0 UG 0 0 0 ppp0 <-- Default Gateway |
The eth0 device does not get listed in the routing table, it is only providing a virtual connection for the ppp0 link to cross. |
Dynamic DNS Services
Dynamic DNS is a service offered by many organisations that allow general Internet users to bind a Fully Qualified Domain Name to a dynamic IP address, something that is normally only achieved with a static IP address.
The concept is simple, you have a fully qualified domain name that you want to point to your home computer, the only problem is that your ISP account uses dynamic IP addresses and it changes every time your server reconnects to the Internet. DDNS allows dynamic IP account users a service where their DNS records are updated if their connection (IP Address) details change, and then allows the updated information to be propagated throughout the rest of the DNS world. With an always on server and a reliable Internet account, it is technically rare for an IP address to change, so many home users are embracing the capability.
Many new broadband modems are capable of supporting DDNS and automatic updates using preconfigured software internal to the modem. We will provide our own automation script a little further on.
DDNS is only used with globally routed IP addresses which are external of your private network. This is not the internal private network addresses. Basic DNS principles for private networks are covered in Chapter 8. |
To use DDNS you need the following:
An Internet domain name was considered as one of our planning principles in Chapter 2. To fully implement our networking services for the external network, a domain name is required. InterNIC maintains this list (http://www.internic.net/origin.html) of Domain Registrars listed by country if you need to register a domain.
Some Dynamic DNS service providers also offer sub domain names that can be registered and used for free, the names are similar to "yourname.no-ip.org" or "yourname.homelinux.org". If you are happy using a simple sub domain instead of registering (and paying for) your own domain name, then you should have a look at some of the services offered by the Dynamic DNS service providers.
Some of the DDNS service providers are listed in the following table. Most offer free accounts that will allow the registration of a few domain names, providing the basic requirements for home users. Some providers offer extra services like backup mail server for times that your Internet connection may be offline, however these extra services may not be free. If in doubt about the services provided, please contact the relevant organisation.
Organisation | Website |
ZoneEdit | http://www.zoneedit.com/ |
No-IP.com | http://www.no-ip.com/ |
DynDNS.org | http://www.dyndns.org/ |
DHS International | http://www.dhs.org/ |
DyNS | http://www.dyns.cx/ |
Cn99 | http://www.3322.org/ |
DynDNS.DK | http://dyndns.dk/ |
eNom, Inc | http://www.enom.com/ |
TZODNS | http://www.tzo.com/ |
At this point you will need to configure your registered domain name using one of the DDNS service provider accounts. Please consult their online documentation for assistance in this task.
You will need to register your host (ie. galaxy.example.com) against your present dynamic IP address. You should also now add an "alias" (or CNAME) of "www" which points to galaxy.example.com - substitute for your specific domain. Be sure to set an MX (mail exchange) record for your domain if you plan on setting up a mail server for your network. |
Dynamic DNS Automation
The key to effective Dynamic DNS is ensuring that whenever your dynamic IP address changes on your broadband account, that the changes are sent to your DDNS service promptly so they can be replicated across the entire DNS.
This can be achieved by editing your ppp connection script, and placing a wget HTTP request towards the bottom of the script to execute after the dialup connection has been called. The following update is for a zoneedit.com DDNS account.
[bash]# vi /etc/ppp/ip-up.local |
wget -O - --http-user=username --http-passwd=password --no-check-certificate \ "https://dynamic.zoneedit.com/auth/dynamic.html?host=galaxy.example.com" |
Always check the wget command in a terminal window first, this allows you to debug it slightly and view (or install) any SSL certificates that are associated with the website. |
You should be aware that while the above communication is using the HTTPS protocol which provides some level of confidentiality for your account details, the executing command line can be viewed by any local user simply with the ps command. This is an important consideration if normal users are going to have access on the server.
The output of the above command looks similar to this.
[bash]# wget -O - --http-user=username --http-passwd=password --no-check-certificate \ "https://dynamic.zoneedit.com/auth/dynamic.html?host=galaxy.example.com" |
--21:28:12-- https://dynamic.zoneedit.com/auth/dynamic.html?host=galaxy.example.com => `-' Resolving dynamic.zoneedit.com... 69.72.142.98 Connecting to dynamic.zoneedit.com[69.72.142.98]:443... connected. WARNING: Certificate verification error for dynamic.zoneedit.com: self signed certificate WARNING: certificate common name `localhost.localdomain' doesn't match requested host name `dynamic.zoneedit.com'. HTTP request sent, awaiting response... 200 OK Length: 109 [text/html] 0% [ ] 0 --.--K/s <success CODE="200" TEXT="Update succeeded." ZONE="example.com" HOST="galaxy.example.com" IP="xxx.xxx.xxx.xxx"> 100%[====================================================================>] 109 --.--K/s 21:28:17 (1.93 MB/s) - `-' saved [109/109] |
The above solution ensures that any time the ppp0 interface is brought up using the correct initialisation scripts, that an update is sent to the DDNS service.
It is possible for many reasons that the ppp0 interface can be started and the DDNS update may be unsuccessful. This scenario can be addressed by using a script which is called every few hours as a precautionary measure.
Create the following script to update the account details for your ZoneEdit.com account.
[bash]# vi /bin/ddns-update |
#!/bin/sh # # DDNS Automation Script - ZoneEdit.com # File: /bin/ddns-update # Set ZoneEdit.com Account Details USER=username PASS=password HOST=galaxy.example.com EMAIL=admin@example.com # Constants - change files if needed TMP1=/tmp/ddns_tmp1 TMP2=/tmp/ddns_tmp2 # Send update request and save results wget -O $TMP1 --http-user=$USER --http-passwd=$PASS --no-check-certificate \ "https://dynamic.zoneedit.com/auth/dynamic.html?host=$HOST" echo ZoneEdit.com - DDNS Update > $TMP2 echo Time: `date '+%T - %e %B'` >> $TMP2 cat $TMP1 >> $TMP2 cat $TMP2 | mail -s "ZoneEdit.com - DDNS Update for $HOST" $EMAIL rm -f $TMP1 $TMP2 |
Next you need to make the script executable (Consider if only root or all users can read the script, and apply the appropriate permissions).
[bash]# chmod +x /bin/ddns-update |
To test the script you should execute it manually at the command prompt to see if it is functional. If the script is suitable it can be scheduled with cron to execute on a regular basis.
[bash]# crontab -e |
00 */8 * * * /bin/ddns-update |
The above crontab entry will execute the ddns-update script every 8 hours.
The script is designed to email the update query results to a particular user account. If you receive the following '707' error code, then the DDNS update script is being scheduled too often and should be relaxed.
ERROR CODE="707" TEXT="Duplicate updates for the same host/ip, adjust client settings" ZONE="example.com" HOST="galaxy.example.com"> |
Remember the initial ip-up solution should provide adequate stability for your DDNS requirements, and the ddns-update script is only a precautionary measure; try not to over use it.
0 Comments:
Post a Comment