This page was created to answer questions put to me on how I configured Linux to utilise my ADSL connection.

I'm currently using Telstra's Bigpond ADSL service to connect to the Internet from home. I am subscribed to their "Freedom Deluxe" plan, which gives me 512k down/128k up - or between 25kb/s and 50kb/s to mirror.aarnet. The link is generally stable, although because all of the traffic is routed through Victoria, ping times can vary quite considerably.

I am using a Linux gateway - which Telstra will not support in any way if there is a problem. That's fine, because I will always try to diagnose any problems before ringing Telstra Bigpond Tech Support anyway... However, if there is a problem, their first question will be "what is the error message?", which is a bit hard to answer when you're not using the Windows Telstra ADSL client. My only solution is to have the Windows client available for when something bad does happen (by installing it onto my work laptop).

Please remember to read the Telstra ADSL AUP so as to get the most out of your new-found freedom.

If you are looking to setup/configure ADSL on a Windows box, please have a look at The CableGuy, being maintained by Darren Stribning.

For all of the Australian Broadband news, broadband goss, and a place to find lots of broadband-related links, have a look at Whirlpool.

I'm using a bog-standard RedHat 6.2 installation, which has been considerably hardened to protect the gateway from most forms of attack - latest patches, unnecessary packages removed, firewall software installed, tripwire installed, etc. You really need to think about security when connected to the Internet (semi)permanently, otherwise you will find your machine 0wn3d.

The only other requirements are as follows:

• The ADSL modem needs to have been installed and configured by the Telstra Technician. You'll receive a username and password pair, as well as some other details
• The technician will attempt to provide you with a USB-to-10baseT ethernet adapter - refuse it and ask for a PCI network card. The one supplied to me was an SMC EzyConnect PCI network adapter. Apparently it is supported by Linux, but I exchanged it for a Netgear FA310TX (which are well-supported by Linux). The network adapter needs to be installed into your linux gateway.
• I use Roaring Penguin's rp-pppoe drivers to run the ADSL link. The current version is 3.0.
• You will need a recent release of the PPP daemon
• It would be preferable if the techie shows you that the link is working before they walk out the door, either by having it installed through your Windows machine, or using their laptop - this saves a lot of heartache.

... is very simple - unpack, ./configure, make, make install, adsl-setup, adsl-start

Seriously! - but below are more detailed steps for the technically illiterate:

1. Configure the network card - it needs to be "up" with no IP address or anything else. Do not set the interface to "dhcp", use pump or dhcpcd or anything like that on the interface. A simple "ifconfig eth1 up" should suffice.
2. Download the latest RP-PPPoE from Roaring Penguin's web site (see above for the link)
3. If you downloaded the source, untar the tar.gz archive into a directory you have read/write access to.
4. Change directory to the "src" subdirectory of the "rp-pppoe" directory.
5. Change user to root

6. # ./configure

7. # make

8. # make install

9. # adsl-setup

10. Answer the questions when the adsl-setup program prompts you:
• You username will be "username@bigpond"
• Your password is all lowercase irrespective of how the techie writes it
• The ethernet interface is the interface brought up by steps above (hint: the one without the IP addresses configured)
• You don't want to use dial-on-demand - sounds good but isn't necessary, as Telstra is not charging you for your time online - you may as well stay online for as long as possible.
• Because you're on the Internet basically permanently, it is recommended that you configure some sort of firewalling, using either a commercial firewall package, ipchains, or iptables (for 2.3/2.4 kernels). If you already run a firewall on the gateway, you can specify "0" for the firewall question.

11. # adsl-start

    to start the ADSL connection

12. #adsl-stop

    to stop the ADSL connection

13. # adsl-status

    to determine whether the ADSL PPP connection is up or not

The authentication method is "chap", not "pap", which has confused some people trying to set up all of this. In any event, rp-pppoe will modify both the "chap-secrets" and "pap-secrets" when installing.

There's not much configuration required to have a network at home connecting through the ADSL link. Essentially, you will need to configure masquerading support, as well as set the ip_forwarding option in the kernel. Your firewall rules will become a little bit more complicated (to allow the traffic out and back). Note that, according to the AUP, you're not allowed to run any web services, FTP servers, IRC servers, etc. However, I haven't detected any probes from Telstra trying to check and see if I am running any servers.

As for routing, let the PPP daemon work it all out. When the PPP daemon has negotiated a PPP session, it should set the default route to the be other end of the ADSL connection (which is a site down in Melbourne). If you try to ping this end-point, you won't get anything back, as apparently Telstra has configured the end-point to drop all echo requests *sigh* When are they going to get real people to set this stuff up?

I'm sure you value the information you have sitting on your home network, so please think about putting some barriers up to stop the average script kiddie from hacking your network. If you are unsure how to do this, have a look at my Security web pages.

Please note that having a home network connecting through your ADSL link will generally breach the AUP.

For detailed Windows and Mac network configuration, have a look at CableGuy's web site, linked above.

The Linux 2.4 series kernels now have in-built (but experimental) support for ADSL. I'm not running a 2.4 kernel, so I don't know how this is configured. Crossfire has however been able to configure his ADSL connection to utilise 2.4 kernels, and has posted his 2.4 ADSL Howto on his website.

Crossfire also goes into quite some detail about setting up appropriate IP-tables rules, which you can use to start building iptables-based rulesets.

So what is the "clamp-mss" option all about? There is a PPPoE paper on Roaring Penguin's web site which goes into quite a lot of detail about how pppoe works. In the paper, they describe the MTU issue, which is why clamp-mss exists.

Basically, the maximum size of an ethernet frame is 1518 bytes, with 18 bytes used by headers and stuff, leaving 1500 bytes for data. If you run "ifconfig eth0", you will see the MTU of the ethernet interface set to 1500 bytes. Now, because PPP "encapsulates" the ethernet frames, there is an additional 8 byte overhead, for PPP and pppoe headers. Therefore, the maximum data size is now 1492 bytes per frame.

If you send ethernet packets with 1500 bytes of data, the PPP link needs to somehow fit that 1500 bytes of data into a 1492 byte space - it won't compress the data, therefore it must use fragmentation. PPP will create a new frame and put the last 8 bytes of data into that frame.

The link will end up being congested with lots of tiny packets, with many of these fragments being dropped (mostly due to the "don't fragment" bit set).

The solution is to let the TCP stack determine the correct MTU to use - through "path MTU discovery". Unfortunately, this sometimes does not work, as some routers, and most firewalls, will not allow ICMP "fragmentation needed" packets between the end-points of the connections. Thus the "clamp-mss" option in rp-pppoe.

The pppoe daemon will "snoop" the MSS being negotiated between the end-points, and modify it in-situ, reducing the usual 1500 byte MTU down to 1412 or something, with the result being that fragmentation disappears. I have "clamp-mss" turned on, and set to 1412.

An interesting side effect is that I have had to reduce the MTU on all of the interfaces on my internal network down to 1412, as my gateway doesn't allow path MTU discovery to occur. You might need to do this as well.

When I ordered the ADSL connection, the sales person asked me whether I wanted "additional users". I thought this was an option to "legitimise" having a network connected to the ADSL modem at home, so I said "yes!". I was then charged $10/m for the "additional user", which was never set up, nor explained to me what the hell it was for.

My theory is that because the ADSL modem can support multiple simultaneous PPP sessions, an "additional user" allows other residents of the premises to connect through the same ADSL line back to Telstra, and establish their own PPP sessions.

The moral of this story is don't ask or accept the "additional users" option. It's not required, and costs you $$$ in the end.

The Telstra ADSL service is generally reliable. You have to remember that it has just come out of pilot, so there will be problems. I've found that there have been a few types of outages:

If you want to know whether there are problems with the ADSL link, check the Becsta.NET Statistics Page - if there are no regular spikes in the ADSL graph, you know there was some form of outage (at least with my link). Alternatively, you can check the Telstra Bigpond Service Status page.

For some time I suspected there was more to this rather large, black, Telstra-supplied Alcatel Speed Touch Home ADSL modem than Telstra were letting on. The ADSL modem came in a large box, along with a power transformer and some cables. Interestingly, there was no documentation on the modem at all. Reading up on the ADSL modem vulnerabilities, my suspicions were confirmed.

If you're curious, have a look at the Speed Touch Home User Manual (Warning, it's quite large @ 3.7Mb). Apparently you can connect to the ADSL modem through telnet, and play around with the configurations from a command line. I seriously recommend YOU DO NOT stuff around with the guts of the modem, because if something goes wrong, and you stuff it up, Telstra may not want to support you. They supplied the modem in a particular configuration, and without documentation, for a good reason: us "bad" consumers cannot be trusted to maintain the configuration in a supportable state if we have access to the documentation. Giving consumers access to documentation and the guts of the modem would make the tech support job a helluva lot harder too.

Well, now you have access to the documentation.

That's about it, I think. There's plenty of documentation for you to read on Roaring Penguin's site if you have any problems with the above.

Update 1: I've moved house, and currently don't have my ADSL link reconnected (which I now miss quite badly). I've moved to a place which does not have Optus or Telstra Cable (why won't these companies support putting the requisite equipment into units - they'd have a captive market!), but thankfully (according to the Telstra web site) I can still get access to ADSL. I'm back to using a 33k6 modem link for now, and it bites.

Update 2: The "Alcatel Speed Touch Home" ADSL modem has been found to be lacking as far as security is concerned. Tsutomu Shimomura and Tom Perrine of the San Diego Supercomputer Centre have discovered several implementation flaws with several versions of the Alcatel Speed Touch ADSL modem. They have posted information on the various vulnerabilites to Bugtraq, and you can find information at Security Focus. Whether there are any real risks of compromise is yet to be determined - the guys at SDSC certainly make the vulnerabilities seem easy to exploit - so we'll have to wait and see. Will Telstra do anything? I doubt it very much.

Tsutomu and Tom's report on the SDSC security web site.

The Bugtraq article submitted by Tom Perrine.

The Security Focus report (based on the Bugtraq article)

A c|net news article on the vulnerabilities discovered.

Don't forget that, with any permanent connection, you will need to do something to stop your machines being 0wN3d. If you want to get some ideas, have a look at my set of Security pages.

You can email me if you like.