{"id":470,"date":"2023-09-03T22:03:43","date_gmt":"2023-09-03T21:03:43","guid":{"rendered":"https:\/\/blog.inplico.uk\/?p=470"},"modified":"2025-02-21T21:59:51","modified_gmt":"2025-02-21T21:59:51","slug":"vodafone-broadband-multi-ip-setup","status":"publish","type":"post","link":"https:\/\/blog.inplico.uk\/?p=470","title":{"rendered":"Using the server as a router and firewall"},"content":{"rendered":"

PPPOE<\/strong><\/p>\n

If you are using an ISP provided router then you probably will not need to set up pppoe, but if you are using a modem you will.\u00a0 From experience thus far it seems that FTP connection tend to work better with modems whereas FTTC have been better with routers.\u00a0 Vodafone multi IP in particular is much simpler to configure if you use the Vodafone router.<\/p>\n

If you are using a modem (or a router in modem mode) then you will need to connect it at both ends before you begin.\u00a0 Once you have it connected then install and run pppoeconf<\/strong> and follow the instructions on screen and all being well you will have a connection which you can manage with<\/p>\n

pon dsl-provider<\/pre>\n
to establish the connection or<\/p>\n
poff dsl-provider<\/pre>\n
to disconnect.\u00a0 You can use ifconfig to review the connections.\u00a0 If you have one called ppp0 or similar with a public ip address assigned then you have a connection and should be able to access the internet from your server (curl https:\/\/www.debian.org should\u00a0 return the html for the debian website or you can just try an apt-get update).<\/p>\n
Now (DEBIAN STYLE OS):<\/p>\n
If you look at your \/etc\/network\/interfaces<\/strong> You will note a configuration for your ppp interface that looks something like<\/p>\n
auto dsl-provider\r\n        iface dsl-provider inet ppp\r\n        pre-up \/bin\/ip link set eno2 up # line maintained by pppoeconf\r\n        provider dsl-provider\r\n<\/pre>\n
As you can see the line that says “line maintained by pppoeconf” identifies the physical interface that your modem is connected to (in my case eno2)<\/p>\n
(ARCH STYLE)<\/p>\n
Arch\/Manjaro et al do not have the luxury of an interfaces configuration file so we are just using stock systemd-networkd instead.\u00a0 It’s configuration file is in \/etc\/systemd\/network and doesn’t exist by default.\u00a0 Each file is given a name that starts with its precedence then the interface name and a “.network” suffix and they are processed in order of precedence so 10-xxx will be processed before 20-xxx:<\/p>\n
10-eno1.network\r\n20-eno2.network<\/pre>\n
This configuration is not using pppoe, just a standard connection and therefore we have a local interface and a WAN interface.\u00a0 In our example the local interface is 10 and the WAN is 20.<\/p>\n
The files contain the following respectively:<\/p>\n
[Match]\r\nName=eno1\r\n[Network]\r\nAddress=172.17.1.23\/16\r\n<\/pre>\n
for 10-eno1.network and<\/p>\n
[Match]\r\nName=eno2\r\n[Address]\r\nAddress=xxx.xxx.xx.99\/24\r\n[Route]\r\nDestination=0.0.0.0\/0\r\nGateway=xxx.xxx.xx.97\r\nMetric=1\r\nGatewayOnLink=yes\r\n<\/pre>\n
:wFor 20-eno2.network; the WAN interface (where 99 is the address of the interface and 97 is the address of the gateway (this was set up against a Vodafone router which has a whole separate page dedicated to it on this blog).<\/p>\n
The systemd configuration above would be identical to the following stanza in the \/etc\/network\/interfaces file:<\/p>\n
iface eno2 inet static\r\n        address xxx.xxx.xxx.99\r\n        netmask 255.255.255.0\r\n        broadcast xxx.xxx.xxx.xxx\r\n        post-up route add default gw xxx.xxx.xxx.xxx metric 1\r\n        post-down route del default gw xxx.xxx.xxx.xxx\r\n<\/pre>\n
systemd works out the broadcast for itself and automatically pulls the route when the interface is taken down.\u00a0 It has been rumoured\u00a0 that net-tools will be depreciated for some time now so I expect Debian will pull this method at some point but that rumour is around 10 years old now so don’t hold your breath.<\/p>\n
Incidentally, while testing I just used the ip command to bring the interfaces up and set them (this works for ether Debian or Arch based os so I will give a brief outline here:<\/p>\n
This method will liven up the interface but does not persist so you will\u00a0 have to use one of the methods above if you don’t want to set up the interface on every reboot.<\/p>\n
ip set link up<\/pre>\n
brings the interface online.<\/p>\n
ip addr add xxx.xxx.xxx.xxx\/xx dev eno1<\/pre>\n
sets an ip address and subnet mask.<\/p>\n
ip route add default via xxx.xxx.xxx.xxx dev eno2<\/pre>\n
will establish a route so that you can access your server from the outside world through interface eno2 (Note: The ip address is that of your gateway, not your interface).<\/p>\n
If you have your dns set up correctly you should now have a link and be able to ssh to your server from the outside world.<\/p>\n
 <\/p>\n
PORT FORWARDING<\/strong><\/p>\n
In order to pass traffic from one interface to another you need to enable port forwarding.\u00a0 To do so immediately issue<\/p>\n
echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n
at the command prompt.\u00a0 To make this permanent you need to edit \/etc\/sysctl.conf <\/strong>and either add or uncomment the line<\/p>\n
net.ipv4.ip_forward = 1<\/pre>\n
 <\/p>\n
IPTABLES<\/strong><\/p>\n
WARNING:\u00a0 The interface will be different depending on your initial setup.\u00a0 If you are using pppoe with a single static ip then it is likely that every you will use ppp0<\/strong>; if you are connected to a router then it will likely be a physical interface such as eno1<\/strong>, eno2<\/strong>, eth1<\/strong>…. etc.\u00a0 In the examples here we are going to assume that your configuration is a singe static IP and your are using pppoe and a modem (or router in modem mode) therefore everything references the virtual interface ppp0<\/strong>.\u00a0 For other interfaces it is simply a matter of changing this (everything else is the same).<\/p>\n
To get things working properly we need to set up iptables<\/strong>.\u00a0 First thing to do is install iptables-persistent<\/strong> in the usual way and then back up any existing rules by issuing the command.<\/p>\n
Alternatively for Arch style distributions you can use systemd’s built in iptables service. the only real difference is the rules are stored in \/etc\/iptables\/iptables.rules.\u00a0 Setting them up is identical except for<\/p>\n
DEBIAN:\r\niptables-save > \/etc\/iptables\/rules.v4\r\nARCH:\r\niptables-save > \/etc\/iptables\/iptables.rules<\/pre>\n
Now we need to set up a few new rules:<\/p>\n