Items of Interest
Configuring Westell Wirespeed A90-210030-04 for IP passthrough under Linux

Running with an MTU of 1412 is just wrong in so many ways; I decided I'd kick my Westell Wirespeed into IP Passthrough mode so PPPoE (evil in and of itself) is handled internally instead of on my firewall. MTU 1500, you are mine now!

But first...

IP passthrough mode works horribly on a Wirespeed with the older 1.05.04 firmware. I experienced around 50% packet loss and the network was essentially unusable. You will need to download firmware 1.06.15 from Bellsouth, for whom this particular DSL router was specifically designed. Fetch this and put it someplace safe. If something bad happens, you might want a copy of the original firmware, too. (It's unlisted, but that URI worked as of this writing.)

Accessing the Wirespeed

Plug the modem into a free ethernet interface on the machine you intend to use as a firewall (and/or personal workstation). IP passthrough mode uses MAC address tricks, so it's essential (for the Wirespeed's sanity) you use the same network card you plan on using later. If it's not, it'll become confused and it won't work.

For comparison's sake, my firewall box has four network cards. I am using eth0 as the external interface and eth1 as my internal interface. The rest are for other fun things. For this procedure I plugged my Wirespeed into eth0 which will become its permanent home.

Now, the fun part. The configuration is completely browser-based, but the moron who designed the Web UI thought JavaScript was awesome, so you need a JavaScript-capable browser to upgrade the firmware and set up IP passthrough mode. If you're running the X Window system on the box in question, you're essentially good to go. If not, your other options are configuring NAT, which you'll probably want to do anyway if this is a network with multiple machines, or moving the network card into a machine which does have a JavaScript-compatible browser. (Konqueror did not work for me; Mozilla and Internet Explorer work fine.)

As a firewall should never have a graphical environment on it, I opted for option two. (Moving network cards around is kind of silly and superfluous.) For this, you will need to have Netfilter configured if you're using a Linux 2.4 series kernel. Assuming your firewall is ready to rock, enable NAT (adjusting your IP range as necessary) with either of the following commands:

# If you're using a dynamic IP
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -o eth0 -j MASQUERADE
# If you've been assigned a static IP
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -o eth0 -j SNAT --to-source 192.168.1.254

If you're using Bellsouth ADSL, then you're going to need the former eventually, so set it up now and it will work transparently after you have IP passthrough configured. If you're lucky enough to have a static IP or just want to mess around, the latter should work fine for now. The address 192.168.1.254 is actually the address of the Wirespeed itself, so you will need to change it later to your assigned static IP.

Thereafter, you need to run `pump` or another DHCP client on the interface you plugged the modem into.

rebecca:~# pump -d -i eth0

You will now have an internal address from the 192.168.1.0/24 range. You should be able to ping 192.168.1.254 from another machine if you enabled NAT above.

With your Wirespeed plugged into your external, NAT'd interface, point a graphical browser to its configuration Web page. Input your PPPoE login information if necessary, then proceed to click on the option for updating the modem. You will be presented with a file upload form. Select that image you saved in a safe place earlier, the 1.06.15 firmware image, and select the update software graphic. The page will then be updated with the status of the firmware flash. If all goes well, the modem will reset. Once this exciting step is complete, you can configure IP passthrough mode.

Enabling IP passthrough

Most of the work is already done. Point your browser to the configuration Web page again. Select the expert option from the menu, then confirm that's actually what you want to do (no, seriously, that's the next step). Now, select the new configure option from the menu and select the IP passthrough option. You will be presented with a list of machine names or IP addresses, probably just one, and a submit graphic. If you have DNS configured internally, select the appropriate machine name. If not, you will probably see 192.168.1.97 or something similar. You can view the HTML source of the frame and look for the MAC address of your external interface. That's the one you want to select.

The modem will reset itself. You will need to reset your interface: unplug the ethernet connection to the modem.

Run `pump` again. You should get a public IP if IP passthrough mode is functioning correctly. If you get a 192.168.1.1 address, then you're probably okay; you just need to unplug the cable again and run `pump` a few more times. You should get a public IP in a few more seconds or so.

If you want this to come up at start up, and I'm sure you do, under Debian GNU/Linux add the following stanza to your /etc/network/interfaces configuration file:

auto eth0
iface eth0 inet dhcp
        up /etc/firewall/gShield.rc --start
        up /usr/sbin/ddclient
        down /etc/firewall/gShield.rc --stop

The commands are optional, but they drop a firewall (gShield) on everyone and then hit my dyndns provider. (If you do install gShield, you must delist 192.168.0.0/16 from the reserved_addresses file, or some things won't work, like OpenSSH.)

Everything should be good to go. Enjoy!

What happens when my connection to Bellsouth dies?

With PPPoE, control of the connection was always retained by the firewall itself and user configurable. Now that the Westell is in control, what's the deal?

The Westell issues an IP lease for 2 hours. My DHCP client, `pump`, attempts to reacquire the lease after an hour and forty-five minutes. If reacquisition succeeds, and it nearly always will, you're good to go. If something is wrong, for example the Westell has lost its PPP connection with Bellsouth, reacquisition will fail. `pump` will keep trying until it eventually obtains a new lease.

From my experience thus far, the Westell has always eventually reacquired a PPPoE connection without having to manually cycle the power on the device. Recently I finally lost connectivity to Bellsouth for a period of time. It came time for `pump` to renew its lease, and it failed for a while, but eventually picked up a new address from the Westell. The situation was resolved in fifteen minutes. It seems `pump` and the Westell will do the right thing during an outage without requiring manual intervention. (As an anecdotal comparison I have had `pppoe` simply give up and die during extended outages requiring user intervention.)

Nov  7 02:48:15 rebecca pumpd[109]: reject: msgtyp: 6
Nov  7 02:48:15 rebecca pumpd[109]: failed to renew lease for device eth0
...
Nov  7 03:03:15 rebecca pumpd[109]: failed to renew lease for device eth0
Nov  7 03:03:15 rebecca pumpd[109]: PUMP: sending discover
Nov  7 03:03:15 rebecca pumpd[109]: got dhcp offer
...

If there's anything that needs to be kept up to date with regard to IP changes, `pump` has a neat little interface for handling that. You can use a script directive in the configuration file and it will kick off a script of your choosing every time a DHCP event happens, such as the loss of a lease or the renewal of one. The IP is included in the list of arguments passed to the script. I call a script that kicks some things, such as Danted, a SOCKS proxy server, and `ddclient` to update my DynDNS name.

# We really want to get back online
retries 3

# What to do when we get a lease; This is
# device nonspecific
script /usr/local/sbin/kick-stuff.sh

# Define our external interface
device eth0 {
  nodns
}
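
Added example (not the author's kick-stuff.sh): a hook for the script directive above that validates the arguments it receives before acting as root, and refuses to publish a private 192.168.1.x address handed out while passthrough is not active. It assumes pump calls the script as `up|renewal <device> <ip>` or `down <device>`; the state file path and the Danted init script path are assumptions.

```shell
#!/bin/sh
# Added example: hook for pump's "script" directive (not the author's kick-stuff.sh).
# Assumed call forms: up <dev> <ip> | renewal <dev> <ip> | down <dev>
EXT_IF="eth0"                             # external interface used on this page
STATE="${STATE:-/var/run/kick-stuff.ip}"  # hypothetical file holding the last address

# classify_ip prints public, private or invalid for a dotted-quad string.
classify_ip() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) echo invalid; return ;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        case "$o" in ????*) echo invalid; return ;; esac
        [ "$o" -le 255 ] || { echo invalid; return; }
    done
    case "$1.$2" in 10.*|127.*|192.168|169.254) echo private; return ;; esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private
    else
        echo public
    fi
}

# decide prints the action for one event: $1=action $2=device $3=ip $4=previous ip
decide() {
    [ "$2" = "$EXT_IF" ] || { echo ignore; return; }
    case "$1" in
        down) echo stop ;;
        up|renewal)
            case "$(classify_ip "$3")" in
                public)  [ "$3" = "$4" ] && echo unchanged || echo update ;;
                private) echo wait ;;    # e.g. 192.168.1.x: passthrough not active yet
                *)       echo reject ;;
            esac ;;
        *) echo reject ;;
    esac
}
main() {
    prev=$(cat "$STATE" 2>/dev/null || true)
    case "$(decide "$1" "${2:-}" "${3:-}" "$prev")" in
        update) echo "$3" > "$STATE"
                /usr/sbin/ddclient             # as in the interfaces stanza above
                /etc/init.d/danted restart ;;  # assumed Debian init script for Danted
        stop)   rm -f "$STATE" ;;
        wait)   logger -t kick-stuff "private address on $2; not publishing it" ;;
        reject) logger -t kick-stuff "ignored malformed DHCP event" ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Restarting services only on the `update` action keeps the hourly-plus renewals from bouncing Danted when the address has not changed.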

A special thank you to...

A Microsoft Windows box was harmed during this experiment. The box in question was owned in less than five minutes of being connected to the Internet by W32.Nachi when IP passthrough mode was tested on it using the older firmware revision, 1.05.04, with around 50% packet loss. Props go out to Microsoft and the trojan author for making this exciting event possible.

Links and Useful Resources

  • DSLreports information on this specific Westell device

Copyright and Revision Information

08-23-03 - Initial Draft
09-03-03 - Added information about what happens when the Westell loses connection
11-08-03 - Added more information about what happens when the Westell loses connectivity

This document is copyright (c) Jason Boxman, 2003. All rights reserved.