Using Frontier LightningLink with UNIX

This page contains notes detailing my experiences with Frontier's LightningLink ADSL service and UNIX. Specifically, I use OpenBSD 2.6 and 2.7 but some of this information may be useful to people running FreeBSD, Linux or another *NIX system. Frontier currently offers ADSL service in the Rochester, NY area but various parts of this document may be applicable to other DSL providers or cable modem providers.

Installation

A Frontier tech and a CompUSA tech showed up to do the install. There were problems in the CO with my line so the Frontier tech went to sort those out. The CompUSA tech had never done a *NIX install. My roommate has a Windows machine and we had to wait a half hour or so for the Frontier tech to fix the line so I just had him do the install on the Windows machine. Frontier uses Cisco 677 ADSL routers, not DSL modems so installation is simple. I already had a NIC so he made sure it was set up for DHCP and added the Frontier login web page to the desktop (http://www.frontierdsl.com).

Installation on the OpenBSD box was easy. It is a firewall so it has two NICs. I plugged the router into the "external" NIC, ran dhcpd, fixed my caching nameserver to point to Frontier's DNS servers and I was able to get an address. However, I still needed to authenticate in order to access anything but the authentication server. Luckily, Frontier's authentication system is simple. I'll discuss it in the next section.

Authentication

The authentication system is web based but was a little more difficult to work with than I had anticipated. The web pages use Javascript to do image changes on "rollovers" so I couldn't use lynx to authenticate. I telnet'ed to the web server to grab the pages and figure out how to authenticate. The submit URLs actually point to a server-side processing system, probably a servlet. CGI parameters are passed to the servlet to accomplish the different functions. The format is http://www.frontierdsl.com/dashboard?fcn=FUNCTION&ADDITIONAL_PARAMS

First, you need to authenticate with the DSL service. The following procedure accomplishes this.
    fcn            parameter    value
    accountLogon   username     username
                   password     password
Secondly, you need to authenticate with your ISP. If your ISP is Frontier the following logs you in.
    fcn            parameter    value
    serviceLogon   service      frontiernet.dsl
The procedure is similar for other providers, but you also need to specify a username and password. If anyone knows the specifics for a certain provider, mail me and I will post the information on this page.

Finally, to log off the service:
    fcn            parameter    value
    accountLogoff
    accountLogoff  yes          Yes
NOTE: this involves two accesses, one without parameters, the second with the yes parameter.
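The three sequences in the tables above, as an added Python example (this is not the author's utility and not Frontier's code); it assumes the credentials come from the DSL_USER and DSL_PASS environment variables and keeps whatever cookie the servlet sets for the session:

```python
"""Frontier dashboard servlet client (added example, not the author's
utility). Follows the fcn/parameter tables on this page; credentials are
read from DSL_USER/DSL_PASS (an assumption) instead of being edited in."""
import os
import sys
import urllib.parse
import urllib.request

DASHBOARD = "http://www.frontierdsl.com/dashboard"  # servlet URL from the page


def build_url(fcn, **params):
    """Dashboard URL for one function: ?fcn=FUNCTION&ADDITIONAL_PARAMS.
    urlencode escapes characters such as '&' or ' ' inside the values."""
    query = [("fcn", fcn)] + list(params.items())
    return DASHBOARD + "?" + urllib.parse.urlencode(query)


def logon_sequence(username, password, service="frontiernet.dsl"):
    """accountLogon with the DSL service, then serviceLogon with the ISP."""
    return [
        build_url("accountLogon", username=username, password=password),
        build_url("serviceLogon", service=service),
    ]


def logoff_sequence():
    """accountLogoff is two accesses: one bare, one with yes=Yes."""
    return [build_url("accountLogoff"), build_url("accountLogoff", yes="Yes")]


def fetch_all(urls, opener=None):
    """GET the URLs in order through one cookie jar; return
    (HTTP status, body length) per request so a failure is visible."""
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor())
    results = []
    for url in urls:
        with opener.open(url, timeout=30) as resp:
            results.append((resp.status, len(resp.read())))
    return results


if __name__ == "__main__":
    # Note: the servlet takes the password as a plain-HTTP GET parameter.
    action = sys.argv[1] if len(sys.argv) > 1 else "-on"
    if action == "-on":
        urls = logon_sequence(os.environ["DSL_USER"], os.environ["DSL_PASS"])
    elif action == "-off":
        urls = logoff_sequence()
    else:
        sys.exit("usage: dslauth.py [-on|-off]")
    for status, size in fetch_all(urls):
        print(status, size)
```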

I've included the program I use to handle authentication. It is written in Python and requires the urllib module. This module should be installed by default on any v1.5 or later distribution of Python. Edit the file to set your username and password (near the top). The following are valid options:

This program is distributed with a standard BSD style license. I take no responsibility for anything that happens due to the use of this software. Please give me credit if you use this code anywhere else. I encourage you to send in additions and code fixes.

Also, the utility currently does no error checking or validation. The only way to know if you logged on successfully is to try and access a net resource. When I have some time I'll add some simple error checking. I also intend to add support for different, or multiple service providers. The servlet also provides statistical information on the current session. I would like to add a -query option to support this. If you would like to be informed of future updates, send me some mail.

Frontier LightningLink Users

I am interested in starting up an online users group for Frontier DSL subscribers. If anyone uses LightningLink or a similar service and runs an alternative operating system including any UNIX flavor, OS/2, BeOS, etc. contact me and I will add you to the mailing list.

Routing, NAT, and firewalling

There are many excellent NAT and firewall tutorials available on the net. This is not meant to replace or compete with them. This section gives a brief overview of my firewall setup and assumes you have basic knowledge of OpenBSD ipnat and ipf. This is almost the same setup I used when I had a cable modem so much of this information is relevant to cable modem users.

My DSL router is connected to a Cisco Catalyst 2100 switch. My "external" ethernet card is connected to the switch and exists in the same VLAN as the router. This allows me to easily add a machine to the DMZ if, for example, I decide to move my web server to a separate IP address. The "internal" NIC on my firewall is attached to a separate VLAN on the switch and all the other machines on the internal network are also connected to this VLAN. The firewall also runs a name server. This is primarily a caching name server but contains entries for all my computers that resolve to internal (192.168.60.x) addresses. My primary name server, located at granite canyon, contains entries for these machines that resolve to the firewall's external IP address.

I use a fairly simple /etc/ipnat.rules file. First, I created a file called /etc/ipnat.template as follows.

rdr ep0 NEWIP/32 port www -> meth.wopr.org port www
rdr ep0 NEWIP/32 port 2222 -> meth.wopr.org port ssh
rdr ep0 NEWIP/32 port 2223 -> speed.wopr.org port ssh
rdr ep0 NEWIP/32 port 7777 -> meth.wopr.org port 7777
rdr ep0 NEWIP/32 port 8227 -> meth.wopr.org port 23
rdr ep0 NEWIP/32 port 6112 -> crack.wopr.org port 6112

map ep0 192.168.60.0/24 -> NEWIP/32 portmap tcp/udp 10000:20000
map ep0 192.168.60.0/24 -> NEWIP/32

This forwards some select ports such as ssh and http to the appropriate machines. Only established connections and the above mentioned special cases are allowed through the firewall. Traffic from firewalled machines to the internet is unrestricted. I then edited the dhclient-script file, which is run after dhclient obtains a DHCP lease. After the default route is added, I run the command:
sed -e "s/NEWIP/$new_ip_address/g" /etc/ipnat.template > /etc/ipnat.rules

This generates a valid /etc/ipnat.rules. I decided to do things this way instead of specifying just an interface in the /etc/ipnat.rules file for a couple of reasons. When I started using ipnat, it was not completely functional and it did not always work correctly if I didn't specify an IP address. Also, it is very easy for me to determine where and when dhclient failed if I was unable to obtain an address. Both these reasons are relics of an older system and I will probably do things differently when I next do a clean install of the operating system. Nevertheless, some people may find this information of some use.

The firewall also runs snort to detect intrusion attempts. However, people seem to have figured out that OpenBSD is very secure so my IDS doesn't see much activity these days. I have a very basic SOCKS firewall set up but it is rarely running. It sees very little use so it usually just loads down my system and poses another possible security hole.

Running on an Intel 486 DX4 66MHz machine, I can sustain 2 MB throughput. This is more data than the ADSL link can handle so it is more than acceptable. In the near future, I will be upgrading to a Cyrix P200+ MMX machine. This machine will also function as a web server and a file server.

This network setup runs efficiently and is secure enough for a small home network consisting of a couple of Windows machines, a small file server, a small web and database server, and a few SUN IPC workstations.


Please send comments and suggestions to retrev@csh.rit.edu