Good Day All,

What we are trying to do...we feel, should be relatively simple!?

I have a linux fedora machine with 2 NIC's.  One NIC card is connected to our LAN switch, the other card is connected to a billlion adsl router which has been placed into bridge mode.

Our plan is to bring up two seperate ppp interfaces on the linux machine (both running on the same NIC [eth1] to the billion), and then mangle packets appropriately so as to place our vpn traffic onto the one ppp interface (which uses a shaped account) and then all other (essentially internet browsing) onto the remaining ppp interface (which uses a cheaper, shaped browsing account).

The problems that we are facing...

The thinking was to create ppp0 on the shaped account and mark as the default route, then bring up ppp1 and mangle the vpn traffic onto that interface (based on outbound protocol and port number).  My problem is that our machine does not seem to maintain the correct "device number to account mapping" when I bring up these interfaces (ie, I state "ifup ppp1" and ppp0 interface comes up.  The devices are specified correctly in the files, ppp0 and 1 respectively.

What would some of you pro's consider the ideal setup?

My experience has led me to the point of policy-based iptables config, routing table definitions, rulesets that identify the iptables mangled packets and subsequently hand them to the correct routing table.  It appears however that ppp0 and ppp1 sometimes 'swap' in a sense of which account (be it the shaped and unshaped) they represent.

What am I missing?

Any help or ideas would be much appreciated...throw me some technical stuff I am happy to get my hands dirty with the linux routing capabilities!


asked 12/14/2010 06:48

bexco's gravatar image

bexco ♦♦

5 Answers:
Before using the ifup script, take a look at the output from ifconfig -a. Are both ppp0 and ppp1 present? Post the output anyway. If so, what happens when you enter ifconfig ppp1 up?
My understanding is that ppp interfaces only come into being as you start instances of pppd, and are only ever down during link establishment.
duncan_roe's gravatar image


The way I configure iptables to cooperate with ppp is to have the iptables commands in /etc/ppp/ip-up & ip-down. Inside these scripts, you should have enough information to do what you want. From man pppd:
A program or script which is executed when the link is available for sending and receiving IP packets (that is, IPCP has come up).  It is executed with the parameters interface-name tty-device speed local-IP-address remote-IP-address ipparam
As far as I can tell, the ppp link is not up until this script finishes.
duncan_roe's gravatar image


The answer lies in the PID file that is created for each connection in linux.  Our out of the box setup resulted in the system defining the same pid file for ALL ppp connections that we created on the machine.  The resulting behaviour is that the system will not 'support'/allow multiple ppp connections at the same time as they all want to make use of the same pidfile.

To work around this, we simply defined a dedicated pid file for each ppp connection that we created.

This can be defined in the /etc/sysconfig/network-scripts/ifcfg-pppX file (where X is a number).

In our example, we defined the following:

PIDFILE=/var/run/ in the ifcfg-ppp0 file, AND
PIDFILE=/var/run/ in the ifcfg-ppp1 file.

These dedicated pidfiles then allowed both connections simulataneously:
ifup ppp0
ifup ppp1

From there, we used iptables to mangle packets so as to make some policy based routing decisions as to which traffic would flow over which ppp interface.

Hope this helps
bexco's gravatar image


Self answered
bexco's gravatar image


Interesting. Good pickup
duncan_roe's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments



Asked: 12/14/2010 06:48

Seen: 393 times

Last updated: 11/01/2011 09:16