PPPoE Server
VyOS utilizes accel-ppp to provide PPPoE server functionality. It can be used with local authentication or a connected RADIUS server.
Note
Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective.
Configuring PPPoE Server
set service pppoe-server access-concentrator PPPoE-Server
set service pppoe-server authentication mode local
set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254
set service pppoe-server default-pool 'PPPOE-POOL'
set service pppoe-server outside-address 192.0.2.2
set service pppoe-server gateway-address 192.168.255.1
set service pppoe-server interface eth0
Use this command to set a name for this PPPoE-server access concentrator.
Set authentication backend. The configured authentication backend is used for all queries.
radius: All authentication queries are handled by a configured RADIUS server.
local: All authentication queries are handled locally.
noauth: Authentication disabled.
Create <user> for local authentication on this system. The users password will be set to <pass>.
Use this command to define the first IP address of a pool of
addresses to be given to pppoe clients. If notation x.x.x.x-x.x.x.x,
it must be within a /24 subnet. If notation x.x.x.x/x is
used there is possibility to set host/netmask.
Use this command to define default address pool name.
Use this command to define the interface the PPPoE server will use to listen for PPPoE clients.
Configuring RADIUS authentication
To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users, still exists within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again.
set service pppoe-server authentication mode radius
Configure RADIUS <server> and its required shared <secret> for communicating with the RADIUS server.
Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used subsequentially. For example:
set service pppoe-server authentication radius server 10.0.0.1 key 'foo'
set service pppoe-server authentication radius server 10.0.0.2 key 'foo'
Note
Some RADIUS severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list.
RADIUS source address
If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface.
Source IPv4 address used in all RADIUS server queires.
Note
The source-address must be configured on one of VyOS interface.
Best practice would be a loopback or dummy interface.
RADIUS advanced options
Configure RADIUS <server> and its required port for authentication requests.
Mark RADIUS server as offline for this given <time> in seconds.
Temporary disable this RADIUS server.
Timeout to wait reply for Interim-Update packets. (default 3 seconds)
Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
Port for Dynamic Authorization Extension server (DM/CoA)
Secret for Dynamic Authorization Extension server (DM/CoA)
Maximum number of tries to send Access-Request/Accounting-Request queries
Timeout to wait response from server (seconds)
Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.
Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.
Source IPv4 address used in all RADIUS server queires.
Specifies which RADIUS server attribute contains the rate limit information.
The default attribute is Filter-Id.
Note
If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client.
Enables bandwidth shaping via RADIUS.
Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius.
Received RADIUS attributes have a higher priority than parameters defined within the CLI configuration, refer to the explanation below.
Allocation clients ip addresses by RADIUS
If the RADIUS server sends the attribute Framed-IP-Address then this IP
address will be allocated to the client and the option default-pool within the CLI
config is being ignored.
If the RADIUS server sends the attribute Framed-Pool, IP address will be allocated
from a predefined IP pool whose name equals the attribute value.
If the RADIUS server sends the attribute Stateful-IPv6-Address-Pool, IPv6 address
will be allocated from a predefined IPv6 pool prefix whose name equals the attribute value.
If the RADIUS server sends the attribute Delegated-IPv6-Prefix-Pool, IPv6
delegation pefix will be allocated from a predefined IPv6 pool delegate
whose name equals the attribute value.
Note
Stateful-IPv6-Address-Pool and Delegated-IPv6-Prefix-Pool are defined in
RFC6911. If they are not defined in your RADIUS server, add new dictionary.
User interface can be put to VRF context via RADIUS Access-Accept packet, or change
it via RADIUS CoA. Accel-VRF-Name is used from these purposes. It is custom ACCEL-PPP attribute.
Define it in your RADIUS server.
Renaming clients interfaces by RADIUS
If the RADIUS server uses the attribute NAS-Port-Id, ppp tunnels will be
renamed.
Note
The value of the attribute NAS-Port-Id must be less than 16
characters, otherwise the interface won’t be renamed.
Automatic VLAN Creation
VLAN’s can be created by Accel-ppp on the fly via the use of a Kernel module
named vlan_mon, which is monitoring incoming vlans and creates the
necessary VLAN if required and allowed. VyOS supports the use of either
VLAN ID’s or entire ranges, both values can be defined at the same time for
an interface.
When configured, PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the VLAN is not needed anymore, VyOS will remove it again.
set service pppoe-server interface eth3 vlan 100
set service pppoe-server interface eth3 vlan 200
set service pppoe-server interface eth3 vlan 500-1000
set service pppoe-server interface eth3 vlan 2000-3000
Bandwidth Shaping
Bandwidth rate limits can be set for local users or RADIUS based attributes.
For Local Users
Download bandwidth limit in kbit/s for <user>.
Upload bandwidth limit in kbit/s for <user>.
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication local-users username foo rate-limit download '20480'
set service pppoe-server authentication local-users username foo rate-limit upload '10240'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'
set service pppoe-server interface 'eth1'
set service pppoe-server gateway-address '10.1.1.2'
Once the user is connected, the user session is using the set limits and
can be displayed via show pppoe-server sessions.
show pppoe-server sessions
ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
-------+----------+------------+-------------------+-------------+--------+----------+----------+----------
ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B
For RADIUS users
The current attribute Filter-Id is being used as default and can be
setup within RADIUS:
Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)
The command below enables it, assuming the RADIUS connection has been setup and is working.
Use this command to enable bandwidth shaping via RADIUS.
Other attributes can be used, but they have to be in one of the dictionaries in /usr/share/accel-ppp/radius.
Load Balancing
Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as a session balancing mechanism with other PPPoE servers.
set service pppoe-server pado-delay 50 sessions '500'
set service pppoe-server pado-delay 100 sessions '1000'
set service pppoe-server pado-delay 300 sessions '3000'
In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients.
IPv6
Specifies IPv6 negotiation preference.
require - Require IPv6 negotiation
prefer - Ask client for IPv6 negotiation, do not fail if it rejects
allow - Negotiate IPv6 only if client requests
deny - Do not negotiate IPv6 (default value)
Use this comand to set the IPv6 address pool from which an PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64.
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long.
Use this command to define default IPv6 address pool name.
set service pppoe-server ppp-options ipv6 allow
set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
set service pppoe-server default-ipv6-pool IPv6-POOL
IPv6 Advanced Options
Accept peer interface identifier. By default is not defined.
Specifies fixed or random interface identifier for IPv6. By default is fixed.
random - Random interface identifier for IPv6
x:x:x:x - Specify interface identifier for IPv6
Specifies peer interface identifier for IPv6. By default is fixed.
random - Random interface identifier for IPv6
x:x:x:x - Specify interface identifier for IPv6
ipv4-addr - Calculate interface identifier from IPv4 address.
calling-sid - Calculate interface identifier from calling-station-id.
Scripting
Script to run when session interface changed by RADIUS CoA handling
Script to run when session interface going to terminate
Script to run before session interface comes up
Advanced Options
Authentication Advanced Options
Assign static IP address to <user> account.
Client IP Pool Advanced Options
PPP Advanced Options
Disable Compression Control Protocol (CCP). CCP is enabled by default.
Specifies number of interfaces to keep in cache. It means that don’t destroy interface after corresponding session is destroyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. Default value is 0.
Specifies IPv4 negotiation preference.
require - Require IPv4 negotiation
prefer - Ask client for IPv4 negotiation, do not fail if it rejects
allow - Negotiate IPv4 only if client requests (Default value)
deny - Do not negotiate IPv4
Defines the maximum <number> of unanswered echo requests. Upon reaching the value <number>, the session will be reset. Default value is 3.
If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every <interval> seconds. Default value is 30.
Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and “lcp-echo-failure” is not used. Default value is 0.
Defines minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU. Default value is 100.
Specifies MPPE negotiation preference.
require - ask client for mppe, if it rejects drop connection
prefer - ask client for mppe, if it rejects don’t fail. (Default value)
deny - deny mppe
Default behavior - don’t ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute.
Global Advanced options
Acceptable rate of connections (e.g. 1/min, 60/sec)
Maximum number of concurrent session start attempts
Connected client should use <address> as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6.
Specifies Service-Name to respond. If absent any Service-Name is acceptable and client’s Service-Name will be sent back. Also possible set multiple service-names: sn1,sn2,sn3
Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again.
disable: Disables session control.
deny: Deny second session authorization.
replace: Terminate first session when second is authorized (default)
Monitoring
Use this command to locally check the active sessions in the PPPoE server.
show pppoe-server sessions
ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
-------+----------+------------+-------------------+-------------+--------+----------+----------+----------
ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B
Examples
IPv4
The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1.
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server interface eth1
set service pppoe-server gateway-address '10.1.1.2'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'
Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation
The example below covers a dual-stack configuration.
set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24'
set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
set service pppoe-server default-ipv6-pool IPv6-POOL
set service pppoe-server ppp-options ipv6 allow
set service pppoe-server name-server '10.1.1.1'
set service pppoe-server name-server '2001:db8:4860::8888'
set service pppoe-server interface 'eth2'
set service pppoe-server gateway-address '10.100.100.1'
The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use.
vyos@pppoe-server:~$ sh pppoe-server sessions
ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
--------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+----------
ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB