PPPoE server

Created by Yuriy Andamasov, Modified on Tue, 11 Apr, 2023 at 4:29 PM by Yuriy Andamasov

VyOS utilizes accel-ppp to provide PPPoE server functionality. It can be used with local authentication or a connected RADIUS server.

Please be aware that, due to an upstream bug, configuration changes only take effect after the ppp daemon restarts. Every commit therefore restarts the daemon and resets the existing PPPoE connections of connected users.

Configuration

The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1.

set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server dns-servers server-1 '10.100.100.1'
set service pppoe-server dns-servers server-2 '10.100.200.1'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'


Connections can be checked locally with the command:

vyos@vyos-rtr:~$ show pppoe-server sessions
ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes
-------+----------+------------+-------------------+-------------+--------+----------+----------+----------
ppp0   | foo      | 10.1.1.100 | 08:00:27:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B


Client IP address pools

To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be RADIUS, a local subnet, or an IP range definition.

Once the local tunnel endpoint has been defined with set service pppoe-server local-ip '10.1.1.2', the client IP pool can be defined either as a range or as a subnet using CIDR notation. If CIDR notation is used, multiple subnets can be set up; they are used sequentially.

Client IP address via IP range definition


set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'


Client IP subnets via CIDR notation


set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
set service pppoe-server client-ip-pool subnet '10.1.3.0/24'
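
The two pool styles above, checked in Python as an added example (not part of the original article or of VyOS): it parses the set commands, counts the addresses each pool covers, and reports overlapping subnets and whether local-ip lies inside the pool. The function names are hypothetical, and the count includes every address of each subnet, so it is an upper bound rather than a statement of what accel-ppp hands out.

```python
import ipaddress
import shlex

# Commands copied from this page: the range form and the CIDR form of the pool.
RANGE_CONFIG = """
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server local-ip '10.1.1.2'
"""
SUBNET_CONFIG = """
set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
set service pppoe-server client-ip-pool subnet '10.1.3.0/24'
set service pppoe-server local-ip '10.1.1.2'
"""
BASE = ["set", "service", "pppoe-server"]


def parse_pool(config):
    """Return (local_ip, networks) for the IPv4 client pool (hypothetical helper)."""
    opts = {"client-ip-pool start": None, "client-ip-pool stop": None, "local-ip": None}
    nets = []
    for line in config.strip().splitlines():
        words = shlex.split(line)  # shlex removes the single quotes
        if words[:3] != BASE or len(words) < 5:
            continue
        key, value = " ".join(words[3:-1]), words[-1]
        if key == "client-ip-pool subnet":
            nets.append(ipaddress.ip_network(value))  # raises if host bits are set
        elif key in opts:
            opts[key] = ipaddress.ip_address(value)
    start, stop = opts["client-ip-pool start"], opts["client-ip-pool stop"]
    if start is not None and stop is not None:
        # Express the start/stop range as the smallest set of covering networks.
        nets += ipaddress.summarize_address_range(start, stop)
    return opts["local-ip"], nets


def audit_pool(config):
    """Pool size (assumption: every covered address counts) plus two checks."""
    local_ip, nets = parse_pool(config)
    overlaps = [(str(a), str(b)) for i, a in enumerate(nets)
                for b in nets[i + 1:] if a.overlaps(b)]
    inside = local_ip is not None and any(local_ip in n for n in nets)
    return {"addresses": sum(n.num_addresses for n in nets),
            "overlaps": overlaps, "local_ip_in_pool": inside}


if __name__ == "__main__":
    print(audit_pool(RANGE_CONFIG))
    print(audit_pool(SUBNET_CONFIG))
```

With the page's values, the CIDR form places local-ip 10.1.1.2 inside the first pool subnet, which the range form avoids; the page does not say how the daemon treats that address.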


RADIUS based IP pools (Framed-IP-Address)

To use a RADIUS server, switch to authentication mode radius and specify an IP address for the server. Multiple RADIUS servers can be configured if you wish to achieve redundancy.

set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius-server 10.1.100.1 secret 'secret'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'


RADIUS provides the IP addresses in the example above via Framed-IP-Address.

RADIUS based shaper setup

The attribute ‘Filter-Id’ is currently used by default and can be set up within RADIUS:

Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)

The command below enables it, assuming the RADIUS connection has been set up and is working.

set service pppoe-server authentication radius-settings rate-limit enable 


Other attributes can be used, but they have to be in one of the dictionaries in /usr/share/accel-ppp/radius.

Practical Configuration Examples

Dual-stack provisioning with IPv6 PD via pppoe

The example below covers a dual-stack configuration via pppoe-server.


set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '192.168.0.1'
set service pppoe-server client-ip-pool stop '192.168.0.10'
set service pppoe-server client-ipv6-pool delegate-prefix '2001:db8:8003::1/48,56'
set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::1/48,64'
set service pppoe-server dns-servers server-1 '8.8.8.8'
set service pppoe-server dnsv6-servers server-1 '2001:4860:4860::8888'
set service pppoe-server interface 'eth2'
set service pppoe-server local-ip '10.100.100.1'


Once successfully authenticated, the client will receive an IPv4 address and an IPv6 /64 address to terminate the PPPoE endpoint on the client side, plus a /56 subnet for the client's internal use.

vyos@pppoe-server:~$ sh pppoe-server sessions
 ifname | username |     ip      |            ip6           |       ip6-dp        |    calling-sid   
--------+----------+-------------+--------------------------+---------------------+------------------
 ppp0   | test     | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 08:00:27:12:42:eb 
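
A way to audit that session output against the configured pools, as an added example (not part of the original article or of VyOS): it parses the pipe-delimited table by its header row and checks that each session's ip, ip6 and ip6-dp fall inside the dual-stack pools configured above. The function names are hypothetical, and the reading of the 'prefix/48,64' notation as "hand out /64 blocks from the /48" follows the page's description of the result.

```python
import ipaddress

# Session table and pool values copied from the dual-stack example above.
SESSIONS = """\
 ifname | username |     ip      |            ip6           |       ip6-dp        |    calling-sid
--------+----------+-------------+--------------------------+---------------------+------------------
 ppp0   | test     | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 08:00:27:12:42:eb
"""
V4_START, V4_STOP = "192.168.0.1", "192.168.0.10"
V6_PREFIX = "2001:db8:8002::1/48,64"      # client-ipv6-pool prefix
V6_DELEGATE = "2001:db8:8003::1/48,56"    # client-ipv6-pool delegate-prefix


def parse_sessions(text):
    """Turn the table into a list of dicts keyed by column name."""
    rows = [ln for ln in text.splitlines()
            if ln.strip() and not set(ln.strip()) <= set("-+")]  # drop the rule line
    header = [c.strip() for c in rows[0].split("|")]
    return [dict(zip(header, (c.strip() for c in r.split("|")))) for r in rows[1:]]


def in_v6_pool(value, pool):
    """True if `value` is a block of the handed-out length inside `pool`."""
    net, _, length = pool.partition(",")
    parent = ipaddress.ip_network(net, strict=False)    # page writes ::1/48
    block = ipaddress.ip_network(value, strict=False)   # table shows ::1/56
    return block.prefixlen == int(length) and block.subnet_of(parent)


def check_session(session):
    """Return the names of the fields that fall outside the configured pools."""
    problems = []
    lo, hi, ip = (int(ipaddress.ip_address(a))
                  for a in (V4_START, V4_STOP, session["ip"]))
    if not lo <= ip <= hi:
        problems.append("ip")
    if not in_v6_pool(session["ip6"], V6_PREFIX):
        problems.append("ip6")
    if not in_v6_pool(session["ip6-dp"], V6_DELEGATE):
        problems.append("ip6-dp")
    return problems


if __name__ == "__main__":
    for s in parse_sessions(SESSIONS):
        print(s["ifname"], s["username"], check_session(s) or "ok")
```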
