PPPoE Sub-interfaces

This example is the typical case where the ISP router is replaced by VyOS for a Fibre access.

eth1 is the WAN interface. The ISP provides internet connectivity with PPPoE over VLAN 835.

vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 default-route 'auto'
vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 mtu '1492' 
vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 name-server 'none' 
vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 password '***' 
vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 'policy' 
vyos@vyos-rtr# set interfaces ethernet eth1 vif 835 pppoe 1 user-id '***'

TCP MSS Clamping

Path MTU Discovery doesn't work well anymore. PPPoE has a limited MTU and you cannot rely on PMTU Discovery to prevent biggest packets to be dropped. There is another way to set the maximum packet size, the Maximum Segment Size. This is a field in the TCP Options part of a SYN packet. by setting the MSS value, you are telling the remote side unequivocally 'do not try to send me packets bigger than this value'. The TCP MSS Clamping policy have to be applied to the LAN interface (eth0). MSS have to be set to 1452, which is PPPoE MTU (1492) minus IP headers (40).

Define a policy pppoe-out with rule 100 resetting the tcp-mss field of incoming packets:

vyos@vyos-rtr# set policy route pppoe-out description 'PPPoE TCPMSS clamping'
vyos@vyos-rtr# set policy route pppoe-out rule 100 protocol 'tcp'
vyos@vyos-rtr# set policy route pppoe-out rule 100 set tcp-mss '1452'
vyos@vyos-rtr# set policy route pppoe-out rule 100 tcp flags 'SYN'

Apply it to eth0:

set interfaces ethernet eth0 policy route 'pppoe-out'