RADIUSdesk

logo
Trace: ppp-pppoe-basic

This is an old revision of the document!

Table of Contents

Basic PPPoE Setup

Introduction

  • This document will cover a basic PPPoE setup using Accel-ppp.
  • It will consist of the following:
    • A PPPoE server using RADIUS for AAA.
    • The host machine running the PPPoE server will also act as a router.
  • What will not be configured here:
    • COA / Disconnection of users.

Our Setup

  • We will use a standard Ubuntu 22.04 VM which is running in Virtual-box with one network interface.
ip -brief address show enp0s3
enp0s3           UP             192.168.8.119/24 metric 100 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 fe80::a00:27ff:fe08:a18/64
  • We use one network interface (enp0s3) to prove that since PPPoE is a layer 2 protocol; it can live together on the same network running TCP/IP without interfering.
  • A more robust and scalable option can be using a Virtial Machine with two network interfaces or use VLANs.

Config file

  • Accel-ppp has a single configuration file with various sections. (/etc/accel-ppp.conf)
  • Below is our slimmed down accel-ppp.conf file.
  • We removed unused sections to make it less intimidating.
accel-ppp.conf
[modules]
log_file
pppoe
auth_pap
radius
ippool
shaper
 
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
 
[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
#accomp=deny
#pcomp=deny
#ccp=0
#mppe=require
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
#lcp-echo-failure=3
lcp-echo-timeout=120
unit-cache=1
#unit-preallocate=1
 
[pppoe]
verbose=1
#ac-name=xxx
#service-name=yyy
#pado-delay=0
#pado-delay=0,100:100,200:200,-1:500
called-sid=mac
#tr101=1
#padi-limit=0
#ip-pool=pppoe
#ipv6-pool=pppoe
#ipv6-pool-delegate=pppoe
#ifname=pppoe%d
#sid-uppercase=0
#vlan-mon=eth0,10-200
#vlan-timeout=60
#vlan-name=%I.%N
#interface=eth1,padi-limit=1000
interface=enp0s3
 
[dns]
dns1=1.1.1.1
dns2=8.8.8.8
 
[radius]
dictionary=/usr/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1
server=164.160.89.129,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=127.0.0.1:3799,testing123
verbose=1
#timeout=3
#max-try=3
#acct-timeout=120
#acct-delay-time=0
#acct-delay-start=0
#acct-on=0
acct-interim-interval=120
#acct-interim-jitter=0
#default-realm=
#strip-realm=0
#attr-tunnel-type=My-Tunnel-Type
#nas-port-id-in-req=1
 
[client-ip-range]
10.0.0.0/8
 
 
[ip-pool]
gw-ip-address=192.168.0.1
#vendor=Cisco
##attr=Cisco-AVPair
attr=Framed-Pool
192.168.0.2-255
192.168.1.1-255,name=pool1
192.168.2.1-255,name=pool2
192.168.3.1-255,name=pool3
192.168.4.1-255,name=pool4,next=pool1
192.168.4.0/24
 
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
#log-debug=/dev/stdout
#syslog=accel-pppd,daemon
#log-tcp=127.0.0.1:3000
copy=1
#color=1
#per-user-dir=per_user
#per-session-dir=per_session
#per-session=1
level=3
 
[shaper]
vendor=Mikrotik
attr=Mikrotik-Rate-Limit
#rate-multiplier=10000
#attr=Filter-Id
#down-burst-factor=0.1
#up-burst-factor=1.0
#latency=50
#mpu=0
#mtu=0
#r2q=10
#quantum=1500
#moderate-quantum=1
#cburst=1534
#ifb=ifb0
up-limiter=police
down-limiter=tbf
#leaf-qdisc=sfq perturb 10
#leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
#rate-multiplier=1
#fwmark=1
#rate-limit=2048/1024
#attr-down=PPPD-Downstream-Speed-Limit
#attr-up=PPPD-Upstream-Speed-Limit
verbose=1
 
[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
#password=123
#sessions-columns=ifname,username,ip,ip6,ip6-dp,type,state,uptime,uptime-raw,calling-sid,called-sid,sid,comp,inbound-if,service-name,rx-bytes,tx-bytes,rx-bytes-raw,tx-bytes-raw,rx-pkts,tx-pkts,netns,vrf
  • Next we can look at some of these sections in more detail.

Modules

  • The modules section contains the modules Accel-ppp will use.
  • The following modules are crucial in our setup:
    • pppoe This module is used to create the PPPoE server.
    • auth_pap We will use PAP authentication to keep it simple. There are however also support for other authentication protocols like CHAP and MSCHAP. Include those modules if you want to support additional authentication protocols.
    • radius The PPP part of PPPoE will communicate with RADIUS in order to try and authenticate a user. The reply from RADIUS can be used to determine / set items like the IP Pool from which the client needs to get an IP Address, and the bandwidth allocated to the connection.
    • shaper In order to throttle / shape the bandwidth of the connection the shaper module is used. It can get a per user instruction from RADIUS or can apply a global defined default value for all the other connections. The shaper also includes support for more advanced features like bursting.

pppoe

  • The one very important item here is the interface on which we want to run the PPPoE server.
interface=enp0s3

radius

  • We comment the following out. If we don't, Accel-ppp will not start up when the values specified does not match the IP setup of the machine.
#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1
  • We also specify how often the accounting updated needs to happen. We choose every two minutes.
acct-interim-interval=120

shaper

  • We use this machine as a drop-in replacement for a Mikrotik router.
  • We have to inform the shaper to look for Mikrotik reply attributes and apply them.
vendor=Mikrotik
attr=Mikrotik-Rate-Limit
  • RADIUS Reply will look like this (Incl Bursting)
Mikrotik-Rate-Limit = "512k/512k 1024k/1024k 1024k/1024k 100/100"
  • Logfile output:
[2023-09-26 17:42:19]:  info: enp0s3: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "00:25:82:00:92:31"> <Called-Station-Id "08:00:27:08:0a:18"> <User-Password 0xfcd3bafc5c447f0a4af152376ea34fc5>]
[2023-09-26 17:42:19]:  info: enp0s3: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP>]

ip-pool

  • This section defines IP Pools.
  • Additionally you can give a name to a pool.
  • The RADIUS reply attribute then can specify the pool to use (Framed-Pool)
  • Again this is similar to Mikrotik and Cisco PPPoE servers making a drop-in replacement possible.
  • RADIUS reply will contain this:
Framed-Pool = "pool1"
  • Logfile output:
[2023-09-26 17:42:19]:  info: enp0s3: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "00:25:82:00:92:31"> <Called-Station-Id "08:00:27:08:0a:18"> <User-Password 0xfcd3bafc5c447f0a4af152376ea34fc5>]
[2023-09-26 17:42:19]:  info: enp0s3: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP>]

Testing it out

  • Now that our config file is done we can try to start up the PPPoE server.
sudo systemctl start accel-ppp
sudo systemctl status accel-ppp
● accel-ppp.service - Accel-PPP
     Loaded: loaded (/lib/systemd/system/accel-ppp.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-09-26 19:05:22 UTC; 2s ago
    Process: 14706 ExecStart=/usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf (code=exited, status=0/SUCCESS)
   Main PID: 14707 (accel-pppd)
      Tasks: 9 (limit: 1031)
     Memory: 2.1M
        CPU: 10ms
     CGroup: /system.slice/accel-ppp.service
             └─14707 /usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf

Sep 26 19:05:22 osboxes systemd[1]: Starting Accel-PPP...
Sep 26 19:05:22 osboxes systemd[1]: Started Accel-PPP.

Is there a problem?

  • There are a couple of log files which you can tail -f in order to help troubleshoot if things are not working as intented.
cd /var/log/accel-ppp
ls -l
total 2576
-rw------- 1 root root 1781664 Sep 26 19:05 accel-ppp.log
-rw------- 1 root root  842805 Sep 25 11:19 auth-fail.log
-rw-r--r-- 1 root root       0 Sep 23 05:46 core.log
-rw-r--r-- 1 root root      48 Sep 24 19:52 emerg.log

Enabling Masquerading

  • Consider the following output of ip a
system@osboxes:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:08:0a:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.119/24 metric 100 brd 192.168.8.255 scope global dynamic enp0s3
       valid_lft 84345sec preferred_lft 84345sec
    inet6 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6960sec preferred_lft 3360sec
    inet6 fe80::a00:27ff:fe08:a18/64 scope link 
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc tbf state UNKNOWN group default qlen 3
    link/ppp 
    inet 192.168.0.1 peer 192.168.0.2/32 scope global ppp0
       valid_lft forever preferred_lft forever
  • The machine running PPPoE will act as a router and thus needs to be configured as such.
  • This means that the IP packets needs to be forwarded from the PPP interface (which is a logical interface) to the WAN port (on the IP layer).
  • In our case, both of these are running on the same Ethernet port (enp0s3).
  • On the VM this Ethernet port is a virtual Ethernet port if things are not confusing enough 8-O
  • For the traffic of ppp0 to go out into the Internet we need to:
    1. Enable forwarding of IPv4 traffic.
    2. Add MASQUERADE support on the interface that has internet connectivity (enp0s3 with the ip of 192.168.8.119)

Enable Packet forwarding for IPv4

  • Edit the /etc/sysctl.conf file.
  • Find and un-comment net.ipv4.ip_forward=1 line.
  • Reboot the machine.
  • Also confirm that there is no firewall active:
 sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Add MASQUERADE support on WAN (enp0s3)

  • We need to add a script which will add an IP Table rule that enables MASQUERADE during startup.
  • Create the file /etc/rc.local with the following content (replace enp0s3 if it is different on your server)
#!/bin/bash
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
exit 0
  • Create the file /etc/systemd/system/rc-local.service with the following content:
# /etc/systemd/system/rc-local.service
[Unit]
 Description=/etc/rc.local Compatibility
 ConditionPathExists=/etc/rc.local

[Service]
 Type=forking
 ExecStart=/etc/rc.local start
 TimeoutSec=0
 StandardOutput=tty
 RemainAfterExit=yes
 SysVStartPriority=99

[Install]
 WantedBy=multi-user.target
  • Then:
sudo touch /etc/rc.local
sudo chmod +x /etc/rc.local
sudo systemctl enable rc-local
  • Check with:
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service
  • Reboot the machine and make sure the rule is applied after starup
sudo iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  261 36732 MASQUERADE  all  --  any    enp0s3  anywhere             anywhere

Connecting a Client

  • Everything is now set up and ready for the first client to connect.
  • We will use OpenWrt with the following /etc/config/network config.
  • The PPPoE username is dirk and password is testing123.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
 
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'
 
config interface 'lan'
        option device 'br-lan'
        option proto 'pppoe'
        option username 'dirk'
        option password 'testing123'
  • This device is connected onto the same network (broadcast domain) where our Accel-ppp server is running so the network packets will reach the PPPoE server.
Last modified: 2023/10/15 04:43