====== Basic PPPoE Setup ======
===== Introduction =====
* This document will cover a basic PPPoE setup using Accel-ppp.
* It will consist of the following:
* A PPPoE server using RADIUS for AAA.
* The host machine running the PPPoE server will also act as a router.
* What will **not be** configured here:
* COA / Disconnection of users.
===== Our Setup =====
* We will use a standard Ubuntu 22.04 VM running in VirtualBox with **one** network interface.
<code>
ip -brief address show enp0s3
enp0s3 UP 192.168.8.119/24 metric 100 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 fe80::a00:27ff:fe08:a18/64
</code>
* We use a single network interface (enp0s3) to show that, because PPPoE is a layer 2 protocol, it can coexist on the same network segment with ordinary TCP/IP traffic without interfering.
* A more robust and scalable option is a virtual machine with two network interfaces, or the use of VLANs.
===== Config file =====
* Accel-ppp has a single configuration file, //(/etc/accel-ppp.conf)//, made up of various sections.
* Below is our slimmed-down **accel-ppp.conf** file.
* We removed unused sections to make it less intimidating.
<code>
[modules]
log_file
pppoe
auth_pap
radius
ippool
shaper

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1

[pppoe]
verbose=1
called-sid=mac
interface=enp0s3

[dns]
dns1=1.1.1.1
dns2=8.8.8.8

[radius]
dictionary=/usr/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1
server=164.160.89.129,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=127.0.0.1:3799,testing123
verbose=1

[client-ip-range]
10.0.0.0/8

[ip-pool]
gw-ip-address=192.168.0.1
attr=Framed-Pool
192.168.0.2-255
192.168.1.1-255,name=pool1
192.168.2.1-255,name=pool2
192.168.3.1-255,name=pool3
192.168.4.1-255,name=pool4,next=pool1
192.168.4.0/24

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=3

[shaper]
vendor=Mikrotik
attr=Mikrotik-Rate-Limit
up-limiter=police
down-limiter=tbf
verbose=1

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
</code>
* Next we can look at some of these sections in more detail.
==== Modules ====
* The modules section contains the modules Accel-ppp will use.
* The following modules are crucial in our setup:
* **pppoe** This module provides the PPPoE server itself.
* **auth_pap** We will use PAP authentication to keep it simple. There is, however, also support for other authentication protocols such as CHAP and MSCHAP. Include those modules if you want to support additional authentication protocols.
* **radius** The PPP part of PPPoE talks to RADIUS to authenticate a user. The RADIUS reply can be used to determine / set items such as the IP pool from which the client gets an IP address, and the bandwidth allocated to the connection.
* **shaper** The shaper module throttles / shapes the bandwidth of the connection. It can take a per-user rate from RADIUS, or apply a globally defined default to all other connections. The shaper also supports more advanced features such as bursting.
==== pppoe ====
* The one very important item here is the interface on which we want to run the PPPoE server.
<code>
interface=enp0s3
</code>
==== radius ====
* We comment the following out. If we don't, Accel-ppp will not start when the specified values do not match the machine's IP configuration.
<code>
#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1
</code>
* We also specify how often the interim accounting update is sent. We choose every two minutes.
<code>
acct-interim-interval=120
</code>
==== shaper ====
* We use this machine as a **drop-in replacement for a Mikrotik router**.
* We have to inform the shaper to look for Mikrotik reply attributes and apply them.
<code>
vendor=Mikrotik
attr=Mikrotik-Rate-Limit
</code>
* The RADIUS reply will look like this (including bursting):
<code>
Mikrotik-Rate-Limit = "512k/512k 1024k/1024k 1024k/1024k 100/100"
</code>
* Logfile output:
<code>
[2023-09-26 17:42:19]: info: enp0s3: send [RADIUS(1) Access-Request id=1 ]
[2023-09-26 17:42:19]: info: enp0s3: recv [RADIUS(1) Access-Accept id=1 ]
</code>
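As an added example (not from this page or the accel-ppp project), a Python parser for the Mikrotik-Rate-Limit value shown above. It splits the attribute into the rate, burst rate, burst threshold and burst time for each direction, produces the kbit/s summary that ''accel-cmd show sessions'' prints in its rate-limit column, and flags a burst rate that is not above the base rate. It assumes the RouterOS convention that k and M are decimal multipliers, that rx is the client's upload (policed on ingress) and tx its download (shaped with tbf), and that a missing tx value defaults to rx.

```python
import re

FIELDS = ("rate", "burst_rate", "burst_threshold", "burst_time")
UNIT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # decimal, as RouterOS documents

def _bps(tok):
    """'512k' -> 512000 bit/s; anything but <digits>[k|M|G] is rejected."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * UNIT[m.group(2).lower()]

def parse_rate_limit(value):
    """Mikrotik-Rate-Limit -> {field: (rx, tx)}.
    Fields, in order: rate, burst-rate, burst-threshold (bit/s) and burst-time (s);
    each is rx[/tx], and a missing tx defaults to rx. rx is what the server
    receives from the client (upload, policed), tx what it sends (download, tbf).
    Accepts either the bare value or the whole 'Mikrotik-Rate-Limit = "..."' line."""
    if "=" in value:
        value = value.split("=", 1)[1]
    tokens = value.strip().strip('"').split()
    if not 1 <= len(tokens) <= len(FIELDS):
        raise ValueError(f"expected 1 to {len(FIELDS)} fields, got {len(tokens)}")
    parsed = {}
    for name, tok in zip(FIELDS, tokens):
        rx, _, tx = tok.partition("/")
        conv = int if name == "burst_time" else _bps   # burst time is plain seconds
        parsed[name] = (conv(rx), conv(tx or rx))
    return parsed

def session_summary(value):
    """The rate-limit column of 'accel-cmd show sessions': up/down in kbit/s."""
    rx, tx = parse_rate_limit(value)["rate"]
    return f"{rx // 1000}/{tx // 1000}"

def lint_rate_limit(value):
    """Warn when a burst rate does not exceed the base rate: such a burst can
    never lift the session above the base rate, so the burst fields do nothing."""
    parsed = parse_rate_limit(value)
    warnings = []
    if "burst_rate" in parsed:
        for i, direction in enumerate(("rx/upload", "tx/download")):
            if parsed["burst_rate"][i] <= parsed["rate"][i]:
                warnings.append(f"{direction}: burst rate not above base rate, bursting has no effect")
    return warnings
```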
==== ip-pool ====
* This section defines IP Pools.
* Additionally you can give a name to a pool.
* The RADIUS reply attribute (Framed-Pool) can then specify which pool to use.
* Again, this is similar to Mikrotik and Cisco PPPoE servers, making a **drop-in replacement** possible.
* RADIUS reply will contain this:
<code>
Framed-Pool = "pool1"
</code>
* Logfile output:
<code>
[2023-09-26 17:42:19]: info: enp0s3: send [RADIUS(1) Access-Request id=1 ]
[2023-09-26 17:42:19]: info: enp0s3: recv [RADIUS(1) Access-Accept id=1 ]
</code>
===== Testing it out =====
* Now that our config file is done we can try to start up the PPPoE server.
<code>
sudo systemctl start accel-ppp
sudo systemctl status accel-ppp
</code>
<code>
● accel-ppp.service - Accel-PPP
Loaded: loaded (/lib/systemd/system/accel-ppp.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-09-26 19:05:22 UTC; 2s ago
Process: 14706 ExecStart=/usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf (code=exited, status=0/SUCCESS)
Main PID: 14707 (accel-pppd)
Tasks: 9 (limit: 1031)
Memory: 2.1M
CPU: 10ms
CGroup: /system.slice/accel-ppp.service
└─14707 /usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf

Sep 26 19:05:22 osboxes systemd[1]: Starting Accel-PPP...
Sep 26 19:05:22 osboxes systemd[1]: Started Accel-PPP.
</code>
==== Is there a problem? ====
* There are a couple of log files which you can **tail -f** to help troubleshoot if things are not working as intended.
<code>
cd /var/log/accel-ppp
ls -l
total 2576
-rw------- 1 root root 1781664 Sep 26 19:05 accel-ppp.log
-rw------- 1 root root  842805 Sep 25 11:19 auth-fail.log
-rw-r--r-- 1 root root       0 Sep 23 05:46 core.log
-rw-r--r-- 1 root root      48 Sep 24 19:52 emerg.log
</code>
===== Enabling Masquerading =====
* Consider the following output of **ip a**:
<code>
system@osboxes:~$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:08:0a:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.119/24 metric 100 brd 192.168.8.255 scope global dynamic enp0s3
       valid_lft 84345sec preferred_lft 84345sec
    inet6 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6960sec preferred_lft 3360sec
    inet6 fe80::a00:27ff:fe08:a18/64 scope link
       valid_lft forever preferred_lft forever
3: ppp0: mtu 1492 qdisc tbf state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.0.1 peer 192.168.0.2/32 scope global ppp0
       valid_lft forever preferred_lft forever
</code>
* The machine running PPPoE will act as a router and thus needs to be configured as such.
* This means that IP packets need to be forwarded from the PPP interface (which is a logical interface) to the WAN port (on the IP layer).
* In our case, both of these are running on the same Ethernet port (enp0s3).
* On the VM this Ethernet port is itself a virtual Ethernet port, if things are not confusing enough 8-O
* For the traffic of ppp0 to go out to the Internet we need to:
- Enable forwarding of IPv4 traffic.
- Add MASQUERADE support on the interface that has Internet connectivity (enp0s3, with the IP address 192.168.8.119).
==== Enable Packet forwarding for IPv4 ====
* Edit the **/etc/sysctl.conf** file.
* Find and uncomment the **net.ipv4.ip_forward=1** line.
* Reboot the machine.
* Also confirm that there is no firewall active:
<code>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</code>
==== Add MASQUERADE support on WAN (enp0s3) ====
* We need a script that adds an iptables rule enabling MASQUERADE at startup.
* Create the file **/etc/rc.local** with the following content (replace **enp0s3** if it is different on your server):
<code>
#!/bin/bash
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
exit 0
</code>
* Create the file **/etc/systemd/system/rc-local.service** with the following content:
<code>
# /etc/systemd/system/rc-local.service
[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
</code>
* Then:
<code>
sudo touch /etc/rc.local
sudo chmod +x /etc/rc.local
sudo systemctl enable rc-local
</code>
* Check with:
<code>
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service
</code>
* Reboot the machine and make sure the rule is applied after startup:
<code>
sudo iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  261 36732 MASQUERADE all  --  any    enp0s3  anywhere             anywhere
</code>
===== Connecting a Client =====
* Everything is now set up and ready for the first client to connect.
* We will use OpenWrt with the following ///etc/config/network// config.
* The PPPoE username is ''dirk'' and password is ''testing123''.
<code>
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'pppoe'
	option username 'dirk'
	option password 'testing123'
</code>
* This device has to be connected to the **same network** (broadcast domain) where our Accel-ppp server is running in order for the network packets to reach the PPPoE server.
===== Checking The Log File =====
* The Accel-ppp log file will give us more feedback when a client connects.
* Run the following command:
<code>
sudo tail -f /var/log/accel-ppp/accel-ppp.log
</code>
* Here is the output we got:
<code>
[2023-10-15 02:53:26]: info: enp0s8: send [RADIUS(1) Access-Request id=1 ]
[2023-10-15 02:53:26]: info: enp0s8: recv [RADIUS(1) Access-Accept id=1 ]
[2023-10-15 02:53:26]: info: ppp1: connect: ppp1 <--> pppoe(c4:4b:d1:00:97:49)
[2023-10-15 02:53:26]: info: ppp1: dirk: authentication succeeded
[2023-10-15 02:53:26]: warn: ppp1: IPV6CP: discarding packet
[2023-10-15 02:53:26]: info: ppp1: send [RADIUS(1) Accounting-Request id=1 ]
[2023-10-15 02:53:26]: info: ppp1: recv [RADIUS(1) Accounting-Response id=1]
</code>
===== Using accel-cmd =====
* You can get more information on the currently running instance of Accel-ppp by using the accel-cmd program.
<code>
accel-cmd show stat
</code>
* This results in the following in our case:
<code>
accel-cmd show stat
uptime: 0.08:17:34
cpu: 0%
mem(rss/virt): 5240/244536 kB
core:
  mempool_allocated: 177084
  mempool_available: 165700
  thread_count: 4
  thread_active: 1
  context_count: 9
  context_sleeping: 0
  context_pending: 0
  md_handler_count: 8
  md_handler_pending: 0
  timer_count: 3
  timer_pending: 0
sessions:
  starting: 0
  active: 1
  finishing: 0
pppoe:
  starting: 0
  active: 1
  delayed PADO: 0
  recv PADI: 4
  drop PADI: 0
  sent PADO: 4
  recv PADR(dup): 4(0)
  sent PADS: 4
  filtered: 0
radius(1, 164.160.89.129):
  state: active
  fail count: 0
  request count: 0
  queue length: 0
  auth sent: 4
  auth lost(total/5m/1m): 0/0/0
  auth avg query time(5m/1m): 0/0 ms
  acct sent: 7
  acct lost(total/5m/1m): 0/0/0
  acct avg query time(5m/1m): 0/0 ms
  interim sent: 254
  interim lost(total/5m/1m): 6/0/0
  interim avg query time(5m/1m): 59/0 ms
</code>
* To see the currently active sessions:
<code>
accel-cmd show sessions
</code>
* This results in the following:
<code>
 ifname | username |    calling-sid    |     ip      | rate-limit | type  | comp | state  |  uptime
--------+----------+-------------------+-------------+------------+-------+------+--------+----------
 ppp0   | dirk     | c4:4b:d1:00:97:49 | 192.168.1.4 | 512/512    | pppoe |      | active | 00:48:53
</code>