Basic PPPoE Setup

Introduction

• This document will cover a basic PPPoE setup using Accel-ppp.
• It will consist of the following:
  • A PPPoE server using RADIUS for AAA.
  • The host machine running the PPPoE server will also act as a router.
• What will not be configured here:
  • COA / Disconnection of users.

Our Setup

• We will use a standard Ubuntu 22.04 VM which is running in Virtual-box with one network interface.

ip -brief address show enp0s3
enp0s3           UP             192.168.8.119/24 metric 100 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 fe80::a00:27ff:fe08:a18/64 

• We use one network interface (enp0s3) to prove that since PPPoE is a layer 2 protocol; it can live together on the same network running TCP/IP without interfering.
• A more robust and scalable option can be using a Virtial Machine with two network interfaces or use VLANs.

Config file

• Accel-ppp has a single configuration file with various sections. (/etc/accel-ppp.conf)
• Below is our slimmed down accel-ppp.conf file.
• We removed unused sections to make it less intimidating.

accel-ppp.conf

[modules]
log_file
pppoe
auth_pap
radius
ippool
shaper
 
[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4
 
[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=20
lcp-echo-timeout=120
unit-cache=1
 
[pppoe]
verbose=1
called-sid=mac
interface=enp0s3
 
[dns]
dns1=1.1.1.1
dns2=8.8.8.8
 
[radius]
dictionary=/usr/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1
server=164.160.89.129,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=127.0.0.1:3799,testing123
verbose=1
 
[client-ip-range]
10.0.0.0/8
 
 
[ip-pool]
gw-ip-address=192.168.0.1
attr=Framed-Pool
192.168.0.2-255
192.168.1.1-255,name=pool1
192.168.2.1-255,name=pool2
192.168.3.1-255,name=pool3
192.168.4.1-255,name=pool4,next=pool1
192.168.4.0/24
 
[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=3
 
[shaper]
vendor=Mikrotik
attr=Mikrotik-Rate-Limit
up-limiter=police
down-limiter=tbf
verbose=1
 
[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

• Next we can look at some of these sections in more detail.

Modules

• The modules section contains the modules Accel-ppp will use.
• The following modules are crucial in our setup:
  • pppoe This module is used to create the PPPoE server.
  • auth_pap We will use PAP authentication to keep it simple. There are however also support for other authentication protocols like CHAP and MSCHAP. Include those modules if you want to support additional authentication protocols.
  • radius The PPP part of PPPoE will communicate with RADIUS in order to try and authenticate a user. The reply from RADIUS can be used to determine / set items like the IP Pool from which the client needs to get an IP Address, and the bandwidth allocated to the connection.
  • shaper In order to throttle / shape the bandwidth of the connection the shaper module is used. It can get a per user instruction from RADIUS or can apply a global defined default value for all the other connections. The shaper also includes support for more advanced features like bursting.

pppoe

• The one very important item here is the interface on which we want to run the PPPoE server.

interface=enp0s3

radius

• We comment the following out. If we don't, Accel-ppp will not start up when the values specified does not match the IP setup of the machine.

#nas-ip-address=192.168.8.118
#nas-ip-address=127.0.0.1
#gw-ip-address=192.168.8.1

• We also specify how often the accounting updated needs to happen. We choose every two minutes.

acct-interim-interval=120

shaper

• We use this machine as a drop-in replacement for a Mikrotik router.
• We have to inform the shaper to look for Mikrotik reply attributes and apply them.

vendor=Mikrotik
attr=Mikrotik-Rate-Limit

• RADIUS Reply will look like this (Incl Bursting)

Mikrotik-Rate-Limit = "512k/512k 1024k/1024k 1024k/1024k 100/100"

• Logfile output:

[2023-09-26 17:42:19]:  info: enp0s3: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "00:25:82:00:92:31"> <Called-Station-Id "08:00:27:08:0a:18"> <User-Password 0xfcd3bafc5c447f0a4af152376ea34fc5>]
[2023-09-26 17:42:19]:  info: enp0s3: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP>]

ip-pool

• This section defines IP Pools.
• Additionally you can give a name to a pool.
• The RADIUS reply attribute then can specify the pool to use (Framed-Pool)
• Again this is similar to Mikrotik and Cisco PPPoE servers making a drop-in replacement possible.
• RADIUS reply will contain this:

Framed-Pool = "pool1"

• Logfile output:

[2023-09-26 17:42:19]:  info: enp0s3: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "00:25:82:00:92:31"> <Called-Station-Id "08:00:27:08:0a:18"> <User-Password 0xfcd3bafc5c447f0a4af152376ea34fc5>]
[2023-09-26 17:42:19]:  info: enp0s3: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP>]

Testing it out

• Now that our config file is done we can try to start up the PPPoE server.

sudo systemctl start accel-ppp
sudo systemctl status accel-ppp
● accel-ppp.service - Accel-PPP
     Loaded: loaded (/lib/systemd/system/accel-ppp.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-09-26 19:05:22 UTC; 2s ago
    Process: 14706 ExecStart=/usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf (code=exited, status=0/SUCCESS)
   Main PID: 14707 (accel-pppd)
      Tasks: 9 (limit: 1031)
     Memory: 2.1M
        CPU: 10ms
     CGroup: /system.slice/accel-ppp.service
             └─14707 /usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf

Sep 26 19:05:22 osboxes systemd[1]: Starting Accel-PPP...
Sep 26 19:05:22 osboxes systemd[1]: Started Accel-PPP.

Is there a problem?

• There are a couple of log files which you can tail -f in order to help troubleshoot if things are not working as intented.

cd /var/log/accel-ppp
ls -l
total 2576
-rw------- 1 root root 1781664 Sep 26 19:05 accel-ppp.log
-rw------- 1 root root  842805 Sep 25 11:19 auth-fail.log
-rw-r--r-- 1 root root       0 Sep 23 05:46 core.log
-rw-r--r-- 1 root root      48 Sep 24 19:52 emerg.log

Enabling Masquerading

• Consider the following output of ip a

system@osboxes:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:08:0a:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.119/24 metric 100 brd 192.168.8.255 scope global dynamic enp0s3
       valid_lft 84345sec preferred_lft 84345sec
    inet6 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6960sec preferred_lft 3360sec
    inet6 fe80::a00:27ff:fe08:a18/64 scope link 
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc tbf state UNKNOWN group default qlen 3
    link/ppp 
    inet 192.168.0.1 peer 192.168.0.2/32 scope global ppp0
       valid_lft forever preferred_lft forever

• The machine running PPPoE will act as a router and thus needs to be configured as such.
• This means that the IP packets needs to be forwarded from the PPP interface (which is a logical interface) to the WAN port (on the IP layer).

• For the traffic of ppp0 to go out into the Internet we need to:
  1. Enable forwarding of IPv4 traffic.
  2. Add MASQUERADE support on the interface that has internet connectivity (enp0s3 with the ip of 192.168.8.119)

Enable Packet forwarding for IPv4

• Edit the /etc/sysctl.conf file.
• Find and un-comment net.ipv4.ip_forward=1 line.
• Reboot the machine.
• Also confirm that there is no firewall active:

 sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Add MASQUERADE support on WAN (enp0s3)

• We need to add a script which will add an IP Table rule that enables MASQUERADE during startup.
• Create the file /etc/rc.local with the following content (replace enp0s3 if it is different on your server)

#!/bin/bash
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
exit 0

• Create the file /etc/systemd/system/rc-local.service with the following content:

# /etc/systemd/system/rc-local.service
[Unit]
 Description=/etc/rc.local Compatibility
 ConditionPathExists=/etc/rc.local

[Service]
 Type=forking
 ExecStart=/etc/rc.local start
 TimeoutSec=0
 StandardOutput=tty
 RemainAfterExit=yes
 SysVStartPriority=99

[Install]
 WantedBy=multi-user.target

• Then:

sudo touch /etc/rc.local
sudo chmod +x /etc/rc.local
sudo systemctl enable rc-local

• Check with:

sudo systemctl start rc-local.service
sudo systemctl status rc-local.service

• Reboot the machine and make sure the rule is applied after starup

sudo iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  261 36732 MASQUERADE  all  --  any    enp0s3  anywhere             anywhere            

Connecting a Client

• Everything is now set up and ready for the first client to connect.
• We will use OpenWrt with the following /etc/config/network config.
• The PPPoE username is dirk and password is testing123.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
 
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'
 
config interface 'lan'
        option device 'br-lan'
        option proto 'pppoe'
        option username 'dirk'
        option password 'testing123'

• This device has to be connected to the same network (broadcast domain) where our Accel-ppp server is running in order for the network packets to reach the PPPoE server.

Checking The Log File

• The Accel-ppp log file will give us more feedback when a client connects.
• Run the following command

sudo tail -f /var/log/accel-ppp/accel-ppp.log 

• Here is the output we got

[2023-10-15 02:53:26]:  info: enp0s8: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "c4:4b:d1:00:97:49"> <Called-Station-Id "08:00:27:08:25:67"> <User-Password 0xa8b2cc499a76d411bc05892369653482>]
[2023-10-15 02:53:26]:  info: enp0s8: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP> <Vendor-Specific 0x0000372a080600000200> <Vendor-Specific 0x0000372a070600000200>]
[2023-10-15 02:53:26]:  info: ppp1: connect: ppp1 <--> pppoe(c4:4b:d1:00:97:49)
[2023-10-15 02:53:26]:  info: ppp1: dirk: authentication succeeded
[2023-10-15 02:53:26]:  warn: ppp1: IPV6CP: discarding packet
[2023-10-15 02:53:26]:  info: ppp1: send [RADIUS(1) Accounting-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port 1> <NAS-Port-Id "ppp1"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "c4:4b:d1:00:97:49"> <Called-Station-Id "08:00:27:08:25:67"> <Acct-Status-Type Start> <Acct-Authentic RADIUS> <Acct-Session-Id "f2119cecef0b3356"> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 192.168.1.3>]
[2023-10-15 02:53:26]:  info: ppp1: recv [RADIUS(1) Accounting-Response id=1]

Using accel-cmd

• You can get more information on the current running instance of Accel-ppp by using the accel-cmd program.

accel-cmd show stat

• Results in the following in our case

accel-cmd show stat
uptime: 0.08:17:34
cpu: 0%
mem(rss/virt): 5240/244536 kB
core:
  mempool_allocated: 177084
  mempool_available: 165700
  thread_count: 4
  thread_active: 1
  context_count: 9
  context_sleeping: 0
  context_pending: 0
  md_handler_count: 8
  md_handler_pending: 0
  timer_count: 3
  timer_pending: 0
sessions:
  starting: 0
  active: 1
  finishing: 0
pppoe:
  starting: 0
  active: 1
  delayed PADO: 0
  recv PADI: 4
  drop PADI: 0
  sent PADO: 4
  recv PADR(dup): 4(0)
  sent PADS: 4
  filtered: 0
radius(1, 164.160.89.129):
  state: active
  fail count: 0
  request count: 0
  queue length: 0
  auth sent: 4
  auth lost(total/5m/1m): 0/0/0
  auth avg query time(5m/1m): 0/0 ms
  acct sent: 7
  acct lost(total/5m/1m): 0/0/0
  acct avg query time(5m/1m): 0/0 ms
  interim sent: 254
  interim lost(total/5m/1m): 6/0/0
  interim avg query time(5m/1m): 59/0 ms

• To see the current active sessions

accel-cmd show sessions

• Result in the following:

 ifname | username |    calling-sid    |     ip      | rate-limit | type  | comp | state  |  uptime  
--------+----------+-------------------+-------------+------------+-------+------+--------+----------
 ppp0   | dirk     | c4:4b:d1:00:97:49 | 192.168.1.4 | 512/512    | pppoe |      | active | 00:48:53