diff options
author | rebortg <github@ghlr.de> | 2020-12-08 14:57:44 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2020-12-08 14:57:44 +0100 |
commit | f6c43343bbea7c98b6e735f5204da1759343ca23 (patch) | |
tree | 8ddd1150ffaf65cd36678ebc95c7d9fb22ae1dce /docs/configuration/service/pppoe-server.rst | |
parent | e6d0a80db37769a3d40084a8d55abfd7b24b941a (diff) | |
parent | 0bb741b58bc0dd7f0beae7364ed519f7165bdbb7 (diff) | |
download | vyos-documentation-f6c43343bbea7c98b6e735f5204da1759343ca23.tar.gz vyos-documentation-f6c43343bbea7c98b6e735f5204da1759343ca23.zip |
Merge branch 'sagitta' of https://github.com/rebortg/vyos-documentation
Diffstat (limited to 'docs/configuration/service/pppoe-server.rst')
-rw-r--r-- | docs/configuration/service/pppoe-server.rst | 397 |
1 files changed, 397 insertions, 0 deletions
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst new file mode 100644 index 00000000..224ff0d8 --- /dev/null +++ b/docs/configuration/service/pppoe-server.rst @@ -0,0 +1,397 @@ +.. _pppoe-server: + +############ +PPPoE Server +############ + +VyOS utilizes `accel-ppp`_ to provide PPPoE server functionality. It can +be used with local authentication or a connected RADIUS server. + +.. note:: Please be aware, due to an upstream bug, config + changes/commits will restart the ppp daemon and will reset existing + PPPoE connections from connected users, in order to become effective. + +Configuration +============= + + +First steps +----------- + + +.. cfgcmd:: set service pppoe-server access-concentrator <name> + + Use this command to set a name for this PPPoE-server access + concentrator. + +.. cfgcmd:: set service pppoe-server authentication mode <local | radius> + + Use this command to define whether your PPPoE clients will locally + authenticate in your VyOS system or in RADIUS server. + +.. cfgcmd:: set service pppoe-server authentication local-users username <name> password <password> + + Use this command to configure the username and the password of a + locally configured user. + +.. cfgcmd:: set service pppoe-server interface <interface> + + Use this command to define the interface the PPPoE server will use to + listen for PPPoE clients. + +.. cfgcmd:: set service pppoe-server gateway-address <address> + + Use this command to configure the local gateway IP address. + +.. cfgcmd:: set service pppoe-server name-server <address> + + Use this command to set the IPv4 or IPv6 address of every Doman Name + Server you want to configure. They will be propagated to PPPoE + clients. + + +Client Address Pools +-------------------- + +To automatically assign the client an IP address as tunnel endpoint, a +client IP pool is needed. The source can be either RADIUS or a local +subnet or IP range definition. + +Once the local tunnel endpoint ``set service pppoe-server gateway-address +'10.1.1.2'`` has been defined, the client IP pool can be either defined +as a range or as subnet using CIDR notation. If the CIDR notation is +used, multiple subnets can be setup which are used sequentially. + + +**Client IP address via IP range definition** + +.. cfgcmd:: set service pppoe-server client-ip-pool start <address> + + Use this command to define the first IP address of a pool of + addresses to be given to PPPoE clients. It must be within a /24 + subnet. + +.. cfgcmd:: set service pppoe-server client-ip-pool stop <address> + + Use this command to define the last IP address of a pool of + addresses to be given to PPPoE clients. It must be within a /24 + subnet. + +.. code-block:: none + + set service pppoe-server client-ip-pool start '10.1.1.100' + set service pppoe-server client-ip-pool stop '10.1.1.111' + + +**Client IP subnets via CIDR notation** + +.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address> + + Use this command for every pool of client IP addresses you want to + define. The addresses of this pool will be given to PPPoE clients. + You must use CIDR notation and it must be within a /24 subnet. + +.. code-block:: none + + set service pppoe-server client-ip-pool subnet '10.1.1.0/24' + set service pppoe-server client-ip-pool subnet '10.1.2.0/24' + set service pppoe-server client-ip-pool subnet '10.1.3.0/24' + + +**RADIUS based IP pools (Framed-IP-Address)** + +To use a radius server, you need to switch to authentication mode RADIUS +and then configure it. + +.. cfgcmd:: set service pppoe-server authentication radius server <address> key <secret> + + Use this command to configure the IP address and the shared secret + key of your RADIUS server. You can have multiple RADIUS servers + configured if you wish to achieve redundancy. + + +.. code-block:: none + + set service pppoe-server access-concentrator 'ACN' + set service pppoe-server authentication mode 'radius' + set service pppoe-server authentication radius server 10.1.100.1 key 'secret' + set service pppoe-server interface 'eth1' + set service pppoe-server gateway-address '10.1.1.2' + +RADIUS provides the IP addresses in the example above via +Framed-IP-Address. + +**RADIUS sessions management DM/CoA** + +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author <key | port | server> + + Use this command to configure Dynamic Authorization Extensions to + RADIUS so that you can remotely disconnect sessions and change some + authentication parameters. + +.. code-block:: none + + set service pppoe-server authentication radius dynamic-author key 'secret123' + set service pppoe-server authentication radius dynamic-author port '3799' + set service pppoe-server authentication radius dynamic-author server '10.1.1.2' + + +Example, from radius-server send command for disconnect client with +username test + +.. code-block:: none + + root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 disconnect secret123 + +You can also use another attributes for identify client for disconnect, +like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in +log. + +.. code-block:: none + + show log | match Disconnect* + +Example for changing rate-limit via RADIUS CoA. + +.. code-block:: none + + echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa secret123 + +Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit +up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS +CoA request. + +Automatic VLAN Creation +----------------------- + +.. cfgcmd:: set service pppoe-server interface <interface> <vlan-id | vlan range> <text> + + VLAN's can be created by accel-ppp on the fly via the use of a Kernel + module named `vlan_mon`, which is monitoring incoming vlans and + creates the necessary VLAN if required and allowed. VyOS supports the + use of either VLAN ID's or entire ranges, both values can be defined + at the same time for an interface. When configured, the PPPoE will + create the necessary VLANs when required. Once the user session has + been cancelled and the VLAN is not needed anymore, VyOS will remove + it again. + +.. code-block:: none + + set service pppoe-server interface eth3 vlan-id 100 + set service pppoe-server interface eth3 vlan-id 200 + set service pppoe-server interface eth3 vlan-range 500-1000 + set service pppoe-server interface eth3 vlan-range 2000-3000 + + + +Bandwidth Shaping +----------------- + +Bandwidth rate limits can be set for local users or RADIUS based +attributes. + +For Local Users +^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server authentication local-users username <name> rate-limit <download | upload> + + Use this command to configure a data-rate limit to PPPOoE clients for + traffic download or upload. The rate-limit is set in kbit/sec. + +.. code-block:: none + + set service pppoe-server access-concentrator 'ACN' + set service pppoe-server authentication local-users username foo password 'bar' + set service pppoe-server authentication local-users username foo rate-limit download '20480' + set service pppoe-server authentication local-users username foo rate-limit upload '10240' + set service pppoe-server authentication mode 'local' + set service pppoe-server client-ip-pool start '10.1.1.100' + set service pppoe-server client-ip-pool stop '10.1.1.111' + set service pppoe-server name-server '10.100.100.1' + set service pppoe-server name-server '10.100.200.1' + set service pppoe-server interface 'eth1' + set service pppoe-server gateway-address '10.1.1.2' + + +Once the user is connected, the user session is using the set limits and +can be displayed via 'show pppoe-server sessions'. + +.. code-block:: none + + show pppoe-server sessions + ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- + ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B + + +For RADIUS users +^^^^^^^^^^^^^^^^ + +The current attribute 'Filter-Id' is being used as default and can be +setup within RADIUS: + +Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit +up-stream rate) + +The command below enables it, assuming the RADIUS connection has been +setup and is working. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable + + Use this command to enable bandwidth shaping via RADIUS. + +Other attributes can be used, but they have to be in one of the +dictionaries in */usr/share/accel-ppp/radius*. + + +Load Balancing +-------------- + + +.. cfgcmd:: set service pppoe-server pado-delay <number-of-ms> sessions <number-of-sessions> + + Use this command to enable the delay of PADO (PPPoE Active Discovery + Offer) packets, which can be used as a session balancing mechanism + with other PPPoE servers. + +.. code-block:: none + + set service pppoe-server pado-delay 50 sessions '500' + set service pppoe-server pado-delay 100 sessions '1000' + set service pppoe-server pado-delay 300 sessions '3000' + +In the example above, the first 499 sessions connect without delay. PADO +packets will be delayed 50 ms for connection from 500 to 999, this trick +allows other PPPoE servers send PADO faster and clients will connect to +other servers. Last command says that this PPPoE server can serve only +3000 clients. + + +IPv6 +---- + +IPv6 client's prefix assignment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address> mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which a PPPoE + client will get an IPv6 prefix of your defined length (mask) to + terminate the PPPoE endpoint at their side. The mask length can be + set from 48 to 128 bit long, the default value is 64. + + +IPv6 Prefix Delegation +^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address> delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You + will have to set your IPv6 pool and the length of the delegation + prefix. From the defined IPv6 pool you will be handing out networks + of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + + +Maintenance mode +================ + +.. opcmd:: set pppoe-server maintenance-mode <enable | disable> + + For network maintenance, it's a good idea to direct users to a backup + server so that the primary server can be safely taken out of service. + It's possible to switch your PPPoE server to maintenance mode where + it maintains already established connections, but refuses new + connection attempts. + + +Checking connections +==================== + +.. opcmd:: show pppoe-server sessions + + Use this command to locally check the active sessions in the PPPoE + server. + + +.. code-block:: none + + show pppoe-server sessions + ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- + ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B + + +Per default the user session is being replaced if a second +authentication request succeeds. Such session requests can be either +denied or allowed entirely, which would allow multiple sessions for a +user in the latter case. If it is denied, the second session is being +rejected even if the authentication succeeds, the user has to terminate +its first session and can then authentication again. + +.. code-block:: none + + vyos@# set service pppoe-server session-control + Possible completions: + disable Disables session control + deny Deny second session authorization + + + + + + +Examples +======== + +IPv4 +---- + +The example below uses ACN as access-concentrator name, assigns an +address from the pool 10.1.1.100-111, terminates at the local endpoint +10.1.1.1 and serves requests only on eth1. + +.. code-block:: none + + set service pppoe-server access-concentrator 'ACN' + set service pppoe-server authentication local-users username foo password 'bar' + set service pppoe-server authentication mode 'local' + set service pppoe-server client-ip-pool start '10.1.1.100' + set service pppoe-server client-ip-pool stop '10.1.1.111' + set service pppoe-server interface eth1 + set service pppoe-server gateway-address '10.1.1.2' + set service pppoe-server name-server '10.100.100.1' + set service pppoe-server name-server '10.100.200.1' + + + +Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation +-------------------------------------------------------- + +The example below covers a dual-stack configuration via pppoe-server. + +.. code-block:: none + + set service pppoe-server authentication local-users username test password 'test' + set service pppoe-server authentication mode 'local' + set service pppoe-server client-ip-pool start '192.168.0.1' + set service pppoe-server client-ip-pool stop '192.168.0.10' + set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server name-server '8.8.8.8' + set service pppoe-server name-server '2001:4860:4860::8888' + set service pppoe-server interface 'eth2' + set service pppoe-server gateway-address '10.100.100.1' + +The client, once successfully authenticated, will receive an IPv4 and an +IPv6 /64 address to terminate the pppoe endpoint on the client side and +a /56 subnet for the clients internal use. + +.. code-block:: none + + vyos@pppoe-server:~$ sh pppoe-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+---------- + ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB + +.. include:: /_include/common-references.txt |