diff options
Diffstat (limited to 'docs/services/pppoe-server.rst')
-rw-r--r-- | docs/services/pppoe-server.rst | 397 |
1 files changed, 0 insertions, 397 deletions
diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst deleted file mode 100644 index 4deb6c7e..00000000 --- a/docs/services/pppoe-server.rst +++ /dev/null @@ -1,397 +0,0 @@ -.. _pppoe-server: - -############ -PPPoE Server -############ - -VyOS utilizes `accel-ppp`_ to provide PPPoE server functionality. It can -be used with local authentication or a connected RADIUS server. - -.. note:: Please be aware, due to an upstream bug, config - changes/commits will restart the ppp daemon and will reset existing - PPPoE connections from connected users, in order to become effective. - -Configuration -============= - - -First steps ------------ - - -.. cfgcmd:: set service pppoe-server access-concentrator <name> - - Use this command to set a name for this PPPoE-server access - concentrator. - -.. cfgcmd:: set service pppoe-server authentication mode <local | radius> - - Use this command to define whether your PPPoE clients will locally - authenticate in your VyOS system or in RADIUS server. - -.. cfgcmd:: set service pppoe-server authentication local-users username <name> password <password> - - Use this command to configure the username and the password of a - locally configured user. - -.. cfgcmd:: set service pppoe-server interface <interface> - - Use this command to define the interface the PPPoE server will use to - listen for PPPoE clients. - -.. cfgcmd:: set service pppoe-server local-ip <address> - - Use this command to configure the local gateway IP address. - -.. cfgcmd:: set service pppoe-server name-server <address> - - Use this command to set the IPv4 or IPv6 address of every Doman Name - Server you want to configure. They will be propagated to PPPoE - clients. - - -Client Address Pools --------------------- - -To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a local -subnet or IP range definition. - -Once the local tunnel endpoint ``set service pppoe-server local-ip -'10.1.1.2'`` has been defined, the client IP pool can be either defined -as a range or as subnet using CIDR notation. If the CIDR notation is -used, multiple subnets can be setup which are used sequentially. - - -**Client IP address via IP range definition** - -.. cfgcmd:: set service pppoe-server client-ip-pool start <address> - - Use this command to define the first IP address of a pool of - addresses to be given to PPPoE clients. It must be within a /24 - subnet. - -.. cfgcmd:: set service pppoe-server client-ip-pool stop <address> - - Use this command to define the last IP address of a pool of - addresses to be given to PPPoE clients. It must be within a /24 - subnet. - -.. code-block:: none - - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' - - -**Client IP subnets via CIDR notation** - -.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address> - - Use this command for every pool of client IP addresses you want to - define. The addresses of this pool will be given to PPPoE clients. - You must use CIDR notation and it must be within a /24 subnet. - -.. code-block:: none - - set service pppoe-server client-ip-pool subnet '10.1.1.0/24' - set service pppoe-server client-ip-pool subnet '10.1.2.0/24' - set service pppoe-server client-ip-pool subnet '10.1.3.0/24' - - -**RADIUS based IP pools (Framed-IP-Address)** - -To use a radius server, you need to switch to authentication mode RADIUS -and then configure it. - -.. cfgcmd:: set service pppoe-server authentication radius server <address> key <secret> - - Use this command to configure the IP address and the shared secret - key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. - - -.. code-block:: none - - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication mode 'radius' - set service pppoe-server authentication radius server 10.1.100.1 key 'secret' - set service pppoe-server interface 'eth1' - set service pppoe-server local-ip '10.1.1.2' - -RADIUS provides the IP addresses in the example above via -Framed-IP-Address. - -**RADIUS sessions management DM/CoA** - -.. cfgcmd:: set service pppoe-server authentication radius dynamic-author <key | port | server> - - Use this command to configure Dynamic Authorization Extensions to - RADIUS so that you can remotely disconnect sessions and change some - authentication parameters. - -.. code-block:: none - - set service pppoe-server authentication radius dynamic-author key 'secret123' - set service pppoe-server authentication radius dynamic-author port '3799' - set service pppoe-server authentication radius dynamic-author server '10.1.1.2' - - -Example, from radius-server send command for disconnect client with -username test - -.. code-block:: none - - root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 disconnect secret123 - -You can also use another attributes for identify client for disconnect, -like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in -log. - -.. code-block:: none - - show log | match Disconnect* - -Example for changing rate-limit via RADIUS CoA. - -.. code-block:: none - - echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa secret123 - -Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit -up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS -CoA request. - -Automatic VLAN Creation ------------------------ - -.. cfgcmd:: set service pppoe-server interface <interface> <vlan-id | vlan range> <text> - - VLAN's can be created by accel-ppp on the fly via the use of a Kernel - module named `vlan_mon`, which is monitoring incoming vlans and - creates the necessary VLAN if required and allowed. VyOS supports the - use of either VLAN ID's or entire ranges, both values can be defined - at the same time for an interface. When configured, the PPPoE will - create the necessary VLANs when required. Once the user session has - been cancelled and the VLAN is not needed anymore, VyOS will remove - it again. - -.. code-block:: none - - set service pppoe-server interface eth3 vlan-id 100 - set service pppoe-server interface eth3 vlan-id 200 - set service pppoe-server interface eth3 vlan-range 500-1000 - set service pppoe-server interface eth3 vlan-range 2000-3000 - - - -Bandwidth Shaping ------------------ - -Bandwidth rate limits can be set for local users or RADIUS based -attributes. - -For Local Users -^^^^^^^^^^^^^^^ - -.. cfgcmd:: set service pppoe-server authentication local-users username <name> rate-limit <download | upload> - - Use this command to configure a data-rate limit to PPPOoE clients for - traffic download or upload. The rate-limit is set in kbit/sec. - -.. code-block:: none - - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication local-users username foo password 'bar' - set service pppoe-server authentication local-users username foo rate-limit download '20480' - set service pppoe-server authentication local-users username foo rate-limit upload '10240' - set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' - set service pppoe-server name-server '10.100.100.1' - set service pppoe-server name-server '10.100.200.1' - set service pppoe-server interface 'eth1' - set service pppoe-server local-ip '10.1.1.2' - - -Once the user is connected, the user session is using the set limits and -can be displayed via 'show pppoe-server sessions'. - -.. code-block:: none - - show pppoe-server sessions - ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- - ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B - - -For RADIUS users -^^^^^^^^^^^^^^^^ - -The current attribute 'Filter-Id' is being used as default and can be -setup within RADIUS: - -Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit -up-stream rate) - -The command below enables it, assuming the RADIUS connection has been -setup and is working. - -.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable - - Use this command to enable bandwidth shaping via RADIUS. - -Other attributes can be used, but they have to be in one of the -dictionaries in */usr/share/accel-ppp/radius*. - - -Load Balancing --------------- - - -.. cfgcmd:: set service pppoe-server pado-delay <number-of-ms> sessions <number-of-sessions> - - Use this command to enable the delay of PADO (PPPoE Active Discovery - Offer) packets, which can be used as a session balancing mechanism - with other PPPoE servers. - -.. code-block:: none - - set service pppoe-server pado-delay 50 sessions '500' - set service pppoe-server pado-delay 100 sessions '1000' - set service pppoe-server pado-delay 300 sessions '3000' - -In the example above, the first 499 sessions connect without delay. PADO -packets will be delayed 50 ms for connection from 500 to 999, this trick -allows other PPPoE servers send PADO faster and clients will connect to -other servers. Last command says that this PPPoE server can serve only -3000 clients. - - -IPv6 ----- - -IPv6 client's prefix assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address> mask <number-of-bits> - - Use this comand to set the IPv6 address pool from which a PPPoE - client will get an IPv6 prefix of your defined length (mask) to - terminate the PPPoE endpoint at their side. The mask length can be - set from 48 to 128 bit long, the default value is 64. - - -IPv6 Prefix Delegation -^^^^^^^^^^^^^^^^^^^^^^ - -.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address> delegation-prefix <number-of-bits> - - Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You - will have to set your IPv6 pool and the length of the delegation - prefix. From the defined IPv6 pool you will be handing out networks - of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. - - -Maintenance mode -================ - -.. opcmd:: set pppoe-server maintenance-mode <enable | disable> - - For network maintenance, it's a good idea to direct users to a backup - server so that the primary server can be safely taken out of service. - It's possible to switch your PPPoE server to maintenance mode where - it maintains already established connections, but refuses new - connection attempts. - - -Checking connections -==================== - -.. opcmd:: show pppoe-server sessions - - Use this command to locally check the active sessions in the PPPoE - server. - - -.. code-block:: none - - show pppoe-server sessions - ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- - ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B - - -Per default the user session is being replaced if a second -authentication request succeeds. Such session requests can be either -denied or allowed entirely, which would allow multiple sessions for a -user in the latter case. If it is denied, the second session is being -rejected even if the authentication succeeds, the user has to terminate -its first session and can then authentication again. - -.. code-block:: none - - vyos@# set service pppoe-server session-control - Possible completions: - disable Disables session control - deny Deny second session authorization - - - - - - -Examples -======== - -IPv4 ----- - -The example below uses ACN as access-concentrator name, assigns an -address from the pool 10.1.1.100-111, terminates at the local endpoint -10.1.1.1 and serves requests only on eth1. - -.. code-block:: none - - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication local-users username foo password 'bar' - set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' - set service pppoe-server interface eth1 - set service pppoe-server local-ip '10.1.1.2' - set service pppoe-server name-server '10.100.100.1' - set service pppoe-server name-server '10.100.200.1' - - - -Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation --------------------------------------------------------- - -The example below covers a dual-stack configuration via pppoe-server. - -.. code-block:: none - - set service pppoe-server authentication local-users username test password 'test' - set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '192.168.0.1' - set service pppoe-server client-ip-pool stop '192.168.0.10' - set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' - set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' - set service pppoe-server name-server '8.8.8.8' - set service pppoe-server name-server '2001:4860:4860::8888' - set service pppoe-server interface 'eth2' - set service pppoe-server local-ip '10.100.100.1' - -The client, once successfully authenticated, will receive an IPv4 and an -IPv6 /64 address to terminate the pppoe endpoint on the client side and -a /56 subnet for the clients internal use. - -.. code-block:: none - - vyos@pppoe-server:~$ sh pppoe-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - --------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+---------- - ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB - -.. include:: /common-references.rst |