.. _ipoe_server: ########### IPoE Server ########### VyOS utilizes `accel-ppp`_ to provide :abbr:`IPoE (Internet Protocol over Ethernet)` server functionality. It can be used with local authentication (mac-address) or a connected RADIUS server. IPoE is a method of delivering an IP payload over an Ethernet-based access network or an access network using bridged Ethernet over Asynchronous Transfer Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in Ethernet frames, using the standard :rfc:`894` encapsulation. The use of IPoE addresses the disadvantage that PPP is unsuited for multicast delivery to multiple users. Typically, IPoE uses Dynamic Host Configuration Protocol and Extensible Authentication Protocol to provide the same functionality as PPPoE, but in a less robust manner. .. note:: Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset existing IPoE sessions, in order to become effective. *********************** Configuring IPoE Server *********************** IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client. The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration. .. code-block:: none set interfaces ethernet eth1 address '192.168.0.1/24' set service ipoe-server authentication interface eth1.100 mac 00:50:79:66:68:00 set service ipoe-server authentication interface eth1.101 mac 00:50:79:66:68:01 set service ipoe-server authentication mode 'local' set service ipoe-server client-ip-pool IPOE-POOL range '192.168.0.2-192.168.0.254' set service ipoe-server default-pool 'IPOE-POOL' set service ipoe-server gateway-address '192.168.0.1/24' set service ipoe-server interface eth1 mode 'l2' set service ipoe-server interface eth1 network 'vlan' set service ipoe-server interface eth1 vlan '100-200' .. cfgcmd:: set service ipoe-server authentication interface mac Creates local pppoe user with username=**** and password=**** (mac-address) .. cfgcmd:: set service ipoe-server authentication mode Set authentication backend. The configured authentication backend is used for all queries. * **radius**: All authentication queries are handled by a configured RADIUS server. * **local**: All authentication queries are handled locally. * **noauth**: Authentication disabled .. cfgcmd:: set service ipoe-server client-ip-pool range Use this command to define the first IP address of a pool of addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask. .. cfgcmd:: set service ipoe-server default-pool Use this command to define default address pool name. .. cfgcmd:: set service ipoe-server gateway-address Specifies address to be used as server ip address if radius can assign only client address. In such case if client address is matched network and mask then specified address and mask will be used. You can specify multiple such options. .. cfgcmd:: set service ipoe-server interface mode Set authentication backend. The configured authentication backend is used for all queries. * **l2**: It means that clients are on same network where interface is.**(default)** * **local**: It means that client are behind some router. .. cfgcmd:: set service ipoe-server interface network Specify where interface is shared by multiple users or it is vlan-per-user. * **shared**: Multiple clients share the same network. **(default)** * **vlan**: One VLAN per client. .. code-block:: none vyos@vyos:~$ show ipoe-server sessions ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime --------+----------+-------------------+-------------+------------+------+------+--------+---------- ipoe0 | eth1.100 | 00:50:79:66:68:00 | 192.168.0.2 | | ipoe | | active | 00:04:55 ipoe1 | eth1.101 | 00:50:79:66:68:01 | 192.168.0.3 | | ipoe | | active | 00:04:44 ********************************* Configuring RADIUS authentication ********************************* To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users, still exists within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again. .. code-block:: none set service ipoe-server authentication mode radius .. cfgcmd:: set service ipoe-server authentication radius server key Configure RADIUS `` and its required shared `` for communicating with the RADIUS server. Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used subsequentially. For example: .. code-block:: none set service ipoe-server authentication radius server 10.0.0.1 key 'foo' set service ipoe-server authentication radius server 10.0.0.2 key 'foo' .. note:: Some RADIUS severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list. RADIUS source address ===================== If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface. .. cfgcmd:: set service ipoe-server authentication radius source-address
Source IPv4 address used in all RADIUS server queires. .. note:: The ``source-address`` must be configured on one of VyOS interface. Best practice would be a loopback or dummy interface. RADIUS advanced options ======================= .. cfgcmd:: set service ipoe-server authentication radius server port Configure RADIUS `` and its required port for authentication requests. .. cfgcmd:: set service ipoe-server authentication radius server fail-time