summaryrefslogtreecommitdiff
path: root/docs/configuration/interfaces/pppoe.rst
blob: 65081e1c7b0c157c9e172f9ea9942dd4f253c8ab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
:lastproofread: 2022-07-27

.. _pppoe-interface:

#####
PPPoE
#####

:abbr:`PPPoE (Point-to-Point Protocol over Ethernet)` is a network protocol
for encapsulating PPP frames inside Ethernet frames. It appeared in 1999,
in the context of the boom of DSL as the solution for tunneling packets
over the DSL connection to the :abbr:`ISPs (Internet Service Providers)`
IP network, and from there to the rest of the Internet. A 2005 networking
book noted that "Most DSL providers use PPPoE, which provides authentication,
encryption, and compression." Typical use of PPPoE involves leveraging the
PPP facilities for authenticating the user with a username and password,
predominately via the PAP protocol and less often via CHAP.

***************
Operating Modes
***************

VyOS supports setting up PPPoE in two different ways to a PPPoE internet
connection. This is because most ISPs provide a modem that is also a wireless
router.

Home Users
==========

In this method, the DSL Modem/Router connects to the ISP for you with your
credentials preprogrammed into the device. This gives you an :rfc:`1918`
address, such as ``192.168.1.0/24`` by default.

For a simple home network using just the ISP's equipment, this is usually
desirable. But if you want to run VyOS as your firewall and router, this
will result in having a double NAT and firewall setup. This results in a
few extra layers of complexity, particularly if you use some NAT or
tunnel features.

Business Users
==============

In order to have full control and make use of multiple static public IP
addresses, your VyOS will have to initiate the PPPoE connection and control
it. In order for this method to work, you will have to figure out how to make
your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL
Transceiver device to connect between the Ethernet link of your VyOS and the
phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no
IP address from it. Please make sure you connect to the Ethernet Port 1 if
your DSL Transceiver has a switch, as some of them only work this way.

Once you have an Ethernet device connected, i.e. `eth0`, then you can
configure it to open the PPPoE session for you and your DSL Transceiver
(Modem/Router) just acts to translate your messages in a way that
vDSL/aDSL understands.

*************
Configuration
*************

Common interface configuration
==============================

.. cmdinclude:: /_include/interface-description.txt
   :var0: pppoe
   :var1: pppoe0

.. cmdinclude:: /_include/interface-disable.txt
   :var0: pppoe
   :var1: pppoe0

.. cmdinclude:: /_include/interface-mtu.txt
   :var0: pppoe
   :var1: pppoe0

.. cmdinclude:: /_include/interface-vrf.txt
   :var0: pppoe
   :var1: pppoe0

PPPoE options
=============

.. cfgcmd:: set interfaces pppoe <interface> access-concentrator <name>

   Use this command to restrict the PPPoE session on a given access
   concentrator. Normally, a host sends a PPPoE initiation packet to start the
   PPPoE discovery process, a number of access concentrators respond with offer
   packets and the host selects one of the responding access concentrators to
   serve this session.

   This command allows you to select a specific access concentrator when you
   know the access concentrators `<name>`.

.. cfgcmd:: set interfaces pppoe <interface> authentication username <username>

   Use this command to set the username for authenticating with a remote PPPoE
   endpoint. Authentication is optional from the system's point of view but
   most service providers require it.

.. cfgcmd:: set interfaces pppoe <interface> authentication password <password>

   Use this command to set the password for authenticating with a remote PPPoE
   endpoint. Authentication is optional from the system's point of view but
   most service providers require it.

.. cfgcmd:: set interfaces pppoe <interface> connect-on-demand

   When set the interface is enabled for "dial-on-demand".

   Use this command to instruct the system to establish a PPPoE connection
   automatically once traffic passes through the interface. A disabled on-demand
   connection is established at boot time and remains up. If the link fails for
   any reason, the link is brought back up immediately.

   Enabled on-demand PPPoE connections bring up the link only when traffic needs
   to pass this link.  If the link fails for any reason, the link is brought
   back up automatically once traffic passes the interface again. If you
   configure an on-demand PPPoE connection, you must also configure the idle
   timeout period, after which an idle PPPoE link will be disconnected. A
   non-zero idle timeout will never disconnect the link after it first came up.

.. cfgcmd:: set interfaces pppoe <interface> no-default-route

   Only request an address from the PPPoE server but do not install any default
   route.

   Example:

   .. code-block:: none

     set interfaces pppoe pppoe0 no-default-route

   .. note:: This command got added in VyOS 1.4 and inverts the logic from the old
     ``default-route`` CLI option.

.. cfgcmd:: set interfaces pppoe <interface> default-route-distance <distance>

   Set the distance for the default gateway sent by the PPPoE server.

   Example:

   .. code-block:: none

     set interfaces pppoe pppoe0 default-route-distance 220

.. cfgcmd:: set interfaces pppoe <interface> mru <mru>

   Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the peer to
   send packets of no more than `mru` bytes. The value of `mru` must be between 128
   and 16384.

   A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
   bytes of data).

   The default is 1492.

   .. note:: When using the IPv6 protocol, MRU must be at least 1280 bytes.

.. cfgcmd:: set interfaces pppoe <interface> idle-timeout <time>

   Use this command to set the idle timeout interval to be used with on-demand
   PPPoE sessions. When an on-demand connection is established, the link is
   brought up only when traffic is sent and is disabled when the link is idle
   for the interval specified.

   If this parameter is not set or 0, an on-demand link will not be taken down
   when it is idle and after the initial establishment of the connection. It
   will stay up forever.

.. cfgcmd:: set interfaces pppoe <interface> holdoff <time>

   Use this command to set re-dial delay time to be used with persist PPPoE
   sessions. When the PPPoE session is terminated by peer, and on-demand
   option is not set, the router will attempt to re-establish the PPPoE link.

   If this parameter is not set, the default holdoff time is 30 seconds.

.. cfgcmd:: set interfaces pppoe <interface> local-address <address>

   Use this command to set the IP address of the local endpoint of a PPPoE
   session. If it is not set it will be negotiated.

.. cfgcmd:: set interfaces pppoe <interface> no-peer-dns

   Use this command to not install advertised DNS nameservers into the local
   system.

.. cfgcmd:: set interfaces pppoe <interface> remote-address <address>

   Use this command to set the IP address of the remote endpoint of a PPPoE
   session. If it is not set it will be negotiated.

.. cfgcmd:: set interfaces pppoe <interface> service-name <name>

   Use this command to specify a service name by which the local PPPoE interface
   can select access concentrators to connect with. It will connect to any
   access concentrator if not set.

.. cfgcmd:: set interfaces pppoe <interface> source-interface <source-interface>

   Use this command to link the PPPoE connection to a physical interface. Each
   PPPoE connection must be established over a physical interface. Interfaces
   can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs.

.. cfgcmd:: set interfaces pppoe <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

  As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
  TCP MSS value to a specific value. This is a field in the TCP options part of
  a SYN packet. By setting the MSS value, you are telling the remote side
  unequivocally 'do not try to send me packets bigger than this value'.

  .. note:: This command was introduced in VyOS 1.4 - it was previously called:
    ``set firewall options interface <name> adjust-mss <value>``

  .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
    1452 bytes on a 1492 byte MTU.

  Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
  automatically set the proper value.

.. cfgcmd:: set interfaces pppoe <interface> ip disable-forwarding

  Configure interface-specific Host/Router behaviour. If set, the interface will
  switch to host mode and IPv6 forwarding will be disabled on this interface.

.. cfgcmd:: set interfaces pppoe <interface> ip source-validation <strict | loose | disable>

  Enable policy for source validation by reversed path, as specified in
  :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict
  mode to prevent IP spoofing from DDos attacks. If using asymmetric routing
  or other complicated routing, then loose mode is recommended.

  - strict: Each incoming packet is tested against the FIB and if the interface
    is not the best reverse path the packet check will fail. By default failed
    packets are discarded.

  - loose: Each incoming packet's source address is also tested against the FIB
    and if the source address is not reachable via any interface the packet
    check will fail.

  - disable: No source validation

IPv6
----

.. cfgcmd:: set interfaces pppoe <interface> ipv6 address autoconf

   Use this command to enable acquisition of IPv6 address using stateless
   autoconfig (SLAAC).

.. cfgcmd:: set interfaces pppoe <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

  As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
  TCP MSS value to a specific value. This is a field in the TCP options part of
  a SYN packet. By setting the MSS value, you are telling the remote side
  unequivocally 'do not try to send me packets bigger than this value'.

  .. note:: This command was introduced in VyOS 1.4 - it was previously called:
    ``set firewall options interface <name> adjust-mss <value>``

  .. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in
    1432 bytes on a 1492 byte MTU.

  Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
  automatically set the proper value.

.. cfgcmd:: set interfaces pppoe <interface> ipv6 disable-forwarding

  Configure interface-specific Host/Router behaviour. If set, the interface will
  switch to host mode and IPv6 forwarding will be disabled on this interface.

.. cmdinclude:: /_include/interface-dhcpv6-prefix-delegation.txt
  :var0: pppoe
  :var1: pppoe0

*********
Operation
*********

.. opcmd:: show interfaces pppoe <interface>

   Show detailed information on given `<interface>`

   .. code-block:: none

     vyos@vyos:~$ show interfaces pppoe pppoe0
     pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
         link/ppp
         inet 192.0.2.1 peer 192.0.2.255/32 scope global pppoe0
            valid_lft forever preferred_lft forever

         RX:  bytes    packets     errors    dropped    overrun      mcast
         7002658233    5064967          0          0          0          0
         TX:  bytes    packets     errors    dropped    carrier collisions
          533822843    1620173          0          0          0          0

.. opcmd:: show interfaces pppoe <interface> queue

   Displays queue information for a PPPoE interface.

   .. code-block:: none

     vyos@vyos:~$ show interfaces pppoe pppoe0 queue
     qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
      Sent 534625359 bytes 1626761 pkt (dropped 62, overlimits 0 requeues 0)
      backlog 0b 0p requeues 0

Connect/Disconnect
==================

.. opcmd:: disconnect interface <interface>

   Test disconnecting given connection-oriented interface. `<interface>` can be
   ``pppoe0`` as the example.

.. opcmd:: connect interface <interface>

   Test connecting given connection-oriented interface. `<interface>` can be
   ``pppoe0`` as the example.

*******
Example
*******

Requirements:

* Your ISPs modem is connected to port ``eth0`` of your VyOS box.
* No VLAN tagging required by your ISP.
* You need your PPPoE credentials from your DSL ISP in order to configure
  this. The usual username is in the form of name@host.net but may vary
  depending on ISP.
* The largest MTU size you can use with DSL is 1492 due to PPPoE overhead.
  If you are switching from a DHCP based ISP like cable then be aware that
  things like VPN links may need to have their MTU sizes adjusted to work
  within this limit.
* With the ``name-server`` option set to ``none``, VyOS will ignore the
  nameservers your ISP sends you and thus you can fully rely on the ones you
  have configured statically.

.. note:: Syntax has changed from VyOS 1.2 (crux) and it will be automatically
   migrated during an upgrade.

.. note:: A default route is automatically installed once the interface is up.
  To change this behavior use the ``no-default-route`` CLI option.

.. code-block:: none

  set interfaces pppoe pppoe0 authentication username 'userid'
  set interfaces pppoe pppoe0 authentication password 'secret'
  set interfaces pppoe pppoe0 source-interface 'eth0'


You should add a firewall to your configuration above as well by
assigning it to the pppoe0 itself as shown here:

.. code-block:: none

  set firewall interface pppoe0 in name NET-IN
  set firewall interface pppoe0 local name NET-LOCAL
  set firewall interface pppoe0 out name NET-OUT

VLAN Example
============

Some recent ISPs require you to build the PPPoE connection through a VLAN
interface. One of those ISPs is e.g. Deutsche Telekom in Germany. VyOS
can easily create a PPPoE session through an encapsulated VLAN interface.
The following configuration will run your PPPoE connection through VLAN7
which is the default VLAN for Deutsche Telekom:

.. code-block:: none

  set interfaces pppoe pppoe0 authentication username 'userid'
  set interfaces pppoe pppoe0 authentication password 'secret'
  set interfaces pppoe pppoe0 source-interface 'eth0.7'


IPv6 DHCPv6-PD Example
----------------------

.. stop_vyoslinter

The following configuration will setup a PPPoE session source from eth1 and
assign a /64 prefix out of a /56 delegation (requested from the ISP) to eth0.
The IPv6 address assigned to eth0 will be <prefix>::1/64. If you do not know
the prefix size delegated to you, start with sla-len 0.

In addition we setup IPv6 :abbr:`RA (Router Advertisements)` to make the
prefix known on the eth0 link.

.. start_vyoslinter

.. code-block:: none

  set interfaces pppoe pppoe0 authentication username vyos
  set interfaces pppoe pppoe0 authentication password vyos
  set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1'
  set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0'
  set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
  set interfaces pppoe pppoe0 ipv6 address autoconf
  set interfaces pppoe pppoe0 source-interface eth1

  set service router-advert interface eth0 prefix ::/64