IPoE-server interface ethX vlan (vlan-mon) must not be used with client-subnet
set service ipoe-server authentication mode 'noauth'
set service ipoe-server interface eth1 client-subnet '100.64.204.0/24'
set service ipoe-server interface eth1 network 'vlan'
set service ipoe-server interface eth1 vlan '2000-2021'
It generates the following configuration:
vyos@r2# cat /run/accel-pppd/ipoe.conf | grep "\[ipoe" -A 10
[ipoe]
verbose=1
interface=re:^eth1\.(200\d|201\d|202[0-1])$,shared=0,mode=L2,ifcfg=1,range=100.64.204.0/24,start=dhcpv4,ipv6=1
vlan-mon=eth1,2000-2021
noauth=1
proxy-arp=1
vlan-mon means that the VLANs (2000-2021) will be added dynamically and attached to the eth1 interface.
But instead of sharing one network range across all VLANs, it generates a configuration in which each VLAN separately uses the same range, 100.64.204.0/24.
I.e.:
eth1.2000 range 100.64.204.0/24 (the first client gets an address from 100.64.204.2)
eth1.2001 range 100.64.204.0/24 (the first client gets an address from 100.64.204.2)
This causes clients in different VLANs to get the same IP addresses, which is wrong behavior.
vyos@r2:~$ show ipoe-server sessions
 ifname    | username | calling-sid       | ip           | rate-limit | type | comp | state  | uptime
-----------+----------+-------------------+--------------+------------+------+------+--------+----------
 eth1.2004 |          | 00:50:79:66:68:0c | 100.64.204.2 |            | ipoe |      | active | 00:00:22
 eth1.2005 |          | 00:50:79:66:68:0d | 100.64.204.2 |            | ipoe |      | active | 00:00:14
vyos@r2:~$
We need to disable such options in the verify section. And use named IP pools instead: set service ipoe-server client-ip-pool name.
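A sketch of the verify-step check proposed above, together with a check for the symptom in the session table. This is an added example, not VyOS's own code. The dictionary layout, the local ConfigError class and the function names are assumptions, and the sample data is constructed from the values in this report.

```python
import ipaddress
from collections import defaultdict

class ConfigError(Exception):
    """Local stand-in for the error a verify step raises (assumption)."""

def expand_vlans(specs):
    """Expand VLAN specs such as ['2000-2021', '3000'] into sorted IDs."""
    ids = set()
    for spec in specs:
        lo, _, hi = spec.partition('-')
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ConfigError(f'invalid VLAN range "{spec}"')
        ids.update(range(lo, hi + 1))
    return sorted(ids)

def verify_ipoe(ipoe):
    """Reject any interface that combines 'vlan' with 'client-subnet'."""
    for ifname, conf in ipoe.get('interface', {}).items():
        if 'vlan' in conf and 'client-subnet' in conf:
            subnet = ipaddress.ip_network(conf['client-subnet'])
            count = len(expand_vlans(conf['vlan']))
            raise ConfigError(
                f'interface {ifname}: client-subnet {subnet} would be reused '
                f'on {count} VLANs; use a named client-ip-pool instead')

def duplicate_ips(session_rows):
    """Return {ip: [ifname, ...]} for addresses active on several interfaces."""
    seen = defaultdict(set)
    for row in session_rows:
        cols = [c.strip() for c in row.split('|')]
        if len(cols) < 4:
            continue                      # separator or blank line
        try:
            ipaddress.ip_address(cols[3])
        except ValueError:
            continue                      # header row or empty ip column
        seen[cols[3]].add(cols[0])
    return {ip: sorted(ifs) for ip, ifs in seen.items() if len(ifs) > 1}

# Constructed sample input mirroring the set commands and session table above.
CONFIG = {'interface': {'eth1': {'client-subnet': '100.64.204.0/24',
                                 'network': 'vlan', 'vlan': ['2000-2021']}}}
SESSIONS = [
    'ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime',
    '-----------+----------+-------------------+--------------+------------',
    'eth1.2004 | | 00:50:79:66:68:0c | 100.64.204.2 | | ipoe | | active | 00:00:22',
    'eth1.2005 | | 00:50:79:66:68:0d | 100.64.204.2 | | ipoe | | active | 00:00:14',
]
```

Calling verify_ipoe(CONFIG) raises ConfigError for eth1, and duplicate_ips(SESSIONS) reports 100.64.204.2 on both eth1.2004 and eth1.2005.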