
IPv6 Prefix Delegation does not work for PPP/L2TP with RADIUS attribute Accel-VRF-Name
Closed, Resolved / Public / BUG

Description

IPv6 Prefix Delegation does not work for PPP/L2TP with RADIUS attribute Accel-VRF-Name

RADIUS user

user2@local-host.local Cleartext-Password := "user2"
    Service-Type = Framed-User,
    Framed-IP-Address = "100.64.0.12",
    Framed-IPv6-Prefix = "2001:db8:0:2c::/64",
    Delegated-IPv6-Prefix = 2001:db8:0:ff2c::/64,
    Accel-VRF-Name = "CGNAT-VRF",
    Framed-Protocol = PPP

Without VRF, the latest entry exists if checked with sudo ip monitor route:

local 100.64.0.1 dev l2tp0 table local proto kernel scope host src 100.64.0.1 
100.64.0.12 dev l2tp0 proto kernel scope link src 100.64.0.1 
fe80::/64 dev l2tp0 proto kernel metric 256 pref medium
local fe80::100:0:0:0 dev l2tp0 table local proto kernel metric 0 pref medium
anycast fe80:: dev l2tp0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev l2tp0 table local proto kernel metric 256 pref medium
2001:db8:0:2c::/64 dev l2tp0 proto kernel metric 256 pref medium
local 2001:db8:0:2c:100:: dev l2tp0 table local proto kernel metric 0 pref medium
anycast 2001:db8:0:2c:: dev l2tp0 table local proto kernel metric 0 pref medium

2001:db8:0:ff2c::/64 via fe80::fdc1:47ff:fec7:1e9 dev l2tp0 metric 1024 pref medium

With VRF we do not see the PrefixDelegation route.

local 100.64.0.1 dev l2tp0 table CGNAT-VRF proto kernel scope host src 100.64.0.1 
100.64.0.12 dev l2tp0 table CGNAT-VRF proto kernel scope link src 100.64.0.1 
fe80::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
local fe80::100:0:0:0 dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
anycast fe80:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
multicast ff00::/8 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
2001:db8:0:2c::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
local 2001:db8:0:2c:100:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
anycast 2001:db8:0:2c:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium

VyOS config; it does not seem to matter whether it is a PPPoE server or L2TP LAC:

set container name radius allow-host-networks
set container name radius image 'dchidell/radius-web'
set container name radius volume accel destination '/usr/share/freeradius/dictionary.accel'
set container name radius volume accel source '/usr/share/accel-ppp/radius/dictionary.accel'
set container name radius volume clients destination '/etc/raddb/clients.conf'
set container name radius volume clients source '/config/containers/radius/clients'
set container name radius volume users destination '/etc/raddb/users'
set container name radius volume users source '/config/containers/radius/users'
set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication protocols 'chap'
set vpn l2tp remote-access authentication protocols 'pap'
set vpn l2tp remote-access authentication radius accounting-interim-interval '3500'
set vpn l2tp remote-access authentication radius acct-timeout '0'
set vpn l2tp remote-access authentication radius server 127.0.0.1 key 'vyos-secret'
set vpn l2tp remote-access client-ip-pool default-range-pool range '192.168.111.1-192.168.111.100'
set vpn l2tp remote-access client-ip-pool default-range-pool range '192.168.111.0/24'
set vpn l2tp remote-access default-pool 'default-range-pool'
set vpn l2tp remote-access gateway-address '100.64.0.1'
set vpn l2tp remote-access lns host-name 'megahost'
set vpn l2tp remote-access lns shared-secret 'SssEcrEttT'
set vpn l2tp remote-access mtu '1500'
set vpn l2tp remote-access name-server '1.0.0.1'
set vpn l2tp remote-access name-server '1.1.1.1'
set vpn l2tp remote-access outside-address '0.0.0.0'
set vpn l2tp remote-access ppp-options disable-ccp
set vpn l2tp remote-access ppp-options ipv6 'allow'
set vrf name CGNAT-VRF table '100'

Routing tables
user1 without VRF
user2 with VRF

vyos@ppp-serv:~$ show l2tp-server sessions 
 ifname |        username        |     ip      |           ip6          |        ip6-dp        | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+------------------------+-------------+------------------------+----------------------+-------------+------------+--------+----------+----------+----------
 l2tp0  | user2@local-host.local | 100.64.0.12 | 2001:db8:0:2c:200::/64 | 2001:db8:0:ff2c::/64 | 192.0.2.2   |            | active | 00:16:25 | 2.4 KiB  | 1.2 KiB  
 l2tp2  | user1@local-host.local | 100.64.0.10 | 2001:db8:0:2b:200::/64 | 2001:db8:0:ff2b::/64 | 192.0.2.2   |            | active | 00:15:44 | 894 B    | 1.4 KiB
vyos@ppp-serv:~$ 
vyos@ppp-serv:~$ 
vyos@ppp-serv:~$ 
vyos@ppp-serv:~$ show ipv6 route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF CGNAT-VRF:
C>* 2001:db8:0:2c::/64 is directly connected, l2tp0, 00:17:23
C>* fe80::/64 is directly connected, l2tp0, 00:17:23

VRF default:
C>* 2001:db8:0:2b::/64 is directly connected, l2tp2, 00:16:42
K>* 2001:db8:0:ff2b::/64 [0/1024] via fe80::fc9f:31ff:fe84:1bb0, l2tp2, 00:16:08
C * fe80::/64 is directly connected, l2tp2, 00:16:42
C * fe80::/64 is directly connected, eth1, 01:35:45
C * fe80::/64 is directly connected, eth0, 01:35:47
C>* fe80::/64 is directly connected, lo, 01:35:49
vyos@ppp-serv:~$

The bug is in the upstream https://github.com/accel-ppp/accel-ppp
Or this feature was not implemented when VRF was implemented: https://github.com/accel-ppp/accel-ppp/commit/737bf4d8b6e9e1bf50be69e8c99028bb2696190c
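
Added example (not part of the original report and not VyOS or accel-ppp code): a check that cross-references the ip6-dp column of the sessions table with the route output and lists sessions whose delegated prefix has no route through their interface. The sample text is copied from the output above; the function names are hypothetical, and the parsing assumes the table and route line layouts shown on this page.

```python
import ipaddress
import re

# Sample output copied from the report above (l2tp0 is in CGNAT-VRF, l2tp2 in default).
SESSIONS = """\
 ifname |        username        |     ip      |           ip6          |        ip6-dp        | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
--------+------------------------+-------------+------------------------+----------------------+-------------+------------+--------+----------+----------+----------
 l2tp0  | user2@local-host.local | 100.64.0.12 | 2001:db8:0:2c:200::/64 | 2001:db8:0:ff2c::/64 | 192.0.2.2   |            | active | 00:16:25 | 2.4 KiB  | 1.2 KiB
 l2tp2  | user1@local-host.local | 100.64.0.10 | 2001:db8:0:2b:200::/64 | 2001:db8:0:ff2b::/64 | 192.0.2.2   |            | active | 00:15:44 | 894 B    | 1.4 KiB
"""
ROUTES = """\
VRF CGNAT-VRF:
C>* 2001:db8:0:2c::/64 is directly connected, l2tp0, 00:17:23
C>* fe80::/64 is directly connected, l2tp0, 00:17:23

VRF default:
C>* 2001:db8:0:2b::/64 is directly connected, l2tp2, 00:16:42
K>* 2001:db8:0:ff2b::/64 [0/1024] via fe80::fc9f:31ff:fe84:1bb0, l2tp2, 00:16:08
C * fe80::/64 is directly connected, l2tp2, 00:16:42
"""

def parse_sessions(text):
    """Return {ifname: delegated prefix} from the sessions table."""
    rows = [[c.strip() for c in l.split("|")] for l in text.splitlines() if "|" in l]
    header, body = rows[0], rows[1:]
    i_if, i_pd = header.index("ifname"), header.index("ip6-dp")
    return {r[i_if]: ipaddress.ip_network(r[i_pd]) for r in body if r[i_pd]}

# Route line: code letter, selected/FIB flags, prefix, ..., ", <ifname>, ..."
ROUTE_RE = re.compile(r"^[A-Za-z][ >][ *]\s+(\S+/\d+) .*?, (\S+), ")

def parse_routes(text):
    """Return a set of (vrf, prefix, ifname) from 'show ipv6 route vrf all'."""
    vrf, found = None, set()
    for line in text.splitlines():
        if line.startswith("VRF ") and line.endswith(":"):
            vrf = line[4:-1]
        elif (m := ROUTE_RE.match(line)) and vrf:
            found.add((vrf, ipaddress.ip_network(m.group(1)), m.group(2)))
    return found

def missing_pd_routes(sessions_text, routes_text):
    """List (ifname, prefix) for sessions whose delegated prefix has no route via that interface."""
    routes = {(p, i) for _, p, i in parse_routes(routes_text)}
    return [(i, str(p)) for i, p in parse_sessions(sessions_text).items() if (p, i) not in routes]

if __name__ == "__main__":
    for ifname, prefix in missing_pd_routes(SESSIONS, ROUTES):
        print(f"{ifname}: delegated prefix {prefix} has no route in any VRF")
```
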

Details

Version
VyOS 1.4.1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority.

Possible fix https://github.com/accel-ppp/accel-ppp/pull/93
Needs testing

Update
This PR fixes only Framed-Route and Framed-IPv6-Route, but not IPv6-PD

Will be fixed after migration to the accel-ppp-ng T7744

Working on the latest rolling (checked VyOS 2025.10.05-0020-rolling)
VyOS config:

set container name radius allow-host-networks
set container name radius image 'dchidell/radius-web'
set container name radius volume accel destination '/usr/share/freeradius/dictionary.accel'
set container name radius volume accel source '/usr/share/accel-ppp/radius/dictionary.accel'
set container name radius volume clients destination '/etc/raddb/clients.conf'
set container name radius volume clients source '/config/containers/radius/clients'
set container name radius volume dictionary destination '/usr/share/freeradius/dictionary'
set container name radius volume dictionary source '/config/containers/radius/dictionary'
set container name radius volume users destination '/etc/raddb/users'
set container name radius volume users source '/config/containers/radius/users'
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius server 192.168.122.14 key 'vyos-secret'
set service pppoe-server client-ip-pool FIRST range '100.64.0.0/18'
set service pppoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:8003::/48 delegation-prefix '56'
set service pppoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:8002::/48 mask '64'
set service pppoe-server default-ipv6-pool 'IPv6-POOL'
set service pppoe-server default-pool 'FIRST'
set service pppoe-server gateway-address '100.64.0.1'
set service pppoe-server interface eth1 combined
set service pppoe-server interface eth1.23
set service pppoe-server log level '5'
set service pppoe-server name-server '1.1.1.1'
set service pppoe-server name-server '1.0.0.1'
set service pppoe-server ppp-options disable-ccp
set service pppoe-server ppp-options ipv6 'allow'
set service pppoe-server session-control 'disable'

RADIUS users

client-1	Cleartext-Password := "client-1"
    Service-Type = Framed-User,
    Accel-VRF-Name = "red",
    Framed-IP-Address = 10.0.0.11,
    Stateful-IPv6-Address-Pool = "IPv6-POOL",
    Delegated-IPv6-Prefix-Pool = "IPv6-POOL",
    Framed-Route = "100.64.0.11/32 10.0.0.11 1",
    Framed-Protocol = PPP

client-2	Cleartext-Password := "client-2"
    Service-Type = Framed-User,
    Accel-VRF-Name = "CGNAT-VRF",
    Framed-IP-Address = 10.0.0.12,
    Stateful-IPv6-Address-Pool = "IPv6-POOL",
    Delegated-IPv6-Prefix-Pool = "IPv6-POOL",
    Framed-Route = "100.64.0.12/32 10.0.0.12 1",
    Framed-Protocol = PPP

Check:
show sessions:

vyos@r14:~$ show pppoe-server sessions 
 ifname | username |    ip     |            ip6           |         ip6-dp         |    calling-sid    | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+-----------+--------------------------+------------------------+-------------------+------------+--------+----------+----------+----------
 ppp0   | client-1 | 10.0.0.11 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::/56     | 52:54:00:09:0b:01 |            | active | 00:10:36 | 1.9 KiB  | 2.3 KiB  
 ppp1   | client-2 | 10.0.0.12 | 2001:db8:8002:1:200::/64 | 2001:db8:8003:100::/56 | 52:54:00:09:0b:01 |            | active | 00:09:31 | 818 B    | 1.3 KiB
vyos@r14:~$

VRF red

vyos@r14# run show ip route vrf red 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF red:
C>* 10.0.0.11/32 is directly connected, ppp0, weight 1, 00:05:02
K * 10.0.0.11/32 [0/0] is directly connected, ppp0, weight 1, 00:05:02
L>* 100.64.0.1/32 is directly connected, ppp0, weight 1, 00:05:02
K>* 100.64.0.11/32 [0/1] via 10.0.0.11, ppp0, weight 1, 00:05:02
[edit]
vyos@r14# 
[edit]
vyos@r14# run show ipv6 route vrf red 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIPng, O - OSPFv3, I - IS-IS, B - BGP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF red:
K>* ::1/128 [0/256] is directly connected, red, weight 1, 00:15:58
C>* 2001:db8:8002::/64 is directly connected, ppp0, weight 1, 00:05:09
K * 2001:db8:8002::/64 [0/256] is directly connected, ppp0, weight 1, 00:05:09
L>* 2001:db8:8002:0:100::/128 is directly connected, ppp0, weight 1, 00:05:09
K>* 2001:db8:8003::/56 [0/1024] via fe80::f449:15ff:fe64:22e6, ppp0, weight 1, 00:04:38
C>* fe80::/64 is directly connected, ppp0, weight 1, 00:05:09
[edit]
vyos@r14#

VRF CGNAT

vyos@r14# run show ip route vrf CGNAT-VRF 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF CGNAT-VRF:
C>* 10.0.0.12/32 is directly connected, ppp1, weight 1, 00:04:31
K * 10.0.0.12/32 [0/0] is directly connected, ppp1, weight 1, 00:04:31
L>* 100.64.0.1/32 is directly connected, ppp1, weight 1, 00:04:31
K>* 100.64.0.12/32 [0/1] via 10.0.0.12, ppp1, weight 1, 00:04:31
[edit]
vyos@r14# 
[edit]
vyos@r14# run show ipv6 route vrf CGNAT-VRF 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIPng, O - OSPFv3, I - IS-IS, B - BGP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF CGNAT-VRF:
K>* ::1/128 [0/256] is directly connected, CGNAT-VRF, weight 1, 00:16:30
C>* 2001:db8:8002:1::/64 is directly connected, ppp1, weight 1, 00:04:36
K * 2001:db8:8002:1::/64 [0/256] is directly connected, ppp1, weight 1, 00:04:36
L>* 2001:db8:8002:1:100::/128 is directly connected, ppp1, weight 1, 00:04:36
K>* 2001:db8:8003:100::/56 [0/1024] via fe80::f4ce:e3ff:fe2b:fff5, ppp1, weight 1, 00:04:05
C>* fe80::/64 is directly connected, ppp1, weight 1, 00:04:36
[edit]
vyos@r14#

The client config and checks

vyos@r15:~$ show conf com | match ppp
set interfaces pppoe pppoe1 authentication password 'client-1'
set interfaces pppoe pppoe1 authentication username 'client-1'
set interfaces pppoe pppoe1 dhcpv6-options pd 1 interface dum1
set interfaces pppoe pppoe1 ipv6 address autoconf
set interfaces pppoe pppoe1 source-interface 'eth1'
set interfaces pppoe pppoe2 authentication password 'client-2'
set interfaces pppoe pppoe2 authentication username 'client-2'
set interfaces pppoe pppoe2 dhcpv6-options pd 1 interface dum2
set interfaces pppoe pppoe2 ipv6 address autoconf
set interfaces pppoe pppoe2 source-interface 'eth1'
vyos@r15:~$ 

vyos@r15:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                                MAC                VRF        MTU  S/L    Description
-----------  ----------------------------------------  -----------------  -------  -----  -----  -------------
dum1         2001:db8:8003:0:41c:89ff:fe32:a6ab/56     06:1c:89:32:a6:ab  default   1500  u/u
dum2         2001:db8:8003:100:68da:23ff:fe8c:c02b/56  6a:da:23:8c:c0:2b  default   1500  u/u
eth0         192.168.122.15/24                         52:54:00:55:80:8c  default   1500  u/u
eth1         -                                         52:54:00:09:0b:01  default   1500  u/u
eth2         -                                         52:54:00:96:17:74  default   1500  u/u
eth3         -                                         52:54:00:60:2a:d6  default   1500  u/u
eth4         -                                         52:54:00:73:28:72  default   1500  u/u
lo           127.0.0.1/8                               00:00:00:00:00:00  default  65536  u/u
             ::1/128
pppoe1       10.0.0.11/32                              n/a                default   1492  u/u
             2001:db8:8002:0:200::/64
pppoe2       10.0.0.12/32                              n/a                default   1492  u/u
             2001:db8:8002:1:200::/64
vyos@r15:~$

On circinus it works as expected

vyos@r14:~$ show version 
Version:          VyOS 1.5-stream-202510060458
Release train:    circinus
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Mon 06 Oct 2025 04:58 UTC
Build UUID:       4cc18633-7a44-40d1-949b-aeaa55f48ca6
Build commit ID:  9ebaec6bbf6877

checks

vyos@r14:~$ show ip route vrf red 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF red:
C>* 10.0.0.11/32 is directly connected, ppp0, weight 1, 00:00:21
K * 10.0.0.11/32 [0/0] is directly connected, ppp0, weight 1, 00:00:21
L>* 100.64.0.1/32 is directly connected, ppp0, weight 1, 00:00:21
K>* 100.64.0.11/32 [0/1] via 10.0.0.11, ppp0, weight 1, 00:00:21
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show ipv6  route vrf red 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIPng, O - OSPFv3, I - IS-IS, B - BGP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF red:
K>* ::1/128 [0/256] is directly connected, red, weight 1, 00:04:00
C>* 2001:db8:8002:4::/64 is directly connected, ppp0, weight 1, 00:00:28
K * 2001:db8:8002:4::/64 [0/256] is directly connected, ppp0, weight 1, 00:00:28
L>* 2001:db8:8002:4:100::/128 is directly connected, ppp0, weight 1, 00:00:28
K>* 2001:db8:8003:300::/56 [0/1024] via fe80::f449:15ff:fe64:22e6, ppp0, weight 1, 00:00:26
C>* fe80::/64 is directly connected, ppp0, weight 1, 00:00:28
vyos@r14:~$
Unknown Object (User) closed this task as Resolved. Oct 10 2025, 6:44 AM
Unknown Object (User) claimed this task.
Unknown Object (User) moved this task from Need Triage to Completed on the VyOS Rolling board.
Unknown Object (User) moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.