IPv6 Prefix Delegation does not work for PPP/L2TP with RADIUS attribute Accel-VRF-Name
RADIUS user
user2@local-host.local Cleartext-Password := "user2"
    Service-Type = Framed-User,
    Framed-IP-Address = "100.64.0.12",
    Framed-IPv6-Prefix = "2001:db8:0:2c::/64",
    Delegated-IPv6-Prefix = 2001:db8:0:ff2c::/64,
    Accel-VRF-Name = "CGNAT-VRF",
    Framed-Protocol = PPP
Without VRF, the last entry (the route for the delegated prefix 2001:db8:0:ff2c::/64) is present when checking with sudo ip monitor route:
local 100.64.0.1 dev l2tp0 table local proto kernel scope host src 100.64.0.1
100.64.0.12 dev l2tp0 proto kernel scope link src 100.64.0.1
fe80::/64 dev l2tp0 proto kernel metric 256 pref medium
local fe80::100:0:0:0 dev l2tp0 table local proto kernel metric 0 pref medium
anycast fe80:: dev l2tp0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev l2tp0 table local proto kernel metric 256 pref medium
2001:db8:0:2c::/64 dev l2tp0 proto kernel metric 256 pref medium
local 2001:db8:0:2c:100:: dev l2tp0 table local proto kernel metric 0 pref medium
anycast 2001:db8:0:2c:: dev l2tp0 table local proto kernel metric 0 pref medium
2001:db8:0:ff2c::/64 via fe80::fdc1:47ff:fec7:1e9 dev l2tp0 metric 1024 pref medium
With VRF, the prefix-delegation route (2001:db8:0:ff2c::/64) never appears in table CGNAT-VRF:
local 100.64.0.1 dev l2tp0 table CGNAT-VRF proto kernel scope host src 100.64.0.1
100.64.0.12 dev l2tp0 table CGNAT-VRF proto kernel scope link src 100.64.0.1
fe80::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
local fe80::100:0:0:0 dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
anycast fe80:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
multicast ff00::/8 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
2001:db8:0:2c::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
local 2001:db8:0:2c:100:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
anycast 2001:db8:0:2c:: dev l2tp0 table CGNAT-VRF proto kernel metric 0 pref medium
The VyOS configuration does not seem to matter; the behaviour is the same whether the box is a PPPoE server or an L2TP LAC. The L2TP configuration used here:
set container name radius allow-host-networks
set container name radius image 'dchidell/radius-web'
set container name radius volume accel destination '/usr/share/freeradius/dictionary.accel'
set container name radius volume accel source '/usr/share/accel-ppp/radius/dictionary.accel'
set container name radius volume clients destination '/etc/raddb/clients.conf'
set container name radius volume clients source '/config/containers/radius/clients'
set container name radius volume users destination '/etc/raddb/users'
set container name radius volume users source '/config/containers/radius/users'
set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication protocols 'chap'
set vpn l2tp remote-access authentication protocols 'pap'
set vpn l2tp remote-access authentication radius accounting-interim-interval '3500'
set vpn l2tp remote-access authentication radius acct-timeout '0'
set vpn l2tp remote-access authentication radius server 127.0.0.1 key 'vyos-secret'
set vpn l2tp remote-access client-ip-pool default-range-pool range '192.168.111.1-192.168.111.100'
set vpn l2tp remote-access client-ip-pool default-range-pool range '192.168.111.0/24'
set vpn l2tp remote-access default-pool 'default-range-pool'
set vpn l2tp remote-access gateway-address '100.64.0.1'
set vpn l2tp remote-access lns host-name 'megahost'
set vpn l2tp remote-access lns shared-secret 'SssEcrEttT'
set vpn l2tp remote-access mtu '1500'
set vpn l2tp remote-access name-server '1.0.0.1'
set vpn l2tp remote-access name-server '1.1.1.1'
set vpn l2tp remote-access outside-address '0.0.0.0'
set vpn l2tp remote-access ppp-options disable-ccp
set vpn l2tp remote-access ppp-options ipv6 'allow'
set vrf name CGNAT-VRF table '100'
Routing tables (user1 without VRF, user2 with VRF):
vyos@ppp-serv:~$ show l2tp-server sessions
 ifname |        username        |     ip      |          ip6           |        ip6-dp        | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
--------+------------------------+-------------+------------------------+----------------------+-------------+------------+--------+----------+----------+----------
 l2tp0  | user2@local-host.local | 100.64.0.12 | 2001:db8:0:2c:200::/64 | 2001:db8:0:ff2c::/64 | 192.0.2.2   |            | active | 00:16:25 | 2.4 KiB  | 1.2 KiB
 l2tp2  | user1@local-host.local | 100.64.0.10 | 2001:db8:0:2b:200::/64 | 2001:db8:0:ff2b::/64 | 192.0.2.2   |            | active | 00:15:44 | 894 B    | 1.4 KiB
vyos@ppp-serv:~$ show ipv6 route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF CGNAT-VRF:
C>* 2001:db8:0:2c::/64 is directly connected, l2tp0, 00:17:23
C>* fe80::/64 is directly connected, l2tp0, 00:17:23

VRF default:
C>* 2001:db8:0:2b::/64 is directly connected, l2tp2, 00:16:42
K>* 2001:db8:0:ff2b::/64 [0/1024] via fe80::fc9f:31ff:fe84:1bb0, l2tp2, 00:16:08
C * fe80::/64 is directly connected, l2tp2, 00:16:42
C * fe80::/64 is directly connected, eth1, 01:35:45
C * fe80::/64 is directly connected, eth0, 01:35:47
C>* fe80::/64 is directly connected, lo, 01:35:49
vyos@ppp-serv:~$
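An added check that automates the comparison above (this script is not part of the report, VyOS or accel-ppp): for every session that received a delegated prefix, it looks for a route to that prefix in the same kernel table as the session interface's connected /64, so a session whose prefix is missing from its VRF table is flagged. The sample session table and route list are constructed from the values shown in this report.

```shell
# Added check, not part of the bug report: for every accel-ppp session that was
# handed a delegated prefix (ip6-dp column), confirm a route for that prefix
# exists in the same routing table as the session interface's connected /64.
# Argument 1: output of "show l2tp-server sessions"; argument 2: output of
# "ip -6 route show table all". Both samples below are constructed from the report.
SESSIONS='ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
--------+------------------------+-------------+------------------------+----------------------+-------------+------------+--------+----------+----------+----------
l2tp0 | user2@local-host.local | 100.64.0.12 | 2001:db8:0:2c:200::/64 | 2001:db8:0:ff2c::/64 | 192.0.2.2 | | active | 00:16:25 | 2.4 KiB | 1.2 KiB
l2tp2 | user1@local-host.local | 100.64.0.10 | 2001:db8:0:2b:200::/64 | 2001:db8:0:ff2b::/64 | 192.0.2.2 | | active | 00:15:44 | 894 B | 1.4 KiB'
# user2's interface sits in CGNAT-VRF and has no delegated-prefix route (the bug);
# user1 is in the main table and does have one.
ROUTES='2001:db8:0:2c::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
fe80::/64 dev l2tp0 table CGNAT-VRF proto kernel metric 256 pref medium
2001:db8:0:2b::/64 dev l2tp2 proto kernel metric 256 pref medium
2001:db8:0:ff2b::/64 via fe80::fc9f:31ff:fe84:1bb0 dev l2tp2 metric 1024 pref medium'
# check_pd_routes SESSIONS ROUTES: prints "ifname table prefix OK|MISSING" per
# session with a delegated prefix; returns 1 if any prefix has no route in the
# table its interface belongs to. Routes without "table X" are in "main".
check_pd_routes() {
    printf '%s\n' "$2" | awk -v sessions="$1" '
    {
        dev = ""; table = "main"
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "table") table = $(i + 1)
        }
        # skip local/anycast/multicast entries; kernel-added connected routes
        # tell us which table the interface lives in
        if ($1 ~ /^(local|anycast|multicast|unreachable)$/) next
        if ($0 ~ / proto kernel /) conn[dev] = table
        route[$1 "|" table] = 1
    }
    END {
        rc = 0
        n = split(sessions, lines, "\n")
        for (l = 3; l <= n; l++) {            # lines 1-2 are header and rule
            split(lines[l], f, " *\\| *")
            ifname = f[1]; sub(/^[ \t]+/, "", ifname); pd = f[5]
            if (ifname == "" || pd == "") continue
            table = (ifname in conn) ? conn[ifname] : "main"
            status = ((pd "|" table) in route) ? "OK" : "MISSING"
            if (status == "MISSING") rc = 1
            print ifname, table, pd, status
        }
        exit rc
    }'
}

check_pd_routes "$SESSIONS" "$ROUTES" || echo "at least one delegated prefix has no route in its VRF table"
```

On a live box, feed it the real outputs, e.g. check_pd_routes "$(run show l2tp-server sessions)" "$(ip -6 route show table all)".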
The bug is in upstream accel-ppp (https://github.com/accel-ppp/accel-ppp): either the delegated-prefix route is not installed into the session's VRF table, or this case was simply never implemented when VRF support was added in https://github.com/accel-ppp/accel-ppp/commit/737bf4d8b6e9e1bf50be69e8c99028bb2696190c