- Difficulty level
  - Unknown (require assessment)
- Why the issue appeared?
  - Will be filled on close
- Is it a breaking change?
  - Perfectly compatible
- Issue type
  - Feature (new functionality)
|Resolved||FEATURE REQUEST||hagbard||T742 Replace poptop and xl2tpd with accel-ppp|
|Resolved||FEATURE REQUEST||hagbard||T989 Add support for IPoE server|
|Resolved||FEATURE REQUEST||hagbard||T1494 accel-ppp: IPoE update documentation|
|Resolved||FEATURE REQUEST||hagbard||T1495 accel-ppp: IPoE implement IPv6 PD|
|Resolved||FEATURE REQUEST||hagbard||T1510 [IPoE] vlan-mon option implementation|
In case someone else finds it helpful:
Gonna start shortly with IPoE implementation.
For the ones who want to follow or have an early glimpse: https://github.com/hagbard-01/vyos-1x/tree/IPoE
It seems that local auth is impossible, all I found is to configure it against radius, user should check abills as billing system. (https://sourceforge.net/projects/abills/)
If anyone knows how to use local authentication like chap or pap or anything, let me know please. Otherwise IPoE seems a real nice option, not as robust as ppp, but quite nice.
IPoE module test connection:
Nov 26 18:35:19 accel accel-ipoe: ipoe0:eth2: recv [DHCPv4 Request xid=23249d54 chaddr=08:00:27:8d:38:56 <Message-Type Request> <Server-ID 10.1.1.250> <Request-IP 10.1.1.254> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Domain-Name,MTU>]
Nov 26 18:35:19 accel accel-ipoe: ipoe0:eth2: send [DHCPv4 Ack xid=23249d54 yiaddr=10.1.1.254 chaddr=08:00:27:8d:38:56 <Message-Type Ack> <Server-ID 10.1.1.250> <Lease-Time 300> <T1 150> <Router 10.1.1.250> <Subnet 255.255.255.255>]
Nov 26 18:35:19 accel accel-ipoe: ipoe0:eth2: ipoe: session started
Nov 26 18:35:22 accel ntpd: Listen normally on 9 ipoe0 10.1.1.250 UDP 123
Nov 26 18:35:22 accel ntpd: Listen normally on 10 ipoe0 fe80::a00:27ff:fe80:636d UDP 123
Nov 26 18:35:22 accel ntpd: peers refreshed
If I understand you correctly.
In order for accel-ppp to work with the local chap ipoe, you need to remove the radius parameter from the modules section and set chap-secrets.
Secondly, add a user to chap-secrets like this:
set service pppoe-server authentication mode local
set service pppoe-server authentication local-users
set service pppoe-server authentication local-users username USER_MAC password USER_MAC
set service pppoe-server authentication local-users username USER_MAC static-ip USER_IP
Create a script that will select the MAC address in the username field:
accel-ppp.lua with contents:
-- Use the client's MAC address (DHCP chaddr) as the session username
function username(pkt)
    return pkt:hdr('chaddr')
end
And install in the ipoe section:
lua-file=/etc/accel-ppp/accel-ppp.lua
username=lua:username
password=username
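Added example, not part of the thread and not accel-ppp or VyOS code: with the MAC address serving as both username and password, one way to audit such a setup is to check every DHCPv4 Ack in the accel-ipoe log against the expected bindings. The log format is taken from the test connection above; the per-interface `BINDINGS` table, the `audit` function and the last two sample lines are constructed for illustration.

```python
import re

# (interface, MAC) -> expected IP, mirroring per-interface local users.
# Constructed for this example from the addresses in the log above.
BINDINGS = {("eth2", "08:00:27:8d:38:56"): "10.1.1.254"}

# Matches "send [DHCPv4 Ack ...]" lines in the format shown in the thread.
ACK_RE = re.compile(
    r"accel-ipoe: \S+?:(?P<iface>[^:\s]+): send \[DHCPv4 Ack "
    r"xid=[0-9a-f]+ yiaddr=(?P<ip>[\d.]+) "
    r"chaddr=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def audit(lines, bindings=BINDINGS):
    """Return (reason, iface, mac, ip) for every Ack that breaks a binding."""
    known_macs = {mac for _, mac in bindings}
    findings = []
    for line in lines:
        m = ACK_RE.search(line)
        if not m:
            continue  # not a DHCPv4 Ack sent by the IPoE module
        iface, mac, ip = m["iface"], m["mac"].lower(), m["ip"]
        expected = bindings.get((iface, mac))
        if expected is None:
            # Known MAC on another port, or a MAC nobody provisioned
            reason = "wrong-interface" if mac in known_macs else "unknown-mac"
            findings.append((reason, iface, mac, ip))
        elif expected != ip:
            findings.append(("wrong-ip", iface, mac, ip))
    return findings

# First line is the Ack from the test connection above (options trimmed);
# the other two are constructed to trigger findings.
SAMPLE = [
    "Nov 26 18:35:19 accel accel-ipoe: ipoe0:eth2: send [DHCPv4 Ack xid=23249d54 "
    "yiaddr=10.1.1.254 chaddr=08:00:27:8d:38:56 <Message-Type Ack>]",
    "Nov 26 18:40:02 accel accel-ipoe: ipoe1:eth3: send [DHCPv4 Ack xid=0a1b2c3d "
    "yiaddr=10.1.1.254 chaddr=08:00:27:8D:38:56 <Message-Type Ack>]",
    "Nov 26 18:41:10 accel accel-ipoe: ipoe2:eth2: send [DHCPv4 Ack xid=5e6f7a8b "
    "yiaddr=10.1.1.253 chaddr=08:00:27:aa:bb:cc <Message-Type Ack>]",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```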
Authentication is still missing, but so far it is a well working prototype. DHCP relay is going to be implemented next as well as radius before I have a look into local auth.
Local auth successfully tested and started to implement. noauth can be set as an option too. radius still needs to be tested, but it always has a higher priority than any other authentication module. Shaper will be the last item implemented before it is going to be released to the rolling images, after that the community can test.
All done so far, still need to do the show service commands and verify() to check the values before trying to write the config. But other than that it's working well.
Will build an iso with it too, shouldn't be that much different from a functional point of view.
I checked ipoe local user authentication with the following config:
set service ipoe-server authentication interface eth1 mac-address 00:0c:29:2c:9b:d4
set service ipoe-server authentication mode 'local'
set service ipoe-server dns-server server-1 '18.104.22.168'
set service ipoe-server dns-server server-2 '22.214.171.124'
set service ipoe-server interface eth1 client-subnet '100.64.64.0/24'
set service ipoe-server interface eth1 network-mode 'L2'
How about a global ip-pool without the interface option?
[ip-pool]
gw-ip-address=100.64.64.1/24
gw-ip-address=100.64.0.1/16
100.64.0.3/16,name=external
100.64.64.2-255,name=pool1,next=external
[ipoe]
gw-ip-address=100.64.64.1/24
gw-ip-address=100.64.0.1/16
ip-pool=pool1
@Dmitry What would be the benefit for that? You would lose the ability to authenticate a particular mac address via a specific interface, wouldn't you?
@hagbard I think authentication must work without any changes, but we may just use a shared ip-address pool for any number of interfaces. With the current schema, we will need to add an ip-range for every interface.
@Dmitry that was actually what I had in mind when I was implementing it. Otherwise it's hard to monitor if you want to have it down to specific ways it does route the traffic. Let's see if the community requests something like that. It would mean a whole bunch of more flexibility but also way more items to configure and verify. IPv6 would be global anyway, so the only way there would be to disable IPv6 on an interface, the subnets on IPv6 are usually big enough, so it would only come down to IPv4 anyway.