Ipoe-server over 802.1ad interfaces and zone based firewall

Hello,
I am kind of new to VyOS, more familiar with other routers.

I am trying to evaluate VyOS as a BNG for Ethernet subscribers. My subscribers are delivered over 802.1ad, one c-tag per subscriber.

This is my setup:

interfaces {
    ethernet eth1 {
        [...]
        vif-s 1001 {
            protocol 802.1ad
        }
    }
}
service {
    ipoe-server {
        authentication {
            mode radius
            radius {
                nas-identifier vpr-tst
                preallocate-vif
                [...]
            }
        }
        client-ip-pool IPOE {
            range 100.65.21.192-100.65.21.249
        }
        default-pool IPOE
        gateway-address 100.65.21.254/26
        interface eth1.1001 {
            mode l2
            network vlan
            vlan 101-199
            vlan-mon
        }
    }
}

This works until I configure even the most basic firewall. If I add just a simple zone-based firewall to protect the router itself, then the ipoe-server stops receiving DHCP requests (which are there; I can see them coming in with ‘monitor traffic’).

I tried:

  • leaving all the interfaces entirely out of the firewall and only defining rules between the public and local interfaces
  • putting eth1.1001 and eth1.1001.* into a specific zone with everything accepted both from and to the public and local interfaces, if this even makes sense
  • logging every deny in every zone, still I don’t get anything logged that pertains to the ipoe interface

I am not even sure where to begin handling this kind of traffic in the firewall. Any help?

I’d start with show version and a minimal set of commands to reproduce.

Thank you, here is the ‘show version’

Version:          VyOS 1.5-stream-2025-Q1
Release train:    circinus
Release flavor:   generic

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Thu 13 Feb 2025 18:06 UTC
Build UUID:       b38b28e0-a516-4f56-a596-5502ae094d3b
Build commit ID:  5128f5e45cdb73-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   Super Server
Hardware S/N:     0123456789

Things appear to be a bit different than they seemed at first: the firewall is a factor, but not in the way I initially thought:

no firewall => ipoe-server works as intended from boot on
firewall => after boot, or config rollback, I need to manually restart the ipoe-server once before it starts processing requests

[just rebooted, waited some minutes]

lele@vyos:~$ show ipoe-server sessions 
ifname | username | calling-sid | ip | ip6 | ip6-dp | rate-limit | type | comp | state | uptime 
--------+----------+-------------+----+-----+--------+------------+------+------+-------+--------
lele@vyos:~$ restart ipoe-server 
lele@vyos:~$ show ipoe-server sessions 
ifname     |   username    |    calling-sid    |      ip       |                  ip6                 |       ip6-dp       |  rate-limit   | type | comp | state  |  uptime  
---------------+---------------+-------------------+---------------+--------------------------------------+--------------------+---------------+------+------+--------+----------
 eth1.1001.101 | eth1.1001.101 | d4:01:c3:30:f1:2f | 100.65.21.200 | fd01:200:99:1:d601:c3ff:fe30:f12f/64 | fd01:200:99:2::/64 | 100000/100000 | ipoe |      | active | 00:00:05
lele@vyos:~$ show log ipoe-server 
Mar 17 20:40:16 systemd[1]: Starting accel-ppp@ipoe.service - Accel-PPP - High performance VPN server application for Linux...
Mar 17 20:40:16 systemd[1]: Started accel-ppp@ipoe.service - Accel-PPP - High performance VPN server application for Linux.
Mar 17 20:43:24 accel-ipoe[4407]: terminate, sig = 15
Mar 17 20:43:36 accel-ipoe[5098]: eth1.1001.101:: send [RADIUS(1) Access-Request id=1 ...
Mar 17 20:43:36 accel-ipoe[5098]: eth1.1001.101:: recv [RADIUS(1) Access-Accept id=1 ...
Mar 17 20:43:36 accel-ipoe[5098]: eth1.1001.101:eth1.1001.101: ipoe: session started

The firewall is a very simple zone-based firewall, with two zones:

set zone router default-log
set zone router from untrust firewall name 'untrust-to-local'
set zone router local-zone
set zone untrust default-log
set zone untrust from router firewall name 'local-to-untrust'
set zone untrust interface 'eth3'

set ipv4 name local-to-untrust default-action 'accept'
set ipv4 name untrust-to-local default-action 'drop'
set ipv4 name untrust-to-local default-log
set ipv4 name untrust-to-local rule 1 action 'accept'
set ipv4 name untrust-to-local rule 1 state 'established'
set ipv4 name untrust-to-local rule 1 state 'related'
set ipv4 name untrust-to-local rule 2 action 'drop'
set ipv4 name untrust-to-local rule 2 log
set ipv4 name untrust-to-local rule 2 state 'invalid'
set ipv4 name untrust-to-local rule 10 action 'accept'
set ipv4 name untrust-to-local rule 10 source group network-group 'trusted'

Not sure if it’s still something I am missing. Hope it helps.
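Since the symptom reported above is an empty ‘show ipoe-server sessions’ table after boot that clears up after one ‘restart ipoe-server’, here is an added example (not from the thread or from VyOS) of a boot-time check that detects that state from the command output and applies the same manual workaround once. The table parser works on the text format shown in the posts; the sample tables in the script are constructed copies of that format. The vyatta-op-cmd-wrapper path used for the live branch is an assumption about how op-mode commands are reached from a script; the two op-mode commands themselves are the ones used in this thread.

```shell
#!/bin/sh
# Example IPoE session watchdog (added example, not VyOS code).
# Parses the table printed by `show ipoe-server sessions` and reports
# whether any session row is present.

# Count data rows: pipe-separated lines that are neither the header
# (contains "ifname") nor the dashed separator line.
ipoe_session_count() {
    awk -F'|' '
        /ifname/     { next }              # header row
        /^[-+ ]+$/   { next }              # separator row
        NF > 1 {
            ifname = $1
            gsub(/^[ \t]+|[ \t]+$/, "", ifname)
            if (ifname != "") n++
        }
        END { print n + 0 }'
}

# True (exit 0) when the table on stdin shows no sessions, i.e. the
# post-boot state described in the thread.
ipoe_needs_restart() {
    [ "$(ipoe_session_count)" -eq 0 ]
}

# Constructed sample outputs in the format shown in the posts.
SAMPLE_EMPTY=$(cat <<'EOF'
ifname | username | calling-sid | ip | ip6 | ip6-dp | rate-limit | type | comp | state | uptime
--------+----------+-------------+----+-----+--------+------------+------+------+-------+--------
EOF
)

SAMPLE_ACTIVE=$(cat <<'EOF'
    ifname     |   username    |    calling-sid    |      ip       | ip6 | ip6-dp | rate-limit | type | comp | state  |  uptime
---------------+---------------+-------------------+---------------+-----+--------+------------+------+------+--------+----------
 eth1.1001.101 | eth1.1001.101 | d4:01:c3:30:f1:2f | 100.65.21.200 |     |        | 100000/100000 | ipoe |      | active | 00:00:05
 eth1.1001.102 | eth1.1001.102 | d4:01:c3:30:f1:30 | 100.65.21.201 |     |        | 100000/100000 | ipoe |      | active | 00:00:02
EOF
)

# Live mode: only when invoked as `--live` on the VyOS box. The wrapper
# path is an assumption; run it once from a boot-time hook, not in a loop,
# so a genuinely idle BNG is not restarted over and over.
if [ "${1:-}" = "--live" ]; then
    OP=/opt/vyatta/bin/vyatta-op-cmd-wrapper
    if "$OP" show ipoe-server sessions | ipoe_needs_restart; then
        logger -t ipoe-watchdog "no IPoE sessions after boot, restarting ipoe-server once"
        "$OP" restart ipoe-server
    fi
fi
```

This only automates the workaround the thread already describes; it does not explain why accel-ipoe ignores DHCP until restarted when the zone firewall is present, and a BNG with no subscribers online would also trip it, which is why it belongs in a one-shot boot hook rather than a cron job.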

There could be a bug with the firewall; the solution is described here: https://forum.vyos.io/t/have-to-delete-firewall-global-options-state-policy-invalid-after-upgrading-to-1-5-stream-2025-q1/

Thanks a lot!

But I do not think it’s the same issue. I had seen that thread before and for that reason I am not using global policies in firewall.

Anyway, I thought I was mistaken about something, but my configuration appears to work OK after I restart the ipoe-server.

If I learn anything new I’ll let everyone know.
