Newbie with pppoe case

I cannot quite figure out why the following configuration doesn’t work

vyos@Sentinel# show
 firewall {
     config-trap disable
     send-redirects enable
     twa-hazards-protection disable
 }
 interfaces {
     bridge br1 {
         address 10.10.8.1/21
         description LAN
         firewall {
             in {
             }
         }
         member {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             interface eth5 {
             }
         }
     }
     ethernet eth0 {
         description WAN
         firewall {
             in {
             }
             local {
             }
         }
         hw-id 40:62:31:0b:fc:5b
     }
     ethernet eth1 {
         hw-id 40:62:31:0b:fc:5c
     }
     ethernet eth2 {
         hw-id 40:62:31:0b:fc:5d
     }
     ethernet eth3 {
         hw-id 40:62:31:0b:fc:5e
     }
     ethernet eth4 {
         hw-id 40:62:31:0b:fc:5f
     }
     ethernet eth5 {
         hw-id 40:62:31:0b:fc:60
     }
     loopback lo {
     }
     pppoe pppoe0 {
         authentication {
             password SANITIZED
             user SANITIZED
         }
         default-route auto
         mtu 1480
         no-peer-dns
         source-interface eth0
     }
 }
 nat {
     source {
         rule 100 {
             outbound-interface pppoe0
             source {
                 address 10.10.8.0/21
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 service {
     dhcp-server {
         shared-network-name LAN_POOL {
             subnet 10.10.8.0/21 {
                 default-router 10.10.8.1
                 dns-server 10.10.8.1
                 range 0 {
                     start 10.10.8.2
                     stop 10.10.15.254
                 }
             }
         }
     }
     dns {
         forwarding {
             allow-from 10.10.8.0/21
             cache-size 9048
             listen-address 10.10.8.1
             name-server 8.8.4.4
             name-server 8.8.8.8
         }
     }
     ssh {
         port 13337
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     console {
         device ttyS0 {
             speed 115200
         }
     }
     host-name Sentinel
     login {
         user vyos {
             authentication {
                 encrypted-password SANITIZED
             }
         }
     }
     name-server 8.8.4.4
     name-server 8.8.8.8
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.us.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
         server us.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level info
             }
             facility protocols {
                 level debug
             }
         }
     }
 }

Tried to access the internet, but there is no access from my PC, while pinging Google from VyOS works.

Version :

vyos-1.3-rolling-202012230217-amd64

Is there a TCP MSS problem? Please refer to the docs.vyos.io description of MSS.

Hello @echelon

First, try to figure out what the PPPoE connection state is now: on the router, run ping 1.1.1.1.
Then try to reach 1.1.1.1 via ICMP from your PC. If you see an ICMP response, try to check the nameserver: run ping example.com from your PC.

@jack9603301
Applied the config and restarted, but no luck.

@Dmitry
Pinging 1.1.1.1 on the PC and on the router works, but named servers such as google.com don’t work on either of them. I have now updated to the latest 1.4 rolling release, but it is the same.

Also, a weird thing is that “show interfaces pppoe pppoe0”
doesn’t show the connection status, only my pppoe0 connection settings. But I can ping IPv4 addresses directly and cannot resolve domain names.

If you run operational commands from configuration mode, you need to use run before commands, as an example

run show interfaces pppoe pppoe0

Even if you ping the host by domain from the router?

Ah, newbie mistake.
Using run, it now shows connected, but the pppoe0 state is unknown.

In /var/log/messages there is a warning from pppd:

Unsupported protocol ‘IPv6 Control Protocol’ (0x8057) received

And from the zebra daemon:

Warning: PtP interface pppoe0 with addr WAN_IP/32 needs a peer address

Yes, on rolling v1.4 I now cannot ping a domain name.

Can you provide the output of the following commands?

run show interfaces pppoe 
sudo nslookup example.com

run show interfaces pppoe :
pppoe0 WAN_IP/32 u/u

sudo nslookup google.com :
;; connection timed out; no servers could be reached

This gave me a pointer, so I deleted no-peer-dns, and voilà, I can ping domain names on the router, but still cannot on the client PC.

Going back to vyos-1.3-rolling-202012230217-amd64 also makes no change.

Please show me sudo cat /etc/resolv.conf

It contains the peer DNS:
nameserver 203.142.82.222
nameserver 203.142.84.222

Autogenerated by VyOS

Managed to get it working by :

del system name-server ‘8.8.4.4’
del system name-server ‘8.8.8.8’
del service dns forwarding name-server ‘8.8.8.8’
del service dns forwarding name-server ‘8.8.4.4’
#And use peer dns
set system name-server ‘203.142.82.222’
set system name-server ‘203.142.84.222’
set service dns forwarding system

I think you definitely need to ask your ISP about DNS blocking.

Well, I have asked; it’s their policy to comply with my government’s rules.

This is why we need DoH / DNS over HTTPS or even DoT / DNS over TLS. Mikrotik has already implemented DoH; when can we see some light on DoH or DoT in VyOS?

It’s easy to set up Pi-hole and use DoH.

https://docs.pi-hole.net/guides/dns-over-https/

Works great.

Good idea! But it would be better if it were built into VyOS.

Great, they are even blocking phabricator.vyos.net!

I would honestly keep DNS management off your router. Pi-hole is built for it and focuses on it.

I much prefer the great VyOS team to keep enhancing the core features rather than having to deal with extra and complex additions which are already done very well elsewhere.


You don’t need anything particularly fancy to do DNS over HTTPS/TLS. I’m using nginx to provide DoH, Unbound or knot-resolver for DoT, and Let’s Encrypt certs for it all. I’m happy to share infrastructure notes.


That would be great to see actually.

I’m using pihole and an extra docker service to handle DoH. What upstream DNS are you talking to?

My DNS servers all speak directly to the root servers. Now that I look at it, I apparently didn’t finish setting up DoH before I was in a car collision, but DoT is here.

I am using the nginx stream module, which is built by default in FreeBSD’s nginx pkg binary. Note, this is not the reason I am using FreeBSD over something else. Stream might be enabled in Linux repositories; I haven’t checked.

stream {
  upstream dns {
    zone dns 64k;
    server 127.0.0.1:5353;   # local Unbound, must accept DNS over TCP
  }
  server {
    listen 853 ssl;          # DoT port (RFC 7858); TLS is terminated here
    ssl_certificate /usr/local/etc/letsencrypt/live/dot0.domain.tld/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/dot0.domain.tld/privkey.pem;
    proxy_pass dns;          # decrypted TCP stream is relayed unchanged
  }
}

Unbound is then running locally on 5353 and sends unknown queries to the root servers. The roots do not currently support encryption, so no matter what upstream you use, your queries will ultimately be sent to the root unencrypted for now. I believe there have been talks about changing this.

server:
    interface: 127.0.0.1:5353     # only the local nginx DoT proxy talks to Unbound

auth-zone:
    name: "."
    # local copy of the root zone, fetched by zone transfer from these servers
    primary: 199.9.14.201         # b.root-servers.net
    primary: 192.33.4.12          # c.root-servers.net
    primary: 199.7.91.13          # d.root-servers.net
    primary: 192.5.5.241          # f.root-servers.net
    primary: 192.112.36.4         # g.root-servers.net
    primary: 193.0.14.129         # k.root-servers.net
    primary: 192.0.47.132         # xfr.cjr.dns.icann.org
    primary: 192.0.32.132         # xfr.lax.dns.icann.org
    primary: 2001:500:200::b      # b.root-servers.net
    primary: 2001:500:2::c        # c.root-servers.net
    primary: 2001:500:2d::d       # d.root-servers.net
    primary: 2001:500:2f::f       # f.root-servers.net
    primary: 2001:500:12::d0d     # g.root-servers.net
    primary: 2001:7fd::1          # k.root-servers.net
    primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
    primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org

On the Let’s Encrypt side, I am using certbot-dns-rfc2136 to dynamically add the ACME challenge response to my domain’s servers, which are running Knot. It runs periodically under a crontab with a post hook to restart the nginx service if the certificate renewal was successful.

key:
  - id: acmekey.
    algorithm: hmac-sha512
    secret: BG==

acl:
  - id: letsencrypt_update
    key: acmekey.
    action: update

zone:
  - domain: domain.tld
    storage: /usr/local/etc/knot/zones
    file: domain.tld.zone
    ...
    acl: [ns02_transfer, ns03_transfer, letsencrypt_update]

Internally it is similar, but I am using a subdomain of my external domain (dot[0-1].local.domain.tld) for my LAN. Still left on my TODO for internal is figuring out what DHCP options need to be set for clients to auto-configure DoT/DoH. My router handles DHCP and forward+reverse DNS mapping for the internal domain. I have two resolvers, one physical and the other virtual, running Unbound to forward local zone requests to my router or out to the root, but they could be configured to ask an external server with DoH or DoT.

I am using Let’s Encrypt purely for the convenience of not having to push a self-signed certificate to every device I want to use my DoT servers on. Using self-signed certs would reduce the complication slightly but make the internal part more flexible or easier to adapt to an existing infrastructure that might not be set up correctly.

EDIT: Sorry to hijack your thread @echelon
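To show what the nginx stream listener above is actually relaying, here is an added example (not code from this thread or from VyOS/nginx/Unbound) of a minimal DNS over TLS client in standard-library Python: it builds a DNS query in wire format, applies the two-byte length prefix that DoT shares with DNS over TCP, sends it over a certificate-verified TLS session, and parses the A records out of the reply while checking the transaction ID and RCODE. The server name `dot0.domain.tld` is the placeholder from the posted config; any real hostname or address you pass in is an assumption of your own setup.

```python
"""Minimal DNS over TLS (RFC 7858) client, stdlib only.

Added example for the thread above; not code from the original post.
Assumes a DoT endpoint like the posted nginx `stream` block (TLS on 853,
raw TCP relayed to a resolver). `dot0.domain.tld` is a placeholder name.
"""
import secrets
import socket
import ssl
import struct
from typing import List, Optional

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Encode a recursive query (RFC 1035 wire format).

    A random 16-bit transaction ID is used unless one is given. The reply must
    echo it; that is DNS's only built-in reply-matching check, and in DoT the
    TLS session is what actually protects the exchange.
    """
    if txid is None:
        txid = secrets.randbits(16)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes, expected_id: Optional[int] = None) -> List[str]:
    """Extract A-record addresses from a response; raise on ID mismatch or error RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                # skip echoed question(s): name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_dot(server: str, qname: str, server_name: Optional[str] = None,
                port: int = 853, timeout: float = 5.0) -> List[str]:
    """Resolve qname (A records) over a verified TLS session to server:port."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return parse_answers(reply, expected_id=struct.unpack("!H", query[:2])[0])


if __name__ == "__main__":
    # Placeholder endpoint from the posted nginx config; needs a real DoT server.
    print(resolve_dot("dot0.domain.tld", "example.com"))
```

Because nginx's stream proxy relays the decrypted bytes unchanged, the length-prefixed messages arrive at 127.0.0.1:5353 exactly as a plain DNS-over-TCP client would send them, so the resolver behind the proxy must accept TCP (Unbound does by default). The hostname check in `ssl.create_default_context()` is what makes the Let's Encrypt certificate worth having: with verification disabled, a network that can rewrite 853 could stand in for the server just as easily as it blocks 8.8.8.8 today.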

There are multiple ways to do this, the more I think about it. What I originally posted is one of many complete solutions. You could take it apart anywhere and go another direction. If you’re going to pay for a VPS anyway, there are other options: you could run a resolver and VPN software on it and use VyOS to transport DNS traffic over the VPN. If you want to keep everything local, virtualization or Docker will help the most here, but they’re not required.
