PPPoE + zone-policy - PPPoE interface not coming up

Hi All

I am trying to configure VyOS in the most basic form using PPPoE with a zone-based firewall.

eth0 - WAN (PPPoE)
eth1 - LAN 192.168.0.0/24

When I have my zone policy configured, the PPPoE interface never comes up.

show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u  internet
eth1             192.168.0.254/24                  u/D  LAN
lo               127.0.0.1/8                       u/u 

If I delete the zone-policy configuration, the PPPoE interface comes up.

vyos@vyos# delete zone-policy 
[edit]
vyos@vyos# commit
vyos@vyos:~$ show inter
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u  internet
eth1             192.168.0.254/24                  u/D  LAN
lo               127.0.0.1/8                       u/u                                 
pppoe0           203.202.73.210/32                 u/u  
vyos@vyos:~$   

How do I configure zone policy to allow PPPoE to work? Do I need something for eth0 in addition to PPPoE running on eth0?

As the commands have changed since VyOS 1.3, is my PPPoE stanza correct, to dial immediately, stay permanently connected and reconnect on drop?

set interfaces pppoe pppoe0 authentication password xxxxxx
set interfaces pppoe pppoe0 authentication user xxxxxx
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 service-name 'XXXXXX'
set interfaces pppoe pppoe0 source-interface 'eth0'

Joshy

My full configuration.

set firewall name LAN-LOCAL default-action 'accept'
set firewall name LAN-WAN default-action 'accept'
set firewall name LOCAL-LAN default-action 'accept'
set firewall name LOCAL-WAN default-action 'accept'
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN enable-default-log
set firewall name WAN-LAN rule 1 action 'accept'
set firewall name WAN-LAN rule 1 description 'Allow Established/Related Traffic'
set firewall name WAN-LAN rule 1 state established 'enable'
set firewall name WAN-LAN rule 1 state related 'enable'
set firewall name WAN-LAN rule 2 action 'drop'
set firewall name WAN-LAN rule 2 log 'enable'
set firewall name WAN-LAN rule 2 state invalid 'enable'
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 1 action 'accept'
set firewall name WAN-LOCAL rule 1 description 'Allow Established/Related Traffic'
set firewall name WAN-LOCAL rule 1 state established 'enable'
set firewall name WAN-LOCAL rule 1 state related 'enable'
set firewall name WAN-LOCAL rule 2 action 'drop'
set firewall name WAN-LOCAL rule 2 log 'enable'
set firewall name WAN-LOCAL rule 2 state invalid 'enable'
set interfaces ethernet eth0 description 'internet'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:7a'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'xxx.xxx.0.254/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:7b'
set interfaces loopback lo
set interfaces pppoe pppoe0 authentication password xxxxxx
set interfaces pppoe pppoe0 authentication user xxxxxx
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 service-name 'XXXXXX'
set interfaces pppoe pppoe0 source-interface 'eth0'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'

Try adding the following to allow packets for PPPoE to the router.

set firewall name WAN_LOCAL rule 700 action 'accept'
set firewall name WAN_LOCAL rule 700 destination port '546'
set firewall name WAN_LOCAL rule 700 protocol 'udp'
set firewall name WAN_LOCAL rule 700 source port '547'

This reads as a bug. The PPPoE protocol itself is NOT IPv4 or IPv6 (so allowing UDP ports makes no sense).
PPPoE packets have a different EtherType than IPv4 and should not be touched by IPv4 logic (at least, not before de-encapsulation).
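
The EtherType distinction raised in the reply above, as an added example that is not part of the original thread: a small Python classifier showing that PPPoE discovery and session frames on the physical interface carry no IP header for a UDP port rule to match, and that ports only become visible once the PPP payload is de-encapsulated. The function names, frames, MAC address and IP addresses are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x0800, 0x8863, 0x8864  # RFC 2516
DISC_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPP_PROTOS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP", 0x8021: "IPCP"}

def udp_ports(ip: bytes):
    """Return (sport, dport) if `ip` is an IPv4 packet carrying UDP, else None."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    return struct.unpack("!HH", ip[ihl:ihl + 4]) if len(ip) >= ihl + 4 else None

def classify(frame: bytes) -> dict:
    """Report what a port-based IP rule could see in a frame on the physical NIC."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    if ethertype == ETH_IPV4:
        return {"kind": "IPv4", "ip_on_wire": True, "udp": udp_ports(body)}
    if ethertype not in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        return {"kind": hex(ethertype), "ip_on_wire": False, "udp": None}
    if len(body) < 6:
        raise ValueError("truncated PPPoE header")
    _ver_type, code, _session, length = struct.unpack("!BBHH", body[:6])
    payload = body[6:6 + length]
    if ethertype == ETH_PPPOE_DISC:  # discovery carries tags only, no IP at all
        kind = "PPPoE discovery " + DISC_CODES.get(code, hex(code))
        return {"kind": kind, "ip_on_wire": False, "udp": None}
    if len(payload) < 2:
        raise ValueError("truncated PPP protocol field")
    (proto,) = struct.unpack("!H", payload[:2])
    # Ports exist only inside the PPP payload, i.e. after de-encapsulation.
    inner = udp_ports(payload[2:]) if proto == 0x0021 else None
    kind = "PPPoE session " + PPP_PROTOS.get(proto, hex(proto))
    return {"kind": kind, "ip_on_wire": False, "udp": inner}

# Constructed sample frames: locally administered MAC, documentation IP addresses.
def eth(ethertype: int, body: bytes) -> bytes:
    return bytes.fromhex("ffffffffffff020000000001") + struct.pack("!H", ethertype) + body
def pppoe(code: int, session: int, payload: bytes) -> bytes:
    return struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload

IP_UDP = bytes.fromhex("4500001c 00000000 40110000 c0000201 c6336401 00359c40 00080000")
PADI = eth(ETH_PPPOE_DISC, pppoe(0x09, 0, bytes.fromhex("01010000")))
LCP_ECHO = eth(ETH_PPPOE_SESS, pppoe(0x00, 1, bytes.fromhex("c021 09010008 deadbeef")))
TUNNELLED = eth(ETH_PPPOE_SESS, pppoe(0x00, 1, bytes.fromhex("0021") + IP_UDP))
PLAIN = eth(ETH_IPV4, IP_UDP)
```

Calling `classify()` on each sample shows `ip_on_wire` is false for all three PPPoE frames; only `TUNNELLED` yields UDP ports, and only from inside the PPP payload.
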

I built a 1.3 image and that just worked with no additional configuration.

set interfaces pppoe pppoe0 authentication password xxxxxx
set interfaces pppoe pppoe0 authentication user xxxxxx
set interfaces pppoe pppoe0 default-route 'force'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 source-interface 'eth0'

I’ll try the latest rolling 1.4 image and see if the behaviour is still the same.

Confirmed works okay today using latest rolling release.
