Vyos as BNG. pppoe client unable to connect

I am trying to use VyOS as a BNG, but the PPPoE client is unable to connect.

I have done the configuration below on the server. Please suggest whether any correction is required.


set interfaces ethernet eth0 description 'LAN'
set interfaces ethernet eth0 vif 999 description 'TEST'
set interfaces ethernet eth1 address '100.100.100.2/30'
set interfaces ethernet eth1 description 'WAN'
set interfaces pppoe pppoe0 service-name 'ServiceName'
set interfaces pppoe pppoe0 source-interface 'eth0.999'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '172.20.10.0/24'
set nat source rule 10 translation address '200.200.200.0/28'
set protocols static route 0.0.0.0/0 next-hop 100.100.100.1
set service pppoe-server access-concentrator 'test'
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius acct-timeout '1'
set service pppoe-server authentication radius dynamic-author key 'testkey'
set service pppoe-server authentication radius dynamic-author port '3799'
set service pppoe-server authentication radius dynamic-author server '50.50.50.50'
set service pppoe-server authentication radius max-try '20'
set service pppoe-server authentication radius nas-identifier 'Microscan'
set service pppoe-server authentication radius nas-ip-address '100.100.100.2'
set service pppoe-server authentication radius server 90.90.90.90 acct-port '1920'
set service pppoe-server authentication radius server 90.90.90.90 key 'testkey'
set service pppoe-server authentication radius server 90.90.90.90 port '1900'
set service pppoe-server authentication radius timeout '60'
set service pppoe-server client-ip-pool subnet '172.20.10.0/24'
set service pppoe-server gateway-address 100.100.100.1
set service pppoe-server interface eth0.999 vlan '999'
set service pppoe-server name-server '8.8.8.8'
set service pppoe-server service-name 'ServiceName'

Thanks

You configured a PPPoE client and server on the same interface.

It is a PPPoE client interface, so remove it:

set interfaces pppoe pppoe0 service-name 'ServiceName'
set interfaces pppoe pppoe0 source-interface 'eth0.999'

And change:

set service pppoe-server interface eth0.999 vlan '999'

to

set service pppoe-server interface eth0.999

Hello pepe,

After the changes the user is logged in.
Thanks for your support.

I have some more queries: I want to bypass some specific IP pool traffic from the customer QoS (rate-limit).

Can you please help to achieve the same?

Thanks.

What do you mean by bypass? Are your clients authorized by RADIUS?

With PPPoE server you can set traffic shaping (rate-limit) per client:
https://docs.vyos.io/en/equuleus/configuration/service/pppoe-server.html#bandwidth-shaping

Yes, clients are authorized by RADIUS…
Let's say user1 & user2 have rate-limits of 10 Mbps & 20 Mbps respectively, which are assigned by RADIUS…
Now they should get speeds of 10 & 20 Mbps for all traffic except Google traffic, for which both should get 100 Mbps. (I will add all Google routes to bypass the normal queue which is assigned by RADIUS.)

Probably yes, but you must create all QoS rules manually.
Accel-ppp, used by VyOS, creates simple classless QoS rules:

admin@vyos-test:~$ show pppoe-server sessions 
 ifname |  username  |       ip       | ip6 | ip6-dp |    calling-sid    |  rate-limit  | state  |  uptime  | rx-bytes | tx-bytes 
--------+------------+----------------+-----+--------+-------------------+--------------+--------+----------+----------+----------
 ppp0   | pppoetest1 | 10.254.100.254 |     |        | 96:cb:d4:af:fb:03 | 105382/52953 | active | 00:13:54 | 662 B    | 206 B

admin@vyos-test:~$ sudo tc qdisc show dev ppp0
qdisc tbf 1: root refcnt 2 rate 105382Kbit burst 1317275b lat 50ms 
qdisc ingress ffff: parent ffff:fff1 ---------------- 
admin@vyos-test:~$ sudo tc filter show dev ppp0 parent ffff:fff1
filter parent ffff: protocol all pref 100 u32 chain 0 
filter parent ffff: protocol all pref 100 u32 chain 0 fh 800: ht divisor 1 
filter parent ffff: protocol all pref 100 u32 chain 0 fh 800::1 order 1 key ht 800 bkt 0 *flowid :1 not_in_hw 
  match 00000000/00000000 at 0
	action order 1:  police 0x1 rate 52953Kbit burst 6464Kb mtu 2Kb action drop overhead 0b 
	ref 1 bind 1 

In VyOS 1.3, you need to disable the rate-limit setting by RADIUS and create your own traffic-policy.
You should assign IP addresses to your clients statically by RADIUS.
https://docs.vyos.io/en/equuleus/configuration/trafficpolicy/index.html

In VyOS 1.4 (I'm using 1.4-rolling-202301080317) there is an option to set a script to run after the client interface has been pre-up/up/down/change.

set service pppoe-server extended-scripts on-up /config/scripts/<script.sh>

A text file with data from RADIUS is created, so you can parse it with the specified script:

admin@vyos-test:~$ cat /run/accel-pppd/radattr.ppp0 
Framed-Protocol PPP
Framed-Compression Van-Jacobson-TCP-IP
Framed-IP-Address 10.254.100.254
Filter-Id 105382/52953
MS-CHAP2-Success 01533D35303046454534363430333037303432314534324138454543383839324643384239383238453136
MS-MPPE-Recv-Key D77F3F5408C65F0A421C79E926EE8BED9FAE78F5242745B2F4F8772E5656F15947A3
MS-MPPE-Send-Key DB3548962069B0E7041109F33F134ACEE2390B404C6E651892EE37166147DC7625D6
MS-MPPE-Encryption-Policy 1
MS-MPPE-Encryption-Type 6

After a quick search I found this article about ip-up/ip-down scripts in accel-ppp:
https://ixnfo.com/en/ip-up-and-ip-down-scripts-with-ipset-for-accel-ppp.html

Unfortunately, you have to experiment.
Good luck.

Is there any other way by which I can bypass RADIUS QoS without disabling the rate-limit given by RADIUS?
Like by creating a policy & adding all the pools in the policy.
It's fine if the policy is common for all customers. We can set a higher rate-limit if the policy is common for all customers.
If possible, please help me with the configuration.

Maybe RADIUS CoA could help you,
if your billing/RADIUS supports it.

As I wrote earlier, in 1.4 you don't have to disable rate-limit in RADIUS.
Just set an “on-up” script. In this script you must use the tc command to configure QoS.
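
A sketch of such an on-up script, added here as an example and not part of the thread or of VyOS/accel-ppp. It reads only `Filter-Id` from the radattr file, validates it strictly (the file is RADIUS-controlled input to a root script) and prints the tc commands for an HTB shaper with a faster class for one exempt prefix. Assumptions: `$1` is the session interface name, `Filter-Id` is `down/up` in Kbit as in the output above, `EXEMPT_NET`/`EXEMPT_KBIT` are operator-chosen placeholders, and replacing the root qdisc from the hook is compatible with the order in which accel-ppp installs its own shaper.

```shell
#!/bin/sh
# Added example: on-up hook sketch (not VyOS or accel-ppp code).
RADATTR_DIR="${RADATTR_DIR:-/run/accel-pppd}"
EXEMPT_NET="${EXEMPT_NET:-192.0.2.0/24}"   # placeholder prefix, set by the operator
EXEMPT_KBIT="${EXEMPT_KBIT:-100000}"        # rate for the exempt prefix, in Kbit

# Print the value of one attribute. Only the requested line is read, so the
# MS-MPPE keys stored in the same file never reach a variable or a log.
radattr_get() {
    awk -v want="$2" '$1 == want { print $2; exit }' "$1"
}

# Strict shape checks; case patterns also reject embedded newlines.
valid_ifname() {
    case "$1" in ppp*[!0-9]*|ppp|"") return 1 ;; ppp[0-9]*) return 0 ;; *) return 1 ;; esac
}
valid_rate() {
    case "$1" in */*/*|*[!0-9/]*|/*|*/|"") return 1 ;; */*) return 0 ;; *) return 1 ;; esac
}

# Emit the tc commands for one session: HTB root, default class at the RADIUS
# download rate, and a second class for traffic sourced from EXEMPT_NET.
# The ingress (upload) policer is left untouched.
tc_plan() {
    ifname="$1"
    valid_ifname "$ifname" || { echo "rejected interface name" >&2; return 1; }
    rate=$(radattr_get "$RADATTR_DIR/radattr.$ifname" Filter-Id)
    valid_rate "$rate" || { echo "rejected Filter-Id" >&2; return 1; }
    down="${rate%/*}"
    cat <<EOF
tc qdisc replace dev $ifname root handle 1: htb default 20
tc class add dev $ifname parent 1: classid 1:10 htb rate ${EXEMPT_KBIT}kbit
tc class add dev $ifname parent 1: classid 1:20 htb rate ${down}kbit
tc filter add dev $ifname parent 1: protocol ip prio 1 u32 match ip src $EXEMPT_NET flowid 1:10
EOF
}

# Dry run by default: the plan is printed. Set APPLY=1 to execute it.
if [ $# -gt 0 ]; then
    plan=$(tc_plan "$1") || exit 1
    if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$plan" | sh
    else printf '%s\n' "$plan"; fi
fi
```

Run it by hand against a live session first and compare the printed plan with `tc qdisc show dev ppp0` before setting `APPLY=1`.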