| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:bras_bng:bras_pppoe:pppoe_conf [2025/09/29 15:02] – elena.krasnobryzh | en:dpi:bras_bng:bras_pppoe:pppoe_conf [2025/09/29 16:21] (current) – elena.krasnobryzh |
|---|
| {{indexmenu_n>1}} | {{indexmenu_n>1}} |
| ======PPPoE configuration and commands===== | ======PPPoE configuration and commands===== |
| | <note tip>L2 PPPoE Mode Overview: {{youtube>ZmCvcSOg73k?}}</note> |
| | |
| | =====Enabling PPPoE support===== |
| | - Activate BRAS. [[dpi:bras_bng:general_setup#configuring_bras_l2_in_fastdpi|More details]]. |
| | - Configure parameters in ''fastdpi.conf'': |
| | - ''bras_pppoe_enable=1'' — enable PPPoE. |
| | - ''bras_pppoe_session=10000'' — set the maximum number of PPPoE sessions. Recommended value: 1.5-2 times the number of PPPoE subscribers. |
| | |
| | If Router is not used, then the IP and MAC addresses of the gateway/border located behind SSG (subscriber → SSG → border/gateway) must be specified: |
| | <code bash>bras_gateway_ip=192.168.0.1 |
| | bras_gateway_mac=aa:bb:cc:dd:ee:ff</code> |
| | |
| | =====Authorization configuration===== |
| | The list of allowed authorization protocols is set by the ''bras_ppp_auth_list'' parameter in ''fastdpi.conf''.\\ |
| | Possible values: |
| | * ''1'' — PAP (not recommended for use) |
| | * ''2'' — CHAP-MD5 |
| | * ''3'' — MS-CHAPv2 |
| | Protocols in the parameter's value list are arranged in order of preference: the first is the most preferred.\\ |
| | Default value: ''bras_ppp_auth_list=2,3''. |
| | |
| | If ''bras_ppp_mac_auth=1'' is specified in ''fastdpi.conf'', authorization by the subscriber's MAC address is possible. Used when the parties fail to agree on an authorization protocol. |
| | |
| | <note>[[dpi:bras_bng:bras_pppoe:pppoe_pppol2tp_parameters:bras_pppoe_radius|Authorization of PPPoE sessions on a Radius server]]</note> |
| | |
| | =====ARP handling in PPPoE===== |
| | In networks with PPPoE connections (point-to-point type), sending ARP requests from subscribers has no practical meaning. A subscriber can only send packets to the PPPoE server's address, whose MAC address is known to the subscriber within the established PPPoE connection. |
| | |
| | On the WAN side, SSG processes all ARP requests of the form "Who is IP=x.x.x.x?" if the IP address x.x.x.x corresponds to an active PPPoE session. In response to such requests, SSG returns the value of the bras_arp_mac parameter. Thus, SSG responds to ARP requests directed to the IP addresses of current PPPoE subscribers. |
| | |
| | If the [[dpi:opt_cgnat:сgnat_settings|NAT]] service is activated for a PPPoE subscriber, ARP requests from the WAN side to the corresponding PPPoE sessions are not processed. |
| | |
| | The following BRAS-level functions are implemented for PPPoE sessions: |
| | * [[dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|IP Source Guard]] |
| | * [[dpi:bras_bng:bras_l2_options:bras_l2_vlan_local|Local traffic closure]], including traffic between different segment types (e.g., between PPPoE and DHCP networks) |
| | |
| | =====Restoring PPPoE sessions on SSG restart===== |
| | Upon startup, fastDPI attempts to restore PPPoE subscriber sessions based on information saved in UDR. This ensures transparency of a brief service restart for subscribers. |
| | |
| | However, automatic restoration of PPPoE sessions can lead to state inconsistency between the billing system and SSG, especially in cases with dynamic IP address assignment. Such a situation is possible if the billing system expects a sequence of Access-Request → Acct-Start messages, while only Acct-Start is transmitted during session restoration. |
| | |
| | The configuration parameter ''bras_pppoe_restore_on_startup'' allows disabling automatic restoration of PPPoE sessions at startup.\\ Possible values: |
| | * ''1'' — enabled (default value). |
| | * ''0'' — disabled. Subscribers will initiate new PPPoE sessions. |
| | |
| | If restoration is disabled: |
| | * The subscriber will need to initiate a new PPPoE session and undergo re-authorization; |
| | * When attempting to continue using an old session, SSG will send the subscriber a PADT (PPP Active Discovery Terminate) to terminate the session. |
| | |
| | =====Additional PPPoE settings===== |
| | ^ Parameter ^ Description ^ Possible Values ^ |
| | | ''bras_pppoed_timeout'' | Sets the PPPoE session establishment timeout in seconds.\\ Since the PPPoE Discovery protocol is susceptible to DOS attacks, this parameter aims to limit the use of internal resources during a PPPoE DOS attack | Default value: 2 seconds. | |
| | | ''bras_pppoe_restore_on_startup'' | Allow or deny restoration of PPPoE sessions on SSG restart. For more details, see [[en:dpi:bras_bng:bras_pppoe:pppoe_conf#restoring_pppoe_sessions_on_ssg_restart|Restoring PPPoE sessions on SSG restart]] | ''1'' — allow\\ ''2'' — deny | |
| | |
| | =====CLI parameters===== |
| | ''pppoe term'' — termination of all PPPoE sessions. It is possible to specify parameters ''ip'', ''mac'', ''subs_id'', ''login'' or ''all'': |
| | <code bash>pppoe term [hard] [ip=X | mac=X | subs_id=X | login=X | all]</code> |
| | |
| | For PPPoE sessions, there is no tunnel IP (''tunnel-IP=0''). \\ |
| | CLI commands that accept ''subs_id'' as a key (''subs prop show'', ''l2tp show session'', ''l2tp term'', etc.) may return multiple records with the same ''l2subs_id''. |
