IPoE trouble with vlan per user mode (shared=0)

kktr

Post by kktr »

Hello

I successfully tested IPoE with (shared=1 aka virtual ipoe interfaces) with almost identical configuration to what I have below (the only difference was setting shared=1 inside accel-ppp.conf and commented out vlan-mon since I didn't need it with a single vlan)

Then I decided to try the shared=0 mode with vlan monitor for double tagged frames.

IPoE clients have double 802.1q tagged frames where S-VLAN=3000 and C-VLAN=X. IP Address parameters are returned from Radius to accel.

1) Radius authentication is successful:

Code:

(24) Sent Access-Accept Id 1 from 127.0.0.1:1812 to 127.0.0.1:54088 length 0
(24)   Filter-Id = "8192/2048"
(24)   MS-Secondary-DNS-Server = 8.8.4.4
(24)   MS-Primary-DNS-Server = 8.8.8.8
(24)   Framed-Route = "10.10.10.0/29"
(24)   Framed-IP-Address = 10.50.50.50

2) Initial DHCP is successful:

$ tcpdump -vv -e -i eth0.3000

Code:

01:26:45.311572 80:fb:06:33:ca:86 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 628: vlan 3001, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 610)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 80:fb:06:33:ca:86 (oui Unknown), length 582, xid 0x5545403d, Flags [none] (0x0000)
          Client-Ethernet-Address 80:fb:06:33:ca:86 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Client-ID Option 61, length 7: ether 80:fb:06:33:ca:86
            Vendor-Class Option 60, length 12: "dslforum.org"
            Parameter-Request Option 55, length 12:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
              Domain-Name, BR, YD, YS
              NTP, Vendor-Option, Option 120, Classless-Static-Route
            Agent-Information Option 82, length 32:
              Circuit-ID SubOption 1, length 28: olt1 xpon 0/0/0/0:12.10.1000
              Remote-ID SubOption 2, length 0:
01:26:45.385970 00:21:91:8b:41:fe  (oui Unknown) > 80:fb:06:33:ca:86 (oui Unknown), ethertype 802.1Q (0x8100), length 330: vlan 3001, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 312)
    10.50.50.1.bootps > 10.50.50.50.bootpc: [no cksum] BOOTP/DHCP, Reply, length 284, xid 0x5545403d, Flags [none] (0x0000)
          Your-IP 10.50.50.50
          Client-Ethernet-Address 80:fb:06:33:ca:86 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 110.50.50.1
            Lease-Time Option 51, length 4: 300
            RN Option 58, length 4: 300
            Default-Gateway Option 3, length 4: 10.50.50.1
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Domain-Name-Server Option 6, length 8: 8.8.4.4,8.8.8.8
01:26:45.422475 80:fb:06:33:ca:86 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 628: vlan 3001, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 610)

3) Links are up and route exists:

$ ip link show

Code:

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:21:91:8b:41:fe  brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ether 92:57:3a:86:5e:0b brd ff:ff:ff:ff:ff:ff
108: eth0.3000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 00:21:91:8b:41:fe brd ff:ff:ff:ff:ff:ff
116: eth0.3000.3001@eth0.3000: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 00:21:91:8b:41:fe brd ff:ff:ff:ff:ff:ff

$ ip addr show

Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:21:91:8b:41:fe brd ff:ff:ff:ff:ff:ff
    inet6 fe80::221:91ff:fe8b:41fe/64 scope link
       valid_lft forever preferred_lft forever
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 3a:45:c3:c1:62:eb brd ff:ff:ff:ff:ff:ff
    inet 10.50.50.1/24 brd 10.50.50.1 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::3845:c3ff:fec1:62eb/64 scope link
       valid_lft forever preferred_lft forever
4: eth0.3000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:21:91:8b:41:fe brd ff:ff:ff:ff:ff:ff
    inet6 fe80::221:91ff:fe8b:41fe/64 scope link
       valid_lft forever preferred_lft forever
116: eth0.3000.3001@eth0.3000: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 00:21:91:8b:41:fe brd ff:ff:ff:ff:ff:ff
    inet 10.50.50.1/32 scope global eth0.3000.3001
       valid_lft forever preferred_lft forever
    inet6 fe80::224:e8ff:fe41:c96e/64 scope link
       valid_lft forever preferred_lft forever

$ ip route show

Code:

10.50.50.50 dev eth0.3000.3001  scope link  src 10.50.50.1

4) Ping unsuccessful:

$ ping 10.50.50.50

Code:

PING 10.50.50.50 (10.50.50.50) 56(84) bytes of data.
From 10.50.50.1 icmp_seq=1 Destination Host Unreachable
From 10.50.50.1 icmp_seq=2 Destination Host Unreachable
From 10.50.50.1 icmp_seq=3 Destination Host Unreachable

$ tcpdump -i eth0.3000.3001

Code:

17:16:00.275503 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:01.273141 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:02.273139 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:03.290282 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:04.289140 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:05.289140 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28
17:16:06.306263 ARP, Request who-has 10.50.50.50 tell 10.50.50.1, length 28

5) Arp table incomplete:

$ arp

Code:

Address                  HWtype  HWaddress           Flags Mask            Iface
10.50.50.50                      (incomplete)                              eth0.3000.3001

Problems noticed:

A) No arp communication between client. It's as if the ipoe client can't see the default gateway (10.50.50.1 loopback interface). How can I fix it?

B) Framed-Route (10.10.10.0/29) from Radius doesn't seem to be added at all to the routing table. It worked with shared=1 mode when I tested it before. Is this a limitation of vlan per user mode?


Thank you for an excellent piece of software.


My Settings:

Code:

Version tested: accel-ppp 1.10.1
Kernel: Linux debian 4.3.0-0.bpo.1-amd64 (Debian Jessie 8.2)


/etc/accel-ppp.conf

Code:

[modules]
log_file
#log_syslog
#log_tcp
#log_pgsql

#pptp
#l2tp
pppoe
ipoe

#auth_mschap_v2
#auth_mschap_v1
auth_chap_md5
#auth_pap

radius
#chap-secrets

#ippool

#pppd_compat

shaper
#net-snmp
#logwtmp
#connlimit
#vlan-mon

#ipv6_nd
#ipv6_dhcp
#ipv6pool

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[common]
#single-session=replace
#sid-case=upper
#sid-source=seq

[ppp]
verbose=1
min-mtu=1280
mtu=1492
mru=1492
#accomp=deny
#pcomp=deny
#check-ip=0
ccp=0
mppe=deny
ipv4=require
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1
lcp-echo-interval=12
#lcp-echo-failure=3
lcp-echo-timeout=60
unit-cache=1

[auth]
#any-login=0
#noauth=0

[pptp]
verbose=1
#echo-interval=30

[pppoe]
verbose=1
#ac-name=xxx
#service-name=yyy
#pado-delay=0
#pado-delay=0,100:100,200:200,-1:500
called-sid=mac
#tr101=1
#padi-limit=0
#ip-pool=pppoe
#sid-uppercase=0
#vlan-mon=eth0,10-200
#vlan-timeout=60
#vlan-name=%I.%N
#interface=eth1,padi-limit=1000
#interface=eth0

[l2tp]
verbose=1
#dictionary=/usr/local/share/accel-ppp/l2tp/dictionary
#hello-interval=60
#timeout=60
#rtimeout=1
#rtimeout-cap=16
#retransmit=5
#recv-window=16
#host-name=accel-ppp
#dir300_quirk=0
#secret=
#dataseq=allow
#reorder-timeout=0
#ip-pool=l2tp

[ipoe]
verbose=1
username=ifname
#password=username
lease-time=300
renew-time=300
max-lease-time=3600
#unit-cache=1000
#l4-redirect-table=4
#l4-redirect-ipset=l4
#l4-redirect-on-reject=300
#l4-redirect-ip-pool=pool1
shared=0
ifcfg=1
mode=L2
start=dhcpv4
#start=UP
#ip-unnumbered=1
#proxy-arp=0
#nat=0
#proto=100
#relay=10.10.10.10
attr-dhcp-client-ip=Framed-IP-Address
#attr-dhcp-router-ip=DHCP-Router-IP-Address
#attr-dhcp-mask=DHCP-Mask
#attr-dhcp-lease-time=DHCP-Lease-Time
#attr-dhcp-opt82=DHCP-Option82
#attr-dhcp-opt82-remote-id=DHCP-Agent-Remote-Id
#attr-dhcp-opt82-circuit-id=DHCP-Agent-Circuit-Id
#attr-l4-redirect=L4-Redirect
#attr-l4-redirect-table=4
#attr-l4-redirect-ipset=l4-redirect
#lua-file=/etc/accel-ppp.lua
#offer-delay=0,100:100,200:200,-1:1000
vlan-mon=eth0.3000,1-4095
vlan-timeout=60
vlan-name=%I.%N
#ip-pool=ipoe
#idle-timeout=0
#session-timeout=0
#soft-terminate=0
#check-mac-change=1
#calling-sid=mac
#local-net=192.168.0.0/16
gw-ip-address=10.50.50.1/24
interface=re:eth0\.3000\.[0-9][0-9][0-9][0-9]


[dns]
dns1=8.8.4.4
dns2=8.8.8.8

[wins]
#wins1=172.16.0.1
#wins2=172.16.1.1

[radius]
#dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
nas-ip-address=127.0.0.1
gw-ip-address=172.17.1.1
server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=127.0.0.1:3799,testing123
verbose=1
#timeout=3
#max-try=3
acct-timeout=0
#acct-delay-time=0
#acct-on=0
#attr-tunnel-type=My-Tunnel-Type

[client-ip-range]
#10.0.0.0/8

[ip-pool]
gw-ip-address=192.168.0.1
#vendor=Cisco
#attr=Cisco-AVPair
attr=Framed-Pool
192.168.0.2-255
192.168.1.1-255,name=pool1
192.168.2.1-255,name=pool2
192.168.3.1-255,name=pool3
192.168.4.0/24

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
#log-debug=/dev/stdout
#syslog=accel-pppd,daemon
#log-tcp=127.0.0.1:3000
copy=1
#color=1
#per-user-dir=per_user
#per-session-dir=per_session
#per-session=1
level=3

[log-pgsql]
conninfo=user=log
log-table=log

[pppd-compat]
#ip-pre-up=/etc/ppp/ip-pre-up
ip-up=/etc/ppp/ip-up
ip-down=/etc/ppp/ip-down
ip-change=/etc/ppp/ip-change
radattr-prefix=/var/run/radattr
verbose=1

[chap-secrets]
gw-ip-address=192.168.100.1
#chap-secrets=/etc/ppp/chap-secrets
#encrypted=0
#username-hash=md5

[shaper]
attr=Filter-Id
#down-burst-factor=0.1
#up-burst-factor=1.0
#latency=50
#mpu=0
#mtu=0
#r2q=10
#quantum=1500
#moderate-quantum=1
#cburst=1534
#ifb=ifb0
up-limiter=police
down-limiter=tbf
#leaf-qdisc=sfq perturb 10
#leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
#rate-multiplier=1
#fwmark=1
verbose=1

[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
password=123

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

[ipv6-pool]
fc00:0:1::/48,64
delegate=fc00:1::/36,48

[ipv6-dns]
#fc00:1::1
#fc00:1::2
#fc00:1::3
#dnssl=suffix1.local.net
#dnssl=suffix2.local.net.

[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1

Last edited by kktr on 29 Mar 2016, 22:45, edited 4 times in total.

Dmitry
Administrator

Post by Dmitry »

is it ok that client's ip is 10.50.50.50 and router's ip is 172.17.1.1 ?
for me it is not
this is not good:
[ipoe]
gw-ip-address=172.17.1.1

try to specify something like:
gw-ip-address=10.50.50.1/24

kktr

Post by kktr »

Thank you, didn't notice it, had some old leftover config. It works now.
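
A configuration check based on the fix in this thread, added here as an example and not part of the original posts or of accel-ppp: it verifies that the Framed-IP-Address returned by RADIUS falls inside the subnet given by gw-ip-address in [ipoe]. The function names and the sample config text are constructed for illustration, and treating a value without a prefix length as a /32 is an assumption of this example.

```python
import ipaddress

# Constructed two-section sample, not a full accel-ppp.conf; the addresses
# are the ones quoted in the thread.
CONF_TEMPLATE = """\
[ipoe]
shared=0
gw-ip-address={ipoe_gw}
[radius]
gw-ip-address=172.17.1.1
"""
BROKEN_CONF = CONF_TEMPLATE.format(ipoe_gw="172.17.1.1")
FIXED_CONF = CONF_TEMPLATE.format(ipoe_gw="10.50.50.1/24")


def section_values(conf_text, section, key):
    """Return every uncommented value of `key` inside `[section]`."""
    values, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                values.append(value.strip())
    return values


def check_ipoe_gateway(conf_text, framed_ip):
    """Return a list of problems; an empty list means the gateway fits."""
    client = ipaddress.ip_address(framed_ip)
    gateways = section_values(conf_text, "ipoe", "gw-ip-address")
    if not gateways:
        return ["[ipoe] has no gw-ip-address"]
    # Assumption of this example: a value without a prefix length is a /32.
    ifaces = [ipaddress.ip_interface(gw) for gw in gateways]
    problems = []
    if any(client == i.ip for i in ifaces):
        problems.append(f"{framed_ip} is the gateway address itself")
    if not any(client in i.network for i in ifaces):
        problems.append(
            f"{framed_ip} is outside every [ipoe] gw-ip-address: {gateways}")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        print(label, check_ipoe_gateway(conf, "10.50.50.50") or "ok")
```

Only the [ipoe] section is checked; the [radius] gw-ip-address is read separately by section_values and does not affect the result.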