BNG/BRAS

IPoE related questions
Maurice Poisson

BNG/BRAS

Post by Maurice Poisson »

Hello to you all:

I'm testing accel-ppp's IPoE support. My goal is to use it to authorize and shape GEPON services, without relying on PPPoE and with as little special-purpose hardware as possible. The host labeled BNG runs accel-ppp on Debian 12. It also runs FreeRADIUS and Kea.

Code:

   +-------+              +-------+                 +-------+
   | GEPON |            1 |       | 254           1 |  ISP  |
   |  OLT  |--------------|  BNG  |-----------------| ROUTER|
   |       | 192.0.2.0/24 |       | 198.51.100.0/24 |       |
   +-------+         eth0 +-------+ eth1            +-------+

In this test setup, ipoe's start parameter must be up. If set to dhcpv4, the DHCP service does not work. Also, ipoe's mode parameter must be L3. If set to L2, traffic flows unchecked and unshaped through the BNG host.

Is my stated goal feasible? Am I on the right track to achieve it?

I will thankfully receive your comments.


The contents of accel-ppp's configuration file are shown below. Sections ip-pool, common, ppp, auth, pptp, pppoe, l2tp, sstp, dns, wins, log-pgsql, pppd-compat, chap-secrets, ipv6-pool, ipv6-dns and ipv6-dhcp contain no configuration lines.

Code:

# Beginning of /etc/accel-ppp.conf

[modules]
log_file
ipoe
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
radius
shaper
net-snmp

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ipoe]
username=lua:if_mac
password=empty
ifcfg=0
mode=L3
start=up
lua-file=/etc/accel-ppp.lua
idle-timeout=900
local-net=192.0.2.0/24
interface=eth0

[radius]
dictionary=/usr/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
nas-ip-address=127.0.0.1
server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=127.0.0.1:3799,testing123

[client-ip-range]
0.0.0.0/0

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
log-debug=/var/log/accel-ppp/debug.log
copy=1
level=5

[shaper]
attr=Filter-Id
ifb=ifb0
up-limiter=htb
down-limiter=htb

[cli]
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

# End of /etc/accel-ppp.conf

The top lines of the FreeRADIUS users configuration file are as follows. They authorize 8 Mbps downstream and 2 Mbps upstream service for the customer whose ONU has MAC address AA:AA:AA:AA:AA:AA, and 4 Mbps downstream and 1 Mbps upstream service for the customer whose ONU has MAC address BB:BB:BB:BB:BB:BB.

Code:

# Beginning of /etc/freeradius/3.0/users

"AA:AA:AA:AA:AA:AA"	Auth-Type := Accept
			Filter-ID := "8000/2000"
"BB:BB:BB:BB:BB:BB"	Auth-Type := Accept
			Filter-ID := "4000/1000"

# End of first lines of /etc/freeradius/3.0/users.
dimka88

Re: BNG/BRAS

Post by dimka88 »

Hi, Maurice Poisson. It looks like you have to use L2 mode in this case; in your topology I don't see any PBR, and I also see that the client is in the same L2 segment as the BRAS.
Did you check logs?
Maurice Poisson

Re: BNG/BRAS

Post by Maurice Poisson »

Hello dimka88. Thank you.

Clients are, as you saw, in the same L2 segment as the intended BRAS. Also, I have not yet implemented any explicit Policy Based Routing. I just gladly noticed that, when IPoE's mode parameter is set to L3, traffic is authorized and controlled in the prototype BRAS according to its RADIUS settings. Also, I saw that if IPoE's mode is set to L2, traffic flows unrestricted through the intended BRAS. I imagine that in the latter case an explicit PBR will be needed. Maybe it's time to add some FRR/Quagga bits to the mix.

Contents of /var/log/accel-ppp/accel-ppp.log and show sessions' output with IPoE's mode set to L3 are these:

Code:

[2023-09-26 15:19:26]:  info: ipoe0: create interface ipoe0 parent enp3s0
[2023-09-26 15:19:26]: debug: ipoe0: radius(1): req_enter 1
[2023-09-26 15:19:26]:  info: ipoe0: send [RADIUS(1) Access-Request id=1 <User-Name "0c:4d:e9:be:13:91"> <NAS-Identifier "accel-ppp"> <NAS-IP-Address 127.0.0.1> <NAS-Port 6> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "0c:4d:e9:be:13:91"> <Called-Station-Id "enp3s0"> <Framed-IP-Address 192.0.2.100> <User-Password 0x>]
[2023-09-26 15:19:26]: debug: ipoe0: radius(1): req_exit 0
[2023-09-26 15:19:26]:  info: ipoe0: recv [RADIUS(1) Access-Accept id=1 <Filter-Id "8000/2000">]
[2023-09-26 15:19:26]:  info: ipoe0: 0c:4d:e9:be:13:91: authentication succeeded
[2023-09-26 15:19:26]: debug: ipoe0: ipoe: activate session
[2023-09-26 15:19:26]: debug: ipoe0: radius(1): req_enter 1
[2023-09-26 15:19:26]:  info: ipoe0: send [RADIUS(1) Accounting-Request id=1 <User-Name "0c:4d:e9:be:13:91"> <NAS-Identifier "accel-ppp"> <NAS-IP-Address 127.0.0.1> <NAS-Port 6> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "0c:4d:e9:be:13:91"> <Called-Station-Id "enp3s0"> <Acct-Status-Type Start> <Acct-Authentic RADIUS> <Acct-Session-Id "dc5b8ad33a164f1f"> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 192.0.2.100>]
[2023-09-26 15:19:26]: debug: ipoe0: radius(1): req_exit 0
[2023-09-26 15:19:26]:  info: ipoe0: recv [RADIUS(1) Accounting-Response id=1]
[2023-09-26 15:19:26]:  info: ipoe0: ipoe: session started

accel-ppp# show sessions
 ifname |     username      |    calling-sid    |       ip       | rate-limit | type | comp | state  |  uptime  
--------+-------------------+-------------------+----------------+------------+------+------+--------+----------
 ipoe0  | 0c:4d:e9:be:13:91 | 0c:4d:e9:be:13:91 | 192.0.2.100    | 8000/2000  | ipoe |      | active | 00:00:39

Contents of /var/log/accel-ppp/accel-ppp.log and show sessions' output with IPoE's mode set to L2 are these:

Code:

[2023-09-26 15:31:08]:  info: enp3s0: recv [ARP Request who-has 192.168.32.1 tell 192.0.2.100]
[2023-09-26 15:31:08]:  info: ipoe0: create interface ipoe0 parent enp3s0
[2023-09-26 15:31:08]: debug: ipoe0: radius(1): req_enter 1
[2023-09-26 15:31:08]:  info: ipoe0: send [RADIUS(1) Access-Request id=1 <User-Name "0c:4d:e9:be:13:91"> <NAS-Identifier "accel-ppp"> <NAS-IP-Address 127.0.0.1> <NAS-Port 6> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "0c:4d:e9:be:13:91"> <Called-Station-Id "enp3s0"> <Framed-IP-Address 192.0.2.100> <User-Password 0x>]
[2023-09-26 15:31:08]: debug: ipoe0: radius(1): req_exit 0
[2023-09-26 15:31:08]:  info: ipoe0: recv [RADIUS(1) Access-Accept id=1 <Filter-Id "8000/2000">]
[2023-09-26 15:31:08]:  info: ipoe0: 0c:4d:e9:be:13:91: authentication succeeded
[2023-09-26 15:31:08]:  info: ipoe0: send [ARP Reply 192.0.2.1 is-at 60:eb:69:e4:9b:0b]
[2023-09-26 15:31:18]:  info: ipoe0: ipoe: session timed out
[2023-09-26 15:31:18]: debug: ipoe0: terminate
[2023-09-26 15:31:18]:  info: ipoe0: ipoe: session finished

root@mpoisson-hp:~# telnet localhost 2000
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
accel-ppp version 1.12.0-243-geafba38
accel-ppp# show sessions
 ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime 
--------+----------+-------------+----+------------+------+------+-------+--------

In the latter case the session expires in a couple of seconds.
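
An added example (not part of the original post and not accel-ppp code): a Python check over accel-ppp.log that follows each "create interface" event and flags sessions that RADIUS accepted but that never logged "session started", which is the pattern in the L2 excerpt above. The sample lines are trimmed from the two excerpts in the post; the function names are illustrative.

```python
import re

# Constructed sample: lines trimmed from the L3 and L2 log excerpts in the post.
SAMPLE_LOG = """\
[2023-09-26 15:19:26]:  info: ipoe0: create interface ipoe0 parent enp3s0
[2023-09-26 15:19:26]:  info: ipoe0: recv [RADIUS(1) Access-Accept id=1 <Filter-Id "8000/2000">]
[2023-09-26 15:19:26]:  info: ipoe0: 0c:4d:e9:be:13:91: authentication succeeded
[2023-09-26 15:19:26]:  info: ipoe0: ipoe: session started
[2023-09-26 15:31:08]:  info: ipoe0: create interface ipoe0 parent enp3s0
[2023-09-26 15:31:08]:  info: ipoe0: recv [RADIUS(1) Access-Accept id=1 <Filter-Id "8000/2000">]
[2023-09-26 15:31:08]:  info: ipoe0: 0c:4d:e9:be:13:91: authentication succeeded
[2023-09-26 15:31:18]:  info: ipoe0: ipoe: session timed out
[2023-09-26 15:31:18]:  info: ipoe0: ipoe: session finished
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]:\s+(?P<lvl>\w+): (?P<ifname>[^:\s]+): (?P<msg>.*)$")
FILTER_ID = re.compile(r'<Filter-Id "([^"]*)">')
AUTH_OK = re.compile(r"^(?P<user>\S+): authentication succeeded$")

def sessions(log_text):
    """Return one record per 'create interface' event, in log order."""
    done, live = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ifname, msg = m["ifname"], m["msg"]
        if msg.startswith("create interface "):  # ifname is reused, so start a new record
            live[ifname] = {"ifname": ifname, "created": m["ts"], "user": None,
                            "filter_id": None, "started": False, "end": None}
            done.append(live[ifname])
            continue
        s = live.get(ifname)
        if s is None:
            continue  # e.g. ARP lines logged against the parent interface
        if "Access-Accept" in msg and (f := FILTER_ID.search(msg)):
            s["filter_id"] = f.group(1)
        elif (a := AUTH_OK.match(msg)):
            s["user"] = a["user"]
        elif msg == "ipoe: session started":
            s["started"] = True
        elif msg == "ipoe: session timed out":
            s["end"] = "timed out"
    return done

def accepted_but_never_started(log_text):
    """Sessions with a successful authentication and no 'session started' line."""
    return [s for s in sessions(log_text) if s["user"] and not s["started"]]
```
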
Maurice Poisson

Re: BNG/BRAS

Post by Maurice Poisson »

dimka88 wrote: 26 Sep 2023, 06:37 ... I don't see any PBR ...
Maybe the configuration line in accel-ppp's IPoE section that sets the local-net is defining a source-IP-address-dependent routing policy.