PPPoE Server Configuration Guide
## Introduction

This guide provides a step-by-step tutorial for configuring the PPPoE server capability on the Asterfusion Open Intelligent Gateway running AsterNOS VPP. By following this guide, you will transform a standard Layer 3 gateway into a high-performance Broadband Network Gateway (vBNG) capable of handling client dial-ups, centralized AAA billing, and Internet access via NAT.

## What This Guide Will Accomplish

This document is structured to reflect real-world enterprise deployment priorities:

- **Phase 1: Enterprise RADIUS Integration (main deployment).** We will configure the gateway to act as a vBNG access node, integrated with an external RADIUS server for centralized authentication, authorization, and accounting (AAA). This phase covers both local IP allocation and fully centralized RADIUS IP pool management.
- **Phase 2: Standalone Gateway Mode (local auth & NAT).** Configuring the gateway to rely on its internal local database for dial-in access and enabling Source NAT (SNAT). This is ideal for small, isolated networks or as an emergency fallback.

## Phase 1 Preparation and Environmental Overview

### Network Topology Plan

The following logical topology outlines our enterprise PPPoE server setup.

**Target configuration plan**

| Device / Interface | IP Address / Subnet | Role |
|---|---|---|
| AsterNOS (eth1) | 192.168.200.166/24 | WAN uplink (route to RADIUS & core network) |
| AsterNOS (eth2) | N/A (Layer 2 PPPoE) | LAN interface (PPPoE dial-in port) |
| RADIUS server | 192.168.200.253/24 | Centralized AAA server (FreeRADIUS) |
| Dial-in client PC | 192.168.100.x/24 | PPPoE client |

## Phase 1: Enterprise RADIUS Integration

In this phase, we establish an enterprise-grade vBNG architecture. To ensure a smooth deployment, we will build this in two stages:

- **Baseline setup:** centralized RADIUS authentication combined with AsterNOS local IP allocation.
- **Advanced setup:** fully centralized architecture where RADIUS handles both authentication and dynamic IP allocation.

### Part 1: Base Network & RADIUS Global Configuration

```
sonic# configure terminal
# 1. Configure the WAN interface (required to reach the RADIUS server)
sonic(config)# interface ethernet 1
sonic(config if ethernet1)# ip address 192.168.200.166/24
sonic(config if ethernet1)# exit
# 2. Define default route to core network
sonic(config)# ip route 0.0.0.0/0 192.168.200.1
# 3. Define the global RADIUS server
# Critical: the 'mode pppoe' attribute must be configured first
sonic(config)# radius server 192.168.200.253 mode pppoe
sonic(config)# radius server 192.168.200.253 auth type chap
sonic(config)# radius server 192.168.200.253 passkey aster123
```

### Part 2: Configure the PPPoE Server (Baseline with Local Pool)

In our baseline setup, AsterNOS relies on RADIUS for user authentication but handles IP address distribution locally.

```
# Enable PPPoE server globally
sonic(config)# pppoe server enable
# Create the local IP pool for dial-in clients
sonic(config)# ip pool pppoe pool
sonic(config ip pool)# ip range 192.168.100.10 192.168.100.254
sonic(config ip pool)# exit
# Enter PPPoE server instance 1
sonic(config)# interface pppoe server 1
sonic(config if pppoeserver 1)# service name pppoe enterprise
sonic(config if pppoeserver 1)# ac name pppoe server 1
# Bind RADIUS for authentication and accounting
sonic(config if pppoeserver 1)# ppp chap radius server 192.168.200.253
sonic(config if pppoeserver 1)# nas ip 192.168.200.166
# Set virtual gateway IP and bind the local pool
sonic(config if pppoeserver 1)# local ip 192.168.100.1 255.255.255.0
sonic(config if pppoeserver 1)# remote ip pool pppoe pool
# Network parameters
sonic(config if pppoeserver 1)# dns server 8.8.8.8
sonic(config if pppoeserver 1)# accept blank service enable
sonic(config if pppoeserver 1)# exit
# Bind to physical LAN port
sonic(config)# interface ethernet 2
sonic(config if ethernet2)# pppoe server 1
sonic(config if ethernet2)# exit
```

⚙️ **Engineering Best Practice: MTU/MRU Auto-Negotiation**

The AsterNOS PPPoE server relies exclusively on MRU negotiation during the LCP
phase to determine the final interface MTU.

- **Server-side behavior:** Manually configuring the MTU parameter on the AsterNOS PPPoE interface has no effect. The VPP data plane will dynamically apply the negotiated MRU. If negotiation fails or is absent, the server strictly defaults to 1492 bytes.
- **Client-side behavior:** While end clients can manually set their local MTU, the dynamically negotiated MRU will always take precedence.
- **Recommendation:** Do not configure MTU/MRU manually on the server. Allow auto-negotiation to ensure seamless client connectivity.

📝 **Engineering Note: Service Name Configuration Rules**

- If using `accept any service enable`: the service name does not need to be configured on either the server or the client.
- If using `accept blank service enable`: the service name must be configured on the server, and the client must not configure it (leave it blank).

### Part 3: FreeRADIUS Server Setup (Authentication Only)

Deploy a lightweight FreeRADIUS configuration focused strictly on AAA, without the complexity of IP pool management.

**Step 1: Install FreeRADIUS**

```
sudo apt-get update
sudo apt-get install freeradius -y
```

**Step 2: Configure the NAS client (AsterNOS gateway)**

```
sudo nano /etc/freeradius/3.0/clients.conf
```

```
client asternos_gateway {
    ipaddr = 192.168.200.166
    secret = aster123
}
```

**Step 3: Create the user profile**

```
sudo nano /etc/freeradius/3.0/users
```

(Note: ensure proper indentation for the response attributes.)

```
"radiususer" Cleartext-Password = "radius123"
    Service-Type = Framed-User,
    Framed-Protocol = PPP
```

**Step 4: Restart service**

```
sudo systemctl restart freeradius
```

(You can now verify the connection using `show pppoe session` on AsterNOS. The client should receive an IP from the AsterNOS `pppoe pool`.)

### Part 4: Advanced Integration (Centralized RADIUS IP Allocation)

Once the baseline authentication is verified, enterprise architectures typically migrate IP allocation to the RADIUS server. This consolidates user management and billing into a single pane of glass. To upgrade from the baseline to the centralized
architecture, follow these delta steps.

**Step 1: Unbind the local pool on AsterNOS**

Shift the allocation responsibility away from the gateway.

```
sonic# configure terminal
sonic(config)# interface pppoe server 1
sonic(config if pppoeserver 1)# no remote ip pool pppoe pool
sonic(config if pppoeserver 1)# exit
```

**Step 2: Configure the RADIUS IP pool**

```
sudo nano /etc/freeradius/3.0/mods-available/ippool
```

```
ippool main_pool {
    range_start = 192.168.100.10
    range_stop = 192.168.100.254
    netmask = 255.255.255.0
    # Keep the following default parameters unchanged
    filename = ${db_dir}/db.ippool
    ip_index = ${db_dir}/db.ipindex
    override = no
    maximum_timeout = 0
}
```

Enable the module (mandatory step):

```
sudo ln -s /etc/freeradius/3.0/mods-available/ippool /etc/freeradius/3.0/mods-enabled/
```

**Step 3: Activate the IP pool in accounting & post-auth**

```
sudo nano /etc/freeradius/3.0/sites-enabled/default
```

Explicitly call the `main_pool` instance so FreeRADIUS knows when to allocate and release IPs.

In the `accounting { }` block, add:

```
accounting {
    detail
    unix
    main_pool    # <-- add this line
    exec
    # ...
}
```

In the `post-auth { }` block, add:

```
post-auth {
    exec
    main_pool    # <-- add this line
    # ...
}
```

**Step 4: Update the user profile**

```
sudo nano /etc/freeradius/3.0/users
```

Add the `Pool-Name` attribute to the first line alongside the password to instruct FreeRADIUS to assign an IP during authentication.

```
"radiususer" Cleartext-Password = "radius123", Pool-Name = "main_pool"
    Service-Type = Framed-User,
    Framed-Protocol = PPP
```

**Step 5: Apply changes**

```
sudo systemctl restart freeradius
```

### Part 5: Final Verification

Check the active PPPoE sessions:

```
sonic# show pppoe session
```

Expected output:

```
id  iface      sessionid  remotemac          remoteip        localip        localif  pppoeserver     uptime
0   ethernet3  384        00:e0:4c:68:06:0d  192.168.100.10  192.168.100.1  ppp0     pppoe server 1  0:00:37
```

If the `remoteip` aligns with your FreeRADIUS ippool range and the tunnel is active, you have successfully deployed a fully centralized vBNG architecture!

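
The final verification above can be scripted. The following is an added example, not part of AsterNOS or of the original guide: it audits captured `show pppoe session` rows against this guide's pool range and gateway IP and reports addresses handed to two different MACs. The sample rows are constructed, and the column order is assumed to match the expected output shown above.

```python
import ipaddress

# Pool and gateway values taken from this guide's Phase 1 configuration.
POOL_FIRST = ipaddress.IPv4Address("192.168.100.10")
POOL_LAST = ipaddress.IPv4Address("192.168.100.254")
GATEWAY = ipaddress.IPv4Address("192.168.100.1")

# Constructed sample rows, modelled on the guide's expected output.
SAMPLE = """\
id iface sessionid remotemac remoteip localip localif pppoeserver uptime
0 ethernet3 384 00:e0:4c:68:06:0d 192.168.100.10 192.168.100.1 ppp0 pppoe server 1 0:00:37
1 ethernet3 385 00:e0:4c:68:06:0e 192.168.100.10 192.168.100.1 ppp1 pppoe server 1 0:00:12
2 ethernet3 386 00:e0:4c:68:06:0f 192.168.100.5 192.168.100.1 ppp2 pppoe server 1 0:00:03
"""

def audit_sessions(text):
    """Return (session_id, problem) tuples for rows that do not match the plan."""
    findings, seen = [], {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].isdigit():
            continue  # skip the header, separators and blank lines
        sid, mac = fields[2], fields[3]
        try:
            remote = ipaddress.IPv4Address(fields[4])
            local = ipaddress.IPv4Address(fields[5])
        except ipaddress.AddressValueError:
            findings.append((sid, "unparsable IP field"))
            continue
        if not POOL_FIRST <= remote <= POOL_LAST:
            findings.append((sid, f"remote IP {remote} outside pool"))
        if local != GATEWAY:
            findings.append((sid, f"unexpected local IP {local}"))
        if remote in seen and seen[remote] != mac:
            findings.append((sid, f"remote IP {remote} also held by {seen[remote]}"))
        seen.setdefault(remote, mac)
    return findings

if __name__ == "__main__":
    for sid, problem in audit_sessions(SAMPLE):
        print(f"session {sid}: {problem}")
```
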
💡 **Tips**

After Phase 1 is complete, the client has successfully established a network connection. To provide Internet access, make sure the core network has the corresponding NAT translation policy configured, or refer to Phase 2 to enable SNAT locally on AsterNOS.

## Phase 2: Standalone Gateway Mode & Fallback (Local Auth & NAT)

In scenarios where the enterprise RADIUS server is unreachable, or if you are deploying the gateway as an all-in-one router for a small network, AsterNOS can function independently. In this mode, AsterNOS utilizes its internal database for authentication and enables Source NAT (SNAT) to masquerade client traffic for external Internet access.

(Note: this phase assumes AsterNOS is configured to allocate IPs locally using the IP pool established in the Phase 1 baseline setup.)

### Part 1: Local Authentication (Standalone / Fallback)

You can append local credentials directly to the PPPoE server instance.

**Authentication order:** If a RADIUS server is bound to the instance, AsterNOS will attempt RADIUS authentication first. If the RADIUS server is unreachable (timeout), it will seamlessly fall back to checking the local database. If no RADIUS server is configured, it functions purely as a standalone authenticator.

```
sonic# configure terminal
sonic(config)# interface pppoe server 1
# Configure local CHAP credentials (username: testuser, password: 123456)
sonic(config if pppoeserver 1)# ppp chap username testuser 123456
sonic(config if pppoeserver 1)# exit
```

### Part 2: Enable SNAT for Internet Access

To allow the locally authenticated PPPoE clients (e.g., 192.168.100.x) to browse the public Internet, you must translate their private IPs to the WAN interface's public/uplink IP.

```
# Enable the NAT engine globally
sonic(config)# nat enable
# Define a NAT pool using the WAN uplink IP (192.168.200.166)
sonic(config)# nat pool wan pool 192.168.200.166
# Bind the pool to masquerade all outbound routed traffic
sonic(config)# nat binding bind wan wan pool
sonic(config)# exit
sonic# write
```

📝 **Engineering Note: Granular NAT Control**

The `nat binding` command shown above applies NAT globally to all routed traffic. For complex enterprise deployments
requiring strict traffic control, you can append an Access Control List (ACL) to the binding command (e.g., `nat binding bind wan wan pool acl my pppoe acl`) to restrict SNAT exclusively to the PPPoE client IP range.

## Verification & Troubleshooting

To comprehensively verify your vBNG deployment, perform the following checks from both the control plane and the data plane.

**1. Verify PPPoE session establishment**

Ensure the client has successfully dialed in and received an IP address.

```
sonic# show pppoe session
```

(Check if the `remoteip` aligns with your local pool or RADIUS allocation, and ensure the uptime is stable.)

**2. Verify Internet reachability (data plane)**

From the dial-in client PC, ping a public Internet address (e.g., 8.8.8.8).

```
C:\> ping 8.8.8.8
```

**3. Verify NAT translations**

While the client is actively sending traffic (e.g., during the ping test), verify that AsterNOS is successfully translating the private PPPoE IP to the WAN IP.

```
sonic# show nat translations
```

**Expected result:** You should see active ICMP/UDP/TCP translation entries mapping the client's internal IP (192.168.100.x) to the NAT pool IP (192.168.200.166).
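
Both phases of this guide authenticate with CHAP (`auth type chap` toward RADIUS in Phase 1, `ppp chap username` locally in Phase 2). The following added example, which is not AsterNOS or FreeRADIUS code, models the RFC 1994 / RFC 2865 check to show why the `users` file must hold the password in cleartext form and why a response is only valid for the challenge it answered. Function names are illustrative.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def radius_chap_password(ident: int, response: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password = CHAP Ident octet + 16-octet response."""
    return bytes([ident]) + response

def radius_verify(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """AAA side: recompute the hash from the stored cleartext password and compare."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(response, expected)

def simulate_login(client_password: bytes, stored_cleartext: bytes) -> bool:
    """One dial-in: server issues a fresh challenge, client answers, RADIUS verifies."""
    ident = os.urandom(1)[0]
    challenge = os.urandom(16)  # new random challenge for every attempt
    response = chap_response(ident, client_password, challenge)
    return radius_verify(radius_chap_password(ident, response), challenge, stored_cleartext)

def replay_accepted(stored_cleartext: bytes) -> bool:
    """A response computed for one challenge, checked against a different challenge."""
    ident, old_challenge, new_challenge = 7, os.urandom(16), os.urandom(16)
    captured = radius_chap_password(ident, chap_response(ident, stored_cleartext, old_challenge))
    return radius_verify(captured, new_challenge, stored_cleartext)

if __name__ == "__main__":
    # Credentials are the sample values used in this guide.
    print("correct password: ", simulate_login(b"radius123", b"radius123"))
    print("wrong password:   ", simulate_login(b"123456", b"radius123"))
    print("replayed response:", replay_accepted(b"radius123"))
```
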
