Problems with FreeBSD PPPOE server
muhammad usman
usmanbsd at yahoo.com
Tue Dec 18 00:04:15 PST 2007
I guess your lqrperiod is a little long, as it will send 5 lqr echos and, if it does not receive any response, will disconnect at the time of the 6th.
6 x 30 sec = 3 minutes.
If LQR still creates problems for you, maybe you should try LCP Echo.
The option "set ifaddr 10.0.1.1 10.0.1.2-10.0.1.255" is assigning IPs within the range 10.0.1.2-10.0.1.255 to clients. I don't think pppoed of FreeBSD supports assigning IPs from a defined IP pool in RADIUS.
You need to change it like "set ifaddr 88.85.109.1 88.85.109.2-128"
Also please make sure that you have created enough TUN devices in /dev.
Regards
usman
----- Original Message ----
From: Ljupco Vangelski <ljupco.vangelski at gmail.com>
To: freebsd-isp at freebsd.org
Sent: Wednesday, November 21, 2007 6:43:10 PM
Subject: Problems with FreeBSD PPPOE server
Hi, first I want to apologize for the size of this mail, but I want to
explain the situation better. I'm using a FreeBSD PPPoE server and
freeRadius RADIUS server for providing dsl services to clients. My
configuration is as follows:
- FreeBSD 6.0
- user PPP for PPPoE server
- freeRadius 1.1.6 for RADIUS server
I have multiple vlans on one network interface, and I have different
PPPoE servers listening on each one:
/usr/libexec/pppoed -d -P /var/run/pppoed-1.pid -a PPPoE-Service-1 -l ppppe-1 vlan1
/usr/libexec/pppoed -d -P /var/run/pppoed-2.pid -a PPPoE-Service-3 -l ppppe-2 vlan2
/usr/libexec/pppoed -d -P /var/run/pppoed-3.pid -a PPPoE-Service-3 -l ppppe-3 vlan3
My ppp.conf looks like this:
pppoe-1:
 set log Chat Command Phase Alert Error TUN
 enable pap
 allow mode direct
 disable ipv6cp
 set mru 1492
 set mtu 1492
 set timeout 0
 enable lqr echo
 set lqrperiod 30
 set ifaddr 10.0.1.1 10.0.1.2-10.0.1.255
 set radius /etc/ppp/radius.conf
 set rad_alive 60
 set dns {ip-ns1} {ip-ns2}
 accept dns
pppoe-2:
 set log Chat Command Phase Alert Error TUN
 enable pap
 allow mode direct
 disable ipv6cp
 set mru 1492
 set mtu 1492
 set timeout 0
 enable lqr echo
 set lqrperiod 30
 set ifaddr 10.0.2.1 10.0.2.2-10.0.2.255
 set radius /etc/ppp/radius.conf
 set rad_alive 60
 set dns {ip-ns1} {ip-ns2}
 accept dns
pppoe-3:
 set log Chat Command Phase Alert Error TUN
 enable pap
 allow mode direct
 disable ipv6cp
 set mru 1492
 set mtu 1492
 set timeout 0
 enable lqr echo
 set lqrperiod 30
 set ifaddr 10.0.3.1 10.0.3.2-10.0.3.255
 set radius /etc/ppp/radius.conf
 set rad_alive 60
 set dns {ip-ns1} {ip-ns2}
 accept dns
I have few problems which I cannot solve:
* 1) First is a problem with a Linksys SPA3102 Voice Gateway with
Router which is making a PPPoE connection to my server and responds
with lqr packets with unexpected length. I've tried with the newest
firmware from Linksys, but the same happens. After 5 LQR Echo packets
are lost, the PPP session is terminated and the Linksys must reestablish
it. This has something to do with the Linksys, but is there any
workaround, can I tell the PPPoE server to accept LQR packets with
length 6? In man ppp I only see parameters about lcq frequency. set
openmode passive doesn't help as well. Here is the log from my server:
pppoed ppp[22886]: tun99: LCP: deflink: SendEchoRequest(2) state = Opened
pppoed ppp[22886]: tun99: LCP: deflink: RecvEchoReply(2) state = Opened
pppoed ppp[22886]: tun99: Warning: lqr_RecvEcho: Got packet size 6, expecting 12 !
* 2) Sometimes when a client gets disconnected, the ppp process stays
alive, keeping the tun interface up and the public IP address active.
So, the freeRadius assigns that IP address to another client, and since
the stalled connection is active, the gateway for that IP address is the
first tun interface and not the one on which the latter client gets
connected. And the latter client doesn't have any service, because the
previous ppp connection stays up instead of terminating when the client
is disconnected (even though the client is disconnected at the RADIUS
server, the ppp.linkdown script is executed).
Here is a log from the ppp.log file concerning this connection.
== Establishing connection ==
Nov 17 08:46:50 pppoed ppp[95701]: Phase: Using interface: tun56
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: enable pap
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: disable ipv6cp
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set mru 1492
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set mtu 1492
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set timeout 0
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: enable lqr echo
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set lqrperiod 30
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set ifaddr 10.0.2.1 10.0.2.2-10.0.2.255
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set radius /etc/ppp/radius.conf
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set rad_alive 60
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: set dns 80.77.144.10 80.77.144.11
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: pppoe-2: accept dns
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: PPP Started (direct mode).
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: bundle: Establish
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: closed -> opening
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: Link is a netgraph node
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: Connected!
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: opening -> carrier
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: carrier -> lcp
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: bundle: Authenticate
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: his = none, mine = PAP
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Pap Input: REQUEST (almqwr14h)
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Radius: Request sent
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Radius(auth): ACCEPT received
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Session-Timeout 43200
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: IP 88.85.109.31
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Netmask 255.255.255.255
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Pap Output: SUCCESS
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: deflink: lcp -> open
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: bundle: Network
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Phase: Radius(acct): START data sent
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Command: breezeaccess-vodno: bg /etc/ppp/addClient.sh USER connect HISADDR INTERFACE PPPoE-Service-2 PROCESSID
Nov 17 08:46:50 pppoed ppp[95701]: tun56: Warning: ff02:45::/32: Change route failed: errno: Network is unreachable
== Terminating connection ==
Nov 17 08:50:50 pppoed ppp[95701]: tun56: Phase: deflink: open -> lcp
Nov 17 08:50:50 pppoed ppp[95701]: tun56: Warning: ff02:45::/32: Change route failed: errno: Network is unreachable
Nov 17 08:50:50 pppoed ppp[95701]: tun56: Phase: Radius(acct): STOP data sent
Nov 17 08:50:50 pppoed ppp[95701]: tun56: Command: pppoe-2: bg /etc/ppp/removeClient.sh USER connect HISADDR INTERFACE PPPoE-Service-2 PROCESSID
Nov 17 08:50:51 pppoed ppp[95701]: tun56: Phase: bundle: Terminate
But, the process holding the interface tun56 stays up and still holds
the IP 88.85.109.31
* 3) I have ppp processes which keep tun interfaces up, but aren't
associated with any RADIUS user. For example
tun44: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.0.2.1 --> 10.0.2.63 netmask 0xffffffff
        Opened by PID 8455
tun45: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.0.2.1 --> 10.0.2.188 netmask 0xffffffff
        Opened by PID 51922
Information about the process:
[root at pppoed ~]# ps -auwx | grep 8455
root 8455 0.0 0.2 3252 1900 ?? Ss 13Nov07 0:22.31 /usr/sbin/ppp -direct pppoe-2
First the MTU is 1500 (not specified anywhere in my /etc/ppp/ppp.conf)
and the addresses are not from the ippool of the freeradius. Why do
these connections stay up and don't terminate? Can this cause a DoS
attack on my router? For example a client starts establishing many ppp
connections. Is there a way to limit the number of pppoe connections
(total or per MAC address)? If I set the timeout value, I guess that the
connections will terminate after that amount of seconds, but can I add
priority to the Session-Timeout attribute of the RADIUS server, because
the set timeout is set for all clients.
* 4) Though I think that this is purely a freeRadius issue, I would
appreciate any suggestions, since I can't solve this annoying problem.
The freeRadius assigns duplicate IP addresses to different clients, even
though the requests come from the same NAS and different PORT type. I
use freeRadius 1.1.6 with ippool. The feature works great, but once in
a week or so - this happens. It can be resolved only by terminating both
of the processes, restarting the radius and clearing the
Here is an extraction from my radiusd.conf concerning pools.
ippool soho-1 {
    range-start = 88.85.109.1
    range-stop = 88.85.109.128
    netmask = 255.255.255.255
    cache-size = 0
    session-db = ${raddbdir}/nov-pool-soho-1
    ip-index = ${raddbdir}/nov-pool-index-1
    override = yes
    maximum-timeout = 0
}
ippool soho-2 {
    range-start = 88.85.109.129
    range-stop = 88.85.109.192
    netmask = 255.255.255.255
    cache-size = 0
    session-db = ${raddbdir}/nov-pool-soho-2
    ip-index = ${raddbdir}/nov-pool-index-2
    override = yes
    maximum-timeout = 0
}
ippool soho-3 {
    range-start = 88.85.109.193
    range-stop = 88.85.109.255
    netmask = 255.255.255.255
    cache-size = 0
    session-db = ${raddbdir}/pool-soho-3
    ip-index = ${raddbdir}/pool-index-3
    override = yes
    maximum-timeout = 0
}
I also have them in the accounting and post-auth sections:
accounting {
    ...
    soho-1
    soho-2
    soho-3
    ...
}
post-auth {
    ...
    soho-1
    soho-2
    soho-3
    ...
}
Thank You very much for Your time,
--
Ljupco
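
Added example (not part of either message): a small audit for problems 2 and 3, which parses `ifconfig` output in the layout quoted above and flags tun interfaces whose peer address RADIUS does not list as active, plus peer addresses held by more than one tun. The set of active RADIUS addresses and its source are assumptions; tun61, tun62 and PID 96010 are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ifconfig output quoted in the message.
SAMPLE_IFCONFIG = """\
tun44: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
\tinet 10.0.2.1 --> 10.0.2.63 netmask 0xffffffff
\tOpened by PID 8455
tun56: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
\tinet 10.0.2.1 --> 88.85.109.31 netmask 0xffffffff
\tOpened by PID 95701
tun61: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
\tinet 10.0.2.1 --> 88.85.109.31 netmask 0xffffffff
\tOpened by PID 96010
tun62: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
"""
# Hypothetical input: addresses RADIUS accounting currently lists as in use.
SAMPLE_RADIUS_ACTIVE = {"88.85.109.31"}

IF_RE = re.compile(r"^(tun\d+): flags=\w+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+) --> (\S+)")
PID_RE = re.compile(r"^\s+Opened by PID (\d+)")

def parse_tuns(text):
    """Return {ifname: {"up": bool, "peer": str or None, "pid": int or None}}."""
    tuns, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new interface stanza starts
            m = IF_RE.match(line)
            cur = None                          # ignore stanzas that are not tunN
            if m:
                flags = m.group(2).split(",")
                cur = tuns[m.group(1)] = {"up": "UP" in flags, "peer": None, "pid": None}
        elif cur is not None:
            if (m := INET_RE.match(line)) and cur["peer"] is None:
                cur["peer"] = m.group(2)        # remote end of the point-to-point link
            elif m := PID_RE.match(line):
                cur["pid"] = int(m.group(1))    # the ppp process holding the tun
    return tuns

def audit(ifconfig_text, radius_active):
    """Return (orphans, duplicates) for UP tun interfaces."""
    live = {n: t for n, t in parse_tuns(ifconfig_text).items() if t["up"] and t["peer"]}
    by_peer = defaultdict(list)
    for name, t in live.items():
        by_peer[t["peer"]].append(name)
    orphans = sorted((n, t["peer"], t["pid"]) for n, t in live.items()
                     if t["peer"] not in radius_active)
    duplicates = {p: sorted(names) for p, names in by_peer.items() if len(names) > 1}
    return orphans, duplicates
```

The orphan list carries the owning PID, so the result can be reviewed before any ppp process is stopped.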