Tagged PPPOE not working with Hyper-V
-
I'm having a bit of trouble getting vlan tagged PPPOE to work with PFsense on Hyper-V. My ISP requires that PPPOE traffic be tagged on VLAN 10
Here's how my network is laid out:
So NIC 2 on the PFsense VM is what I'm using for the PPPOE connection. In the settings of the VM I've tried specifying the VLAN for the VMs NIC as 10 and I've also left it unticked but that made no difference. Using TCPdump all I see is this on the WAN interface setup for PPPOE:
17:08:20.262217 PPPoE PADI [Host-Uniq 0xC071E70500F8FFFF] [Service-Name] [PPP-Max-Payload 0x05DC]In PFSense, I've tried two ways of setting up the PPPOE connection. The first way involved creating VLAN 10 in PFsense as shown:
And then configuring the PPPOE connection against the VLAN interface:
I also tried creating the PPPOE connection on the interface itself but to no avail. With both options I also tried them both with VLAN 10 specified in the settings of the VM's NIC and with it unspecified. I'm not really sure what I'm doing wrong at this point.
I'm fairly certain it has nothing to do with the Netgear or Cisco switches as if I plug a Mikrotik router into the same port on the Cisco switch that NIC 2 on the Hyper-V server was plugged into the connection comes up fine on the Mikrotik.
-
@matt_nz Did you get to the bottom of this buddy, I am having this issue now with Vodafone Gigafast and VLAN 911 using PPPoe credentials.
-
Wait..what? Doesn't the ONT untag it?
I have a similar setup, PPPoE servers are in the VLAN891 or something like that in the ISP's network all the way to the ONT.
I route mode, it works with it directly, J/K these devices suck in route mode but they do handle the VLAN directly, for what it's worth. In bridge mode it untags the VLAN and the ports all are access ports basically on the native VLAN (untagged 1 or 0); pfSense and other firewalls are virtualized, and since my ISP allows several connections, the ONT connects to an access port on a switch where PPPoE traffic is available to any PPPoE-cabable device with access to that VLAN.
The ONTs' and modems' bridge mode is exactly the same thing as if you'd bridge interfaces in pfSense, it bridges the VLAN ISP-side to the native one so the device that dials up the connection doesn't need to also be VLAN-aware, most client devices aren't supposed to be. I don't think the problem is on pfSense but rather in Hyper-V. If you didn't use System Center VMM to set it up, tagged VLANs in Hyper-V are only doable via PowerShell. So, when you set up pfSense to expect a tagged VLAN I think it might be expecting something like a Q-in-Q at that point. I'll assume that by Mikrotik, you meant CHR which treats these things very differently in addition of PPPoE is kind of their thing. I'm familiar with CHR and I know it's easy to get a misconfigured working router by accident — I'm not saying you did, I just mean that it's very forgiving in regards to this specific setup — if your ONT is in bridge mode, double check its settings. Mine, Huawei-branded, can even bridge the ISP-side PPPoE VLAN to specific ports on it which other modems can piggyback to access the ISP (they're handed out like hotcakes bc they double as VoIP terminals).
Just in case you didn't know, when you add enable Hyper-V, Windows is turned into a VM, so is its own networking; when you add a external switch on Hyper-V, you take away a NIC from Windows, create this virtual raw thing where all VLANs exist. Allow management operative system to share this network adapter is kind of misleading bc the switch comes first, checking that option what actually does is to create a virtual NIC for the VM Windows has become. It's the virtual switch that shares the network with Windows, not the other way around. The VLAN ID boxes are also confusing because they suggest the traffic is tagged to the guest OS to untag it on its own—not the case. I don't know how to invert Microsoft's words to explain the reasoning behind such a horribly mislabeled UI.
I think that if you select your NIC without isolating the VLAN first, it should work.
Check out how one of my boxes is set, hopefully it helps your figure things out.
If you want to set a trunk port to your VM you'll need to do it in PowerShell, remote in
Enter-PSSession {machineName}from another newer Windows machine if you can so you get color syntax, it wasn't available on Windows Server 2012 R2.Get the vNICs of your VM and convert one or more to trunk ports so you do all in pfSense and don't need to reconfigure Windows each time. Remember every Microsoft product has a tendency of failing for no reason.
If your VM only has one NIC, you can pipe the commands, e.g;
Get-VMNetworkAdapter -VMName IdentiCA | Set-VMNetworkAdapterVlan -VMName IdentiCA -VMNetworkAdapterName "Network Adapter" -Trunk -AllowedVlanIdList 1-4094 -NativeVlanId 1. :)You may already know there's an issue with Windows since WS2012R2 to present WS2022 that even when you configure a network adapter correctly it's saved without a gateway, thus locking you out unless you have console access or are in the same L2 to fix it — don't forget about it.
If that doesn't fix your issue, there's one other thing… Some time back I becamed obsessed with telecom tech and found out that PPPoE, which is somewhere between layers 2 and 3, cannot just be put reliably into VLANs, I can vouch for that myself; back when had 4 PPPoE ADSL2+/VDSL2 lines I had to maintain them separated because 1. being all mine, credentials would be accepted anywhere, but being 2. DSL they all had different physical max speeds, which the username logically limited further, so I tried a million times to send them over VLANs but only 3 would connect. I learned that there's a special kind of switch that's compatible with this thing now called PPPoEoE — not kidding — it appears only to be made by Cisco, so you might be in luck, I even posted it here somewhere, in the end it was too little information though so never was able to make it work without discrete NICs.
Good luck with your setup!
