PPPOE Differences between 1.2.3 and 2.0
-
First, I want to start by saying I'm no PPPoE expert or authentication expert, but I have noticed something that might be a step backwards for pfSense 2.0 from 1.2.3.
I have one customer using PPPoE right now, kind of a test run. They are the only reason I still have a 1.2.3 pfSense router running, because when I set up my new 2.0 router and shut down the old router, they won't connect to the new 2.0 PPPoE server with the same username/password and their existing configuration.
For me to get them to connect, I have to change the authentication from PAP to CHAP in the mpd.conf. I started reading, and from what little I read PAP is not as secure as CHAP; again, you can't believe everything you read on the internet, so that's why I'm starting this thread. Is the new default PAP, and is it better than CHAP? Also, I see that this is a setting in /etc/inc/vpn.inc that is stored in the variable "$pppoecfg['paporchap']", but I don't see a way to set this through the web interface.
I'm kind of wondering, since I don't see a lot of activity in the PPPoE server forum, whether this might be a bug and it should default to CHAP like 1.2.3 does?
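To make the PAP-versus-CHAP difference the post asks about concrete, here is an added example (not pfSense or mpd code) that builds a PAP Authenticate-Request as defined in RFC 1334 and runs the server side of a CHAP-MD5 challenge/response as defined in RFC 1994; the username "CSR" is taken from the log, the secret and the user table are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed credential table: the thread's real secret for "CSR" is unknown.
USERS = {b"CSR": b"correct horse battery"}

def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request: Code 1, Identifier, Length, Peer-ID, Password.
    The password is carried in the packet exactly as typed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapMd5Server:
    """Server side of the 'AUTHPROTO CHAP MD5' exchange shown in the mpd logs."""
    def __init__(self, users):
        self.users = users
        self.pending = {}  # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int, length: int = 16) -> bytes:
        value = os.urandom(length)          # fresh random challenge per attempt
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # each challenge is used once
        if challenge is None or name not in self.users:
            return False
        expected = chap_md5_response(identifier, self.users[name], challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

def demo():
    """Returns (pap_carries_secret, chap_ok, chap_wrong_secret, chap_replay)."""
    pap = pap_authenticate_request(7, b"CSR", USERS[b"CSR"])
    pap_carries_secret = USERS[b"CSR"] in pap          # plaintext secret on the wire
    server = ChapMd5Server(USERS)
    chal = server.challenge(1)
    good = chap_md5_response(1, USERS[b"CSR"], chal)  # only a hash crosses the link
    chap_ok = server.verify(1, b"CSR", good)
    chal2 = server.challenge(2)
    bad = chap_md5_response(2, b"wrong secret", chal2)
    chap_wrong_secret = server.verify(2, b"CSR", bad)
    chap_replay = server.verify(1, b"CSR", good)       # challenge #1 already consumed
    return pap_carries_secret, chap_ok, chap_wrong_secret, chap_replay
```

The replay check is why mpd issues a new random CHALLENGE for every connection attempt: a captured CHAP response is only valid for the challenge it answered.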
-
So I have a pfSense 1.2.3 router with a PPPoE server; it assigns a static IP to the client from my WAN interface. Works great, here is the log:
Oct 26 20:42:22 mpd: Incoming PPPoE connection request via em2: for service "*" from 00:0a:cd:14:d9:8e
Oct 26 20:42:22 mpd: PROTOCOMP
Oct 26 20:42:22 mpd: MRU 1492
Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
Oct 26 20:42:22 mpd: MAGICNUM 501be513
Oct 26 20:42:22 mpd: MAGICNUM 501be513
Oct 26 20:42:22 mpd: PROTOCOMP
Oct 26 20:42:22 mpd: MRU 1492
Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
Oct 26 20:42:22 mpd: MRU 1492
Oct 26 20:42:22 mpd: MAGICNUM ec44aeac
Oct 26 20:42:22 mpd: AUTHPROTO CHAP MD5
Oct 26 20:42:22 mpd: Name: "CSR"
Oct 26 20:42:22 mpd: Peer name: "CSR"
Oct 26 20:42:22 mpd: Response is valid
Oct 26 20:42:22 mpd: IPADDR 192.168.101.2
Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
Oct 26 20:42:24 mpd: IPADDR 192.168.101.2
Oct 26 20:42:24 mpd: 192.168.101.2 -> 173.160.XXX.XXX
I can ping the client after connection and connect to the Remote Desktop Server. I'm using VMware ESXi, and when I pause the 1.2.3 router and enable the PPPoE server on my new 2.0 router with the same PPPoE Server config, everything looks good (after disabling compression and changing the auth to CHAP), but it seems that I cannot ping or connect to the Remote Desktop Server like I can with the 1.2.3 router. One last note is that I can ping the PPPoE client's public IP from the web interface when it connects to the PPPoE Server.
Oct 26 20:33:48 poes: Incoming PPPoE connection request via em4: for service "*" from 00:0a:cd:14:d9:8e
Oct 26 20:33:48 poes: [poes10] Accepting PPPoE connection
Oct 26 20:33:48 poes: [poes10] opening link "poes10"...
Oct 26 20:33:48 poes: [poes10] link: OPEN event
Oct 26 20:33:48 poes: [poes10] LCP: Open event
Oct 26 20:33:48 poes: [poes10] LCP: state change Initial --> Starting
Oct 26 20:33:48 poes: [poes10] LCP: LayerStart
Oct 26 20:33:48 poes: [poes10] PPPoE: connection successful
Oct 26 20:33:48 poes: [poes10] link: UP event
Oct 26 20:33:48 poes: [poes10] link: origination is remote
Oct 26 20:33:48 poes: [poes10] LCP: Up event
Oct 26 20:33:48 poes: [poes10] LCP: state change Starting --> Req-Sent
Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #1
Oct 26 20:33:48 poes: PROTOCOMP
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
Oct 26 20:33:48 poes: MAGICNUM 24cbf809
Oct 26 20:33:48 poes: [poes10] LCP: SendConfigAck #121
Oct 26 20:33:48 poes: MAGICNUM 24cbf809
Oct 26 20:33:48 poes: [poes10] LCP: state change Req-Sent --> Ack-Sent
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
Oct 26 20:33:48 poes: PROTOCOMP
Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #2
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] LCP: state change Ack-Sent --> Opened
Oct 26 20:33:48 poes: [poes10] LCP: auth: peer wants nothing, I want CHAP
Oct 26 20:33:48 poes: [poes10] CHAP: sending CHALLENGE len:20
Oct 26 20:33:48 poes: [poes10] LCP: LayerUp
Oct 26 20:33:48 poes: [poes10] CHAP: rec'd RESPONSE #1
Oct 26 20:33:48 poes: Name: "CSR"
Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread started
Oct 26 20:33:48 poes: [poes10] AUTH: Trying INTERNAL
Oct 26 20:33:48 poes: [poes10] AUTH: INTERNAL returned undefined
Oct 26 20:33:48 poes: [poes10] AUTH: Auth-Thread finished normally
Oct 26 20:33:48 poes: [poes10] CHAP: ChapInputFinish: status undefined
Oct 26 20:33:48 poes: Response is valid
Oct 26 20:33:48 poes: Reply message: Welcome
Oct 26 20:33:48 poes: [poes10] CHAP: sending SUCCESS len:7
Oct 26 20:33:48 poes: [poes10] LCP: authorization successful
Oct 26 20:33:48 poes: [poes10] Bundle up: 1 link, total bandwidth 64000 bps
Oct 26 20:33:48 poes: [poes10] IPCP: Open event
Oct 26 20:33:48 poes: [poes10] IPCP: state change Initial --> Starting
Oct 26 20:33:48 poes: [poes10] IPCP: LayerStart
Oct 26 20:33:48 poes: [poes10] IPCP: Up event
Oct 26 20:33:48 poes: [poes10] IPCP: state change Starting --> Req-Sent
Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigReq #1
Oct 26 20:33:48 poes: IPADDR 10.5.250.4
Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Request #123 (Req-Sent)
Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigAck #123
Oct 26 20:33:48 poes: [poes10] IPCP: state change Req-Sent --> Ack-Sent
Oct 26 20:33:48 poes: [poes10] IPCP: rec'd Configure Ack #1 (Ack-Sent)
Oct 26 20:33:48 poes: IPADDR 10.5.250.4
Oct 26 20:33:48 poes: [poes10] IPCP: state change Ack-Sent --> Opened
Oct 26 20:33:48 poes: [poes10] IPCP: LayerUp
Oct 26 20:33:48 poes: 10.5.250.4 -> 173.160.XXX.XXX
Oct 26 20:33:48 poes: [poes10] IFACE: Up event
Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
Oct 26 20:33:58 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
Here is a copy of the mpd.conf from 2.0, with compression disabled and the auth changed to CHAP:
pppoe_standard:
        set bundle no multilink
        #set bundle enable compression
        set auth max-logins 1
        set iface up-script /usr/local/sbin/vpn-linkup
        set iface down-script /usr/local/sbin/vpn-linkdown
        set iface idle 0
        set iface disable on-demand
        set iface disable proxy-arp
        set iface enable tcpmssfix
        set iface mtu 1500
        set link no pap chap
        set link enable chap
        set link keep-alive 60 180
        set ipcp yes vjcomp
        set ipcp no vjcomp
        set link max-redial -1
        set link mtu 1492
        set link mru 1492
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set link latency 1
        #set ipcp dns 10.10.1.3
        #set bundle accept encryption
        set ipcp dns 192.168.2.4 75.75.75.75
Questions:
Am I missing some firewall change that is different from 1.2.3, and do I need a rule to fix this?
Why the change from CHAP to PAP as the default in 2.0?
Any thoughts on why the compression was throwing an error with 2.0, or did 1.2.3 just not show errors when it could not negotiate compression?