Netgate Discussion Forum

    PPPOE Differences between 1.2.3 and 2.0

      salmonbaytech

      First I want to start with I'm no PPPOE expert or authentication expert, but I have noticed something that might be a step backwards for PFSense 2.0 from 1.2.3.

      I have one customer using PPPOE right now, kind of a test run. They are the only reason I still have a 1.2.3 PFSense router running, because setting up my new 2.0 router and shutting down the old router, they won't connect to the new 2.0 PPPOE server with the same username/password with their existing configuration.

      For me to get them to connect, I have to change the authentication from PAP to CHAP in the mpd.conf. I started reading and from what little I read PAP is not as secure as CHAP, again can't believe everything you read on the internet so that's why I'm starting this thread. Is the new default PAP and is it better than CHAP? Also, I see that this is a setting in /etc/inc/vpn.inc that is stored in this variable "$pppoecfg['paporchap']" but I don't see a way to set this through the web interface.

      I'm kind of wondering, since I don't see a lot of activity in the PPPOE server forum that this might be a bug and it should default to CHAP like 1.2.3 does?

        salmonbaytech

        So I have a pfsense 1.2.3 router with a pppoe server; it assigns a static ip to the client from my wan interface. Works great, here is the log.

        
        Oct 26 20:42:22	mpd: Incoming PPPoE connection request via em2: for service "*" from 00:0a:cd:14:d9:8e
        Oct 26 20:42:22	mpd: PROTOCOMP
        Oct 26 20:42:22	mpd: MRU 1492
        Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
        Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
        Oct 26 20:42:22	mpd: MAGICNUM 501be513
        Oct 26 20:42:22	mpd: MAGICNUM 501be513
        Oct 26 20:42:22	mpd: PROTOCOMP
        Oct 26 20:42:22	mpd: MRU 1492
        Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
        Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
        Oct 26 20:42:22	mpd: MRU 1492
        Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
        Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
        Oct 26 20:42:22	mpd: Name: "CSR"
        Oct 26 20:42:22	mpd: Peer name: "CSR"
        Oct 26 20:42:22	mpd: Response is valid
        Oct 26 20:42:22	mpd: IPADDR 192.168.101.2
        Oct 26 20:42:24	mpd: IPADDR 192.168.101.2
        Oct 26 20:42:24	mpd: IPADDR 192.168.101.2
        Oct 26 20:42:24	mpd: 192.168.101.2 -> 173.160.XXX.XXX
        
        

        Can ping client after connection and connect to the Remote Desktop Server. I'm using VMWare ESXI, and when I pause the 1.2.3 router and enable the pppoe server on my new 2.0 router, with the same PPPOE Server config, everything looks good (after disabling compression and changing the auth to CHAP), but it seems that I cannot ping or connect to the Remote Desktop Server like I can with the 1.2.3 Router. One last note is that I can ping the PPPOE client public IP when it connects to the PPPOE Server from the web interface.

        
        Oct 26 20:33:48	poes: Incoming PPPoE connection request via em4: for service "*" from 00:0a:cd:14:d9:8e
        Oct 26 20:33:48	poes: [poes10] Accepting PPPoE connection
        Oct 26 20:33:48	poes: [poes10] opening link "poes10"...
        Oct 26 20:33:48	poes: [poes10] link: OPEN event
        Oct 26 20:33:48	poes: [poes10] LCP: Open event
        Oct 26 20:33:48	poes: [poes10] LCP: state change Initial --> Starting
        Oct 26 20:33:48	poes: [poes10] LCP: LayerStart
        Oct 26 20:33:48	poes: [poes10] PPPoE: connection successful
        Oct 26 20:33:48	poes: [poes10] link: UP event
        Oct 26 20:33:48	poes: [poes10] link: origination is remote
        Oct 26 20:33:48	poes: [poes10] LCP: Up event
        Oct 26 20:33:48	poes: [poes10] LCP: state change Starting --> Req-Sent
        Oct 26 20:33:48	poes: [poes10] LCP: SendConfigReq #1
        Oct 26 20:33:48	poes: PROTOCOMP
        Oct 26 20:33:48	poes: MRU 1492
        Oct 26 20:33:48	poes: MAGICNUM c5d20912
        Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
        Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
        Oct 26 20:33:48	poes: MAGICNUM 24cbf809
        Oct 26 20:33:48	poes: [poes10] LCP: SendConfigAck #121
        Oct 26 20:33:48	poes: MAGICNUM 24cbf809
        Oct 26 20:33:48	poes: [poes10] LCP: state change Req-Sent --> Ack-Sent
        Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
        Oct 26 20:33:48	poes: PROTOCOMP
        Oct 26 20:33:48	poes: [poes10] LCP: SendConfigReq #2
        Oct 26 20:33:48	poes: MRU 1492
        Oct 26 20:33:48	poes: MAGICNUM c5d20912
        Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
        Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
        Oct 26 20:33:48	poes: MRU 1492
        Oct 26 20:33:48	poes: MAGICNUM c5d20912
        Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
        Oct 26 20:33:48	poes: [poes10] LCP: state change Ack-Sent --> Opened
        Oct 26 20:33:48	poes: [poes10] LCP: auth: peer wants nothing, I want CHAP
        Oct 26 20:33:48	poes: [poes10] CHAP: sending CHALLENGE len:20
        Oct 26 20:33:48	poes: [poes10] LCP: LayerUp
        Oct 26 20:33:48	poes: [poes10] CHAP: rec'd RESPONSE #1
        Oct 26 20:33:48	poes: Name: "CSR"
        Oct 26 20:33:48	poes: [poes10] AUTH: Auth-Thread started
        Oct 26 20:33:48	poes: [poes10] AUTH: Trying INTERNAL
        Oct 26 20:33:48	poes: [poes10] AUTH: INTERNAL returned undefined
        Oct 26 20:33:48	poes: [poes10] AUTH: Auth-Thread finished normally
        Oct 26 20:33:48	poes: [poes10] CHAP: ChapInputFinish: status undefined
        Oct 26 20:33:48	poes: Response is valid
        Oct 26 20:33:48	poes: Reply message: Welcome
        Oct 26 20:33:48	poes: [poes10] CHAP: sending SUCCESS len:7
        Oct 26 20:33:48	poes: [poes10] LCP: authorization successful
        Oct 26 20:33:48	poes: [poes10] Bundle up: 1 link, total bandwidth 64000 bps
        Oct 26 20:33:48	poes: [poes10] IPCP: Open event
        Oct 26 20:33:48	poes: [poes10] IPCP: state change Initial --> Starting
        Oct 26 20:33:48	poes: [poes10] IPCP: LayerStart
        Oct 26 20:33:48	poes: [poes10] IPCP: Up event
        Oct 26 20:33:48	poes: [poes10] IPCP: state change Starting --> Req-Sent
        Oct 26 20:33:48	poes: [poes10] IPCP: SendConfigReq #1
        Oct 26 20:33:48	poes: IPADDR 10.5.250.4
        Oct 26 20:33:48	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
        Oct 26 20:33:48	poes: [poes10] IPCP: rec'd Configure Request #123 (Req-Sent)
        Oct 26 20:33:48	poes: [poes10] IPCP: SendConfigAck #123
        Oct 26 20:33:48	poes: [poes10] IPCP: state change Req-Sent --> Ack-Sent
        Oct 26 20:33:48	poes: [poes10] IPCP: rec'd Configure Ack #1 (Ack-Sent)
        Oct 26 20:33:48	poes: IPADDR 10.5.250.4
        Oct 26 20:33:48	poes: [poes10] IPCP: state change Ack-Sent --> Opened
        Oct 26 20:33:48	poes: [poes10] IPCP: LayerUp
        Oct 26 20:33:48	poes: 10.5.250.4 -> 173.160.XXX.XXX
        Oct 26 20:33:48	poes: [poes10] IFACE: Up event
        Oct 26 20:33:48	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
        Oct 26 20:33:58	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
        
        

        Here is a copy of the mpd.conf from 2.0. Disabled compression and changed to CHAP.

        
        pppoe_standard:
                set bundle no multilink
                #set bundle enable compression
                set auth max-logins 1
                set iface up-script /usr/local/sbin/vpn-linkup
                set iface down-script /usr/local/sbin/vpn-linkdown
                set iface idle 0
                set iface disable on-demand
                set iface disable proxy-arp
                set iface enable tcpmssfix
                set iface mtu 1500
                set link no pap chap
                set link enable chap
                set link keep-alive 60 180
                set ipcp yes vjcomp
                set ipcp no vjcomp
                set link max-redial -1
                set link mtu 1492
                set link mru 1492
                set ccp yes mpp-e40
                set ccp yes mpp-e128
                set ccp yes mpp-stateless
                set link latency 1
                #set ipcp dns 10.10.1.3
                #set bundle accept encryption
                set ipcp dns 192.168.2.4 75.75.75.75
        
        

        Questions
        Am I missing some firewall change that is different than 1.2.3 and need a rule to fix this?
        Why the change from CHAP to PAP as the default in 2.0?
        Any thoughts on why the compression was throwing an error with 2.0, or did the 1.2.3 not show errors when it could not negotiate compression?

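Added example (not pfSense's or mpd's own code): a small parser that works out the effective `set <layer> <verb> <option>` state of the posted mpd.conf, where later lines override earlier ones, and reports whether PAP is explicitly enabled or accepted. It models only options set in the file, not mpd's built-in defaults; `POSTED_CONF` is an excerpt of the config above and the function names are hypothetical.

```python
# Excerpt of the mpd.conf posted above, embedded so the example runs offline.
POSTED_CONF = """\
pppoe_standard:
        set bundle no multilink
        #set bundle enable compression
        set auth max-logins 1
        set link no pap chap
        set link enable chap
        set link keep-alive 60 180
        set ipcp yes vjcomp
        set ipcp no vjcomp
"""

# mpd option verbs: enable/disable = what we ask of the peer,
# accept/deny = what we let the peer ask of us, yes/no = both at once.
VERBS = {
    "enable": {"enable": True}, "disable": {"enable": False},
    "accept": {"accept": True}, "deny": {"accept": False},
    "yes": {"enable": True, "accept": True},
    "no": {"enable": False, "accept": False},
}
PAP_MEANING = (("enable", "asks the peer to authenticate with PAP"),
               ("accept", "will authenticate itself with PAP if the peer asks"))


def effective_options(conf_text):
    """Map label -> {(layer, option): flags}; later lines override earlier ones."""
    state, label = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.endswith(":") and not raw[:1].isspace():
            label = line[:-1]                      # unindented "name:" starts a section
            state[label] = {}
            continue
        words = line.split()
        if label and len(words) >= 4 and words[0] == "set" and words[2] in VERBS:
            for option in words[3:]:
                state[label].setdefault((words[1], option), {}).update(VERBS[words[2]])
    return state


def pap_exposure(conf_text):
    """List sections whose explicit settings request or accept cleartext PAP."""
    findings = []
    for label, opts in effective_options(conf_text).items():
        pap = opts.get(("link", "pap"), {})
        findings += [f"{label}: {text}" for flag, text in PAP_MEANING if pap.get(flag)]
    return findings
```

For the posted config this gives PAP off in both directions and CHAP requested but not accepted, which matches the `peer wants nothing, I want CHAP` line in the 2.0 log.
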
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.