Netgate Discussion Forum

    PPPoE host-uniq

    General pfSense Questions
    17 Posts 3 Posters 3.7k Views
    • T
      trollshiro
      last edited by trollshiro

      Re: Setting host-uniq for PPPoE

      Hi everyone, I have an issue that seems related to the mentioned thread.
      My ISP uses host-uniq, but if I fill the field in the GUI, Wireshark shows that values are sent in EBCDIC.

      PFsense config (example):
      pfsense uniq.PNG-

      Wireshark:
      wireshark uniq.PNG -

      Wireshark from ISP router (a Fritz Box, the erased bytes correspond to the WAN mac address):
      isp.jpg -

      If I try to insert the ASCII string (like F!BOX) in the GUI it says that only HEX values are allowed.

      I am not sure if it's a bug or I am missing something.

      Version: 2.5.1-RELEASE (amd64)

      Thanks,
      Andrea

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by stephenw10

        Hmm, interesting. Entering an ascii string there converts it to hex and ! should be valid. Looks like there's an input check bug there.
        However you can also enter hex values there directly. I tested with 0x74657374, "test".
        You can see the generated mpd conf file in /var/etc to check. It just uses the hex value directly so you should be able to enter it that way.

        If that still doesn't work you can use an entirely custom mpd .conf file by simply putting it in /conf. Just copy the correctly named file from /var/etc, for example mpd_wan.conf, and edit it directly.
        Using that method allows you to do pretty much anything mpd is capable of.

        Steve

        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Actually the input validation is correct for the expected data there. If you need to enter anything other than Letters and Numbers you need to enter it as hex directly.

          Steve

          • T
            trollshiro @stephenw10
            last edited by

            @stephenw10

            Hi Steve,
            thanks, I will give it a try in the WE. It seems my ISP is doing something non-standard so do you have any official documentation about host-uniq? Haven't found much except RFC 2516.

            Andrea

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by stephenw10

              I don't think there is anything in the pfSense docs about it directly.

              The information in the two threads and the redmine feature request is probably all there is.

              It's not that complex though. You enter it in the gui as either hex directly or as ascii (limited to numbers and letters) and that value is prepended to the pppoe service value in mpd.conf like:

              set pppoe service "0x61616161|test"
              

              Resulting in:

              Frame 66: 67 bytes on wire (536 bits), 67 bytes captured (536 bits)
              Ethernet II, Src: ADIEngin_12:17:7c (00:08:a2:12:17:7c), Dst: silicom_0f:74:48 (90:ec:77:0f:74:48)
              PPP-over-Ethernet Discovery
                  0001 .... = Version: 1
                  .... 0001 = Type: 1
                  Code: Active Discovery Offer (PADO) (0x07)
                  Session ID: 0x0000
                  Payload Length: 47
                  PPPoE Tags
                      AC-Name: test_box1.stevew.lan
                      Service-Name: test
                      Host-Uniq: 61616161
                      AC-Cookie: c015738801f8ffff
              

              I expect to see something here but there's nothing.

              Edit: In fact this is documented here:
              https://www.freebsd.org/cgi/man.cgi?query=ng_pppoe#CONTROL%09MESSAGES

              Steve

              • T
                trollshiro @stephenw10
                last edited by trollshiro

                @stephenw10

                Hi Steve,
                thanks for your reply.

                Your explanation was enough, thank you, I need the documentation to argue with my ISP, in case.
                Anyway I was able to reproduce the string from my ISP but it's still not working, the only difference I can see between my dump and the one from ISP (and yours) is that the TAGS are sent in the reverse order. Service-name should be sent first I guess, could it be the reason why I got a timeout?

                set pppoe service "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|Test"
                
                Payload Length: 40
                PPPoE Tags
                    Tag: Host-Uniq (0x0103)
                    Tag Length: 28
                    Host-Uniq: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...
                    Tag: Service-Name (0x0101)
                    Tag Length: 4
                    Service-Name: Test
                

                It seems I also found an issue with Tag length: if I add one byte to the host-uniq, two bytes are stripped from service-name. This does not affect me, since service-name is not required by my ISP, it's just to let you know.

                set pppoe service "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|Test"
                

                Payload length decreases by 1

                Payload Length: 39
                PPPoE Tags
                    Tag: Host-Uniq (0x0103)
                    Tag Length: 29
                    Host-Uniq: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...
                    Tag: Service-Name (0x0101)
                    Tag Length: 2
                    Service-Name: Te
                

                Andrea
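
The tag arithmetic in the two dumps above can be checked mechanically. This is an added example, not part of the original post and not pfSense or mpd code: a small Python parser for the PPPoE Discovery tag list (16-bit type, 16-bit length, value, per RFC 2516) that compares a captured payload with the `0xHEX|service` string from mpd.conf. Function names are hypothetical, and the payloads are constructed from the tag lengths quoted in the post.

```python
import struct

# Tag types from RFC 2516: the two the thread configures plus the PADO ones.
TAG_NAMES = {0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

def split_mpd_service(arg):
    """Split the 'set pppoe service' argument '0xHEX|name' into raw bytes."""
    if arg.startswith("0x") and "|" in arg:
        hex_part, name = arg[2:].split("|", 1)
        return bytes.fromhex(hex_part), name.encode("ascii")
    return b"", arg.encode("ascii")

def encode_tags(tags):
    """Encode (type, value) pairs as TLVs: 16-bit type, 16-bit length, value."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)

def parse_tags(payload):
    """Parse a discovery payload, rejecting tags that overrun it."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated tag header")
        t, n = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError(f"tag 0x{t:04x} length {n} overruns payload")
        tags.append((t, payload[off:off + n]))
        off += n
    return tags

def check_against_config(service_arg, payload):
    """List the tags whose captured value differs from the configured one."""
    host_uniq, service = split_mpd_service(service_arg)
    seen = dict(parse_tags(payload))
    problems = []
    for t, want in ((0x0103, host_uniq), (0x0101, service)):
        got = seen.get(t)
        if got != want:
            got_len = "no" if got is None else len(got)
            problems.append(f"{TAG_NAMES[t]}: expected {len(want)} bytes, "
                            f"captured {got_len}")
    return problems

# Constructed payloads matching the tag lengths quoted in the post.
GOOD = encode_tags([(0x0103, b"\xaa" * 28), (0x0101, b"Test")])   # 40 bytes
SHORT = encode_tags([(0x0103, b"\xaa" * 29), (0x0101, b"Te")])    # 39 bytes

if __name__ == "__main__":
    print(len(GOOD), check_against_config("0x" + "aa" * 28 + "|Test", GOOD))
    print(len(SHORT), check_against_config("0x" + "aa" * 29 + "|Test", SHORT))
```

Each tag costs 4 header bytes plus its value, so the first dump's 40 bytes are consistent with the config, while a faithful encoding of the second config would need 41 bytes rather than the 39 captured.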

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Hmm, 32B limit maybe?

                  I can't imagine the tag order makes any difference. The server replies with a different order here.

                  • T
                    trollshiro @stephenw10
                    last edited by trollshiro

                    @stephenw10

                    Hi,
                    I tried OpenWRT, which sends the packet in the same order as my ISP router, but I still have a timeout. The ISP is obviously doing something nasty to prevent use of non-proprietary routers, but packets from ISP and oWRT are identical from what I can see, do you have any suggestion?

                    About the 32B limit, yes, I think it could be that, but Host-Uniq could be of any length as far as I can understand. But again, it's not an issue for me, just something weird that I found out.

                    Thanks again for your patience

                    Andrea

                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Spoof the MAC address of the parent interface to match the ISP router?

                      • T
                        trollshiro @stephenw10
                        last edited by

                        @stephenw10

                        Already done, it was the first thing... (sigh)

                        • JKnottJ
                          JKnott @trollshiro
                          last edited by

                          @trollshiro said in PPPoE host-uniq:

                          My ISP uses host-uniq, but if I fill the field in the GUI, Wireshark shows that values are sent in EBCDIC.

                          Actually, it's ASCII. aaaa = 61 ASCII and 81 EBCDIC.

                          BTW, I started my telecom career as a bench tech overhauling Teletype machines and worked with ASCII and Baudot codes daily. I still have the code card somewhere. There was one system I used to work on, for CN Rail, where the computer worked with ASCII, Baudot, EBCDIC and Hollerith codes, depending on which circuit or device it was talking to.

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          • T
                            trollshiro
                            last edited by

                            @stephenw10

                            After some debugging I found that the ISP router sent out PADI packets with a weird timing

                            11:24:53.046530	XX:XX:XX:XX:XX:XX		Broadcast		PPPoED	58	Active Discovery Initiation (PADI)
                            11:24:53.707597	XX:XX:XX:XX:XX:XX		Broadcast		PPPoED	58	Active Discovery Initiation (PADI)
                            11:24:54.707684	XX:XX:XX:XX:XX:XX		Broadcast		PPPoED	58	Active Discovery Initiation (PADI)
                            11:25:06.707842	XX:XX:XX:XX:XX:XX		Broadcast		PPPoED	58	Active Discovery Initiation (PADI)
                            

                            And it always starts working after the 4th packet is sent. I cannot see the PADO anyway, probably it's filtered by the ONT.

                            There is also a sort of counter in the corresponding host-uniq field.

                            Host-Uniq:XXXXXXXXXXXXaaaaaaaa01000000aaaaaaaa4621426f7820...
                            Host-Uniq:XXXXXXXXXXXXaaaaaaaa01000000aaaaaaaa4621426f7820...
                            Host-Uniq:XXXXXXXXXXXXaaaaaaaa01000000aaaaaaaa4621426f7820...
                            Host-Uniq:XXXXXXXXXXXXaaaaaaaa02000000aaaaaaaa4621426f7820...
                            

                            So I gave up, it's completely out of standard.
                            Do you think it's possible to use the ISP router only for PPPoE authentication and pfSense as an actual router?

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Possibly if it has some sort of bridging mode. I would not hold my breath though. 😉

                              Is that "counter" always the same? Have you tried just using the 4 packet string?

                              Steve

                              • T
                                trollshiro @stephenw10
                                last edited by

                                @stephenw10

                                It increases by one after 3 packets and then by another one, so it's something like this:

                                01000000 (0.5 sec)
                                01000000 (1 sec)
                                01000000 (12 sec)
                                02000000 (15 sec) -> here I got connectivity
                                03000000
                                03000000
                                03000000
                                04000000

                                So I tried to replicate that with a stupid shell script that called mpd5, sleep xx, kill, and did that again with a different mpd.conf file (with another string) but it led nowhere (timing is not so accurate).

                                • T
                                  trollshiro @stephenw10
                                  last edited by

                                  @stephenw10

                                  Hi,
                                  it's solved now.

                                  After some fights with the ISP they changed some settings and I was able to connect directly from my PC (Windows, no MAC spoofing required) but not yet from pfSense. After some debugging I found they accept only PAP and they drop the connection with any other protocol, so I changed this line in mpd_wan.conf

                                  set link accept chap pap eap
                                  

                                  to

                                  set link accept pap
                                  

                                  Now it connects smoothly, thanks a lot for your help. Hope this could be useful to someone else.

                                  Note: my provider also requires that the VLAN is set to 835, I guess it has something to do with VPI-VCI

                                  • stephenw10S
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    Still need to send the host-uniq value?

                                    Steve

                                    • T
                                      trollshiro @stephenw10
                                      last edited by

                                      @stephenw10

                                      No, it's not needed anymore. The only difference with a standard config is PAP.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.