Transparent firewall + PPPoE dialer with dynamic addressing

  • I've been trying this for quite a while now but so far I haven't been able to achieve it, maybe it isn't possible.

    I want to set a middle router between a xDSL modem and the main router down the line. In this setup, I know I need to link the end devices as if the middle one didn't exist; so far so good. Problem is, a modem doesn't have DHCP or any mechanism that I know of to let the main router know what IP address was assigned, so I don't know how to configure it.

    I thought about setting the inner device to a virtual IP pointing to the PPPoE interface on the middle router but I don't think it would work because of the transparent bridge and all.

    What I definitely do not want is NATting on the middle device, and since it's the opposite of what I want I thought the best place to post this would be here. :)

    Can this be done? Technically it's a single /32* IP address; the difference from another type of always-on connection is that it's terminated at the PPPoE interface on the middle firewall instead of being on the edge device like fiber or cable would be, so I'm convinced it should work.

    I don't really need to solve a problem (I did have it though), I'm just really curious about how it's done and why.

    Thanks !

    *: ...and also a /64 subnet but I'm taking it one step at a time.

  • Netgate Administrator

    Hmm, I'm thinking that probably cannot work. I'm also wondering why you're trying to do it. Does your main router not support PPPoE?


  • Yeah it does, it's also a virtualized pfSense, right in the middle of the VM traffic. The problem was that this server running the router has every port occupied, physical space is at a premium, and the alternative would probably be PPPoEoE, but I could only find snippets of old Cisco documentation, just too much. To top it off, after an embarrassingly long time of not getting it, it finally sank in that PPP is not E.

    So...instead of trying my luck looking for more outdated super-technical Cisco docs on how to properly encapsulate PPP in Ethernet frames, I went for second best: translating the frames before they'd reach the Ethernet media so it would be easy for it to be routed through VLANs without finding the right MTUs and possibly timing--I don't know--so the pure stream would get ready to be NATted, compressed, dropped, blocked, all those awesome things pfSense does.

    Before I could find the solution though, there was an ISP network upgrade and I didn't need that many lines anymore. But I'm still curious about what could've been done in this scenario. It did push me to get creative with the routing situation; since this router has no physical Ethernet ports of its own I set up another virtualized instance on a workstation handling the edge stuff, and on vSphere it all becomes one single crazy fast network. I didn't want the edge router to route between subnets though because it only had a single 10G card, whereas in the core router it doesn't matter because most of the heavy traffic between subnets never leaves the hypervisor. It's very cool to see the dashboards with the traffic and tons of indicators when it's working, thanks to the core pfSense. <3

    Sometimes I feel like taking the CCNA online or whatever that test, certification, voodoo I don't know what is that all these Cisco people are mentioning all the time, just to solve the puzzle.

  • Netgate Administrator

    Mmm, I mean I would just use a VLAN if you have no spare ports and run it straight to the dsl 'modem'. Having the PPP session terminated on the main pfSense device is likely to be far easier than anything else.

    However it probably is possible in some way. You can get dsl 'modem' style devices that can operate in a full bridge or semi bridge mode where the ppp login session is handled on the modem itself. I don't think you could do that in pfSense though.
    As soon as you assign the PPP interface to bridge it with another interface (which I don't think you can do anyway with dissimilar interface types) that interface gets the IP address and you would want the IP on the remote router.


  • I see, I wouldn't have gone through all of this but these are VDSL2 lines and modems are very rare. The ISP's suck in router mode, randomly injecting parental control pages, and in bridge mode it's every man for himself as tech support literally consists of somebody asking you how the little lights are doing and "press the reset button for 30 seconds."

    I did send a line over Ethernet and it did work...for a while. It would start disconnecting and redialing. I then thought maybe other data was being filtered into the VLAN carrying the PPP data link, since in the main switches all ports are trunk ports, but after isolating the ports and VLAN it kept dropping the link.

    I still have lines with VDSL2 in remote locations connected directly over long-distance wireless links, I'm gonna give it another go whenever I get the chance. I tried it before but I was even more ignorant about the whole thing--it did work though, at least before it disconnected. I find it extremely interesting how all these carrier technologies work, like ATM, I read it's old and inefficient but in the case of things like xDSL it's the best; or how do I get IPv6 over a VLAN over a PPP link, and how is it that it's set up in pfSense so as to get DHCP6 and it won't happen until IPv4 is up.

    It's so confusing and complicated, I love it. Too bad there's not much digestible information available outside of RFCs or proprietary docs. :/

    You mentioned another interface. The modem delivers IPv6 over a VLAN, it's configurable when it's in router mode before switching its "smarts" off. In PPP, are there layers or channels, or how are both protocol versions delivered? I mean, IP is on L3, Ethernet and PPP
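The question above (how a single PPP session over a VLAN carries both IPv4 and IPv6, and why the "PPP is not E" encapsulation costs MTU) can be answered by looking at the bytes on the wire. The following is an added example, not code from the original thread or from pfSense: it builds and parses an 802.1Q-tagged PPPoE session frame per RFC 2516, with the PPP protocol numbers from RFC 1661 (LCP), RFC 1332 (IPv4/IPCP) and RFC 5072 (IPv6/IPV6CP). The MAC addresses, VLAN ID, session ID and IP payloads are constructed test data, and the function names are this example's own.

```python
"""
Build and parse VLAN-tagged PPPoE session frames (RFC 2516) to show how one
PPP session carries IPv4 and IPv6 side by side, distinguished only by the
2-byte PPP protocol field, and why the usable MTU drops to 1492.
Added example; all addresses, IDs and payloads below are constructed.
"""
import struct

ETHERTYPE_VLAN = 0x8100         # 802.1Q tag
ETHERTYPE_PPPOE_DISC = 0x8863   # PADI/PADO/PADR/PADS/PADT (discovery stage)
ETHERTYPE_PPPOE_SESS = 0x8864   # session stage: PPP frames follow

PPPOE_VER_TYPE = 0x11           # version 1, type 1 (the only values defined)
PPPOE_CODE_SESSION = 0x00       # code field is 0 for session-stage data

# PPP protocol numbers: the same session multiplexes all of these.
PPP_PROTO = {
    0x0021: "IPv4",
    0x0057: "IPv6",
    0xC021: "LCP",
    0x8021: "IPCP",
    0x8057: "IPV6CP",
}

ETH_MTU = 1500
PPPOE_OVERHEAD = 6 + 2          # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_MTU = ETH_MTU - PPPOE_OVERHEAD   # 1492: why PPPoE links need a smaller MTU


def ppp_proto_for_ip(packet):
    """Pick the PPP protocol number from the IP version nibble of a packet."""
    version = packet[0] >> 4
    if version == 4:
        return 0x0021
    if version == 6:
        return 0x0057
    raise ValueError("not an IPv4 or IPv6 packet")


def build_frame(dst, src, vlan_id, session_id, ppp_proto, payload):
    """Ethernet II + 802.1Q + PPPoE session header + PPP protocol + payload."""
    if len(payload) > PPPOE_MTU:
        raise ValueError("payload exceeds PPPoE MTU of %d" % PPPOE_MTU)
    eth = dst + src + struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_PPPOE_SESS)
    ppp = struct.pack("!H", ppp_proto) + payload
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION,
                        session_id, len(ppp))
    return eth + pppoe + ppp


def parse_frame(frame):
    """Walk the headers back down and return the PPP protocol and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype == ETHERTYPE_PPPOE_DISC:
        raise ValueError("discovery-stage frame, carries no PPP payload")
    if ethertype != ETHERTYPE_PPPOE_SESS:
        raise ValueError("not a PPPoE frame: ethertype 0x%04x" % ethertype)
    ver_type, code, session_id, length = struct.unpack(
        "!BBHH", frame[offset:offset + 6])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("unexpected PPPoE version/type/code")
    ppp = frame[offset + 6:offset + 6 + length]
    proto = struct.unpack("!H", ppp[:2])[0]
    return {
        "vlan": vlan_id,
        "session_id": session_id,
        "ppp_proto": proto,
        "ppp_proto_name": PPP_PROTO.get(proto, "unknown"),
        "payload": ppp[2:],
    }


# Constructed test data: modem and router MACs, VLAN 101, session 0x0042,
# and minimal IPv4 / IPv6 headers (version nibble is all that matters here).
MODEM_MAC = bytes.fromhex("02000000aa01")
ROUTER_MAC = bytes.fromhex("02000000bb02")
IPV4_PKT = bytes([0x45]) + bytes(19)   # IPv4, IHL 5, rest zeroed
IPV6_PKT = bytes([0x60]) + bytes(39)   # IPv6, flow label zeroed


def demo():
    """Send one IPv4 and one IPv6 packet over the same VLAN/session."""
    results = []
    for pkt in (IPV4_PKT, IPV6_PKT):
        frame = build_frame(MODEM_MAC, ROUTER_MAC, 101, 0x0042,
                            ppp_proto_for_ip(pkt), pkt)
        results.append(parse_frame(frame))
    return results


if __name__ == "__main__":
    for r in demo():
        print("VLAN %d session 0x%04x PPP %s (%d bytes)"
              % (r["vlan"], r["session_id"], r["ppp_proto_name"],
                 len(r["payload"])))
```

Both packets travel in identical Ethernet, 802.1Q and PPPoE headers on the same session ID; only the PPP protocol field (0x0021 vs 0x0057) tells the far end which stack to hand the payload to, which is why pfSense can run DHCPv6 over the same PPPoE session after IPv4 has come up. The 8 bytes of PPPoE plus PPP overhead are what shrink a 1500-byte Ethernet MTU to 1492 on the PPP interface.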

  • Netgate Administrator

    Here in the UK that's exactly how I have this set up at home. VLAN over a LAGG group to a switch. The VLAN is untagged at the switch and connected to a VDSL2 "modem". The PPP session runs over the VLAN to the modem, v6 comes up using DHCPv6 over the PPPoE session.

    The "modem" device is in fact a Huawei router in bridge mode, supplied that way and locked by default.

