Netgate Discussion Forum

    PPoE down - LCP: authorization failed

      peter_b

      Hello all,
      I've recently set up pfSense 2.4.5 on my ESXi and have huge issues with PPPoE. As the original setup, I've been using an Orbi rkb50, where all works without an issue and PPPoE was used for authentication. I wanted to add this extra element (firewall) into my network and connected the WAN link to one of my NICs on the ESXi.
      As you can see, the line is up, but for some reason it can't complete the authentication. I'm 100% sure that the name/password is correct as I use/used the same for the Orbi setup.
      Any idea please, what can be the issue? Thank you very much.

      Apr 17 23:36:21 pfSense ppp: [wan_link0] Link: reconnection attempt 110 in 1 seconds
      Apr 17 23:36:22 pfSense ppp: [wan_link0] Link: reconnection attempt 110
      Apr 17 23:36:22 pfSense ppp: [wan_link0] PPPoE: Connecting to ''
      Apr 17 23:36:22 pfSense ppp: PPPoE: rec'd ACNAME "*******GW"
      Apr 17 23:36:22 pfSense ppp: [wan_link0] PPPoE: connection successful
      Apr 17 23:36:22 pfSense ppp: [wan_link0] Link: UP event
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: Up event
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Starting --> Req-Sent
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendConfigReq #185
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   PROTOCOMP
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1492
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0x537bc9db
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Configure Request #1 (Req-Sent)
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   AUTHPROTO CHAP MSOFTv2
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1480
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0xd8a2c457
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MP MRRU 1600
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendConfigRej #1
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MP MRRU 1600
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Configure Reject #185 (Req-Sent)
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   PROTOCOMP
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendConfigReq #186
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1492
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0x537bc9db
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Configure Request #2 (Req-Sent)
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   AUTHPROTO CHAP MSOFTv2
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1480
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0xd8a2c457
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendConfigAck #2
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   AUTHPROTO CHAP MSOFTv2
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1480
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0xd8a2c457
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Configure Ack #186 (Ack-Sent)
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MRU 1492
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MAGICNUM 0x537bc9db
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: auth: peer wants CHAP, I want nothing
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: LayerUp
      Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: rec'd CHALLENGE #1 len: 29
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   Name: "*******GW"
      Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: Using authname "***USERNAME***"
      Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: sending RESPONSE #1 len: 66
      Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: rec'd FAILURE #1 len: 79
      Apr 17 23:36:22 pfSense ppp: [wan_link0]   MESG: E=691 R=0 C=C38A80CCEB5665367AB755A1CB05BE37 V=3 M=bad username or password
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: authorization failed
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: parameter negotiation failed
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Opened --> Stopping
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendTerminateReq #187
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: LayerDown
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Terminate Request #3 (Stopping)
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: SendTerminateAck #188
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: rec'd Terminate Ack #187 (Stopping)
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Stopping --> Stopped
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: LayerFinish
      Apr 17 23:36:22 pfSense ppp: [wan_link0] PPPoE: connection closed
      Apr 17 23:36:22 pfSense ppp: [wan_link0] Link: DOWN event
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: Down event
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: state change Stopped --> Starting
      Apr 17 23:36:22 pfSense ppp: [wan_link0] LCP: LayerStart
      
        stephenw10 Netgate Administrator

        Hmm, that's sure what it looks like.

        Has PPPoE worked with anything else besides the Orbi? pfSense on bare metal?

        Does it ever connect? If you reboot does it connect one time and then fail for example?
        We have seen some interesting failures of that sort in the past but I'm not aware of anything in 2.4.5.

        Steve

          peter_b @stephenw10

          @stephenw10 - I've also sent an email to my ISP asking if there is something more specific that I have to set besides the name/password for PPPoE that I was provided. Unfortunately this is just a local ISP - quite small.

          Has PPPoE worked with anything else besides the Orbi? pfSense on bare metal?
          Yes, I had PPPoE working on a previous router before I bought the Orbi. To be honest, I faced issues with a router that had only a 100mb uplink port. The Orbi has a 1gb uplink, so this is working fine. That could be related to the fiber to copper converter that has a 1gb SFP. I don't suppose that this is the issue here, as the bare metal NIC has a 1gb port and also shows it as 1gb speed full duplex negotiated. Also the Cisco Discovery Protocol shows the "other side" (provider) showing Device ID, port, IP etc. So the connectivity is there.

          Does it ever connect? If you reboot does it connect one time and then fail for example?
          No, unfortunately it doesn't connect at all. Even though from the log it looks very promising before the authentication.

          To me, it rather looks like it can't authenticate correctly towards the ISP PPPoE. I'm not really familiar with PPPoE, but looking at the log I can see that the authentication is failing at the CHAP element. Not sure what that means. Is there any more detailed config inside of pfSense that I can try? Any idea pls?

            stephenw10 Netgate Administrator

            @peter_b said in PPoE down - LCP: authorization failed:

            [wan_link0] PPPoE: Connecting to ''

            It looks like you have no service name configured? Most ISPs do not require it. There's also an option to send a NULL service name in the PPP advanced settings.
            That's about the only GUI setting that might make any difference there.

            It is possible to create a custom conf file for ppp connections that allows more things to be set. You would need to know what though.

            You might need to put the Orbi back in and try to pcap what it's sending on a switch mirror port. Or get logs from it if you can.

            Or maybe try connecting from a laptop directly. That should give you some connection logs.

            Steve

              peter_b

              Hi @stephenw10, I've managed to create a pcap, which is attached. Honestly, I'm not much more clever from it ...

              wan_pcap.pcap

              Yes, the Service name is marked as NULL. I've tried both options - on and off. Neither worked.

              I suppose that the configuration of Radius (or whatever the ISP uses) is somehow wrong, based on the error message below. Maybe if I could use a different authentication method instead of CHAP. Is there any way I can force PAP authentication please? Via some custom config file?

              Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: rec'd FAILURE #1 len: 79
              Apr 17 23:36:22 pfSense ppp: [wan_link0]   MESG: E=691 R=0 C=C38A80CCEB5665367AB755A1CB05BE37 V=3 M=bad username or password
              
                peter_b

                Yesterday, I tried to connect using different devices, W10 and W7, and both are having the same issues. Exactly the same message from Wireshark.
                I'm unable to get any reasonable communication from the Orbi, even though I've been running Wireshark, storing pcaps (as above), and mirroring the WAN port, but in any of those "sniffing's" I was able to find ppp protocol. That is really strange and I don't get it. I've been rebooting the Orbi, changing the password and name, failing and starting the communication, but I wasn't able to find where the communication is being initiated and authenticated.
                I remember, some time ago, I was able to initiate the connection using pure W7 and login/password. Now it doesn't work.
                So secondarily, I was thinking that there is a MAC filter, but I did change the MAC on the devices to use the same as the Orbi.
                I'm clueless and can only patiently wait till the ISP replies .... if ever.
                Thanks for your help @stephenw10

                  peter_b

                  Just finished a call with the ISP. They have a MAC filter 🙄 I remember cloning the MAC from the router, but I must have made a typo, so I will try again later today. 🤞

                    stephenw10 Netgate Administrator

                    Ah, yes that would do it. Unusual on the PPPoE connection though. I guess the bad username or password response is just confusing, it may be a generic failure message. 🤞

                    Steve

                      peter_b

                      I can confirm that by cloning the MAC address everything is working !!!! Thanks for the support @stephenw10, it's much appreciated. Let the fun begin now !

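The remark above that "bad username or password" may be a generic failure message can be checked against the failure string in the log. The following is an added example, not part of any post in this thread: it decodes the MS-CHAPv2 failure fields (layout and error names as defined in RFC 2759) from log lines in the format of the first post. The function names are hypothetical and the sample lines are constructed, with a placeholder challenge value.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Failure layout: "E=<code> R=<0|1> C=<32 hex digits> V=<version> M=<text>"
FAILURE_RE = re.compile(
    r"E=(?P<E>\d+) R=(?P<R>[01])(?: C=(?P<C>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<V>\d+))?(?: M=(?P<M>.*))?$"
)
MESG_RE = re.compile(r"\[(?P<link>[^\]]+)\]\s+MESG: (?P<mesg>.*)$")

def parse_mschapv2_failure(mesg):
    """Decode one MS-CHAPv2 failure string; return None if it does not match."""
    m = FAILURE_RE.search(mesg.strip())
    if not m:
        return None
    code = int(m["E"])
    return {
        "code": code,
        "name": MSCHAPV2_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m["R"] == "1",
        "new_challenge": m["C"],
        "version": int(m["V"]) if m["V"] else None,
        "text": m["M"],
    }

def failures_in_log(lines):
    """Return (link, decoded failure) for every MESG line that parses."""
    hits = (MESG_RE.search(line) for line in lines)
    decoded = ((m["link"], parse_mschapv2_failure(m["mesg"])) for m in hits if m)
    return [(link, f) for link, f in decoded if f]

# Constructed sample in the format of the first post's log (placeholder challenge).
SAMPLE = [
    "Apr 17 23:36:22 pfSense ppp: [wan_link0] CHAP: rec'd FAILURE #1 len: 79",
    "Apr 17 23:36:22 pfSense ppp: [wan_link0]   MESG: E=691 R=0 C=" + "0" * 32 + " V=3 M=bad username or password",
]

if __name__ == "__main__":
    print(failures_in_log(SAMPLE))
```

E=691 is the general authentication failure code and R=0 means no retry is allowed; as this thread shows, the text after M= does not identify why the ISP's backend rejected the session.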