PPPoE client problem behind Draytek modem/router in PPPoE pass-through mode
Originally, this post was going to be a request for assistance, but I seem to have diagnosed the problem well enough already, so this is more to inform other pfSense PPPoE client users, especially those with Draytek ADSL modem/routers, of a potential problem.
Through trial and error I discovered that there is an incompatibility between pfSense's PPPoE client (and, it seems, any other external PPPoE client) and my Draytek 2600Plus modem/router when in PPPoE pass-through mode. I do not know whether newer Draytek modem/routers experience the same issue with their PPPoE pass-through mode, although I have read that some people seem to have it working OK in other models. (Newer Draytek modem/routers also offer an alternative mode called "True IP DMZ", which apparently acts like a half-bridge modem for one device while preserving NAT/PAT for other devices).
Before deploying pfSense 1.2.2 (embedded) in an ALIX platform, I used the Draytek as modem, router and firewall. This setup performed very well, with PPPoE sessions typically lasting several weeks without a single dropout (and just to make it clear, I was completely satisfied with both performance and reliability of the Draytek in its normal modem/router mode). With pfSense's PPPoE client in use (and the Draytek in PPPoE pass-through mode) pfSense experiences PPPoE dropouts and some delay in re-connecting. PPPoE dropouts occur at hourly intervals after Draytek startup or configuration change, but occasionally the PPPoE session lasts 2 or 3 hours. Dropout events are surprisingly regular - almost to the second. Each pfSense PPPoE dropout begins with missed ping responses in sequence: typically 1, 2, 3 then 4 missed ping responses, repeated 5 times over a 5 minute period, which then causes PPPoE connection closure and re-open events. Once the pinging sequence is complete and the PPPoE connection closed, the re-connection process is a bit slow and can take as long as 15 minutes, though is typically less than 5 minutes.
Note that my pfSense settings are for continuous PPPoE sessions with no periodic reset, and my ISP only permits one PPPoE session and allocates only one public IP address. To make the Draytek internal PPPoE client inactive and use PPPoE pass-through mode, Draytek's advice is: set PPPoE client to "enabled", with username and password blank, "Always On" unchecked and "PPPoE pass-through" enabled - these settings effectively disable the built-in client.
To further investigate, I competely disabled (by setting to "disabled") the Draytek PPPoE client after pfSense had successfully connected. The pfSense PPPoE login then remained up solidly for 48+ hours. But, when I eventually power-cycled the ALIX (pfSense) box, further PPPoE login was impossible - for pfSense PPPoE login to be successful, the Draytek's settings must be as described above (exactly what Draytek advise). Re-enabling the Draytek PPPoE client allowed pfSense to complete PPPoE login, but hourly dropouts returned. I repeated this process: after observing about a dozen hourly dropouts, I waited until after the next successful PPPoE login by pfSense then completely disabled the Draytek PPPoE client. pfSense again remained logged in for 48+ hours with no problems.
I checked the same setup using a Windows XP PPPoE client in lieu of pfSense (with all other settings the same). The Windows PPPoE client experienced the same hourly dropouts with the same pattern, although reconnecting with Windows PPPoE was a bit faster than with pfSense (usually 1 - 3 minutes). The Windows PPPoE client gave the following errors when trying to reconnect, before succeeding:
a. Error 772: The remote computer network hardware is incompatible with the type of call requested; and,
b. Error 678: The remote computer did not respond.
The following points are also relevant:
(1) ADSL connection/line quality is not an issue. With pfSense's PPPoE client in use, over several hours, I observed at least six pfSense PPPoE dropouts during which ADSL line statistics (seen via the Online Status page of the modem web interface) remained excellent with no loss of sync. ADSL statistics were updated at 5 second intervals while PPPoE dropout events lasted up to 15 minutes. My ADSL parameters include 17db SNR margin and 23dB line attenuation - very good.
(2) My ISP login history page shows PPPoE sessions corresponding exactly with pfSense PPPoE or Windows PPPoE logins (and no others).
(3) I had previously had the Draytek SNTP client enabled, so, in a separate test, I disabled that. As expected, it made no difference to the hourly dropouts.
So, there seems to be incompatibility between any external PPPoE client (including pfSense) and the Draytek Vigor 2600Plus when using PPPoE pass-through mode, even when the Draytek client is inactive (set according to Draytek's advice). It looks pretty clear that it is the Draytek modem/router that is at fault - somehow, it interferes with the pfSense PPPoE session at multiples of one hour after start-up or configuration change. The problem can be reliably avoided by completely disabling (set to "disable") the Draytek internal PPPoE client after a successful pfSense PPPoE login, but this will prevent the pfSense PPPoE client from automatically re-connecting in the event of, say, loss of ADSL line sync.
Can anyone confirm that they have pfSense's PPPoE client working reliably through a newer Draytek modem in PPPoE pass-through mode, and, if so, what Draytek model is that?
Oh, and BTW, other than the above issue, I'm loving pfSense! :)
I bought a new ADSL2+ modem (a Netcomm NB6 modem/router, configured in full-bridge mode, i.e. used as a modem only), and substituted it for the Draytek Vigor 2600Plus.
What a contrast! The complete pfSense PPPoE connection and login sequence was successfully completed in under 6 seconds - everything first time. The "power on" to "internet available" time was less than 45 seconds. Now that's more like it. :)
I think that proves beyond reasonable doubt that there's nothing wrong with the pfSense PPPoE client and that my problems were 100% related to interference from the Draytek's PPPoE pass-through mode.