New PPPoE backend, some feedback

RobbieTT

@louis2

To be clear, those are your individual issues that need to be understood and hopefully resolved. They are not facts as to how if_pppoe behaves generally. You know this, you have been shown examples from various users where the IPv6 gateway is indeed responding correctly.

️

stephenw10

Also I think there may be some language barrier confusion here. Obviously the WAN gateway should be pingable from within the same layer 2 segment, even if the gateway doesn't chose to respond.

In pfSense the 'LAN' interface is taken to be an internal interface on a different layer 2 segment than the PPPoE connection. From a client on that segment it will not be possible to ping a link local address on the PPPoE segement, gateway or otherwise, becaue lik-local traffic is not routable.

RobbieTT

@stephenw10
I'd go further as PPPoE, when used for wholesale connections or subscriber access, is Layer 3. It uses both logical and defined routing instances to partition the traffic. The routing table is there, albeit in a stricter form (specifying PP0 interface etc). As such it becomes an exception to the 'normal' link-local rules.

All from the books of Juniper and Cisco of course, albeit the Juniper version is easier to digest. Personally I think the OSI Model has had its day but what do I know...

@louis2
You have an issue that is not fully understood, is not being seen by others and may be somewhat unique. I think it is best for now to avoid terms such as Layer 2 or 3 as it may not be helpful and can only add confusion.

Response to ping is not mandatory or enforced, no matter what the RFCs originally intended.

️

louis2

@RobbieTT

Be aware that I am not at all saying that a user can directly access the ISP-node, but I am sure that PPOE interface can !!

Whats ever I it helps, I am absolutely OK to activate PPOE debug logging for a short period!

Note that my actual config is like this
ISP => ISP-fiber-interface => one of my small switches => pfSense.

Internet should arrive via VLAN 6, IPTV via VLAN4 and (Old) VoIP via VLAN7.
Untagged routed to vlan1 and vlans (internet) are routed to pfSense.

I did add vlan1 to be quite sure that even untagged messages are passing to pfSense. Normally I would simply have blocked untagged. However the PPPOE is assigned to VLAN6.

Phil2025

@stephenw10

I've updated to the BETA 2.8.1, and the issue with the IPv6 Gateway monitoring is not fixed for me. I still need to restart the gateway service in order for monitoring to start on the IPv6 gateway.

If I can provide any more information or logs let me know.

stephenw10

Does the interface get an IPv6 address or is it link-local with PD only?

Phil2025

@stephenw10 I get a 'WAN_DHCP6' Gateway listed with a link local address (something like fe80::a96:adff:febb:f800%pppoe1), and Status is Unknown on the dashboard. I have IPv6 connectivity all okay though. Restarting the Gateway service brings the monitoring up and it goes to Online.

The DHCP6 client settings for the WAN is below. Hope that helps.

RobbieTT

@Phil2025
Mine, for reference:

️

stephenw10

Hmm, I would expect that to work. It's pretty much exactly what I run myself.

What do you see logged at boot compared with when you restart dpinger?

azalea

I'm seeing the IPv6 gateway monitoring issue, too. (2.8.1-RC)

But my situation is a little different. IPv6 address is set but is not reachable.

My ISP uses separate PPPoE sessions for IPv4 and IPv6.
(IPv4 username and IPv6 username are different.)

DHCP6 Client Configuration is the same as Phil2025.

Below is an IPv6-only situation. These are picked out from the perspective of the differences between if_pppoe and mpd5.

Gateways Status

[if_pppoe]
<WAN_DHCP6>
Gateway	:not displayed
Status	:Pending
<WAN_PPPOE>
Gateway	:not displayed
Status	:Pending

[mpd5]
<WAN_DHCP6(default)>
Gateway	:displayed
Status	:Online
<WAN_PPPOE>
Gateway	:not displayed
Status	:Pending

Gateways Widget

[if_pppoe]
<WAN_DHCP6>
Gateway IP Address:not displayed (tilde symbol)
Status:Unknown
<WAN_PPPOE>
Gateway IP Address:not displayed (tilde symbol)
Status:Unknown

[mpd5]
<WAN_DHCP6(Default gateway)>
Gateway IP Address:displayed
Status:Online
<WAN_PPPOE>
Gateway IP Address:not displayed (tilde symbol)
Status:Unknown

Services Status

[if_pppoe]
dpinger:Stopped (can not start)

[mpd5]
dpinger:Running

Interfaces Status

[if_pppoe]
<WAN Interface>
IPv6 Link Local	:displayed
Gateway IPv6	:not exist
<LAN Interface>
IPv6 Address	:displayed (no reachability)

[mpd5]
<WAN Interface>
IPv6 Link Local	:displayed
Gateway IPv6	:displayed
<LAN Interface>
IPv6 Address	:displayed

NDP Table
(The following is the same situation for IPv4-only.)

[if_pppoe]
WAN Interface IPv6 Link Local:not exist

[mpd5]
WAN Interface IPv6 Link Local:displayed

PPP Log

[if_pppoe]
if_pppoe: pppoe0: failed to clear IP address: 49

[mpd5]
No errors

stephenw10

@azalea said in New PPPoE backend, some feedback:

My ISP uses separate PPPoE sessions for IPv4 and IPv6.

Hmm, how exactly is that configured?

azalea

I used an IPv6-only configuration in my first report. This configuration used pppoe0 and the WAN interface for IPv6.

Below is the configuration for IPv4 and IPv6. This configuration uses pppoe0 and the WAN interface for IPv4, and pppoe1 and the OPT1 interface for IPv6.

PPP Configuration

[pppoe0]
Link Type:PPPoE
Link Interface(s):WAN port device (for example, em0)
Username:username for IPv4
Password:password for IPv4

[pppoe1]
Link Type:PPPoE
Link Interface(s):WAN port device (for example, em0)
Username:username for IPv6
Password:password for IPv6

Interface Assignments Configuration

WAN Interface:PPPOE0(em0)
LAN Interface:LAN port device (for example, em1)
OPT1 Interface:PPPOE1(em0)

WAN Interface Configuration

[General Configuration]
IPv4 Configuration Type:PPPoE
IPv6 Configuration Type:None
Others:blank

[PPPoE Configuration]
Username:username for IPv4
Password:password for IPv4
Others:blank or disabled

[Reserved Networks]
Block private networks and loopback addresses:checked
Block bogon networks:checked

LAN Interface Configuration

[General Configuration]
IPv4 Configuration Type:Static IPv4
IPv6 Configuration Type:Track Interface
Others:blank or default

[Static IPv4 Configuration]
IPv4 Address:192.168.0.254/24
IPv4 Upstream gateway:Npne

[Track IPv6 Interface]
IPv6 Interface:OPT1
IPv6 Prefix ID:0

[Reserved Networks]
Block private networks and loopback addresses:unchecked
Block bogon networks:unchecked

OPT1 Interface Configuration

[General Configuration]
IPv4 Configuration Type:PPPoE
IPv6 Configuration Type:DHCP6
Others:blank

[DHCP6 Client Configuration]
Use IPv4 connectivity as parent interface:checked
Request only an IPv6 prefix:checked
DHCPv6 Prefix Delegation size:56
Others:unchecked

[PPPoE Configuration]
Username:username for IPv6
Password:password for IPv6
Others:blank or disabled

[Reserved Networks]
Block private networks and loopback addresses:checked
Block bogon networks:checked

Gateways Configuration

[Default gateway]
Default gateway IPv4:Automatic
Default gateway IPv6:Automatic

Although it is not related to the issue, there is a mismatch in wording.
In the Gateways Status, the status of WAN_PPPOE is displayed as "Pending".
In the Gateways Widget, the status of WAN_PPPOE is displayed as "Unknown".
I think it would be better to align the expression to "Pending".

stephenw10

Hmm that's an interesting setup. I don't think I've ever seen that before. I assume it was working previously with mpd5/negraph?

Can you say which ISP that is?

azalea

I assume it was working previously with mpd5/negraph?

Yes, it is working with mpd5/negraph. And it is working with if_pppoe for IPv4, but not for IPv6.

Can you say which ISP that is?

ISP is "plala" in Japan. To be precise, it is a combination of a network enabler (NTT FLET'S) and an ISP (plala).

The separation of IPv4 and IPv6 is a specification of "NTT FLET'S". The purpose of this specification is to allow users to choose between IPv4 and IPv6 ISPs separately. I choose plala for both IPv4 and IPv6.

stephenw10

Hmm, so I assume the IPv6 only pppoe connection does not have Use IPv4 connectivity as parent interface set?

Do you see anything logged from the dhcp6c client?

I suspect it never gets triggered if there is no IPv4 address ever set.

azalea

I suspect it never gets triggered if there is no IPv4 address ever set.

PPP is a protocol that can support IPv4-only, IPv6-only, IPv4 and IPv6.

Hmm, so I assume the IPv6 only pppoe connection does not have Use IPv4 connectivity as parent interface set?

"Use IPv4 connectivity as parent interface" is required. However, for "IPv6 only pppoe connection", "Use IPv4 connectivity as parent interface" means "Use IPv6 connectivity as parent interface". Therefore, in the PPP configuration for "IPv4 connectivity", set the IPv6 username and IPv6 password.

This PPP configuration is used to construct PPPoE tunnels for IPv6 and not to set IPv4 address. ("Use IPv4 connectivity" reminds you of IPv4 address settings, but that's not the case.)

In fact, IPv6CP is accepted and IPCP is rejected in PPPoE negotiation, so IPv6 Link Local is set, PPPoE is connected, but IPv4 address is not set.

Below is the PPP log where IPCP was rejected.

PPP log

mpd5:
ppp 	23292 	[wan] IPCP: protocol was rejected by peer

if_pppoe:
if_pppoe: pppoe0: lcp input(opened): <proto-rej id=0x1 len=28
if_pppoe: pppoe0: lcp: RXJ+ (proto-rej) for proto 0x8021 (ipcp/req-sent)

For reference, there is information related to "Use IPv4 connectivity as parent interface".

OPNsense (25.1 and later) has revised the architecture, and "IPv6 only pppoe connection" no longer requires "Use IPv4 connectivity as parent interface". "IPv6 only pppoe connection" is directly linked to a PPPoE connection.
-> Restructure PPP to allow complex IPv6-only deployments with all implications

Do you see anything logged from the dhcp6c client?

Below is the log when using if_pppoe. There is no difference from mpd5.

DHCP log

Sep 4 04:16:24 	dhcp6c 	36830 	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Sep 4 04:16:24 	dhcp6c 	36830 	failed initialize control message authentication
Sep 4 04:16:24 	dhcp6c 	36830 	skip opening control port
Sep 4 04:16:25 	dhcp6c 	36979 	Sending Solicit
Sep 4 04:16:26 	dhcp6c 	36979 	Sending Request
Sep 4 04:16:26 	dhcp6c 	36979 	dhcp6c Received REQUEST
Sep 4 04:16:26 	dhcp6c 	36979 	add an address [IPv6 Address]/64 on em1

I'll check the PPP log in debug mode, so please take a little time.

w0w

@azalea
This doesn’t look like a problem with PPPoE or DHCPv6 itself.
It seems more like dpinger isn’t starting for some known reason. Your log shows that you successfully obtained an IPv6 address, so I assume that if you go to System → Routing, edit your IPv6 PPPoE gateway, and disable gateway monitoring, your IPv6 should work again. This looks similar to the issue described here: https://forum.netgate.com/topic/198627/struggling-to-get-if_pppoe-kernel-module-working