How do I discover ISP's PPPoE credentials and connection settings?

scilek

I'm having a problem with a certain ISP.

I'm trying to replace the ISP modem with a pfSense box. If it were another ISP, things would be very simple; I'd configure the VLAN and MACs and then provide the PPPoE credentials and I'd be done. (I once personally went to the biggest ISP's local HQ and talked to the engineer in charge, who told me they didn't like the said setup but they didn't mind as long as it worked for the customer.)

But this particular ISP maintains that they are not obliged to give the customer any details concerning the service they provide and that he is obliged to use the modem/router he is provided. It is not possible to configure their device and they won't give him his PPPoE credentials. They even refuse to put the modem/router in bridge mode! They say we can, of course, put our own router behind theirs and be done with it, and you know why I don't want to do that.

This is how they provide their service:

Though I've heard at some sites, it's like this:

So my thinking is:
When the modem/router is reset, it loses all information stored on it. But when it is back online, it connects to the ISP in a matter of seconds. Since the ISP cannot embed the connection information into each and every device before they ship, it has to be obtaining its configuration data from the ISP, and all the information necessary must be contained in ethernet frames.

My question is:
How can I pull out this information using pfSense? (i.e. MAC addresses and PPPoE credentials)

Gblenn

@scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

So my thinking is:
When the modem/router is reset, it loses all information stored on it. But when it is back online, it connects to the ISP in a matter of seconds. Since the ISP cannot embed the connection information into each and every device before they ship it, it has to be obtaining its configuration data from the ISP, and all the information necessary must be contained in ethernet frames.

I don't think that is how it works...

PPPoE includes username and password which can not be automatically read from the connection, in plain text. That would defeat the purpose.

1. each device is actually set up with credentials. Either batch loading before delivery, but more likely it's done via remote management (automatically). Meaning the device is set up to call into a server, and identifies itself as the device in question (MAC, Serial etc?) and then receives the credentials.
2. it is not necessarily lost at reboot, it is stored in non volatile memory.

I'm not sure but it might be possible to set up your own device to behave like the modem and get the settings automatically. Assuming you can figure out how the ISP has set things up, since it needs to be identified and accepted as a if it is the ISP modem basically.

scilek

@Gblenn said in How do I discover ISP's PPPoE credentials and connection settings?:

it is not necessarily lost at reboot, it is stored in non volatile memory.

I was referring to hard reset, not a reboot.

@Gblenn said in How do I discover ISP's PPPoE credentials and connection settings?:

I'm not sure but it might be possible to set up your own device to behave like the modem and get the settings automatically.

The ISP device must be initiate a conversation with their system, right?

Gblenn

@scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

The ISP device must be initiate a conversation with their system, right?

Yes, it needs to know the destination, and the "credentials" in order to identifiy itself to the ISP server. It is most likely secured in a way that you can not simply copy the process. Even if MAC and Serial can be cloned, there may be a certificate embedded in their devices.

scilek

@Gblenn
Some guy managed to retrieve the PPPoE credentials using an off-the-shelf router. (I do not want to mention from what vendor.) As it happens, there is no VLAN. I was able to connect without even cloning the MAC. I guess they put too much trust in their setup.

We should be able to do the same on pfSense too.

stephenw10

I assume you have no access to the ISP device config interface? What device is that exactly?

You can put a switch that supports port mirroring upstream of it and capture the PPPoE connection. The ISP doesn't have to use encryption for the credentials, but they probably do.

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

scilek

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

I assume you have no access to the ISP device config interface? What device is that exactly?

The site is in another city, but I guess it's a ZTE. It allows access on the LAN, but you cannot configure WAN, or view configuration.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

This one does use credentials. But they probably know who you are by the line.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

That was my thinking exactly. I'll try that the next time. I cannot call and ask them to undo what they've just done.

scilek

I think I've solved the riddle.

I have had this issue in my mind for a long time and the revelation came when I watched a short Youtube tutorial in which the presenter connects the ISP router's WAN to a certain router's 4th port and retrieves the credentials.

That got me thinking... Why the 4th port? Well, because it runs the PPPoE server on that port when it is asked to retrieve the credentials! The credentials are already stored in the ISP router! They had been uploaded to the router when the ISP employee sent its MAC address to the HQ. The HQ, using the router's management interface (which I think was on VLAN 100 or something), ran some sort of code and uploaded the credentials to it. Hence, whenever the device loses its WAN connectivity, the PPPoE client tries to reconnect with the ISP PPPoE server.

So the pfSense solution is fairly simple:
Run a bogus PPPoE server on one of the enabled ports, connect the ISP router's WAN to the said port and watch the PPPoE server log. Everything should be there.

I have not had the pleasure of trying it myself but I'm sure it will work. Could someone try that and confirm?

stephenw10

You might need to set a server ID of some sort for the client to accept it. I don't think pfSense exposed that as configurable for it's server config.

scilek

@stephenw10 Yes, you were right; it is not in the PPPoE Server log. It is in the packet sent by the PPPoE Client:

I had to configure FreeRADIUS and then listen using tcpdump.

Edit: I have not tried but maybe you don't even need FreeRADIUS. My guess is that the client has to send the password in clear text because there is no other way the server can authenticate.

stephenw10

Yup for PAP it's in clear text. If it was CHAP you wouldn't see it there.

scilek

@stephenw10 Yes, the FreeRADIUS messages did not show it in clear text. But on the other hand, it was the PPPoE server that sent it to FreeRADIUS, not the client.

Edit: You don't need FreeRADIUS, but you do need the PPPoE server.

eagle61

@scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

modem/router he is provided

Well you never mentioned what modem/router your ISP is providing. But for some of them are hacks available to read the in it stored credentials in clear text.

One example for this Router are the in Germany most popular Fritz!Box, no matter Fiber, DSL or Cable. Those allow to create backupfiles (in case a factory reset is needed) of its configs and export that to you local devices. All credentials in this export-file are encrypted. But with a small php-tool its possible to decrypt it and have it in a clear text file.

scilek

@eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

Well you never mentioned what modem/router your ISP is providing. But for some of them are hacks available to read the in it stored credentials in clear text.

That does not really matter, does it? All routers are basically the same, maybe with the exception of Cisco, perhaps. They all run some variant of Linux or BSD and the same basic networking tools and utilities.

@eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

One example for this Router are the in Germany most popular Fritz!Box, no matter Fiber, DSL or Cable. Those allow to create backupfiles (in case a factory reset is needed) of its configs and export that to you local devices. All credentials in this export-file are encrypted. But with a small php-tool its possible to decrypt it and have it in a clear text file.

Good for them! Long live Germany and their liberal and user-friendly ISPs!