PPPoE Differences between 1.2.3 and 2.0



  • First I want to start by saying I'm no PPPoE expert or authentication expert, but I have noticed something that might be a step backwards for pfSense 2.0 from 1.2.3.

    I have one customer using PPPoE right now, kind of a test run. They are the only reason I still have a 1.2.3 pfSense router running, because when I set up my new 2.0 router and shut down the old router, they won't connect to the new 2.0 PPPoE server with the same username/password and their existing configuration.

    For me to get them to connect, I have to change the authentication from PAP to CHAP in the mpd.conf. I started reading, and from what little I read PAP is not as secure as CHAP; again, you can't believe everything you read on the internet, so that's why I'm starting this thread. Is the new default PAP, and is it better than CHAP? Also, I see that this is a setting in /etc/inc/vpn.inc that is stored in the variable "$pppoecfg['paporchap']", but I don't see a way to set this through the web interface.

    I'm kind of wondering, since I don't see a lot of activity in the PPPoE server forum, whether this might be a bug and it should default to CHAP like 1.2.3 does?
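
An added worked example of the difference the post above is asking about; it is not code from the original post, from pfSense or from mpd. A PAP Authenticate-Request (RFC 1334) carries the password in the clear, while a CHAP-MD5 Response (RFC 1994) carries MD5(Identifier || secret || Challenge), so a sniffer on the PPPoE segment gets the PAP password directly but can only attack a CHAP exchange offline. The peer name "CSR" is taken from the logs in this thread; the secret, challenge, identifier and wordlist are constructed for the example.

```python
"""PAP vs CHAP-MD5 on the wire, built from the RFCs.

Added example, not pfSense or mpd code. The peer name "CSR" comes from the
logs in this thread; the secret, challenge and identifier are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

PAP_AUTHENTICATE_REQUEST = 1   # RFC 1334, section 2.2.1
CHAP_RESPONSE = 2              # RFC 1994, section 4.2


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, Peer-ID, Password.
    Everything, including the password, is sent in the clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def pap_sniff_password(packet: bytes) -> bytes:
    """What a passive observer of the PAP request recovers: the password itself."""
    code, _ident, _length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST:
        raise ValueError("not a PAP Authenticate-Request")
    pid_len = packet[4]
    pw_len = packet[5 + pid_len]
    return packet[6 + pid_len:6 + pid_len + pw_len]


def chap_md5_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2.2: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response: Code, Identifier, Length, Value-Size, Value, Name.
    The secret never leaves the client; only the hash does."""
    value = chap_md5_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(packet: bytes, challenge: bytes, secrets: dict) -> bool:
    """Server side (what mpd's "Response is valid" line reports): recompute the
    hash from the stored secret and the challenge it sent, compare in constant
    time. The server therefore has to hold the shared secret in usable form."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        return False
    vsize = packet[4]
    value, name = packet[5:5 + vsize], packet[5 + vsize:]
    secret = secrets.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(value, chap_md5_value(ident, secret, challenge))


def chap_offline_guess(packet: bytes, challenge: bytes, wordlist) -> Optional[bytes]:
    """What the same observer can do with a captured CHAP exchange: guess the
    secret offline. CHAP keeps the secret off the wire; it does not protect a
    weak one."""
    _code, ident, _length = struct.unpack("!BBH", packet[:4])
    vsize = packet[4]
    value = packet[5:5 + vsize]
    for guess in wordlist:
        if chap_md5_value(ident, guess, challenge) == value:
            return guess
    return None


def demo() -> dict:
    """Run both protocols for the peer "CSR" with a constructed secret."""
    name, secret = b"CSR", b"s3cret-pw"               # constructed credentials
    ident = 7                                         # per-attempt identifier
    challenge = os.urandom(16)                        # fresh random challenge
    stale_challenge = os.urandom(16)                  # another session's challenge

    pap = pap_authenticate_request(ident, name, secret)
    chap = chap_response(ident, secret, challenge, name)
    tampered = chap[:5] + bytes([chap[5] ^ 0x01]) + chap[6:]  # flip one bit of Value

    return {
        "pap_sniffed": pap_sniff_password(pap),
        "chap_valid": chap_verify(chap, challenge, {name: secret}),
        "chap_tampered": chap_verify(tampered, challenge, {name: secret}),
        "chap_replayed": chap_verify(chap, stale_challenge, {name: secret}),
        "chap_guessed": chap_offline_guess(chap, challenge, [b"password", b"csr", secret]),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Two practical points come out of running it. The fresh random Challenge and the Identifier are what make a captured Response useless against a later session (the replayed case fails), so a server that reuses challenges loses most of CHAP's benefit. And CHAP-MD5 only hides the secret; a weak one is still recoverable offline from a single captured exchange, and the server has to store the secret in a form it can feed to MD5 rather than as a salted hash.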



  • So I have a pfSense 1.2.3 router with a PPPoE server; it assigns a static IP to the client from my WAN interface. Works great. Here is the log.

    
    Oct 26 20:42:22	mpd: Incoming PPPoE connection request via em2: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:42:22	mpd: PROTOCOMP
    Oct 26 20:42:22	mpd: MRU 1492
    Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22	mpd: MAGICNUM 501be513
    Oct 26 20:42:22	mpd: MAGICNUM 501be513
    Oct 26 20:42:22	mpd: PROTOCOMP
    Oct 26 20:42:22	mpd: MRU 1492
    Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22	mpd: MRU 1492
    Oct 26 20:42:22	mpd: MAGICNUM ec44aeac
    Oct 26 20:42:22	mpd: AUTHPROTO CHAP MD5
    Oct 26 20:42:22	mpd: Name: "CSR"
    Oct 26 20:42:22	mpd: Peer name: "CSR"
    Oct 26 20:42:22	mpd: Response is valid
    Oct 26 20:42:22	mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24	mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24	mpd: IPADDR 192.168.101.2
    Oct 26 20:42:24	mpd: 192.168.101.2 -> 173.160.XXX.XXX
    
    

    I can ping the client after connection and connect to the Remote Desktop Server. I'm using VMware ESXi, and when I pause the 1.2.3 router and enable the PPPoE server on my new 2.0 router with the same PPPoE Server config, everything looks good (after disabling compression and changing the auth to CHAP), but it seems that I cannot ping or connect to the Remote Desktop Server like I can with the 1.2.3 router. One last note: I can ping the PPPoE client's public IP, when it connects to the PPPoE Server, from the web interface.

    
    Oct 26 20:33:48	poes: Incoming PPPoE connection request via em4: for service "*" from 00:0a:cd:14:d9:8e
    Oct 26 20:33:48	poes: [poes10] Accepting PPPoE connection
    Oct 26 20:33:48	poes: [poes10] opening link "poes10"...
    Oct 26 20:33:48	poes: [poes10] link: OPEN event
    Oct 26 20:33:48	poes: [poes10] LCP: Open event
    Oct 26 20:33:48	poes: [poes10] LCP: state change Initial --> Starting
    Oct 26 20:33:48	poes: [poes10] LCP: LayerStart
    Oct 26 20:33:48	poes: [poes10] PPPoE: connection successful
    Oct 26 20:33:48	poes: [poes10] link: UP event
    Oct 26 20:33:48	poes: [poes10] link: origination is remote
    Oct 26 20:33:48	poes: [poes10] LCP: Up event
    Oct 26 20:33:48	poes: [poes10] LCP: state change Starting --> Req-Sent
    Oct 26 20:33:48	poes: [poes10] LCP: SendConfigReq #1
    Oct 26 20:33:48	poes: PROTOCOMP
    Oct 26 20:33:48	poes: MRU 1492
    Oct 26 20:33:48	poes: MAGICNUM c5d20912
    Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
    Oct 26 20:33:48	poes: MAGICNUM 24cbf809
    Oct 26 20:33:48	poes: [poes10] LCP: SendConfigAck #121
    Oct 26 20:33:48	poes: MAGICNUM 24cbf809
    Oct 26 20:33:48	poes: [poes10] LCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
    Oct 26 20:33:48	poes: PROTOCOMP
    Oct 26 20:33:48	poes: [poes10] LCP: SendConfigReq #2
    Oct 26 20:33:48	poes: MRU 1492
    Oct 26 20:33:48	poes: MAGICNUM c5d20912
    Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48	poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
    Oct 26 20:33:48	poes: MRU 1492
    Oct 26 20:33:48	poes: MAGICNUM c5d20912
    Oct 26 20:33:48	poes: AUTHPROTO CHAP MD5
    Oct 26 20:33:48	poes: [poes10] LCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48	poes: [poes10] LCP: auth: peer wants nothing, I want CHAP
    Oct 26 20:33:48	poes: [poes10] CHAP: sending CHALLENGE len:20
    Oct 26 20:33:48	poes: [poes10] LCP: LayerUp
    Oct 26 20:33:48	poes: [poes10] CHAP: rec'd RESPONSE #1
    Oct 26 20:33:48	poes: Name: "CSR"
    Oct 26 20:33:48	poes: [poes10] AUTH: Auth-Thread started
    Oct 26 20:33:48	poes: [poes10] AUTH: Trying INTERNAL
    Oct 26 20:33:48	poes: [poes10] AUTH: INTERNAL returned undefined
    Oct 26 20:33:48	poes: [poes10] AUTH: Auth-Thread finished normally
    Oct 26 20:33:48	poes: [poes10] CHAP: ChapInputFinish: status undefined
    Oct 26 20:33:48	poes: Response is valid
    Oct 26 20:33:48	poes: Reply message: Welcome
    Oct 26 20:33:48	poes: [poes10] CHAP: sending SUCCESS len:7
    Oct 26 20:33:48	poes: [poes10] LCP: authorization successful
    Oct 26 20:33:48	poes: [poes10] Bundle up: 1 link, total bandwidth 64000 bps
    Oct 26 20:33:48	poes: [poes10] IPCP: Open event
    Oct 26 20:33:48	poes: [poes10] IPCP: state change Initial --> Starting
    Oct 26 20:33:48	poes: [poes10] IPCP: LayerStart
    Oct 26 20:33:48	poes: [poes10] IPCP: Up event
    Oct 26 20:33:48	poes: [poes10] IPCP: state change Starting --> Req-Sent
    Oct 26 20:33:48	poes: [poes10] IPCP: SendConfigReq #1
    Oct 26 20:33:48	poes: IPADDR 10.5.250.4
    Oct 26 20:33:48	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:48	poes: [poes10] IPCP: rec'd Configure Request #123 (Req-Sent)
    Oct 26 20:33:48	poes: [poes10] IPCP: SendConfigAck #123
    Oct 26 20:33:48	poes: [poes10] IPCP: state change Req-Sent --> Ack-Sent
    Oct 26 20:33:48	poes: [poes10] IPCP: rec'd Configure Ack #1 (Ack-Sent)
    Oct 26 20:33:48	poes: IPADDR 10.5.250.4
    Oct 26 20:33:48	poes: [poes10] IPCP: state change Ack-Sent --> Opened
    Oct 26 20:33:48	poes: [poes10] IPCP: LayerUp
    Oct 26 20:33:48	poes: 10.5.250.4 -> 173.160.XXX.XXX
    Oct 26 20:33:48	poes: [poes10] IFACE: Up event
    Oct 26 20:33:48	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    Oct 26 20:33:58	poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
    
    

    Here is a copy of the mpd.conf from 2.0, with compression disabled and the auth changed to CHAP:

    
    pppoe_standard:
            set bundle no multilink
            # CCP data compression left off
            #set bundle enable compression
            set auth max-logins 1
            set iface up-script /usr/local/sbin/vpn-linkup
            set iface down-script /usr/local/sbin/vpn-linkdown
            set iface idle 0
            set iface disable on-demand
            set iface disable proxy-arp
            set iface enable tcpmssfix
            set iface mtu 1500
            # both auth methods off, then only CHAP back on (changed from PAP, see above)
            set link no pap chap
            set link enable chap
            set link keep-alive 60 180
            # the later "no vjcomp" overrides the "yes": VJ header compression stays off
            set ipcp yes vjcomp
            set ipcp no vjcomp
            set link max-redial -1
            set link mtu 1492
            set link mru 1492
            set ccp yes mpp-e40
            set ccp yes mpp-e128
            set ccp yes mpp-stateless
            set link latency 1
            #set ipcp dns 10.10.1.3
            #set bundle accept encryption
            set ipcp dns 192.168.2.4 75.75.75.75
    
    

    Questions
    Am I missing some firewall change that is different from 1.2.3 and need a rule to fix this?
    Why the change from CHAP to PAP as the default in 2.0?
    Any thoughts on why compression was throwing an error with 2.0? Or did 1.2.3 just not show errors when it could not negotiate compression?
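
An added helper, not code from the original post, from mpd or from pfSense, for reading an mpd5 PPPoE-server log like the one above: it reports which AUTHPROTO the server put in its own Configure-Request and which one the client acked, which options the client returned in a Configure-Reject, whether authorization succeeded, the IPCP addresses, and which protocols mpd rejected as unexpected. MPD_LOG_EXCERPT is an excerpt of the 2.0 log posted above, with the same timestamps and addresses. One caveat when reading the reject it finds: PROTOCOMP is the LCP protocol-field-compression option, a different thing from the CCP data compression that `set bundle enable compression` governs, so a rejected PROTOCOMP on its own says nothing about CCP.

```python
"""Summarise an mpd5 PPPoE-server log: offered, rejected and acked options.

Added example, not mpd or pfSense code. MPD_LOG_EXCERPT is an excerpt of the
2.0 log posted in this thread; nothing in it is invented.
"""
import re
from typing import Dict

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<proc>\w+):\s(?P<msg>.*)$")
TAG_RE = re.compile(r"^\[(?P<link>[^\]]+)\]\s(?P<rest>.*)$")              # "[poes10] LCP: ..."
LAYER_RE = re.compile(r"^(?P<layer>LCP|IPCP|IPV6CP|CCP|CHAP|PAP|AUTH): (?P<text>.*)$")
OPTION_RE = re.compile(r"^(?P<opt>[A-Z][A-Z0-9]+)(?:\s+(?P<val>.*))?$")    # "AUTHPROTO CHAP MD5"
UNEXPECTED_RE = re.compile(r"rec'd unexpected protocol (\w+), rejecting")
ADDR_RE = re.compile(r"^(?P<local>\d+\.\d+\.\d+\.\d+) -> (?P<peer>\S+)$")

MPD_LOG_EXCERPT = """\
Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #1
Oct 26 20:33:48 poes: PROTOCOMP
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Request #121 (Req-Sent)
Oct 26 20:33:48 poes: MAGICNUM 24cbf809
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Reject #1 (Ack-Sent)
Oct 26 20:33:48 poes: PROTOCOMP
Oct 26 20:33:48 poes: [poes10] LCP: SendConfigReq #2
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] LCP: rec'd Configure Ack #2 (Ack-Sent)
Oct 26 20:33:48 poes: MRU 1492
Oct 26 20:33:48 poes: MAGICNUM c5d20912
Oct 26 20:33:48 poes: AUTHPROTO CHAP MD5
Oct 26 20:33:48 poes: [poes10] CHAP: rec'd RESPONSE #1
Oct 26 20:33:48 poes: Name: "CSR"
Oct 26 20:33:48 poes: Response is valid
Oct 26 20:33:48 poes: [poes10] LCP: authorization successful
Oct 26 20:33:48 poes: [poes10] IPCP: SendConfigReq #1
Oct 26 20:33:48 poes: IPADDR 10.5.250.4
Oct 26 20:33:48 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
Oct 26 20:33:48 poes: 10.5.250.4 -> 173.160.XXX.XXX
Oct 26 20:33:58 poes: [poes10] rec'd unexpected protocol IPV6CP, rejecting
"""


def summarise(lines) -> Dict:
    """Walk the log once; untagged option lines belong to the tagged control
    message (SendConfigReq / Configure Reject / Configure Ack) just before them."""
    summary = {
        "auth_offered": None,        # AUTHPROTO in our Configure-Request
        "auth_negotiated": None,     # AUTHPROTO in the peer's Configure-Ack
        "auth_result": None,
        "peer_rejected": [],         # (layer, option) pairs from Configure-Reject
        "unexpected_protocols": [],
        "local_addr": None,
        "peer_addr": None,
    }
    context = None                   # (layer, kind) of the last control message
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        tagged = TAG_RE.match(msg)
        if tagged:
            rest = tagged.group("rest")
            u = UNEXPECTED_RE.search(rest)
            if u and u.group(1) not in summary["unexpected_protocols"]:
                summary["unexpected_protocols"].append(u.group(1))
            layered = LAYER_RE.match(rest)
            layer = layered.group("layer") if layered else None
            text = layered.group("text") if layered else rest
            if text.startswith("SendConfigReq"):
                context = (layer, "sent_req")
            elif text.startswith("rec'd Configure Reject"):
                context = (layer, "peer_reject")
            elif text.startswith("rec'd Configure Ack"):
                context = (layer, "peer_ack")
            else:
                context = None
            if text == "authorization successful":
                summary["auth_result"] = "success"
            elif text == "authorization failed":
                summary["auth_result"] = "failed"
            continue
        addr = ADDR_RE.match(msg)
        if addr:
            summary["local_addr"], summary["peer_addr"] = addr.group("local"), addr.group("peer")
            continue
        opt = OPTION_RE.match(msg)
        if not opt or context is None:
            continue
        layer, kind = context
        name, val = opt.group("opt"), opt.group("val")
        if kind == "peer_reject":
            summary["peer_rejected"].append((layer, name))
        elif name == "AUTHPROTO" and kind == "sent_req":
            summary["auth_offered"] = val
        elif name == "AUTHPROTO" and kind == "peer_ack":
            summary["auth_negotiated"] = val
    return summary


def summarise_excerpt() -> Dict:
    return summarise(MPD_LOG_EXCERPT.splitlines())


if __name__ == "__main__":
    for key, val in summarise_excerpt().items():
        print(f"{key}: {val}")
```

Run against the posted 2.0 log it reports CHAP MD5 offered and acked, authorization successful, PROTOCOMP as the only option the client rejected at LCP, IPV6CP as the only protocol mpd refused, and 10.5.250.4 as the server-side address for the link; the same script reads the 1.2.3 log because the "mpd:" prefix matches the same pattern. If a rebuilt mpd.conf ever flips the authentication back, "auth_offered" is the field that changes.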

