Sky Fibre to the Cabinet Rollout - PfSense support?



  • Hi all,

    Over in the UK Sky have released their fibre service, which uses MER authentication.

    The guys over at Billion have already modified their routers firmware to allow it to connect: http://www.billion.uk.com/forum/viewtopic.php?f=9&t=343

    Sky use a modified 1483MER encapsulation method. Normal connections do negotiate successfully but fail to get an IP.

    Does anyone on this board know whether PfSense has support for this type of encapsulation? Or has anyone tried it with Sky fibre?

    Many thanks

    Edit: Someone has put an excellent guide here detailing the specifics:
    http://wiki.ph-mb.com/wiki/MER


  • Netgate Administrator

    This is interesting!
    The Billion 7800N and the Draytek V120 (mentioned on the page you linked to) are both ADSL2+ devices and hence capable of 24Mbps. It seems unlikely either of those would be used with a FTTC service.
    Since pfSense doesn't support XXXoA directly you would need some other device. MER seems to be a combination of MPoA and sending DHCP client options.

    The real question seems to be can pfSense send DHCP client options? (specifically 60 and 61)

    Steve


  • Netgate Administrator

    Ok, I'm thinking it almost certainly can via dhclient.conf. There may not be a nice box for it in pfSense (yet!).

    Steve



  • Whilst the 7800N and the V120 are ADSL modems, that functionality isn't used.

    Sky use BT Open Reach modems and then plug them into the switch port of the router, which handles connection via PPPoE.

    http://imageshack.us/photo/my-images/818/20120221155404.jpg/


  • Netgate Administrator

    Ah Ok so same as BT Infinity, which makes sense. Sky don't have their own cabinets in the road.
    Presumably though they are using MER instead of PPPoE? (seems like it)

    Steve



  • Kind of. Although the option is there, the MAC address doesn't need to be spoofed on the Billion routers to get a connection. It is simply the weird DHCP option number that needs to be resolved!


  • Netgate Administrator

    Indeed it looks like it needs to see username and password information in the option 61 field: PPPUsername|PPPPassword

    Should be possible. Do you have this service?

    Steve


  • Netgate Administrator

    Just reading through the code I'm unsure if you can just set this information in the DHCP hostname field. This seems to be the client identifier but I can't see it labelled '61' anywhere. No idea if it would need coding in hex or what.

    Steve



  • Hi there,

    The suggested underneath would more be welcome!
    @stephenw10:

    The real question seems to be can pfSense send DHCP client options? (specifically 60 and 61)
    Ok, I'm thinking it almost certainly can via dhclient.conf. There may not be a nice box for it in pfSense (yet!).
    Steve

    A GUI is always nice. Perhaps already any estimate/building plans?
    Is there a building/wishlist available? If yes, can somebody move it towards and inform me?

    Are there any examples how to configure 'dhclient.conf' in pfSense? Planning to use it soon.

    Thx,
    Canefield


  • Netgate Administrator

    I believe this can be done with the hostname field already present in the gui. Usually you would leave the hostname empty however if you set an interface (OPT5 here) to dhcp and fill in the field (I used testdhcphost) you then get a custom dhclient conf file. This is generated by pfSense so if you alter it manually it probably won't last long!

    /var/etc/dhclient_opt5.conf

    
    interface "fxp0" {
    timeout 60;
    retry 1;
    select-timeout 0;
    initial-interval 1;
    	send dhcp-client-identifier "testdhcphost";
    	send host-name "testdhcphost";
    
    	script "/sbin/dhclient-script";
    }
    

    DHCP client identifier is 'option 61'. See: http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xml#options

    I can't test this since I'm not on Sky. Seems likely to work though.

    Steve



  • Thanks Stephen, very helpful. My install date isn't until May 04th, would be good to get someone to test this otherwise I will do it around then.

    I assume we could always change the permission of the dhclient_opt5.conf file so it cannot be overwritten. A dirty fix, but should work at least.


  • Netgate Administrator

    That would be a bad idea since pfSense generates that file at boot or whenever the config is changed. If it couldn't do it for some reason I imagine some errors would result!  ;)
    I'm sure a work around in the code that generates it would be relatively easy until something more permanent could be produced. If it's needed.

    Steve



  • I am also on sky and currently am using pppoe passthrough via my modem.
    I fear that when I do upgrade to fibre my pfsense alix board will become redundant.

    Is there a plan for pfsense to implement 1483 MER ?



  • Pfsense supports MER, however we need to determine how to use option 61. The guys at billion have figured it out for their routers.

    We simply need a way to add option 61 info to the DHCP that gets sent to the WAN.



  • but on wan dhcp. there is a field for hostname authentication

    I assume this is where you can paste the hex key to authenticate


  • Netgate Administrator

    That's what it looks like, yes.
    You could check for sure by looking at a packet capture on the interface and see what the dhcp client is sending. Or just wait and try it!

    Are either of you on sky already? From reading the forums it looks like they are running both authentication systems in parallel in existing adsl lines.

    Steve



  • I haven't ordered it yet, however i am using llu pppoa for normal adsl2+
    which uses both methods for authentication either mer/pppoa.



  • @stephenw10:

    That's what it looks like, yes.
    You could check for sure by looking at a packet capture on the interface and see what the dhcp client is sending. Or just wait and try it!

    Are either of you on sky already? From reading the forums it looks like they are running both authentication systems in parallel in existing adsl lines.

    Steve

    May 4th. There is a guy on another forum who has fibre a little sooner than me, and Pfsense, so i'll pass him the link and see if he has any luck.



  • Hey guys,

    So the task has been completed by some clever folks:

    --------------------------------------------------------
    WRT54G & Similar running Tomato
    Some versions of Tomato support '-c' client ID option (option 61), however others do not. Where 'udhcpcd' supports '-c' then you may enter '-c PPPusername|PPPpassword' in DHCPC options. An alternate method using '-x' to specify additional DHCPC options (incl option 61) may be used. Where '-x' is used the username & password fields must be translated into a HEX string (see below)
    It is not necessary to spoof your original Sky router's MAC address in order to obtain an IP address.

    1. Convert your PPPusername|PPPpassword string into HEX - I used http://www.string-functions.com/string-hex.aspx
      e.g. 1a2b3c4d5e6f@skydsl|zzc7Zovbt5Fpa7B turns into 31613262336334643565366640736b7964736c7c7a7a63375a6f766274354670613742
    2. In 'Advanced->DHCP/DNS' DHCPC options enter '-x 61:00' immediately followed by the converted string from above. e.g. '-x 61:0031613262336334643565366640736b7964736c7c7a7a63375a6f766274354670613742' & save.
    3. In 'Basic->Network' set your network type to DHCP, default MTU & save

    Does anyone know how I would go about implementing this on PfSense?
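
Added example (not part of the original posts, and not pfSense or Tomato code): the hex conversion from the Tomato steps above, together with the packet-capture check suggested earlier in the thread, in Python. The function names and the constructed DISCOVER packet are assumptions for illustration; the sample credentials are the example string quoted in the post.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, precedes the options field
SAMPLE = "1a2b3c4d5e6f@skydsl|zzc7Zovbt5Fpa7B"  # example string quoted in the post

def tomato_option61(credentials: str) -> str:
    """'user|pass' -> udhcpc argument: option 61, type byte 00, then ASCII as hex."""
    return "-x 61:00" + credentials.encode("ascii").hex()

def parse_options(bootp: bytes) -> dict:
    """Walk the code/length/value options of a DHCP message (the UDP payload)."""
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:      # 255 = end option
        code = bootp[i]
        if code == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(bootp):
            raise ValueError("truncated option header")
        length = bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated codes are concatenated
        i += 2 + length
    return opts

def client_identifier(bootp: bytes):
    """Option 61 as text (a leading type-0 byte is dropped), or None if not sent."""
    raw = parse_options(bootp).get(61)
    if raw is None:
        return None
    if raw[:1] == b"\x00":
        raw = raw[1:]
    return raw.decode("ascii", "replace")

def build_discover(client_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER (made-up MAC and xid) so the parser runs offline."""
    mac = bytes.fromhex("020000000001")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678,
                        0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    return fixed + MAGIC + bytes([53, 1, 1, 61, len(client_id)]) + client_id + b"\xff"

if __name__ == "__main__":
    print(tomato_option61(SAMPLE))
    print(client_identifier(build_discover(b"\x00" + SAMPLE.encode("ascii"))))
```

To check a real WAN interface, pass `client_identifier` the UDP payload of a DHCPDISCOVER taken from a capture on that interface. The identifier is readable in every DISCOVER and REQUEST, so redact it before posting a capture or DHCP log.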


  • Netgate Administrator

    That's what I have been basing my speculation on.
    To implement this on pfSense you need to enter your "PPPusername|PPPpassword" in the hostname field on the dhcp setup. Try it and see.
    You will not have to enter it as HEX since pfSense sends this as '61', client identifier.

    Steve



  • Hey Stephen,

    Unfortunately I am still without Sky fibre (roll on Friday!) however I may not attempt much messing about as it will cause the DLM (Sky line monitoring) to flag my connection as flapping and then get throttled.

    There is an awesome plugin here tho:
    http://forum.pfsense.org/index.php?topic=40194.0

    That seems to fit the bill exactly to what we need to do to accomplish this if your suggestion doesn't work.

    I will be trying to negotiate an MER connection tonight with my current unlimited broadband, however


  • Netgate Administrator

    Yes that mod will definitely do it but it shouldn't be required at the moment. However if Sky subsequently decide to require option 60 as well you can easily do it with that. Nice.  :)

    DLM is done based on line disconnection i.e. actually unplugging the modem. There should be no need for you to do that to test pfSense. You can leave the Openreach modem connected to the VDSL line and just replace Sky's router with pfSense.

    Steve



  • Awesome Stephen, thanks very much for the help so far.

    May I ask what your day job is?


  • Netgate Administrator

    Ha! Well it depends who you ask.
    Technically I'm an electrical/electronics engineer but I left my job a few years ago to do some travelling and have been decorating on and off while I think of something better to do.  ::)
    Hence plenty of free time for commenting!

    Steve



  • @dLockers:

    Hey Stephen,

    Unfortunately I am still without Sky fibre (roll on Friday!) however I may not attempt much messing about as it will cause the DLM (Sky line monitoring) to flag my connection as flapping and then get throttled.

    There is an awesome plugin here tho:
    http://forum.pfsense.org/index.php?topic=40194.0

    That seems to fit the bill exactly to what we need to do to accomplish this if your suggestion doesn't work.

    I will be trying to negotiate an MER connection tonight with my current unlimited broadband, however

    really cool. do let me know if you get it working without the patch. It makes sense it should work just with the existing dhcp hostname and mac cloning on wan.

    A guide written up would be really cool for anyone new to this once we get it working.


  • Netgate Administrator

    No need to spoof the MAC on WAN even.

    @http://www.billion.uk.com/forum/viewtopic.php?f=9&t=343&start=20#p1492:

    Sky MER authentication don't use Option 60, so mac spoofing is not needed.

    Steve



  • Is there a way to check if my exchange even supports MER?

    I tried it last night, both spoofing MAC and not - using the PPPuser|PPPpass - no good, never got an IP.

    Now my connection even on traditional PPPoA won't connect…


  • Netgate Administrator

    What modem are you using? It has to be set to MpoA to use MER.
    As detailed: http://wiki.ph-mb.com/wiki/MER#WRT54G_.26_Similar_running_Tomato

    Steve



  • @stephenw10:

    What modem are you using? It has to be set to MpoA to use MER.
    As detailed: http://wiki.ph-mb.com/wiki/MER#WRT54G_.26_Similar_running_Tomato

    Steve

    I set it to MER, still no go.

    Unsure what's happened. Going to try my spare pfsense build and see if it's because I've messed so much with the WAN settings it's corrupted it.



  • @dLockers:

    Is there a way to check if my exchange even supports MER?

    I tried it last night, both spoofing MAC and not - using the PPPuser|PPPpass - no good, never got an IP.

    Now my connection even on traditional PPPoA won't connect…

    please post dhcp log from systems log, so we can see what is happening



  • @sandman06:

    @dLockers:

    Is there a way to check if my exchange even supports MER?

    I tried it last night, both spoofing MAC and not - using the PPPuser|PPPpass - no good, never got an IP.

    Now my connection even on traditional PPPoA won't connect…

    please post dhcp log from systems log, so we can see what is happening

    Does it save after a reboot?



  • Okay, small update to this.

    I tried again last night with the correct modem settings, the DHCP log kept showing DISCOVER but no offer.

    Maybe my exchange isn't MER enabled - I don't know how to confirm this.


  • Netgate Administrator

    Hmm, I don't think it's the exchange that has to be MER enabled. The authentication servers are not in the exchange.
    They probably do have to support MPoA at the exchange though.
    Edit: Nope probably just ticking a check box on some central server.

    Unless you managed to get hold of a friendly sky engineer I don't know how you could find out. How likely is that!  ::)
    Until you are sure you can connect via MER any results you get may just be more confusing than useful.
    Only one more day to wait.

    Steve



  • May have been a modem issue (or firmware)

    Fibre dropped today, will be attempting to get it up and running tonight!



  • Boom.

    First pfsense install on MER/Fibre

    All you do is use the tool here>http://www.ph-mb.com/products/sky-calc and ensure you select the Sagem one.

    Then in hostname under DHCP on the WAN connection add your username|password (with the bar).

    Connected first time. Well happy!


  • Netgate Administrator

    Ha. Nice.  ;D

    Steve



  • @stephenw10:

    Ha. Nice.  ;D

    Steve

    Couldn't have done it without you, thanks stephen.



  • glad to hear.

    was the MER only enabled when you switched to fibre?, or was it enabled all along.

    Do you mind posting a brief guide for all sky users that may wish to use pfsense as their firewall/router



  • @sandman06:

    glad to hear.

    was the MER only enabled when you switched to fibre?, or was it enabled all along.

    Do you mind posting a brief guide for all sky users that may wish to use pfsense as their firewall/router

    Yes. For me anyway, I know some users have been using MER for ages on their ADSL line.

    I was with Sky since 2008 for broadband though so I was using the legacy PPPoA mechanism with no possibility to use MER.

    All you need to do is enter your router username and password (like this (with the | bar) -> USER|PASS) with the bar that you get from the ph-mb website (http://www.ph-mb.com/products/sky-calc) using your fibre router's LAN MAC and wireless key (8 LETTERS).

    Drop it into the DHCP connections 'hostname' field:

    Simple as that.

    Please Note: It is NOT your previous sky adsl username and password



  • thank you very much both of you.

