What's the use of MAC spoofing on PPPoE interface?



  • The PPPoE interface page also has a MAC Address field. I assume that the PPPoE connection is made using the MAC address of the em0 interface and not the PPPoE interface. So if spoofing is required in order to connect, the em0 MAC address would need to be changed and not the PPPoE interface's.

    Once the connection is made, AFAIK PPP does not even use MAC so what is the purpose of the MAC Address field on the PPPoE interface page?



  • NIC clients (e.g. VLAN interfaces, bridge, PPP etc) can all specify their own MAC address to be used as source MAC address in frames they send. That MAC address is also used in filters applied to incoming MAC frames to determine the appropriate client to receive incoming frames.

    I would expect any MAC address specified for the parent interface (e.g. em0) to be used as a default MAC address (used IF the client doesn't doesn't specify a particular MAC address).



  • What about in the case of PPP specifically. PPP doesn't use MAC addresses right? Only the host NIC's MAC is used while setting up PPPoE. What's the use of a MAC address on the PPPoE interface? Is it even conceptually valid?



  • @KurianOfBorg:

    What about in the case of PPP specifically. PPP doesn't use MAC addresses right? Only the host NIC's MAC is used while setting up PPPoE. What's the use of a MAC address on the PPPoE interface? Is it even conceptually valid?

    Sometimes it can be helpful to be pendantic. When you talk PPP and NICs you are talking PPPoE (PPP over Ethernet), right? That means PPP is carried in Ethernet frames. Ethernet frames have Destination MAC address and Source MAC address.



  • @wallabybob:

    Sometimes it can be helpful to be pendantic. When you talk PPP and NICs you are talking PPPoE (PPP over Ethernet), right? That means PPP is carried in Ethernet frames. Ethernet frames have Destination MAC address and Source MAC address.

    Yes and the em0 interface's MAC address is used for that since the "over Ethernet" part is over em0. What is the use of the MAC address field in the virtual PPPoE interface? Is it even used at all? Is it there simply because the HTML page is common for all interfaces?



  • @KurianOfBorg:

    Yes and the em0 interface's MAC address is used for that since the "over Ethernet" part is over em0.
    [/.quote]
    What is your evidence for that? I have a bridge interface on which I have set a specific MAC address. Outgoing traffic on bridge members uses the MAC address of the bridge as the source MAC address rather than the MAC address of the physical interface sending it. I expect PPPoE would behave similarly.

    @KurianOfBorg:

    What is the use of the MAC address field in the virtual PPPoE interface?

    To specify the source MAC address to used for the PPPoE conversation - some other devices care about the source MAC address.

    @KurianOfBorg:

    Is it even used at all?

    Personally, I don't currently care. But I might care one day: some readers have reported that their modems are very fussy about source MAC address in PPPoE traffic they receive. My modem isn't fussy in that way.

    @KurianOfBorg:

    Is it there simply because the HTML page is common for all interfaces?

    I doubt it. I expect it is there because it is useful to some pfSense users. I imagine it could be useful in a circumstance like the following:
    your pfSense device has limited ports. You have two WAN ports talking PPPoE to "fussy" modems which want specific source MAC addresses and different MAC addresses. You could talk with the two modems over VLANs (and a VLAN capable switch) on a single NIC and use the PPPoE configuration to set the relevant MAC addresses.



  • I analysed traffic with WireShark and PPPoE packets continue to use the em0 MAC address even when a different MAC address is set in the PPPoE interface page. Nowhere inside the data contained in the Ethernet frames (the PPPoE protocol) is there any mention of any other address at all.

    Bridge interfaces do have their own virtual MAC addresses because they usually allow the device doing the bridging to also communicate on the network like another host. If this was the case with PPPoE, it would need to broadcast fake ARP packets and use that MAC address to send the PADI request. However the PADI packet always uses the em0 address even if I set a MAC address on the PPPoE interface page.

    I understand that the logical intention is to spoof the PPPoE client's address to the modem/DSL-AC. The whole reason I asked the question is because it's not doing this. It's always using the em0 address which I verified with WireShark. Bug in pfSense?

    No matter what address I specify on the PPPoE page, PPPoE is initiated by broadcasting PADI from em0 address to FF:FF:FF:FF:FF:FF and then the DSL-AC responds back with a PADO to the em0 address.



  • @KurianOfBorg:

    It's always using the em0 address which I verified with WireShark. Bug in pfSense?

    Maybe. Maybe pfSense is not telling PPPoE.

    Maybe its a FreeBSD bug in mpd, the PPP daemon, ignoring MAC address configured by pfSense. Maybe its a FreeBSD bug in the em driver.



  • I have done a bit of research and haven't found evidence that pfSense put the PPPoE configured MAC address in the mpd configuration file. A quick scan of the mpd documentation didn't reveal a way to configure a MAC address for PPPoE to use. Perhaps that configuration item is a left over from previous use of a different PPP implementation.



  • @wallabybob:

    I have done a bit of research and haven't found evidence that pfSense put the PPPoE configured MAC address in the mpd configuration file. A quick scan of the mpd documentation didn't reveal a way to configure a MAC address for PPPoE to use. Perhaps that configuration item is a left over from previous use of a different PPP implementation.

    That's obvious because you cannot have two MAC addresses on one logical interface. You'd need to create a new virtual interface bridged to em0 and set the PPPoE spoofed MAC address on that. There's no way MPD is going to do all that. It would need to be pre-configured by whatever is invoking MPD and MPD would simply have to be told to use the pre-configured virtual interface.



  • @KurianOfBorg:

    That's obvious because you cannot have two MAC addresses on one logical interface.

    What "one logical interface" do you mean? And why do you think I'm suggesting there would be two MAC addresses on that interface?



  • @wallabybob:

    What "one logical interface" do you mean? And why do you think I'm suggesting there would be two MAC addresses on that interface?

    In my case it would be em0. You implied it would be a trivial process for MPD to connect with a different MAC address. Since you can't have two MAC addresses on an interface, it would need to create a new virtual interface with the spoofed MAC address, bridge the interface to em0, broadcast fake ARP packets to the switch so that the PADO response from the DSL-AC actually travels all the way back from the switch to the virtual interface through em0.

    Further more your physical switch (or vSwitch on ESXi) security policies may even disallow this.



  • If you want to retain em0's original address but still use spoofing for PPPoE, I guess a workaround would be to create a bridge interface first with the desired MAC address and then create a new PPPoE connection over that (if pfSense allows it).

    Otherwise just changing em0's address works.


Locked