Alternatives to PPPOA?
-
Hi,
Great to hear there is a patch for PPPoA! In New Zealand our nationwide Telecom ADSL network only supports PPPoA, (with the exception of Telstraclear’s small metro network which uses PPPoE).
I'm running pfSense 1.2 embedded, my question is how do I apply this patch. I have downloaded pppoa_diff.txt, do I manually have to edit the files specified in pppoa_diff.txt, or is there another way? ???
Sorry I'm pretty green when it comes to this sort of thing, but I am really excited about getting PPPoA working! :)
Any help or pointers would be appreciated?
-
I can't possibly see how Ermal's patch can work - it appears to be setting up PPTP ("set link type pptp"), not PPPoA. There are some ISPs that deliver links over PPTP, so it's a worthwhile option to have, but it's not PPPoA! Further evidence that this is not PPPoA is that there's no facility added to the user interface to enter the VPI, VCI and encapsulation type, all of which are essential for a PPPoA connection.
You can't bridge PPPoA (PPP over ATM AAL5) to Ethernet and pick it up at the other end as PPPoE. In PPPoA, PPP is overlaid on ATM AAL5; the PPP is inside ATM frames. You need an ATM stack to recover the PPP frames. All the details are in RFC 2364.
PPPoE is the version of PPP designed to be carried over Ethernet. You could come up with a schema to encapsulate PPPoA in Ethernet frames, carry it over Ethernet to another device and unencapsulate it - but you'd still need an ATM stack to recover the PPP frames.
Those that say "just use PPPoE" are on ISPs that allow you to use PPPoE as an alternative to PPPoA - this includes all IPstream based ISPs in the UK, where BT Openworld specify PPPoA as the preferred connection type, though PPPoE will work in almost every case and is now officially documented in the BT SINs. ISPs can disable the ability to use PPPoE on their RADIUS servers; I don't know of any that do.
However, there are four possible ways to deal with this situation. This message comes to you over a PPPoA connection via pfSense!
If you have a single IP address PPPoA account, find an ADSL router that offers PPP "half bridge" and supports PPPoA (check Westell and Thomson Speedtouch manuals for this support; Conexant chipset routers also tend to offer this but some Conexant chipset routers are bargain basement junk). In this case, the router terminates the PPPoA and offers the WAN IP address on the LAN side via DHCP. You set pfSense to DHCP on the WAN side (or static IP if you have a static IP from the ISP - though beware of the situation where the gateway address changes from connection to connection as is the case on the BT IPstream platform - you need to use DHCP even with static IP in that case to pick up the correct gateway address).
If you have a PPPoA account with multiple IP addresses, find an ADSL router that allows no-NAT routing and the firewall to be disabled - ZyXEL Prestige P660H series are suitable; I'm using a P660H-61.
Leave the WAN side of the router on dynamic IP - it will pick up the correct details from your ISP (again, on the UK BT IPstream platform, the gateway address changes from connection to connection). Your ISP assigned gateway address must not change from connection to connection - though that's usually no problem, as it's typically one of the addresses in your netblock.
The router takes your ISP assigned gateway address on the WAN side - you configure the LAN side of the router to that same address, and set the netmask according to your netblock (you can subnet the block on a ZyXEL Prestige if you wish; use static routes on the Prestige's telnet menu interface to route these subnet blocks).
You set pfSense's WAN screen to another IP address in your netblock, the netmask the same as the netblock you configured on the LAN side of the router and the gateway address to be the router's LAN address. Proxy ARP in the virtual IP screens of pfSense will allow you to use the other addresses in your netblock.
This approach costs you one address more than terminating the connection directly on pfSense. If you do use a ZyXEL router, you probably need to install WAN packet filters on TCP/UDP ports 53, 161 and 162 to block WAN access to the recursive DNS server and SNMP features of the router (dumb design by ZyXEL, but the filter isn't hard to set up). I can write a 'how to' if necessary - indeed, if people are interested in a 'how to' on this second option using a ZyXEL P660 series router, I'll write one when I have some time.
The third option is to terminate the WAN connection directly on your main router - for example, using a PCI ADSL card. Unfortunately this really isn't possible in pfSense; the ATM code in FreeBSD has become rather moribund, and the supply of DSL cards (and ATM NICs) is drying up.
The fourth way is to use a router that breaks the PPPoA encapsulation and re-encapsulates the PPP as PPPoE (this is not just encapsulating PPPoA as Ethernet - the PPPoA is unencapsulated to PPP, then re-encapsulated as PPPoE). 3Com used to make an ADSL router that did this - but it's long discontinued and I believe it wasn't very reliable.
For all the hassles of PPPoA, it can offer lower overheads on ATM connections, especially in the VC-mux variant (one reason why BT Openworld specify PPPoA as their preferred connection type for IPstream), also it allows a 1500 byte WAN MTU whereas 1492 is the maximum MTU for Ethernet because of the 8 byte PPPoE header.
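The overhead comparison in the post above, worked through as an added example that is not part of the original thread. It counts ATM cells per IP packet for PPPoA (RFC 2364) and for PPPoE carried over RFC 1483 bridged LLC; it assumes no PPP protocol-field compression and no preserved Ethernet FCS or minimum-frame padding on the bridged path.

```python
import math

ATM_CELL = 53        # bytes on the wire per ATM cell (5 header + 48 payload)
ATM_PAYLOAD = 48     # AAL5 payload bytes carried per cell
AAL5_TRAILER = 8     # AAL5 CPCS trailer: UU, CPI, length, CRC-32

# Bytes placed in front of the IP datagram inside the AAL5 frame.
ENCAPS = {
    # VC-multiplexed PPP: only the 2-byte PPP protocol field
    "PPPoA VC-mux": 2,
    # LLC-encapsulated PPP: LLC (3) + NLPID (1) + PPP protocol (2)
    "PPPoA LLC": 3 + 1 + 2,
    # PPPoE on a bridged LLC/SNAP VC:
    # LLC/SNAP + pad (10) + Ethernet header (14) + PPPoE (6) + PPP protocol (2)
    "PPPoE LLC bridged": 10 + 14 + 6 + 2,
}


def cells(ip_len, encap):
    """ATM cells needed for one IP packet; AAL5 pads up to a whole cell."""
    frame = ip_len + ENCAPS[encap] + AAL5_TRAILER
    return math.ceil(frame / ATM_PAYLOAD)


def wire_bytes(ip_len, encap):
    """Bytes actually sent on the DSL line for one IP packet."""
    return cells(ip_len, encap) * ATM_CELL


def efficiency(ip_len, encap):
    """Fraction of line bytes that are IP payload."""
    return ip_len / wire_bytes(ip_len, encap)


def compare(sizes):
    """Rows of (ip_len, encap, cells, wire_bytes, efficiency) per size."""
    return [(n, e, cells(n, e), wire_bytes(n, e), round(efficiency(n, e), 3))
            for n in sizes for e in ENCAPS]


if __name__ == "__main__":
    # Constructed sample sizes: a small packet, a mid-size one, and the two
    # full-MTU cases from the post (1492 over PPPoE, 1500 over PPPoA).
    for row in compare([64, 576, 1492, 1500]):
        print("%5d  %-18s %3d cells  %5d bytes  %.3f" % row)
```

A 1500-byte packet over PPPoA VC-mux and a 1492-byte packet over PPPoE both take 32 cells, so PPPoA moves 8 more bytes of IP for the same line time; the 1500-byte row for PPPoE is shown only for comparison, since it exceeds the 1492 MTU.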
-
Hi,
The ADSL router I'm trying to use is a SMC7904BRA2, it supports RFC 1483 Bridging, RFC 1483 Routing, IP over RFC 1483 Bridged, PPPoA and PPPoE.
PPPoE is out as it’s not supported in NZ. I’ve successfully used PPPoA half bridge before on other routers, but this one doesn’t seem to support it.
Hence why I would like to use PPPoA bridged. As a side note, when I select the configuration for RFC 1483 Bridged/Routing/IP extension, I can set the encapsulation (VM MUX) and VPI/VCI (0/100) in the router's configuration, so I assume this wouldn’t have to be set in the pfSense configuration?
-
As a side note, you can always DMZ an IP to pfSense. That's what I had to do.
-
RFC 1483 bridged is not RFC 2364 PPPoA. RFC 1483 defines various encapsulation methods for ATM AAL5, but not a PPP one - that's the PPPoA that came along in RFC 2364. On many ISPs the RFC 1483 methods, which are essentially IP on ATM AAL5, are being obsoleted and replaced by PPPoA for greater flexibility in the ISP network.
You can't use any of the RFC 1483 methods to bridge PPPoA - there's no way of terminating the PPP session.
Meanwhile, there's no way that you'll need to set ATM settings like VPI and VCI in pfSense - pfSense has no ATM stack.
If you need PPPoA, you need a router that has PPPoA half bridge for a single IP account, or supports no NAT routing for an IP netblock account. You may be able to get away with 1:1 NAT and port forwarding for a single IP account, but that's a messy solution that may not work perfectly.
I'd ditch the ADSL router and replace it with one that has half bridge if you have a single IP ADSL account - ADSL routers are inexpensive now. If you can post a current model that has suitable support, that would be helpful. Googling around, Netgear DM111P might be a suitable device, complete with ADSL2+ support.
With the DM111P, it sounds as if you select the WAN protocol to "PPPoA bridging", enter the rest of the details in the DM111P, then set pfSense to DHCP and things will work, but I can't verify this and I can't find a full user manual for this device. It's worth a look.
(Edited to correct a couple of typos that impaired meaning)
-
It is based on this http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pppoa.html.
While you speak about ATM stack, if you need that you need even place an ATM card in pfSense which most people do not do since you need to find a supported card and not many people do that. VPI, VCI and a whole lot of other parameters you can configure for PPPoA can be done on the modem.
I used the 2 parts of those tutorials on FreeBSD but after some pain kept the USB configuration since it does not have another device to be monitored that can go wrong and it seemed that the PPPoA modem to be used with mpd was a crap one and the directly connected USB modem was more reliable (though it needed a lot of hacking back then on FreeBSD 5.[4,5]-RELEASE till FreeBSD 6-CURRENT at the time).
It is limited to devices/routers that need this special pptp connection between them. For the others the standard connection would work.
-
And Bruce explains it better than me the limitation that PPPoA has in order to be used on normal pc
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2007-10/msg00241.html
Be aware that I do not think that many people would have a PCI ADSL card at home and will mess around with the setting up of it.
As I said, you need to have patience and knowledge of what you are doing to set it up right.
-
@ermal:
It is based on this http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pppoa.html.
I'd regard the hardware mentioned there as barely worth supporting now. That handbook chapter represents the position as it was several years ago - its age is clear by the reference to Alcatel Speedtouch rather than Thomson Speedtouch (as it has been for some time).
The Speedtouch Home could be configured to terminate the PPPoA connection and offered the connection onwards as PPTP (rather than the PPPoE that 3Com chose in their long obsolete router that I mentioned in my original post). The Speedtouch Home is long discontinued, replaced by hardware that supports ADSL 2+. It was old even amongst the 'original ADSL only' Speedtouch products.
The nearest equivalent to the Speedtouch Home these days is the Speedtouch 546 v6. As this hardware is so cheap, I may well pick one up to experiment with; I need to order some GBICs and I could always add it to the order.
It appears that Thomson refer to this PPPoA to PPTP connection as "Relayed PPPoA" - see here for configuration details for the business Speedtouch routers. Google also suggests that a Relayed PPPoA configuration profile is available for the Speedtouch 546 v6, but I can't confirm it.
Certainly adding the option to terminate such a connection on pfSense makes sense - but maybe it should appear as "Relayed PPPoA (Speedtouch routers)" or similar in the GUI.
I would regard the USB modem as utterly obsolete - the price of basic Ethernet ADSL devices is so low that USB devices have disappeared from the market. PCI ADSL cards have disappeared for pretty much the same reasons.
I was talking about an ATM stack in the context of a PCI ADSL card, whilst commenting that the ATM stack in FreeBSD may not have the interest it once did as ATM networking in general is becoming less common. It's rare to come across an ATM NIC these days. For all the hope of ATM, it's increasingly being replaced by other technologies that have lesser overheads such as MPLS.
Please don't think I'm trying to start an "I'm right, you're wrong" sort of argument here. My interest is in setting out the options as clearly as possible, and in talking about and supporting DSL hardware that's available today.
It seems that the options for ADSL delivered using PPPoA are:
"Half Bridge" and similar techniques such as the one mentioned in the post from Bruce that Ermal mentioned (isn't the 'one up' IP address via DHCP that Bruce mentions what D-Link calls zipb?). This is suitable for single IP address PPPoA accounts. Netgear DM111P might be a suitable ADSL 2+ modem. Configure pfSense for DHCP on the WAN side - or if the (often very short) DHCP lease time is an issue, use DHCP to figure out the details then configure pfSense to the static IP - assuming that your WAN IP is static.
Use an ADSL router with NAT and the firewall disabled. This needs a routed IP account, and uses one IP address from your pool of public addresses. ZyXEL P660H series are suitable ADSL 2+ routers. (If you have another flavour of DSL, such as SDSL or VDSL, the chances are that the corresponding ZyXEL Prestige router will work, though I can't guarantee it). Configure the router and pfSense as I mentioned in my original post.
Speedtouch "Relayed PPPoA" with your pfSense patch, Ermal. Speedtouch 546 v6 might be a suitable ADSL 2+ router. Configure pfSense as Ermal describes.
Any ADSL router you choose with one LAN IP address set as the DMZ address with all ports open to that address (or just turn the router's firewall off). This will work for single IP address PPPoA accounts, but you can get problems from this being 'double NAT' - also it's possible to exhaust the state table on the router. Configure pfSense to the IP address you set up in the router's DMZ feature. I would regard this as a less than ideal approach, but if it's the only one open to you, go for it!
-
Hi all,
I'm in the same boat - set up a pfsense/route-modem configuration using PPPoE at home, and spent hours trying to work out why it didn't work when I installed it at work. Turns out the work line only supports PPPoA, whereas my home line supports both (but advocates PPPoA).
Anyway…. after this week I've already forgotten far more about modems, encapsulation methods, DSLAMs, pure/half/RFC1483-bridge modes, double-NAT than I ever wanted to... argh :o
But I may have found a solution. It does involve throwing money at the problem, but at this point if it saves what remains of my hair....
http://www.draytek.co.uk/products/vigor110.html
I'm in no way affiliated, and make no claim as to the suitability of this device to solve any problems you may or may not have! But it does claim to specifically fix our PPPoA woes. Might be worth a punt?
Hope this helps.
sim
-
After 3 days of messing around with various ways to work around the problem of pfSense not being able to work with a PPPoA QWest ADSL line I hunted down the tech support for DrayTek in the US and talked to the guy about the Vigor 110.
It really sounds like the right device. It is an ADSL modem and PPPoE/PPPoA bridge. It lets the ethernet device (my pfSense WAN interface in this case) pass authentication information to it in PPPoE and it re-encapsulates the information in PPPoA and sends it up to the DSLAM. From then on the ethernet device is directly bridged to the ADSL line and gets the public IP address by DHCP.
The problem now is that the one place I found in the U.S. that sells them wants a minimum order of 1000 pieces. About 999 more than I have a need for right now. Has anyone found a U.S. source for these?
Thanks, Bill