Setting up a PPPoE server on Linux (CentOS)

Source: Internet
Author: User
Tags iptables

Tag: Build a PPPoE server on Linux (CentOS)

Build PPPoE, success, I think the TM super simple, in CentOS is about 5 steps can be done

1, install PPPoE, after the installation is complete, there will be pppoe-server command

Yum Install Rp-pppoe

2, after the installation is completed, will be in the/ETC/PPP directory generated pppoe-server-options files, the contents of the file as follows, according to change can be

# PPP options for the PPPoE server
lcp-echo-interval 10
lcp-echo-failure 2
logfile /var/log/pppoe.log

3, add the user name password, modify the/etc/chap-secrets file, add the following line

PPPoE * "123456" *

Very popular, user name: PPPoE, password is: 123456

4, add firewall rules, do NAT conversion

iptables -A POSTROUTING -t nat -s -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s -j TCPMSS --set-mss 1256
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

The first is to add NAT to convert the IP from the network segment

The next day is to modify the MTU, according to their own needs changed

Third Turn on forwarding

Fourth is to modify the forwarding file

5. Start PPPoE

Pppoe-server-i eth0-l

The function of this command is:-I eth0 detect PPPoE Discover packet on Eth0 port

-L Virtual Gateway means that the PPPoE server-side virtual gateway IP

-R Assigning virtual IPs, to, respectively

There are some other parameters you can refer to, direct man pppoe-server himself, each parameter has a default value

Successfully completed the above steps, completed the setup of the PPPoE server side, the following is the Windows authentication

My is Windows XP system, win7 or router should be all fine

However, to change the authentication method, in the "Properties"-"security"-"advanced-Settings"-"The Data Encryption" to "optional encryption", and then check the CHAP or PAP authentication can be

Enter the user name password, you can not accidentally connect successfully

But only the local area network, the significance is not big.

By the way, the principle of PPPoE is established.

The verification process for PPPoE

The verification process for PPPoE consists of 2 phases, Discovery phase and PPP session stage.

The Discovery phase, which consists of 4 steps:

Step 1:padi

The PPPoE client sends the active Discovery initial package (PPPoE active Discovery Initiation,padi), the destination address in the Ethernet header is the CODE for 0x09 in the Ethernet address Ff:ff:ff:ff:ff:ff,pppoe header, The session_id value must be 0, and the payload portion must contain only one service-name type of tag representing the requested service type, and can contain other tags, and the entire PPPOE packet cannot exceed 1484 bytes;

Step 2:pado

Server-side PPPoE process after hearing the PADI packet on the network interface, send unsolicited discovery proposal Package (Pppoeactive Discovery offer, Pado), to respond to the client's PADI package, the destination address in the Ethernet header is the client's MAC address, the PPPoE header CODE is 0x07, the session_id value must be 0, the payload portion must contain a ac-name type of tag that indicates the name of the AC, a tag for the service-name specified in the PADI package, and other Service -name's TAG. If AC does not serve the client, AC does not respond to the Pado packet.

Step 3:padr

After the PPPoE client receives the Pado packet, select one in the Pado package (there may be more than one PPPoE server, usually pick the fastest one) to send the active Discovery request package (pppoeactive Discovery request,padr). The destination address in the Ethernet header is the source Ethernet header address of the selected Pado packet (that is, the MAC address of the PPPoE server), the CODE in the PPPoE header must be a value of 0, and the payload portion must contain only one service-name type of TAG Represents the requested service type and can also contain additional tags.

Step 4:pads

After the MAC address matches the PPPoE server receives the PADR packet, sends the active Discovery Session Confirmation package (PPPoE active Discovery session-confirmation, PADS), which will produce a seession_id value used to flag this PPP Session, sent to the client in Padr package mode. The destination address in the Ethernet header is the client's MAC address, and the CODE in the PPPOE header must be the 0x65,session_id value of the generated session_id, and the payload portion must contain only one service-name type of TAG, indicating that the service type is PP The PoE server is accepted, and additional tags can be included. If the PPPoE server does not accept the PADR in the

The server-name,pads contains a TAG of type Service-name-error, when session_id is set to 0.

PPP Session Phase:

When the client and the server end up into the discovery phase, that is, into the session phase, in the PPP session phase, the PPP packet is encapsulated in the PPPOE Ethernet frame, the Ethernet packet destination address is single, the Ethernet protocol for the 0X8864,PPPOE header code must be 0,session_ The ID must always be negotiated for the discovery phase of the seesion_id value, and the payload of the PPPoE is the entire PPP package, which is a two-byte PPP protocol ID value before the PPP packet.

At the session stage, either the host or the server can send Padt (PPPoE Active Discovery Terminate) messages to notify the other party to end the session.

The authentication of PPPoE occurs during the session (PPP session) phase. The RP-PPPOE packet is responsible for the discovery and session termination PADT,PPP packet is responsible for the session phase of data transfer.

This article from "Nicol Lock Silk Sorrow" blog, please make sure to keep this source

Setting up a PPPoE server on Linux (CentOS)

Alibaba Cloud Hot Products

Elastic Compute Service (ECS) Dedicated Host (DDH) ApsaraDB RDS for MySQL (RDS) ApsaraDB for PolarDB(PolarDB) AnalyticDB for PostgreSQL (ADB for PG)
AnalyticDB for MySQL(ADB for MySQL) Data Transmission Service (DTS) Server Load Balancer (SLB) Global Accelerator (GA) Cloud Enterprise Network (CEN)
Object Storage Service (OSS) Content Delivery Network (CDN) Short Message Service (SMS) Container Service for Kubernetes (ACK) Data Lake Analytics (DLA)

ApsaraDB for Redis (Redis)

ApsaraDB for MongoDB (MongoDB) NAT Gateway VPN Gateway Cloud Firewall
Anti-DDoS Web Application Firewall (WAF) Log Service DataWorks MaxCompute
Elastic MapReduce (EMR) Elasticsearch

Alibaba Cloud Free Trail

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.