Summary of building PPPoE Server in Linux
Note: This record applies to Debian Linux operating systems. It is successfully verified in Ubuntu 14.10 and Linux Mint 17.
During the building of PPPoE Server in the integrated course design, I and my team members encountered various problems. This is a summary for future use.
Install and configure the PPPoE Program During setup
The PPPoE program should be included in the Debian operating system. Availablepppoe-server -h
Command to view the version. Availablesudo apt-cache search pppoe
Find related software.
The configuration file is stored in/etc/ppp
Folder. Set firstoptions
File:
- Set the ms-dns value. The IP address of a DNS server that can be used, for example
114.114.114.114
This is the DNS address allocated for Windows Host dial-up connections.
- Comment out + pap and cancel-pap comments, which means that the pap authentication method is not used. At the same time, the + chap annotation is canceled, indicating that the chap authentication method is used.
Next, Setchap-secrets
File:
Enter the server name and password IP address respectively according to the file comment. For example, insert a line at the end:
testing * password *
The username is testing, the server name is arbitrary, the password is password, and the IP address is any IP address.
Editpppoe-server-options
File (if not, create 1)
Add the following to pppoe-server-options:
authrequire-chaplogfile /var/log/pppd.log
The configuration is complete.
Set the system ip policy to enable ip forwarding.
Use the Super User identity. Note that the Super User identity must be used, and sudo does not have this permission. Run the following command:
cat 1 > /proc/sys/net/ipv4/ip_forward
If you execute this command only, the IP forwarding function is temporarily enabled. It is automatically disabled after restart. If you want to open it all the time, edit it./etc/sysctl.conf
File, cancelnet.ipv4.ip_forward=1
And then executesudo sysctl -p
You can enable the IP forwarding function permanently.
Set iptables IP policy
Run the following command as a Super User:
iptables -A POSTROUTING -t nat -s 10.10.10.0/24 -j MASQUERADE
Note: The network address next to the-s parameter is the network address set for pppoe-server to be enabled later. You can set this address as needed, as long as the iptables and pppoe-server match.
Run PPPoE Server
Input:
sudo pppoe-server -I wlan0 -L 10.10.10.1 -R 10.10.10.100 -N 100
Note:
- -The-I parameter is used to specify the network port to listen. You can use the ifconfig command to view the name of the currently working port. Because my laptop uses a wireless network, it is a wlan0 port.
- The-L parameter is used to specify the IP address of the PPPoE server in a PPP connection. Because I assume the Ethernet network address is 10.10.0/24, the first IP address of the network address is used as the server address.
- The-R parameter is used to specify the IP address from which a customer connects to the server.
- -N is used to specify the maximum number of customers that can connect to the server at the same time.
If everything goes smoothly, establish a dial-up connection on Windows. The username and password are testing and password respectively. You should be able to connect to the PPPoE Server in linux and access the Internet normally.
PPPoE Protocol process analysis process diagram
The PPPoE protocol mainly involves the following processes:
Created with Rapha rjl 2.1.2 explanation of PADIPADOPADRPADS on the client server
- Host broadcast initiation group (PADI). The destination address of the group is the Ethernet broadcast address 0 × ffffffffffff, the CODE field value is 0 × 09, and the SESSION-ID (session id) the field value is 0 × 0000. The PADI group must contain at least one service name type tag (the value of the label type field is 0 × 0101) and provide the required service to the Access Concentrator.
- The Access Concentrator receives the PADI group within the service scope and sends the PADO group for PPPoE effective discovery to respond to the request. The value of the CODE field is 0 × 07, and the value of the SESSION-ID field is still 0 × 0000. The PADO group must contain one Access Concentrator name type tag (the tag type field value is 0 × 0102) and one or more service name type tags, indicates the type of service that can be provided to the host.
- The host selects an appropriate PADO group from multiple PADO groups that may be received, and then sends the PPPoE valid Discovery request group (PADR) to the selected Access Concentrator ). The CODE field is 0 × 19, and the SESSION_ID field value is still 0 × 0000. The PADR group must contain a service name type label to determine the service type requested from the Access Hub (or vswitch. When the host does not receive PADO within the specified time, it should resend its PADI group and double the wait time. This process will be repeated as expected.
- After receiving the PADR group, the Access Concentrator prepares to start the PPP session. It sends a valid PPPoE session to confirm the PADS group. The value of the CODE field is 0 × 65, and the value of the SESSION-ID field is a unique PPPoE session id number generated by the Access Concentrator. The PADS group must also contain a label of the Access Concentrator name type to confirm the services provided to the host. When the host receives the PADS group confirmation, both parties enter the PPP session phase.
- PPPoE also has a PADT group, which can be sent at any time after the session is established to terminate the PPPoE session, that is, the session is released. It can be sent by the host or Access Concentrator. When the recipient receives a PADT group, this session is no longer allowed to send PPP services. No tags are required for the PADT group. The value of the CODE field is 0 × a7, and the value of the SESSION-ID field is the session id number of the ppp session to be terminated. After sending or receiving PADT, you do not have to send it even if the normal PPP terminates the group. The PPP peer end should use the PPP protocol itself to terminate the PPPoE session. However, when the PPP cannot be used, the PADT can be used.
Problem Analysis connection error Windows dial-up connection error 651
The possible cause is that the server is not properly opened. You can see from WireShark packet capture that Windows reports an error after four PADI messages are sent without PADO replies.
Therefore, it may be inpppoe-server
The correct Nic is not specified when it is enabled. It may also be because the VM is not configured with the Internet connection mode. If the bridge mode is not used but the NAT mode is used, this problem may also occur.
At the same time, if nopppoe-server-options
File or the file does not haveauth
Andrequire-chap
This problem also occurs when the options are set.
At the same time, this problem may also be caused by a Server specified in the property during Windows dial-up connection, which is different from the PPPoE Server Name Enabled in linux.
In pppoe-server, the-S parameter is used to specify the server name.
Windows dial-up connection error 734
Error message:
PPP Connection Control Protocol termination
This may be becausepppoe-server-options
File addedlogin
. If this option is set, the login user name must be the same as the user name in linux; otherwise, this error occurs.
Windows dial-up connection error 628
Error message:
The connection is terminated by the remote computer before the connection is complete.
Through WireShark packet capture analysis, we can see that a PADT packet is received immediately after the four phases of the principle analysis are completed. The content of the PADT message is described as follows:
Generic-Error: RP-PPPOE: child pppd process terminated
This description is very misleading. Someone on the Internet even said that pppoe needs to be compiled into the kernel so that the-k parameter of the pppoe-server command can be used. Later, I found that it was a configuration problem, and there was a configuration error. Generally, there was a configuration that could not be identified by the program. This error is very troublesome. You should use the configured logfile and comment out some uncertain commands to troubleshoot the error.
Unrecognized user name and password
It is likely that the user name and password are incorrect, or the setting is incorrect. Note: When setting the user name and password, the two asterisks cannot be omitted.
Internet Access Error
This type of error occurs when a dial-up connection is successful in Windows but the Internet access fails. Mainly used in linuxtcpdump
Orwireshark
Program for troubleshooting.
Run the following command:
tcpdump -i wlan0 host 10.10.10.100
We can see that only the packets sent from the host 10.10.10.100 are not sent to the 10.10.100.
The cause of this error may be that the IP forwarding function is not enabled. Therefore, when a packet is sent to a linux host, the linux host does not forward the packet to the Windows host, but directly discards the packet because the destination address is not its own.
At the same time, it may be that no settings are set.iptables
POSTROUTING.
Network Topology Problems
Generally, a linux operating system is installed on a virtual machine and PPPoE Server is set up. Then perform a connection test on the host machine. There are the following problems:
- If the virtual machine adopts the NAT mode, the host cannot log on. In NAT mode, the host cannot communicate with the virtual machine. For the communication functions in various modes, see:
- If you are using a wired network, you cannot use the bridge mode. Because the wired network is a fixed IP address, you cannot assign an IP address to the bridge. Therefore, the best way is to use a wireless network.
- If the Host is a linux operating system, you can use Windows XP and the Host-Only mode to set the corresponding network address without enabling the DHCP server, in Windows XP, set your own IP address and subnet mask so that you can communicate with the host machine. In this case, you cannot access the Internet without a dial-up connection. If the dial-up connection is good, you can access the Internet. This is a recent simulation of the experiment environment.
This is the current problem. You can add it later. The most important thing is to understand the principles of each step and protocol so that you can quickly troubleshoot the cause of the error.
- This problem has plagued me for a long time. This file was edited on the Internet, but it was not found in the operating system. I thought it was a version problem and later I found that I needed to create it myself. This file is the same as. vimrc and. bashrc files.
- -I is used to specify the port. The ip address specified by the host should be viewed in ipconfig in windows, which may be different.
This article permanently updates the link address: