Summary of building PPPoEServer in Linux

Summary of building PPPoEServer in Linux

Note: This record applies to Debian Linux operating systems. It is successfully verified in Ubuntu 14.10 and Linux Mint 17.

During the building of PPPoE Server in the integrated course design, I and my team members encountered various problems. This is a summary for future use.

Install and configure the PPPoE Program During setup

The PPPoE program should be included in the Debian operating system. You can run the pppoe-server-h command to view the version. You can use sudo apt-cache search pppoe to find related software.

The configuration file is stored in the/etc/ppp folder. Set the options file first:

Set the ms-dns value. The IP address of the DNS server that can be used. For example, 114.114.114.114 is the DNS address allocated for Windows Host dial-up connections. Comment out + pap and cancel-pap comments, which means that the pap authentication method is not used. At the same time, the + chap annotation is canceled, indicating that the chap authentication method is used.

Next, set the chap-secrets file:

Enter the server name and password IP address respectively according to the file comment. For example, insert a line at the end:

Testing * password *

The username is testing, the server name is arbitrary, the password is password, and the IP address is any IP address.

Edit the pppoe-server-options file (If no, create a new1)
Add the following to pppoe-server-options:

authrequire-chaplogfile /var/log/pppd.log

The configuration is complete.

Set the system ip policy to enable ip forwarding.

Use the Super User identity. Note that the Super User identity must be used, and sudo does not have this permission. Run the following command:

Cat 1>/proc/sys/net/ipv4/ip_forward

If you execute this command only, the IP forwarding function is temporarily enabled. It is automatically disabled after restart. If you want to open it all the time, edit/etc/sysctl. conf file, cancel net. comment on ipv4.ip _ forward = 1, and then run sudo sysctl-p to enable the IP forwarding function permanently.

Set iptables IP policy

Run the following command as a Super User:

Iptables-a postrouting-t nat-s 10.10.10.0/24-j MASQUERADE

Note: The network address next to the-s parameter is the network address set for pppoe-server to be enabled later. You can set this address as needed, as long as the iptables and pppoe-server match.

Run PPPoE Server

Input:

Sudo pppoe-server-I wlan0-L 10.10.10.1-R 10.10.10.100-N 100

Note:

-The-I parameter is used to specify the network port to listen. You can use the ifconfig command to view the name of the currently working port. Because my laptop uses a wireless network, it is a wlan0 port. The-L parameter is used to specify the IP address of the PPPoE server in a PPP connection. Because I assume the Ethernet network address is 10.10.0/24, the first IP address of the network address is used as the server address. The-R parameter is used to specify the IP address from which a customer connects to the server. -N is used to specify the maximum number of customers that can connect to the server at the same time.

If everything goes smoothly, establish a dial-up connection on Windows. The username and password are testing and password respectively. You should be able to connect to the PPPoE Server in linux and access the Internet normally.

PPPoE Protocol process analysis process diagram

The PPPoE protocol mainly involves the following processes:

Created with Rapha? L 2.1.2 Customer Customer Server Server PADI PADO PADR PADS Description: host broadcast initiation group (PADI). The destination address of the group is the Ethernet broadcast address 0 × ffffffffffff, the CODE field value is 0 × 09, and the SESSION-ID (session id) the field value is 0 × 0000. The PADI group must contain at least one service name type tag (the value of the label type field is 0 × 0101) and provide the required service to the Access Concentrator. The Access Concentrator receives the PADI group within the service scope and sends the PADO group for PPPoE effective discovery to respond to the request. The value of the CODE field is 0 × 07, and the value of the SESSION-ID field is still 0 × 0000. The PADO group must contain one Access Concentrator name type tag (the tag type field value is 0 × 0102) and one or more service name type tags, indicates the type of service that can be provided to the host. The host selects an appropriate PADO group from multiple PADO groups that may be received, and then sends the PPPoE valid Discovery request group (PADR) to the selected Access Concentrator ). The CODE field is 0 × 19, and the SESSION_ID field value is still 0 × 0000. The PADR group must contain a service name type label to determine the service type requested from the Access Hub (or vswitch. When the host does not receive PADO within the specified time, it should resend its PADI group and double the wait time. This process will be repeated as expected. After receiving the PADR group, the Access Concentrator prepares to start the PPP session. It sends a valid PPPoE session to confirm the PADS group. The value of the CODE field is 0 × 65, and the value of the SESSION-ID field is a unique PPPoE session id number generated by the Access Concentrator. The PADS group must also contain a label of the Access Concentrator name type to confirm the services provided to the host. When the host receives the PADS group confirmation, both parties enter the PPP session phase. PPPoE also has a PADT group, which can be sent at any time after the session is established to terminate the PPPoE session, that is, the session is released. It can be sent by the host or Access Concentrator. When the recipient receives a PADT group, this session is no longer allowed to send PPP services. No tags are required for the PADT group. The value of the CODE field is 0 × a7, and the value of the SESSION-ID field is the session id number of the ppp session to be terminated. After sending or receiving PADT, you do not have to send it even if the normal PPP terminates the group. The PPP peer end should use the PPP protocol itself to terminate the PPPoE session. However, when the PPP cannot be used, the PADT can be used. Problem Analysis connection error Windows dial-up connection error 651

The possible cause is that the server is not properly opened. You can see from WireShark packet capture that Windows reports an error after four PADI messages are sent without PADO replies.

Therefore, the correct Nic may not be specified when pppoe-server is enabled. It may also be because the VM is not configured with the Internet connection mode. If the bridge mode is not used but the NAT mode is used, this problem may also occur.

If the pppoe-server-options file does not exist or the file does not have the auth and require-chap options, this problem also occurs.

At the same time, this problem may also be caused by a Server specified in the property during Windows dial-up connection, which is different from the PPPoE Server Name Enabled in linux.

In pppoe-server, the-S parameter is used to specify the server name.

Windows dial-up connection error 734

Error message:

PPP Connection Control Protocol termination

This may be because the login option is added to the pppoe-server-options file. If this option is set, the login user name must be the same as the user name in linux; otherwise, this error occurs.

Windows dial-up connection error 628

Error message:

The connection is terminated by the remote computer before the connection is complete.

Through WireShark packet capture analysis, we can see that a PADT packet is received immediately after the four phases of the principle analysis are completed. The content of the PADT message is described as follows:

Generic-Error: RP-PPPOE: child pppd process terminated

This description is very misleading. Someone on the Internet even said that pppoe needs to be compiled into the kernel so that the-k parameter of the pppoe-server command can be used. Later, I found that it was a configuration problem, and there was a configuration error. Generally, there was a configuration that could not be identified by the program. This error is very troublesome. You should use the configured logfile and comment out some uncertain commands to troubleshoot the error.

Unrecognized user name and password

It is likely that the user name and password are incorrect, or the setting is incorrect. Note: When setting the user name and passwordAsteriskIt cannot be omitted.

Internet Access Error

This type of error occurs when a dial-up connection is successful in Windows but the Internet access fails. It mainly uses tcpdump or wireshark programs in linux for troubleshooting.

Run the following command:

Tcpdump-I wlan0 host 10.10.10.1002
We can see that only the packets sent from the host 10.10.10.100 are not sent to the 10.10.100.

The cause of this error may be that the IP forwarding function is not enabled. Therefore, when a packet is sent to a linux host, the linux host does not forward the packet to the Windows host, but directly discards the packet because the destination address is not its own.

At the same time, it may be because no iptables POSTROUTING nat rule is set.

Network Topology Problems

Generally, a linux operating system is installed on a virtual machine and PPPoE Server is set up. Then perform a connection test on the host machine. There are the following problems:

If the virtual machine adopts the NAT mode, the host cannot log on. In NAT mode, the host cannot communicate with the virtual machine. For more information about communication functions in various modes, see vc7KzOLU2cztvNOwyaGj1 + fill + bLFxNy/fill "fn: footnote"> This problem has plagued me for a long time. This file was edited on the Internet, but it was not found in the operating system. I thought it was a version problem and later I found that I needed to create a new file myself. This file is the same as. vimrc and. bashrc files. ?

-I is used to specify the port. The ip address specified by the host should be viewed in ipconfig in windows, which may be different. ?