Today I noticed that one of my neighbors is using my wireless connection. One way to stop him from using my really low-bandwidth internet connection would be to encrypt the wireless connection, but that would also affect the transfer speed between the computers connected to the LAN, and my cheap router would fail at some point (this did happen before…).
Another way would be MAC-address-based access control on the wireless device, but since a MAC address can easily be spoofed I decided that was a bad idea too.
The only thing remaining was to implement user/password-based authentication, and I remembered that I had installed a PPPoE server a few years ago. So this is how it works:
On the Linux box that splits the internet connection I have 2 network cards (eth0 – WAN, eth1 – LAN).
You will need ppp and rp-pppoe server from Roaring Penguin.
1. Make sure you have an active internet connection. If not, set it up by using your favorite text editor (I use vim):
vim /etc/network/interfaces
auto lo
iface lo inet loopback

# WAN: use your public IP address, your subnet mask and your gateway
iface eth0 inet static
    address 89.xxx.yyy.zzz
    netmask 255.255.255.240
    gateway 89.xxx.xxx.xxx

# LAN
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
Set up one or more nameservers (I use the free ones provided by Google):
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
Ping some website to make sure your internet connection is working:
cristian@desktop:~$ ping google.com
PING google.com (209.85.229.147) 56(84) bytes of data.
64 bytes from ww-in-f147.1e100.net (209.85.229.147): icmp_req=1 ttl=52 time=83.0 ms
2. Install ppp daemon:
sudo apt-get install ppp
3. Now get rp-pppoe:
wget http://www.roaringpenguin.com/files/download/rp-pppoe-3.10.tar.gz
And extract it
tar -zxvf rp-pppoe-3.10.tar.gz
Now compile it
cd rp-pppoe-3.10/src/
./configure
make && make install
4. Now, we shall edit the PPPoE server options:
vim /etc/ppp/pppoe-server-options
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
netmask 255.255.255.0
defaultroute
noipdefault
usepeerdns
5. Add usernames and passwords:
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
#USERNAME SERVER PASSWORD CLIENT IP ADDRESS
"cristanhuza" * "My_s3cret_pa$$w0rd" 192.168.1.1
"friend1" * "My_friend's_s3cret_pa$sW0rd" 192.168.1.2
6. Set up the IP addresses pool:
echo "192.168.1.1-20" > /etc/ppp/allip
This will assign the future clients one IP address from the 192.168.1.1 until 192.168.1.20 range.
7. Start the PPPoE server:
pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1
8. Enable packet forwarding between network interfaces:
echo 1 > /proc/sys/net/ipv4/ip_forward
9. Set up NAT in order to provide internet access to the LAN computers:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
Congratulations! You have just set up a PPPoE server and you can be worry free now that nobody else will be able to use your internet connection without permission.
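Note on steps 8 and 9, a point two commenters raise below: the rules forward and masquerade by source address rather than by interface, and eth1 itself holds 192.168.1.254/24, so a host on that segment with a static 192.168.1.x address is routed without a PPPoE session. The script below is an added example, not part of the original post; it audits `iptables-save` output with a simple heuristic (an assumption of this example) and embeds two constructed rulesets that reuse the tutorial's eth0/eth1 names: the state the tutorial leaves behind, and a variant that forwards only traffic arriving on ppp interfaces.

```shell
#!/bin/sh
# Added example (not from the original post): audit `iptables-save` output for
# forwarding that is not tied to a PPPoE session. Heuristic and assumption of
# this example: traffic is "gated" only if the FORWARD policy is DROP and every
# ACCEPT rule in FORWARD names a ppp interface (-i ppp+ / -o ppp+).

audit_forward() {   # iptables-save text on stdin -> "gated" or "open: <reason>"
    awk '
        BEGIN                 { policy = "ACCEPT" }   # kernel default policy
        /^\*/                 { table = substr($0, 2) }
        table != "filter"     { next }
        /^:FORWARD /          { policy = $2 }
        /^-A FORWARD / && /-j ACCEPT/ && !/-[io] ppp/ { if (bad == "") bad = $0 }
        END {
            if (policy != "DROP")  print "open: FORWARD policy is " policy
            else if (bad != "")    print "open: non-ppp ACCEPT rule: " bad
            else                   print "gated"
        }'
}

# Constructed sample: what steps 8 and 9 leave behind on a default install.
tutorial_rules() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Constructed sample: same NAT rule, but only ppp sessions may be forwarded.
hardened_rules() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

echo "tutorial ruleset: $(tutorial_rules | audit_forward)"
echo "hardened ruleset: $(hardened_rules | audit_forward)"
```

The hardened sample is in the format `iptables-restore` reads, and loading it replaces the existing nat and filter rules. To audit a live system, run `iptables-save | audit_forward` as root.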
Good tutorial
The tutorial is good. Can you help with pppoe-server over wireless?
Thank you
Hello hochel,
What are you trying to obtain? Authenticate users over a wireless network?
You have 2 options:
1. Set the linux machine to act as a Wireless Access Point and then configure the pppoe server (I have never tested this before, but theoretically it should work). The downside of this is the fact that you will still have to provide them access to the wireless network before they can connect to the pppoe server.
2. Set up a captive portal ( http://en.wikipedia.org/wiki/Captive_portal ). Most likely this is what you are trying to achieve, the captive portal is a common way of controlling who can access your network and is mostly used in hotels, bars, clubs, etc.
PS: If you have any kind of security (WEP/WPA) the whole pppoe idea is kind of pointless. Your users need to know the secret key in order to authenticate and you may use multiple unique keys.
If you need extra information let me know.
how to connect client machines to this pppoe server? what are the procedures?
It depends on what operating system or distribution you are using.
In Microsoft Windows, you set up a pppoe connection from network settings, in GNU/Linux you can do it from the network manager if you have a GUI, or from the console using
sudo pppoeconf
i have created pppoe server but i want to block some websites to pppoe clients using iptables or anything but i can’t do it. Can you help me with this.
You can use iptables for this, for example:
iptables -A FORWARD -s 192.168.1.X -d forbiddensite.com -j DROP
Though, I would recommend that you check all IP addresses for the site and block by IP instead of by domain.
Other options are using a proxy or force all clients to use custom DNS server.
Could you help me? I did not understand the purpose of this code.
SSH server configuration
– Go to the if-up.d directory: /etc/network/if-up.d
– Open the file /etc/network/if-up.d/openssh-serveur, then add the following lines of code:
if [ `expr substr $IFACE 1 3` = "lo:" ]; then
exit 0
fi
Hi, I do not understand French, but I assume you want to know what that code does. Where did you get it from? It basically checks if the interface you’re trying to bring up is “lo” (local interface).
Can’t help you with this unless you tell me at least what you’re trying to obtain.
About filtering traffic for pppoe or other clients that forward traffic to other sites: use the FORWARD filter, not INPUT. The INPUT filter applies to your local machine (router, concentrator).
If you use a FORWARD rule, it applies from the client to the website that you want to filter, and the traffic passes through (pppoe-server).
Ionut, thank you very much for noticing the mistake. I have updated the post with the right FORWARD chain instead of INPUT.
how can i setup my PPPOE client ? i use ubuntu 12.04 version
Just use
sudo pppoeconf
it does not matter if you use Unity, KDE, Gnome3 or XFCE, it will work 😉 That’s how you configure your pppoe session.
Thank you, another question: can I enable pppoe-server “pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1” on boot, without writing this command each time I reboot? Thank you
Hi, just add that line at the bottom of /etc/rc.local but make sure you add it before “exit 0” if that line is present.
How to provide defaultroute details to client
What do you mean by defaultroute details (what do you want to obtain exactly)? The default route is passed by using the “defaultroute” option in pppoe server config file.
It's working now. The client was not getting default gw info from the pppoe server, which is the IP address assigned to eth1 in my case. I thought we had to explicitly type defaultroute details in the server config file.
Glad to hear it was sorted out for you, usually the issue with default gateway comes on Windows systems due to stupid UAC, a workaround is to disable UAC and re enable it after you create the PPPoE connection.
I am using pap-secrets for my work . I am getting “PAP peer authentication failed for user123” . I have entered same details in pap-secrets file as shown for chap in this website . Any configuration to be added in /etc/ppp/options or any other file ?
You have to remove this option from server config: require-chap
I need pap authentication . I have enabled require-pap in pppoe server config file
It worked for me after commenting out login from pppoe server config file
Hi,
Thanks for the gr8 post. PPPoE server starts working within 5 minutes.
One query how can we have service based authentication along with username and password within this setup?
Sorry it is service based authorization and authentication with username and password.
hi i am new to this world so i need some help
i have an ubuntu virtual machine using vmware which i set up the pppoe server on…
on the client side i have my other laptop connected by a network cable to the laptop that has the server but i didnt figure out how to do the connection
do i just need to connect and use a username and password from those i filled in the secret file?
Hello, yes, that’s basically all you have to do. You have to set up a regular PPPoE connection and use the right credentials.
Make sure you set up the vmware network adapter as bridge to the network interface your other laptop is connected to, otherwise PPPoE will not work.
Nice tutorial ……………….
How to manage bandwidth or how to create user profile?????????????
Thanks
For bandwidth management you can easily do that with TC or HTB tools. I think there is also a nice web interface called webhtb or something similar.
Hey guys,
I’ve encountered some issues with this. For some reason the only valid login user/password is test/1234567. Below you can see the content of the chap file.
Is there something that I may have missed?
I must specify that if I rename the “test” user none will work. If I only change the password for user “test” then I can log in via pppoe with the new password. Still I cannot use any usernames besides “test”.
#------------------------------------------------------------
# Secrets for authentication using CHAP
# client server secret IP addresses
"testaa" * "1234567" *
"test" * "1234567" *
"user" * "1234567" *
"user1" * "1234567" *
#------------------------------------------------------------
Hi just forgot the endif statement on line 25!! or just implement a radius server or enable it on the openwrt or ddwrt firmware; this is for backend implementation of the service not the implementation. Thanks thou; end if instructions are unrelated!!
Hi!.need help
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables v1.4.21: can’t initialize iptables table `nat’: Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
thanks
Hi, are you running these commands as root? is this a physical machine or a virtual machine?
If not, first try to run the commands as root (or using sudo in front of each). If you still encounter issues, please provide more details about the environment.
Hi Cristian,
After a very long I stuck up with one situation. Basically I want to simulate the situation where PPPoE session should reconnect after every 24 hours. Right now it stays connected for long till I reconnect it.
So how we can do that?
Awesome tutorial
hi christian, thanks for you tutorial. For the last few days i am trying to implement pppoe server but unfortunately i am not able to run it. I have followed this tutorial as well as some other but there is no success and the issue is same with all these tutorials i guess. When u try to start the server using this command “pppoe-server -C isp -L 192.168.1.254 -p /etc/ppp/allip -I eth1” nothing shows up,, just the command runs without any errors …nothing shows up in the system log if the pppoe service has started or not thanks. I am using linux version 14.04 and pppoe version 3.11
Hello Malik,
Try to run an strace on the pppoe-server and let me know the output of
pppoe-server -v
Hi Cristian and all,
Could you please tell me if there is any way to configure PPPoE server with unsecured mode? – That mean client can receive IP address without username/password.
I have some routers that have PPPoE as default settings but without username/password on it. I want to verify if PPPoE function works well or not without touch PPPoE configuration on router.
So how we can do that.
Hi Bean, the whole point of pppoe is to have the users authenticate by providing a password, otherwise you can simply assign IP addresses over DHCP.
Hi Cristian,
Below is my setup details,
PC —— Cisco Switch —— PPPoE (Server) ——– Internet link
In the above test setup, when PC is initiating the PPPoE request the request is not broadcast to PPPoE server is this an issue with the switch.? or any other special configuration needs to be updated for this to work.?
Pugazhenthi switches pass PPPoE frames like any other traffic, did you try to connect a PC/Laptop directly to the server and see if you can connect over PPPoE? this is the simplest method of debugging at this point.
HI Cristian,
In the above topology, PPPoE Server is running on the Ubuntu VM which is running on the XenServer 6.5 machine.
The steps are very clear but it seems the article is missing extra information to make it complete. Please answer these questions in your article, but maybe first as a reply to my comment,
(0)
So what's the end result? What have you achieved? How do you connect now? What does your neighbor see now?
(1)
Does your wifi-stealing neighbor still see the SSID? Can they connect to it like before? If they do, I assume they can't get through your PPPoE because they don't know the username and password that you set up for CHAP.
Is this correct?
(2)
Also how do you connect? Do you connect to your SSID and then run your PPPoE client? Which in windows you can use “Network Settings” and from GNU you can use “sudo pppoeconf” per your other comment.
(3) step 6 has some html char conversion garbage
this: echo "192.168.1.1-20" > /etc/ppp/allip
should be: echo "192.168.1.1-20" > /etc/ppp/allip
I’m sorry if this has been said this thing has a lot of comments! But I think I’m missing something. How is this secure? The LAN interface is configured to forward/NAT on the IP level. So can someone not simply associate with the AP then do something like:
> ifconfig wlan0 192.168.1.19 255.255.255.0 gw 192.168.1.254
And the machine will happily forward the packets?
I mean sure they’d have to play around and guess the addresses a bit but…
What am i missing? How does this force someone to authenticate?
If i do static ip for client without pppoe , tc works fine, but with pppoe
Tc doesn't work with pppoe server, are there other solutions for traffic shaping?
Hi Bogdan,
Most likely you need to change the device on which the outbound (aka client download) limit is set. PPPoE creates a pppoe0 device on the server, it’s not normal eth0 or eth1 that you’re used to.
Hey Cristian, I’m trying to become a small rural WISP and I’ve never really used pppoe before, but it seems like it would be a great security measure for my network. My question would be: how would I accomplish having the server assign public IP addresses? I don’t know if it’s possible, but I would like to be able to authenticate customer access points with pppoe and assign them a public IP as well. I do have blocks of IP addresses from my bandwidth provider.
Christopher, you just need to exclude the iptables SNAT/MASQUERADE rules, and set the IP address provided to customers to be part of your assigned range.
You will basically be doing simple routing and not NATing over PPPoE.
one thing it’s not clear, if we use step 9: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
every PC with manual IP address setting from that pool will get internet without our control, this is not good.
Marian, you are doing something wrong then, no client that is not authenticated over PPPoE should have internet access, that range is assigned over the ppp interface only.
So if the client is not authenticated, it can’t communicate with the system, though should not have access.
Please dump here in the CODE tags the output of
ifconfig -a
and
iptables -t nat -nvL
Thank you, I have one question,can i set -L 192.168.1.254 option same as ip address of users. i.e want same ip address at the both end of tunnel is it possible?
Thanks.
Hello RP, no, this is not possible, what would even be the purpose of that?
hi,
have an issue .
You should post more detailed information about the issue. What’s the problem exactly?
Hi, would you know how to connect this to a ADSL DSLAM?
Sorry forgot to mention, we config the ubuntu pppoe server but can get it to work with the DSLAM
There are 2 different things here, a diagram of your network might help, but from my understanding, it’s something like this:
INTERNET — (your adsl modem) —> your linux box <---switch/router ---- clients
Take the step by step approach:
1. Make sure your linux box has internet access (I believe you need to use pppoe CLIENT for this - see pppoe-conf in ubuntu, not sure exactly how it's called)
2. Once you have internet on the linux box, do an ip link or ifconfig -a and post the output here. Your OUT interface might have a different name than eth0 as it's described in this tutorial - I'm referring to this line - you might need to replace eth0 with ppp0 or ppp1:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
3. Try to bring up the pppoe SERVER – check the logs and see what happens exactly, do your best to understand what you’re doing!
Thanks,
Right now I'm stuck on the port forwarding command line, I keep getting “permission denied”. Any way around this? Thanks
What commands did you issue exactly? Did you run these as root? Which port are you trying to forward and to what exactly?
the command I was trying to write was – echo 1 > /proc/sys/net/ipv4/ip_forward
from your instructions above for some reason I get Permission denied.
You need to become superuser first with:
or
Hi Christian,
Thank you for the tutorial. I am having some difficulties setting up the server. I have posted the details about the problem at askubuntu. Would you please have a look at it?
https://askubuntu.com/questions/934685/pppoe-server-on-ubuntu-14-04-not-working-no-ppp0-created-even-after-authorizat
Hi ,
How can i test server is working fine or not?
Hi, its an excellent tutorial, my PPPoE is working fine, is there any way to bind MAC address along with the usernames defined in the chap-secrets.
Thanks
works same way with Centos 7.4
I commented the authentication at server configuration.
with centos use: yum install rp-pppoe-3.11-7.el7.x86_64
Hi Christian,
I am having both PAP and CHAP and I am using a tool to test the server . The tool basically sends PADI packets with PAP and CHAP both.
I don’t see PADO being sent from the server. Can you please help me out here ASAP ?
What’s the tool name? Run a tcpdump/wireshark on the interface and make sure this is actually the case, maybe the packets have the wrong format or are corrupted?
Hi Cristian,
Really hoping you’re still checking out this page, I’m trying to connect 2 lans using pppoe, as such I want to set the destination for my ppp0 interface to be the same subnet as my client address. where do I add this? Also how do I set the client I.P’s as static.
Regards,
Darren,
p.s If I could email you and get talking to you directly I’d love a chance to pick your brain on this one
Hi Cristian,
I’m trying to connect 2 lans using pppoe, I’m struggling with finding where to set my remote i.p, I’m also looking to setup freeradius for authentication can I talk to you sometime just to pick your brain on this?
Hi Cristian, I had follow your tutorial on my vm Ubuntu to run the pppoe-server, may I know if it is possible for the host pc to connect to the vm, the host is running Windows 10
Hi Christian,
I’m testing PPPOE connections. For this I have 2 ubuntu laptops, where I run rp-pppoe-server on one and rp-pppoe-client on the other. I’m able to see that both are connected to each other and I’m able to ping both the server and client pppoe IPs. Now that the server laptop is connected to the internet using a WiFi interface, I want the internet to be available on the PPPOE-client laptop. What is the IP route that needs to be added? I’m a newbie in the area of routing. I have connected both the laptops through an ethernet cable.
Hi, it’s a pretty late reply as I have not checked out this site in a very long time…
You can’t simply route local traffic to the internet, you need to adjust the SNAT rule as follows – your wifi interface is the wlan0 most likely (if you have one of the newer kernels it will be something like wlxxx), feel free to adjust accordingly
Make sure the range is the one used by the pppoe network. This will make all the packages coming from the pppoe network as originating from the laptop connected to the internet.