My ISP, XS4ALL, delivers IPv4/IPv6 over fiber via VLAN-tagged PPPoE. Normally, you would use the (excellent) WiFi-router they lend you, but if you want a little more control you can install your own computer as router. In this post I will explain how to do this with Ubuntu 15.04. Some steps are specific to my ISP, but most of it will also apply to any other provider using PPPoE.
Rename interfaces
The router should have at least two interfaces: one to connect to the fiber-modem and the other for the LAN. It is convenient to rename the interfaces. Create a file /etc/udev/rules.d/10-persistent-network-names.rules containing
SUBSYSTEM=="net", ACTION=="add", KERNEL=="em1", ATTRS{address}=="12:34:45:67:89:0a", NAME="modem"
SUBSYSTEM=="net", ACTION=="add", KERNEL=="eth0", ATTRS{address}=="12:34:45:67:89:0a", NAME="modem"
SUBSYSTEM=="net", ACTION=="add", ATTRS{address}=="0a:89:67:45:23:12", NAME="lan"
Replace the MAC addresses by the corresponding MAC addresses of your interfaces (you can find them using ifconfig | grep HWaddr) and em1 by the current name of the interface connected to the modem. Note that we have two rules for the modem interface: this is to prevent udev form renaming the VLAN interface. If you know a nicer way, please let me know. Reboot and test whether this worked.
Configure interfaces
Add the following to /etc/network/interfaces
auto modem
iface modem inet manual
mtu 1508
auto modem.6
iface modem.6 inet manual
vlan-raw-device modem
mtu 1508
auto lan
iface lan inet static
address 10.0.0.1
netmask 255.255.255.0
auto wan
iface wan inet ppp
pre-up /bin/ip link set modem.6 up
provider xs4all
iface wan inet6 auto
The block for modem is only used to set its MTU to 1508. We need this if we want to set the MTU of the PPPoE connection to the normal 1500 (and compensate for the 8 bytes PPPoE uses). If you run into trouble, you can leave all MTU declarations out.
The block modem.6 configures an interface for packets on modem tagged with VLAN ID 6. XS4ALL uses VLAN tagging such that it can deliver different services (internet on 6, TV on 4, …) via the same modem.
The block lan sets up the interface for a LAN on 10.0.0.x.
Finally, the wan block tells the system to set-up a PPP-interface using the configuration named xs4all. We will set that up in a moment.
Set-up PPPoE
Install the package pppoe and create /etc/ppp/peers/xs4all with the contents
ifname wan noipdefault +ipv6 ipv6cp-use-ipaddr defaultroute connect /bin/true noauth persist mtu 1500 mru 1500 noaccomp default-asyncmap plugin rp-pppoe.so modem.6 user "someuser@xs4all.nl"
Also create /etc/ppp/chap-secrets with
"someuser@xs4all.nl" * "somepassword"
My ISP requires the authentication step, but (intentionally) does not check the username and password — you can fill in anything you like.
Reboot. You should have IPv4 on the router. (The rest: DNS, IPv6, IPv4 on the LAN shouldn’t work.)
LAN
We’re ready to set up the LAN. We will use dnsmasq as it will act as (caching) DNS server, DHCP server and RA (IPv6’s alternative to DHCP) server. Install dnsmasq and write the following to /etc/dnsmasq.conf
domain-needed bogus-priv filterwin2k resolv-file=/etc/resolv.conf-dnsmasq local=/lan/ expand-hosts domain=lan interface=lan dhcp-range=lan,10.0.0.50,10.0.0.150,255.255.255.0,12h dhcp-option=tag:lan,option:router,10.0.0.1 dhcp-authoritative enable-ra dhcp-range=::1,constructor:lan,ra-stateless,ra-names,12h
In /etc/resolv.conf, put:
nameserver 10.0.0.1
You might want to remove the package resolvconf as it might interfere. Now, in /etc/resolv.conf-dnsmasq, put the actual DNS server you would like to use. For Google’s public DNS, write:
nameserver 8.8.8.8
We’re almost done with the IPv4 LAN. To /etc/sysctl.conf append
net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
This will allow the kernel to forward packages between all interfaces. If you have more interfaces, you might want to restrict the forwarding to lan and wan, but to configure this requires running a script at the creation of the interfaces.
And finally, install iptables-persistent and write to /etc/iptables/rules.v4, the following for the IPv4 NAT:
*nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o wan -j MASQUERADE COMMIT
Note that this will allow any connections from outside to the router on any port. Also, without configuration ip6tables, no connection is blocked form the outside. If you like a firewall (that is: whitelist which connections are allowed), you want to add some rules here.
Reboot. You should have IPv4 & DNS on the router and LAN.
IPv6
My ISP assigns a /48 via DHCPv6. Install wide-dhcpv6-client. Change /etc/wide-dhcpv6/dhcp6c.conf to
profile default
{
script "/etc/wide-dhcpv6/dhcp6c-script";
};
interface wan {
send ia-pd 0;
};
id-assoc pd 0 {
prefix-interface lan {
sla-len 16;
sla-id 0;
ifid 1;
};
};
This will request a subnet and assign it to the lan interface. The IP of the router will be thesubnet::1 due to the ifid setting.
That’s it: reboot and enjoy your IPv4 & IPv6 connection.
Hi there
In your example the ‘modem’ MTU is 1508. Shouldn’t this be 1512 (8 for PPPoE + 4 for VLAN)?
Regards,
Rob
I’m not sure. At the moment my router is working fine with the MTU of both the physical interface (modem) and its derived VLAN interface (modem.6) set to 1508. Does it break for you?
Hi there
I have to configure this on the 21st. And I want to be able to use a 1500 byte PPP MTU.
Regards,
Rob
Hi – when we try this we get in syslog:
pppd[1614]: Plugin rp-pppoe.so loaded.
ifup[1361]: Plugin rp-pppoe.so loaded.
pppd[1615]: pppd 2.4.7 started by root, uid 0
ifup[1361]: Cannot find device “wan”
ifup[1361]: Failed to bring up wan.
pppd[1615]: Timeout waiting for PADO packets
pppd[1615]: Unable to complete PPPoE Discovery
pppd[1615]: Terminating on signal 15
pppd[1615]: Exit.
This is on ubuntu 16.x
Isn’t pppd supposed to create an interface called “wan” as specified at the top line of /etc/ppp/peers/xs4all:
ifname wan
or “wan” is supposed to be already existing in the output of ifconfig -a or somewhere else defined?
It’s hard to tell at the moment if the problem is with our config and with pppd finding a device to listen on, or whether the subsequent “Timeout waiting for PADO packets” represents something physical on the wire…
Any pointers would be much appreciated!
Hi Liam. The line
plugin rp-pppoe.so modem.6should directpppdto make the connection on the ifacemodem.6and from it create a new interface calledwan. Doesrp-pppoe.soexist?Hi Bas! Thanks for the great guide! This got me 90% of the way there. Ubuntu 18.04 throws a few curve balls (see below)
I can verify this works w/ CenturyLink FTTH in Seattle. Specific notes specific to CenturyLink (hopefully helpful to others):
a) CenturyLink does not (yet?) support IPv6, so I disabled those blocks and the wide-client
b) I ran into “Timeout waiting for PADO packets” once I got everything almost working. Symptom, I would get about 10 seconds of connectivity, then that error. The issue was the MTU setting. I removed all the MTU statements in interfaces AND in /peers/your_client_name (I eventually added mtu/mru to 1492 just for completeness).
c) I got a CHAP auth error (due to a type), then for some reason a SAP auth error (so I copied my credentials over there), and that seemed to resolve it. However, I’m certain my connection is using CHAP (never figured this out).
d) FYI: vlan for centurylink is 201
Specific notes for Ubuntu 18.04 (I’m using Ubuntu Server LTS):
1) This setup requires ifupdown AND (I would recommend) removing netplan and disabling networkd management (Follow this: https://askubuntu.com/a/1052023)
2) I did not end up renaming my interfaces. Ubuntu now a-days provides consistent naming. It’s not as readable, but I had udev issues…
3) In interfaces file, “auto wan” with the pre-up line caused me trouble, with the interface coming up, but then for some reason udev was shutting it down just as it was getting going (causing a “term requested by signal 15” in the /var/log/syslog). This is apparently a known issue … for the last decade?! udev+interfaces have always been super confusing to me. So, I followed this advice: https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/78043 comment #14. My modifications to interfaces look like (adapted to be a diff from above):
auto modem.6
iface modem.6 inet manual
vlan-raw-device modem
# New:
post-up ifup wan
pre-down ifdown wan
# Comment out or remove:
# auto wan
iface wan inet ppp
# pre-up /bin/ip link set modem.201 up
provider xs4all
4) I added the loopback (lo) interface. For some reason it was missing in ifconfig after everything was said and done. Simply:
auto lo
iface lo inet loopback
5) I have a router that sits behind this box, and is the only client of my dnsmasqd. As such, I added a DHCP reservation for that host so it basically has a static IP. Lets assume that address is 10.0.0.88 (required for 6 to make sense)
6) I added some NAT rules to forward all traffic destined for my public/WAN IP to be forwarded onto my router (IP is known in advance from (5). This requires knowing your WAN ip address… which only happens AFTER the pppoe connection succeeds. So, I added these lines to the end of /etc/ppp/ip-up (file already exists):
WAN_IP=”`ifconfig wan | sed -n -e ‘s/.*inet \([0-9]\+.[0-9]\+.[0-9]\+.[0-9]\+\).*/\1/p’`”
DMZ_IP=”10.0.0.88″
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp -j DNAT –to-destination $DMZ_IP
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ${DMZ_IP}/32 -p tcp -j MASQUERADE
7) Since this is a somewhat public facing machine, I would highly recommend installing unattended-upgrades
I hope this helps the next person in some way or fashion!!!
One last piece required to make my setup complete. Some sites/games do not work correctly. A example: google.com works great! But netflix.com does not. This turned out to be a MTU issue. All the clients by default assume mtu 1500. Since the pppoe is 1492, there are several mechanism to let all the LAN clients know to down-size to 1492. However _NONE_ of them are “enabled” by default. Read here for details: https://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
I went with the “7.15.2. Clamping the MSS via IPTABLES” approach. Very simply, edit your /etc/iptables/rules.v4 and update the main *filter section:
*filter
:INPUT ACCEPT [1:373]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Add this line! Important
-A FORWARD -p tcp -m tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu
COMMIT
I’ve been nearly a year on this setup with rock solid performance! Only one minor addition/followup:
– Every time my router renewed it’s DHCP lease to the dnsmasq-dns, it seemed to cause a multi-minute period of downtime. I fixed this by giving my router a static IP and that cleared up the issue. I also played with expiry, but nothing seemed to do the trick.