How to PPPOE server in FreeBSD?

VERY SHORT SUMMARY. So I've got a laptop, which gets the internet via the wlan0 interface, I want it to serve as a PPPoE server, and give internet to its client connected via ethernet (called re0). Also this needs to be vlan 35. Something like re0.35 like in Linux?

I've asked ChatGPT and other AI assistants. I am pasting those here, because no one is going to write me these walls of text from scratch, at least you people could then correct my mistakes here? I am pasting these to make it easier for you to help, if any help can be done. If not, that's alright too.

First it told me to do this:
Code:
ifconfig vlan35 create
ifconfig vlan35 vlan 35 vlandev re0
ifconfig vlan35 up

sysctl net.inet.ip.forwarding=1

sysrc pf_enable="YES"

Add /etc/pf.conf this:
Code:
ext_if="wlan0"
int_if="vlan35"
nat on $ext_if from $int_if:network to any -> ($ext_if)
Then these:
Code:
service pf start
pfctl -f /etc/pf.conf



They advise the software called mpd5. So my /usr/local/etc/mpd5/mpd.conf is like this:
Code:
startup:
    # General startup commands (add them here if needed)
    set user admin admin admin

default:
    # mpd5 loads the "default" label when started from the rc script,
    # so chain to the pppoe section from here
    load pppoe

pppoe:
    create bundle static B1
    set ipcp ranges 192.168.8.1/32 192.168.8.10/24
    set ipcp dns 8.8.8.8

    create link static L1 pppoe
    set link enable incoming
    set link mtu 1492
    set link mru 1492
    # mpd5 names the CHAP variants explicitly ("chap" alone is not accepted)
    set link accept chap-md5 pap
    set auth authname user1
    set auth password pass1
    set link action bundle B1
    set link enable multilink
    set link keep-alive 10 60
    set link max-redial -1
    set pppoe iface vlan35


Then this:
Code:
echo 'user1 "pass1"' > /usr/local/etc/mpd5/mpd.secret
chmod 600 /usr/local/etc/mpd5/mpd.secret

service mpd5 start

So this is not something I am unfamiliar with. I've done this with success on Debian 12, and am trying to do it with FreeBSD. But I couldn't do so. I get PADI packets, but no IP was given to the router connected to the laptop.
 
The vlan35 interface needs an IP address, I suspect you only have an IP address on re0? But why add the vlan(4) encapsulation? Is re0 connected to a switch? Is this a run-of-the-mill (unmanaged) switch? Then it's not going to support VLANs.

Something like re0.35 like in Linux?
FreeBSD supports the same kind of notation for vlan(4) interfaces, mpd5 however does not. So stick with the vlan35 naming convention.

Code:
ifconfig vlan35 create
ifconfig vlan35 vlan 35 vlandev re0
ifconfig vlan35 up
This 'translates' to the following rc.conf settings:
Code:
vlans_re0="vlan35"
create_args_vlan35="vlan 35"
ifconfig_re0="up" # parent interface needs to be 'up' 
ifconfig_vlan35="inet 1.2.3.4 netmask 255.255.255.0"

Code:
sysctl net.inet.ip.forwarding=1
Make this permanent: sysrc gateway_enable="YES"
 
Ok thanks, I've done it. But I wanna ask something: I don't always do this stuff on my FreeBSD PC. I am trying to make all of this into a script, so I can run everything and then shut it off when not in use. Like, run pf and mpd5 and the vlan stuff only when I want?
I've done this script, but here, without sleep 30 it doesn't work. So, I've researched some and pf only accounts for interfaces that EXIST AT RUNTIME, is that true? I only asked ChatGPT though, which sometimes makes stuff up. But is this the default behaviour for pf? So thus I added 30 seconds of sleep to make it wait, so ng0 is created. Like this:
~> cat pppoe-chatgpt.sh
#!/bin/sh

echo "PPPoE sunucusu başlatılıyor..."

# Network settings
ifconfig ue0 up

ifconfig vlan35 create
ifconfig vlan35 vlan 35 vlandev ue0
ifconfig vlan35 up

sysctl net.inet.ip.forwarding=1

# replace pf.conf with the pppoe rules
cp /etc/pf.conf.pppoe /etc/pf.conf

# start mpd5
service mpd5 onestart

sleep 30 #this one
pfctl -f /etc/pf.conf
pfctl -e
 
SirDice Sir may I ask something? This is my pf.conf, so I run mpd5 only when I need it. But since ng0 is only created when mpd5 is run, then I have to restart pf when ng0 is created? Also can you give me a simple pf.conf? I won't be using this pppoe server thing all the time. Only when necessary.


Code:
ext_if = "ue0" # interface that internet comes from
int_if = "ng0" # goes through here, with msk0 with vlan35
set skip on lo
# NAT rule (for the whole internal network)
nat on ue0 from 192.168.0.0/24 to any -> (ue0)
 
But since ng0 is only created when mpd5 is run, then I have to restart pf when ng0 is created?
Yes, that's the same issue when running it as a client. One way to solve it is by using the up-script and down-script.

Code:
        set iface   up-script /usr/local/etc/mpd5/linkup.sh
        set iface down-script /usr/local/etc/mpd5/linkdown.sh
In those scripts you could reload PF, or even nicer, add/remove rules dynamically using an anchor.
 
Yes, that's the same issue when running it as a client. One way to solve it is by using the up-script and down-script.

Code:
        set iface   up-script /usr/local/etc/mpd5/linkup.sh
        set iface down-script /usr/local/etc/mpd5/linkdown.sh
In those scripts you could reload PF, or even nicer, add/remove rules dynamically using an anchor.
That's very unlike Linux. So this is purposefully done like this to be more secure, right?
 
Well, how could a firewall apply rules if the interface doesn't exist when those rules are loaded? There's a bit of a chicken and egg problem here.

On Linux you might dynamically add/remove a couple of chains with iptables. With PF you can do something similar by using a so-called anchor.

Simple pf.conf example:
Code:
block all
anchor myanchor

You can add rules to that myanchor, they get 'inserted' at that anchor point in pf.conf (order is important of course). Then something like echo "pass in on ng0 from any to any" | pfctl -a myanchor -f - can be used to dynamically add one or more rules at that anchor point. Removing, pfctl -a myanchor -F rules will remove all the rules of that anchor, while leaving the rest of the firewall rules in place. There's a lot more you can do with anchors, definitely look through pfctl(8) and pf.conf(5).
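As an added example (not SirDice's code, nor anything from the mpd5 project), here is how the up-script/down-script suggestion and the anchor trick above fit together: pf.conf keeps its static rules plus an anchor, and mpd5 calls one script when a session interface comes up and another when it goes down. The scripts push the pass rules for that ngX interface into a sub-anchor named after the interface and flush that sub-anchor on teardown, so one client disconnecting does not drop the rules of another; that per-interface sub-anchor goes one step beyond the single `myanchor` shown in the post. The anchor name `pppoe`, the uplink `ue0`, the script paths and the assumed pf.conf are all my choices, and the fact that mpd5 passes the interface name as the first argument (and the peer address as the fourth) to the up-script is stated from memory of the mpd5 manual, so check it against your installed version.

```shell
#!/bin/sh
# Added example: mpd5 link-up/link-down hooks that keep PF rules for a PPPoE
# session in an anchor instead of reloading the whole ruleset.
#
# Assumed /etc/pf.conf (the nat rule does not depend on ng0 existing, so it
# can stay in the static part of the ruleset):
#   ext_if = "ue0"
#   set skip on lo
#   nat on $ext_if from 192.168.8.0/24 to any -> ($ext_if)
#   block all
#   pass out on $ext_if
#   anchor "pppoe/*"          # per-session rules are loaded here
#
# Assumed lines in mpd.conf, in the bundle section:
#   set iface up-script   /usr/local/etc/mpd5/linkup.sh
#   set iface down-script /usr/local/etc/mpd5/linkdown.sh
# Install this file as both names (hard link or copy); it decides what to
# do from its own file name.

ANCHOR="pppoe"   # anchor declared in pf.conf (assumed name)

# Print the rules for one session interface. If the peer address is known
# (mpd5 passes it as the 4th argument to the up-script, assumption), only
# traffic from that address is allowed in. Kept separate from pfctl so the
# rule text can be checked on a host without pf.
pppoe_rules() {
    iface="$1"
    peer="${2:-}"
    if [ -n "$peer" ]; then
        printf 'pass in quick on %s from %s\n' "$iface" "$peer"
    else
        printf 'pass in quick on %s\n' "$iface"
    fi
    printf 'pass out quick on %s\n' "$iface"
}

# Name of the sub-anchor holding one session's rules, e.g. pppoe/ng0.
pppoe_anchor_for() {
    printf '%s/%s\n' "$ANCHOR" "$1"
}

# Load this session's rules into its own sub-anchor.
pppoe_link_up() {
    iface="$1"
    peer="${2:-}"
    pppoe_rules "$iface" "$peer" | pfctl -a "$(pppoe_anchor_for "$iface")" -f -
}

# Flush only this session's sub-anchor; every other rule stays loaded.
pppoe_link_down() {
    iface="$1"
    pfctl -a "$(pppoe_anchor_for "$iface")" -F rules
}

# Dispatch on the script name mpd5 invoked. mpd5's arguments (assumed
# order): interface proto local-ip remote-ip authname ...
case "$(basename "$0")" in
    linkup.sh)   pppoe_link_up   "$1" "${4:-}" ;;
    linkdown.sh) pppoe_link_down "$1" ;;
esac
```

With this in place the `sleep 30` in the start script is no longer needed: `pfctl -f /etc/pf.conf` can run before mpd5 starts, because nothing in the static ruleset refers to an interface that does not exist yet, and each ngX gets its rules the moment mpd5 brings it up.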
 