I hate PPPoA

As per subject.

It can go take a flying jump off some cliff somewhere. Unsupported pos!

Only way you can interface a crappy PPPoA connection with anything else is with half-baked 'bridge' modes and PPPoA to PPPoE proxies that are only supported on a handful of devices (Read - Like One.)

Spent the best part of 6 hours messing about with 4 different router models trying to get just ONE to pass on an unmolested, un-natted, unfirewalled connection but no - totally and utterly broken.

/rant off
 
Not sure I understand as I've had an "unmolested, un-natted, unfirewalled connection" over PPPoA with several routers over the years.
 
Using what? Vigor 100/120 is pretty much the only product that will present PPPoA as PPPoE. At £50 a pop it's not worth the money.

No ISP locally has PPPoE so it cannot be used directly - If it was available, I would be using it.
 
I really must have been missing your point here as I didn't actually understand what you are trying to achieve.

You have a piece of PPPoE kit and a PPPoA line and need something in between?
If this is the case then I apologise, all my connections have always been a PPPoA bit of kit and ethernet on the other into my firewall and then out to my subnets.
 
Correct.

PPPoA DSL Line > magic equipment here > Ethernet Interface on Firewall/Router > Internal LAN

I want to use a dedicated system for firewalling/routing duties as I am sick of consumer grade kit on combined modem/routers.

To do this I need to present the dedicated system with PPPoE for it to dial. This would be a clean stream of data that has not been TOUCHED by my modem at all because that is what the dedicated system is there for. It's basically doing a consumer router/firewall's duties without the modem (but much faster, better and with more features) - hence the need for something to dial the connection and pass it on.

Without that the alternatives are messy which involve 1:1/Double NATing or ridiculous port forwards - all of which negate the point of moving all the processing off to a dedicated unit.

Something like a Vigor 120 will connect a PPPoA connection as a modem then proxy across PPPoE to a firewall. But they are expensive for what they are and provide little to no control. I am not investing £50 on a 120 only to find it trains my line at less than my current kit can with zero SnR Target control to try fix it.

Lots of modem/routers supposedly support Half-bridging but the reality is they do not.
 
I see.

I currently run a Billion 7800n which is stripped down to basically be an ADSL modem as best I can (firewall off, wireless off and straight routing for my /27 and /29) into pfSense which I use as the proper routing / firewall platform.

It does mean I have a /32 for the WAN on the Billion, a /30 for the Billion LAN and firewall untrusted interfaces and then a /27 on the LAN and /29 on the DMZ of pfSense.

I have the option of changing the WAN on pfSense to PPPoE later when fibre comes my way.
 
I only have a single allocated usable fixed IP, not a block.

If you know of a config I can use with any of the following I would be up for suggestions:

Billion 7300G
DG834
DG834GT

I am sure it will require double NATing however as I cannot allocate any additional usable public IPs beyond the single 255.255.255.255 address I have.

ADSL <> eth0[WAN] PPPoA Dialup/Modem eth1[LAN] <> eth0[WAN] Router/Firewall [LAN]eth1 <> Internal LAN

I've done some brief reading on 'jipping' the subnets in this way to force routing but never got my head around it and the IPs that need to be assigned to which interfaces. It all got confusing though.

My Modem WAN IP is a /32 single usable IP. (213.133.215.xxx/32)
The Modem WAN Gateway however is 213.133.223.xxx

Can I do a similar setup to yourself with this or not?

213.133.215.xx5/32 as ISP assigned Modem WAN IP (unchangeable)
213.133.215.xx5/30 on the Router/Modem LAN interface
213.133.215.xx6/30 on the firewall WAN Interface

Does this require NATing/Forwarding of any kind on the router or should the router in "dumb modem" NAT off configuration route this properly as the traffic coming out of the firewall WAN interface is on the same range as its WAN assigned IP?

What do I do with the internal LAN firewall interface, whatever I want? Surely the router should route this appropriately as per my config?
 
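An added example, not written by anyone in the thread, that checks the kind of addressing plan discussed in the posts above: whether the modem LAN and firewall WAN ends are usable hosts in one subnet, and which source addresses the modem would still have to NAT because the ISP does not route them to the line. The 203.0.113.x and 198.51.100.x values are constructed documentation addresses, and the function names are hypothetical.

```python
import ipaddress

def link_problems(modem_lan, firewall_wan):
    """Check the modem-LAN / firewall-WAN pair of a routed (NAT-off) link."""
    m = ipaddress.ip_interface(modem_lan)
    f = ipaddress.ip_interface(firewall_wan)
    problems = []
    if m.network != f.network:
        problems.append(f"{m} and {f} are in different subnets")
    if m.ip == f.ip:
        problems.append("both ends use the same address")
    for name, iface in (("modem LAN", m), ("firewall WAN", f)):
        net = iface.network
        # In a /30 (or larger) subnet the first and last addresses are not hosts.
        if net.prefixlen <= 30 and iface.ip in (net.network_address,
                                                net.broadcast_address):
            problems.append(f"{name} {iface.ip} is the network or "
                            f"broadcast address of {net}")
    return problems

def sources_needing_nat(routed_prefixes, egress_sources):
    """Return the egress sources the ISP does not route to this line.

    Replies to those sources never come back down the line, so the modem
    has to translate them (the double NAT case). An empty list means the
    modem can forward the firewall's traffic untranslated.
    """
    routed = [ipaddress.ip_network(p) for p in routed_prefixes]
    missing = []
    for src in egress_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(r) for r in routed):
            missing.append(str(net))
    return missing

if __name__ == "__main__":
    # Constructed sample: one routed /32, firewall NATs the LAN to its WAN address.
    print(link_problems("203.0.113.5/30", "203.0.113.6/30"))
    print(sources_needing_nat(["203.0.113.5/32"], ["203.0.113.6"]))
    # Same last digits, different /30 boundaries: .15 and .16 do not pair up.
    print(link_problems("203.0.113.15/30", "203.0.113.16/30"))
    # Constructed sample: routed /27 and /29 behind the firewall, no NAT needed.
    blocks = ["198.51.100.0/27", "198.51.100.32/29"]
    print(sources_needing_nat(blocks, blocks))
```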
I did it with a DG834GT ages ago but that was running a custom firmware - DGTeam I think and I had a static IP. I basically used the DG834GT as a modem only, it had no public facing IP address of its own and was plugged into a Netscreen 5GT firewall at the time. I had a single static IP address from my ISP which I set on my 5GT and all was fine.

However, this was with Be as my ISP for which no authentication is required. I recall some weird things happening in modem mode (with regards to authentication) which are probably the issues you're seeing :) However this was 2 or 3 years ago now.
 
This would be fine and I could do this but as I am forced to use PPPoA as the dialup I am stuck. Either it needs to be proxied on as PPPoE (Expensive Vigor Ethernet modem) or the modem needs to establish the PPPoA connection/authentication and pass on the data unmolested (preferably).
 
I've done this before with my DG834GT (which are cheap as chips second hand since loads of ISPs used to bundle them). Set it up in "Modem only" mode then had it connected to my Cisco 877 which had all my ISP authentication details in its dialer.

As to why I did this when the 877 has a built in DSL modem, the 834 had faster stable sync speeds on my line.
 
Vigor 120
DG834GT

Don't know what the issue is.

PPPoA is the issue.

A firewall cannot dial a PPPoA connection, it's not ethernet - It's ATM.

A DG834GT does not present PPPoE to the firewall when connecting to a PPPoA service. Unless there is hidden literature on the internet that not even Google knows about.

When you enable Modem mode on a DG834GT you have no PPPoA options. The modem NEEDS to be able to dial the PPPoA connection then pass it on as PPPoE to the firewall. It does not, or does it? If so, where is the documentation?

The Vigor 120 does do it with PPPoE pass-Thru, is officially supported and is documented. I cannot find anything, official or 3rd party that lets a DG834GT do what a Vigor 120 can.
 
Well no it doesn't have to pass it off as PPPoE as such. If the modem handles the PPPoA side of things then it just needs to be Ethernet from then on. In the scenarios I've seen this done with (with dedicated ADSL modems, not hacked bodge jobs) the firewall WAN interface (used Juniper Netscreens and SRX) has simply been set to either obtain a public facing IP from DHCP or had its static IP assigned and the modem has done the job of palming it off to the firewall, without any nasty double NAT or without needing to involve PPPoE at all.
 
I don't want the DG834/modem doing any firewalling at all. Putting a DG834 into modem only mode removes all PPPoA options.

Just how are you suggesting this is done?

I want my PPPoA modem to do nothing
No NAT
No Firewalling
No Packet inspection

I want my dedicated firewall to:
NAT
Firewall
Etc etc

As said, DG834 in modem only mode has no PPPoA options. In Router+Modem mode I have to manually disable NAT and Firewall at which point what do I do with the modem LAN and firewall WAN interfaces? The only DHCP the modem gives out is from the LAN IP section, giving an internal IP to my firewall's WAN interface which does sod all. Nothing routes out of the DSL interface.
 
I've done this for SonicWalls with a lot of Vigor 1x0s (with the WAN interface on the SonicWall configured for PPPoE). Works well but have occasionally seen weird drop-outs where the modem is sync'd but the PPP is down. Also, with the current Vigor 120s only having a single 10/100 port, if you want to do anything on them, even something as minor as checking the sync rates, you have to drop the line :rolleyes:

We did try a few of the NetGear DM111Ps. IIRC, that did the PPPoA as you bunged the ADSL credentials into that and it then lobbed the public IP to the firewall via DHCP. There's probably one of them gathering dust in our cupboard at work...

PS. Half bridge mode on consumer routers is the Devil's Work.
 