Creating PPPoE Tunnels for DSL Support
By using PPPoE, you can provide PPP over high-speed digital services to multiple clients
that are using one or more DSL modems. PPPoE implements these services by creating
an Ethernet tunnel through three participants: the enterprise, the telephone company, and the service provider.
This section contains detailed information about PPPoE commands and files, which is summarized in the
next table.
Table 22-2 PPPoE Commands and Configuration Files
File or Command | Description | For Instructions |
/etc/ppp/pppoe | A file that contains characteristics that are applied by default to all tunnels that were set up by PPPoE on the system | /etc/ppp/pppoe File |
/etc/ppp/pppoe.device | A file that contains characteristics of a particular interface that is used by PPPoE for a tunnel | /etc/ppp/pppoe.device File |
/etc/ppp/pppoe.if | File that lists the Ethernet interface over which runs the tunnel that is set up by PPPoE | /etc/ppp/pppoe.if File |
/usr/sbin/sppptun | Command for configuring the Ethernet interfaces that are involved in a PPPoE tunnel | /usr/sbin/sppptun Command |
/usr/lib/inet/pppoed | Command and options for using PPPoE to set up a tunnel | /usr/lib/inet/pppoed Daemon |
Files for Configuring Interfaces for PPPoE
The interfaces that are used at either end of the PPPoE tunnel must be
configured before the tunnel can support PPP communications. Use the /usr/sbin/sppptun command and the /etc/ppp/pppoe.if file for
this purpose. You must use these tools to configure Ethernet interfaces on all Solaris
PPPoE clients and PPPoE access servers.
/etc/ppp/pppoe.if File
The /etc/ppp/pppoe.if file lists the names of all Ethernet interfaces on a host to
be used for the PPPoE tunnels. This file is processed during system boot when
the interfaces that are listed are plumbed for use in PPPoE tunnels.
You must explicitly create /etc/ppp/pppoe.if. Type the name of one interface to
be configured for PPPoE on each line.
The following example shows an /etc/ppp/pppoe.if file for a server that offers three interfaces for
PPPoE tunnels.
# cat /etc/ppp/pppoe.if
hme1
hme2
hme3
PPPoE clients usually have only one interface that is listed in /etc/ppp/pppoe.if.
/usr/sbin/sppptun Command
You can use the /usr/sbin/sppptun command to manually plumb and unplumb the Ethernet
interfaces to be used for PPPoE tunnels. By contrast, /etc/ppp/pppoe.if is only read when
the system boots. These interfaces should correspond to the interfaces that are listed in
/etc/ppp/pppoe.if.
sppptun plumbs the Ethernet interfaces that are used in PPPoE tunnels in a manner
that is similar to the ifconfig command. Unlike ifconfig, you must plumb interfaces twice to support
PPPoE because two Ethernet protocol numbers are involved.
The basic syntax for sppptun is as follows:
# /usr/sbin/sppptun plumb pppoed device-name
device-name:pppoed
# /usr/sbin/sppptun plumb pppoe device-name
device-name:pppoe
In this syntax, device-name is the name of the device to be plumbed
for PPPoE.
The first time that you issue the sppptun command, the discovery protocol pppoed is plumbed
on the interface. The second time that you run sppptun, the session protocol pppoe
is plumbed. sppptun prints the name of the interface that was just plumbed. You use
this name to unplumb the interface, when necessary.
For more information, refer to the sppptun(1M) man page.
Examples of sppptun Commands for Administering Interfaces
The following example shows how to manually plumb an interface for PPPoE by using
/usr/sbin/sppptun.
# /usr/sbin/sppptun plumb pppoed hme0
hme0:pppoed
# /usr/sbin/sppptun plumb pppoe hme0
hme0:pppoe
This example shows how to list the interfaces on an access server that were
plumbed for PPPoE.
# /usr/sbin/sppptun query
hme0:pppoe
hme0:pppoed
hme1:pppoe
hme1:pppoed
hme2:pppoe
hme2:pppoed
This example shows how to unplumb an interface.
# sppptun unplumb hme0:pppoed
# sppptun unplumb hme0:pppoe
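Because /etc/ppp/pppoe.if is read only at boot and each interface needs two plumbs, the running state can drift from the file. The following check is an added example, not part of the original documentation: it compares the contents of /etc/ppp/pppoe.if with the output of sppptun query. The function name and the sample data are constructed for illustration.

```python
PROTOCOLS = ("pppoed", "pppoe")  # discovery and session; both must be plumbed

def plumb_report(pppoe_if_text, query_text):
    """Return (missing, unlisted).

    missing:  {interface: [protocols not plumbed]} for interfaces in pppoe.if
    unlisted: sorted interfaces that are plumbed but absent from pppoe.if
    """
    wanted = [ln.strip() for ln in pppoe_if_text.splitlines() if ln.strip()]
    plumbed = {}
    for ln in query_text.splitlines():
        # sppptun query prints one "device:protocol" name per line
        dev, sep, proto = ln.strip().rpartition(":")
        if sep and proto in PROTOCOLS:
            plumbed.setdefault(dev, set()).add(proto)
    missing = {}
    for dev in wanted:
        gaps = [p for p in PROTOCOLS if p not in plumbed.get(dev, set())]
        if gaps:
            missing[dev] = gaps
    unlisted = sorted(set(plumbed) - set(wanted))
    return missing, unlisted

# Constructed sample data in the formats shown on this page.
SAMPLE_IF = "hme1\nhme2\nhme3\n"
SAMPLE_QUERY = "hme0:pppoe\nhme0:pppoed\nhme1:pppoe\nhme1:pppoed\nhme2:pppoed\n"

if __name__ == "__main__":
    missing, unlisted = plumb_report(SAMPLE_IF, SAMPLE_QUERY)
    for dev, gaps in missing.items():
        print(f"{dev}: not plumbed for {', '.join(gaps)}")
    for dev in unlisted:
        print(f"{dev}: plumbed but not listed in /etc/ppp/pppoe.if")
```

An interface reported as unlisted carries PPPoE only until the next reboot; one reported as missing a protocol cannot complete either discovery or the session.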
PPPoE Access Server Commands and Files
A service provider that offers DSL services or support to customers can use an
access server that is running Solaris PPPoE. The PPPoE access server and client function
in the traditional client-server relationship. This relationship is similar to the relationship of the dial-out
machine and dial-in server on a dial-up link. One PPPoE system initiates communications
and one PPPoE system answers. By contrast, the PPP protocol has no notion of
the client-server relationship. PPP considers both systems equal peers.
The commands and files that set up a PPPoE access server include the following:
/usr/lib/inet/pppoed Daemon
The pppoed daemon accepts broadcasts for services from prospective PPPoE clients. Additionally, pppoed negotiates
the server side of the PPPoE tunnel and runs pppd, the PPP daemon,
over that tunnel.
You configure pppoed services in the /etc/ppp/pppoe and /etc/ppp/pppoe.device files. If /etc/ppp/pppoe exists
when the system boots, pppoed runs automatically. You can also explicitly run the pppoed daemon on
the command line by typing /usr/lib/inet/pppoed.
/etc/ppp/pppoe File
The /etc/ppp/pppoe file describes the services that are offered by an access server plus
options that define how PPP runs over the PPPoE tunnel. You can define services
for individual interfaces, or globally, that is, for all interfaces on the access server. The
access server sends the information in the /etc/ppp/pppoe file in response to a broadcast
from a potential PPPoE client.
The following is the basic syntax of /etc/ppp/pppoe:
global-options
service service-name
    service-specific-options
    device interface-name
The parameters have the following meanings.
- global-options
Sets the default options for the /etc/ppp/pppoe file. These options can be any options that are available through pppoed or pppd. For complete lists of options, see the man pages pppoed(1M) and pppd(1M).
For example, you must list the Ethernet interfaces that are available for the PPPoE tunnel as part of global options. If you do not define devices in /etc/ppp/pppoe, the services are not offered on any interface.
To define devices as a global option, use the following form:
device interface <,interface>
interface specifies the interface where the service listens for potential PPPoE clients. If more than one interface is associated with the service, separate each name with a comma.
- service service-name
Starts the definition of the service service-name. service-name is a string that can be any phrase that is appropriate to the services that are provided.
- service-specific-options
Lists the PPPoE and PPP options specific to this service.
- device interface-name
Specifies the interface where the previously listed service is available.
For additional options to /etc/ppp/pppoe, refer to the pppoed(1M) and pppd(1M) man pages.
A typical /etc/ppp/pppoe file might resemble the following.
Example 22-2 Basic /etc/ppp/pppoe File
device hme1,hme2,hme3
service internet
    pppd "name internet-server"
service intranet
    pppd "192.168.1.1:"
service debug
    device hme1
    pppd "debug name internet-server"
In this file, the following values apply.
- hme1,hme2,hme3
Three interfaces on the access server to be used for PPPoE tunnels.
- service internet
Advertises a service that is called internet to prospective clients. The provider that offers the service also determines how internet is defined. For example, a provider might interpret internet to mean various IP services, as well as access to the Internet.
- pppd
Sets the command-line options that are used when the caller invokes pppd. The option "name internet-server" gives the name of the local machine, the access server, as internet-server.
- service intranet
Advertises another service that is called intranet to prospective clients.
- pppd "192.168.1.1:"
Sets the command-line options that are used when the caller invokes pppd. When the caller invokes pppd, 192.168.1.1 is set as the IP address for the local machine, the access server.
- service debug
Advertises a third service, debugging, on the interfaces that are defined for PPPoE.
- device hme1
Restricts debugging of PPPoE tunnels to hme1.
- pppd "debug name internet-server"
Sets the command-line options that are used when the caller invokes pppd, in this instance, PPP debugging on internet-server, the local machine.
/etc/ppp/pppoe.device File
The /etc/ppp/pppoe.device file describes the services that are offered on one interface of a
PPPoE access server. /etc/ppp/pppoe.device also includes options that define how PPP runs over the PPPoE
tunnel. /etc/ppp/pppoe.device is an optional file, which operates exactly like the global /etc/ppp/pppoe. However, if
/etc/ppp/pppoe.device is defined for an interface, its parameters have precedence for that interface over the
global parameters that are defined in /etc/ppp/pppoe.
The basic syntax of /etc/ppp/pppoe.device is as follows:
service service-name
    service-specific-options
service another-service-name
    service-specific-options
The only difference between this syntax and the syntax of /etc/ppp/pppoe is that
you cannot use the device option that is shown in /etc/ppp/pppoe File.
pppoe.so Plugin
pppoe.so is the PPPoE shared object file that must be invoked by PPPoE access
servers and clients. This file limits MTU and MRU to 1492, filters packets from the
driver, and negotiates the PPPoE tunnel, along with pppoed. On the access server side,
pppoe.so is automatically invoked by the pppd daemon.
Using PPPoE and PPP Files to Configure an Access Server
This section contains samples of all files that are used to configure an access
server. The access server is multihomed. The server is attached to three subnets: green,
orange, and purple. pppoed runs as root on the server, which is the
default.
PPPoE clients can access the orange and purple networks through interfaces hme0 and
hme1. Clients log in to the server by using the standard UNIX login. The
server authenticates the clients by using PAP.
The green network is not advertised to clients. The only way clients can access
green is by directly specifying “green-net” and supplying CHAP authentication credentials. Moreover, only clients
joe and mary are allowed to access the green network by using static
IP addresses.
Example 22-3 /etc/ppp/pppoe File for an Access Server
service orange-net
    device hme0,hme1
    pppd "require-pap login name orange-server orange-server:"
service purple-net
    device hme0,hme1
    pppd "require-pap login name purple-server purple-server:"
service green-net
    device hme1
    pppd "require-chap name green-server green-server:"
    nowildcard
This sample describes the services that are available from the access server. The first
service section describes the services of the orange network.
service orange-net
    device hme0,hme1
    pppd "require-pap login name orange-server orange-server:"
Clients access the orange network over interfaces hme0 and hme1. The options that
are given to the pppd command force the server to require PAP credentials from potential
clients. The pppd options also set the server's name to orange-server, as used in
the pap-secrets file.
The service section for the purple network is identical to the service section
of the orange network except for the network and server names.
The next section describes the services of the green network:
service green-net
    device hme1
    pppd "require-chap name green-server green-server:"
    nowildcard
This section restricts client access to interface hme1. Options that are given to the
pppd command force the server to require CHAP credentials from prospective clients. The pppd
options also set the server name to green-server, to be used in the
chap-secrets file. The nowildcard option specifies that the existence of the green network is
not advertised to clients.
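The per-service settings described above can be reviewed mechanically. The following parser is an added example, not part of the original documentation or of Solaris: it reads text in the /etc/ppp/pppoe syntax shown on this page and reports, for each service, the interfaces it is offered on, the authentication its pppd options require, and whether it is advertised. The function names and the lab-net service are constructed, and treating a service's own setting as replacing the global one is this example's assumption.

```python
import shlex

def parse_pppoe(text):
    """Split /etc/ppp/pppoe text into global defaults and per-service settings."""
    new = lambda: {"device": [], "pppd": [], "flags": []}
    glob, services = new(), {}
    cur = glob  # options before the first "service" line are global
    for line in text.splitlines():
        words = shlex.split(line)  # a quoted pppd "..." string stays one word
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "service" and args:
            cur = services.setdefault(args[0], new())
        elif key == "device":
            cur["device"] = [d for a in args for d in a.split(",") if d]
        elif key == "pppd" and args:
            cur["pppd"] = args[0].split()
        else:
            cur["flags"].append(key)
    return glob, services

def audit(text):
    """Per service: effective interfaces, required auth, advertised or hidden."""
    glob, services = parse_pppoe(text)
    report = {}
    for name, svc in services.items():
        pppd = svc["pppd"] or glob["pppd"]  # assumption: service value replaces global
        auth = next((o for o in ("require-chap", "require-pap") if o in pppd), None)
        report[name] = {"devices": svc["device"] or glob["device"], "auth": auth,
                        "advertised": "nowildcard" not in svc["flags"] + glob["flags"]}
    return report

# Two sections of Example 22-3 plus one constructed service, lab-net, with gaps.
SAMPLE = '''
service orange-net
    device hme0,hme1
    pppd "require-pap login name orange-server orange-server:"
service green-net
    device hme1
    pppd "require-chap name green-server green-server:"
    nowildcard
service lab-net
    pppd "name lab-server"
'''

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(name, info)
```

An empty devices list means the service is not offered on any interface. An auth value of None means the service's pppd options name no authentication method, so it depends entirely on what /etc/ppp/options enforces.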
For the access server scenario just discussed, you might set up the following /etc/ppp/options
file.
Example 22-4 /etc/ppp/options File for an Access Server
auth
proxyarp
nodefaultroute
name no-service # don't authenticate otherwise
The option name no-service overrides the server name that is normally searched for during PAP
or CHAP authentication. The server's default name is the one found by the
/usr/bin/hostname command. The name option in the previous example changes the server's name to
no-service. The name no-service is not likely to be found in a pap-secrets or
chap-secrets file. This action prevents a random user from running pppd and overriding the auth
and name options that are set in /etc/ppp/options. pppd then fails because no secrets
can be found for the client with a server name of no-service.
The access server scenario uses the following /etc/hosts file.
Example 22-5 /etc/hosts File for an Access Server
172.16.0.1 orange-server
172.17.0.1 purple-server
172.18.0.1 green-server
172.18.0.2 joes-pc
172.18.0.3 marys-pc
Here is the /etc/ppp/pap-secrets file that is used for PAP authentication for clients
that attempt to access the orange and purple networks.
Example 22-6 /etc/ppp/pap-secrets File for an Access Server
* orange-server "" 172.16.0.2/16+
* purple-server "" 172.17.0.2/16+
Here is the /etc/ppp/chap-secrets file that is used for CHAP authentication. Note that
only clients joe and mary are listed in the file.
Example 22-7 /etc/ppp/chap-secrets File for an Access Server
joe green-server "joe's secret" joes-pc
mary green-server "mary's secret" marys-pc
PPPoE Client Commands and Files
To run PPP over a DSL modem, a machine must become a PPPoE client.
You have to plumb an interface to run PPPoE, and then use the
pppoec utility to “discover” the existence of an access server. Thereafter, the client can
create the PPPoE tunnel over the DSL modem and run PPP.
The PPPoE client relates to the access server in the traditional client-server model. The
PPPoE tunnel is not a dial-up link, but the tunnel is configured and operated
in much the same manner.
The commands and files that set up a PPPoE client include the following:
/usr/lib/inet/pppoec Utility
The /usr/lib/inet/pppoec utility is responsible for negotiating the client side of a PPPoE tunnel.
pppoec is similar to the Solaris PPP 4.0 chat utility. You do not
invoke pppoec directly. Rather, you start /usr/lib/inet/pppoec as an argument to the connect option of
pppd.
pppoe.so Shared Object
pppoe.so is the PPPoE shared object that must be loaded by PPPoE to provide
PPPoE capability to access servers and clients. The pppoe.so shared object limits MTU and MRU
to 1492, filters packets from the driver, and handles runtime PPPoE messages.
On the client side, pppd loads pppoe.so when the user specifies the plugin pppoe.so
option.
/etc/ppp/peers/peer-name File for Defining an Access Server Peer
When you define an access server to be discovered by pppoec, you use
options that apply to both pppoec and the pppd daemon. An /etc/ppp/peers/peer-name file for an access
server requires the following parameters:
sppptun – Name for the serial device that is used by the PPPoE tunnel.
plugin pppoe.so – Instructs pppd to load the pppoe.so shared object.
connect "/usr/lib/inet/pppoec device" – Starts a connection. connect then invokes the pppoec utility over device, the interface that is plumbed for PPPoE.
The remaining parameters in the /etc/ppp/peers/peer-name file should apply to the PPP link on
the server. Use the same options that you would for /etc/ppp/peers/peer-name on a dial-out machine.
Try to limit the number of options to the minimum you need for the
PPP link.
The following example is introduced in How to Define a PPPoE Access Server Peer.
Example 22-8 /etc/ppp/peers/peer-name to Define a Remote Access Server
# cat /etc/ppp/peers/dslserve
sppptun
plugin pppoe.so
connect "/usr/lib/inet/pppoec hme0"
noccp
noauth
user Red
password redsecret
noipdefault
defaultroute
This file defines parameters to be used when setting up a PPPoE tunnel and
PPP link to access server dslserve. The options that are included are as
follows.
Option | Description |
sppptun | Defines sppptun as the name of the serial device. |
plugin pppoe.so | Instructs pppd to load the pppoe.so shared object. |
connect "/usr/lib/inet/pppoec hme0" | Runs pppoec and designates hme0 as the interface for the PPPoE tunnel and PPP link. |
noccp | Turns off CCP compression on the link. Note - Many ISPs use only proprietary compression algorithms. Turning off the publicly available CCP algorithm saves negotiation time and avoids very occasional interoperability problems. |
noauth | Stops pppd from demanding authentication credentials from the access server. Most ISPs do not provide authentication credentials to customers. |
user Red | Sets the name Red as the user name for the client, which is required for PAP authentication by the access server. |
password redsecret | Defines redsecret as the password to be provided to the access server for PAP authentication. |
noipdefault | Assigns 0.0.0.0 as the initial IP address. |
defaultroute | Tells pppd to install a default IPv4 route after IPCP negotiation. You should include defaultroute in /etc/ppp/peers/peer-name when the link is the system's link to the Internet, which is true for a PPPoE client. |