In previous articles, setting up VPN tunnels in pfSense was discussed, but not how to set up a server using Point-to-Point Protocol over Ethernet for a VPN. In this article, I will describe how to set up a pfSense PPPoE server.
Point-to-Point Protocol Explained
The Point-to-Point Protocol over Ethernet is a network protocol for encapsulating PPP frames inside Ethernet frames. It was defined in RFC 2516 in February 1999. PPPoE was developed to solve a problem DSL service providers were encountering. In the mid and late 1990s, dialup service using Point-to-Point Protocol (PPP) was the dominant means of connecting to the internet for home users, whereas small office/home office (SOHO) users who did not require or could not afford a T1 or faster but found dialup insufficient gravitated towards Integrated Services Digital Network (ISDN) connections. By 1998, DSL technology was becoming more affordable, but a protocol that would work with DSL and meet the requirements of the typical small business customer that DSL providers envisioned as their typical users did not exist. Such a protocol would have to allow for easily connecting an entire LAN to the internet, providing services on a local LAN accessible from the far side of the connection, and simultaneous access to multiple data sources, among other requirements.
DSL providers, hoping to build upon PPP, already ubiquitous with dialup services, soon gravitated towards PPPoE. Essentially all operating systems at the time had a PPP stack, and the design of PPPoE allowed for a simple shim at the line-encoding stage to convert from PPP to PPPoE, thus enabling vendors to heavily leverage their existing software and deliver products quickly. Moreover, since PPPoE used a different frame type, the DSL hardware could act as a simple bridge, passing some frames and ignoring others. As a result, DSL modems could be much simpler than routers. As of 2013, PPPoE seems to be on the way out, as many providers are implementing other methods of broadband delivery. However, PPPoE continues to be in wide use.
Configuring a pfSense PPPoE Server
To enable a pfSense PPPoE server, first navigate to Services -> PPPoE Server, then click on the “plus” button to add a new PPPoE instance. On the next page, check “Enable PPPoE Server“. At “Interface“, choose an interface (you probably want to set it to the WAN interface), and at “Subnet Mask“, input the subnet mask. At “No. PPPoE Users“, enter the maximum number of clients you wish to allow. At “Server Address“, set the address to an unused IP address that pfSense will use to serve PPPoE clients. At “Remote Address Range“, set the range range to the starting unused IP address. The range will run as far as the maximum number of clients specified at “No. PPPoE Users“. At “Description“, enter an appropriate description. At “DNS Servers“, you can enter a set of DNS servers or leave it blank if you want the defaults to be used. Unless you want to use a RADIUS server for authentication, skip past the RADIUS settings and scroll down to “User(s)“. Click on the “plus” button and add at least one username, password, and IP address. When you are done, press the “Save” button to save the settings and the next page, press “Apply changes” button to apply the changes.
Now, all that remains to be done is to add a firewall rule to allow traffic to permit traffic from PPPoE clients. Navigate to Firewall -> Rules and click on the “PPPoE Server” tab. Once there, click on the “plus” button to add a new rule. At “Action“, choose “Pass“, and at “Interface“, choose “PPPoE VPN“. For “Protocol“, select “any”, and for “Destination“, select the target destination for PPPoE clients (e.g. LAN subnet). You can probably keep “Log packets that are handled by this rule” unchecked, and at “Description“, enter an appropriate description. Finally, press the “Save” button to save changes, and “Apply changes” to apply the changes. Once the rule has been created, our pfSense PPPoE server will be ready for to be accessed.