[HowTo] - PPPoE, VLAN & RFC4638

Started by netnut, January 31, 2021, 01:07:26 AM

@netnut Any reason that you have the WAN interface disabled? Also can you please elaborate your assignments on picture 5? Currently my assignments are these https://i.ibb.co/fHF7cVY/Assignments.png.

Quote from: panseit on March 01, 2024, 03:48:33 PM
@netnut Any reason that you have the WAN interface disabled?

The WAN interface isn't disabled (as seen in screenshot 1), I just renamed my physical WAN interfaces to WAN_1 and WAN_2 because I use multiple WAN uplinks. Be aware that interface naming is arbitrary with OPNsense, so you could name them any way you want; of course it makes sense to select reasonable names.
In this example I used the physical WAN_1 interface for the PPPoE config with the two vlans.


Quote
Also can you please elaborate your assignments on picture 5? Currently my assignments are these https://i.ibb.co/fHF7cVY/Assignments.png.

The screenshots differ slightly from yours because these were made with an older version of OPNsense. I believe somewhere in 22.07 OPNsense switched from a one-to-one VLAN Interface <-> VLAN ID naming to a much more flexible naming where the VLAN interfaces are named incrementally and don't have a fixed relation with the VLAN ID.

Will update the screenshots to avoid confusion, thanks for the reminder  8)

Quote from: netnut on March 02, 2024, 12:13:34 AM
Quote from: panseit on March 01, 2024, 03:48:33 PM
@netnut Any reason that you have the WAN interface disabled?

The WAN interface isn't disabled (as seen in screenshot 1), I just renamed my physical WAN interfaces to WAN_1 and WAN_2 because I use multiple WAN uplinks. Be aware that interface naming is arbitrary with OPNsense, so you could name them any way you want; of course it makes sense to select reasonable names.
In this example I used the physical WAN_1 interface for the PPPoE config with the two vlans.


Quote
Also can you please elaborate your assignments on picture 5? Currently my assignments are these https://i.ibb.co/fHF7cVY/Assignments.png.

The screenshots differ slightly from yours because these were made with an older version of OPNsense. I believe somewhere in 22.07 OPNsense switched from a one-to-one VLAN Interface <-> VLAN ID naming to a much more flexible naming where the VLAN interfaces are named incrementally and don't have a fixed relation with the VLAN ID.

Will update the screenshots to avoid confusion, thanks for the reminder  8)

I meant the IPv4 and IPv6 Configuration on WAN_1. Then you just configure wan_ftth. Couldn't you just configure wan_1?

Where do I configure the unnumbered IP from my ISP? My ISP provides me with a static /29 IP address range.

Thx for the guide.
I have a question: my PPPoE seems to connect most of the time. There are times when it just doesn't want to connect. If I reboot a couple of times it works. What can that be?

Quote from: netnut on January 31, 2021, 01:09:24 AM
5 - Assign the configured Service VLAN Interfaces

From a security perspective: is it important to leave one interface assignment (in your case WAN_1) on the physical and untagged network interface (in your case igb4)? Maybe to block untagged traffic or so?!
Or could you also reassign your [WAN] interface to the pppoe device?

Quote from: Mindflayer on December 04, 2024, 10:32:11 PM
From a security perspective: is it important to leave one interface assignment (in your case WAN_1) on the physical and untagged network interface (in your case igb4)? Maybe to block untagged traffic or so?!
Or could you also reassign your [WAN] interface to the pppoe device?

OPNsense will silently drop any traffic arriving on an unassigned interface.

Not using/assigning untagged together with tagged VLANs on the same physical IF has been the general recommendation as long as I remember.

A trunk port is a trunk port and an access port is an access port. On switches that demand *some* "native VLAN" or "PVID" whatever they call it, I usually assign something like 99 or 999 which is not used to carry traffic anywhere in my network.

But even Mikrotik has got an "only tagged" setting for ports.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Mindflayer on December 04, 2024, 10:32:11 PM
From a security perspective: is it important to leave one interface assignment (in your case WAN_1) on the physical and untagged network interface (in your case igb4)? Maybe to block untagged traffic or so?!
Or could you also reassign your [WAN] interface to the pppoe device?

I'm not sure if I understand your question completely, but a pppoe device is assigned TO an interface. Because this HowTo is about PPPoE in combination with a provider-based service VLAN, the pppoe device is assigned to the VLAN interface derived from the physical WAN interface. It's basically like a layered cake:

You start with a physical WAN interface, in this HowTo that's "igb4". Because multiple WAN interfaces are used (two different providers) this physical interface is renamed to WAN_1 (the other one WAN_2, but out of scope in this example). This interface is specifically enabled in OPNsense to assign custom MAC and MTU values, but at least the MTU can be calculated in other ways with recent OPNsense versions (these instructions were made on an older version).

Because you need to match the VLAN of your provider, you now need to create a (tagged) VLAN interface on top of the igb4 / WAN_1 interface AND name it too; in this example the specific VLAN interface is named WAN_1_FTTH for generic ISP IP services.

The actual PPPoE interface (pppoe0) is configured on top of this new VLAN interface (WAN_1_FTTH) and named/assigned automatically by OPNsense. In the example there's also a second VLAN interface on the same physical WAN interface for IPTV services, this doesn't use PPPoE but raw Ethernet/IP.

So the full example ends up with three interfaces that are ISP oriented: the raw ethernet WAN interface and two VLAN interfaces, one using PPPoE for generic IP services (i.e. Internet) and one standard VLAN IP interface. Yes, the raw ethernet WAN interface can be seen as an untagged interface towards your ISP, but it's unnumbered (doesn't have an active IP address assigned) so it can't be used in Layer 3 (or higher) communication. I can't think of a Layer 2 attack surface that compromises the security of the WAN interface in this scenario, except for some L2 DoS stuff, but that would compromise the core service of my ISP; they probably detect that earlier than I can/do.

So your layered PPPoE VLAN Cake looks like this:
Raw Ethernet Interface -> VLAN Interface -> PPPoE Interface -> IP

@netnut this last post is incredibly good to understand the architectural principles of the setup.
May I suggest you add them to the original post? It will only enrich it, greatly.
p.s. my connections are FTTP aka FTTH and luckily without PPP nor VLANs. I still find it useful as reference.

December 05, 2024, 06:46:21 PM #54 Last Edit: December 05, 2024, 06:56:07 PM by Mindflayer
Quote from: netnut on December 05, 2024, 05:02:30 PM

I'm not sure if I understand your question completely, but a pppoe device is assigned TO an interface. Because this HowTo is about PPPoE in combination with a provider-based service VLAN, the pppoe device is assigned to the VLAN interface derived from the physical WAN interface.

...

@netnut: First of all: Thank you for your fast answer!

I think you really did not understand my question completely, but that may be my fault.

What I mean is:

On this picture: https://forum.opnsense.org/index.php?action=dlattach;topic=21207.0;attach=14911;image

I can see that you created a VLAN named "WAN_1_FTTH" AND you assigned that VLAN to a new interface (unfortunately) also named "WAN_1_FTTH". I tried around for a very long time with the Interfaces in OPNsense, and I think that this second step of creating an Interface for the VLAN is not necessary when you want to use PPPoE.

The layered cake is a good analogy.

  • You have a physical adapter called "igb4". It is not necessary to assign that physical adapter to an interface.
  • Then you create a VLAN on top of that physical adapter. It is again not necessary to assign that VLAN to an Interface.
  • Then you create a Point-to-Point device (configured as PPPoE) on top of the VLAN. Only this Point-to-Point device has to be assigned to a (new) Interface.
  • OPNsense then automatically detects/creates a Gateway, which is based on that Interface, which is based on the Point-to-Point device.

And now my question is: does it have any downsides, from a security perspective, if I don't assign/create an Interface for the igb4 (step 1) AND the VLAN (step 2)?

No, it does not, and you need not and IMHO should not assign these interfaces.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 05, 2024, 06:48:23 PM #56 Last Edit: December 05, 2024, 07:06:54 PM by Mindflayer
Quote from: Patrick M. Hausen on December 05, 2024, 06:47:28 PM
No, it does not, and you need not and IMHO should not assign these interfaces.

What's the reason that you think it should not be done? Only because you have 1 (or 2) more (unused) Interfaces?

Quote from: Mindflayer on December 05, 2024, 06:46:21 PM
And now my question is: does it have any downsides, from a security perspective, if I don't assign/create an Interface for the igb4 (step 1) AND the VLAN (step 2)?

No. The only reason you would assign the interface is if you want to change any property, like the MAC address or MTU.

Although there's already an option in OPNsense to calculate / compensate for the MTU size with PPP connections, it assumes PPPoE over a raw ethernet interface (1500 (ethernet) + 8 (ppp) = 1508). Whereas I like to set the raw parent at 1512 (1500 (ethernet) + 8 (ppp) + 4 (vlan) = 1512), and for this I need to enable the parent to set these values. I didn't look into recent OPNsense versions regarding automagic PPP MTU settings (I believe introduced in 24.07), as I'm still using my original install from years ago (and upgraded it with every release instead of a fresh install).


@cookiemonster

A slightly updated version with screenshots of a more recent OPNsense version (with the changed internal VLAN assignment logic) is on my todo list. Will be busy for some more weeks, maybe a nice task when I try to avoid my mother-in-law during Christmas dinner... ;-)
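The MTU arithmetic in the post above (1500 + 8 + 4 = 1512 on the raw parent) and the "layered cake" Raw Ethernet -> VLAN -> PPPoE -> IP from netnut's earlier post can be walked through programmatically. The following is an added example, not code from netnut's HowTo or from OPNsense itself. It assumes the header accounting netnut describes (each encapsulation header is subtracted from the parent's MTU) and uses standard header sizes: 4 bytes for the 802.1Q tag, 8 bytes for PPPoE + PPP protocol field, and the 1492-byte PPP MRU cap of RFC 2516 that applies when RFC 4638 is not negotiated. The function and layer names are this example's own, not OPNsense settings.

```python
"""MTU at each layer of the PPPoE-over-VLAN "layered cake".

Added example. Accounting model (as described in the thread): every
encapsulation header is subtracted from the parent's MTU, so a raw
Ethernet parent needs 1500 + 8 (PPPoE/PPP) + 4 (802.1Q) = 1512 bytes to
carry a full 1500-byte IP packet over PPPoE on a VLAN.
"""

ETHERNET_MTU = 1500       # default Ethernet payload size (no jumbo frames)
VLAN_TAG = 4              # 802.1Q tag inserted by the VLAN interface
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_CLASSIC_MAX = 1492  # RFC 2516 PPP MRU cap when RFC 4638 is not negotiated
IPV4_ICMP_HEADERS = 28    # 20-byte IPv4 header + 8-byte ICMP header


def mtu_per_layer(parent_mtu, vlan=True, rfc4638=True):
    """Walk the cake top-down: raw Ethernet -> VLAN -> PPPoE -> IP.

    Returns the MTU each layer offers to the layer above it. Without
    RFC 4638 the PPP MRU is additionally capped at 1492 (RFC 2516).
    """
    layers = {"ethernet": parent_mtu}
    mtu = parent_mtu
    if vlan:
        mtu -= VLAN_TAG
        layers["vlan"] = mtu
    mtu -= PPPOE_OVERHEAD
    if not rfc4638:
        mtu = min(mtu, PPPOE_CLASSIC_MAX)
    layers["pppoe"] = mtu  # this is the IP MTU of the PPPoE interface
    return layers


def required_parent_mtu(ip_mtu=ETHERNET_MTU, vlan=True):
    """Parent MTU needed so the PPPoE interface can carry ip_mtu-byte IP packets."""
    return ip_mtu + PPPOE_OVERHEAD + (VLAN_TAG if vlan else 0)


def largest_ping_payload(ip_mtu):
    """Largest ICMP echo payload that fits an IPv4 packet of ip_mtu bytes
    without fragmentation (the value to pass to `ping -D -s`)."""
    return ip_mtu - IPV4_ICMP_HEADERS


def describe(parent_mtu, vlan=True, rfc4638=True):
    """Human-readable summary of the cake for a given parent MTU."""
    layers = mtu_per_layer(parent_mtu, vlan, rfc4638)
    chain = " -> ".join(f"{name} {mtu}" for name, mtu in layers.items())
    ok = layers["pppoe"] >= ETHERNET_MTU
    verdict = "fit" if ok else "need fragmentation or PMTUD"
    return f"{chain}; full 1500-byte IP packets {verdict}"


if __name__ == "__main__":
    # netnut's setup: parent raised to 1512, RFC 4638 negotiated with the ISP
    print(describe(1512))
    # default parent MTU with a VLAN and no RFC 4638 support
    print(describe(1500, rfc4638=False))
    print("required parent MTU with VLAN:", required_parent_mtu())
    print("DF ping payload for the PPPoE link:", largest_ping_payload(1500))
```

To check that the negotiated PPP MTU really carries full-size packets end to end, a FreeBSD/OPNsense shell can send a don't-fragment echo with the payload `largest_ping_payload()` computes, e.g. `ping -D -s 1472 <remote host>` for a 1500-byte IP MTU; if that fails but a smaller payload works, either the parent/VLAN MTU or the ISP's RFC 4638 support is the limiting layer.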

Quote from: Mindflayer on December 05, 2024, 06:48:23 PM
Quote from: Patrick M. Hausen on December 05, 2024, 06:47:28 PM
No, it does not, and you need not and IMHO should not assign these interfaces.

What's the reason that you think it should not be done? Only because you have 1 (or 2) more (unused) Interfaces?

That and a possible way for accidental misconfiguration that might weaken your setup. What isn't assigned will not carry traffic.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)