Setting Up a PPPoE Access Server
If your company is a service provider, you can offer Internet and other services
to clients that reach your site through DSL connections. The procedure involves determining which interfaces
on the server to involve in the PPPoE tunnel and defining which services are
made available to the users.
How to Set Up a PPPoE Access Server
Use this procedure to define the Ethernet interface to be used for the PPPoE
tunnel and to configure the services that the access server offers.
- Become superuser on the access server or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a
role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Add the name of the Ethernet interfaces that are dedicated to the PPPoE tunnels to
the /etc/ppp/pppoe.if file.
For example, you would use the following /etc/ppp/pppoe.if file for the access server
dslserve that is shown in Example of a Configuration for a PPPoE Tunnel.
# cat /etc/ppp/pppoe.if
hme1
hme2
- Define global services that are provided by the access server in the /etc/ppp/pppoe file.
The following /etc/ppp/pppoe file lists the services that are provided by access server
dslserve, which was shown in Figure 16-5.
device hme1,hme2
service internet
pppd "proxyarp 192.168.1.1:"
service debugging
pppd "debug proxyarp 192.168.1.1:"
In the file example, Internet service is announced for dslserve's Ethernet interfaces hme1
and hme2. Debugging is turned on for PPP links on the Ethernet interfaces.
- Set up the PPP configuration files in the same way that you would for
a dial-in server.
For more information, refer to Creating an IP Addressing Scheme for Callers.
- Start the pppoed daemon.
# /etc/init.d/pppd start
pppd also plumbs the interfaces that are listed in /etc/ppp/pppoe.if.
- (Optional) Verify that the interfaces on the server are plumbed for PPPoE.
# /usr/sbin/sppptun query
hme1:pppoe
hme1:pppoed
hme2:pppoe
hme2:pppoed
The previous sample shows that interfaces hme1 and hme2 are currently plumbed for PPPoE.
You can also use the /usr/sbin/sppptun command to manually plumb interfaces for PPPoE. For
instructions, refer to /usr/sbin/sppptun Command.
How to Modify an Existing /etc/ppp/pppoe File
- Become superuser on the access server or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a
role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Modify /etc/ppp/pppoe, as needed.
- Cause the pppoed daemon to recognize the new services.
# pkill -HUP pppoed
How to Restrict the Use of an Interface to Particular Clients
The next procedure shows how to restrict an interface to a group of PPPoE
clients. Before performing this task, you need to obtain the real Ethernet MAC addresses
of the clients you are assigning to the interface.
Note - Some systems allow you to change the MAC address on the Ethernet interface. You
should view this ability as a convenience factor, not a security measure.
Using the example that is shown in Example of a Configuration for a PPPoE Tunnel, these steps show how to reserve
one of dslserve's interfaces, hme1, for clients at MiddleCo.
- Configure the access server's interfaces and define the services, as shown in How to Set Up a PPPoE Access Server.
- Create entries for clients in the server's /etc/ethers database.
Here is a sample entry for clients Red, Blue, and Yellow.
8:0:20:1:40:30 redether
8:0:20:1:40:10 yellowether
8:0:20:1:40:25 blueether
The sample assigns the symbolic names redether, yellowether, and blueether to the Ethernet
addresses of clients Red, Yellow, and Blue. The assignment of symbolic names to the MAC
addresses is optional.
- Restrict services that are provided on a specific interface by defining the following information in
the /etc/ppp/pppoe.device file.
In this file, device is the name of the device to be defined.
# cat /etc/ppp/pppoe.hme1
service internet
pppd "name dslserve-hme1"
clients redether,yellowether,blueether
dslserve-hme1 is the access server's name, which is used in matching entries in the
pap-secrets file. The clients option restricts the use of interface hme1 to clients with
the symbolic Ethernet names redether, yellowether, and blueether.
If you did not define symbolic names for client's MAC addresses in /etc/ethers, you can
use the numeric addresses as arguments for the clients option. Wildcards are allowed.
For example, you can specify the numeric address clients 8:0:20:*:*:*. By using wildcards, all matching addresses in
/etc/ethers are accepted.
- Create the /etc/ppp/pap-secrets file for the access server:
Red dslserve-hme1 redpasswd *
Blue dslserve-hme1 bluepasswd *
Yellow dslserve-hme1 yellowpassd *
The entries are the PAP names and passwords of clients that are allowed to
run PPP over dslserve's hme1 interface.
For more information about PAP authentication, see Configuring PAP Authentication.
See Also
The following list provides references to related information.