Stour Valley Wireless - Community Networks bridging the digital divide...
 
 

How to build a PPPoE Access Concentrator

When building this network, we had a number of worries

  1. How to log a user's web activity so that potential criminal activity could be tracked
  2. How to stop abuse of the network
  3. How to encrypt and protect our users' wireless traffic
  4. How to minimise risk to the user
  5. How to manage bandwidth

We first looked at NoCatAuth, a captive portal system, as an authentication mechanism. It allowed username/password access but nothing else, and it required a pop-under web page to stay open whilst browsing. Excellent for use in a hotspot, e.g. a cafe environment, but a little clumsy for day to day web usage.

 

Banning/allowing users according to MAC address was unrealistic as we did not want to keep updating our ACLs (access control lists) every time somebody changed or added to their network hardware. We also had issues with managing the MAC addresses of SVW's own network hardware... a nightmare! A MAC address is also trivial to spoof, so a MAC ACL identifies a network card, not a person, and is no substitute for authentication.

 

PPPoE (Point-to-Point Protocol over Ethernet) seemed the answer. It carries PPP, the protocol used when a modem dials into a modem pool, inside Ethernet frames. A PPPoE client on the user's computer broadcasts a discovery request, a PPPoE server (commonly called an Access Concentrator) answers it, and the two negotiate a PPP session across the network hardware (wired or wireless); the user's supplied username/password is then checked inside that PPP session before any IP address is handed out. PPPoE sits below IP: discovery and session frames use their own EtherTypes (0x8863 and 0x8864) rather than IP, and on the user's PC the PPP link shows up under ipconfig as a separate connection alongside the physical adapter.
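The discovery exchange described above, as an added example that is not part of the original page and not MikroTik's or any other AC's code: a client broadcasts PADI, the AC offers with PADO, the client requests with PADR, and the AC confirms with PADS carrying the session ID (0 means refused); PADT tears the session down. The MAC addresses, AC name, service name and cookie key are constructed for the demo. Two AC-side checks are included: a stateless AC-Cookie (RFC 2516 allows one; the HMAC construction here is an assumption) so that a flood of spoofed PADIs cannot exhaust the AC, and the "one session per host (MAC)" rule mentioned later on this page, refused here with a Generic-Error tag, which is this example's choice rather than documented RouterOS behaviour.

```python
"""PPPoE discovery (RFC 2516) between a client and an Access Concentrator.
Constructed demo: MAC addresses, AC name, service name and cookie key are made up."""
import hashlib
import hmac
import struct

ETH_DISCOVERY = 0x8863        # EtherType of discovery frames (session frames use 0x8864)
BROADCAST = b"\xff" * 6
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, TAG_GENERIC_ERROR = 0x0103, 0x0104, 0x0203


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver 1, type 1) + TLV tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETH_DISCOVERY)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)


def parse_frame(frame):
    """Return (dst, src, code, session_id, tags); reject lengths that overrun the frame."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if vertype != 0x11 or len(payload) != length:
        raise ValueError("bad PPPoE header")
    tags, off = [], 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        if tag_type == TAG_END:
            break
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag")
        tags.append((tag_type, value))
        off += 4 + tag_len
    return frame[:6], frame[6:12], code, session_id, tags


class AccessConcentrator:
    def __init__(self, mac, ac_name, service, cookie_key):
        self.mac, self.ac_name, self.service, self.cookie_key = mac, ac_name, service, cookie_key
        self.sessions = {}        # session_id -> client MAC
        self.next_session = 1

    def _cookie(self, client_mac):
        # Stateless AC-Cookie (assumed HMAC construction): nothing is stored when a PADI
        # arrives, so a flood of spoofed PADIs cannot exhaust the AC; a PADR only gets a
        # session if it echoes the cookie, i.e. its sender really received our PADO.
        return hmac.new(self.cookie_key, client_mac, hashlib.sha256).digest()[:8]

    def handle(self, frame):
        """Process one client frame; return the AC's reply frame, or None."""
        dst, src, code, session_id, tags = parse_frame(frame)
        tagmap = dict(tags)
        echo = [(TAG_HOST_UNIQ, tagmap[TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in tagmap else []
        if code == PADI and dst == BROADCAST:
            if tagmap.get(TAG_SERVICE_NAME, b"") not in (b"", self.service):
                return None       # RFC 2516: PADIs for services we do not offer are ignored
            return build_frame(src, self.mac, PADO, 0, echo + [
                (TAG_SERVICE_NAME, self.service), (TAG_AC_NAME, self.ac_name),
                (TAG_AC_COOKIE, self._cookie(src))])
        if code == PADR and dst == self.mac:
            if not hmac.compare_digest(tagmap.get(TAG_AC_COOKIE, b""), self._cookie(src)):
                return None       # forged or replayed PADR: drop silently
            echo.append((TAG_SERVICE_NAME, self.service))
            if src in self.sessions.values():
                # "one session per host": a MAC that already has a tunnel is refused
                return build_frame(src, self.mac, PADS, 0,
                                   echo + [(TAG_GENERIC_ERROR, b"host already has a session")])
            session_id, self.next_session = self.next_session, self.next_session + 1
            self.sessions[session_id] = src
            return build_frame(src, self.mac, PADS, session_id, echo)
        if code == PADT and dst == self.mac and self.sessions.get(session_id) == src:
            del self.sessions[session_id]   # only the session's own host may tear it down
        return None


def client_discovery(ac, client_mac, host_uniq=b"svw-1"):
    """Client side of PADI -> PADO -> PADR -> PADS; returns the session id (0 = refused)."""
    pado = ac.handle(build_frame(BROADCAST, client_mac, PADI, 0,
                                 [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        return 0
    _, ac_mac, code, _, tags = parse_frame(pado)
    offer = dict(tags)
    if code != PADO or offer.get(TAG_HOST_UNIQ) != host_uniq:
        return 0                  # not an offer, or not a reply to our PADI
    pads = ac.handle(build_frame(ac_mac, client_mac, PADR, 0, [
        (TAG_SERVICE_NAME, offer[TAG_SERVICE_NAME]), (TAG_HOST_UNIQ, host_uniq),
        (TAG_AC_COOKIE, offer[TAG_AC_COOKIE])]))
    _, _, code, session_id, _ = parse_frame(pads)
    return session_id if code == PADS else 0


def client_terminate(ac, client_mac, session_id):
    """PADT from the client: the AC frees the session so the same host may reconnect."""
    ac.handle(build_frame(ac.mac, client_mac, PADT, session_id, []))
```

Running client_discovery twice from the same MAC returns a session ID the first time and 0 the second; after client_terminate the host gets a fresh session again. A PADR that does not carry the right cookie, or a PADI naming a service the AC does not offer, gets no reply at all, which is also what a real AC should do: nothing in the discovery phase should cost the AC memory before the client has proven it can receive frames.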

 

Most ADSL ISPs world-wide now use this system. PPPoE simplifies matters as:

  • users can be authenticated via a username/password
  • a user can be assigned an IP address based on their supplied username/password. If we hand out the same public IP address to a user every time they log in, then we can log their web activity against that address, and more importantly so can the ISP that provides us with connectivity. If SVW is the source of any criminal activity then there will be two sets of logs for the police to investigate, and the AC's own accounting ties the address to a username and a session start and stop time
  • users do not need to get their hands dirty tinkering under the bonnet with the IP addresses of their network hardware
  • users are used to dialling into their Internet provider. The PPPoE connection can be left open as long as they want
  • the tunnel between the user and the AC (access concentrator) can be encrypted (MPPE, the PPP encryption also used by dial-up and VPN clients), so the weaknesses of WEP no longer matter for traffic inside the tunnel. Authentication can use CHAP rather than PAP, so the password itself is never sent in the clear. Note that CHAP does not encrypt anything: the client answers a random challenge with a hash of the password, and somebody sniffing the radio network can still try to guess a weak password offline from that exchange, so insist on strong passwords
  • security on the network is improved by reducing the amount of IP traffic on the shared wireless segment. If users unbind TCP/IP (and file and printer sharing) from their wireless adapter so that only the PPPoE client is bound to it, their machine has no IP address on the radio network at all; other users and passers-by on that segment can then only reach it through the AC, so it is much less exposed to attack

There are three main options when building an AC:

  • FreeBSD: PPPoE support is built into the kernel (the netgraph ng_pppoe node)
  • Linux: Roaring Penguin's free rp-pppoe package contains a PPPoE client and a PPPoE server (pppoe-server)
  • a dedicated router OS

After getting nowhere with the first two options due to lack of UNIX knowledge ;) we decided to test MikroTik's RouterOS. The demo version was limited to 4 PPPoE tunnels but we soon upgraded to their full licence ($45) when we saw what it could do:

  1. We downloaded the OS and installed it on an old PC: 30 mins
  2. We followed the instructions on how to set up a PPPoE server: 10 mins

Perceived benefits:

  • Very quick and easy to set up. We built an AC on an old PC (HP Vectra) with 2 NICs within an hour
  • Cheap
  • The router can be configured either on the command line or via a proprietary GUI

Additional benefits:

  • the router can limit bandwidth per username, i.e. somebody can pay less and when they sign in they only get a 128 kbit/s connection
  • the router also accounts all traffic against the username, so you soon spot any bandwidth hogs
  • 128-bit encryption of the tunnel (MPPE) on top of CHAP/MS-CHAP authentication
  • a maximum of 100000(!) PPPoE tunnels
  • the router also provides a web proxy, DNS cache and other services (have a look at the website for the whole list)
  • if needed, a username can be tied to a particular MAC address as well as a password; remember that a MAC address can be spoofed, so treat this as a convenience rather than a security boundary
  • the router can provide a hotspot service, i.e. all non-authenticated users are redirected to a captive web page that tells them what service is available and how to get connected
  • the router integrates with a RADIUS server if required for authentication, logging and accounting; these can also be done on the router itself

Remember when setting up your PPPoE server:

  • the interface facing the users should have no IP address assigned to it. PPPoE runs at the Ethernet layer, so none is needed, and an interface without an address cannot be reached or attacked over IP from the shared wireless segment; only the PPP tunnels carry IP
  • encryption of the authentication exchange and of the PPP tunnel is optional and is switched on per user profile. We do not require it; it is the responsibility of the user to look after their own data. If you do require it, remember that it only protects the hop between the user and the AC, not traffic beyond the AC
  • we only allow one host (MAC address) per connection
  • we only allow a username to be logged in once at a time; this stops people sharing a password to get a free service
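The authentication side of those rules, as an added example that is not part of the original page and not MikroTik's code: the AC challenges the client with CHAP (RFC 1994), the client answers with MD5(identifier || password || challenge) so the password never crosses the wire, and the AC refuses a correct answer for a username that is already online. The usernames and passwords are constructed for the demo; the session IDs stand in for the PPPoE session that the AC has just set up. The last function shows what the CHAP exchange does not protect against, a sniffer guessing a weak password offline, which is the reason to combine it with tunnel encryption and decent passwords.

```python
"""CHAP (RFC 1994) as run by the AC, plus the 'one login per username' rule.
Constructed demo: usernames and passwords are made up."""
import hashlib
import hmac
import os


def chap_response(chap_id, secret, challenge):
    """What the client sends back: MD5(Identifier || secret || Challenge).
    The password itself never crosses the wire."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    def __init__(self, secrets):
        self.secrets = secrets        # username -> password (plain text, as CHAP requires)
        self.pending = {}             # session_id -> (chap_id, challenge) awaiting a response
        self.active = {}              # username -> session_id of the live tunnel

    def challenge(self, session_id):
        """Issue a fresh, unpredictable challenge for this PPP session."""
        chap_id, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[session_id] = (chap_id, challenge)
        return chap_id, challenge

    def verify(self, session_id, username, response):
        """Check the client's response; accept only if the name is not already online."""
        if session_id not in self.pending:
            return False              # no outstanding challenge: replayed or unsolicited
        chap_id, challenge = self.pending.pop(session_id)
        # Hash against a dummy secret for unknown users so the timing of a failure
        # does not reveal which usernames exist.
        expected = chap_response(chap_id, self.secrets.get(username, "\0no-such-user"), challenge)
        if username not in self.secrets or not hmac.compare_digest(expected, response):
            return False
        if username in self.active:
            return False              # already logged in elsewhere: a shared password is useless
        self.active[username] = session_id
        return True

    def logout(self, session_id):
        """Called when the PPP session ends, so the username may log in again."""
        self.active = {u: s for u, s in self.active.items() if s != session_id}


def offline_guess(chap_id, challenge, response, candidates):
    """What a sniffer on the radio network can do with a captured exchange: CHAP
    hides the password but not a weak one, so the tunnel should be encrypted and
    passwords must be strong."""
    for guess in candidates:
        if chap_response(chap_id, guess, challenge) == response:
            return guess
    return None
```

verify consumes the challenge whether or not it succeeds, so a captured response cannot be replayed into a later session, and the duplicate-login check runs only after the password has been verified, so an attacker cannot use it to learn whether a given user is online without knowing their password.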

We recommend you have a look; coming from a GUI background, pointing and clicking to set up our AC made our lives much easier.

 

 

Last update Wednesday, March 14, 2007 2:24 PM