PPPoE Server

pfSense® software can act as a PPPoE server, accepting and authenticating connections from PPPoE clients on a local interface, in the role of an access concentrator (LAC). This feature can be used to force users to authenticate before gaining network access, or otherwise control their login behavior.

The PPPoE Server is located at Services > PPPoE Server.

PPPoE Server Settings

The PPPoE Server page has several options, which fall into multiple categories.

Server Settings

These options control the general behavior of the PPPoE Server.

Enable

When checked, this PPPoE Server instance will be active.

Interface

The single interface upon which PPPoE service will be available.

Total User Count

Determines how many clients in total are allowed to connect to this instance.

User Max Logins

Determines how many times a single client may login concurrently.

Server Address

The IP address which the firewall will send to the PPPoE clients to use as their gateway.

Warning

This IP address must not be an IP address currently in use on the firewall.

Remote Address Range

The IP address for the start of the PPPoE client subnet. Together with the Subnet Mask it defines the network used by the PPPoE clients.

Subnet Mask

Defines the CIDR mask assigned to PPPoE clients.

Description

Optional explanatory text for this server instance.

DNS Servers

Optional fields used to send specific DNS servers to the PPPoE clients, otherwise the firewall IP address will be sent to the client for DNS if the DNS Forwarder or DNS Resolver are enabled. If the DNS Forwarder and DNS Resolver are both disabled, then the DNS servers configured on the firewall will be sent instead.

RADIUS Settings

These options configure RADIUS authentication for the server.

Use RADIUS Authentication

Check to configure the PPPoE server to use at least one RADIUS server for Authentication instead of local users.

Use RADIUS Accounting

Optional, sends RADIUS accounting data to the RADIUS server to note items such as login and logout times, and bandwidth used.

Use a Backup RADIUS Authentication Server

A second RADIUS server to use if the primary RADIUS server fails.

NAS IP Address

Optional, sends a specific IP address to the RADIUS server for the NAS-IP-Address attribute.

RADIUS Accounting Update

The interval at which accounting data is sent to the RADIUS server, in seconds.

RADIUS Issued IP Addresses

When checked, IP addresses can be assigned to users via RADIUS reply attributes.

Primary RADIUS Server

The preferred RADIUS server to use for Authentication.

IP Address

The IP address of the RADIUS server.

Authentication Port

The port used for authentication (typically 1812).

Accounting Port

The port used for accounting data (typically 1813).

Primary RADIUS Server Shared Secret

The shared secret configured for this firewall on the RADIUS server. The same value must be entered in the Confirm box.

Secondary RADIUS Server

Same type of settings as the primary, but defines the secondary RADIUS server.

Users

The user list defines account credentials the server will allow when not using RADIUS authentication.

Username

The username for the user account.

Password

The password for the user account.

IP Address

An optional static IP address to assign the user at login.

PPPoE Server Configuration

Multiple PPPoE servers may be configured on separate interfaces. Each of the available options are covered above.

To begin setting up a PPPoE server:

  • Navigate to Services > PPPoE Server

  • Click fa-plus Add to add a new server entry

  • Configure the PPPoE Server settings

  • Choose an authentication source, either RADIUS or manually defined users

    • Configure RADIUS if that will be utilized for user authentication

    • Add users to the server to utilize local authentication if not using RADIUS

      • Click fa-plus Add User

      • Fill in the credentials and settings for the user.

      • Repeat as needed

  • Click Save