Friday, August 19, 2016

Re-Purposing VisionNet M505N Modems as Wireless Access Points, Part One: PPPoE Server

Building on my earlier topics of an "Internet of Things" isolated network and "Guest" wireless at my residence, I am now providing some details of how I use the "PPPoE Server" functionality of the pfSense firewall along with VisionNet M505N DSL modems as Wireless Access Points. The "re-purposed" (using something differently than it was intended) modems have some very good features that can easily be used to lock down the security and isolate those wireless networks. Follow me in this multi-part series as I show the configuration I have in place.

Setting up the PPPoE Server on pfSense

For this first step, I'm showing how to activate the "PPPoE Server" functionality on a pfSense firewall. If you don't have a DMZ network yet just follow along for the concepts and plan to add one. From within the interface of pfSense, go to the 'Services' menu, then select 'PPPoE Server'. Click on the 'Add' button on the right-hand side.

A "PPPoE Server" only means that we are adding a feature to the firewall that uses the authentication of a username and password to establish an Ethernet connection from another device. It may even be likely that your Internet Service Provider (ISP) uses this method over the DSL or cable Internet connection you have (but using DSL or coax cable instead of Ethernet, the 'E' in "PPPoE"). It is the same concept here, where the re-purposed DSL modem connects to the Internet through the pfSense firewall, but being isolated from the other connections to the same firewall (as you are from the other customers of your ISP).

Other concepts that I want to reinforce are planning and documentation. Open a spreadsheet to track the settings that you are going to enter. Every time you make changes to the plan, update that documentation. Here is the table we are going to use as a guide:

If you don't understand "subnetting", I plan to have future blog entries for learning that network skill. For now, you can mimic my example of a small subnet of six usable IP addresses, and another address outside that group. Keep in mind that these are addresses within your DMZ interface IP space:

Back to our PPPoE Server configuration. Check the box to 'Enable PPPoE Server'. It will be in your 'DMZ' (or a network you have named for the same purpose). I've chosen the value '4' for both 'Total User Count' and 'User Max Login' for now; these do not need to be very high values. For the 'Server Address' use the "unused IP" address from the chart we made (in my example, ""). The 'Remote Address Range' is the "Network Address" of the subnet ("" in my example). The 'Subnet mask' is entered in "CIDR notation", which is slightly confusing because the field doesn't show the leading slash ("/29" in my example denotes the size of the address block, equivalent to the form "" you may see elsewhere).

Your choice of a 'Server Address' and the subnet for the clients ('Remote Address Range' and 'Subnet mask') is required to be within the DMZ address space, but must not overlap the address of the firewall on that interface. What that means is that if your firewall interface address is at the lower end of that address space (for example, 192.168.x.1), the client subnet (a '/29' in our example) cannot be at the lowest possible range of the DMZ address space. A possible recommendation is to have the address of your DMZ interface at 192.168.x.254 and the 'Remote Address Range' set as "192.168.x.0".
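The address-planning rules in the last few paragraphs (client block inside the DMZ space, firewall interface address not inside it, server address in the DMZ but outside the client block) are easy to get wrong in a spreadsheet, so here is a small Python check that applies them and returns the values to type into the pfSense form. This is an added example, not part of the original post; the 192.168.50.x addresses in it are constructed sample values, not the author's.

```python
from ipaddress import ip_address, ip_interface, ip_network


def plan_pppoe_pool(dmz_iface, client_block, server_addr):
    """Check a PPPoE Server address plan against the DMZ interface.

    dmz_iface    -- firewall DMZ interface in CIDR form, e.g. "192.168.50.254/24"
    client_block -- 'Remote Address Range' + 'Subnet mask', e.g. "192.168.50.0/29"
    server_addr  -- 'Server Address' handed to PPPoE clients, e.g. "192.168.50.8"
    Returns the values to copy into the pfSense form, or raises ValueError
    listing every rule the plan breaks.
    """
    iface = ip_interface(dmz_iface)
    dmz = iface.network
    # strict=False turns a host address inside the block into its network
    # address, which is what pfSense expects in 'Remote Address Range'.
    pool = ip_network(client_block, strict=False)
    server = ip_address(server_addr)

    problems = []
    if not pool.subnet_of(dmz):
        problems.append(f"client block {pool} is not inside DMZ space {dmz}")
    if iface.ip in pool:
        problems.append(f"firewall DMZ address {iface.ip} lies inside client block {pool}")
    if server not in dmz:
        problems.append(f"server address {server} is not inside DMZ space {dmz}")
    if server in pool:
        problems.append(f"server address {server} must be outside client block {pool}")
    if server == iface.ip:
        problems.append("server address must not reuse the firewall's DMZ address")
    if problems:
        raise ValueError("; ".join(problems))

    usable = [str(h) for h in pool.hosts()]  # excludes network and broadcast
    return {
        "server_address": str(server),
        "remote_address_range": str(pool.network_address),
        "subnet_mask": pool.prefixlen,  # pfSense wants this without the slash
        "usable_client_addresses": usable,
        "total_user_count": len(usable),
    }


if __name__ == "__main__":
    # Constructed sample values following the post's /29 recommendation.
    print(plan_pppoe_pool("192.168.50.254/24", "192.168.50.0/29", "192.168.50.8"))
    try:  # firewall at .1 collides with a /29 at the bottom of the space
        plan_pppoe_pool("192.168.50.1/24", "192.168.50.0/29", "192.168.50.8")
    except ValueError as e:
        print("rejected:", e)
```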

You can use your public-side DNS server addresses (I lock my DMZ interface to only allowing that for DNS resolution). At a later time I am going to relocate a couple of NAS appliances to my DMZ interface that will be running DNS services (and will likely be covered in a blog entry). Scroll to the bottom of the page. This is where you will enter the PPPoE usernames, passwords, and IP addresses you documented for the subnet above. 'Save' and 'Apply' the changes.

PPPoE Client on VisionNet M505N Modem

At a later time, we will change the default username and password, as well as other network settings of the M505N. The default for the units I have is "admin" as a username, "0123456789" as a password. Once you log in to the web interface (Internet Explorer is typically needed for this task because of an older HTML standard, and we want to plug into any of the '1' - '3' Ethernet ports, not '4', the "Omni-Port") you are presented with a device information screen.

Click on the "WAN" menu item on the left. "ETH Interfaces" should be selected for being the first menu item. Select the following choices and 'Apply' the changes:

Now select the "WAN Services" menu item below that. If you have a DSL entry, check the "Remove" box in the table, then click on the 'Remove' button. Remove the entry from "DSL Services" the same way, and return here. Click on the 'Add' button.

Make sure 'eth3/ENET4' is selected in the combo box, then click on the 'Next' button:

Make sure "PPP over Ethernet (PPPoE)" is selected, then click on the 'Next' button:

On this screen you will put in the username and password you set in pfSense earlier. Check 'Enable NAT' and 'Enable Firewall'. Note, if you want to "daisy-chain" another WAP set up for PPPoE authentication in the same way (I haven't experimented with further possible IoT isolation this way), check 'Bridge PPPoE Frames Between WAN and Local Ports' to make this possible. Click on the 'Next' button once you are ready to advance.

Make sure 'ppp0' is in the first pane on the left for both the Default Gateway and DNS pages, and click the 'Next' button on each page in turn. 'Apply/Save' the settings. When you are returned to the WAN Services page, select the "Omni-Port Interface" and click on the 'Apply' button:

You should now be able to connect an Ethernet cable from the "Omni-Port" of the M505N to your DMZ interface, and it should authenticate. Verify connectivity and wait for the next article on further M505N settings. It's coming soon!
