Let’s say you’re an customer of an Oklahoma ISP with ADSL2 service and you use a Ubiquiti EdgeRouter for your router instead of the one they supplied. One day they decide to upgrade their customers to VDSL2, send out BEC Technologies BEC 8920NE gateways to the customer, and now use PPPoE. Your old ADSL2 modem no longer works because of the wider frequency bands on the wire used by VDSL2. Further, their DSLAM no longer uses ATM, but instead packet transfer mode (PTM), so your DSL gear at home needs to support that.
Let’s also say you want to usurp your ISP’s declaration of your new home router (the BEC 8920NE) because they lock the configuration and you have needs dammit (port forwardings, a Hurricane Electric 6in4 tunnel because the ISP doesn’t support IPv6, and site-to-site management VPN) that they’re never going to help you with. And frankly putting your router behind their router and doing double-NAT is stupid and breaks 6in4. So you want to continue using your awesome EdgeRouter as the main router for your home.
Because xDSL finding gear that supports PTM is annoying, I want to use my BEC gateway to move my bits from the phone line to Ethernet, and then use my EdgeRouter to handle the IP portion of things to my home network
To make all of this work you’re going to need to find/get/figure out things (*mystery hand wavy gesture*):
- Your PPPoE username/password for your connection
- Is your traffic to the ISP VLAN tagged? If so, which VLAN ID is it using?
- Set up the BEC 8920NE into bridged mode
- Set up the EdgeRouter for PPPoE
BEC 8920 configuration
When you first look at your BEC 8920NE configuration, it’s more than likely setup in router mode, runs a DHCP server for your home LAN, and probably a wireless network too. If you have login access to it, you’ll want to look at the Configuration -> WAN -> WAN Service -> [Edit] screen for details about your xDSL service.
Of particular note, the “type” here is “PPP over Ethernet (PPPoE)”, the 802.1Q VLAN ID is 35, your PPPoE username is foo, the BEC is going to learn DNS servers from the ISP, and the MTU is set to 1492. The BEC is also going to act as a DHCP client to get its WAN IP address from the ISP.
The VLAN ID can vary from ISP to ISP, altho a de facto standard seems to be using VLAN ID 35. This is something they set on their side, your gear has to match it. In this case the BEC will take care of taking tagged VLAN 35 traffic from your ISP, untagging it, and passing plain Ethernet frames out of the LAN interface.
To change the BEC from routed mode to plain bridging mode, change the “type” of the WAN service to “DSL” and keep the “Layer2 interface” as “PTM”. This will pass all PPPoE and IP termination on to your EdgeRouter.
Of special note here, don’t fiddle with the LAN settings on the BEC. It’s okay to leave the device/management IP address the same (usually 192.168.1.254). This will let you log back into the BEC configuration page later in case you want to change things or go back to router mode. In other words, switching to bridged mode isn’t going to lock you out of the BEC configuration. You’ll just need to configure a laptop or something with a 192.168.1.x IP address, and plug it into one of the BEC’s LAN ports, then you can go back to 192.168.1.254.
EdgeRouter configuration
Let’s say eth0 of your EdgeRouter is what faces your ISP. Before the configuration looked pretty basic, something like this (ignoring any sort of firewall bindings):
interfaces { ethernet eth0 { address dhcp description ISP-name duplex auto speed auto } }
What we need to do next is configure a PPPoE sub-interface. We’ll also need to configure TCP MSS clamping to account for the PPPoE overhead. I’ve seen some terrible configurations on the Ubnt forums that go like “here, dump this random configuration with a ton of firewall stuff that I’ve copy pasted from everywhere”. There’s a much simpler way to do this and you’re not bringing in somebody else’s fucked up configuration.
What about the VLAN ID from earlier? Remember, the BEC is taking care of tagging/untagging traffic to your ISP, so the Ethernet connection between your BEC and EdgeRouter will have plain, untagged Ethernet frames there. No need to configure a vif sub-interface on the EdgeRouter too.
Change the eth0 configuration on the EdgeRouter to look something like this:
interfaces { ethernet eth0 { address dhcp description ISP-name duplex auto speed auto pppoe 0 { default-route auto mtu 1492 name-server auto user-id <your PPPoE username> password <your PPPoE password> } } }
Then configure the firewall subsystem to enable MSS clamping on pppoe interfaces. Doing it this way avoids the whole complicated business of building some firewall rule to match SYN packets and fiddle with them. I’m lazy and used 1452 (not 1492!) from another example somewhere for the MSS clamp, someday I need to do the arithmetic of packet size to see if that’s correct and optimal. If you set this wrong/too-high, you’ll see weird behavior with your Internet traffic, maybe TCP won’t establish at all and web pages hang, or maybe HTTPS/SSL connections hang.
firewall { options { mss-clamp { interface-type pppoe mss 1452 } } }
This will now give us a new “pppoe0” interface when we do “show interfaces”:
[bwann@home-gw1 ~]$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u ISP-name eth1 192.168.10.1/24 u/u homenet ... pppoe0 x.x.x.x u/u ... [bwann@home-gw1 ~]$ show interfaces pppoe pppoe0 pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 100 link/ppp inet x.x.x.x peer y.y.y.y/32 scope global pppoe0 valid_lft forever preferred_lft forever RX: bytes packets errors dropped overrun mcast 219190063 1298261 0 0 0 0 TX: bytes packets errors dropped carrier collsns 55727821 886979 0 0 0 0 ...
If pppoe0 status is “UP, LOWER_UP“, and we’ve got a “inet x.x.x.x peer y.y.y.y/32” address, this means our EdgeRouter has gotten an IP address from the ISP and has established the PPPoE connection.
The interface status of eth0 is going to change because we’ve moved the IP configuration to the PPPoE interface:
[bwann@home-gw1 ~]$ show interfaces ethernet eth0 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 04:11:d6:f1:07:ff brd ff:ff:ff:ff:ff:ff inet6 fe80::611:d6ff:fef1:07ff/64 scope link valid_lft forever preferred_lft forever Description: ISP-name
This also means we need to go adjust any NAT, port forwarding, firewall, or masquerade rules on the EdgeRouter to account for the fact that we’re now using pppoe instead of eth0.
For instance, an outbound NAT for our home->internet traffic looks like this, we need to change outbound-interface:
service { nat { rule 5003 { description homenet-nat outbound-interface pppoe0 <<< was eth0 protocol all source { ... } type masquerade } } }
At this point your home network should be able to use the Internet. The EdgeRouter is once again handling your routing, firewall, VPNs, tunnels, etc. The BEC gateway is simply briding traffic from the phone line to the EdgeRouter.
All the way awesome…
so, I’m sitting in much the same situation. BEC 8920NE provided from my ISP (rural area DSL) and im locked out. cant even setup a simple port forwarding for christ sake. and tech support is laughable. their advice was “you prolly don’t need to setup anything that advanced for a home network, And our tech guy will cost you about $300 for a home visit… But if you really want to schedule that I’ll get you setup”
Anyway, you have suggestions on how to obtain access to the BEC web interface? If I reset it to defaults im pretty sure I’ll lose vital setup info that I dont have… If I could get at the data another way Im pretty sure I could factory reset and just do the setup myself..
I don’t have any good alternative options to get at the webUI, social engineering a tech? You could tell them you want port forwarding so you can get at your security system/cameras, that’s a pretty popular and legit reason these days. (Ask them why they hate home security if they balk)
If you’re lucky, see if UPNP is enabled on the device. You could try telnetting to port 1900 on your router to see if it establishes TCP, which is a good sign. And/or you could use a UPNP app to setup your own port forwardings on your router.
I hear you on the braindead ISP, that’s totally the line I would get from the one I used. You could buy a used BEC off eBay (they’re cheap if you can find one) and use it to figure out the settings. Some ISPs configure their BECs to have a less-privileged login so end-users can customize their wireless AP settings; this may let you see enough of the config to give you clues onto the DSL setup, e.g. is it using PPPoE, PPPoATM, which VLAN it’s using, what the PPP account name is. A PPP account name could be your standard ISP login if they have something where you can log onto online billing. Then you could transfer those settings to your 2nd BEC and see if it flies.
The BEC manual is online if you want to Google for it. Port forwarding will be called “Virtual Servers” on the web UI, if you feel like looking it up and spoon feeding your idiot ISP over the phone on how to set it up.
any help using this router and a cisco rv325-k9 router. I’m attempting to use the vpn capabilities to remote into the office and file share as well as remote desktop.
Hi Bryan, very nice write-up. I have a similar setup with the exception of VLAN ID mine being -1 which appears to indicate untagged. My ISP tech support suggested I use the Wireless Bridge setting under wireless sub menu. What is the difference in that and what you’ve described here.
I’m mainly interested in taking advantage of my router’s QoS.
Thanks,
~ Tony