D-Link NetDefend DFL-210 User Manual page 57

Network security firewall ver. 1.05

3.3.4. PPPoE
DSL line, wireless device or cable modem. All the users on the Ethernet share a common connection, while access control can be done on a per-user basis.
Internet service providers (ISPs) often require customers to connect through PPPoE to their broadband service. Using PPPoE the provider can:
• Implement security and access control using username/password authentication
• Trace IP addresses to a specific user
• Allocate IP addresses automatically for PC users (similar to DHCP). IP address provisioning can be per user group
3.3.4.1. Overview of PPP
Point-to-Point Protocol (PPP) is a protocol for communication between two computers using a serial interface, such as a personal computer connected through a switched telephone line to an ISP. In terms of the OSI model, PPP provides a layer 2 encapsulation mechanism to allow packets of any protocol to travel through IP networks. PPP uses Link Control Protocol (LCP) for link establishment, configuration and testing. Once LCP is initialized, one or several Network Control Protocols (NCPs) can be used to transport traffic for a particular protocol suite, so that multiple protocols can interoperate on the same link; for example, both IP and IPX traffic can share a PPP link. Authentication is optional with PPP. The authentication protocols supported are Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP (versions 1 and 2). If authentication is used, at least one of the peers has to authenticate itself before the network layer protocol parameters can be negotiated using NCP. During the LCP and NCP negotiation, optional parameters, such as encryption, can be negotiated.
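The authentication protocol used on a PPPoE link is chosen during LCP negotiation: the authenticating peer names it in option 3 (Authentication-Protocol) of its LCP Configure-Request. The Python code below is an added example, not taken from the D-Link manual or NetDefendOS; it reads that option from a captured PPPoE session frame so an administrator can see whether the provider asks for PAP, which sends the password in cleartext, or a CHAP variant. The function names and sample frames are constructed for illustration, and the protocol numbers follow RFC 1661, RFC 1994 and RFC 2516.

```python
import struct

ETH_PPPOE_SESSION = 0x8864  # PPPoE session-stage EtherType (RFC 2516)
PPP_LCP = 0xC021            # PPP protocol number for LCP (RFC 1661)
CONF_REQ, OPT_AUTH = 1, 3   # LCP Configure-Request; Authentication-Protocol option
CHAP_ALGS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP v1", 0x81: "MS-CHAP v2"}

def requested_auth(frame: bytes):
    """Return the auth protocol an LCP Configure-Request asks for, else None."""
    if len(frame) < 26:  # 14 Ethernet + 6 PPPoE + 2 PPP protocol + 4 LCP header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ver_type, code, _session, plen = struct.unpack_from("!BBHH", frame, 14)
    if ethertype != ETH_PPPOE_SESSION or ver_type != 0x11 or code != 0:
        return None
    payload = frame[20:20 + plen]
    if len(payload) < 6:
        return None
    proto, lcp_code, _ident, lcp_len = struct.unpack_from("!HBBH", payload)
    if proto != PPP_LCP or lcp_code != CONF_REQ:
        return None
    opts, i = payload[6:2 + lcp_len], 0
    while i + 2 <= len(opts):
        otype, olen = opts[i], opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            return None  # malformed option list: stop rather than guess
        data = opts[i + 2:i + olen]
        if otype == OPT_AUTH and len(data) >= 2:
            (auth,) = struct.unpack_from("!H", data)
            if auth == 0xC023:
                return "PAP (cleartext password)"
            if auth == 0xC223 and len(data) >= 3:
                return CHAP_ALGS.get(data[2], "CHAP (unknown algorithm)")
            return "unknown (0x%04x)" % auth
        i += olen
    return None

def build_sample(options: bytes) -> bytes:
    """Constructed test frame: zeroed MACs, session id 1, one Configure-Request."""
    ppp = struct.pack("!HBBH", PPP_LCP, CONF_REQ, 1, 4 + len(options)) + options
    pppoe = struct.pack("!BBHH", 0x11, 0, 1, len(ppp))
    return bytes(12) + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + ppp

MRU = bytes.fromhex("010405d4")  # constructed: MRU option, 1492 bytes
SAMPLES = {
    "pap": build_sample(MRU + bytes.fromhex("0304c023")),
    "chap": build_sample(MRU + bytes.fromhex("0305c22305")),
    "mschapv2": build_sample(MRU + bytes.fromhex("0305c22381")),
}
```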
3.3.4.2. PPPoE Client Configuration
The PPPoE interface
Since the PPPoE protocol runs PPP over Ethernet, the firewall needs to use one of the normal Ethernet interfaces to run PPPoE over. Each PPPoE tunnel is interpreted as a logical interface by NetDefendOS, with the same routing and configuration capabilities as regular interfaces, and with the IP rule-set being applied to all traffic. Network traffic arriving at the firewall through the PPPoE tunnel will have the PPPoE tunnel interface as its source interface. For outbound traffic, the PPPoE tunnel interface will be the destination interface. As with any interface, one or more routes are defined so NetDefendOS knows what IP addresses it should accept traffic from and which to send traffic to through the PPPoE tunnel. The PPPoE client can be configured to use a service name to distinguish between different servers on the same Ethernet network.
IP address information
PPPoE uses automatic IP address allocation which is similar to DHCP. When NetDefendOS receives this IP address information from the ISP, it stores it in a network object and uses it as the IP address of the interface.
User authentication
If user authentication is required by the ISP, the username and password can be set up in NetDefendOS for automatic sending to the PPPoE server.
Dial-on-demand
Chapter 3. Fundamentals
