Controllerless Networks


IAP PPPoE VLAN

  • 1.  IAP PPPoE VLAN

    Posted Aug 01, 2022 01:38 PM
    Hello guys,

    This is my first post here on the Aruba Community, but you guys have already helped me a lot while setting up Aruba devices and software.

    I'm trying to set up an Aruba AP-203R in Instant AP mode to dial up my ISP through PPPoE. In the past, I got it working successfully with another PPPoE provider, but I changed to another ISP that requires a specific VLAN to dial up through PPPoE successfully.

    It uses fiber, so I bought a GPON (Huawei EG8010H) to convert fiber to Ethernet, connected it to the AP-203R eth0 port and set up the PPPoE credentials on the Configuration page of the Instant AP, but it fails. I checked the GPON authentication on my GPON and its password is correct, but my GPON does not allow setting a specific VLAN, and I believe I could not find a way to set it on the AP-203R either. My ISP requires the Internet traffic to go through VLAN ID 600. I already tried setting "Uplink switch VLAN" (enet-vlan) to VLAN ID 600 and setting it as Admin UP and Native VLAN in the "Wired Profile", but it still does not work. I believe it's not working because for some reason the Instant AP isn't tagging the traffic with VLAN ID 600, because if I set my ISP router to bridge mode (it has a fiber port, so it has a built-in ONU) with VLAN 600 tagged and set up the PPPoE credentials from my ISP, it works just fine. It fails only when I use the external GPON.

    If I try to use my external GPON and my Linux machine to connect through PPPoE, it fails too, even when I spoof the ISP router's MAC address, but it also works just fine with my ISP router in bridge mode (instead of my external GPON) when I dial PPPoE from my Linux machine.

    I noticed that the "pppoe-password" hash changes every time the AP restarts, but it doesn't seem to be an issue, because it changes even when using my ISP router in bridge mode and it works just fine.

    So I would like to know if it's possible to tag VLAN traffic on the eth0 port. It seems that TP-Link, ASUS and other home vendors allow setting a VLAN ID for Internet, telephone (VoIP) and IPTV traffic, as most providers seem to offer those services through fiber instead of satellite (TV) and ADSL/RJ-11 (telephone). So it seems to be a great feature to add to PPPoE mode on Aruba Instant AP and the Aruba Instant On product line, so it could possibly replace the ISP router using an ONU.

    A thing I am willing to test in the future is to buy another GPON that offers VLAN tagging and bridge mode, if Instant AP does not allow VLAN tagging for PPPoE, so I could replace my ISP router using less power (watts) than my ISP router, and less space too.

    Sorry for my bad English. English isn't my native language.

    Here's the config that I tried, setting eth0 to VLAN ID 600, but it fails to connect to the PPPoE server (show pppoe status). The pppd debug log (show pppoe debug-log) seems to return empty even when I enable IAP debug logs.

    20:4c:03:1a:fd:8c# show running-config
    version 8.9.0.0-8.9.0
    virtual-controller-country BR
    virtual-controller-key 008d4f0401adb6436e944042aff47409cd5ee2feb8cc8b08ee
    name SetMeUp-1A:FD:8C
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps

    allowed-ap 20:4c:03:1a:fd:8c



    arm
    wide-bands 24ghz,5ghz
    80mhz-support
    min-tx-power 12
    max-tx-power 127
    band-steering-mode prefer-higher-band
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning
    client-match

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless



    extended-ssid
    web-server
    ssl-protocol tlsv1_2

    hash-mgmt-password
    hash-mgmt-user admin password hash 085a42f902590c789904ac2d639e6fa0dbc53ac183fc1247227d7371206685b46303f63328


    wlan access-rule default_wired_port_profile
    index 0
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 1
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule HOMEOLIVEIRA
    index 2
    rule any any match any any any permit

    wlan ssid-profile HOMEOLIVEIRA
    enable
    index 0
    type employee
    essid HOMEOLIVEIRA
    wpa-passphrase 8443743fc1848ba609a17d5d53f64a984a79d6c2da2faf19
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan guest
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    enet-vlan 600
    auth-survivability cache-time-out 24


    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none



    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 600
    no shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    auth-server InternalServer
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180

    pppoe-uplink-profile
    pppoe-username cliente@cliente
    pppoe-passwd 498241d46d7800940651d78e4a339875



    airgroup
    disable

    airgroupservice airplay
    disable

    airgroupservice airprint
    disable


    cluster-security
    allow-low-assurance-devices

    ----------------------------------------------------------------------------------------------------------------------------------------

    Here's the config that is working in bridge mode:

    version 8.9.0.0-8.9.0
    virtual-controller-country BR
    virtual-controller-key f4f742b801f46824b50b250a6d5a7a024b68dd1ee9a4c50a10
    name SetMeUp-1A:FD:8C
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps

    allowed-ap 20:4c:03:1a:fd:8c



    arm
    wide-bands 24ghz,5ghz
    80mhz-support
    min-tx-power 15
    max-tx-power 127
    band-steering-mode prefer-higher-band
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless



    extended-ssid
    web-server
    ssl-protocol tlsv1_2

    hash-mgmt-password
    hash-mgmt-user admin password hash f064423f0262b5d11cc1fe0a84855f55ce137f21972a91a509cd9eafed398f3eed359c2bf2


    wlan access-rule default_wired_port_profile
    index 0
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 1
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule HOMEOLIVEIRA
    index 2
    rule any any match any any any permit

    wlan ssid-profile HOMEOLIVEIRA
    enable
    index 0
    type employee
    essid HOMEOLIVEIRA
    wpa-passphrase eb6be60185db83d0605bd65112f466f602376390b69375ae
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan guest
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24


    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none



    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180

    pppoe-uplink-profile
    pppoe-username cliente@cliente
    pppoe-passwd fe343b7bb4c45c7ebf4ca722258b4834



    airgroup
    disable

    airgroupservice airplay
    disable

    airgroupservice airprint
    disable


    cluster-security
    allow-low-assurance-devices


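    The poster's hypothesis is that the Instant AP sends its PPPoE discovery frames untagged. That is checkable on the wire without touching the AP at all: a PADI tagged for the ISP's VLAN carries an 802.1Q header (EtherType 0x8100, VLAN ID 600 in the TCI) in front of the PPPoE discovery EtherType 0x8863, while an untagged PADI starts with 0x8863 right after the source MAC. The Python below is an added example written for this page; it is not code from the poster or from Aruba. It builds a PADI (RFC 2516) with and without the tag, parses frames back, and audits a classic pcap for PPPoE discovery frames that carry, lack, or mis-tag the expected VLAN. The client MAC is a constructed locally administered address (not the AP's address shown in the post), VLAN 600 is taken from the post, and the sample frames are built in memory rather than captured.

```python
"""Build and inspect VLAN-tagged PPPoE discovery frames (RFC 2516 + 802.1Q).
Added example: standard library only; the pcap helpers handle classic pcap, not pcapng."""
import struct
from typing import Iterator, List, Optional

ETH_P_8021Q = 0x8100        # 802.1Q tag follows the source MAC
ETH_P_PPPOE_DISC = 0x8863   # PPPoE discovery stage (PADI/PADO/PADR/PADS/PADT)
BROADCAST = b"\xff" * 6
PPPOE_VER_TYPE = 0x11       # version 1, type 1
CODE_PADI = 0x09
TAG_SERVICE_NAME = 0x0101
TAG_HOST_UNIQ = 0x0103


def _tag(tag_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tag_type, len(value)) + value


def build_padi(src_mac: str, vlan_id: Optional[int] = None,
               service_name: bytes = b"", host_uniq: Optional[bytes] = None) -> bytes:
    """PADI as a client sends it; with vlan_id set, an 802.1Q header (PCP 0, DEI 0) is inserted."""
    payload = _tag(TAG_SERVICE_NAME, service_name)   # RFC 2516: exactly one Service-Name, may be empty
    if host_uniq is not None:
        payload += _tag(TAG_HOST_UNIQ, host_uniq)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADI, 0, len(payload)) + payload
    frame = BROADCAST + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id)  # TCI with PCP=0 and DEI=0 is just the VID
    return frame + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet (+ optional 802.1Q) and, for PPPoE discovery, the code and TLV tags."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": vlan, "ethertype": ethertype}
    if ethertype == ETH_P_PPPOE_DISC:
        ver_type, code, session, length = struct.unpack("!BBHH", frame[off:off + 6])
        if ver_type != PPPOE_VER_TYPE:
            raise ValueError("unsupported PPPoE version/type")
        body, tags, p = frame[off + 6:off + 6 + length], [], 0
        while p + 4 <= len(body):
            ttype, tlen = struct.unpack("!HH", body[p:p + 4])
            tags.append((ttype, body[p + 4:p + 4 + tlen]))
            p += 4 + tlen
        info.update(code=code, session=session, tags=tags)
    return info


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet); zero timestamps, this is test data."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield Ethernet frames from a classic pcap in either byte order."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def audit_capture(pcap: bytes, expected_vlan: int) -> dict:
    """Count PPPoE discovery frames by how they are tagged relative to the ISP's VLAN."""
    counts = {"tagged": 0, "untagged": 0, "other_vlan": 0}
    for frame in iter_pcap_frames(pcap):
        info = parse_frame(frame)
        if info["ethertype"] != ETH_P_PPPOE_DISC:
            continue
        if info["vlan"] is None:
            counts["untagged"] += 1
        elif info["vlan"] == expected_vlan:
            counts["tagged"] += 1
        else:
            counts["other_vlan"] += 1
    return counts


if __name__ == "__main__":
    CLIENT_MAC = "02:00:00:00:06:00"   # constructed, locally administered; not the AP's MAC
    tagged = build_padi(CLIENT_MAC, vlan_id=600, host_uniq=b"\x00\x01")
    untagged = build_padi(CLIENT_MAC)
    print("tagged  :", tagged.hex())    # ... 8100 0258 8863 1109 0000 ...
    print("untagged:", untagged.hex())  # ... 8863 1109 0000 ...
    print(audit_capture(build_pcap([tagged, untagged]), 600))
```

    To run it against the real link, put a Linux box with two NICs bridged (or a switch mirror port) between the AP's eth0 and the ONU, capture on the physical interface rather than on a VLAN sub-interface (a sub-interface strips the tag before libpcap sees it), write the capture with `tcpdump -i <iface> -w padi.pcap`, and call `audit_capture(open("padi.pcap", "rb").read(), 600)`. A result of all `untagged` while the AP is dialling is direct evidence for the behaviour the post describes; `other_vlan` would mean the native-VLAN setting is tagging, just not with 600. For a quick look without the script, `tcpdump -e -nn 'vlan 600 and pppoed'` prints only discovery frames that already carry the right tag.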
  • 2.  RE: IAP PPPoE VLAN

    EMPLOYEE
    Posted Aug 04, 2022 08:30 PM
    You can tag the mgmt VLAN of the Aruba Instant in this way.


    Ensure that the Virtual Controller VLAN is not the same as the native VLAN of the IAP.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------