PPPoE Setup

General Instructions for All Routers

1) Verify that router firmware is up to date (see Links To Router Support Pages below)

2) Configure router for PPPoE:

2a) *Clear* all static IP configuration in the router (DNS, gateway, mask,…). Sometimes clear means put in zeroes; depends on the router.

2b) *Clear* DNS info supplied to LAN-side clients and verify that WAN-side DNS info is passed on to the DHCP clients (many routers do this automatically, some require a separate checkbox)

2c) Enter PPPoE username/password.  Your PPPoE user name and password can be obtained from the LCWA Treasurer. Write the password down and keep it in a safe, but easily accessible place.

2d) Set the MTU to “Manual” and enter 1480 in the box

2e) If there is a checkbox labeled “Connection Keep Alive” or “Always Stay Connected”, make sure that this is enabled. If there is the option to enter a “Keep Alive Redial Time” or similar, set this to 60 seconds.

2f) Do *not* enter any information in the box labeled “Service Name” (or similar). This *must* be left empty (no spaces, nothing, nada, zilch).

2g) Make sure router is a DHCP *server* for the LAN

3) Save all settings.

4) Navigate to router’s status page and verify PPPoE connectivity; click the Connect button if necessary.

4a) Verify that MTU is 1480

4b) Verify that DNS servers listed are 4.2.2.4 and 8.8.8.8 … if the only things showing are the 10.181.0.31 and 10.181.0.30 that we use for static IP addressing, go back to 2a and clear them; re-check everything else.

5) Clear DNS info in all computers/devices on the member LAN. On Macs it is usually sufficient to disconnect from the network and reconnect (if wired, unplug ethernet cable, count slowly to 10, re-plug; if AirPort, select “Turn Airport Off” from the AirPort menu, count to 10, turn back on). See below for Windows computers.

NOTES: 2a/b can be accomplished by resetting the router to factory defaults. I prefer not to do that as a first step, only as last resort. If you go this route, you *must* re-enable any security settings (SSID, WPA2 keys, etc.) and advanced settings that were in the router before you

Cisco/Linksys Routers

Newer Cisco/Linksys routers are more insistent about using the “Cisco Connect” software (on the CD) to do installation than older models were. The documentation (PDF) from Cisco includes instructions for how to configure the router via the web interface.

0) Read the following instructions completely.

1) Don’t fall for the “use installation CD” trap.

2) Do not insert the CD into your CD drive. Throw the CD in the trash. As added protection, break it into tiny pieces first (wear eye protection). Some home shredders will do a nice job at this.

3) Point your browser to the Cisco web site for your router, probably found at

<http://homesupport.cisco.com/en-us/support/routers/E1000>

or

<http://homesupport.cisco.com/en-us/support/routers/E1200>

or

<http://homesupport.cisco.com/en-us/support/routers/E2500>

(or change that last part to the model number of your router; failing that, google is your friend).

Download the PDF User Guide from Cisco (right there at the top at “View User Guide”). Skip to the “Advanced Configuration” or “Setting Up: Advanced” section (depending on router model). Do not retrieve the CD from the trash.

3a) While there (Cisco web site for your router), locate and download any firmware update (via the “Downloads” tab). Save this for step 8 below.

4) Connect to the web interface of the router at 192.168.1.1, which will try again to get you to use the CD (you broke it in pieces, right?). Log in with blank user name and password ‘admin’ (no quotes).

5) Read everything on this screen carefully. It will try to convince you to use Cisco Connect. Don’t give in. Choose the option for manual/advanced configuration (which is near the bottom and slightly obfuscated, as I recall).

6) The next screen will make all sorts of dire warnings about using the web interface for configuration, including implied threats that every computer you own might be bricked in the process, your car will never run properly again, your hair will fall out, teeth will rot, and Earth will be plunged into perpetual darkness. Ignore them. Choose the “yes, I really am sure I want to do this” (or similar) option.

7) Once you get to this point, you should see a familiar shades-of-blue-and-gray screen we all know and love. Don’t start any configuration settings, just yet.

8) Skip this step if there was no new firmware for your router. Locate the firmware you downloaded in step 3a. Choose the “Administration” tab and update the firmware.

9) After rebooting and re-connecting to the router web interface, proceed with configuration.

10) Proceed tab by tab, screen by screen to ensure that everything is as you want it. Most defaults will be adequate, but you MUST change passwords and a few other settings as noted below.

11) Be sure to change the administrator password.

12) For wireless settings, set the SSID to something you like and choose a WPA2 password/passphrase for your wireless network.

13) Disable “Wi-Fi Protected Setup” (WPS). It sounds nice, but there are newly-discovered vulnerabilities that essentially allow unauthorized access to your wireless network when WPS is enabled. Bite the bullet and manually enter the SSID and password/passphrase on each wireless device you want to allow to use your network. You only need to do it one time for each device unless/until you decide to change the SSID and/or the password/passphrase.

And many devices are not WPS-enabled, so you will be doing manual configurations anyway; it's a good way to get your SSID and password/passphrase embedded in gray matter.

DISCLAIMER #1: I configured a new E1200 for a new member on Sunday. I don’t have one of these on hand to verify some details above (e.g., what the prompts/buttons are on the first few screens of the web configuration). If I can get my hands on one of these and return it to factory defaults, I will happily enhance above instructions with screen captures.

DISCLAIMER #2: The PDF manual for the E1200, E1500, E2500, E320, E4200 is the same file, suggesting that my instructions above will work for any of those. Jerry Zollars reported that the only way he could configure a new E2500 was via Cisco Connect from the CD. YMMV. Same comment w.r.t. screen shots.

Netgear Routers: Step-by-Step Conversion to PPPoE

If you are an LCWA member (client) and want to switch your home computer(s) to PPPoE, it is only necessary to make a few changes in the configuration settings of your home router. Normally, no changes are required for your rooftop wireless transceiver (e.g., Tranzeo), unless you also plan to change your Access Point (e.g., from LCWNetDuende to LCWNetSpurRanch), in which case you should consult first with the AP manager of the new access point. Here, it is assumed that the client only wishes to convert to PPPoE, AND that the client’s router is the Netgear brand. What follows are step-by-step instructions for making the conversion. Important: Don’t change any settings that aren’t specifically mentioned below.

1. Log into the Netgear router at 192.168.1.1. User is “admin”, PW is “password”.

2. Click on the box that asks if you want to check on a firmware update. It takes a minute or so for it to check. Update the firmware if a new version is detected.

3. Go to the WAN Setup Page under the “Advanced Menu” (on the left of the screen)

-Under “MTU Size (in bytes)” fill in 1480

-Click on “Apply” at bottom of page

3. In the “Basic Settings” page under the “Setup” heading, click on or fill in the following:

-Does your router require a login? “YES”

-Internet Service Provider: “PPPoE”

-Login: (get user name from the LCWA Treasurer, Jerry Zollars)

-Password: (also get password from Jerry)

-Connection Mode: “Always On”

-Internet IP Address: check “Get Dynamically from ISP” (When you check this, the existing IP information will be grayed out)

-Domain Name Server (DNS) Address: check “Get Automatically from ISP” (The existing DNS addresses will be grayed out)

-click APPLY

4. Wait a few minutes for the network to recognize the router and send it the data it needs. Be patient.

5.  Check that everything is working properly by clicking on “Router Status” under the “Maintenance” heading on the left of the router webpage. Look for the entry that says “Internet Port Connection” and verify that it says “PPPoE.”  This completes the conversion.

General Setup for NEW routers

Generally, new routers are set up out-of-the-box to use DHCP. In the router’s main Setup tab, this needs to be changed to PPPoE. Enter the member’s PPPoE UserId and Password and save these settings. If there is a checkbox labeled “Connection Keep Alive” or “Always Stay Connected”, make sure that this is enabled. If there is the option to enter a “Keep Alive Redial Time” or similar, set this to 60 seconds.

Be sure the MTU setting is set manually to 1480. Relying on your router’s “auto” setting for the MTU has been shown repeatedly not to work correctly.

No other WAN or ISP information needs to be entered anywhere else in the router.

The PPPoE Access Concentrator (one of our two PPPoE “servers”) will automatically assign values for DNS servers and the default gateway. Usually, the default router settings for the local LAN and WLAN network will be sufficient. These are usually set up for a 192.168.100.0/24 or a 192.168.1.0/24 network with DHCP enabled for wireless clients.

After a minute or so, check the PPPoE Status pages below to see if you are connected. The PPPoE Servers are always on-line and you will connect to whichever server first responds to the router’s PPPoE service “discovery” packet. This will depend on where in the network you are connected and what the traffic load is for that segment at the time you attempt to connect.

General Setup for EXISTING routers:

Be sure the MTU setting is set manually to 1480. Relying on your router’s “auto” setting for the MTU has been shown repeatedly not to work correctly.

The procedure for existing routers is much the same as for new routers; however, it is important to clear out any static DNS and Default Route information that is present before attempting a PPPoE connection. There are two options for this: reset the router to factory defaults; or remove the info manually, usually by entering “0.0.0.0” for the IP address of any servers/gateways that are listed. Sometimes, static DNS and/or routing information will be present in both the WAN (ISP) and WLAN setup sections and the information should be cleared from both. After verifying that DNS and Default Gateway info is gone, proceed as above for a new router install.

Setup for Airport Base Stations

Open Airport Utility, located in the Utilities folder in Applications.

Upon opening, Airport Utility will show a list of found base stations:
[Screenshot: scan.jpg]

Select the base station you want to configure and click on Manual Setup (not Continue).

RECOMMENDATION: If the AirPort has been used on the LCWA network, backup your current configuration. Under the File menu, select Export Configuration File and save the resulting file to your hard drive. If you ever need to return to that configuration, just use the Import Configuration File in the same menu. You can do the same at the end of these steps to save your PPPoE configuration settings. Save the two configuration files with names that will identify which configuration is which.

On the next screen, click on the Internet icon at the top of the window:
[Screenshot: PPPoE.jpg]
From the “Connect Using:” menu, select PPPoE.
Enter your Username and Password as indicated.
Set “Connection” and “Disconnect if Idle” as shown.

Next, click on TCP/IP tab:
[Screenshot: DNS.jpg]
If there are entries in the DNS Server boxes, follow the note on the screen shot above.

Once all settings are complete, click on Update. Quit Airport Utility, then open it again (to force it to display the new status).
Select the base station you just configured and click on Manual Setup.
At the bottom of the screen should be the PPPoE IP address (normally 62.233.xxx.xxx or 63.229.xxx.xxx) 

MTU Setting for AirPort Base Stations

There is no MTU setting in AirPort Base Stations! To date we have not seen verifiable instances of this causing any issues on our network.
However, if you suspect that this may be causing an issue, you can manually set the MTU for your computer.

Open Network preferences (in System Preferences).
Select the connection you are using to your AirPort (Ethernet, i.e. wired, or AirPort, i.e. wireless).
Click on Advanced, then Ethernet:
[Screenshot: MTU.jpg]

In the “Configure” menu, select Manually.
In the “MTU” menu, select Custom and enter 1480.
Click OK.
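
To check from a computer whether packets of the recommended size actually pass, the sketch below (an added example, not part of the original instructions) sends pings with the Don't Fragment flag and binary-searches the largest packet that gets through. The function names are illustrative, and it assumes the target, here 8.8.8.8, answers ICMP echo.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":
        cmd = ["ping", "-D", "-s", str(payload), "-c", "1",
               "-t", str(timeout_s), host]
    else:  # Linux (iputils ping)
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    if system == "Windows":
        # Exit status can be 0 for "unreachable" replies; require a real reply.
        return "TTL=" in done.stdout
    return done.returncode == 0


def largest_unfragmented_packet(probe, low=576, high=1500):
    """Binary-search the largest IP packet size that gets through with DF set.

    probe(payload_bytes) must return True when the echo was answered.
    Returns None if even `low` fails (host down or ICMP filtered).
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid - 1
    return low


def mtu_report(host, expected=1480):
    """Compare the measured limit with the MTU this page recommends."""
    found = largest_unfragmented_packet(lambda size: ping_df(host, size))
    if found is None:
        return f"{host} did not answer; cannot measure"
    verdict = "matches" if found == expected else "differs from"
    return f"largest unfragmented packet {found} bytes {verdict} MTU {expected}"


if __name__ == "__main__":
    print(mtu_report("8.8.8.8"))  # one of the DNS servers this page lists
```
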

Setting DNS On Windows Computers

On all Microsoft operating systems (Windows 95, Windows 98, XP, Vista, Windows 7) it is necessary to check the settings of the “Local Area Connection” and/or “Wireless Network Connection” used to connect to the router.

First, ensure that you are logged on to an account with Administrator privileges if you are using Windows XP or later.

Then open the Control Panel, navigate to the properties page for the connection, and edit the properties of the TCP/IP protocol.

Ensure that the connection is set to get DNS automatically from DHCP.

Entering fixed DNS addresses on the computer used to speed things up a little bit – this should be avoided with the PPPoE connections.

After verifying that the network connections are getting DNS automatically from DHCP, it is necessary to either restart the computer or to use the command prompt to use ipconfig /release and ipconfig /renew to force the DHCP lease to be renewed, thereby refreshing the DNS settings.

In homes with several networked devices, the use of a fixed public DNS address can sometimes interfere with the various devices seeing each other.

If you are operating your own local DNS server, or the DNS service or role on a Domain Server, don’t forget to ensure that 208.67.222.222 and 8.8.8.8 are used in all places where the server previously used 10.181.0.31 and/or 10.181.0.30, as the 10. servers will no longer be visible.
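
As an added example (not part of the original instructions), this Python sketch parses the output of ipconfig /all and reports any adapter that still lists 10.181.0.30 or 10.181.0.31. The sample output and the function names are constructed for illustration.

```python
import re

# Resolvers from the static-IP setup, named on this page; not visible via PPPoE.
OLD_LCWA_DNS = {"10.181.0.30", "10.181.0.31"}

ADAPTER_RE = re.compile(r"^\S.*? adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s{1,8}([A-Za-z][^:]*?)[\s.]*:\s*(.*)$")
CONT_RE = re.compile(r"^\s{9,}(\S+)\s*$")  # extra DNS servers on their own line

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 10.181.0.31
                                       10.181.0.30

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""


def dns_by_adapter(text):
    """Return {adapter name: [DNS servers]} parsed from `ipconfig /all`."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        head, field = ADAPTER_RE.match(line), FIELD_RE.match(line)
        if head:
            current, in_dns = adapters.setdefault(head.group(1), []), False
        elif field:
            in_dns = field.group(1) == "DNS Servers" and current is not None
            if in_dns and field.group(2):
                current.append(field.group(2).strip())
        elif in_dns and CONT_RE.match(line):
            current.append(CONT_RE.match(line).group(1))
    return adapters


def stale_dns(text):
    """Adapters that still list the old static-IP resolvers."""
    return {name: sorted(OLD_LCWA_DNS & set(servers))
            for name, servers in dns_by_adapter(text).items()
            if OLD_LCWA_DNS & set(servers)}


if __name__ == "__main__":
    print(stale_dns(SAMPLE))
```
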

Security

While configuring a router for PPPoE, members should review the security-related settings on their routers, as all member routers will now have a static, internet-accessible IP address. Some filtering will be done by the routers at the LCWA Internet Portal; however, it is best practice to block illicit traffic at the member router to the greatest extent possible.  This not only provides defense-in-depth against threats from the Internet at large, but also provides defense against possibly compromised hardware within the LCWA network.

The following settings should be verified if possible (the exact labels seem to vary by router manufacturer; these are from Linksys and/or DD-WRT routers):

Under Wireless:

  • Enable Wireless Security.  The distances at which modern wireless routers are accessible can be quite surprising.  It is important to take basic measures to restrict access to the LCWA network to members and authorized persons.
  • Avoid the use of WEP if possible – it is much too easy to hack
  • Select a memorable WPA-2 passphrase of at least 8 characters. Please do not use any of the LCWA canonical passwords! Write the password down and keep it in a safe, but easily accessible place.

Under Security/Firewall:

  • Enable Firewall
  • Block (or Filter) Anonymous traffic/requests (usually blocks incoming ping and hides any open ports)
  • Filter Multicast (blocks multicast transit from LAN to WAN; does not interfere with Bonjour, UPnP, mdns on the LAN)
  • Filter IDENT (port 113)

Under Administration/Management:

  • Router Password – Must be set to something other than the factory default. Should be strong – two or more dictionary words with mixed case and separated by punctuation characters, at least 8-13 characters, more is better. Purposely mispeled wurds can be used, but DO NOT rely on l33t spelling alone as any kind of effective obfuscation. It’s n0t 4s cl3ver 4s many f0lks th1nk.  Please do not use any of the LCWA canonical passwords!  Write the password down and keep it in a safe, but easily accessible place.
  • Web utility access via wireless – Should be disabled. If the member only uses wireless in the house then this obviously can be enabled.
  • Remote Management/Access – Should be disabled unless absolutely necessary.
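
The router password rules above, written as a check (an added example, not LCWA tooling): it undoes common l33t substitutions before comparing against the factory defaults quoted on this page. The extra entries in WEAK_BASES, the substitution table and the sample passwords are assumptions made for illustration.

```python
import re
import string

# "admin" and "password" are the factory defaults quoted on this page; the
# other entries are constructed examples of brand and keyboard words.
WEAK_BASES = {"admin", "password", "linksys", "netgear", "qwerty"}
# Common l33t substitutions mapped back to the letters they stand for.
UNLEET = str.maketrans("013457@$", "oieastas")


def router_password_problems(pw):
    """Return the rules from the list above that `pw` fails (empty = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw == pw.lower() or pw == pw.upper():
        problems.append("no mixed case")
    # Two or more words, separated by punctuation characters.
    words = [w for w in re.split(r"[^A-Za-z0-9]+", pw) if len(w) >= 3]
    if len(words) < 2:
        problems.append("not two or more words separated by punctuation")
    # Undo l33t spelling, trim digits/punctuation at the ends, then compare.
    core = pw.lower().translate(UNLEET)
    core = core.strip(string.digits + string.punctuation)
    if core in WEAK_BASES:
        problems.append("l33t spelling of a default or common word: " + core)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("password", "P4ssw0rd!", "Adm1n", "Mesa;Coyote+Rain"):
        print(sample, "->", router_password_problems(sample) or "OK")
```
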

While checking that router security settings are good, it is also worth verifying that the member’s LCWA radio is plugged into the router WAN port, not the LAN ports.

Known Router Issues

Converting Linksys Router from Static IP address to PPPoE

When converting an existing Linksys router from static IP addressing to PPPoE, many people have had trouble clearing the gateway and DNS settings on the Static IP page. Jerry Zollars notes the following:

Do not start at Static IP page. Rather, start with the PPPoE page (select PPPoE from the pop-down menu). Enter the username and password and change the MTU to 1480, then scroll down the page to the DNS settings below. Now it is very easy to replace the DNS settings with zeros. After you save settings, a look at the Status page will show you are set up on PPPoE.

Linksys WRT54

Paradoxically, earlier models of this router may be superior to later models, when upgraded to current firmware. This is because the manufacturer has been reducing costs by reducing the memory capacity of the devices. The recommended model is WRT54GL with 16MB of memory.

PPPoE is known to work on Linksys WRT54G Ver.2 with DD-WRT v24-sp1.

Linksys Space-Ship Routers (WRT54G2, WRT160N, E1000, etc.)

[Image: Space-ship.png]

When configuring these routers from a Mac, use Safari. Firefox does not always work (in one case FF could update firmware, but not change settings; in another case, the reverse).

Another approach from either Windows or Mac is to use Chrome (the Google browser) which is backward compatible with the old Linksys firmware, and refreshes and saves settings properly.

Links to Router Support Pages

Belkin: http://en-us-support.belkin.com/app/product/list/q/routers/

D-Link: http://www.dlink.com/support/products/default.aspx

Linksys/Cisco: http://homesupport.cisco.com/en-us/support/linksys

Netgear: http://support.netgear.com/app/home

AirPort: Software Update (under the Apple logo on the menu bar) will automatically determine if you need an AirPort update.

PPPoE Status

Status and router traffic information for the PPPoE servers is available at the Network Status page.