
UTM WAN connection to broadband PPPoE help

My ISP is SKY Broadband in the UK, the largest broadband supplier in the UK (6 million users).

The setup they use is fairly standard except for one thing: they authenticate using something called DHCP option 61, the client identifier.
Many routers support this out of the box, for others there is a way to add a custom script to the router.

My current router has a custom scripts page, under "Run after initialising" I add the following script:

#!/bin/sh
### Custom user script
### Called after router started and network is ready

# Request a DHCP lease on the WAN VLAN interface, sending option 61
# (0x3d, client identifier) with the hex-encoded credentials.
/sbin/udhcpc -i eth2.2 -x 0x3d:3777890865644535346633326769999964736c7a78394b6f6e4498796d498765366d95

With this in place everything is fine. (The long code is my username and password in hex, but anything in the correct format will work.)
With DD-WRT you simply click edit on the WAN connection, make sure it's set to DHCP client and, under the advanced section, enter the script into the client ID and vendor ID fields as appropriate.

The question is, how can this be achieved with Sophos UTM 9?

 


  • If this isn't just specifying username and password in a PPPoE Interface definition, Kieran, please share Sophos Support's response to this question.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sophos' response was basically "We don't support this". But that would mean running

        MODEM > SKY ROUTER > SOPHOS > NETWORK >

    And if pfSense and DD-WRT and even my current router can do it, then I'm sure it is possible with the UTM.

    From what I can gather, unless the Sophos unit can supply a hex string in roughly the correct format at handshake, the SKY servers won't assign me an IP.

    The hex string is basically just username@dslsky.co.uk and a password; I don't think it even has to be a valid username.

    This is a thread on option 61 from the XG sw-   https://community.sophos.com/products/xg-firewall/f/network-and-routing/82853/xg-software-appliance---modify-dhcp-option-61-dhcp_client_identifier-61-when-acting-as-a-client  - Would editing this work?

  • If the option is defined on the box already, how can I edit it to add my hex username and password?

    console> system dhcp dhcp-options list
    Option Name Option Data Type
    =========================================================================================
    [...]
    DHCP_Client_Identifier(61)                                  String


  • I added this to the var/sec/chroot-dhcpc/dhclient.ifaces file:

    send dhcp-client-identifier 3777890865644535346633326769999964736c7a78394b6f6e4498796d498765366d95;

    But it did not connect up. 

    How would the UTM know which interface to use for this request?

    Can anyone suggest what might be wrong with this string?

  • Years ago, da_merlin, one of the original developers, gave a different prescription: https://community.sophos.com/products/unified-threat-management/astaroorg/f/asg-v8-300-beta-closed/71340/8-285-notabug-closed-external-interface-won-t-come-up-when-using-dhcp/276676#276676. Any luck with that?

    Cheers - Bob
    PS I just found that after doing a Google on site:community.sophos.com DHCP "client identifier"

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Success! 

    I was probably overthinking this one slightly, because in the end it was simple.

    Firstly, thanks to BAlfson for the links.

    1. Change the WAN interface to Ethernet, not PPPoE.

    2. Add
       send dhcp-client-identifier 345678902345678904567.....................;
       to /var/chroot-dhcpc/etc/default.conf

    3. Reboot. You probably only need to turn the interface off and back on again, but SKY broadband seems to have a 1-3 minute timeout on IP renew/release if the device changes. I'm using an Openreach modem, which might cause this.

    4. That's it; your interface should connect, and the shell changes will survive a reboot.

    5. Now I need to find out if it will survive an update, and why I'm getting poor ping and low bandwidth (20/5) when it should be (40/20).
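    Because the option 61 value in this thread is nothing more than the credentials as raw bytes written out in hex, a small helper makes it easy to build one, to sanity-check a string like the one asked about earlier in the thread (hex digits only, an even number of them, small enough to fit in a single DHCP option), to decode it back to text so you can see exactly what the box will send in cleartext, and to print the udhcpc and dhclient forms used above. This is an added example, not code from the thread or from Sophos; the "|" separator between username and password is an assumption the thread does not state, and the sample credentials are made up.

```python
import re

# Domain named in the thread for the username part of the identifier.
REALM = "dslsky.co.uk"
# ASSUMPTION: the thread does not say how username and password are joined;
# "|" is a placeholder separator, change it to whatever the ISP actually expects.
SEPARATOR = "|"

_HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


def _normalise(hexstr):
    """Strip whitespace, a trailing ';' (dhclient syntax) and an optional 0x prefix."""
    s = "".join(hexstr.split()).rstrip(";")
    if s[:2].lower() == "0x":
        s = s[2:]
    return s


def build_client_id(username, password, sep=SEPARATOR):
    """Return '<username>@dslsky.co.uk<sep><password>' as a lowercase hex string,
    the raw-bytes form the thread sends as DHCP option 61.  (RFC 2132 also
    defines a leading type byte for option 61; the thread's working config
    omits it, so this does too.)"""
    ident = f"{username}@{REALM}{sep}{password}"
    return ident.encode("ascii").hex()


def check_client_id_hex(hexstr):
    """Return a list of problems with a hex client-id string; an empty list
    means it parses as a byte sequence that fits in one DHCP option."""
    s = _normalise(hexstr)
    problems = []
    if not s:
        problems.append("empty string")
        return problems
    if not _HEX_RE.match(s):
        bad = sorted({c for c in s if not re.match(r"[0-9a-fA-F]", c)})
        problems.append("non-hex characters: " + "".join(bad))
        return problems
    if len(s) % 2:
        problems.append("odd number of hex digits; every byte needs two")
        return problems
    if len(s) // 2 > 255:
        problems.append("more than 255 bytes; a DHCP option carries at most 255")
    return problems


def decode_client_id(hexstr):
    """Decode a hex client-id back to text so you can eyeball what is sent
    (non-ASCII bytes show up as U+FFFD).  Raises ValueError if the hex is bad."""
    s = _normalise(hexstr)
    problems = check_client_id_hex(s)
    if problems:
        raise ValueError("; ".join(problems))
    return bytes.fromhex(s).decode("ascii", errors="replace")


def udhcpc_args(iface, hexstr):
    """Argument vector for the udhcpc call used in the thread (-x 0x3d:<hex>)."""
    return ["/sbin/udhcpc", "-i", iface, "-x", "0x3d:" + _normalise(hexstr)]


def dhclient_send_line(hexstr):
    """The dhclient configuration line the thread added to default.conf."""
    return f"send dhcp-client-identifier {_normalise(hexstr)};"


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    cid = build_client_id("user123", "secret")
    print(cid)
    print(decode_client_id(cid))
    print(" ".join(udhcpc_args("eth2.2", cid)))
    print(dhclient_send_line(cid))
    print(check_client_id_hex(cid[:-1]))  # odd length, so a problem is reported
```

    Run `decode_client_id()` on the string you are about to paste into default.conf before rebooting: a stray character or a dropped hex digit is the most likely reason an interface silently fails to get a lease, and this is quicker than waiting out the ISP's renew timeout.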

  • Just to close this topic off: if you're setting up Sky broadband on the UTM, you may well have SKY Q too (4K satellite TV system).

    If so, you will also need to do this.

    SKY Q boxes need to authenticate and use certain ports for downloads, catch-up, apps and the images of recorded programs.
    1. You have to add the Sky box to the Transparent mode skip list under Web Filtering, if enabled.
    2. Define SKY Q service 1: UDP 3700.
    3. Define SKY Q service 2: UDP 33224.
    4. Set up a firewall rule that says: internal network > service 1+2 > Any.

    Note: you can tie the rule down further to just a SKY devices group, but that will also include any iPads, Xboxes, etc. that want to use the Q app.