Bypassing Vodafone's FTTH router: part I Internet

We want to replace that boring Vodafone branded router with our full-featured tp-link Archer C7v2 running OpenWRT to manage our LAN and Internet access.

We don't know much about how all that FTTH stuff is configured, the fiber arrives to a little white box and then connects to the wan port of the router that we want to replace. There's also a iptv stb connected to a random LAN port.

You'll find lots of contradictory information on the net about vlans, pppoe and FTTH, your configuration may also change depending on your location. Lets gather some information with our Ubuntu laptop.

Just disconnect the WAN cable from the FTTH box and connect-it to our Ubuntu computer and launch tcpdump.

$ sudo tcpdump -i eth0 --vv -e vlan 19:24:25.345773 1a:3b:5c:cd:ef (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 24, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq "E0000ABCD00000"] 19:24:27.362832 1a:3b:5c:cd:ef (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 24, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq "E0000ABCD00000"] 19:24:31.368782 1a:3b:5c:cd:ef (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 24, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name] [Host-Uniq "E0000ABCD00000"]

We can see that the router is trying to establish a PPPOE connection and sending a weird Host-Uniq tag with our router serial number E0000ABCD00000 to the VLAN 24. Maybe it's all we need to log-in, we can replicate that on OpenWRT.

We edit our /etc/config/network to change our vlans:

config switch_vlan                                     
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0'
        option igmp_snooping '1'                                                       
config switch_vlan
        option device 'switch0'
        option vlan '24'
        option ports '1t 6t'

Our router has a configurable switch with 5 ports, 1 blue the one labeled as WAN and the rest are yellow meant for the LAN. Ports 0 and 6 are cpu ones and they appear as eth0 and eth1 on Openwrt. We can connect a CPU port to more than one lan if we tagg-it adding the t after the port number. In that case we will be able to use eth0 in vlan 24 using eth0.24 as our interface.

So let's run PPPoE and surf the net!

We edit our wan interface on /etc/config/network to use PPPoE and set that host_uniq tag. Note that we have to convert our host_uniq to hex, use your favorite online asccii2hex converter. ( don't have one? just google-it)

config interface 'wan'
        option ifname 'eth0.24'
        option proto 'pppoe'
        option ipv6 'auto'
        option host_uniq '4530303030414243443030303030'

So lets restart network and enjoy our broadband connection.

# /etc/init.d/network restart
# logread -f
20:16:04 daemon.notice pppd[3769]: pppd 2.4.7 started by root, uid 0
20:16:04 daemon.info pppd[3769]: PPP session is 1
20:16:04 daemon.warn pppd[3769]: Connected to 00:00:1e:00:02:8e via interface eth0.24
20:16:04 kern.info kernel: [ 2365.660626] pppoe-wan: renamed from ppp0
20:16:04 daemon.info pppd[3769]: Using interface pppoe-wan
20:16:04 daemon.notice pppd[3769]: Connect: pppoe-wan <--> eth0.24
20:16:04 daemon.info odhcpd[1046]: Using a RA lifetime of 0 seconds on br-lan
20:16:07 daemon.notice pppd[3769]: peer from calling number 00:00:1E:00:02:8E authorized
20:16:07 daemon.info pppd[3769]: LCP terminated by peer
20:16:07 daemon.notice pppd[3769]: Modem hangup
20:16:07 daemon.notice pppd[3769]: Connection terminated.
20:16:07 daemon.info pppd[3769]: Sent PADT
20:16:07 daemon.info pppd[3769]: Exit.

As you can see Vodafone PPPoE server hasn't enough with our host_uniq tag and denies our connection. I found on the net that you can reset the router and sniff the configuration that's sent from Vodafone but that's too much work and we don't really need-it unless we want to get the voip configuration.

We need a way to to get that PPPoE user and password from our Vodafone router. Let's impersonate a PPPoE server on our ubuntu box and sniff the password. I got the idea from here.

Set-up a pppoe-server on ubuntu

We need a device to communicate in vlan 24 on eth0.

sudo apt-get install vlan
sudo vconfig add eth0 24
# sudo ip addr add 10.0.0.1/24 dev eth0.24 
sudo ip link set up eth0.24

Now impersonate the PPPoE server...

apt install -y pppoe tshark
touch /etc/ppp/pppoe-server-options
echo "require-pap" > /etc/ppp/pppoe-server-options
echo "lcp-echo-interval 10" >> /etc/ppp/pppoe-server-options
echo "lcp-echo-failure 2" >> /etc/ppp/pppoe-server-options

echo "* * * *" > /etc/ppp/pap-secrets

All ready, connect the router wan port to our Ubuntu box and get the secrets:

/usr/sbin/pppoe-server -L 10.5.5.1 -R 10.5.5.10 -I eth0.24 -S yyf
tshark -i eth0.24 -Y "pap.password" -l -T fields -e pap.peer_id -e pap.password

This will dump something like:

VFAB0000000000000@vodafone AABBCCD0

Now we can update our wan config with those values:

config interface 'wan'
        option ifname 'eth0.24'
        option proto 'pppoe'
        option ipv6 'auto'
        option host_uniq '4530303030414243443030303030'
        option username 'VFAB0000000000000@vodafone'
        option password 'AABBCCD0'

Restart our network /etc/network/restart and now we're done and surfing the web.

Tomorrow IPTV!

© 2019 Joan Pérez i Cauhé. All rights reserved.