Some providers (like init7.ch, which already uses the Swisscom XGS-PON) encapsulate their PPPoE traffic in a VLAN tag (802.1Q, or Q-tagged). The reason is that in the majority of cases the provider is using the layer 2 network (last mile) of another provider, which uses VLAN tagging to separate the traffic of the different service providers.
The configuration of the FortiGate is not too complicated in those cases. It is even possible to do the whole configuration directly from the WebGUI.
- Navigate to “Network” and then to the “Interfaces” page on the WebGUI of your FortiGate.
- Create a new Interface:
- Change the Type of the Interface to “VLAN” and set a name for the interface.
- Choose the physical port where the VLAN is terminated.
- Enter the VLAN ID and set the ID which your provider tells you.
- Set the PPPoE Login and save the configuration.
Wait a minute or two until the PPPoE connection is shown as “up”.
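If you prefer to configure it on the CLI, you may use this block as a template (the interface name is a placeholder, and "root" assumes the default VDOM):
config system interface
edit "<vlan-interface-name>"
set vdom "root"
set mode pppoe
set role wan
set username "email@example.com"
set password mypppoepassword
set interface "wan1"
set vlanid 11
next
end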
For everyone who is interested in a Wireshark trace, here we made one for you. You can see clearly that the PPPoE is placed inside the VLAN tag.
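The layering described above can also be checked without a packet capture tool. The following Python parser is an added example, not part of the original post: it decodes the Ethernet header, the 802.1Q tag and the PPPoE header (RFC 2516) of a frame. The sample frame is constructed for illustration, using VLAN ID 11 from the CLI template and a made-up source MAC.

```python
import struct

ETH_P_8021Q = 0x8100
PPPOE_ETHERTYPES = {0x8863: "discovery", 0x8864: "session"}
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
               0x65: "PADS", 0xA7: "PADT", 0x00: "session data"}


def parse_tagged_pppoe(frame: bytes) -> dict:
    """Decode Ethernet II -> optional 802.1Q tag -> PPPoE header (RFC 2516)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3 bits priority, 1 bit DEI, 12 bits VLAN ID; then the inner EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 18
    if ethertype not in PPPOE_ETHERTYPES:
        raise ValueError(f"not PPPoE: EtherType 0x{ethertype:04x}")
    if len(frame) < offset + 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[offset:offset + 6])
    if ver_type != 0x11:
        raise ValueError("PPPoE version/type must be 1/1")
    return {
        "vlan_id": vlan_id,
        "priority": priority,
        "stage": PPPOE_ETHERTYPES[ethertype],
        "code": PPPOE_CODES.get(code, hex(code)),
        "session_id": session_id,
        "payload_length": length,
    }


# Constructed sample: a PADI broadcast tagged with VLAN ID 11, as in the CLI template.
SAMPLE_TAGGED_PADI = (
    bytes.fromhex("ffffffffffff")      # destination: broadcast
    + bytes.fromhex("001122334455")    # source MAC (constructed)
    + bytes.fromhex("8100000b")        # TPID 0x8100, priority 0, VLAN ID 11
    + bytes.fromhex("8863")            # inner EtherType: PPPoE discovery
    + bytes.fromhex("110900000004")    # ver/type 0x11, code PADI, session 0, length 4
    + bytes.fromhex("01010000")        # Service-Name tag, empty
)

if __name__ == "__main__":
    print(parse_tagged_pppoe(SAMPLE_TAGGED_PADI))
```

A frame captured on the physical port without the tag returns `vlan_id` as `None`, which is a quick way to spot a missing or wrong VLAN configuration.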
And we have even one more secret for you: Any traffic passing a PPPoE interface (including VPN tunnels) cannot be hardware accelerated by any of the security processor chipsets (We also have more details regarding this topic here). Please keep this detail in mind when you think about the sizing of a PPPoE-based setup.
– PPPoE topic closed –
In Switzerland, you usually have to decide whether you want to use DHCP or PPPoE for DSL connections. DHCP has a bit less overhead (because the PPP header is not needed), but you cannot set static IP addresses over DHCP (that is when PPP is necessary).
If you decide to use DHCP, the following information may be interesting for you:
The last important piece of information that may be of interest to you is the following: The FortiGate has supported DHCP client options since FortiOS 6.4. Therefore it is now possible to set DHCP client option number 60, which is the vendor class identifier (short: VCI).
On the Swisscom information page for the “configuration of third-party routers” you can find all the settings you need for a Swisscom DSL and FTTH line. The Fortinet new feature guide for FortiOS 6.4 contains a guide on how to configure the DHCP client option.
If you are using a bridge or Fortinet's own SFP DSL transceiver (SKU: FN-TRAN-DSL), the configuration on the WAN interface looks as follows:
config system interface
edit "wan1"
set mode dhcp
config client-options
edit 60
set code 60
set type string
set value "100008,0001"
next
end
next
end
Some people found out that you can prevent a re-registration of the internet connection if you set the MAC address of your old modem on the FortiGate WAN interface as follows:
config system interface
edit "wan1"
set macaddr 00:11:22:33:44:55
next
end