Asus RT-AC88U - PPPoE WAN Connection problem

Nadeem Ahmed

Occasional Visitor
I have just got a FiberOptic internet connection installed through an EPON ONU. I am able to get internet working when I configure my TPLink router using PPPoE. Settings attached.

I actually want to replace my TPLink with an Asus AC88U router running Merlin 384.9. I am trying to set up a PPPoE connection on the AC88U. No success so far. Badly looking for some help.

A few relevant lines from the syslog say:

May 5 05:12:16 nat: apply redirect rules error!
May 5 05:12:18 pppd[1986]: PPP session is 8781 (0x224d)
May 5 05:12:18 pppd[1986]: Connected to 00:0a:f7:31:5a:00 via interface eth0
May 5 05:12:18 pppd[1986]: Using interface ppp0
May 5 05:12:18 pppd[1986]: Connect: ppp0 <--> eth0
May 5 05:12:19 pppd[1986]: Remote message: Login incorrect
May 5 05:12:19 pppd[1986]: PAP authentication failed
May 5 05:12:19 pppd[1986]: Connection terminated.
May 5 05:12:19 pppd[1986]: Sent PADT
May 5 05:12:20 ntp: start NTP update
May 5 05:12:22 nat: apply redirect rules error!
May 5 05:12:27 nat: apply redirect rules error!
May 5 05:12:29 pppd[1986]: PPP session is 8783 (0x224f)
May 5 05:12:29 pppd[1986]: Connected to 00:0a:f7:31:5a:00 via interface eth0
May 5 05:12:29 pppd[1986]: Using interface ppp0
May 5 05:12:29 pppd[1986]: Connect: ppp0 <--> eth0
May 5 05:12:32 nat: apply redirect rules error!
May 5 05:12:35 ntp: start NTP update
May 5 05:12:35 pppd[1986]: Remote message: Login incorrect
May 5 05:12:35 pppd[1986]: PAP authentication failed
May 5 05:12:35 pppd[1986]: Connection terminated.
May 5 05:12:35 pppd[1986]: Sent PADT
May 5 05:12:37 nat: apply redirect rules error!

I can share full syslog if somebody needs to have a look.

Looking for help.
 

Attachments

  • PPPoE_2.jpg
  • PPPoE_1.jpg
Anybody? If there is any other post where a similar problem has been discussed and its solution was also provided, please point me toward that.
 
Code:
May 5 05:12:19 pppd[1986]: PAP authentication failed

You have a username/password authentication issue.
 
Thanks for your response.

The same username/password are working on my other TPLink router. Why are they not working on this router?
 
NOTE: The attached Capture.pdf needs to be renamed to Capture.zip and then it can be unzipped to extract two packet capture files.

I have been able to capture the initial PPPoE packets for both scenarios, i.e. when my TPLink router initiates the PPPoE connection and when my ASUS initiates the PPPoE connection. Hopefully some genius guy can sort out the difference between the two scenarios and will be able to suggest something to me. The attached file is Capture.pdf, which needs to be renamed to Capture.zip, and then you can unzip this file to get two Wireshark files with the (.pcapng) extension.
 

Attachments

  • Capture.pdf
I know PAP is not very widely used and is least preferred. But since my ISP is using it, I don't have any control over it. Since these routers automatically detect the authentication mechanism to be used and then act accordingly, to me it apparently seems like a bug in the PAP implementation in the ASUS RT-AC88U. I mentioned earlier too that I am using the latest Merlin firmware, 384.9.

Please help.
 
I kept looking for the problem and found very interesting facts. The PAP Authenticate-Request packet sent by my Asus AC88U has padding of random non-zero bytes, whereas my TP-Link router is sending the same request with appropriate padding of all zeros. Check the attached two images for details. Moreover, the ASUS is sending a 64 byte packet whereas the TPlink is sending a 60 byte packet, but I don't think this difference is significant here.

Wireshark's packet analyzer is also raising a warning that the packet is malformed. The problematic area it highlights is the payload length, which is set to 17; that is correct, as it should be 17. But the unexpected non-zero bytes after the end of the password are abnormal. If we count all those bytes as well, up to the end, that makes 44. That is why the packet analyzer suggests that the payload length should be 44.

These non-zero bytes may be interpreted as part of the password, which might be causing the 'Login incorrect' error. Now if this is a true statement, this must be a BUG in the firmware.
 

Attachments

  • TPLink.jpg
  • ASUS.jpg
  • ASUS2.jpg
Last edited:
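The length check discussed in the post above, as an added example (not part of the original thread and not code from the firmware): a Python parser that decodes a PPPoE-encapsulated PAP Authenticate-Request strictly by its PPPoE and PAP length fields and reports whether the bytes after the declared payload are non-zero. The MAC addresses, credentials and padding bytes are constructed samples, sized to reproduce the 60-byte and 64-byte frames and the 17 versus 44 byte counts mentioned above.

```python
import struct

ETH_P_PPPOE_SESS = 0x8864  # EtherType of PPPoE session frames
PPP_PROTO_PAP = 0xC023     # PPP protocol number for PAP
PAP_AUTH_REQUEST = 1       # PAP code for Authenticate-Request

def parse_pap_request(frame: bytes) -> dict:
    """Decode a PAP Authenticate-Request, trusting only the declared lengths."""
    if len(frame) < 26:  # 14 Ethernet + 6 PPPoE + 2 PPP protocol + 4 PAP header
        raise ValueError("frame too short")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    _vt, _code, session, pppoe_len = struct.unpack_from("!BBHH", frame, 14)
    if ethertype != ETH_P_PPPOE_SESS or not 6 <= pppoe_len <= len(frame) - 20:
        raise ValueError("not a complete PPPoE session frame")
    # Everything past the declared PPPoE payload is Ethernet padding, not PAP data.
    payload, trailer = frame[20:20 + pppoe_len], frame[20 + pppoe_len:]
    proto, pap_code, _ident, pap_len = struct.unpack_from("!HBBH", payload, 0)
    if proto != PPP_PROTO_PAP or pap_code != PAP_AUTH_REQUEST:
        raise ValueError("not a PAP Authenticate-Request")
    if not 6 <= pap_len <= pppoe_len - 2:
        raise ValueError("PAP length field out of range")
    body = payload[6:2 + pap_len]  # Peer-ID length, Peer-ID, Passwd length, Password
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("Peer-ID overruns the PAP packet")
    pw_len = body[1 + id_len]
    if 2 + id_len + pw_len > len(body):
        raise ValueError("Password overruns the PAP packet")
    return {
        "session": session,
        "declared_len": pppoe_len,            # PPPoE payload length field
        "bytes_on_wire": len(frame) - 20,     # what follows the PPPoE header
        "peer_id": body[1:1 + id_len],
        "password": body[2 + id_len:2 + id_len + pw_len],
        "trailer_nonzero": any(trailer),
    }

def build_frame(trailer: bytes) -> bytes:
    """Constructed sample frame: Peer-ID 'user', password 'pass1'."""
    pap_body = bytes([4]) + b"user" + bytes([5]) + b"pass1"
    pap = struct.pack("!BBH", PAP_AUTH_REQUEST, 1, 4 + len(pap_body)) + pap_body
    ppp = struct.pack("!H", PPP_PROTO_PAP) + pap
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    eth = macs + struct.pack("!H", ETH_P_PPPOE_SESS)
    return eth + struct.pack("!BBHH", 0x11, 0x00, 0x224D, len(ppp)) + ppp + trailer

ZERO_PADDED = build_frame(bytes(23))              # 60-byte frame, all-zero padding
NOISY_PADDED = build_frame(bytes(range(1, 28)))   # 64-byte frame, non-zero padding
```

Parsed this way, both frames yield the same Peer-ID and password; the non-zero bytes lie outside the 17-byte payload and are only reported as a trailer.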
Low-level protocol debugging is quite outside my skill set (the authentication should be handled by the PPP daemon, not the firmware itself), but I've forwarded the info to someone with better expertise.

One thing worth trying is to disable CTF (hardware acceleration) on the LAN page, in case it might interfere.
 
Your ISP (and TP-Link) are using a non-standard PPP LCP extension, which could be part of the problem. It's a pretty bad hackish implementation.

It's also possible they use the MAC as part of the authentication. Try cloning the TP-Link's MAC on the WAN page.
 
Just want to add to what Merlin said: I am using PPPoE as well and have no problem with my fiber connection. One thing I will suggest is to make sure MTU and MRU are set to 1480, like what you see in the TP-Link settings; Asus defaults to 1492. There are a few countries which are already announced as using non-standard PPPoE connections; Russia comes to mind.
 
I have already tried setting 1480 for MTU and MRU. But yes, my TPLink router detects the connection as something like PPPoE/Russia.
 
lcp-ident support was implemented by a collaborator (https://github.com/RMerl/asuswrt-merlin.ng/commit/7ea734eaa6db7188e968106791fbea90f0b9615a). With the next release of my firmware you should be able to enable it by providing the option as an additional pppd parameter on the WAN page.

No idea if Asus will want to pick that one up for stock firmware however, that will be up to them.

Thank you. Once it is available, I will need your help in how to specify/use this option. I saw there is a text field saying "Additional pppd options" which I believe you are referring to.

Will it help using the same "non-standard" PPP LCP extension that my ISP and other router is using?
 
Yes, this is where you will have to add "lcp-ident". I'm not sure if you will also need to provide an actual parameter after that keyword, and if you do what that would be. You'd have to either check the traces to figure out the value required, or ask your ISP.
 
https://yadi.sk/d/q7YVwjjpok4OrA
SOP:
1. Clone the MAC from the TP-Link, check if it can connect now.
2. Add "lcp-ident MSRAS-0-a4b999" to Additional pppd options, check if it can connect now (a4b999 is the low half of the WAN MAC).
3. If step 2 was successful, remove MAC cloning, check if it can connect now.
4. If step 3 was not successful, change the ident to MSRAS-0-xxxxxx, where xxxxxx is the low half of your Asus WAN MAC.
It would be good to have traffic captures for all these steps.
 
Just in case you are wondering, yes, you can trust that firmware image. Themiron is a long-time contributor, and he's the one you can thank for implementing lcp-ident support.
 
Thanks a lot Themiron for the implementation of lcp-ident and these detailed instructions. I will certainly be trying them over the weekend. Will post the update back here. Thank you once again.
 
Hurray!

I got success right on step 1.

I was kind of surprised by that. I had ruled out MAC address binding by using 2 different TP-Link routers, and both of them were connecting successfully. Now under these circumstances, I think the ISP is somehow allowing only TP-Link devices, because the initial part of the MAC of all TP-Link routers is the same (AFAIK).

Thanks a lot Themiron and Merlin. Highly appreciate your help.

One last thing: I want to donate something using my credit card. When I tried doing that, it asked for a Zip code. I am in Pakistan and I cannot provide any zip code. It is not allowing me to proceed without it. Please tell me a way to do that. PayPal is not an option for me.
 
Odd indeed that they would only specifically whitelist TP-Link routers...

I don't have any other method for you to donate unfortunately, so just don't worry about it.
 
