Technical Details Regarding PPPoE Support

Technical Details Regarding PPPoE Support

Created On 09/25/18 19:10 PM - Last Updated 04/20/20 22:37 PM



Basic Information

  • RFC1661 and RFC2516 are supported
  • Per physical-interface configuration
    • The maximum number of PPPoE instances on a device is the number of physical interfaces of the device
    • Only one PPPoE instance can be configured on each physical interface
      Note: Cannot configure PPPoE on a VLAN tagged sub-interface
  • PPPoE redundant path can be configured by use of multiple physical interfaces
    Note: PBF (Policy Base Forwarding) settings is needed for redundant path
  • Static IP Address settings
    • Static IP Address of PPPoE settings allows IP address with 32 bit mask only
    • Normally (if there's no SSL-VPN settings), Static IP Address settings is unnecessary
  • IP range assignment by ISP can be used with NAT settings
  • MTU negotiation
  • PAP/CHAP authentication



  • For the termination of SSL-VPN to loopback I/F with private IP address via physical I/F with IP address assigned by PPPoE
    • With SSL mode, use destination NAT for the traffic of TCP/443 to PAN device in order to connect to SSL-VPN portal
    • With IPsec mode, we cannot connect to SSL-VPN portal
  • For the termination of SSL-VPN to the physical I/F with PPPoE assigned IP address
    • By use of "Static IP Address" setting, both IPsec and SSL mode can be worked
      • When "IP range" is assigned from ISP, set Static IP address as the lowest IP address (see [IP range assignment])
    • There are 2 options to terminate SSL-VPN to dynamically assigned IP address. In such case, Dynamic DNS (DDNS) is typically used to provide the URL of SSL-VPN portal to clients
      • Use Destination NAT to loopback I/F with private IP address
      • With PAN-OS 3.1.7 or later, when IP range is assigned, use destination NAT to loopback I/F with an IP address available in the IP range (except the lowest IP address)



  • Default route from PPPoE can be re-distribute to dynamic routing protocol
    • If PPPoE connection fails, the re-distributed route will be purged immediately



  • PAN-OS sends LCP keep-alive every 3 seconds, and PPPoE link will be disconnected if the keep-alive fails 5 times
  • The interval and the number of times of keep-alive is not configurable
  • After PPPoE link goes down, PAN-OS will try to reconnect every 10 seconds



  • Passive device will take over the PPPoE connection from Active device when failover happens
    • There is no need to re-connect PPPoE at Passive device when failover happens
  • When Active device is functional, if  the "passive link state" settings is "auto", PPPoE is not connected at Passive device
    Note: In this case, the physical I/F of Passive device will be up, but no PPPoE process is worked


owner: kmiwa

  • Print
  • Copy Link

Choose Language