From f4ca88a7b02865f6a7edb7cc73d526d78da6456e Mon Sep 17 00:00:00 2001
From: aapostoliuk <a.apostoliuk@vyos.io>
Date: Fri, 23 Feb 2024 15:27:44 +0200
Subject: [PATCH] Rewritten the PPPoE server documentation

Fully rewritten PPPoE server documentation.
---
 docs/configuration/service/pppoe-server.rst | 590 ++++++++++++++------
 1 file changed, 421 insertions(+), 169 deletions(-)

diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
index 56fcb968..04113666 100644
--- a/docs/configuration/service/pppoe-server.rst
+++ b/docs/configuration/service/pppoe-server.rst
@@ -13,13 +13,20 @@ be used with local authentication or a connected RADIUS server.
    changes/commits will restart the ppp daemon and will reset existing
    PPPoE connections from connected users, in order to become effective.
 
-Configuration
-=============
+************************
+Configuring PPPoE Server
+************************
 
+.. code-block:: none
 
-First steps
------------
-
+  set service pppoe-server access-concentrator PPPoE-Server
+  set service pppoe-server authentication mode local
+  set service pppoe-server authentication local-users username test password 'test'
+  set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254
+  set service pppoe-server default-pool 'PPPOE-POOL'
+  set service pppoe-server outside-address 192.0.2.2
+  set service pppoe-server gateway-address 192.168.255.1
+  set service pppoe-server interface eth0
 
 .. cfgcmd:: set service pppoe-server access-concentrator <name>
 
@@ -28,14 +35,30 @@ First steps
 
 .. cfgcmd:: set service pppoe-server authentication mode <local | radius>
 
-   Use this command to define whether your PPPoE clients will locally
-   authenticate in your VyOS system or in RADIUS server.
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
+  * **noauth**: Authentication disabled.
 
 .. cfgcmd:: set service pppoe-server authentication local-users username
    <name> password <password>
 
-   Use this command to configure the username and the password of a
-   locally configured user.
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
+
+.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
+
+   Use this command to define the first IP address of a pool of
+   addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``,
+   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+   used there is possibility to set host/netmask.
+
+.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME>
+
+   Use this command to define default address pool name.
 
 .. cfgcmd:: set service pppoe-server interface <interface>
 
@@ -44,124 +67,170 @@ First steps
 
 .. cfgcmd:: set service pppoe-server gateway-address <address>
 
-   Use this command to configure the local gateway IP address.
-
-.. cfgcmd:: set service pppoe-server name-server <address>
-
-   Use this command to set the IPv4 or IPv6 address of every Doman Name
-   Server you want to configure. They will be propagated to PPPoE
-   clients.
+   Specifies single `<gateway>` IP address to be used as local address of PPP
+   interfaces.
 
 
-Client Address Pools
---------------------
+*********************************
+Configuring RADIUS authentication
+*********************************
 
-To automatically assign the client an IP address as tunnel endpoint, a
-client IP pool is needed. The source can be either RADIUS or a
-named pool. There is possibility to create multiple named pools.
-Each named pool can include only one address range. To use multiple
-address ranges configure ``next-pool`` option.
-
-
-**Client IP address via IP range definition**
-
-.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
-
-   Use this command to define the IP address range to be given
-   to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``,
-   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
-   used there is possibility to set host/netmask.
-
-.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
-
-   Use this command to define the next address pool name.
-
-.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME>
-
-   Use this command to define default address pool name.
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
 
 .. code-block:: none
 
-  set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2'
-  set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24'
-  set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12'
-  set service pppoe-server default-pool 'IP-POOL'
+  set service pppoe-server authentication mode radius
 
+.. cfgcmd:: set service pppoe-server authentication radius server <server> key <secret>
 
-**RADIUS based IP pools (Framed-IP-Address)**
-
-To use a radius server, you need to switch to authentication mode RADIUS
-and then configure it.
-
-.. cfgcmd:: set service pppoe-server authentication radius server <address>
-   key <secret>
-
-   Use this command to configure the IP address and the shared secret
-   key of your RADIUS server.  You can have multiple RADIUS servers
-   configured if you wish to achieve redundancy.
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
 
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
 
 .. code-block:: none
 
-  set service pppoe-server access-concentrator 'ACN'
-  set service pppoe-server authentication mode 'radius'
-  set service pppoe-server authentication radius server 10.1.100.1 key 'secret'
-  set service pppoe-server interface 'eth1'
-  set service pppoe-server gateway-address '10.1.1.2'
+  set service pppoe-server authentication radius server 10.0.0.1 key 'foo'
+  set service pppoe-server authentication radius server 10.0.0.2 key 'foo'
 
-RADIUS provides the IP addresses in the example above via
-Framed-IP-Address.
+.. note:: Some RADIUS severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
 
-**RADIUS sessions management DM/CoA**
+RADIUS source address
+=====================
 
-.. cfgcmd:: set service pppoe-server authentication radius dynamic-author
-   <key | port | server>
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
 
-   Use this command to configure Dynamic Authorization Extensions to
-   RADIUS so that you can remotely disconnect sessions and change some
-   authentication parameters.
+.. cfgcmd:: set service pppoe-server authentication radius source-address <address>
 
-.. code-block:: none
+  Source IPv4 address used in all RADIUS server queires.
 
-  set service pppoe-server authentication radius dynamic-author key 'secret123'
-  set service pppoe-server authentication radius dynamic-author port '3799'
-  set service pppoe-server authentication radius dynamic-author server '10.1.1.2'
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
+
+RADIUS advanced options
+=======================
+
+.. cfgcmd:: set service pppoe-server authentication radius server <server> port <port>
+
+  Configure RADIUS `<server>` and its required port for authentication requests.
+
+.. cfgcmd:: set service pppoe-server authentication radius server <server> fail-time <time>
+
+  Mark RADIUS server as offline for this given `<time>` in seconds.
+
+.. cfgcmd:: set service pppoe-server authentication radius server <server> disable
+
+  Temporary disable this RADIUS server.
+
+.. cfgcmd:: set service pppoe-server authentication radius acct-timeout <timeout>
+
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+
+.. cfgcmd:: set service pppoe-server authentication radius dynamic-author server <address>
+
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set service pppoe-server authentication radius dynamic-author port <port>
+
+  Port for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set service pppoe-server authentication radius dynamic-author key <secret>
+
+  Secret for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set service pppoe-server authentication radius max-try <number>
+
+  Maximum number of tries to send Access-Request/Accounting-Request queries
+
+.. cfgcmd:: set service pppoe-server authentication radius timeout <timeout>
+
+  Timeout to wait response from server (seconds)
+
+.. cfgcmd:: set service pppoe-server authentication radius nas-identifier <identifier>
+
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
+
+.. cfgcmd:: set service pppoe-server authentication radius nas-ip-address <address>
+
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
+
+.. cfgcmd:: set service pppoe-server authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. cfgcmd:: set service pppoe-server authentication radius rate-limit attribute <attribute>
+
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is ``Filter-Id``.
+
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
+
+.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable
+
+  Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set service pppoe-server authentication radius rate-limit vendor
+
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
+
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+=========================================
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
 
 
-Example, from radius-server send command for disconnect client with
-username test
-
-.. code-block:: none
-
-  root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799
-  disconnect secret123
-
-You can also use another attributes for identify client for disconnect,
-like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in
-log.
-
-.. code-block:: none
-
-  show log | match Disconnect*
-
-Example for changing rate-limit via RADIUS CoA.
-
-.. code-block:: none
-
-  echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa
-  secret123
-
-Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit
-up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS
-CoA request.
-
+***********************
 Automatic VLAN Creation
------------------------
+***********************
 
 .. cfgcmd:: set service pppoe-server interface <interface> vlan <id | range>
 
    VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module
-   named `vlan_mon`, which is monitoring incoming vlans and creates the
+   named ``vlan_mon``, which is monitoring incoming vlans and creates the
    necessary VLAN if required and allowed. VyOS supports the use of either
    VLAN ID's or entire ranges, both values can be defined at the same time for
    an interface.
@@ -177,21 +246,26 @@ Automatic VLAN Creation
   set service pppoe-server interface eth3 vlan 500-1000
   set service pppoe-server interface eth3 vlan 2000-3000
 
-
+*****************
 Bandwidth Shaping
------------------
+*****************
 
 Bandwidth rate limits can be set for local users or RADIUS based
 attributes.
 
 For Local Users
-^^^^^^^^^^^^^^^
+===============
 
-.. cfgcmd:: set service pppoe-server authentication local-users username <name>
-   rate-limit <download | upload>
+.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
 
-   Use this command to configure a data-rate limit to PPPOoE clients for
-   traffic download or upload. The rate-limit is set in kbit/sec.
 
 .. code-block:: none
 
@@ -209,7 +283,7 @@ For Local Users
 
 
 Once the user is connected, the user session is using the set limits and
-can be displayed via 'show pppoe-server sessions'.
+can be displayed via ``show pppoe-server sessions``.
 
 .. code-block:: none
 
@@ -220,9 +294,9 @@ can be displayed via 'show pppoe-server sessions'.
 
 
 For RADIUS users
-^^^^^^^^^^^^^^^^
+================
 
-The current attribute 'Filter-Id' is being used as default and can be
+The current attribute ``Filter-Id`` is being used as default and can be
 setup within RADIUS:
 
 Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit
@@ -238,9 +312,9 @@ setup and is working.
 Other attributes can be used, but they have to be in one of the
 dictionaries in */usr/share/accel-ppp/radius*.
 
-
+**************
 Load Balancing
---------------
+**************
 
 
 .. cfgcmd:: set service pppoe-server pado-delay <number-of-ms>
@@ -262,58 +336,252 @@ allows other PPPoE servers send PADO faster and clients will connect to
 other servers. Last command says that this PPPoE server can serve only
 3000 clients.
 
-
+****
 IPv6
-----
+****
 
-IPv6 client's prefix
-^^^^^^^^^^^^^^^^^^^^
+.. cfgcmd:: set service pppoe-server ppp-options ipv6 <require | prefer | allow | deny>
 
-.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME>
-   prefix <address> mask <number-of-bits>
+  Specifies IPv6 negotiation preference.
 
-   Use this comand to set the IPv6 address pool from which a PPPoE
-   client will get an IPv6 prefix of your defined length (mask) to
-   terminate the PPPoE endpoint at their side. The mask length can be
-   set from 48 to 128 bit long, the default value is 64.
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
 
+.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
 
-IPv6 Prefix Delegation
-^^^^^^^^^^^^^^^^^^^^^^
+  Use this comand to set the IPv6 address pool from which an l2tp client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  l2tp endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
 
-.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME>
-   delegate <address> delegation-prefix <number-of-bits>
+.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
 
-   Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You
-   will have to set your IPv6 pool and the length of the delegation
-   prefix. From the defined IPv6 pool you will be handing out networks
-   of the defined length (delegation-prefix). The length of the
-   delegation prefix can be set from 32 to 64 bit long.
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  l2tp. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
 
-
-IPv6 default client's pool assignment
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-.. cfgcmd:: set service pppoe-server default-ipv6-pool <POOL-NAME>
+.. cfgcmd:: set service pppoe-server default-ipv6-pool <IPv6-POOL-NAME>
 
    Use this command to define default IPv6 address pool name.
 
+.. code-block:: none
 
-Maintenance mode
-================
+  set service pppoe-server ppp-options ipv6 allow
+  set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set service pppoe-server default-ipv6-pool IPv6-POOL
 
-.. opcmd:: set pppoe-server maintenance-mode <enable | disable>
+IPv6 Advanced Options
+=====================
+.. cfgcmd:: set service pppoe-server ppp-options ipv6-accept-peer-interface-id
 
-   For network maintenance, it's a good idea to direct users to a backup
-   server so that the primary server can be safely taken out of service.
-   It's possible to switch your PPPoE server to maintenance mode where
-   it maintains already established connections, but refuses new
-   connection attempts.
+  Accept peer interface identifier. By default is not defined.
 
+.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x>
 
-Checking connections
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
+*********
+Scripting
+*********
+
+.. cfgcmd:: set service pppoe-server extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set service pppoe-server extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set service pppoe-server extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set service pppoe-server extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set service pppoe-server authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set service pppoe-server authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set service pppoe-server authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
 ====================
 
+.. cfgcmd:: set service pppoe-server ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set service pppoe-server ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set service pppoe-server ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset. Default value is **3**.
+
+.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
+
+.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set service pppoe-server ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
+
+.. cfgcmd:: set service pppoe-server ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+.. cfgcmd:: set service pppoe-server ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
+Global Advanced options
+=======================
+
+.. cfgcmd:: set service pppoe-server description <description>
+
+  Set description.
+
+.. cfgcmd::  set service pppoe-server limits burst <value>
+
+  Burst count
+
+.. cfgcmd:: set service pppoe-server limits connection-limit <value>
+
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
+
+.. cfgcmd:: set service pppoe-server limits timeout <value>
+
+  Timeout in seconds
+
+.. cfgcmd:: set service pppoe-server mtu
+
+  Maximum Transmission Unit (MTU) (default: **1492**)
+
+.. cfgcmd:: set service pppoe-server max-concurrent-sessions
+
+  Maximum number of concurrent session start attempts
+
+.. cfgcmd:: set service pppoe-server name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+.. cfgcmd:: set service pppoe-server service-name <names>
+
+  Specifies Service-Name to respond. If absent any Service-Name is
+  acceptable and client’s Service-Name will be sent back. Also possible
+  set multiple service-names: `sn1,sn2,sn3`
+
+Per default the user session is being replaced if a second
+authentication request succeeds. Such session requests can be either
+denied or allowed entirely, which would allow multiple sessions for a
+user in the latter case. If it is denied, the second session is being
+rejected even if the authentication succeeds, the user has to terminate
+its first session and can then authentication again.
+
+.. cfgcmd:: set service pppoe-server session-control
+
+  * **disable**: Disables session control.
+  * **deny**: Deny second session authorization.
+  * **replace**: Terminate first session when second is authorized **(default)**
+
+.. cfgcmd:: set service pppoe-server shaper fwmark <1-2147483647>
+
+  Match firewall mark value
+
+.. cfgcmd:: set service pppoe-server snmp master-agent
+
+  Enable SNMP
+
+.. cfgcmd:: set service pppoe-server wins-server <address>
+
+  Windows Internet Name Service (WINS) servers propagated to client
+
+**********
+Monitoring
+**********
+
 .. opcmd:: show pppoe-server sessions
 
    Use this command to locally check the active sessions in the PPPoE
@@ -328,30 +596,12 @@ Checking connections
   ppp0   | foo      | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B
 
 
-Per default the user session is being replaced if a second
-authentication request succeeds. Such session requests can be either
-denied or allowed entirely, which would allow multiple sessions for a
-user in the latter case. If it is denied, the second session is being
-rejected even if the authentication succeeds, the user has to terminate
-its first session and can then authentication again.
-
-.. code-block:: none
-
-  vyos@# set service pppoe-server session-control
-    Possible completions:
-    disable      Disables session control
-    deny         Deny second session authorization
-
-
-
-
-
-
+********
 Examples
-========
+********
 
 IPv4
-----
+====
 
 The example below uses ACN as access-concentrator name, assigns an
 address from the pool 10.1.1.100-111, terminates at the local endpoint
@@ -372,7 +622,7 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint
 
 
 Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation
---------------------------------------------------------
+========================================================
 
 The example below covers a dual-stack configuration via pppoe-server.
 
@@ -403,3 +653,5 @@ a /56 subnet for the clients internal use.
    ppp0   | test     | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb |            | active | 00:00:49 | 875 B    | 2.1 KiB
 
 .. include:: /_include/common-references.txt
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file