
Open your router's admin page. You'll see something like this:
Connection Name IP Method IP Address Subnet Mask
INTERNET_R_VID_ PPPoE 10.1.1.143 255.0.0.0IP Method: PPPoE. Not DHCP, not a static IP — it says "dial-up."
You might wonder: the fiber is plugged in, the Ethernet cable is connected — why does it still need to "dial"? What does this have to do with the screeching modem sounds of the 90s? And what exactly is the ISP doing during this dial-up process?
This article tears down the complete PPPoE workflow, frame by frame, from the moment you plug in the fiber to the moment your router gets an IP address.
tcpdump
Basic understanding of IP address allocation (how DHCP assigns IPs)
Familiarity with VLAN concepts (helpful but not required)
Imagine you've just moved into a new apartment. The ISP technician plugs the fiber into your ONT (Optical Network Terminal). You power it on. In the router admin page, the WAN port status says "Connecting..."
A few seconds later, "Connecting..." becomes "Connected," and the IP address field shows 10.1.1.143. Your phone connects to Wi-Fi, and you're online.
The question is: in those few seconds, what information did your ONT and the ISP's equipment exchange?
You might think: it's just a DHCP broadcast, the ISP replies with an IP, done. But it's more nuanced than that — the ISP needs to know who you are, whether you've paid your bill, and which IP range to assign you. DHCP alone can't do any of this. That's the problem PPPoE solves.
In a LAN, a device broadcasts a DHCP discover, and the router casually assigns an available IP. This model doesn't cut it for an ISP:
① Authentication is required. The ISP needs to know "which paying customer is this?" DHCP only looks at MAC addresses, and MAC addresses can be spoofed — swap your router and you can impersonate your neighbor.
② Precise accounting is required. Billing by time or by data volume? DHCP only handles the one-time IP assignment and doesn't track subsequent usage.
③ Precise control is required. If your payment is overdue, the ISP needs to kick you off. With DHCP, they'd have to wait for the lease to expire before reclaiming the IP — during which time you'd still have access.
PPPoE, designed in 1999, solves all three. It wraps PPP (Point-to-Point Protocol) inside Ethernet, using PPP for authentication and IP assignment, and Ethernet for the underlying transport.
An analogy:
DHCP = Walking into a mall. Nobody asks who you are.
You get a visitor badge and can browse.
PPPoE = Walking into a bank. Show your ID (authentication).
The teller verifies you're a customer (authorization).
They give you a queue number (IP assignment).
Every transaction is logged (accounting).PPPoE frame structure is like a Russian nesting doll. A normal IP packet destined for the internet goes through this encapsulation:
┌──────────────────────────────────────────┐
│ Ethernet Header │
│ Dest MAC: BRAS MAC │
│ Src MAC: ONT WAN port MAC │
│ Type: 0x8864 (PPPoE Session) │
├──────────────────────────────────────────┤
│ PPPoE Header │
│ Version: 1 │
│ Type: 0x00 (data) │
│ Code: 0x00 │
│ Session ID: 0x0003 │
├──────────────────────────────────────────┤
│ PPP Header │
│ Protocol: 0x0021 (IPv4) │
├──────────────────────────────────────────┤
│ IP Packet │
│ Src: 10.1.1.143 │
│ Dest: 151.101.2.133 (github) │
├──────────────────────────────────────────┤
│ TCP Segment + HTTP Data │
└──────────────────────────────────────────┘Compare with a normal LAN frame:
Normal LAN frame: [Ethernet Header | IP | TCP]
PPPoE frame: [Ethernet Header | PPPoE | PPP | IP | TCP]
↑ two extra layers ↑The Ethernet type field changes from 0x0800 (IPv4) to 0x8864 (PPPoE Session) or 0x8863 (PPPoE Discovery). When a router or BRAS sees this value, it knows: "This isn't a normal IP packet. It's a PPPoE packet — I need to strip two headers before I reach the IP layer."
When the ONT first powers on, its WAN port has only a MAC address, no IP. It has no idea which device on the ISP side to talk to. Step one is paging — broadcasting on Ethernet: "Is there a PPPoE server out there?"
This phase uses four packet types, all with Ethernet type 0x8863 (PPPoE Discovery):
Your ONT ISP BRAS
│ │
│──── PADI (broadcast) ─────────────────────→│
│ Dest MAC: FF:FF:FF:FF:FF:FF │
│ "Is there a PPPoE server?" │
│ │
│←── PADO (unicast) ────────────────────────│
│ "I'm here. I offer PPPoE. My MAC is XX"│
│ ← ONT now knows the BRAS MAC address │
│ │
│──── PADR (unicast) ───────────────────────→│
│ "OK, I want to connect to you" │
│ │
│←── PADS (unicast) ────────────────────────│
│ "Accepted. Your Session ID is 0x0003" │
│ ← Discovery phase ends. Session begins │Why is PADI a broadcast? Because the ONT has no idea where the BRAS is when it starts. This is the same logic as DHCP discovery — shout first, and the one that answers becomes your target. But unlike DHCP, once the BRAS is found and its MAC is known, all subsequent communication is unicast.
MAC addresses used by each packet:
PADI: Dest MAC = FF:FF:FF:FF:FF:FF (broadcast) ← the only broadcast
PADO: Dest MAC = ONT MAC ← directed reply
PADR: Dest MAC = BRAS MAC ← directed request
PADS: Dest MAC = ONT MAC ← directed confirmationAfter the Discovery phase, the ONT and BRAS share a Session ID. From this point forward, all frames use type 0x8864 (PPPoE Session), and the payload is PPP protocol data.
Before any IP packet can be transmitted, the PPP layer must complete three tasks:
Similar to TCP's three-way handshake, but much simpler. Both sides' PPP modules exchange Configure-Request/Ack messages to negotiate the Maximum Receive Unit (MRU), compression options, and authentication protocol:
ONT BRAS
│── LCP Configure-Request ────────────→│ "I support MRU=1492, Auth=PAP"
│←── LCP Configure-Ack ───────────────│ "Agreed"
│←── LCP Configure-Request ───────────│ "I support MRU=1492, Auth=PAP"
│── LCP Configure-Ack ────────────────→│ "Agreed"
│ │
│ LCP complete. Link established. │Authentication is the core reason PPPoE exists. Two options:
PAP (Password Authentication Protocol) — plaintext:
ONT ──→ "Username: 075512345678, Password: 123456" ──→ BRAS
↑ transmitted in plaintext over the wireSimple and straightforward. In theory, an intermediate device could read the password.
CHAP (Challenge Handshake Authentication Protocol) — salted hash:
ONT ←── BRAS sends a random challenge
ONT: md5(challenge + password) = hash
ONT ──→ "Username: 075512345678, Hash: a3f2b8..." ──→ BRAS
BRAS computes the same hash, compares → match = approved
↑ the password itself never appears on the wireMost residential broadband in China uses PAP. In practice, this is not a concern — the PPPoE session runs over a dedicated physical fiber between you and the BRAS. There are no intermediate devices eavesdropping, unless someone physically taps into your fiber line (and if they can do that, they have bigger ways to cause trouble than stealing your broadband password).
After authentication passes, the ONT still has no IP address. This step does not use DHCP broadcasts. Instead, it uses IPCP, a protocol within the PPP stack, negotiated directly inside the PPPoE session:
ONT BRAS
│── IPCP Configure-Request ──────────→│ "Please give me an IP (0.0.0.0)"
│←── IPCP Configure-NAK ─────────────│ "Here you go: 10.1.1.143"
│── IPCP Configure-Request ──────────→│ "OK, I'll use 10.1.1.143"
│←── IPCP Configure-Ack ─────────────│ "Confirmed"DHCP vs. IPCP comparison:
| DHCP | IPCP | |
|---|---|---|
| Communication | Broadcast | Directed within PPPoE session |
| Underlying protocol | UDP (ports 67/68) | Part of the PPP protocol stack |
| What it assigns | IP, mask, gateway, DNS | Primarily IP (gateway & DNS via additional options) |
| Use case | Plug-and-play LAN | Authenticated broadband access |
From ONT power-on to your phone being able to browse:
0ms: ONT powers on, WAN port initializes
100ms: PADI broadcast → "Any PPPoE server?"
120ms: PADO unicast ← "I'm here"
140ms: PADR → "I want to connect"
160ms: PADS ← Session ID = 0x0003
── Discovery phase complete ──
170ms: LCP Configure-Request → "Here are my capabilities"
190ms: LCP negotiation complete, link established
── LCP complete ──
200ms: PAP Request → "Username + Password"
220ms: PAP Success ← "Authenticated"
── Authentication complete ──
230ms: IPCP Request → "Give me an IP"
250ms: IPCP NAK ← "Here's 10.1.1.143"
270ms: ONT receives IP: 10.1.1.143
── All done. Total: ~300ms ──10.1.1.143 Is Not a Public IPNotice the ONT receives 10.1.1.143 — this is an RFC 1918 private address. This means you're behind Carrier-Grade NAT (CG-NAT):
Your ONT (10.1.1.143)
│
▼ NAT #1 (by your ONT — maps 192.168.1.x → 10.1.1.143)
│
ISP BRAS (10.1.1.1)
│
▼ NAT #2 (by the ISP — maps 10.1.1.143 → public IP)
│
The Internet (github.com)Your data passes through two layers of NAT. The public IP belongs to the ISP, not to your home. This is why:
curl ifconfig.me shows a different IP than your router's 10.1.1.143If your router config shows something like this:
Connection Name VLAN/Priority IP Method
TR069_R_VID_4015 4015/7 DHCP
INTERNET_R_VID_ -/- PPPoEThe first connection is the ISP's remote management channel:
Check your WAN connection type
Log into your router admin page (usually 192.168.1.1), find "WAN Settings" or "Network Settings":
10.x or 100.x?Check PPPoE status on OpenWRT (via SSH)
# View PPPoE connection status
ifconfig pppoe-wan
# View full PPPoE logs
logread | grep pppd
# You'll see output like:
# pppd[1234]: Connect: pppoe-wan <--> vlan2Capture PPPoE discovery/session frames
If your router runs OpenWRT or your PC is directly connected to the ONT for dial-up, capture PPPoE frames:
# Capture all PPPoE traffic (discovery + session)
sudo tcpdump -i eth0 'ether proto 0x8863 or ether proto 0x8864' -n -v
# Capture discovery phase only
sudo tcpdump -i eth0 'ether proto 0x8863' -n -vReboot your ONT and watch the packet capture — you'll see the complete PADI/PADO/PADR/PADS exchange.
Confirm whether your WAN IP is private
# Check your router's WAN IP
# (find it in the admin page, or SSH and run ifconfig)
# Compare with your public IP
curl ifconfig.meIf the two IPs differ, you're behind CG-NAT. Check the gateway address your router received — it's usually 10.x.x.1 or 100.x.x.1.
0x8863 (Discovery) or 0x8864 (Session).10.x, 100.x), meaning you're behind Carrier-Grade NAT.PPPoE PPP BRAS LCP IPCP PAP CHAP CG-NAT Session ID PADI PADO PADR PADS
PPPoE solves the problem of "how to connect to the ISP." The 10.1.1.143 you receive may be a private IP, but once you have it, how does your data traverse the ISP's network, pass through multiple routers, and ultimately reach the internet? That's exactly what our network layer section covers.
Continue reading: