PPPwn over 2 routers.

[aasd6574]

I have an openwrt router in my room, and want to jailbreak my ps4 in the livingroom.
Openwrt IP address : 192.168.2.0/24
ISP modem Local IP address: 192.168.1.0/24
I have the local networks route together, so it can ping each other, works fine with any other device (SMB share, ssh, etc.)

The openwrt router start the payload, it goes this and get stuck.

[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=wan fw=1100 stage1=/root/PPPwn_WRT-main/stage1_1100.bin stage2=/root/PPPwn_WRT-main/stage2_1100.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization
[] Waiting for PADI...
[] Waiting for PADI...
[+] pppoe_softc: 0xffff970b3cacb200
[+] Target MAC: f8:XX:XX:XX:XX:XX (spoofed for reasons)
[+] Source MAC: 07:XX:XX:XX:XX:XX (spoofed for reasons)
[+] AC cookie length: 4e0
[] Sending PADO...
[] Waiting for PADR...

The payload goes from the second router (Openwrt) 192.168.2.1 -> wan port -> First router (ISP modem LAN port) 192.168.1.100 -> ISP Other lan port -> PS4.
So it can communicate.
But gets stuck... any idea how to fix it, maybe firewall on the ISP modem for getting the packets back or any other settings?
Any of you got the same issue from getting the payload through 2 router/network?

[aasd6574]

Forgot to mention, it works when the openwrt router is directly connected to my ps4.. but I don't want to disconnect it from my room and power on it in my livingroom.

[Tokarak]

That's correct, PPPoe only works when the host is directly connected by ethernet to the client. That means you can have at most a layer 2 ethernet switch in between (which is what I have). A router in between your exploit host and ps4 is a layer 3 ethernet switch, which simply won't do. I haven't checked your network topology, but one solution is installing a PPPoe relay on your router between your exploit host and your ps4.