Here is the setup:

# 1 MT on RB532 with 2 Wireless cards and one lan connected to "Internet" router (WAN, ip:10.0.0.1).
# Both cards are in AP-bridge mode with static WDS (2 APs connected to first and 1 AP to second wifi card).
# All APs in network (some connected thru WDS some as Clients) have static IP addresses - 10.1.0.x and 10.2.0.x depending to wich wireless card they are connected.
# wifi card and its WDS clients are in the bridge (so there are two bridges) with ip:10.1.0.1 and 10.2.0.1
# there are DHCP Servers on both bridges, leasing addresses to clients in their pool (10.1.0.100-10.1.0.200 and 10.2.0.100-10.2.0.200) - e.g. client get an ip:10.1.0.195, mask:255.255.255.0 and gw:10.1.0.1 (ip of the bridge)
# on WAN interface (lan conn. to Internet) arp is set to Proxy-Arp
# no rules in Firewall-NAT, and some basic security rules in Firewall-Filter Rules
# only one Simple Queue limmiting WAN connection
# default ROUTE is 10.0.0.nn (ip of Internet Gateway), 10.0.0.0/24 to 10.0.0.1 for WAN, 10.1.0.0/24 to 10.1.0.1 for bridge1 and 10.2.0.0/24 to 10.2.0.1 for bridge2

problem is : USERS DO SEE Internet BEFORE connecting to PPPoE !!!!
question is : W H Y ??

Where did I go wrong While I had only ONE wireless card everythig worked just fine ... and now, First I tryed to put both wireless interfaces and all of WDS APs in one bridge - and since then, I have this problem... I solved it by DROPping all the trafic going from 10.1.0.x and 10.2.0.x to the router and just leaving PPPoE connections (they get 10.0.0.x addresses) ....

HELP,
Dejan

Help? Someone? Please!

<< USERS DO SEE Internet BEFORE connecting to PPPoE >>

We have a similar problem we are trying to figure out for weeks now.
Mikrotik support has been of little help.

Good luck...


SMA

<< USERS DO SEE Internet BEFORE connecting to PPPoE >>

We have a similar problem we are trying to figure out for weeks now.
Mikrotik support has been of little help.

Good luck...


SMA

--------
Hai, Friends,
Oooooo very dangers...!

I thing better you will try with 'dynamic ip' to supply all network from base to other base [e.g: ap-to-station or ap-to-ap], don't use dhcp on default route base, cause that dhcp make auto config to your user. and better too when your senario with difference subnet to manage your network, and has any rule.

why you don't use hotspot server as dhcp methode....?, and you can use hotspot and pppoe with one phisical NIC. of course..

here, we are running in one NIC: static, dynamic, dhcp[hotspot], and pppoe supply to any clients public and private IPs over ethernet & wireless, and manage all user with 'mikrotik-userman' as Radius Server.

from begin until now, we don't have problem like yours...?

again, that's very dangers..

regards
Hasbullah.com
------------

<< USERS DO SEE Internet BEFORE connecting to PPPoE >>

We have a similar problem we are trying to figure out for weeks now.
Mikrotik support has been of little help.
SMA

--------
Hai, Friends,
Oooooo very dangers...!

I thing better you will try with 'dynamic ip' to supply all network from base to other base [e.g: ap-to-station or ap-to-ap], don't use dhcp on default route base, cause that dhcp make auto config to your user. and better too when your senario with difference subnet to manage your network, and has any rule.

why you don't use hotspot server as dhcp methode....?, and you can use hotspot and pppoe with one phisical NIC. of course..

here, we are running in one NIC: static, dynamic, dhcp[hotspot], and pppoe supply to any clients public and private IPs over ethernet & wireless, and manage all user with 'mikrotik-userman' as Radius Server.

from begin until now, we don't have problem like yours...?
------------

If I understand well, you suggest not to use DHCP Server on MT (because it automaticly adds routes for addresses it leases?) but to use DHCP Server<s> on APs or somewhere else???

Interesting - I think that, if, one puts FIXED ip - it doesn't "see" Internet before logging to PPPoE...

Maybe, I (we?) should bring down DHCP server and just use PPPoE (since it works w/o specific IP addresses assigned) ... ???

Dejan.

- ip - firewall - ...

on serbian - mislim sta vishe reci .. pobi govna korisnichka u firewall-u bre..
on english - try to stop dear customer's using firewall rulez ...

on serbian - stvarno si lik ... bre... znachi u podeshavanju DHCP-a izbrishi stavku GW .. znachi ako nemaju izlaz ka tebi i ne znaju gde da shalju podatke ...
on english - your error is that you have enter GW in DHCP configuration ...


on seribian - upali malo mozak ako vec hocesh budesh provajder ...
on english - best luck ..

If you are running dhcp on an interface and PPPoE then the users ethernet interface will try to connect dhcp while the PPPoE virtual interface will connect seperately from DHCP. DHCP is not needed with PPPoE because you can assign ips out of pools and be dynamic anyway. I personally use bogus addresses in my PPPoE Local IP since it does not matter and an off network IP for my Interface IP. Without a route for return traffic, they can not get to the internet connecting through that interface unless they connect PPPoE. Unfortunately DHCP and PPPoE dont mix well because DHCP is open.

As tr said, you can have DHCP as long as you do not give it a gateway. That can help catch dhcp requests. I just do not personally use any dhcp at all and I block everything coming in my interface.

...
As tr said, you can have DHCP as long as you do not give it a gateway. That can help catch dhcp requests. I just do not personally use any dhcp at all and I block everything coming in my interface.

Right! I got it!

Still I'll have to change something in case they "remembered" what gateway was ... change local address ranges!

Will try today, write if successfull

on serbian - mislim sta vishe reci .. pobi govna korisnichka u firewall-u bre..
on english - try to stop dear customer's using firewall rulez ...

Right, I did that, but I don't feel that solution is right

on serbian - stvarno si lik ... bre... znachi u podeshavanju DHCP-a izbrishi stavku GW .. znachi ako nemaju izlaz ka tebi i ne znaju gde da shalju podatke ...
on english - your error is that you have enter GW in DHCP configuration ...

Will try - guess someone could still manualy put GW - so I gotta change set of IPs used!!?

on seribian - upali malo mozak ako vec hocesh budesh provajder ...
on english - best luck ..

Same to you trt!

If you use an off network IP on your interface (ex. 10.31.89.7) and you do not have a masquerade rule for 10.31.89.0/24 or whatever, then the user will have to connect via a 10.31.89.0 rule to get on and no matter what gateway they type they will not make it out because they are not masqueraded.
Plus, what is the chance of them picking the right ip range and such.

i know official language is english .. but it will be faster on serbian ...

sam problem dolazi od toga sto se tvoja wireless kartica ponasha kao hub..
znachi za pochetak .. NEMORASH korisnicima da dodeljujesh IP preko DHCP-a ako idesh samo na PPPoE ali preduslov tome mora biti da im se ne sudaraju IP a kako ti postignesh .. iskljuchish DEFAULT FORWARD na samoj kartici .. i korisnici i ne znaju jedni za druge ako im kartica ( wireless ) ne forwarduje pakete a ona to nece raditi jerbo je a) iskluchen forward + b) iskljuchena IP ..

tako to rade ISP ...
znachi chitaj bre uputstva imash fantastichan serijal negde na netu .. how to become a ISP ..

mali hint ... ako zelish recimo imate dupli unutrashnji saobracaj itd...
definishesh vishe razlichitih IP klasa za svaki profil .. home64, home128 ...
i onda odreadish queue -> simple -> i za svaku IP generishsh pravilo koje kaze da prema unutrashnjoj mrezi ima duplo vishe saobracaja...
i posle kada svoje pravilo doda sam PPPoE service za neku IP koju je dobio user .. .. prvo pravilo je za unutrashnji itd..
znachi ako imash josh pitanja ... zpetar na bauk tachkica net

i know official language is english .. but it will be faster on serbian ...

sam problem dolazi od toga sto se tvoja wireless kartica ponasha kao hub..
znachi za pochetak .. NEMORASH korisnicima da dodeljujesh IP preko DHCP-a ako idesh samo na PPPoE ali preduslov tome mora biti da im se ne sudaraju IP a kako ti postignesh .. iskljuchish DEFAULT FORWARD na samoj kartici .. i korisnici i ne znaju jedni za druge ako im kartica ( wireless ) ne forwarduje pakete a ona to nece raditi jerbo je a) iskluchen forward + b) iskljuchena IP ..

Jašta, samo što sam ja *glup* pa ne umem da isključim ovo forwardowanje što ga ti pomenu - gde, kome, kako??? Btw, ne kače se svi WiFi karticama već ih ima i u malim mrežama preko switcha i nekog APa stavljenog u klijentski odnosno WDS mod (da bi prošla 2 ili više PPPoE-a) ...

tako to rade ISP ...
znachi chitaj bre uputstva imash fantastichan serijal negde na netu .. how to become a ISP ..

Moraću da ga nađem

mali hint ... ako zelish recimo imate dupli unutrashnji saobracaj itd...
definishesh vishe razlichitih IP klasa za svaki profil .. home64, home128 ...
i onda odreadish queue -> simple -> i za svaku IP generishsh pravilo koje kaze da prema unutrashnjoj mrezi ima duplo vishe saobracaja...
i posle kada svoje pravilo doda sam PPPoE service za neku IP koju je dobio user .. .. prvo pravilo je za unutrashnji itd..

Ovo ću morati još pe'-šes' puta da pročitam dok shvatim šta je pisac hteo da kaže ... a baš sam se pitao kako da im dam "veći" u lokalu

znachi ako imash josh pitanja ... zpetar na bauk tachkica net

Puštio sam ti emajla!

Jašta, samo što sam ja *glup* pa ne umem da isključim ovo forwardowanje što ga ti pomenu - gde, kome, kako??? Btw, ne kače se svi WiFi karticama već ih ima i u malim mrežama preko switcha i nekog APa stavljenog u klijentski odnosno WDS mod (da bi prošla 2 ili više PPPoE-a) ...

znachi winbox, interface, wlan1, wireless ... dole pred kraj imash
opciju [Default Forward]
...

a za ostale ... morash da odlichish jesi li komnjuniti ili si ISP ... znachi ako si ISP onda morash da postavish mrezu tako da imash kontrolu ...
sto se tiche switcheva... imash sad jeftine 8 portne za 40e koji imaju opciju MTU ... da se nevide medjusobom portovi nego sve ide preko tebe pa kome ti dozvolish i koliko mrzo medj sobom da rade itd..

Ovo ću morati još pe'-šes' puta da pročitam dok shvatim šta je pisac hteo da kaže ... a baš sam se pitao kako da im dam "veći" u lokalu

zapravo je veoma jednostavno .. morash prochitati celo ono uputstvo za mt ..

Puštio sam ti emajla!

nema nishta josh ...

If you use an off network IP on your interface (ex. 10.31.89.7) and you do not have a masquerade rule for 10.31.89.0/24 or whatever, then the user will have to connect via a 10.31.89.0 rule to get on and no matter what gateway they type they will not make it out because they are not masqueraded.
Plus, what is the chance of them picking the right ip range and such.

I think I've done this now OK (I didn't have any masquarading rules at all) - I also put one firewall rule to *accept* packets, just for counting packets/kb with source-address as address range of IPs users get (for wireless connection) - 1MB per day it counts, so, it's OK, users don't have access to Internet before they log into PPPoE

I also added, as trtmrt suggested, no forwarding to my wireless adapters...

The question I have is - is the internet gateway also in a bridge?

If you need the WDS to connect the AP's together (mesh type) then why not try enabling a virtual AP for the clients and don't bridge it.
Add the PPPoE server and the DHCP server on the MT with bogus IP's to the virtual AP.