Beginner PPPoE setup trouble [SOLVED]

RouterOS Beginner Basics
1

This is my first experience doing anything with PPPoE so sorry for the ignorance. I didn’t even know what it was until today. Hopefully my problem is just a simple misconfiguration.

I have a Zyxel VMG4927-B50A in bridge mode, used as a modem for ADSL connection. When the Zyxel is in routing mode, it successfully connects to the ISP Access Concentrator and everything works normally, so connection is proven good. But I would prefer to use the modem in bridge mode and configure my MT devices as the LAN backbone.

Can anyone help me understand why I am not able to connect my hAP AC2 to the ISP network? It gets into an endless loop of “initializing…”, “connecting…”, “authenticated”, “terminating… - hungup” and “disconnected”. I know that bridge mode on the Zyxel is configured correctly, because I can connect a laptop client to it directly and get a good connection using pppoeconf.

I created this MT config by doing a factory reset and not changing the defaults as much as possible. (Basically, just trying different PPPoE settings and eventually realizing I needed to remove the DHCP client).

Configuration:

/export compact
# oct/10/2023 04:02:04 by RouterOS 7.1.3
# software id = N85R-PLG9
#
# model = RBD52G-5HacD2HnD
# serial number = F66B0FA7873F
/interface bridge
add admin-mac=DC:2C:6E:C7:6F:B9 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-C76FBD wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-C76FBE wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=120 \
    max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=[REDACTED]
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
set *0 bridge=bridge use-ipv6=default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Doing a scan
/interface pppoe-client scan ether1
successfully finds the appropriate AC

And the log is just these lines over, and over again:

/log print
 04:03:21 pppoe,ppp,info pppoe-out1: terminating... - hungup
 04:03:21 pppoe,ppp,info pppoe-out1: disconnected
 04:03:31 pppoe,ppp,info pppoe-out1: initializing...
 04:03:31 pppoe,ppp,info pppoe-out1: connecting...
 04:03:37 pppoe,ppp,info pppoe-out1: authenticated
 04:03:38 pppoe,ppp,info pppoe-out1: terminating... - hungup
 04:03:38 pppoe,ppp,info pppoe-out1: disconnected
 04:03:48 pppoe,ppp,info pppoe-out1: initializing...
 04:03:48 pppoe,ppp,info pppoe-out1: connecting...
 04:03:54 pppoe,ppp,info pppoe-out1: authenticated
 04:03:54 pppoe,ppp,info pppoe-out1: terminating... - hungup
 04:03:54 pppoe,ppp,info pppoe-out1: disconnected

And my sorrow:

/ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 8.8.8.8                                                      timeout       
    1                                                              no route to...
    2                                                              no route to...
    3                                                              no route to...
    sent=4 received=0 packet-loss=100%

All help or suggestions greatly appreciated! Thank you

2

If it’s anything like my ISP there seems to be some sort of a restriction on the MAC or Device Identifier that can connect. You may need to wait for it to expire before trying again.

I usually have to wait 30 minutes and then try again if I change my router.

3

That’s a good idea, but it doesn’t seem to fix it. My ISP confirmed that shouldn’t be an issue, and I also tested it by logging in with another device and that MAC was accepted immediately. I also tried my MT device after waiting overnight and it still wasn’t connecting.

4

Well, I think I found the problem. My pppoe-out1 interface was configured with max MTU of 1492 as required, but ether1 (WAN port of course) was configured with MTU of 1500. I changed ether1 to 1492 and then it was able to get a good connection. If I change ether1 mtu back and forth between 1500 and 1492, I can reliably break or fix the connection. Interesting that I had not seen note of this requirement anywhere else.

5

If you have a contact in your ISP ask them if they support Baby Jumbos

If they do you can set your ether1 MTU to 1508 and then your ppp-out1 interface to have an MTU of 1500

Will reduce packet fragmentation if they do support it.

FWIW I never had to change the interface MTU before. Just the MTU of the PPPoE interface. Interesting.

6

Thanks for this tip, I will ask them!

Also to anyone troubleshooting this in the future, remember to make sure that pppoe-out1 (or whatever you call your pppoe interface) is added to the WAN list, or else the firewall will block return traffic to your LAN clients (though your MT router will appear to work).