Correct order of interfaces for PPPoE/VLAN-ISP connections?

Hi everyone,

Quick one:
I’m dealing with an ISP who’s providing PPPoE connections and requires VLAN7. Using a hEX on ROS7.13.5.
Can’t test yet because the link activation will follow in the next days and I’m working in preparation.

So, my current idea is
Interface contains
is attached to
is running on
is running on feeding an IPv6 pool of /64 from a /56 prefix delegation
Interfaces to are member of
Traffic is routed between and

Does the setup make sense?
Not sure if the PPPoE-client needs to be inside the VLAN-interface or on the port element…

Hi,
I would suggest you start off with the default MikroTik config.
Then

Interface contains
is attached to
Enable dns client on , (review settings of pppoe-out1)

is running on ** Changed **
and both made to be members of the WAN interface list.
Disable the default dhcp client on

Also change LAN ip address settings and dhcp server settings as required.

Disable detect internet.

** not this is running on ** pppoe has its own ip address assignment **

Trying to clear the picture of proper interface order. Think of layers:


  1. You’re trying to send IP packets. PPPoE offers a WAN IP interface. So PPPoE wraps the IP packet in a pppoe “box”.
  2. Your ISP requires you to use VLAN to transport pppoe “boxes”, so pppoe has to be pipelined to a vlan interface. The vlan interface wraps whatever payload (in your case pppoe “boxes”) with a vlan wrapper.
  3. You want to connect the ISP CPE and that device uses ethernet RJ45 ports. So you have to connect that gadget to one of the ethernet ports; ether1 is a very good selection. And those vlan-wrapped “boxes” have to be pipelined to the chosen ethernet port (which then wraps an ethernet wrap around the vlan-wrapped pppoe “box” …)

So in your case: ether1 → vlan → pppoe → IP/IPv6 (e.g. dhcpv6 client)

Now when it comes to firewall and its default use of interface lists: firewall works with IP packets. In your use case, those packets come out of (and go into) the PPPoE interface. All of the above-mentioned boxing and wrapping is irrelevant to IP packets at this stage, so for “proper packet flow” only the pppoe interface has to be a member of the WAN interface list.
But: all the wrappers and boxers can deliver also something not expected and that something may drop out of wrapping pipelines into router’s packet processing engine. One should create firewall rules which block those “fall-outs” … default firewall already does it (the ultimate “action=drop in-interface-list=!LAN” rule). Adding “pipeline interfaces” to WAN interface list doesn’t change this behaviour, it only helps with NAT to allow communication with devices behind those layers (e.g. management access to CPE which is most often possible via untagged access over same interface which carries tagged pppoe boxes).
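
The layering from the post above (ether1 → vlan → pppoe → IP/IPv6) written out as RouterOS 7 commands. This is an added example, not configuration posted by anyone in the thread; it assumes the default configuration with its `WAN`/`LAN` interface lists and LAN bridge named `bridge`, and the names `vlan7-isp` and `isp-pd` and the credentials are placeholders.

```routeros
# Added example: interface names, pool name and credentials are placeholders.

# ether1 is the physical port facing the ISP CPE. The default config runs a
# DHCP client on it; with PPPoE that client is not used, so disable it.
/ip dhcp-client disable [find interface=ether1]

# VLAN 7 is stacked on the physical port: it tags whatever is sent through it.
/interface vlan add name=vlan7-isp interface=ether1 vlan-id=7

# The PPPoE client is stacked on the VLAN interface, not on ether1, so the
# PPPoE frames leave the router tagged with VLAN 7.
/interface pppoe-client add name=pppoe-out1 interface=vlan7-isp \
    user="ISP-USERNAME" password="ISP-PASSWORD" \
    add-default-route=yes use-peer-dns=yes disabled=no

# IP packets enter and leave through pppoe-out1, so that is the interface the
# firewall's WAN list needs. vlan7-isp and ether1 are not required here for
# packet flow; they only matter for NAT toward devices behind those layers,
# such as the CPE's management address.
/interface list member add list=WAN interface=pppoe-out1

# IPv6 also runs on top of PPPoE: request the delegated prefix on pppoe-out1
# and carve /64 networks out of it into a pool.
/ipv6 dhcp-client add interface=pppoe-out1 request=prefix \
    pool-name=isp-pd pool-prefix-length=64 add-default-route=yes

# Give the LAN bridge one /64 from that pool and advertise it to clients.
/ipv6 address add interface=bridge from-pool=isp-pd address=::1/64 advertise=yes
```

After the link comes up, `/interface pppoe-client monitor pppoe-out1` shows whether the session established, and the default `in-interface-list=!LAN` drop rule still covers anything arriving on `ether1` or `vlan7-isp` outside the PPPoE session.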

Thanks guys 🙂
Both very good answers.

I’ve figured it out as well by now.

@rplant:
Started with a Quick Set setup.