I had no success to make a PPPoE connection, when the wan interface is bridged to bridge1 the pppoe-client turns red saying it should not be on a slave interface..
But there is no reason to put the interface named wan to a bridge. The hierarchy is ether1 (physical interface) to which the tagged side of /interface vlan name=wan is connected, and to the tagless side of that /interface vlan the /interface pppoe-client name=pppoe-out1 is connected. The /interface pppoe-client gets an IP address from the ISP (check that using /ip address print) and the routing together with NAT will provide connection of devices in the VLANs to internet.
The internet connections was terminated when i plugged the router, i had to reboot it to make it run again.
I have removed the ether1 from the bridge and still can not establish a PPPoE connection.
You’ve plugged the router in parallel to existing one? Show a diagram of the existing setup, the new setup and how you interconnect them. My whole understanding so far was that you connect ether1 to the wire coming from the ISP on which the PPPoE is in vlan 959 instead of the original router. You usually cannot have several PPPoE clients using the same account simultaneously.
The diagram that i posted earlier is what the setup should look like, i tested the setup via a switch (not router) connected to the ISP as you said in parallel, the reason for this is i didn’t want any unnecessary down time for the network. So, i understand from you that i should test it directly to ISP.
I don’t know how to explain that if I don’t understand the current setup, I cannot suggest one for the Mikrotik replacing/extending the current setup.
If you connect the Cisco to the cable from the ISP box directly, instead of putting Mikrotik in between, does it work? Where is the PPPoE client in the current setup? On the Cisco, in the ISP box, in one of the PCs connected to Cisco?
If i connect a PC directly to the cable from the ISP the PPPoE will work, if i plug the cable into a switch and connect a PC to that switch the PPPoE works, if i separate internal networks via physical ports like how i did here>> Connecting multiple networks. - #26 by digitalinee the PPPoE will work again. The problems starts when VLANS involve in the equation.
The cisco switch if plugged directly to the isp distribution switch will work okay and provide service as well but it will keep showing notifications every minute in the CLI of native vlan mismatch 959, it will gone if i switchport all the ports to vlan 959.
So does it mean tagged or untagged?
As all the PPPoE clients run on the PCs directly, all the PCs must be connected directly into VLAN959. This was not clear from the initial information, so I was expecting that the PCs have normal static or DHCP IP configuration and there is a router between the private IP subnets each living on one of the VLANs and the uplink subnet.
More than that, I’m not sure how it could actually work in the original state (without the Mikrotik) and what do you want to achieve by inserting the Mikrotik into the scheme. Please post the output of show running-config from the central Cisco in the picture and any single one of those to which the PC client is connected, and separately give the names/numbers of the ports used (to which port of the satellite Cisco the PC is connected, which ports of the sattellite Cisco and the central one are used for their interconnection, which port of the central Cisco is connected to the ISP Cisco).
It seems to me that the VLANs on the Ciscos are actually unused and everything actually lives because the default VLAN is the same on all the Ciscos, so the PPPoE communication runs tagless on all cables.
It is my bad that i didn’t told you that what i’m asking here is for upgrading the current network, it is not what the actual current network setup is.
The current setup is a simple layer 2 switch environment for all clients on default VLANs i didn’t even switch them to VLAN 959, and they work just fine to connect to PPPoE server.
All what i was posting here was happening in a test environment with totally different physical devices for testing purposes only away from the actual network devices, so as soon as it works i will transfer the setup to the actual network.
This is the current actual setup:
Note that the clients are over 100 but for demonstration and simplicity i use 9 only.
OK, so we’re getting somewhere. The purpose of ID-based VLANs is to isolate several L2 address spaces using the same physical infrastructure from each other, but all the PPPoE clients and their PPPoE server must all share the same L2 address space. So in the current configuration, all the PPPoE clients must be connected to VLAN 959 directly, or some of the elements would have to translate between VLAN ID 959 on one side and some other VLAN ID on the other side. But you can not use any kind of VLAN translation to make all the PCs see the PPPoE server but not see each other.
As most Windows network card drivers do not understand the idea of VLAN tagging, you also cannot let the PPPoE clients on the Windows to use one VLAN ID and attach some other IP address to another VLAN ID on the same Ethernet interface of the PC, allowing the internal communication between the PCs to use that other VLAN ID (or more VLAN IDs if you would like to set some restrictions on which PCs can talk to which other ones).
So one possibility would be to set the Mikrotik to run one PPPoE server in each of the 10 VLANs, let the PCs from that VLAN to connect to that Mikrotik using PPPoE, and let the Mikrotik use its local PPPoE clients to connect to the ISP’s server in the name of each of the PCs. Another possibility could be to let only the PPPoE frames leak between the VLANs using some kind of bridge filters, but it is only a theoretical idea I haven’t thought through thoroughly.
So please provide the description regarding the application layer purpose of partitioning your network for which you wanted to use the VLANs so that we could find an optimal method of achieving that goal.
Hi Sindy!!
Please consider this setup that works perfectly, it uses physical interfaces so it is limited to the number of ports on the router .
My requirement is a duplicate setup that uses VLANs instead of physical interfaces.
That’s nice, as it confirms what I’ve expected - the PPPoE clients are all in the same VLAN like the PPPoE server. But this setup would work even without the IP addresses. So the question is what is the role of the IP addresses you’ve assigned to interfaces given that the PCs get their IP addresses from the PPPoE server. Leaving aside that IP addresses assigned to interfaces which are member ports of bridges do not work, or rather half-work.
The IP addresses are needed in order to communicate via layer 3 between these networks, ether1 (WAN) horizon is 1, ether2 horizon is 2, others are 3, ether2 is for admin for now so he could access all networks.
The PPPoE IPs are received from the ISP PPPoE server and they are not concerning me, all i want is to clear the way between the client and the ISP PPPoE server.
So the goal is to maintain communication between the PCs at L3 on the subnet addresses and additionaly isolate these subnets at L2 using VLANs, but at the same time preserve the visibility between all the PPPoE clients and the PPPoE server, which would mean to use another VLAN ID for the PPPoE traffic than for the L3 one, while the PCs send both the frames carrying L3 packets the frames carrying PPPoE untagged.
I could imagine how to do this at the switch ports to which the PCs are connected, where the ingress frames could be tagged to the correct VLAN depending on their ethertype, i.e. frames with one of the PPPoE ethertypes would be tagged with VLAN 959 and frames with IP ethertype would be tagged with e.g. VLAN 10. On egress, frames with either VID would be untagged. This would of course require that such L2 translation capability would be supported by the switch.
The same could still be achieved at the ports of the central Cisco if each satellite Cisco would serve only one VLAN, as the translation rules could be individual for each port.
But I have no idea how to achieve this at the central element where already several VLANs come in through the same port. In the PC->ISP direction, you could still remove or rewrite the VLAN tag for PPPoE packets using _/interface ethernet switch rule_s if your Mikrotik model has a switch chip which supports them; but in the ISP->PC direction, no information is available which would allow to choose the correct VID so that the central Cisco switch could forward the frame to the correct satellite Cisco. At L2, there is no equivalent of L3 connection tracking which would allow to dynamically create a mapping context between the MAC address and the VID.
So the only solution I can imagine is the one described earlier, to cut each PPPoE session into two, one between the PC and the Mikrotik and another one between the Mikrotik and the ISP’s PPPoE server, but in this case the Mikrotik would have to “know” all the PPPoE usernames and passwords.
