Failing to vlan tag pppoe-server response

wmike01 · September 9, 2023, 9:50pm

I have been trying to configure my hapAC² to run a pppoe-server on a vlan for several hours. I am failiing at moving the working pppoe-server configuration into the vlan specifically. I want to require my client notebook to use vlan 7 before pppoeing into the network. The use case is academic.

# RouterOS 7.11
# software id = **ELIDED**
# model = RBD52G-5HacD2HnD

/interface bridge
add ageing-time=5m arp=proxy-arp arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no ether-type=0x8100 fast-forward=no frame-types=admit-all \
    igmp-snooping=no ingress-filtering=yes mtu=auto name=pppoe-bridge protocol-mode=none pvid=7 vlan-filtering=yes

/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=pppoe-bridge broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-only-vlan-tagged \
    horizon=none hw=yes ingress-filtering=yes interface=ether4 internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \
    point-to-point=auto priority=0x80 pvid=7 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
    
# egress rule
/interface bridge vlan
add bridge=pppoe-bridge disabled=no tagged=ether4,pppoe-bridge untagged="" vlan-ids=7

and a pppoe-server on that bridge:

/interface pppoe-server server
add default-profile=profile1 disabled=no interface=pppoe-bridge max-mtu=1492 one-session-per-host=yes service-name=ppoe-service

I have a linux connected to ether4 with a wireshark on the pyhsical eth2 (watching both tagged and untagged traffic) while trying to pppoe-discover on vlan 7 (eth2.7).

What I would expect is that vlan 7 gets stripped from the request then answered by the pppoe-server. The untagged reply should then be tagget before being sent out through ether4 due to the egress rule.

What I see on wireshark is a request on VLAN 7 but an untagged reply.

I did try to create a VLAN7 interface on the bridge and run the pppoe-server on that instead with no success. All switch port settings are on their default (vlan-mode disabled, vlan-header leave-as-is). I followed the very detailed setup explanation at https://www.youtube.com/watch?v=YMwOrc0LDP8.

What am I missing?

mkx · September 10, 2023, 8:57am

You configured pppoe-bridge with pvid=7, you’re using pppoe-bridge to bind pppoe-server (so indeed pppoe-bridge is used as access port) … so you should configure pppoe-bridge as untagged port of VLAN 7 in /interface/bridge/vlan.

BTW, each bridge port (excluding pppoe-bridge CPU-facing bridge port) has its own ingess settings (under /interface/bridge/port, for CPU-facing bridge port they are part of bridge definition under /interface/bridge, the ones whose names match properties for other bridge ports) and egress settings (under /interface/bridge/vlan, which includes CPU-facing bridge port).

wmike01 · September 10, 2023, 5:15pm

The idea that pppoe-brdige should be tagget was from the mentioned video (12:54).

I changed it to untagged and tried both same entry and two entries variants:

# trial 1
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE        VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 pppoe-bridge         7  ether4                          
1 pppoe-bridge         7                  pppoe-bridge   

# trial 2
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE        VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 pppoe-bridge         7  ether4          pppoe-bridge

Still the same - replies being sent untagged.