OK, first a little background. I have a cable-based internet connection and a DSL-based internet connection. The cable is a single DHCP address and until today my DSL was eight static IP addresses that connect to three separate MT routers. Today, my DSL was changed to a single DHCP address with PPPoE (the change was forced on me). I have never dealt with PPPoE before and am having trouble making it work. My ISP provides this page to assist in setting up a PPPoE connection:
https://secure.dslextreme.com/support/kb/dsl-support/dynamic-ip-pppoe
I set up a new PPP interface in my router with the appropriate data entered and told it to use the interface of my DSL connection. Initially I could not get it to show “Running” at all, until I selected “Dial on demand”. After that the interface shows running and the PPPoE shows a Dynamic IP address. I also set a DHCP client for the DSL connection and that also shows a Dynamic address. If I try to ping 8.8.8.8 from the router using the PPPoE interface, the pings fail, but if I use the DSL as the interface, the pings work. If I try to ping either the DSL address or the PPPoE address from the internet, the pings fail. My firewall rules should allow them.
I cannot get any traffic to route through the router via the DSL or PPPoE interfaces. However, I don’t expect that to work if I can’t even get pings to work. Note that there are several of the VLANs that I have not configured, so I know they won’t work (until today, they were in a different router). Once I am done, only one of the routers will be used.
I’m sure this is just something I don’t understand about PPPoE. Below is a thinned out version of my config. I took out a whole bunch that should make no difference or redacted for security. Any ideas what I am missing???
# mar/13/2019 21:28:21 by RouterOS 6.43.2
#
# model = RouterBOARD 750G r3
# Rename the five physical ports after their role; each entry also sets speed=100Mbps.
/interface ethernet
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
E1-p2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Main cable home LAN" name=E2-p4_101 \
speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi" name=E3-p6_103 \
speed=100Mbps
set [ find default-name=ether4 ] comment="802.1Q trunk" name=E4-p8_802.1Q \
speed=100Mbps
set [ find default-name=ether5 ] comment="Router to Router tie" name=\
"E5 to Router 2" speed=100Mbps
# 802.1Q sub-interfaces, all carried on the E4-p8_802.1Q trunk port.
/interface vlan
add comment="Cable Public WiFi" interface=E4-p8_802.1Q name=VLAN_102 vlan-id=\
102
add comment="Cactus/Red Cross" interface=E4-p8_802.1Q name=VLAN_104 vlan-id=\
104
add comment="Scanner feed" interface=E4-p8_802.1Q name=VLAN_105 vlan-id=105
add comment="Wyze cameras" interface=E4-p8_802.1Q name=VLAN_106 vlan-id=106
add comment="DSL / Cable protected LAN" interface=E4-p8_802.1Q name=VLAN_151 \
vlan-id=151
# VLAN_200 is the DSL uplink: the PPPoE client, a DHCP client and the DSL-side
# firewall, mangle and NAT rules later in this export all name this interface.
add comment="DSL internet" interface=E4-p8_802.1Q name=VLAN_200 vlan-id=200
add comment="DSL Public WiFi" interface=E4-p8_802.1Q name=VLAN_202 vlan-id=\
202
add comment="DSL Private WiFi" interface=E4-p8_802.1Q name=VLAN_203 vlan-id=\
203
add comment="HarpUSA DMR" interface=E4-p8_802.1Q name=VLAN_209 vlan-id=209
# PPPoE client for the DSL line. It creates a separate logical interface named
# "DSL PPPoE" that runs over VLAN_200; the PPPoE-assigned address and the default
# route requested by add-default-route=yes belong to "DSL PPPoE", not to VLAN_200.
# NOTE(review): the firewall filter, mangle, NAT and /ip route entries in this export
# reference VLAN_200 and never "DSL PPPoE". Traffic that enters or leaves over the
# PPPoE session would therefore miss the WAN-specific rules (Attack/ICMP jumps,
# DSL masquerade, DSL forward accepts) -- confirm and re-point them at "DSL PPPoE".
# use-peer-dns=yes accepts the resolvers offered by the ISP over the session.
# The credentials were redacted by hand; "/export hide-sensitive" omits them
# automatically when sharing a config.
/interface pppoe-client
add add-default-route=yes comment="DSL internet PPPoE link" dial-on-demand=\
yes disabled=no interface=VLAN_200 name="DSL PPPoE" password=<redacted> \
use-peer-dns=yes user=<redacted>
# Switch-chip ports: VLAN handling is disabled on all six entries
# (vlan-mode=disabled, default-vlan-id=0).
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
# Interface lists used further down: "discover" by neighbor discovery,
# "mactel" and "mac-winbox" by the MAC server settings.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Default IPsec proposal limited to aes-128-cbc. No IPsec peers or policies
# appear in this thinned export.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# One DHCP pool per internal subnet, each starting at .100
# (20 addresses; 10 for the .104, .105 and .106 networks).
/ip pool
add name=".101 DHCP pool" ranges=192.168.101.100-192.168.101.119
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.109
add name=".106 DHCP pool" ranges=192.168.106.100-192.168.106.109
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.109
add name=".151 DHCP pool" ranges=192.168.151.100-192.168.151.119
add name=".209 DHCP pool" ranges=192.168.209.100-192.168.209.119
add name=".202 DHCP pool" ranges=192.168.202.100-192.168.202.119
add name=".203 DHCP pool" ranges=192.168.203.100-192.168.203.119
# One DHCP server per LAN/VLAN interface, all with 3h leases.
/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E2-p4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E3-p6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".151 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_151 lease-time=3h name=".151 DHCP server"
# NOTE(review): the only server exported without authoritative=after-2sec-delay;
# confirm the difference from the other servers is intended.
add address-pool=".209 DHCP pool" disabled=no interface=VLAN_209 lease-time=\
3h name=".209 DHCP server"
add address-pool=".202 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_202 lease-time=3h name=".202 DHCP server"
add address-pool=".203 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_203 lease-time=3h name=".203 DHCP server"
# NOTE(review): the default SNMP community accepts queries from any source
# (addresses=0.0.0.0/0). Whether SNMP itself is enabled is not shown in this thinned
# export; if it is, restrict this to the management subnet.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Neighbor discovery runs only on interfaces in the "discover" list.
/ip neighbor discovery-settings
set discover-interface-list=discover
# E2-p4_101 is the only member of the two MAC-access lists in this export.
/interface list member
add interface=E2-p4_101 list=mactel
add interface=E2-p4_101 list=mac-winbox
# IP accounting is enabled, including router-local traffic.
/ip accounting
set account-local-traffic=yes enabled=yes
# The accounting snapshot is readable over the web from 192.168.101.0/26 only.
/ip accounting web-access
set accessible-via-web=yes address=192.168.101.0/26
# Static addresses for the internal interfaces. VLAN_104 carries two networks
# (192.168.104.0/24 and 192.168.204.0/24). No static address is set on VLAN_200.
/ip address
add address=192.168.101.251/24 interface=E2-p4_101 network=192.168.101.0
add address=192.168.102.251/24 interface=VLAN_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E3-p6_103 network=192.168.103.0
add address=192.168.211.251/24 interface="E5 to Router 2" network=\
192.168.211.0
add address=192.168.104.251/24 interface=VLAN_104 network=192.168.104.0
add address=192.168.105.251/24 interface=VLAN_105 network=192.168.105.0
add address=192.168.106.251/24 interface=VLAN_106 network=192.168.106.0
add address=192.168.151.251/24 interface=VLAN_151 network=192.168.151.0
add address=192.168.204.250/24 interface=VLAN_104 network=192.168.204.0
add address=192.168.209.251/24 interface=VLAN_209 network=192.168.209.0
add address=192.168.202.251/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.251/24 interface=VLAN_203 network=192.168.203.0
/ip cloud
set update-time=no
# DHCP clients on both uplinks.
# NOTE(review): the second client runs on VLAN_200 alongside the PPPoE client bound to
# the same VLAN. If the ISP service is PPPoE-only this client is presumably not
# needed -- confirm, since it gives the router a second address and path on the DSL side.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
E1-p2_Cable_Internet
add dhcp-options=hostname,clientid disabled=no interface=VLAN_200
/ip dhcp-server lease
<deleted as it should not relate>
# allow-remote-requests=yes makes the router answer DNS queries from other hosts;
# who can reach it is decided by the input chain in /ip firewall filter.
# NOTE(review): 42.2.0.2 is an unusual resolver address -- verify it is the intended one.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,42.2.0.2
/ip dns static
add address=192.168.88.1 name=router
# Address lists (Priviledged, Safe, Black_list and "Manual Blacklist" are referenced
# by the filter rules) were redacted by the poster.
/ip firewall address-list
<redacted>
# Input chain (traffic addressed to the router itself). Rules are evaluated top to
# bottom; the last rule drops whatever was not accepted earlier.
# NOTE(review): every WAN-specific rule here names E1-p2_Cable_Internet or VLAN_200.
# Packets arriving over the PPPoE session come in on "DSL PPPoE", so they would skip
# the Attack and ICMP jumps and the explicit DNS drops -- confirm and add matching
# rules for "DSL PPPoE".
/ip firewall filter
add action=jump chain=input comment=\
"Jump to Attack chain to prevent Port scan and DoS attacks" in-interface=\
E1-p2_Cable_Internet jump-target=Attack
add action=jump chain=input comment=\
"Jump to Attack chain to prevent Port scan and DoS attacks" in-interface=\
VLAN_200 jump-target=Attack
add action=jump chain=input comment=\
"Jump to ICMP chain to prevent being ping flooded." in-interface=\
E1-p2_Cable_Internet jump-target=ICMP protocol=icmp
add action=jump chain=input comment=\
"Jump to ICMP chain to prevent being ping flooded." in-interface=VLAN_200 \
jump-target=ICMP protocol=icmp
# No in-interface match: any ICMP not diverted into the ICMP chain above is accepted
# without a rate limit. As written, that includes ICMP arriving on "DSL PPPoE".
add action=accept chain=input comment=\
"Allow PING on all non-internet interfaces." protocol=icmp
# Explicit DNS drops for the two named WAN interfaces (TCP and UDP port 53).
add action=drop chain=input comment=\
"Drop TCP DNS packets from cable internet" dst-port=53 in-interface=\
E1-p2_Cable_Internet protocol=tcp
add action=drop chain=input comment=\
"Drop UPD DNS packets from cable internet" dst-port=53 in-interface=\
E1-p2_Cable_Internet protocol=udp
add action=drop chain=input comment="Drop TCP DNS packets from DSL internet" \
dst-port=53 in-interface=VLAN_200 protocol=tcp
add action=drop chain=input comment="Drop UPD DNS packets from DSL internet" \
dst-port=53 in-interface=VLAN_200 protocol=udp
# WinBox on TCP 7591: the interface match excludes only the cable WAN
# (!E1-p2_Cable_Internet), so on VLAN_200 and "DSL PPPoE" the Priviledged source
# list is the only restriction. The contents of that list are redacted in this post.
add action=accept chain=input comment=\
"Allow WinBox access to router from IPs on the Priviledged list" \
connection-state=established,related,new dst-port=7591 in-interface=\
!E1-p2_Cable_Internet protocol=tcp src-address-list=Priviledged
add action=accept chain=input comment=\
"Allow established and related connections to router" connection-state=\
established,related
# Catch-all drop. A log-prefix is set but log=yes does not appear in the export,
# so these drops are presumably not logged -- confirm.
add action=drop chain=input comment=\
"Drop any other input packets that get this far" log-prefix=\
"Dropped connection"
# Forward chain (traffic routed through the router). It ends in a catch-all drop,
# so only the accepts below let new connections through.
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
# New connections that matched a dst-nat rule (the port forwards to 192.168.101.11)
# are accepted here.
add action=accept chain=forward comment="Accept all that is DST NATed" \
connection-nat-state=dstnat connection-state=new
# NOTE(review): source NAT is applied after the forward chain, so check this rule's
# counters to see whether it ever matches a new connection.
add action=accept chain=forward comment="Accept all that is Source NATed" \
connection-nat-state=srcnat connection-state=new
# NOTE(review): FastTracked packets bypass mangle, so the SMTP/DSL routing marks set
# in /ip firewall mangle may not be applied to established connections -- confirm
# that policy routing still behaves as intended with this rule enabled.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"Accept established and related packets" connection-state=\
established,related
# Outbound SMTP from 192.168.101.11 is the only .101 traffic allowed out via VLAN_200.
add action=accept chain=forward comment=\
"Allow outbound SMTP traffic from Jupiter to DSL internet" dst-port=25 \
in-interface=E2-p4_101 out-interface=VLAN_200 protocol=tcp src-address=\
192.168.101.11
# Per-network accepts towards the cable uplink.
add action=accept chain=forward comment=\
"Allow outbound traffic from .101 to Cable internet" in-interface=\
E2-p4_101 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from .102 to Cable internet" in-interface=\
VLAN_102 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from .103 to Cable internet" in-interface=\
E3-p6_103 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from .104 to Cable internet" in-interface=\
VLAN_104 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from .105 to Cable internet" in-interface=\
VLAN_105 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from .106 to Cable internet" in-interface=\
VLAN_106 out-interface=E1-p2_Cable_Internet
# DSL-side accepts match out-interface=VLAN_200. Traffic routed out over the PPPoE
# session leaves via "DSL PPPoE" instead and would fall through to the final drop
# -- confirm and re-point these rules.
add action=accept chain=forward comment=\
"Allow outbound traffic from .202 to DSL internet" in-interface=VLAN_202 \
out-interface=VLAN_200
# The comment text says .202, but this rule matches in-interface=VLAN_203.
add action=accept chain=forward comment=\
"Allow outbound traffic from .202 to DSL internet" in-interface=VLAN_203 \
out-interface=VLAN_200
add action=accept chain=forward comment=\
"Allow outbound traffic from .209 to DSL internet" in-interface=VLAN_209 \
out-interface=VLAN_200
# Catch-all drop; no forward accept for VLAN_151 appears in this thinned export.
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
# Attack chain, entered from the input chain for packets arriving on
# E1-p2_Cable_Internet or VLAN_200. Rule order matters: the blacklist and port-scan
# drops run before the Safe-list return, so Safe addresses are still subject to them.
add action=drop chain=Attack comment=\
"Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
"Manual Blacklist" src-address-list="Manual Blacklist"
# psd=21,3s,3,1: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1.
add action=drop chain=Attack comment=\
"Detect and drop TCP port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment=\
"Detect and drop UDP port scan connections" protocol=udp psd=21,3s,3,1
# Safe-listed sources leave the chain here, before the tarpit and the
# automatic blacklisting below.
add action=return chain=Attack comment=\
"Prevent safe IPs from getting tarpitted." src-address-list=Safe
# Sources already on Black_list are tarpitted once they reach the per-/32
# connection limit of 3.
add action=tarpit chain=Attack comment="Suppress DoS attackby tarpitting" \
connection-limit=3,32 protocol=tcp src-address-list=Black_list
# A source reaching the per-/32 TCP connection limit of 10 is added to Black_list
# for one day and the event is logged.
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=Attack comment="Detect DoS attack" \
connection-limit=10,32 log=yes log-prefix="Black list" protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
# ICMP chain, entered from the input chain for ICMP arriving on
# E1-p2_Cable_Internet or VLAN_200. Listed types are accepted up to limit=5,5;
# packets over the limit fall through to the drop rule near the end.
# NOTE(review): limit= is a shared budget rather than a per-source one, so one noisy
# source can use it up for everyone -- confirm this is acceptable.
add action=accept chain=ICMP comment=\
"Accept ICMP type 0:0 (Echo reply) and limit to 5 packets / sec" \
icmp-options=0:0-255 limit=5,5 protocol=icmp
# icmp-options=3:3 is type 3 code 3 (port unreachable); the comment text says
# host unreachable.
add action=accept chain=ICMP comment="Accept ICMP type 3:3 (Destination host u\
nreachable) and limit to 5 packets / sec" icmp-options=3:3 limit=5,5 \
protocol=icmp
# Type 3 code 4 is needed for path-MTU discovery.
add action=accept chain=ICMP comment="Accept ICMP type 3:4 (Fragmentation requ\
ired) and limit to 5 packets / sec" icmp-options=3:4 limit=5,5 protocol=\
icmp
add action=accept chain=ICMP comment=\
"Accept ICMP type 8:0 (Echo request) and limit to 5 packets / sec" \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
"Accept ICMP type 11:0 (Time exceeded) and limit to 5 packets / sec" \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop all other ICMP packets" protocol=\
icmp
# Both jumps into this chain match protocol=icmp and the rule above drops all
# remaining ICMP, so this return is not reached by those packets.
add action=return chain=ICMP comment="Return from ICMP chain"
# Mangle rules that set connection and routing marks for policy routing:
# "SMTP" for outbound mail from 192.168.101.11 and "DSL" for DSL-side traffic.
# The marks select the routing-mark=SMTP / routing-mark=DSL entries in /ip route.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Set SMTP connection mark for outbound SMTP from Jupiter." \
connection-mark=no-mark dst-port=25 new-connection-mark=SMTP passthrough=\
yes protocol=tcp src-address=192.168.101.11
add action=mark-routing chain=prerouting comment=\
"Set SMTP routing mark for packets with SMTP connection mark." \
connection-mark=SMTP new-routing-mark=SMTP passthrough=yes protocol=tcp
# Disabled rule (disabled=yes).
add action=mark-routing chain=prerouting comment=\
"Set SMTP routing mark for outbound reply SMTP from Jupiter." disabled=\
yes new-routing-mark=SMTP passthrough=yes protocol=tcp src-address=\
192.168.101.11 src-port=25
# NOTE(review): matches in-interface=VLAN_200. Inbound traffic on the PPPoE session
# arrives on "DSL PPPoE" and would not receive the DSL connection mark -- confirm.
add action=mark-connection chain=prerouting comment=\
"Set DSL connection mark for inbound packets from DSL." connection-mark=\
no-mark in-interface=VLAN_200 new-connection-mark=DSL passthrough=yes
add action=mark-routing chain=prerouting comment=\
"Set DSL routing mark for packets with DSL connection mark." \
connection-mark=DSL new-routing-mark=DSL passthrough=yes
# Unlike the other mark-connection rules, this one has no connection-mark=no-mark
# condition, so it applies to every packet entering on VLAN_209.
add action=mark-connection chain=prerouting comment=\
"Set DSL connection mark for outbound packets from VLAN 209 to DSL." \
in-interface=VLAN_209 new-connection-mark=DSL passthrough=yes
# Same match and action as the mark-routing rule two entries above.
add action=mark-routing chain=prerouting comment=\
"Set DSL routing mark for packets with DSL connection mark." \
connection-mark=DSL new-routing-mark=DSL passthrough=yes
# Source NAT: masquerade on each uplink, plus hairpin NAT so that LAN clients can
# reach 192.168.101.11 through the router's own address.
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for cable" \
out-interface=E1-p2_Cable_Internet
# NOTE(review): matches out-interface=VLAN_200. Traffic leaving over the PPPoE session
# exits via "DSL PPPoE" and would not be masqueraded by this rule -- confirm and
# re-point it.
add action=masquerade chain=srcnat comment="Masquerade for DSL" \
out-interface=VLAN_200
add action=masquerade chain=srcnat comment="Harpin NAT for HTTP on Jupiter" \
dst-address=192.168.101.11 dst-port=80 out-interface=E2-p4_101 protocol=\
tcp src-address=192.168.101.0/24
add action=masquerade chain=srcnat comment=\
"Harpin NAT to Port 587 on Jupiter" dst-address=192.168.101.11 dst-port=\
587 out-interface=E2-p4_101 protocol=tcp src-address=192.168.101.0/24
# Destination NAT (port forwards) to 192.168.101.11. The port 80 and 587 rules have
# no in-interface, so they apply to any router-local destination address on any
# interface; the forward chain then accepts the connection as dst-NATed.
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \
dst-address-type=local dst-port=80 protocol=tcp to-addresses=\
192.168.101.11 to-ports=80
add action=dst-nat chain=dstnat comment=\
"E-Mail SMTP to SmarterMail on Jupiter from cable." dst-address-type=\
local dst-port=25 in-interface=E1-p2_Cable_Internet protocol=tcp \
to-addresses=192.168.101.11
# NOTE(review): in-interface=VLAN_200; inbound SMTP over the PPPoE session arrives
# on "DSL PPPoE" and would not match -- confirm.
add action=dst-nat chain=dstnat comment=\
"E-Mail SMTP to SmarterMail on Jupiter from DSL." dst-address-type=local \
dst-port=25 in-interface=VLAN_200 protocol=tcp to-addresses=\
192.168.101.11
add action=dst-nat chain=dstnat comment=\
"E-Mail submission to SmarterMail on Jupiter." dst-address-type=local \
dst-port=587 protocol=tcp to-addresses=192.168.101.11
# All listed connection-tracking helpers are disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Policy-routing tables selected by the DSL and SMTP routing marks, followed by
# static routes to networks behind the other routers on 192.168.211.0/24.
# NOTE(review): the marked routes use a fixed gateway (66.51.204.1), a fixed pref-src
# (66.51.204.115) and VLAN_200 as the connected interface. These are presumably left
# over from the former static allocation described in the post; with a dynamic PPPoE
# address the marked traffic would need to use "DSL PPPoE" as its gateway -- confirm.
/ip route
add distance=1 gateway=66.51.204.1 pref-src=66.51.204.115 routing-mark=DSL
add distance=1 dst-address=66.51.204.0/24 gateway=VLAN_200 routing-mark=DSL
add distance=1 gateway=66.51.204.1 pref-src=66.51.204.115 routing-mark=SMTP
add distance=1 dst-address=66.51.204.0/24 gateway=VLAN_200 routing-mark=SMTP
add distance=1 dst-address=192.168.101.8/29 gateway=E2-p4_101 routing-mark=\
SMTP
add distance=1 dst-address=192.168.0.96/28 gateway=192.168.211.250
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.211.250
add comment="Default Mikrotik address range" distance=1 dst-address=\
192.168.88.0/24 gateway=192.168.211.250
add distance=1 dst-address=192.168.131.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.201.0/24 gateway=192.168.211.252
# NOTE(review): 192.168.202.0/24, .203.0/24, .204.0/24 and .209.0/24 are also directly
# connected on this router (see /ip address). The post says those VLANs were on a
# different router until today, so these routes may be leftovers -- confirm.
add distance=1 dst-address=192.168.202.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.203.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.204.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.205.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.209.0/24 gateway=192.168.211.252
# /ip service (which management services are enabled, on which ports and from which
# addresses) was redacted by the poster, so the management exposure cannot be
# reviewed from this export. The redaction marker below is fused with the next
# menu path as pasted.
/ip service
<redacted>/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="RB750Gr3 #1"
/system leds
add interface=VLAN_200 leds="" type=interface-activity
/system ntp client
<redacted>
# RPS is enabled (disabled=no) on all five Ethernet ports.
/system resource irq rps
set E1-p2_Cable_Internet disabled=no
set E2-p4_101 disabled=no
set E3-p6_103 disabled=no
set E4-p8_802.1Q disabled=no
set "E5 to Router 2" disabled=no
/system routerboard settings
set silent-boot=no
/system scheduler
<redacted>
/system script
<redacted>
/tool e-mail
<redacted>
# MAC-Telnet and MAC-WinBox are limited to the "mactel" and "mac-winbox" interface
# lists, whose only member in this export is E2-p4_101.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox