Help with SFP/PPPOE

Hi,

I am trying to set up PPPOE on SFP. I know there is no issue with the SFP/fibre/ISP end, as it works on a TPLINK with a fibre-to-LAN converter. The PADI packets are the problem. I got it working once briefly, but on a reboot it stopped. This is a brand new HEX S 2025. I spoke to the ISP and all settings are correct (no VLAN or servicename needed, MTU is 1492, etc.). I have attached the PPPOE debug log and RIF file in the ZIP.

log.0.txt (32.2 KB)

Any help is appreciated.

Thanks

Hi,

Please remove the supout file. We, as forum users, do not need it, as we do not have tools to analyze it.
It is designed for Mikrotik's support.
If you want help, then show your router's configuration.

Update - internet access is available on the Hex S - ping and dns resolution work, but no network client can access the internet or ping the router on 192.168.88.1. Is this what is needed?

[alex@Mikrotik-GW] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAv 0.0.0.0/0 pppoe-out1 main 1
DAc 100.93.255.255/32 pppoe-out1 main 0
DAc 192.168.88.0/24 bridge-lan main 0
[alex@Mikrotik-GW] > /ip dhcp-server network print
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS GATEWAY DNS-SERVER
0 192.168.88.0/24 192.168.88.1 192.168.88.241
[alex@Mikrotik-GW] > /export show-sensitive

# 2025-12-20 18:52:43 by RouterOS 7.20.6
# software id = LVUW-EYNP
#
# model = E60iUGS
# serial number = xxxxxx

/interface bridge
add name=bridge-lan
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no l2mtu=2048 mtu=1492 speed=1G-baseX
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp1 max-mtu=1492 name=pppoe-out1 password=0524124239 use-peer-dns=yes user=xxxxxx
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax name=ch-2.4ghz skip-dfs-channels=all width=20mhz
add band=2ghz-ax name=ch-2.4 skip-dfs-channels=all width=20mhz
add band=5ghz-ax name=ch-5 skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-lan name=datapath-main
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=xxx-sec passphrase=xxxxx
add authentication-types=wpa2-psk,wpa3-psk name=sec-xxxx passphrase=xxxx
/interface wifi configuration
add channel=ch-2.4ghz country=Israel datapath=datapath-main name=cfg-xxx security=sec-xxx ssid=xxxxxx
add channel=ch-2.4 country=Israel datapath=datapath-main name=cfg-2.4ghz-xxxx security=sec-patnick ssid=xxxxxx
add channel=ch-5 country=Israel datapath=datapath-main name=cfg-5ghz-xxxxxx security=sec-xxxx ssid=xxxxx
/ip pool
add name=dhcp-pool ranges=192.168.88.10-192.168.88.200
add name=lan-pool ranges=192.168.88.10-192.168.88.200
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge-lan lease-time=12h name=dhcp-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=*10
add bridge=bridge-lan interface=*11
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge-lan list=LAN
/interface wifi capsman
set enabled=yes
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=cfg-5ghz-xxxxxx supported-bands=5ghz-ax,5ghz-ac
add action=create-dynamic-enabled master-configuration=cfg-2.4ghz-xxxxxx supported-bands=2ghz-ax,2ghz-n
/ip address
add address=192.168.88.1/24 interface=bridge-lan network=192.168.88.0
/ip dhcp-client
add default-route-tables=main disabled=yes interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.241 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.241
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=Mikrotik-GW
/system logging
add action=disk topics=pppoe,debug
add topics=interface,debug

[alex@Mikrotik-GW] > ping dns.google.com
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 119 2ms475us
1 8.8.8.8 56 119 2ms606us
2 8.8.8.8 56 119 2ms724us
sent=3 received=3 packet-loss=0% min-rtt=2ms475us avg-rtt=2ms601us max-rtt=2ms724us

[alex@Mikrotik-GW] >

I cannot see anything blatantly wrong.

Do the clients receive correctly an IP address from the DHCP server in range 192.168.88.10-192.168.88.200?

Are you testing with a cabled (via ethernet) device or from Wifi? (in case test connectivity first through ethernet)

What does a traceroute/tracert to dns.google.com show from a client device?

There are a few things to clean/correct (but unrelated to the issue you are having) in your configuration:

  1. Duplicate pools:
    /ip pool
    add name=dhcp-pool ranges=192.168.88.10-192.168.88.200
    add name=lan-pool ranges=192.168.88.10-192.168.88.200 <- unused and same as previous one

  2. Leftovers from moving or renaming interfaces:
    /interface bridge port
    ...
    add bridge=bridge-lan interface=*10 <- leftover to be removed
    add bridge=bridge-lan interface=*11 <- leftover to be removed

  3. You have only some input rules in the firewall; are you sure-sure that you want to run the router without firewall forward rules?
    (you really should start from the default Mikrotik firewall set of rules for SOHO devices[1])
    In any case you have some duplicated rules among the few input ones:
    /ip firewall filter
    add action=accept chain=input connection-state=established,related
    add action=accept chain=input in-interface-list=LAN
    add action=drop chain=input <- this is a "drop all else" anything after this in the same chain will be ignored
    add action=accept chain=input connection-state=established,related <-duplicated, remove
    add action=accept chain=input in-interface-list=LAN <-duplicated, remove
    add action=drop chain=input <-duplicated, remove

  4. It is advised to have a MAC set explicitly on the bridge.

[1] that would be Rule #8:
The twelve Rules of Mikrotik Club
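The cleanup points in the reply above can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: the function names are hypothetical, the sample is constructed from the export posted earlier, and the parser only handles unquoted `key=value` pairs on `add` lines.

```python
import re
from collections import defaultdict
# Constructed sample: the relevant sections of the export posted above.
SAMPLE_EXPORT = """\
/ip pool
add name=dhcp-pool ranges=192.168.88.10-192.168.88.200
add name=lan-pool ranges=192.168.88.10-192.168.88.200
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=*10
add bridge=bridge-lan interface=*11
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
"""

def parse_export(text):
    """Group 'add' lines by menu path; each entry becomes a key=value dict."""
    sections, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            sections[path].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections

def audit(text):
    s, findings, seen = parse_export(text), [], {}
    for pool in s["/ip pool"]:
        if pool["ranges"] in seen:
            findings.append(f"pool {pool['name']} duplicates {seen[pool['ranges']]}")
        seen.setdefault(pool["ranges"], pool["name"])
    findings += [f"bridge port references removed interface {p['interface']}"
                 for p in s["/interface bridge port"] if p.get("interface", "").startswith("*")]
    closed = set()  # chains already ended by a rule with no match conditions
    for n, rule in enumerate(s["/ip firewall filter"]):
        if rule.get("chain") in closed:
            findings.append(f"filter rule {n} in chain {rule['chain']} is unreachable")
        elif rule.get("action") in ("drop", "accept", "reject") and set(rule) <= {"action", "chain", "comment"}:
            closed.add(rule.get("chain"))
    if not any(r.get("chain") == "forward" for r in s["/ip firewall filter"]):
        findings.append("no forward-chain rules: routed traffic is unfiltered")
    return findings
```

Rule numbers in the findings are zero-based positions within `/ip firewall filter`, matching the order of the export.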

I'm new to Mikrotik configuration. I've done some more tests. I have a tplink archer ax1500 that shows no internet, but when a laptop is connected to it and dns is set manually to 8.8.8.8 it can connect to the internet and browse. It sees and can ping the Hex S on 192.168.88.1. There is something blocking communication between the hex s and the ax3. I’d appreciate some help in working out what is blocking the connection.

I figured out that my HEX S connects to the ISP, but my LAN clients cannot reach the router or the internet because of a bridge or firewall issue. I made sure all LAN ports are in the bridge, my DHCP server is on the bridge, and I adjusted the firewall to allow traffic from LAN to WAN. After that, my clients got IPs, the default gateway is correct, and they can now access the internet.

Well, the Ax3 is a new entry (you talked of the Hex S only till now).

At this point you need to post also this Ax3 configuration and possibly a sketch of your network setup.

You have this "strange" DNS server:

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.241 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.241

Is that the Ax3?

The above is a question; strangely enough, I ask them to try to better understand your setup, and ultimately assist you in solving the problem.

These previous ones remain unanswered:

Do the clients receive correctly an IP address from the DHCP server in range 192.168.88.10-192.168.88.200?

Are you testing with a cabled (via ethernet) device or from Wifi? (in case test connectivity first through ethernet)

What does a traceroute/tracert to dns.google.com show from a client device?

That is my pihole address.

  1. I changed it to 8.8.8.8 and it worked
  2. I found the comms problem - ether1 on HexS was not in the bridge. I added it and all is gold

Good. :)