How to access AP on PPPoE port

Good day

I have a Mikrotik Powerbox Pro connected to a few sectors. I have set up the Powerbox as a PPPoE server for my clients to authenticate and connect to the internet. On ether 2 to ether 5 I have sectors connected and configured the ports as PPPoE ports. How can I set up the Powerbox in order to access the web interface on the sectors?

I have a backhaul feeding the Powerbox. What I would like to achieve is to access the sectors over the backhaul for maintenance / monitoring purposes.

Going into detail, here is my setup: I have a RB3011 on my side which has IP 192.168.88.1. There is a backhaul connected to the RB3011 with the AP with IP 172.20.100.10 on my side and the station IP 172.20.100.11. I have set up a NAT rule with masquerade on the RB3011 so I can access the 172.20.100.0/24 range from the 192.168.88.0/24 range. The Powerbox has IP 172.20.100.14. I can access the backhaul and the Powerbox. The sectors have IPs 172.20.100.15, 172.20.100.16, 172.20.100.17 and 172.20.100.18 and are connected to the Powerbox, but the ports are set as PPPoE ports. The sectors' LAN and WLAN ports are set up in bridge mode. When the client connects from their CPE device, the PPPoE server uses an IP pool depending on the package they signed up for (20MB, 30MB, 40MB, etc.). The pools for these packages are as follows: 20MB - 192.168.20.10 - 192.168.20.250, 30MB - 192.168.30.10 - 192.168.30.250 and 40MB - 192.168.40.10 - 192.168.40.250. These PPPoE accounts have profiles assigned to them as well to set the rate limit for the package they signed up for.

I hope the information makes sense and I will appreciate any help as I have been searching the forums and did a Google search too with no luck.

Thanks in advance.

Here is my current configuration on the PowerBox:

# jan/05/1970 15:59:22 by RouterOS 6.45.9
# software id = 9X4D-UD5Q
#
# model = RB960PGS-PB
# serial number = D5320D968DEE
/interface bridge
add name="PPPoE Bridge"
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=ether2 ] name="ether2 - Sector1"
set [ find default-name=ether3 ] name="ether3 - Sector2"
set [ find default-name=ether4 ] name="ether4 - Sector3"
set [ find default-name=ether5 ] name="ether5 - Backhaul to Karen"
/interface list
add comment="WAN To Backhaul" name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="************************** IP lease pool for 40MB clients " \
    name="Botha's Hill 40MB Pool" ranges=192.168.40.10-192.168.40.250
/interface bridge port
add bridge=bridge interface="ether1 - WAN"
add bridge="PPPoE Bridge" interface="ether2 - Sector1"
add bridge="PPPoE Bridge" interface="ether3 - Sector2"
add bridge=bridge interface="ether4 - Sector3"
add bridge=bridge interface="ether5 - Backhaul to Karen"
/interface list member
add interface="ether1 - WAN" list=WAN
add interface="PPPoE Bridge" list=LAN
/interface pppoe-server server
add authentication=pap disabled=no interface="PPPoE Bridge" \
    keepalive-timeout=disabled one-session-per-host=yes \
    service-name="PPPoE Service"
/ip address
add address=172.20.100.14 interface="ether1 - WAN" network=172.20.100.1
add address=192.168.40.1/24 comment=" Default gateway for 40MB clients " \
    interface="PPPoE Bridge" network=192.168.40.0
/ip firewall nat
add action=masquerade chain=srcnat comment=" Masquerade WAN " \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=" Masquerade 40MB clients " \
    src-address=192.168.40.0/24
/ip route
add distance=1 gateway="ether1 - WAN"
/ppp profile
add comment=" 40MB Profile for 40MB clients **************************" \
    dns-server=192.168.40.1,8.8.8.8 local-address=192.168.40.1 name=40MB \
    only-one=yes parent-queue=none queue-type=default-small \
    rate-limit=45M/45M remote-address="Botha's Hill 40MB Pool"
/ppp secret
add name=xxxx@xxxx password=xxxx@xxxx profile=40MB service=pppoe
/system identity
set name="xxxxx"
/system ntp client
set enabled=yes primary-ntp=196.10.55.57 secondary-ntp=196.10.52.58

There is nothing wrong about attaching an IP configuration to the same interface at which a PPPoE server is listening.

The thing is that you have to make sure that bare IP packets from customers’ devices (i.e. those not encapsulated inside the PPPoE ones) will not be let in to the Powerbox and the radios, or forwarded further to the network. This can be ensured e.g. using bridge filter rules on the radios, allowing only pppoe and pppoe-discovery frames to pass from the wireless interface to the Ethernet one. Or you can use a VLAN for the management and permit that VLAN only on the Ethernet port of the radios, not on the wireless port.
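
The bridge filter approach described in the reply above, as an added example that is not part of the original thread. It assumes the sector radios run RouterOS and bridge a wireless port named wlan1 with an Ethernet port named ether1; both names are placeholders for whatever the radios actually use.

```routeros
# Added example, applied on each sector radio (not on the Powerbox).
# Assumption: wlan1 is the customer-facing wireless port and ether1 is the
# uplink to the Powerbox; both are ports of the radio's bridge.
/interface bridge filter

# Let PPPoE discovery (PADI/PADO/PADR/PADS/PADT) cross from wireless to Ethernet.
add chain=forward in-interface=wlan1 mac-protocol=pppoe-discovery \
    action=accept comment="customers: PPPoE discovery only"

# Let established PPPoE sessions cross from wireless to Ethernet.
add chain=forward in-interface=wlan1 mac-protocol=pppoe \
    action=accept comment="customers: PPPoE session only"

# Drop everything else arriving from the wireless side (bare IPv4, ARP, IPv6,
# and so on), so customer devices cannot reach the management subnet at layer 2.
add chain=forward in-interface=wlan1 action=drop \
    comment="customers: no bare IP towards the Powerbox"

# Drop frames from the wireless side addressed to the radio itself, so its
# web interface and other services answer only on the Ethernet side.
add chain=input in-interface=wlan1 action=drop \
    comment="customers: no access to the radio management"
```

Rule order matters: the two accept rules must sit above the forward drop. Management traffic from the Powerbox enters on ether1 and is not matched by any of these rules.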