How to tunnel PPPoE over L2TP (cont'd)

Hi guys,

I’m completely new to this Mikrotik stuff. I purchased a RouterBOARD 1000 with RouterOS on it as well as a current Level-6 license to see if it can do what I want it to do. The RouterBOARD runs Version 3.10 of RouterOS and the Level-6 License is the latest Version 3.16. In the first step, I want to set up the following:

+--------------+                         +-------+              +-------+                         +--------------+
|   Customer/  | <--- Ethernet Link ---> | L2TP/ | <==========> | L2TP/ | <--- Ethernet Link ---> | PPPoE Server |
| PPPoE Client |                         | LAC   |              | LNS   |                         +--------------+
+--------------+                         +-------+              +-------+

The customers have an ethernet connection to the LAC, which in turn has a connection to the internet and a public IP address. The LNS resides in a data center and also has a public IP, so they can reach each other using standard IP communication. Similar setups were already discussed in http://forum.mikrotik.com/t/pppoe-over-l2tp/16123/1 and http://forum.mikrotik.com/t/bcp-in-3-0beta10-sample-config/14516/1, but without providing a solution or configuration example. Now, I’ll try to do it here…

After getting the above working, the second step would be to aggregate two or more ISP links (between LAC and LNS) for the L2TP tunnel to get a cheap broadband link. At the moment the LAC is the RouterBOARD 1000 and the LNS is a dedicated server running RouterOS.

The third and last step will be to add traffic prioritization to make this setup capable of handling VoIP regardless of bandwidth consumption. But that’s another story, I think. :laughing:

Currently my setup on the LNS looks like this:

/ip address add interface=ether1 address=192.168.0.210 netmask=255.255.255.0
/interface bridge add name=lns_bridge0
/interface bridge port add bridge=lns_bridge0 interface=ether2
/ppp profile add name=noipaddr bridge=lns_bridge0
/ppp secret add name=lac_user1 password=secret profile=noipaddr service=l2tp
/interface l2tp-server server set enabled=yes
/interface l2tp-server add user=lac_user1

And on the LAC:

/ip address add interface=ether1 address=192.168.0.211 netmask=255.255.255.0
/interface bridge add name=lac_bridge0
/interface bridge port add bridge=lac_bridge0 interface=ether2
/ppp profile add name=noipaddr bridge=lac_bridge0
/interface l2tp-client add connect-to=192.168.0.210 user=lac_user1 password=secret profile=noipaddr disabled=no

The LAC has the IP address 192.168.0.211 and the LNS gets the IP address 192.168.0.210; later these IP addresses could be the one assigned by the local ISP where the LAC resides and the public IP of the LNS in the data center.
The connection seems to work; on the LAC:

/interface l2tp-client monitor l2tp-out1
     status: "connected"
     uptime: 3m7s
  idle-time: 38s
        mtu: 1460
        mru: 1460

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON
 0  I ether2                 lac_bridge0         0x80     10         none
 1  D (unknown)              lac_bridge0         0x80     10         none

And on the LNS:

/interface l2tp-server print
Flags: X - disabled, D - dynamic, R - running
 #     NAME      USER         MTU        CLIENT-ADDRESS     UPTIME    ENCODING
 0   R l2tp-in1  lac_user1    1460       192.168.0.211      5m12s

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE              BRIDGE               PRIORITY PATH-COST  HORIZON
 0    ether2                 lns_bridge0          0x80     10         none
 1  D (unknown)              lns_bridge0          0x80     10         none

Looks like I’m halfway done with the first step. Just wondering about the “(unknown)” ports on the Ethernet bridges… does somebody have an explanation?

Anyway, now I’ll configure a PPPoE server listening on the bridge interface (lns_bridge0) with a sample user on the LNS:

/ip pool add name=pppoe ranges=10.0.0.10-10.0.0.20
/ppp profile set default local-address=10.0.0.1 remote-address=pppoe
/ppp secret add name=customer1 password=customer1 service=pppoe
/interface pppoe-server server add interface=lns_bridge0 default-profile=default disabled=no

Now the PPPoE server is up and running… Connecting a Windows XP laptop to the ether2 interface of the LNS and trying to connect with the built-in PPPoE client succeeds:

/interface pppoe-server print
Flags: X - disabled, D - dynamic, R - running
 #     NAME   USER   SERVICE   REMOTE-ADDRESS   ENCODING   UPTIME
 0  DR <pp... cus...           00:C0:9F:96:3...            5s

But if I connect the same laptop to the ether2 interface of the LAC, which should tunnel the PPPoE stuff over the L2TP tunnel to the LAC, which in turn should finally terminate the PPPoE sessions, it fails.

Am I missing something? I think this setup should work like this, shouldn’t it?
Help to get this ready would really be appreciated!


Bye, Robert.

Has anyone got this working?

Make the L2TP tunnels have an MRRU > 1540. You cannot bridge a VPN that is < 1500 bytes. An MRRU of 1514 didn’t seem to work reliably, so we chose 1600.

Sam
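To make the MRRU point above concrete, here is an added Python calculation; it is not from the thread and not MikroTik's code. It works out how many bytes of PPP payload a bridged Ethernet frame occupies once BCP wraps it, and whether a given link MRU or multilink MRRU can carry a full-size frame. The header sizes are assumptions taken from the standard encapsulations (a two-byte RFC 3518 bridged-LAN header without LAN ID, a two-byte multilink short-sequence fragment header); RouterOS's exact framing may differ by a byte or two, so treat the numbers as an illustration of why a tunnel MRU of 1460 cannot bridge full-size frames and an MRRU only slightly above 1514 leaves no headroom.

```python
import math

# Header sizes are assumptions based on the standard encapsulations (not from the thread).
ETH_HEADER = 14          # destination MAC + source MAC + type/length
ETH_MAX_PAYLOAD = 1500   # largest payload of a standard Ethernet frame
BCP_HEADER = 2           # RFC 3518 bridged-LAN header: flags/pad byte + MAC-type byte, no LAN ID
MP_SHORT_HEADER = 2      # multilink PPP fragment header with 12-bit sequence numbers
MP_LONG_HEADER = 4       # multilink PPP fragment header with 24-bit sequence numbers


def bridged_ppp_payload(eth_payload: int = ETH_MAX_PAYLOAD) -> int:
    """Size of the PPP information field carrying one bridged Ethernet frame over BCP."""
    return ETH_HEADER + eth_payload + BCP_HEADER


def fits_unfragmented(mru: int, eth_payload: int = ETH_MAX_PAYLOAD) -> bool:
    """True if the bridged frame fits in a single PPP frame of the given MRU (no multilink)."""
    return bridged_ppp_payload(eth_payload) <= mru


def mp_fragments(mrru: int, link_mru: int, eth_payload: int = ETH_MAX_PAYLOAD,
                 long_seq: bool = False):
    """Number of multilink PPP fragments needed to carry one bridged frame.

    Returns None when the reassembled frame would exceed the negotiated MRRU,
    i.e. the receiving side could not reassemble it at all.
    """
    payload = bridged_ppp_payload(eth_payload)
    if payload > mrru:
        return None
    header = MP_LONG_HEADER if long_seq else MP_SHORT_HEADER
    per_fragment = link_mru - header
    if per_fragment <= 0:
        return None
    return math.ceil(payload / per_fragment)


def check_tunnel(mrru: int, link_mru: int) -> dict:
    """Summarise whether a full-size bridged Ethernet frame can cross a PPP/L2TP tunnel."""
    frags = mp_fragments(mrru, link_mru)
    return {
        "bridged_ppp_payload": bridged_ppp_payload(),
        "fits_in_one_frame": fits_unfragmented(link_mru),
        "mp_fragments": frags,
        "bridgeable": frags is not None,
    }


if __name__ == "__main__":
    # The tunnel shown in the thread negotiated MTU/MRU 1460; compare candidate MRRU values.
    for mrru in (1460, 1514, 1600):
        print(mrru, check_tunnel(mrru, link_mru=1460))
```

With these assumptions a full-size frame needs 1516 bytes of PPP payload, so without multilink it can never fit a 1460-byte MRU, an MRRU of 1514 only passes frames smaller than the maximum, and an MRRU of 1600 carries it as two fragments over the 1460-byte link.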

I tried the configuration above on a MikroTik functioning as LAC. The LNS is a Cisco router with this config:

vpdn-group lac-lns
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

The LAC does connect to the LNS, but the connection is immediately dropped. I expected the session only to be built up from the moment an incoming PPPoE session was seen on the routerboard.
LNS log:

Aug 30 10:19:20.060 GMT: L2TP: I SCCRQ from LAC tnl 802
Aug 30 10:19:20.060 GMT:  Tnl 3837 L2TP: Tunnel Authorization started for host LAC
Aug 30 10:19:20.060 GMT:  Tnl 3837 L2TP: New tunnel created for remote LAC, address 172.25.14.4
Aug 30 10:19:20.060 GMT:  Tnl 3837 L2TP: O SCCRP  to LAC tnlid 802
Aug 30 10:19:20.064 GMT:  Tnl 3837 L2TP: Control channel retransmit delay set to 1 seconds
Aug 30 10:19:20.064 GMT:  Tnl 3837 L2TP: Tunnel state change from idle to wait-ctl-reply
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Update ns/nr, peer ns/nr 1/1, our ns/nr 1/1
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Peer acknowledging through 1
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Process ctrl pkt peer ns/nr 1/1, our ns/nr 1/2, tunnel->peer_nr 1
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Clean resendQ, peer_nr 1, last_rx_nr 0
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Cleaned ns 0 from resendQ
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Currently 0 messages on the resend queue
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Sending ZLB ACK ns/nr 1/2
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: I StopCCN from LAC tnl 802
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Shutdown tunnel
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Tunnel state change from shutting-down to idle

I assume the tunnel goes down since there is no active PPPoE session at this point (which should trigger the L2TP session). So incoming PPPoE traffic is the next step.

Looking at rborz’s configuration: how is the PPPoE traffic picked up from interface ether1?

If anyone got a routerboard working as a LAC in combination with a Cisco LNS, please post! I’m aware that tunnel selection is not supported (yet).
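The debug excerpt in the post above shows the LAC answering the LNS's SCCRP with a StopCCN instead of the SCCCN that would complete the control-connection handshake, so no session (ICRQ) is ever attempted. As an added example that is not part of the post and not code from either vendor, here is a small Python parser for Cisco-style L2TP debug output that extracts the control-message sequence and tunnel state transitions and classifies what the trace shows. Message names follow RFC 2661; the sample input is the log quoted above, trimmed to the lines the parser needs; the "established" state name used as a fallback check is an assumption about the debug vocabulary.

```python
import re
from dataclasses import dataclass, field

# Sample input: the LNS debug lines quoted in the post above, trimmed to the relevant ones.
SAMPLE_LOG = """\
Aug 30 10:19:20.060 GMT: L2TP: I SCCRQ from LAC tnl 802
Aug 30 10:19:20.060 GMT:  Tnl 3837 L2TP: New tunnel created for remote LAC, address 172.25.14.4
Aug 30 10:19:20.060 GMT:  Tnl 3837 L2TP: O SCCRP  to LAC tnlid 802
Aug 30 10:19:20.064 GMT:  Tnl 3837 L2TP: Tunnel state change from idle to wait-ctl-reply
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: Sending ZLB ACK ns/nr 1/2
Aug 30 10:19:20.100 GMT:  Tnl 3837 L2TP: I StopCCN from LAC tnl 802
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Shutdown tunnel
Aug 30 10:19:20.104 GMT:  Tnl 3837 L2TP: Tunnel state change from shutting-down to idle
"""

# RFC 2661 control message names; "I" = received from the peer, "O" = sent by this LNS.
CONTROL_MSG = re.compile(r"L2TP: ([IO]) (SCCRQ|SCCRP|SCCCN|StopCCN|Hello|ICRQ|ICRP|ICCN|CDN)\b")
STATE_CHANGE = re.compile(r"Tunnel state change from (\S+) to (\S+)")
PEER_ADDR = re.compile(r"New tunnel created for remote (\S+), address (\S+)")


@dataclass
class TunnelTrace:
    messages: list = field(default_factory=list)   # (direction, message type) in log order
    states: list = field(default_factory=list)     # tunnel states visited, in order
    peer_name: str = ""
    peer_address: str = ""

    @property
    def tunnel_established(self) -> bool:
        # The control connection is up only once SCCCN completes the three-way handshake;
        # an "established" state name is an assumed fallback for debug vocabularies that log it.
        return any(m == "SCCCN" for _, m in self.messages) or "established" in self.states

    @property
    def session_attempted(self) -> bool:
        return any(m in ("ICRQ", "ICRP", "ICCN") for _, m in self.messages)

    @property
    def torn_down_by(self):
        """'peer' if the remote side sent StopCCN, 'local' if we did, None if no StopCCN seen."""
        for direction, msg in self.messages:
            if msg == "StopCCN":
                return "peer" if direction == "I" else "local"
        return None


def parse_l2tp_debug(text: str) -> TunnelTrace:
    """Extract control messages, state transitions and peer identity from debug output."""
    trace = TunnelTrace()
    for line in text.splitlines():
        if m := CONTROL_MSG.search(line):
            trace.messages.append((m.group(1), m.group(2)))
        if m := STATE_CHANGE.search(line):
            if not trace.states:
                trace.states.append(m.group(1))   # record the initial state once
            trace.states.append(m.group(2))
        if m := PEER_ADDR.search(line):
            trace.peer_name, trace.peer_address = m.group(1), m.group(2)
    return trace


def diagnose(trace: TunnelTrace) -> str:
    """Classify the trace into a short verdict tag."""
    if trace.tunnel_established and trace.session_attempted:
        return "session-attempted"
    if trace.tunnel_established:
        return "tunnel-up-no-session"
    if trace.torn_down_by == "peer":
        return "peer-stopccn-during-handshake"
    if trace.torn_down_by == "local":
        return "local-stopccn-during-handshake"
    return "handshake-incomplete"


if __name__ == "__main__":
    t = parse_l2tp_debug(SAMPLE_LOG)
    print("messages:", t.messages)
    print("states:", " -> ".join(t.states))
    print("peer:", t.peer_name, t.peer_address, "verdict:", diagnose(t))
```

Run against the quoted log, the parser reports the sequence SCCRQ (in), SCCRP (out), StopCCN (in), the state path idle, wait-ctl-reply, shutting-down, idle, and the verdict that the peer closed the control connection during the handshake, which matches the poster's reading that the LAC dropped the tunnel before any PPPoE-triggered session could be requested.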

AFAIK MT doesn’t support LAC and LNS features, and tbh I don’t see any reason for it.

Each MikroTik device can be a perfect small PPPoE server close to customers, and all these small PPPoE servers can be managed by a single RADIUS server.

This way the functionality stays the same, and the whole network doesn’t rely on one server. Devices can remain small and cheap. Clients’ uploads are limited at the edge of your network, not allowing them to get to the main router and only then be dropped.

If you use the Mikrotik-Address-List attribute in RADIUS, the dynamic address list is created in each router and there is no simple way to centralize all of those address lists in one place. It is just one example to say that in some situations we should use one PPPoE server.