I need help setting up a RouterBoard hex with a Draytek Vigor 130

Hi,

I’ve been trying to get my new RouterBoard hEX to work with a Draytek Vigor 130. So far, painful doesn’t even come close, perhaps more like torture.

All I want is a basic setup, which so far has totally not worked.

I’ve managed to get a PPPoE session running on the router board, as in I could see it fetched some IP addresses from the WAN interface and tried the simple quick start setup several times, zero internet connectivity. All I’m after is NAT with eth1 - the WAN - connecting to my Draytek Vigor with some basic firewall rules, in fact I’d settle for just NAT and it initially working.

So does anyone have a foolproof set of router board commands I can issue and what settings I need for my Draytek Vigor? I see conflicting internet advice, the only way I could get the PPPoE session to even start was to enable PPPoE client on my Draytek Vigor, which seemed odd because the router board was supposed to be doing PPPoE. There’s no clear setting on the Draytek Vigor 130 that says “dumb modem” mode.

So I’m pulling my hair out and will probably just return the router board seeing as I can’t figure it out - I’m desperate for a noob setup script and some Draytek advice or a better VDSL modem to buy that makes a bit more sense?

Thanks

AFAIK the newer versions of RouterOS have a Quickset which supports PPPoE as a WAN address acquisition mode.

It is generally a bad idea to go back to Quickset and make changes if Webfig/Winbox have been used to make any subsequent changes - it is best to reset to factory defaults, perform Quickset with a mode/settings closest to those you require, then use Webfig/Winbox to fine-tune the settings.

I’ve installed dozens of Mikrotiks with Vigor 120 and 130 modems and they work fine, the modems required no settings changes - the UK model has the correct settings for the most common ADSL2+/VDSL2 services.

I’ve not used Quickset, but done all the configuration through Winbox:
  1. Factory reset
  2. Connect with Winbox, accept the default configuration
  3. Add a PPPoE client on ether1 with appropriate credentials
  4. Add the PPPoE client interface to the WAN interface list (note 1)
  5. Change the DHCP client on ether1 - untick ‘Use peer DNS’ & ‘Use peer NTP’, set ‘Add Default Route’ to no (note 2)

Note 1: Unless the PPPoE client is added to the WAN interface list no NAT is applied and the firewall will block traffic.
Note 2: The modem has a DHCP server, however this is purely for modem management access, not internet connectivity so the default route via this must be removed.

Yes I used Quickset many times, and several times cleared all the settings out, even kept all the LAN IP addresses default on the 192.168.88.x subnet.

I was assuming Quickset would do every thing for me seeing as there was a PPPoE option on Quickset.

Thanks for the tip on adding the pppoe client to the WAN interfaces, I’ll check that, I’ll have 1 last bash at it tonight and if I can’t get any where I think I’ll give up and just return them to Amazon i.e. too time consuming, I’ll just stick to all in one router / modems. The reason I’m interested in a separate router / modem setup is low buffer bloat / low latency.

I get the feeling it’s how the Draytek Vigor is set up, seeing as I also couldn’t get a Draytek router to work with the Vigor 130, this is an ADSL router / modem but with a 2nd WAN port. Even after about an hour of getting the Draytek router to show WAN2 as connected this also didn’t want to route any traffic via the Vigor, as with the Mikrotik went through every setting about 10 times.

According to the Draytek website to get the Vigor 130 in modem / bridge mode I need to enable ‘MPoA static or dynamic’ but I’m fairly sure when I did that I couldn’t establish a PPPoE session.

I’ve used Vigor 130 modems with their non-VDSL routers too, so it sounds more like a modem issue if it is not working with either a Mikrotik or Draytek Router.

I’ve never had to change any modem settings to get PPPoE passthrough to work. Also, which ISP as not all use PPPoE?

Yes the ISP is PPPoE, it’s not an ISP issue, I’ve got 3 other all in one router modems configured and working perfectly with the ISP, including a Draytek 2760, the Draytek is the best performer in terms of latency which is why I had high hopes for this setup in terms of latency. Possibly not in terms of faster packet delivery more in terms of consistent packet delivery across all different sized packets and perhaps less chance of other delays by all of your traditional router software bloat.

Yes at the moment it feels like the Vigor 130 might be at fault, although there aren’t many options on it, I did notice there’s different firmware for it, one build is labelled as ‘BT’ so first port of call later is to make sure I’ve got the latest ‘BT’ version of firmware. Plus I’m going to focus on the documented mode of how I should be using it i.e. MPoA, perhaps also a factory reset and see what mode it starts off in - I assume this must be the mode that’s being used when you say I just plug it in and it works.

I am using the Draytek 130 with a MikroTik router and it works without issue.
First configure the 130 according to your ISP’s requirements so you can verify it connects and you can use the internet connection from a PC.
Then set it to PPPoE passthrough, connect the MikroTik and configure it for PPPoE.
You can additionally setup a DHCP client on the ether1 port to be able to monitor the Draytek while the PPPoE is up.
Make sure the LAN address range on the Draytek is not 192.168.88.x (the default is OK)

Yes this should work and it should be simple, what you describe is what I expected the experience to be but obviously not what I encountered.

Ok so I have applied the ‘recommended’ ‘BT’ firmware to the Vigor 130, I used the rst file so all settings would be erased so I can see the default settings.

The default appears to be ‘PPPoE / PPPoA Client Mode’, the mode I was going to use was ‘MPoA / Static or dynamic IP’ - this is set to disabled, according to Draytek this is how you set the Vigor 130 to bridged mode which I’m taking as a dumb modem mode i.e. a packet on the Vigor 130 Ethernet doesn’t get touched, it’s just put on the DSL. The ‘MPoA / Static or dynamic IP’ mode has an ‘Enable Bridge Mode’ check box which is greyed out and ticked but kind of confirms that’s what the mode is.

So seeing as I believe I established a PPPoE session in ‘PPPoE / PPPoA Client Mode’ but no internet connection but appears to be the default mode that would be used for people claiming I just plugged it in and it worked I guess that should be the mode to use. Even though as I’ve said the client to my mind is the Router board not the Vigor 130.

The changes from the default I’m going to make are ‘DSL mode’ from Auto to VDSL2 only - it’s a FTTC connection, on the ‘PPPoE / PPPoA Client Mode’ page there’s Protocol option set to PPPoA, I’m changing that to PPPoE.

Also the default is a VLAN tag insertion under service, tag 101, that’s how my Draytek 2760 is setup which works perfectly, although it has no ‘Customer’ and ‘Service’ columns for the tag insertion, I think I did read up on this and Service sounded correct, it’s the default so again I’m going with it.

It’s not plugged into my phone line yet but the WAN status has a connection column and it’s shown as PPPoE, still doesn’t make sense but I’m going to go with it. I have to assume it’s a ‘mode’ and the PPPoE is the connection it’s expecting.

Router board time now, my modem 'should' work

Winbox->System->Reset Configuration -> keep nothing, all setup will be default IP, as safe as possible.

MikroTik RB reboots, I hear the beep, making sense so far, happy days.

On reboot a default setup has been applied, retried ticking 'no default' config.

New terminal and /export

```
/export
# jan/02/1970 00:01:40 by RouterOS 6.42.12
# software id = SFQD-HJ6K
#
# model = RB750Gr3
# serial number = XXXXXXX
```

It's definitely got no config.

Quick set-> PPPoE radio button.

PPPoE username and password set, 100% sure these are correct, service name blank.

Local Network is 0.0.0.0, setting this to default of 192.168.88.1, subnet to 255.255.255.0 / 24

Ticked 'Bridge all LAN ports' although I don't need this as I have a 8 port switch, I only need 1 LAN port but I think this might be safer.
NAT ticked, I need NAT, VPN not ticked obviously. That's it, nothing else to set, clicked apply.

/export the setup, kind of makes sense, WAN eth1, any other port for local LAN, they are bridged, this should work, right ?

PC will be set to 192.168.88.100, subnet of 255.255.255.0, Gateway of 192.168.88.1, DNS of 8.8.8.8

```
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=******* use-peer-dns=yes user=********
/interface list
add name=WAN
add name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
[admin@MikroTik] >
```

Looking at the interface list I see 1 line with ‘LAN’ and ‘bridge1’ under the interface column and a 2nd line of ‘WAN’ and ‘pppoe-out1’ in the interface column, that kind of makes sense i.e. WAN interface is pppoe-out1.

No firewall rules, I can add these later if I manage to see a working connection, again this is safer, obviously there’s a NAT rule, this seems correct as per the numerous YouTube videos I’ve watched and articles read.

So I think I’m good to go, this better work :)

You already have two, potentially fatal, problems:

  1. router is running very old, vulnerable ROS version
  2. router is running no firewall whatsoever, making it open for any attacker … and is bound to be hacked within minutes after it connects to internet

I’m not very familiar with different quick-set modes so I can’t suggest which one would be best starting point for you, but I definitely recommend you to start with one of those configurations and not from empty state. I’d suggest you to upgrade to some recent version (i.e. long-term, at the moment that’s 6.45.8), then reset config to factory default (selecting e.g. HomeAP mode or whatever it might be called) and then make any needed alterations to config but try to keep them to minimum (until you get acquainted with ROS).
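The problems raised in this thread (old RouterOS, no firewall filter rules, a PPPoE client missing from the WAN list, a default route via the modem's DHCP server) can all be read off an `/export`. The following is an added example, not code from any poster or from MikroTik; the function names and finding codes are hypothetical, and the minimum version is the 6.46.2 recommended later in the thread.

```python
import re

# Abridged copy of the export posted in this thread (credentials already masked).
SAMPLE_EXPORT = r"""# jan/02/1970 00:01:40 by RouterOS 6.42.12
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=******* use-peer-dns=yes user=********
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse_export(text):
    """Return (version tuple, {section: [{key: value}, ...]}) for an /export."""
    m = re.search(r"by RouterOS (\d+(?:\.\d+)*)", text)
    version = tuple(int(p) for p in m.group(1).split(".")) if m else ()
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            current.append(dict(t.split("=", 1) for t in line.split() if "=" in t))
    return version, sections

def audit(text, min_version=(6, 46, 2)):
    """Return a sorted list of finding codes for a RouterOS 6.x export."""
    version, s = parse_export(text)
    findings = []
    if version and version < min_version:
        findings.append("old-routeros")
    if not s.get("/ip firewall filter"):
        findings.append("no-firewall-filter")
    wan = {m.get("interface") for m in s.get("/interface list member", [])
           if m.get("list") == "WAN"}
    for ppp in s.get("/interface pppoe-client", []):
        # Note 1: NAT and firewall rules key off the WAN interface list.
        if ppp.get("name") not in wan:
            findings.append("pppoe-not-in-wan-list")
        # Note 2: add-default-route defaults to yes and is omitted from exports.
        for dhcp in s.get("/ip dhcp-client", []):
            if (dhcp.get("interface") == ppp.get("interface")
                    and dhcp.get("add-default-route") != "no"):
                findings.append("modem-dhcp-default-route")
    return sorted(findings)
```

Calling `audit(SAMPLE_EXPORT)` on the export above reports the old version, the missing filter rules and the modem-side default route; the PPPoE client is already in the WAN list, so that check stays quiet.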

Managed to get everything working, phew, got there in the end, although there’s one thing that’s bothering me, when I connected the router to the correctly setup Vigor 130 with no firewall rules, which I know is risky but I was desperate to prove I could get an internet connection. What happened within about 1 minute or so of connecting the WAN port is that the router board rebooted, the router board was already up, so it shouldn’t have rebooted.

Anyhow it now has version 6.46 firmware but I only downloaded 6.45, I know the router board has some sort of built-in firmware updater. So do you think it has been compromised and someone has uploaded 6.46 with hacks, or is this normal behaviour i.e. to auto update the firmware and reboot?

The risk of a hacked router when using old firmware and no firewall or the default firewall of old firmware is quite real!
In any case, go back to system->packages, select the “stable” channel and download & install 6.46.2
Then, reset the router to defaults. Make the PPPoE connection again, using the Quick Setup wizard.
It is important that the reset to defaults is being done by a recent firmware version, not by the old one you had before. The new one has a more reliable firewall.
DO NOT follow Youtube videos that tell you how to do this, many of them are made by clueless people who bought their router the day before and think they can help others by explaining what they did.
DO NOT open admin access (telnet, ssh, winbox, webfig) from internet! Only manage it from your LAN. That is the default setting after reset to defaults.

When you are worried that the router may have been hacked at low level and is not fully controlled by you, download the “netinstall” program and the package for 6.46.2 and do a full format and netinstall.

Thanks, that’s good advice, indeed I’d never expose router management to the internet, I think though I may have issued some terminal commands in an attempt to update the firmware that may have caused the auto update, I can’t remember what the commands were /system ‘something’. Initially I was uploading the wrong firmware - firmware for the wrong hardware, hence the attempt on the terminal to get the firmware to update.

It does seem apparent that you really need to know what you’re doing with the RouterOS otherwise you could easily end up opening ports or creating a route that exposes something i.e. creates a security risk. I wonder if an Edgerouter may be better - easier management, even though I’ve got everything working I’m still wondering if I should return the router board.

This sounds worrying

https://borncity.com/win/2019/11/05/mikrotik-router-update-fr-schwachstelle/

This is exactly the reason to keep firmware on any internet-exposed device current. And one of greatest things about Mikrotik is that ROS updates/upgrades are available for really old devices, long time after they are not sold any more (unlike some other vendors who stop developing firmware updates as soon as they officially stop selling some device model).

I do like the fasttrack that’s added to the firewall and the concept, I’ll do some more testing later but for a quick gaming session last night I could feel the difference, so on that basis it’s been worthwhile. It has added 1 to 2 ms to my base ping although this may be because I’ve not added the DSCP QoS tagging yet, that may bring my ping down, certainly does when I apply this to my Draytek router.

While in general it is true that MikroTik routers are more geared towards people who know what they are doing, this does not mean they are much less secure than other types.
When you open ports, it is a risk with any router.

Yes agreed but I think what I see here is a little knowledge can be dangerous, as in just getting a rule wrong because I or whoever thinks it should work or thinks they know what they’re doing.

I got to the bottom of my 2ms jump, one of my LAN connections wasn’t running at 1Gb, I didn’t bother checking what it negotiated at I just moved the RB to in effect shorten the Ethernet cable run then fixed both sides of the RB connections to 1Gb and no negotiation. I did mess around with DSCP / QoS but the rules seemed to increase latency so I’m keeping my RB mean and lean. At the moment I’m well happy with it and the thoughts of returning it have gone.

Thanks all for your help, I think just slowing down and approaching it carefully was the general solution and of course with all your input and reassurance that it should work.