I’m new to PPPoE.
We have only one pool of IPv4 addresses with a /24 mask; for example I’ll use 10.10.10.0/24. We don’t want to divide it into smaller subnets.
We have a regular IPv4 routing for our users to reach internet, they’re getting IP addresses from DHCP.
Now we want to use PPPoE.
We can’t configure all the clients’ hardware fast. So we need DHCP and PPPoE to work at the same time and let them use the same pool for some time.
So we have some PPPoE client with an address 10.10.10.222 and we have another client who got his 10.10.10.220 address using DHCP. They can see the internet without problems, but they can’t see each other. PPPoE users can’t see the servers on 10.10.10.2 and 10.10.10.3 (servers are not PPPoE clients), but can see 10.10.10.1 (the IP address of the MikroTik).
I think that’s because PPPoE clients are on some “virtual interface”. So is there a possibility to bridge PPPoE users to the regular IPv4 users, so they can see the servers?
PPPoE interfaces will never be in “the same subnet”. PPPoE is a point-to-point tunnel that uses 2 IP addresses for “identification”, they don’t even have a netmask, or if they have you can think of their netmask as /32.
What you would have to do is to forward traffic from the PPPoE interface to your ethernet interfaces. You must have IP Forward enabled, and it will be done automatically, unless you mess it up with firewall rules.
If you have IP Forward enabled, you must go to your filter rules and see if forwarded traffic is not being dropped/rejected by any rule. Then you also must go to your mangle rules and make sure that internal connections are not being marked with any routing mark, because it would make the MikroTik unable to use the dynamic routes already set by those IP addresses you added for interfaces, or the dynamic routes created by PPPoE clients.
Hmm, maybe we need the help of some more experienced ROS user then.
It’s not the normal behavior not to let you forward traffic from one network to another. If IP Forward is enabled, traffic from any subnet will be forwarded to any subnet known to the MikroTik, and if the destination is not any known subnet, it will go through your default route gateway.
I can tell you that I use PPPoE and I also have PCs connected with Static IP addresses (like my own PC) and I can reach every subnet on the mikrotik, even those dynamic PPPoE interfaces.
Have you specified an IP address for Local Address, in the PPP Profile you use for your PPPoE server?
EDIT: Well, I don’t use an IP for the PPPoE server that could be in the subnet of an ethernet. Like, if your PPPoE client receives the IP 10.10.10.100 and you try to ping it, maybe ROS is trying to use the route 10.10.10.0/24 that was dynamically added to the route list when you specified that address on the ethernet interface. But I’m not sure.
Yes, our PPPoE and ethernet users have access to other local subnets (technical) and the internet.
I think a PPPoE user can see an ethernet user on the same subnet, but an ethernet user or server can’t see a PPPoE user.
Mainly because the PPPoE user has a different interface, and to reach it from the ethernet user or server, there must be a route here. But when the PPPoE user’s IP address is ‘inside’ the ethernet subnet, the ethernet user is trying to find it using an ARP broadcast, not even trying to query a router, so the ethernet user can’t reach the PPPoE user.
Am I right?
TLDR short answer:
The ethernet interface that’s part of the original subnet needs to have arp=proxy-arp set.
This will fix the problem for you.
Explanation why:
So if ether1 = 10.10.10.1/24 and PPPoE clients all appear with 10.10.10.210, 10.10.10.211, etc… To the client, EVERYTHING is through the PPPoE session, even other hosts on the same subnet. It’s essentially a /32 to the client.
The PPPoE server has a /32 route for each client - 10.10.10.210 → pppoe210, 10.10.10.211 → pppoe211, etc.
So this communication is all fine and dandy.
It’s the ethernet clients that have a problem. They’re expecting to send an ARP and have the other host reply.
So if 10.10.10.212 wants to talk to 10.10.10.211, It’s just going to send an ARP request for 211 to reply with its MAC address. Nobody on the segment has that IP, the router doesn’t (and shouldn’t) send this broadcast to the PPPoE client, so nobody ever answers the ARP, and 212 feels sad and lonely.
With proxy-arp, the router will notice there is an ARP request on ether1 from 10.10.10.212 wanting to know what MAC address to use when sending packets to 10.10.10.211 - since the router knows how to reach host 10.10.10.211, it will answer the ARP request with its own MAC address on behalf of host 211. After that, host 10.10.10.212 will send its packet to the router’s MAC address - the switch(es) in the middle will deliver the packet into the router’s hands. The router will then forward the packet to the PPPoE client at 10.10.10.211.
Of course host 211 never uses ARP at all - PPP only has “me and the other end” so there is no broadcast, etc. If it has a packet for 212, then its routing table says that host 212 lies on the other end of the PPP interface, so it forwards the packet across the link - to the router. The router, of course, knows that 10.10.10.0/24 is on ether1, so it will send out an ARP to learn host 212’s MAC address, and send the packet the rest of the way as normal.
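The fix described in the post above, written out as a RouterOS configuration; this is an added example, not something posted in the thread. The addresses are the thread’s (10.10.10.0/24, router at .1), while the interface, pool, profile and user names are assumptions.

```routeros
# Added example (not from the thread). ether1, pool1, pppoe-profile and
# client1 are assumed names; the addressing follows the thread.

# 1. Router address on the LAN side
/ip address add address=10.10.10.1/24 interface=ether1

# 2. One address pool shared by DHCP and PPPoE, so a PPPoE client (.222)
#    and a DHCP client (.220) land in the same /24 while hardware is migrated.
#    RouterOS tracks used addresses per pool, so one pool avoids duplicates.
/ip pool add name=pool1 ranges=10.10.10.10-10.10.10.254
/ip dhcp-server add name=dhcp1 interface=ether1 address-pool=pool1 disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1

# 3. PPPoE server: local-address is the router, remote addresses come from pool1
/ppp profile add name=pppoe-profile local-address=10.10.10.1 remote-address=pool1
/ppp secret add name=client1 password=CHANGE-ME service=pppoe profile=pppoe-profile
/interface pppoe-server server add service-name=isp interface=ether1 \
    default-profile=pppoe-profile disabled=no

# 4. The actual fix: let the router answer ARP on ether1 on behalf of the
#    /32 PPPoE hosts it has dynamic routes to.
/interface ethernet set ether1 arp=proxy-arp

# Checks: an active PPPoE client should show a dynamic /32 route via its
# pppoe interface, and an ethernet host should now resolve that IP to the
# router's MAC. Proxy-arp only answers ARP; the forward-chain filter rules
# still decide whether the proxied traffic is passed between the interfaces.
/ip route print where dst-address="10.10.10.222/32"
/ip firewall filter print where chain=forward
```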
And I was trying to understand BGP, OSPF, OGRP and other things (that I don’t really need at the moment) just to find something about how to set up something like this “proxy-ARP” functionality.
It was so easy and so close! I did even play with this option, but it didn’t help me for some reason - maybe other settings were wrong. Now it works!
I answered before reading the whole thread - I’ve done so much w/ proxy arp it jumped right off the page.
Then I noticed your last post where you were so close, and almost replied that you were almost there on your own.
Glad it fixed the problem for ya!
And finally I understand what the hell that proxy-arp does.
Till now I was facing it as some kind of devil’s-only configuration, not meant for humans to mess with its supernatural ability.
It has super-natural powers. I deployed it to conserve IP addresses with a network services provider where I was chief engineer. Each customer has a unique VLAN to deliver their connection. Using proxy arp, I could put the same /24 everywhere in our network, clients configure as 190.0.2.X/24 with .1 as gateway. But you would see this:
Of course there were real public IPs everywhere in the actual deployment.
And in this case, host 1 was in New Orleans, and host 2 was in Alabama.
This saved us from having to use a /30 for each customer. 4:1 compression on IP consumption.