Mikrotik PPPOE SERVER WAN Addresses

RouterOS General
1

Hi,

I have multiple customers in one building.
Now all customers use their own adsl line.
We have recently been able to get a fiber connection there.
On this fiber we connect with PPPOE and we get 8 IPs
I want to distribute the IP’s to the customers via PPPOE

When i set this this up with WAN IP’s i’am not able to get internet access.
When i set LAN ip’s in the pppoe pool it works fine but than everybody is using the same WAN IP

Does anyone know how to set this up?

Thanks,

Matthijs

2

I think CGNAT would be the way to go, or try setting up manually different IP ranges and srcnat them with each one of your public IP’s.

3

I wouldn’t bother trying to distribute PPPoE to the customers, although I’m not sure exactly what you mean there.

I would just do the following -


  • Assign all the addresses to the Mikrotik. (you can just use as /32 netmask for all but the first address)


  • Have a separate lan port for each customer (not a member of any bridge)


  • For each customer interface, assign a lan address to it and set up a dhcp server (if needed). The customer can use that address as their gateway


  • Set up src-nat rules to match traffic from the customer lan range going out the wan port, and src-nat it to one of the public addresses

You may also need an input allow rule for udp/53 if you want the customers to use router as dns.

4

If you want to give each customer their own public IP on the PPPoE link, the best would be to have a separate subnet for connection to the ISP; in that case, the ISP would use your end of the subnet as a gateway to the /29 subnet with those 8 addresses, and you could give all 8 of them to the customers. If the ISP gives you a /29 public subnet as the only one, you can only give to customers 4 IPs from that subnet, as .0 is the network address, .7 is the broadcast address, and you need one address for your Mikrotik and another one for the ISP side gateway. The separate connection subnet need not be a public one and if it is, it may be completely unrelated to the /29 one.

5

of my isp I get a / 24 subnet with 8 useful addresses

As an example I get the following.

40.40.40.1 Router of the ISP

40.40.40.11 IP for the mikrotik
40.40.40.12 Customer 1
40.40.40.13 Customer 2
40.40.40.14 Customer 3
40.40.40.15 Customer 4
40.40.40.16 Customer 5
40.40.40.17 Customer 6
40.40.40.18 Customer 7

The other addresses in the /24 are not mine.
they are not going to change anything on the side of the ISP
My original idea was to create a DHCP pool with the IP’s 40.40.40.12 - 40.40.40.18.
Then add the 40.40.40.11 as router in the PPPOE Profile.
This works fine with internal IP’s but sadly not with the WAN IP’s

the customers also use routed voip on another vlan this vlan is going on the ISP network to our datacenter
The only thing the Mikrotik has to do for this to work is have the the vlan on de Bridge-local. I have tested this and it works fine.

The PPPOE server runs in my case on VLAN 6 so it wont interrupt the VOIP running on vlan 1515

Connecting the customers directly on the mikrotik without there own router is not going to work because of the voip connection.

6

In this case do NOT put the customers’ addresses up on the Mikrotik itself, but switch on the arp=proxy-arp functionality on the WAN interface. This way, the Mikrotik will start responding to arp requests for IP addresses in its connected subnets, so when a customer’s PPPoE link will be up with one of those addresses, the ISP’s router will get an ARP response from your WAN and send the real packet to you, and you’ll forward it to the customer.

7

The project was delayed for a while and yesterday I finally was able to proceed.
So the customer router behind the PPPOE is now able to gain internet access.
From another location I`am able to ping the router on IP 40.40.40.12
if I connect my laptop to the customers router and check what my external IP is on https://www.watismijnip.nl/ is see 40.40.40.11 instead of 40.40.40.12

I think it’s a small thing but I can’t find it

8

It must be something in your /ip firewall nat. Show us the output of /ip firewall nat export, or better an export of the complete configuration, see my automatic signature on how to anonymize it.

9

The only thing in the ip firewall nat is the following.

/ip firewall nat
add action=masquerade chain=srcnat

# nov/14/2018 17:08:38 by RouterOS 6.43.4
# software id = PEIW-SF6Z
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED08ADA210
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
/interface vlan
add interface=bridge1 name=VLAN21-Internet vlan-id=21
add arp=proxy-arp interface=sfp1 name=VLAN101-WESERVE vlan-id=101
add interface=bridge1 name=VLAN2580-IPVPN vlan-id=2580
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
add local-address=***.***.***.168 name=Internet-50MB rate-limit=50M/50M
add local-address=***.***.***.168 name=Internet-100MB rate-limit=100M/100M
add local-address=***.***.***.168 name=Internet-250MB rate-limit=250M/250M
/interface bridge port
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface pppoe-server server
add default-profile=Internet-50MB disabled=no interface=VLAN21-Internet \
    max-mru=1488 max-mtu=1488 one-session-per-host=yes service-name=\
    VLAN21-Internet
/ip address
add address=***.***.***.168/24 interface=VLAN101-WESERVE network=46.243.198.0
add address=10.101.124.1/24 interface=bridge1 network=10.101.124.0
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related disabled=yes src-address=10.101.125.0/24
add action=accept chain=forward connection-state=established,related \
    disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=***.***.***.1
/ppp profile
set *0 parent-queue=*1
/ppp secret
add name=dvdh-7391AK21-3 password=123 profile=Internet-50MB remote-address=\
    ***.***.***.169 service=pppoe
/system clock
set time-zone-name=Europe/Amsterdam
/system routerboard settings
set silent-boot=no
10

Problem solved. It was in the firewall rules.
Added the out interface for the masqurade rule and added a internal address to the source

add action=masquerade chain=srcnat comment=“Internet” out-interface=
WAN src-address=10.101.124.0/24

thanks Sindy for your help.

11

OK, so you’ve found it yourself faster than I could react. However, I would probably use less restrictive conditions in the action=masquerade rule. Assuming that the public subnet in question is x.x.x.0/24 and your WAN interface is ether456, I would modify the rule to say

/ip firewall nat
add action=masquerade chain=srcnat scr-address=**!**x.x.x.0/24 out-interface=ether456

Other than that, the absence of any firewall on your routerboard makes it an easy target, so if it has been running on a public IP for more than a couple of minutes, it is likely already infected.