MikroTik with PPPoE and real IP behind bridge modem

I bought a MikroTik 750r2 router, and my ISP, Ogero in Lebanon, gave me EFM internet with 5 real IPs.

They installed their modem in bridge mode

and told me to configure my router using PPPoE, disable NAT and enable RIPv2 so I can connect to the internet and get access to my real IPs.



Hello, When fixed public IP is required by the customer, the modem must then be placed in bridge mode, and the PPPoE must be handled behind it on your separate Ethernet-only router. Note that the router must support the required configuration, that is you must enable RIP V2 and disable NAT. You (eventually your IT) are solely responsible for the configuration of your firewall/router, and we at OGERO do not get involved and cannot provide support to this task nor do we get involved in the router selection task.



Here’s your account credentials as well as the assigned public IP subnet that was readily assigned to your account.



subnet mask: 255.255.255.248 (29)

gateway: 77.42.216.33

Usable ip address: 77.42.216.xx 5 ips

dns servers: dns1: 77.42.128.32

dns2: 77.42.130.32



They gave me a username and password to create the PPPoE connection, and the IPs.

I know how to create a PPPoE connection but I don't know how to configure RIPv2 and the rest.

Can you help me configure it?

When you configure and enable the PPPoE connection, I suppose the PPPoE server assigns some address outside the public range to that pppoe-outX interface, is that true?

After disabling NAT on the PPPoE interface, you need to set up RIP, but details are still missing.

To set up RIP:

routing rip> set redistribute-connected=yes redistribute-static=yes
routing rip interface> add interface=YOURPPPoE_interface receive=v2 send=v2 passive=no
routing rip network> add network=77.42.216.xx/29

You need first to have your public IPs assigned, this is usually done on the own router on empty bridge(s) (loopback device), using dst-nat afterwards to connect internal services to Internet.

Can you post a /ip print once PPPoE is connected? is 77.42.216.33 the remote IP of the tunnel? (appears as network on IP > Addresses)

I’d be cautious to set redistribute-connected to yes just like that, without filtering on prefixes, you never know how the ISP will handle the incoming advertisement of RFC1918 networks eventually connected at OP’s side.

Dear,
I did that; the internet works, but without my real IP.

Dear,

there was a question in both mine and @Pukkita’s post and you happily ignored it :)

The point is that your ISP is a bit cryptic on how exactly he expects you to set your side up, there are several ways how it could be done, and from the data they gave you it is not clear which one they choose on their side and expect you to follow. So we need to know the output of /ip address print and /ip route print when the PPPoE interface is up. Don’t forget to replace your public addresses by some alias names but leave private addresses, if any, unchanged.

Each time I connect PPPoE it gives me an IP like 94.187.61.165 and DNS 77.42.128.32 and 77.42.130.32.

And what is the remote IP? I gave you the exact commands not for fun, sending the complete output will save us a lot of time. Press “terminal” button in Winbox or Webfig and paste the commands to the window which opens, then copy-paste the response here (no point in obfuscating the addresses as you have disclosed them in the first post anyway).

Dear sir,
I have the same problem as najifares; my ISP is the same one and gave me this email, which is not clear at all.
I have now created the PPPoE connection and the RIP settings as stated above, but the problem is that the real IP I get is not mine; it is dynamic and changes every time I connect.
I did ip address print:
the remote address is 77.42.129.xx and the local address is 94.187.28.154, while mine are different.
The ISP is not willing to help or give information, I don't know why.
The only information they give is: disable NAT, enable RIPv2 and use loopback.

Is there anything I can do?
Another question: how do I disable NAT on my PPPoE connection?
Thank you in advance.

That’s a misunderstanding. The address provided to you using PPPoE (in this run, 94.187.28.154) is used only for the interconnection, so it can be any address, public or private, except the one(s) assigned to you. So it is not important what it is and that it changes.

The whole idea is that you manually assign “your” public address(es) to one of the interfaces of your Mikrotik (other than the PPPoE one!), and you use RIP to inform the router behind the PPPoE channel that this address is accessible via that channel.

The background is that while you only have got a single static public IP, e.g. the OP has got a whole subnet, and a subnet cannot be assigned using PPPoE as the name suggests. But on the other hand, PPPoE is the only way how to use commodity ADSL modems. So the ISP has everything based on PPPoE.


Almost correct.

  • “Disable NAT” should have actually read “disable NAT on the PPPoE interface” because otherwise packets sent from your static public address would be NATed to the dynamically changing one assigned to the PPPoE. But you may want to NAT everything to your static public IP, and it is possible of course.
  • “enable ripv2” means that you will inform the neighbour (the PPPoE server) that your static public address can be routed to via your PPPoE client address. The PPPoE server will update its routing tables accordingly.
  • “use loopback” is there because they don’t know you use Mikrotik (and don’t care either), so what they actually tell you is that you have to assign the static public address to some other interface than the PPPoE one, and if you don’t have any (which can be the case where a PC has a single Ethernet port connected to the modem), you should use the virtual interface called loopback or lo on unix-like systems. So in your case, you have to create an /interface bridge name=my-public-ip-holder protocol-mode=none and assign your static public address to it (/ip address add address=your.static.public.ip/32 interface=my-public-ip-holder). Do not make any other interfaces member ports of that bridge.


I assume you use the default firewall and in /ip firewall nat, there is a rule saying chain=srcnat action=masquerade out-interface=pppoe-out1 (or maybe out-interface-list=WAN).

By removing (or disabling) that rule, you disable the NAT.

To NAT packets from your LAN subnet to your static public IP while preserving the RIPv2 packets from getting modified, you have to replace that rule by
chain=srcnat action=src-nat src-address=your.lan.subnet/mask to-addresses=your.static.public.ip out-interface=pppoe-out1

If it doesn’t work, follow the suggestion in my automatic signature.

So dear
What should be my configuration step by step?
Thank you

If I don’t know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

Dear, here is the configuration that I did.
Should it work?
Also, I need that when I connect a PC to a port of the MikroTik, I put a real static IP on the PC's LAN interface to get internet.

/interface bridge
add name=EFM protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXXXXXXXXXXX use-peer-dns=yes user=L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.1 to-addresses=77.42.216.32/29
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2
/routing rip network
add network=77.42.216.32/29
add network=192.168.88.0/24
/system identity
set name="EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled

Thank you

dear Rabih can you send me your phone number??
thank you

Dear
I want to use my public real IPs on each Ethernet port of the MikroTik, so a PC connected to the MikroTik should have a static real IP address to work.
Thank you


Thank you sindy for the reply.
I also have a /29 subnet;
that means 5 addresses I must use.
I want to be able to use them on separate devices on the LAN.
Should I add each public address to an interface and add it to the bridge?
Please, if you can, send a step-by-step configuration in order to solve this confusion.

After your post I learned some facts about what is happening.
Thank you in advance.

So you both have about the same configuration and requirements in terms that you both want to connect something to the LAN ports which has to get one of those public addresses.
(I could call you too but all my Arabic consists of "mumke bukra" so it wouldn't be helpful :) )

So based on the configuration posted by @Najifares:

First remove this bridge or keep it in place but use its name everywhere below instead of the public-ip-lan:
/interface bridge
add name=EFM protocol-mode=none

Add two bridges (or reuse the one above for one of them). You'll connect devices which need a public address to one of them and devices for which a private address is enough to the other one.
/interface bridge add name=public-ip-lan protocol-mode=none
/interface bridge add name=private-ip-lan protocol-mode=none

Now unless you are connected using Winbox via MAC address of the Mikrotik, you must enter the two following commands on a single line in the terminal window (you cannot do it by clicking) exactly as written here (except the name of the bridge if you have chosen another one, and except @rabienz as your current state may be different). And before doing it, press Ctrl-X to enter safe mode - if something fails, the change will revert after about a minute and you'll be able to get back again:

/ip address set interface=private-ip-lan [find interface=ether2];/interface bridge port add bridge=private-ip-lan interface=ether2

If the change was successful, /ip address print should show you that address 192.168.88.1/24 is on interface private-ip-lan and /interface bridge port print should show you that interface ether2 is a member port of bridge private-ip-lan. If this is true, you may press Ctrl-X again to exit safe mode.

Next, as you will be connecting the box to public addresses, define tight firewall rules limiting access to Mikrotik itself, otherwise some malware will conquer the box in no time:
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=public-ip-lan disabled=yes comment="permit any access from LAN with public IPs if really sure you need it"
add action=accept chain=input in-interface=private-ip-lan comment="permit any access from LAN with private IPs"
add action=accept chain=input in-interface=pppoe-out1 protocol=udp dst-port=520 comment="permit incoming RIP packets"
add action=drop chain=input

Provide also firewall filter rules protecting the LAN devices, once everything starts working you may add rules permitting access from the internet side to those addresses for some services:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=public-ip-lan
add action=accept chain=forward in-interface=private-ip-lan
add action=drop chain=forward

Keep this in place:
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXXXXXXXXXXX use-peer-dns=yes user=L407722@ogeronet-2M.com

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

This has been already changed above:
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

so now it says
/ip address
add address=192.168.88.1/24 interface=private-ip-lan network=192.168.88.0

replace this line
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
by the following one:
add address=77.42.216.33/29 interface=public-ip-lan network=77.42.216.32
The address must be the one out of the /29 subnet which has not been assigned to you - the idea behind is that this will be the gateway in that public subnet. So maybe it is actually not 77.42.216.33 but 77.42.216.38, I cannot know.

replace this NAT rule
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.1 to-addresses=77.42.216.32/29

by the following one, so that you would only NAT addresses from private-ip-lan as they will access internet, to the address dynamically assigned by the ISP:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24

replace the following
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2

by just this:
/routing rip interface
add interface=pppoe-out1 receive=v2 send=v2 passive=no

Keep this:
/routing rip network
add network=77.42.216.32/29

but remove this:
add network=192.168.88.0/24

Now, add an ethernet interface or more (I don't know your device model so cannot be more precise) to the bridge named public-ip-lan:

/interface bridge port
add bridge=public-ip-lan interface=ether3



By now it should work, so if you connect a PC to ether3 and manually set one of the public IPs from the /29 subnet on it, with Mikrotik's address on the bridge as gateway, and open some "what's my IP" web page, it should show that PC's public address.

Dear Sindy,
I made the configuration, but when I connect the PC with a static IP (one of my real IPs) to ether3, I don't get internet on my PC.

# jul/25/2018 12:20:50 by RouterOS 6.35.4
# software id = Q5RM-NL4J

/interface bridge
add name=private-ip-lan protocol-mode=none
add name=public-ip-lan protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=xxxxxxxxxxxxxxxxxxxxxxxxx use-peer-dns=yes user=L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=private-ip-lan interface=ether2
add bridge=public-ip-lan interface=ether3
/ip address
add address=192.168.88.1/24 interface=private-ip-lan network=192.168.88.0
add address=77.42.216.33/29 interface=public-ip-lan network=77.42.216.32
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add chain=input comment=" permit incoming RIP packets" dst-port=520 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=public-ip-lan
add chain=forward in-interface=private-ip-lan
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24
/routing rip interface
add interface=pppoe-out1 receive=v2
/routing rip network
add network=77.42.216.32/29
/system clock
set time-zone-name=Asia/Beirut
/system identity
set name=" EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled
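
Added example, not part of any post in this thread: RouterOS evaluates filter rules top to bottom and an accept or drop ends processing, so rule order in an export like the one above is worth checking mechanically. This Python sketch parses the /ip firewall filter lines from that export and reports rules that an earlier rule in the same chain makes unreachable; it assumes an omitted action means accept (the export leaves defaults out) and uses a conservative subset test on matchers.

```python
import shlex

# /ip firewall filter section of the export posted above, wrapped lines rejoined.
EXPORT = """\
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add chain=input comment=" permit incoming RIP packets" dst-port=520 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=public-ip-lan
add chain=forward in-interface=private-ip-lan
add action=drop chain=forward
"""

NOT_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "#"}
TERMINATING = {"accept", "drop", "reject"}  # actions that end rule processing


def parse_rules(text):
    """Parse 'add key=value ...' lines; a missing action is treated as accept."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["add"]:
            rule = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
            rule.setdefault("action", "accept")
            rule["#"] = len(rules)  # position in the list, counted from 0
            rule["match"] = {(k, v) for k, v in rule.items() if k not in NOT_MATCHERS}
            rules.append(rule)
    return rules


def shadowed(rules):
    """Return (earlier, later) pairs where `earlier` already catches everything `later` matches."""
    active = [r for r in rules if r.get("disabled") != "yes"]
    pairs = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if (earlier["chain"] == later["chain"] and earlier["action"] in TERMINATING
                    and earlier["match"] <= later["match"]):
                pairs.append((earlier["#"], later["#"]))
                break
    return pairs


for earlier, later in shadowed(parse_rules(EXPORT)):
    print(f"rule {later} is unreachable: rule {earlier} already matches all of its traffic")
```

On this export it reports that the drop on in-interface=pppoe-out1 (rule 3) sits in front of the "permit incoming RIP packets" accept (rule 4), so that accept never matches.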

Before I start digging into it:

  • have you set the public address on the PC manually or did you leave “automatic” there?
  • if manually, have you configured any DNS server IPs?
  • can you ping the Mikrotik’s IP (77.42.216.33) from the PC?

And to speed it up, regardless of the answers above, what do the four following command line commands return?

/routing rip print
/routing rip neighbor print
/routing rip interface print
/routing rip network print