new ISP wants PPPoE connection with tagged VLAN - need some guidance

Hi All,

I’m preparing to move to a new ISP that will be installing a Cisco router that they’ll control (fully managed by them as part of their SLA). I’ve said that we want to continue using our MikroTik RB2011UiAS-2HnD-IN router for firewalling and VPN so we’d be connecting the two routers together. The ISP is happy to do this and has sent me PPPoE details to input on the Mikrotik.

My question: our current configuration, set via the Quick Set page, has 'Address Acquisition' = "static". I can see a radio button to change it to "PPPoE", but that only lets me enter the new PPPoE username and password, not the other details the ISP has provided — in particular the VLAN tag, 101.

—These are the additional setting from the ISP—
VLAN tag:101
Carrier Modulation: G.993.2
Multiplexing: VC based
Encapsulation: PPPoE
Authentication: CHAP
IP address Assignment: Dynamic

I found something on the Mikrotik forums that looks helpful
http://forum.mikrotik.com/t/pppoe-connection-to-isp-with-tagged-vlan/133372/1

A member, Ingdaka, provided a useful snippet of code which I could adapt to work for my situation. Here's what I think would work for me — am I right in thinking that it is just two lines to make it work with VLAN 101? I'm not sure where to put in the CHAP authentication or the VC multiplexing, or is that all done automagically?
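# 802.1Q sub-interface, VID 101, on the physical port that is cabled to the ISP router
# (ether1 here). The VLAN must sit on the ethernet port, not on the PPPoE interface.
interface vlan add vlan-id=101 interface=ether1 name=vlan101
# The PPPoE session runs over the tagged sub-interface, not the bare port. The ISP specifies
# CHAP, so only challenge-response methods are offered: the client default (see the wiki
# print-out quoted further down) also allows PAP, which would hand the password over in
# cleartext if the far end asked for it.
interface pppoe-client add interface=vlan101 name=PPPoE_Out user=xxxxx password=yyyyyy \
    allow=chap,mschap2 use-peer-dns=yes add-default-route=yes
# Afterwards add PPPoE_Out to the WAN interface list (/interface list member) so the
# firewall and NAT rules that match on the WAN list cover the new connection.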



This is my current working (obscured) configuration script:

# NOTE(review): master-port=... is switch-chip syntax from RouterOS releases before the
# bridge rework; the poster later identifies this box as 6.29. Treat the unit as
# potentially compromised (see the reply below): netinstall a current long-term release
# and rebuild from this text export, not from a .backup file.
/interface bridge
add admin-mac=4C:EE:EE:EE:EE:EE auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above country="united kingdom" disabled=no frequency=auto \
    l2mtu=2290 mode=ap-bridge ssid=XYZ-WIFI wireless-protocol=802.11
# Neighbor discovery is switched off on the WAN port only; a new pppoe-out interface would
# need the same treatment (or a discover-interface-list=LAN setting).
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=XXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXX
# NOTE(review): 3DES and pfs-group=none are weak phase-2 choices; the reply near the end
# recommends AES with SHA256 and MODP2048 as the minimum.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-256-cbc \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.212.100-192.168.212.220
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=L2TP-IP-pool1 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/ppp profile
set [ find name=default ] name=default
# L2TP users get a dedicated profile with mandatory MPPE; SSTP keeps default-encryption.
add local-address=172.16.20.1 name=L2TP-IPSec-profile1 remote-address=\
    L2TP-IP-pool1 use-encryption=required
set [ find name=default-encryption ] local-address=192.168.89.1 name=\
    default-encryption remote-address=vpn
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set default-profile=L2TP-IPSec-profile1 enabled=yes ipsec-secret=XXXXXXXXXXXXXXX \
    use-ipsec=yes
# NOTE(review): no certificate is bound to the SSTP server in this export; per the reply
# near the end, SSTP is only secure with a certificate and authentication=mschap2.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.212.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.212.0
add address=999.999.999.141/24 interface=ether1-gateway network=999.999.999.0
/ip cloud
set ddns-enabled=yes
# NOTE(review): a DHCP client on ether1-gateway alongside a static address and a static
# default route. With PPPoE the client supplies address, DNS and route itself, so this
# entry should go (see reply below) rather than risk a second default route from a lease.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server network
add address=192.168.212.0/24 comment="default configuration" gateway=\
    192.168.212.1 netmask=24
# The router answers DNS for anyone the input chain lets through; only the final
# in-interface=ether1-gateway drop below keeps this from being an open resolver.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.212.1 name=router
# NOTE(review): every WAN-facing rule here matches on in-interface=ether1-gateway. A PPPoE
# session terminates on its own pppoe-out interface, not on ether1-gateway, so after the
# move none of these rules would protect (or, in the NAT section, masquerade) the new WAN.
# Use interface lists, as the 6.49 default config later in the thread does, and make the
# pppoe-client a WAN member.
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add chain=input comment="allow l2tp" dst-port=1701,500,4500 protocol=udp
# NOTE(review): TCP 1723 is opened but no /interface pptp-server block appears in this
# export; PPTP has been insecure for years (see reply below) -- delete this rule.
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add chain=input comment="allow sstp" dst-port=443 protocol=tcp
# NOTE(review): there is no accept rule for protocol=ipsec-esp, and the peer below sets
# nat-traversal=no, so raw ESP from the WAN falls through to this drop. If L2TP/IPsec did
# work from outside on this config, it is worth confirming how ESP was getting in.
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
# Bound to ether1-gateway: traffic leaving via a pppoe-out interface would not be NATed.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
# No out-interface on these two: VPN client traffic is masqueraded towards every
# destination, so LAN hosts see the router's address rather than the client's.
add action=masquerade chain=srcnat comment="masquarade L2tp/IPSec network" \
    src-address=172.16.20.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# Disabled "temporary" port-forward: delete it rather than leave it to be re-enabled.
add action=dst-nat chain=dstnat comment=\
    "Temporary port 80 connection to a Voip handset config- disabled" \
    disabled=yes dst-address=999.999.999.141 dst-port=80 protocol=tcp \
    to-addresses=192.168.212.134 to-ports=80
# NOTE(review): 3DES is offered in phase 1 as well, and nat-traversal=no means NAT-T is
# never negotiated -- clients behind NAT then depend on raw ESP reaching the router (see
# the missing ESP rule above). Confirm this actually worked for remote users.
/ip ipsec peer
add comment="preshared key = see pass book" enc-algorithm=3des,aes-128,aes-256 \
    exchange-mode=main-l2tp generate-policy=port-override nat-traversal=no \
    secret=XXXXXXXXXX
# Static default route for the current static WAN; with PPPoE, add-default-route=yes on
# the client replaces this and the entry should be removed.
/ip route
add distance=1 gateway=999.999.999.130
/lcd interface pages
set 0 interfaces="sfp1,ether1-gateway,ether2-master-local,ether3-slave-local,e\
    ther4-slave-local,ether5-slave-local,ether6-master-local,ether7-slave-loca\
    l,ether8-slave-local,ether9-slave-local,ether10-slave-local"
# NOTE(review): the "vpn" secret has no profile/service restriction and a name that
# suggests a test account -- remove it before go-live if it is not needed.
/ppp secret
add name=vpn password=XXXXXXXTESTINGXXXXXXXX
add name=user1 password=XXXXXXXXXX profile=\
    L2TP-IPSec-profile1 service=l2tp
add name=user2 password=XXXXXXXXXX profile=\
    L2TP-IPSec-profile1 service=l2tp
add name=user3 password=XXXXXXXXXX profile=\
    L2TP-IPSec-profile1 service=l2tp
add name=user4 password=XXXXXXXXXX profile=\
    L2TP-IPSec-profile1 service=l2tp
add name=user5 password=XXXXXXXXXX profile=\
    L2TP-IPSec-profile1 service=l2tp
add name=user6 password=XXXX profile=L2TP-IPSec-profile1 service=l2tp
/system clock
set time-zone-name=Europe/London
# MAC-telnet and MAC-WinBox are limited to the listed LAN-side interfaces; ether1-gateway
# is deliberately absent.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
# NOTE(review): a RoMON port entry. Whether RoMON itself is enabled lives under
# /tool romon set enabled=..., which this export does not show -- confirm it is off unless
# it is actually needed.
/tool romon port
add disabled=no

Caution, I do not have pppoe and thus not an expert but based on what I have seen/read!

DO NOT USE QUICKSET… use the PPPoE menu in WinBox instead, probably under PPP ----> Interface (add).

(1) You don't need this — remove it! With PPPoE the WAN address, DNS and default route all come from the pppoe-client, so a DHCP client on the same port is redundant (and could install a second default route if the ISP router answers DHCP).
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid interface=
ether1-gateway

(2) From the wiki
[admin@MikroTik] > interface pppoe-client add interface=ether2 password=StrongPass service-name=pppoeservice name=PPPoE-Out disabled=no user=MT-User
[admin@MikroTik] > interface pppoe-client print
Flags: X - disabled, I - invalid, R - running
0 R name=“PPPoE-Out” max-mtu=auto max-mru=auto mrru=disabled interface=ether2 user=“MT-User”
password=“StrongPass” profile=default keepalive-timeout=10 service-name=“pppoeservice” ac-name=“”
add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2

It's clear that this is where you associate the ethernet port with the PPPoE client.

(3) If additionally the ISP provides the pppoe via a VLAN, then
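# The VLAN is created on the physical ethernet port cabled to the ISP router (ether1 in
# the OP's config), never on the PPPoE interface; the pppoe-client is then pointed at it.
/interface vlan add vlan-id=XX interface=ether1 name=ISP-VLAN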
a. create the vlan
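# Parent is the physical ISP-facing port (ether1 here); afterwards change the pppoe-client
# so that interface=ISP-VLAN instead of the raw ethernet port.
/interface vlan add vlan-id=101 interface=ether1 name=ISP-VLAN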

The PPPoE client is then bound to ISP-VLAN (interface=ISP-VLAN) instead of to the raw ethernet port, so the session is carried inside VLAN 101.

(4) Be sure to do the following for wan interface.
# Under /interface list member. The default firewall and NAT rules match on the WAN/LAN
# lists, not on individual interfaces, so the PPPoE interface must be a WAN member.
add interface=pppoe-Out list=WAN

(5) Lastly, the terminal print-out shows the client's default allow=pap,chap,mschap1,mschap2. Since the ISP specifies CHAP, set allow=chap (or allow=chap,mschap2) explicitly so that PAP — which would send the PPPoE password in cleartext — is never offered to the access concentrator.

Only use quickset once. If any other changes are made through winbox/webfig using it again will break your configuration in random ways.

As there are master-port=ether2-master-local statements in your configuration you are running an old, insecure, remotely exploitable version of RouterOS. There may not be any visible signs of compromise, so it would be safest to netinstall the latest long-term stable version after making both a backup and a configuration export, plus exports of any certificates generated on the MikroTik itself (if any), and then reconfigure from the configuration export, NOT the .backup file (a .backup restores the old state wholesale, including anything an attacker may have left behind).

The additional setting information appears to be for a UK FTTC connection. A modem handles Carrier Modulation: G.993.2 (VDSL2) and also often the VLAN tag:101, so you are presented with an untagged PPPoE connection. The Multiplexing: VC based is erroneous; it only applies to ATM-based ADSL, not VDSL.

It seems most odd that you are configuring a PPPoE connection if you are being provided a managed service, the ISP router would typically handle the PPPoE WAN connection and provide IPoE to you either with DHCP or a static IP configuration which they would provide.

Good point, on the router OS… !!

@fevr just create a VLAN interface under /interfaces VLAN, use as interface the Interface the ISPs Router is connected and set as VID= the Vlan ID your ISP needs for communication …
Then on your PPPoE connection use as Interface the one created under /interfaces VLAN…

You mean something like this… TURKEY…
(3) If additionally the ISP provides the pppoe via a VLAN, then
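# The VLAN is created on the physical ethernet port cabled to the ISP router (ether1 in
# your config), never on the PPPoE interface; the pppoe-client is then pointed at it.
/interface vlan add vlan-id=XX interface=ether1 name=ISP-VLAN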
a. create the vlan
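# Parent is the physical ISP-facing port (ether1 here); afterwards set the pppoe-client's
# interface=ISP-VLAN instead of the raw ethernet port.
/interface vlan add vlan-id=101 interface=ether1 name=ISP-VLAN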

The easiest way to solve this issue is to use a dedicated modem which does the VLAN tagging by itself.
The classical modem products like Draytek Vigor 165 or 167 or the Zyxel VMG3006 is doing that !

Many thanks to everyone for all your replies, a really great response!

Firstly, security-wise, I have an identical Mikrotik router to which is on RouterOS 6.49.2 Stable. This will now be the router for use with the new ISP circuit. Thank you for pointing
out the security risk.

@tdw - you're right that it is a UK FTTC connection; in fact there are going to be two lines going into the Cisco C1117-MP4 $$$ box so there is a backup "fail-over" line. I did try to speak with the support people at the ISP last night but they couldn't really explain whether that is the reason I'm required to do the PPPoE setup on the MikroTik. I'll call someone more senior before the Friday line installs.

My plan on Friday :-

(1) Get the ISP to confirm that they can access the Cisco remotely and that the line(s) are active once BT Openreach have installed them on site.
(1b) Because the script I shared is from an old, insecure (6.29) RouterOS, I should start on the new router (6.49.4) from the factory-default config and build on that.
(2) create the new VLAN
Screenshot 2022-03-15 165032.png
(3) create the PPPoE client setup
Screenshot 2022-03-15 171055.png
Screenshot 2022-03-15 170023.png
@Anav - newbie question - you said that I should do this?
Be sure to do the following for wan interface.
add interface=pppoe-Out list=WAN

If I am able to use the new broadband after that:

(5) import the VPN setup I had before - I’m guessing that I should be able to do this in the console command line rather than doing it in Winbox.

Mistake already.
The PPPoE client setup is the priority; you set that to ether4. So is ether4 the port that is actually connected to your ISP's router?

This is confusing because previously you were using ether2
Also the vlan you just assigned for some reason to ether3.

So will the REAL ethernet port to the ISP provider please stand up!!!

As for the VLAN: WRONG — it is not attached to a port interface. The VLAN has to sit on the physical ethernet port that is cabled to the ISP router, and the PPPoE client then runs on top of the VLAN interface:
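/interface vlan
# Parent is the physical port cabled to the ISP router (ether1 in your earlier export), not
# the PPPoE interface; then set the pppoe-client's interface=vlan-ISP.
add interface=ether1 vlan-id=101 name=vlan-ISP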

++++++++++++++++++++++++++++++++++

Your config is missing the interface list and the corresponding interface list member entries — that is what I was referring to.
They are important for use in default firewall rules for example.

I really wouldn’t expect you to have to configure anything related to the external connections into the Cisco, they are all behind the scenes of the managed service. I would expect you to be provided with the details of a static IP, gateway and netmask to configure, I’ve never seen PPPoE for client handover on managed circuits.

If tdw is correct, then
a. you wont need such a vlan
b. you wont need to use pppoe client
c. you would use IP DHCP client OR just assign the static Ip address to the etheport under interfaces.
d. you would still have a WAN INTERFACE LIST
and the member would be that etherport.

I’m going to give the ISP a call and check what they’re actually giving me on Friday!

Will report back guys

OK, so the ISP request for VLAN tagging wasn’t needed. Bit annoying being told the wrong thing but it’s connecting to the ISP modem anyways with PPPoE with the instruction you guys sent.

Before doing, I took tdw’s advice here and upgraded to the latest RouterOS 6.49.4 and worked with the default setup to build again.

Almost working, but I have a problem with the default-config VPN setup. I can connect to the VPN but can't see/ping anything on the LAN, or log on to the MikroTik web admin page.

# mar/21/2022 17:55:16 by RouterOS 6.49.4
# software id = XXXXXXXXX
#
# model = 2011UiAS-2HnD
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
# NOTE(review): the PPPoE password is shown in clear -- this export was not made with
# hide-sensitive. If "topsecretpassword" is not already a placeholder, have the ISP reset
# it. The ISP specified CHAP, so allow=chap,mschap2 would stop PAP (cleartext password)
# from ever being offered; the client default quoted earlier in the thread includes pap.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=topsecretpassword use-peer-dns=yes user=userpppoe@bigisp.net
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-XXXXX wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): only supplicant-identity is set on the default security profile -- no
# authentication-types / wpa2 key appears in this export. Unless that was redacted, wlan1
# (bridged into the LAN below) is an open access point.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# *FFFFFFFE is an internal ID (apparently the built-in default-encryption profile that the
# SSTP server below names); a named find would be clearer. The reply below suggests a
# dedicated VPN profile with interface-list=VPN instead of reusing the built-in one.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): ipsec-secret looks like a placeholder and is the same string as the "vpn"
# user's password below; rotate both before go-live.
/interface l2tp-server server
set enabled=yes ipsec-secret=TESTsetup use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The PPPoE interface is a WAN member, so the list-based firewall/NAT rules cover it.
add interface=pppoe-out1 list=WAN
# NOTE(review): PPTP (MS-CHAPv2 / MPPE) has been broken for a decade -- see the reply
# below. Set enabled=no here and delete the "allow pptp" filter rule.
/interface pptp-server server
set enabled=yes
# NOTE(review): no certificate is configured in this export; SSTP is only secure with a
# certificate and authentication=mschap2 (the reply below also suggests force-aes=yes
# pfs=yes tls-version=only-1.2).
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
# NOTE(review): defconf DHCP client left on ether1 alongside the PPPoE client; remove it
# once PPPoE is confirmed (as suggested earlier) so a lease from the ISP router cannot
# install a second default route.
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# Remote DNS requests are accepted; only the "drop all not coming from LAN" input rule
# keeps this from being an open resolver on pppoe-out1.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# VPN service ports are accepted from any interface (these precede the !LAN drop).
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# NOTE(review): remove together with the PPTP server (see above).
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# NOTE(review): there is no accept for protocol=ipsec-esp; a client that does not negotiate
# NAT-T sends raw ESP, which the !LAN drop further down discards (see the replies below).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): L2TP/SSTP client interfaces are not LAN members, so this rule is why VPN
# users cannot reach the router itself (WebFig/WinBox) -- see the reply below for fixes.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections arriving on a VPN interface are not WAN members, so they are not caught
# here and fall through to the chain's implicit accept -- the filter is not what blocks
# VPN -> LAN forwarding in this config.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# No out-interface: VPN client traffic is masqueraded towards every destination, so LAN
# hosts see 192.168.88.1 rather than the 192.168.89.x client address.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# NOTE(review): test account with no service/profile restriction and the same string as
# the IPsec PSK -- replace with per-user secrets (service=..., profile=...) before
# production.
/ppp secret
add name=vpn password=TESTsetup
/system clock
set time-zone-name=Europe/London
# MAC-telnet / MAC-WinBox restricted to the LAN list (good).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Dont see anything wrong with the normal config so its probably in your vpn setup.

You will not be able to access the Mikrotik itself as the VPN connections are not part of the LAN interface list due to
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
You can either allow input from everything other than the WAN by replacing that rule with
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
(note this also opens the input chain to any future interface that is not a WAN member), or — better — create an interface list, e.g. VPN, a dedicated PPP profile for VPN connections (rather than the default profiles, which may cause unexpected side-effects) with interface-list=VPN, and firewall rules that accept only the specific services VPN users need before the drop.

You do not say which VPN protocol you are trying, IPsec will not work as you are missing
add action=accept chain=input comment=“allow IPsec ESP” protocol=ipsec-esp

I would suggest removing the PPTP settings & firewall rule, it has been insecure for a decade.
SSTP is only secure with authentication=mschap2 and a certificate, ideally also with force-aes=yes pfs=yes tls-version=only-1.2 (this does work with Windows, despite what the help pages say).
The minimum suggested settings for IPsec are AES with SHA256 and MODP2048.

You do not say which VPN protocol you are trying, IPsec will not work as you are missing
add action=accept chain=input comment=“allow IPsec ESP” protocol=ipsec-esp

It depends…
If NAT-T is supported by both peers and actually negotiated (which normally only happens when a NAT is detected between them), the ESP packets are encapsulated in UDP/4500, so the ESP rule is never hit. If either side is not behind NAT, or has NAT-T disabled, raw ESP (IP protocol 50) arrives and will be dropped without the accept rule — so it is safer to keep it.