My ISP is going to upgrade their service to optical. They’ll set up a device that’ll be bridging (no double-NAT) internet queries for my network soon.
I’ll need to set up PPPoE on my WAN interface.
Currently, the interface I use for this ISP’s service is configured as a DHCP client, and NAT is enabled.
I’ve found the following code on the MikroTik wiki, which seems fairly straightforward:
My question is this:
Apart from setting up PPPoE client on my WAN interface, will I need to alter any other settings (namely the DHCP client)?
AFAIK, I won’t get a static IP.
Topology-wise, there is no planned change on the LAN.
The current WAN interface would stay the same (basically, a Cat6 cable that goes into the current modem will be plugged into a new device), so why do I need to alter NAT or filter rules?
Also, do I keep the DHCP client setup?
Now your WAN interface is (assuming) ether1 and you’re running DHCP client on it to receive your public IP address and default gateway (and DHCP server address and …).
When you switch to fiber and PPPoE, your WAN interface will be pppoe-user-mike (or whatever you name it) and you will not run a DHCP client, as the PPPoE connection procedure includes this functionality.
You will need to revise FW rules to change the name of your WAN interface … or else your network could become completely exposed to the internet (if FW rules are written in an unlucky way - to put it mildly).
ether1 will become only an interface to carry PPPoE traffic and will not have any IP functionality. Well, this statement might not be entirely true: plain IP over ethernet could still be used over the ether1 interface to have management access to the fibre2ethernet converting device.
The thing is, I won’t have internet to check for help online when the change from the ISP happens. I configured this MikroTik RouterOS device for the place I work at (an elementary school).
So, let me try to sum things up as I understand them now:
- I set the PPPoE client pseudo interface and apply it to my WAN interface (ether1 currently).
- I remove DHCP client configuration from that given interface.
- Currently my NAT rule is, as you have guessed, configured on out interface WAN, so I change that to the new PPPoE pseudo-interface name.
- Currently I do not have any firewall rules set. Security of the device is done through allowing access from LAN, and a given private IPv4 network only.
Does this sound right, or would you add anything to this checklist?
“- Currently I do not have any firewall rules set. Security of the device is done through allowing access from LAN, and a given private IPv4 network only.”
Security of the device should not just be from the LAN, but also from the internet side, else you might be heading for a disaster.
Hey there matey!
Thanks for PPPoE heads up, and also:
What I’ve meant is, every outside login attempt is blocked basically.
/ip service
set telnet disabled=yes
set ftp address=LAN/Network
set www disabled=yes
set ssh address=LAN/Network
set api disabled=yes
set winbox address=LAN/Network
set api-ssl disabled=yes
Or do you have any suggestions I should build into mangle or filters? Currently they are empty.
I thought that firewalls block everything that is not directly allowed by default.
*Edit:
I’ve also added the following rules to the mix, because you’ve scared me a bit!
input chain:
1 accept established, related, untracked
2 drop invalid
3 drop * except LAN
Forward chain:
4 fasttrack
5 accept established, related, untracked
6 drop invalid
7 drop * from WAN interface list
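
The checklist and the rule outline from this thread, written out as RouterOS commands. This is an added example, not part of any post above and not MikroTik's own code; it assumes the WAN port is ether1, the LAN bridge is named "bridge", the PPPoE interface is called pppoe-out1, no WAN/LAN interface lists exist yet, and ISP-USER / ISP-PASS are placeholders for the ISP's credentials.

```routeros
# Added example. Assumed names: ether1 (WAN port), bridge (LAN), pppoe-out1.
# ISP-USER / ISP-PASS are placeholders. Run from the LAN side, in this order.

# 1. PPPoE client on the physical WAN port; it supplies address and default route.
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=ISP-USER password=ISP-PASS \
    add-default-route=yes use-peer-dns=yes disabled=no

# 2. The DHCP client on ether1 is no longer needed.
/ip dhcp-client
remove [find interface=ether1]

# 3. Interface lists, so rules do not depend on a single interface name.
#    ether1 stays in WAN: plain IP arriving on the physical port is untrusted too.
#    Skip the "add name=" lines if the lists already exist.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=WAN interface=ether1
add list=LAN interface=bridge

# 4. NAT must follow the PPPoE interface. Remove the old rule that points at
#    the previous WAN interface by hand, then add this one.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade to WAN"

# 5. Filter rules in the order listed in the last post (rule order matters).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=drop in-interface-list=!LAN comment="drop input not from LAN"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN comment="drop new from WAN"

# 6. Checks after the cut-over: session state, default route, rule hit counters.
/interface pppoe-client monitor pppoe-out1 once
/ip route print where dst-address=0.0.0.0/0
/ip firewall filter print stats
```

The last forward rule also drops port-forwarded (dst-nat) traffic from WAN; the thread mentions no port forwards, so none are allowed for here.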