PPPoE config with ADSL modem... beginner questions

Hi! I just got a RB951G-2HnD with ROS 6.9 and I’d like to know if my settings for PPPoE via an ADSL modem are correct.
Here’s my full export:

[admin@nietzsche] > export
# feb/12/2014 09:25:35 by RouterOS 6.9
# software id = DP0K-P9C8
#
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above distance=indoors l2mtu=2290 mode=ap-bridge \
    ssid=MikroTik-BBB5D5
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-clients
set [ find default-name=ether3 ] name=ether3-servers
set [ find default-name=ether4 ] disabled=yes name=ether4-temp
set [ find default-name=ether5 ] disabled=yes name=ether5-temp
/ip neighbor discovery
set ether1-wan discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=418402BC7279 wpa2-pre-shared-key=418402BC7279
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=ether2-clients-dhcp-pool ranges=192.168.2.21-192.168.2.254
/ip dhcp-server
add address-pool=ether2-clients-dhcp-pool disabled=no interface=ether2-clients name=ether2-clients-dhcp
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no \
    interface=ether1-wan keepalive-timeout=disabled max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=\
    xxx profile=default service-name="" use-peer-dns=no user=xxx
/interface bridge port
add interface=ether2-clients
add interface=wlan1
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=ether2-clients network=192.168.2.0
add address=192.168.3.1/24 interface=ether3-servers network=192.168.3.0
add address=192.168.0.1/24 interface=ether4-temp network=192.168.0.0
add address=192.168.88.1/24 interface=ether5-temp network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server lease
add address=192.168.2.253 mac-address=2C:27:D7:CF:24:B0 server=ether2-clients-dhcp
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=192.168.2.1,8.8.8.8,8.8.4.4 gateway=192.168.2.1 \
    netmask=24 ntp-server=0.0.0.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-wan
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Clients LAN" in-interface=ether2-clients src-address=192.168.2.0/24
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.2.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=dst-nat chain=dstnat dst-port=22 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.3.21 to-ports=22
/ip service
set telnet address=192.168.3.0/24,192.168.2.0/24
set ftp address=192.168.3.0/24,192.168.2.0/24
set www address=192.168.3.0/24,192.168.2.0/24
set ssh address=192.168.3.0/24,192.168.2.0/24 disabled=yes
set www-ssl address=192.168.3.0/24,192.168.2.0/24
set api address=192.168.3.0/24,192.168.2.0/24 disabled=yes
set winbox address=192.168.3.0/24,192.168.2.0/24
set api-ssl address=192.168.3.0/24,192.168.2.0/24 disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=nietzsche
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/tool graphing interface
add interface=ether1-wan
add interface=ether2-clients
add interface=ether3-servers
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-clients
add interface=ether3-servers
add interface=ether4-temp
add interface=ether5-temp
add interface=wlan1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-clients
add interface=ether3-servers
add interface=ether4-temp
add interface=ether5-temp
add interface=wlan1
add

Here’s my ip route print:

[admin@nietzsche] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.100.1             1
 1 ADC  192.168.1.0/27     192.168.1.20    ether1-wan                0
 2 ADC  192.168.2.0/24     192.168.2.1     ether2-clients            0
 3 ADC  192.168.3.0/24     192.168.3.1     ether3-servers            0
 4 ADC  192.168.100.1/32   87.4.65.92      pppoe-out1                0

As you can see, ether1-wan (which the modem is attached to) is getting an IP from it (192.168.1.20), so I can still access the modem configuration page on 192.168.1.1. Traffic is routed via pppoe-out1 and the masquerading is done on that interface too.
Is that how it should be or am I under double NAT? I have no control over the ADSL modem and I’m not sure if it’s correctly operating in bridged mode or not. Anyway, the internet is working fine with this configuration. :slight_smile:
Second question is: is my DNS setting correct for DHCP? I want my clients to look into the static DNS pool of my router before querying 8.8.8.8 and 8.8.4.4…
Also, I can’t really figure out the need for a line like “add chain=input comment="Clients LAN" in-interface=ether2-clients src-address=192.168.2.0/24” in my firewall … I’ve copied that config straight from the http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line page, but my network works anyway even without that.

Thanks a lot for your help!

The PPPoE client settings look right and you said you were online, so they are probably fine. The firewall does not help you get online, but if you don’t understand it, it can cause problems. Your firewall rules are pretty basic and they basically say protect the router and allow traffic that the LAN initiates. As far as DNS, you will want to remove the 8.8.8.8 and 8.8.4.4 entries and only leave the router as the DNS to keep the clients pointing towards the router.
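An added example, not part of the thread and not MikroTik code: a small first-match walk over the `chain=input` rules from the export, showing which rule decides a new DNS query from a LAN client to the router and a new connection arriving on pppoe-out1. It models only the matchers these seven rules use, and the two sample packets are constructed.

```python
import ipaddress
import shlex

# chain=input rules from the export above, in their original order.
INPUT_RULES = """\
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-wan
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Clients LAN" in-interface=ether2-clients src-address=192.168.2.0/24
add action=drop chain=input comment="Drop everything else"
"""
NOT_MATCHERS = {"action", "chain", "comment"}

def parse_rules(text):
    """Parse 'add key=value ...' lines; an omitted action means accept."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["add"]:
            rules.append({"action": "accept", **dict(t.split("=", 1) for t in tokens[1:])})
    return rules

def matches(rule, packet):
    """A rule matches only if every matcher it sets agrees with the packet."""
    for key in rule.keys() - NOT_MATCHERS:
        want, have = rule[key], packet.get(key)
        if key == "src-address" and have is not None:
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(rules, packet):
    """Walk the chain top-down; the first matching rule decides."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"], rule.get("comment", "")
    return "accept", "(end of chain)"

# Constructed sample packets (not captured traffic).
LAN_DNS = {"in-interface": "ether2-clients", "src-address": "192.168.2.50",
           "protocol": "udp", "connection-state": "new"}
WAN_NEW = {"in-interface": "pppoe-out1", "src-address": "203.0.113.7",
           "protocol": "tcp", "connection-state": "new"}
```

With the "Clients LAN" rule filtered out of the list, `LAN_DNS` falls through to "Drop everything else". `WAN_NEW` is also decided by that final rule, because the `in-interface=ether1-wan` drop does not match traffic arriving on pppoe-out1.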

Good to see my configuration is correct. Thanks! :slight_smile: