I am using PPPoE on MikroTik with a RADIUS server as in the diagram below, and it is working well.
The router has a masquerade rule with src-address range 192.168.10.0/24; all connections received on the firewall have source address 192.168.10.3, so I can't filter according to PPPoE users' IPs in the firewall.
I tried to change the rule to accept, but then the packets from a PPPoE user are not transmitted to the firewall.
How can I forward the traffic from the MikroTik router to the firewall and keep the source IP as the PPPoE user's IP?
It is difficult to say exactly, as it isn't clear exactly how the devices are connected (hint: post the output of /export hide-sensitive and redact any public IPs, etc.).
That said, stop masquerading your PPPoE clients (as this replaces the PPPoE client address with 192.168.10.3) and, as you appear to be using the same subnet for both your PPPoE clients and the router-to-firewall connection, enable proxy-arp on the router-to-firewall interface.
Ideally it would be better to use a different subnet for the PPPoE client pool, plus a static route on the firewall.
OK, you appear to be statically assigning client PPPoE addresses in your RADIUS server rather than using a dynamic IP pool. The method doesn't change: enable proxy ARP on ether1
/interface ethernet set [ find default-name=ether1 ] arp=proxy-arp
and disable/remove the masquerade rule.
What is the 192.168.200.0/24 subnet for? Unless you have some non-PPPoE devices attached to ether2, it can be removed and the PPP profile changed:
/ppp profile
set *0 dns-server=192.168.10.3 local-address=192.168.10.3 only-one=yes
Yes, I am assigning static IPs as you said.
And the subnet 192.200.200.0 is used for another reason.
You mean if I enable proxy ARP on ether1 (/interface ethernet set [ find default-name=ether1 ] arp=proxy-arp) and disable/remove the masquerade rule, then the packet will reach the firewall with the PPPoE IP address assigned from the RADIUS server?
Yes. Removing the masquerade rule leaves the source address of the PPPoE client unchanged; enabling proxy ARP allows the router to reply to ARP requests from the firewall for 192.168.10.x PPPoE client addresses so traffic may be returned.
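
The behaviour discussed in this thread, modelled as a small Python example (added here, not posted by any participant and not RouterOS code): it shows which source address the firewall sees and where its reply goes for each setup. The client addresses 192.168.10.50 and 10.20.0.50 and the 10.20.0.0/24 pool are constructed for illustration; 192.168.10.3 and 192.168.10.0/24 are from the thread.

```python
import ipaddress

# Assumed topology: router ether1 and the firewall share 192.168.10.0/24.
FIREWALL_LAN = ipaddress.ip_network("192.168.10.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.10.3")
# Hosts that actually sit on the Ethernet segment and answer ARP themselves.
# PPPoE clients are behind the router's tunnel interfaces, so they are not here.
ETHERNET_HOSTS = {ROUTER_IP}

def source_seen_by_firewall(client_ip, masquerade):
    """Masquerade rewrites the client source to the router's own address."""
    return ROUTER_IP if masquerade else ipaddress.ip_address(client_ip)

def return_next_hop(dst, proxy_arp, static_routes=()):
    """Next hop the firewall uses for its reply, or None if undeliverable."""
    dst = ipaddress.ip_address(dst)
    if dst in FIREWALL_LAN:
        # On-link destination: the firewall sends an ARP request for it.
        if dst in ETHERNET_HOSTS:
            return dst
        # Only a proxy-ARP router answers on behalf of a tunnelled client.
        return ROUTER_IP if proxy_arp else None
    for net, gateway in static_routes:
        if dst in ipaddress.ip_network(net):
            return ipaddress.ip_address(gateway)
    return None

def scenario(client_ip, masquerade, proxy_arp, static_routes=()):
    """Return (source the firewall can filter on, next hop for the reply)."""
    src = source_seen_by_firewall(client_ip, masquerade)
    hop = return_next_hop(src, proxy_arp, static_routes)
    return str(src), (str(hop) if hop else None)

if __name__ == "__main__":
    cases = {
        "masquerade on": ("192.168.10.50", True, False, ()),
        "masquerade off, no proxy ARP": ("192.168.10.50", False, False, ()),
        "masquerade off, proxy ARP": ("192.168.10.50", False, True, ()),
        "separate pool + static route": (
            "10.20.0.50", False, False, (("10.20.0.0/24", "192.168.10.3"),)),
    }
    for name, args in cases.items():
        print(f"{name:32} -> src={scenario(*args)[0]}, reply via {scenario(*args)[1]}")
```

Only the last two cases give the firewall the real client address and a working return path, which is what per-user filtering on the firewall needs.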