PPPoE network design

Hi

I'm setting up a new PPPoE network, based on RB1100AH as PPPoE concentrator and Usermanager, with RB1200 as routers on each site.
See the attached image.

Do I have to route public subnets to each site (for clients), and assign users on each site to these?
Example: if user1 is connected at site A, he belongs to pool_A; user2 is connected at site B, belongs to pool_B; and so on.
Or will it be routed automatically, so I do not have to assign subnets to each site, just one big pool?
(attachment: PPPoE setup.png)

You should route the IP networks that the PPPoE servers are to give to users via their IP pools to the PPPoE servers.

If you will use RB1100AH as PPPoE server/concentrator then you don't need to route public subnets anywhere beyond it. But the question is how you will pass PPPoE through your RB1200 routers? PPPoE is a layer 2 protocol, so it is not going to pass through routers. What is the reason for these RB1200s (isolating IP networks or just providing link failover)?
If you need only link failover, maybe it is better to use STP-aware switches instead of those RB1200 routers?
Another option, of course, is to configure each RB1200 as a PPPoE server and route a public IP range to it.

How do users connect to the RB1200?

Thank you for the replies.

The reason for the RB1200s is to not have a too large L2 network, which I have bad experience with :laughing:
I did not think about the PPPoE not passing through the routers.
Guess this means that I have to segment and route to each site then.

Any other ideas/input?

Just set up a routed and meshed network like you wish between all your routers (RB1100AH & RB1200).
Then you can easily span EoIP tunnels or VPLS tunnels from your PPPoE access concentrator (RB1100AH) to your customer edge ports.

This way you'll completely hide your routed network from the customer.
Also you can just set up a big IP pool of public IPs without any site-related overheads.

I’d rather use the RB1200s as PPPoE servers, authenticating users via a central RADIUS solution (maybe UserManager, if you want). Then I’d just route between the RB1100 and the RB1200s.

Thanks for more input here.

Using EoIP or VPLS, would this not also just create a big L2 network, and the troubles that come with it?

No, using EoIP or VPLS does not create a big L2 network.
The network is all routed.
In the concentrator, if you create a PPPoE server for each tunnel, you have only single L2 segments, not broadcasting to each other.

Thanks, but L2 broadcasts will travel all the way to the core PPPoE concentrator?
As with regular routing it will stop at the site's local router…

If I use the RB1200s as PPPoE servers, authenticating users via a central Usermanager, do I still have to route public subnets to each site, or will this be taken care of between the routers automatically?

The reason I ask is that if I have to route a subnet to each site, much overhead in used public IPs is created.

Yes, if you use the RB1200s as PPPoE servers you will have to route public IPs to each site, but this can be taken care of automatically with OSPF. You probably want to set up route summaries in OSPF so you don't have a bunch of /32 routes.
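An added example (not from any poster) of what "route a pool to each site, but only the summary" can look like on a RB1200 running as PPPoE server. It assumes RouterOS v6 syntax, placeholder addresses (203.0.113.0/26 as site A's pool, 10.0.1.0/30 as the core link, router IDs 10.255.0.x), and uses a different technique from the area ranges in the wiki link: a static blackhole summary for the pool is redistributed through a routing filter, so the per-session /32 routes never reach the core.

```routeros
# ---- RB1200 at site A (constructed example; RouterOS v6 syntax assumed) ----
# Site pool 203.0.113.0/26 (documentation range used as a placeholder)
/ip pool add name=pool_A ranges=203.0.113.2-203.0.113.62
/ppp profile add name=pppoe-A local-address=203.0.113.1 remote-address=pool_A
/interface pppoe-server server add service-name=siteA interface=ether2 \
    default-profile=pppoe-A one-session-per-host=yes disabled=no
# Blackhole summary for the whole pool: active sessions install more specific
# /32 connected routes that win locally; traffic to unassigned addresses is
# dropped here instead of bouncing between this router and the core.
/ip route add dst-address=203.0.113.0/26 type=blackhole comment="pool_A summary"
# Advertise only the summary: redistribute statics, but let the routing filter
# pass just the exact /26 (prefix-length=26 excludes more specific routes).
/routing filter add chain=ospf-out prefix=203.0.113.0/26 prefix-length=26 action=accept
/routing filter add chain=ospf-out action=discard
/routing ospf instance set default router-id=10.255.0.2 \
    redistribute-static=as-type-1 redistribute-connected=no out-filter=ospf-out
/routing ospf network add network=10.0.1.0/30 area=backbone

# ---- RB1100AH core: OSPF neighbour on each site link, originates the default ----
/routing ospf instance set default router-id=10.255.0.1 \
    distribute-default=if-installed-as-type-1
/routing ospf network add network=10.0.1.0/30 area=backbone
/routing ospf network add network=10.0.2.0/30 area=backbone
```

Check with `/ip route print where ospf` on the RB1100AH: it should show one /26 per site and no /32 routes.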

OK, thanks. How would this OSPF setup be? Do you have an example?

http://wiki.mikrotik.com/wiki/OSPF_and_Area_summaries
http://wiki.mikrotik.com/wiki/Category:Routing

With L2 tunnels, connect only one interface of the RB1200 with the PPPoE server to your concentrator; then the broadcast stops, it will not travel everywhere.
Having a single concentrator could be more secure for your network.

But still it will go across all links, and into where the concentrator is (core).
When using routed network, the broadcast etc will not leave the site, right?

If I can achieve this using L2 links, I will rather do that than setting up OSPF etc, as it will be a simpler setup.

If you use tunneling to transport PPPoE from a central PPPoE access concentrator to your distant sites, of course there will be broadcast traffic from these sites to the central station.

But this is VERY limited broadcast traffic, because:

  • you can discard everything that is not PPPoE at the customer point
  • you can limit the amount of PPPoE discovery frames per second (broadcast) at the customer interface
  • you can disable MikroTik neighbor discovery within all tunneling interfaces and tunnel bridges
  • you should enable horizon bridging at the central station to separate the broadcast domains, or:
  • you can just setup a PPPoE-Service per Tunnel.

In addition to what sup5 said you can disable ARP on the PPPoE interface(s).
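An added configuration example (not from sup5 or any other poster) putting the items from the list above and the ARP remark into RouterOS commands: one EoIP tunnel per site, all tunnels in one bridge with split horizon, bridge filters that let only PPPoE frames reach the server, neighbor discovery restricted to the management port, ARP disabled on the PPPoE-facing bridges, and non-PPPoE frames dropped at the customer port. It assumes RouterOS v6.41+ syntax and placeholder addresses (10.255.0.x loopbacks, ether1 as management, ether2 as customer port); the per-second rate limit on discovery frames is left out.

```routeros
# ---- RB1100AH, central access concentrator (constructed example) ----
/interface eoip add name=eoip-siteA local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=10
/interface eoip add name=eoip-siteB local-address=10.255.0.1 remote-address=10.255.0.3 tunnel-id=11
# One bridge, no STP, no ARP; every tunnel in horizon group 1 so frames
# entering from one site are never forwarded to another site.
/interface bridge add name=br-pppoe protocol-mode=none arp=disabled
/interface bridge port add bridge=br-pppoe interface=eoip-siteA horizon=1
/interface bridge port add bridge=br-pppoe interface=eoip-siteB horizon=1
# Only PPPoE discovery (PADI/PADO/...) and PPPoE session frames may reach
# the server; everything else the tunnels carry is dropped.
/interface bridge filter add chain=input in-bridge=br-pppoe mac-protocol=pppoe-discovery action=accept
/interface bridge filter add chain=input in-bridge=br-pppoe mac-protocol=pppoe action=accept
/interface bridge filter add chain=input in-bridge=br-pppoe action=drop
/interface bridge filter add chain=forward in-bridge=br-pppoe action=drop
# MNDP/CDP neighbor discovery only on the management port, not on tunnels.
/interface list add name=mgmt
/interface list member add list=mgmt interface=ether1
/ip neighbor discovery-settings set discover-interface-list=mgmt
# Single PPPoE service on the bridge; one session per client MAC.
/interface pppoe-server server add service-name=isp interface=br-pppoe \
    default-profile=default one-session-per-host=yes disabled=no

# ---- RB1200 at site A, customer-facing port ether2 ----
/interface eoip add name=eoip-core local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=10
/interface bridge add name=br-cust protocol-mode=none arp=disabled
/interface bridge port add bridge=br-cust interface=ether2
/interface bridge port add bridge=br-cust interface=eoip-core
# Discard everything that is not PPPoE coming from the customer port, and
# never let customer frames reach this router's own IP stack.
/interface bridge filter add chain=forward in-interface=ether2 mac-protocol=pppoe-discovery action=accept
/interface bridge filter add chain=forward in-interface=ether2 mac-protocol=pppoe action=accept
/interface bridge filter add chain=forward in-interface=ether2 action=drop
/interface bridge filter add chain=input in-interface=ether2 action=drop
/interface list add name=mgmt
/interface list member add list=mgmt interface=ether1
/ip neighbor discovery-settings set discover-interface-list=mgmt
```

Watch `/interface bridge filter print stats` on both ends to confirm that only the two accept rules count packets once clients are online.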

Hi, can anybody help me, as I'm a beginner? I've got some basic network & MikroTik skills.

I already set up a PPPoE server, IP pool, firewall, mangle etc…
The PPPoE server works fine.

I just need advice on what extras there are, or changes I can do, to make my network
more secure, protecting my network & router from bad stuff, clients & the internet.

There is no need to disable ARP on the PPPoE interfaces of the access concentrator, because you don't want to set up IP addresses here.

That's exactly the reasoning for disabling ARP on the PPPoE interface: there is no need for it. That gives you one less security concern.