Looking for some config examples on doing the following:
\
I get a Q-in-Q (lets say for example VLANID 400 on ether1)
In this trunk, for each new customer they are assigned a new VLAN within that Q-in-Q tunnel (lets say 5 customers, 10,20,30,40,50)
I want all these customers to ‘auth’ via PPPoE server
OK so, I could create VLAN interface on ether1 with VLANID400 and use service tag enabled. This creates the Q-in-Q.
I could also manually create each vlan interface under that for each customer, so 5 seperate interfaces.
Then I could also set up a PPPoE Server listening on each of those VLAN interfaces. Which then would create a dynamic interface under that for the pppoe when user successfully auths.
This would be OK if we were only talking 10-15 users but this could scale to many thousands, and I’d like to use VRRP and other scripting to have failover for this between 2 RouterOS based routers.
Doing it this way seems it would be an absolute NIGHTMARE for config maintenance/management, and even the possible performance overheads.
I’m looking for examples of ways to have a single PPP service listen on perhaps the Q-in-Q tunnel and attach itself to every inner VLAN and successfully terminate the customers? Or some other dynamic way of managing such a set-up?
All help appreciated, and I’ll be sure to try wiki my outcomes (if not already around)
Well I might at least have an idea how you could terminate all customers on only one pppoe server…
Create a bridge where your pppoe server will listen on, and add a bridge filter rule for that bridge, chain=forward, action=drop.
Now add every customer vlan interface to this bridge.
What this does, is enable your pppoe server to talk to every client (because that traffic is handled by input and output chains), but block the clients from talking to each other. This filter rule also effectively prevents that bridge from shorting together the different vlans, because traffic from e.g. vlan 10 will never be forwarded to vlan 20.
Caveat: You will still have to manually add and remove vlan interfaces, and add/remove them from/to the pppoe server bridge.
Maybe this at least makes your life with q-in-q a little less miserable…
Thanks for the tip. I had thought of it this way but was worried about cross talk, didn’t think about filtering the VLAN forward chain, I suppose when they create the PPP connection it is a layer above the VLAN so if 2 PPP connections want to talk to each other via their public IP’s it would work OK.
With thousands of possible customers, it still feels a massive configuration and management overhead to add a new vlan interface for each customer. Perhaps a metro ethernet switch to sit between provider and MikroTik to strip the vlan tags and deliver all sessions accross a single trunk. I know this is a bit more dynamically easier in Cisco, but not sure to the extent I am looking at.
By my understanding of split horizon, I’d still need to create each virtual interface? I can’t see split horizon being any easier than a simple single line firewall rule, but could be best practise and will take it under advisement.
I am mostly looking for a way to not have to manage all the VLAN interfaces.
This solution, like bridge filters work fine.
I need to add one or more bridge interface to group some VLANs.
But, if I add a secondo Bridge and a secon PPPoE Server active on this… PPPoE Clinet not go up
I have a huawei Switch where i recieve QINQ vlan tags such as 3601:101 , 3602:102 and so on
I need the following on mikrotik
I need to run single pppoe server on a bridge with QINQ enabled , and user should get ip from External radius server and radius server authenticate user only if he belongs to particular outer:inner vlan . I woud also like to load balance Ip pools based on Outer vlan tags from radius server
so what i should configure on mikrotik as well as radius server , how to send Outer:inner vlan information to radius server
