Setting two ISP connections on 2 vlans, same ISP cable

I need help please (I am kind of a beginner I guess).

ISP gave me two separate PPPoE accounts but they are both set on same ISP ethernet cable, I get a dedicated public IP on each connection.
I want to separate the two connections so that I have one group of computers for home use and the other group of computers for office/business use, each group using a different public IP (and local ip class I guess ?!).

It works OK if I put a switch at the ISP cable, then have one PPPOE on the Mikrotik and one PPPOE on another router (see attached image), but I want to just use the mikrotik and remove the switch and the extra router.

I assume I need to create two vlans for this ? (unless there is an easier and more reliable way), I also did it with connection marking but I thought it was too complicated (now I find vlans method complicated).

  • made two different dhcp servers, two different classes of local IPs: 192.168.3.0/16 192.168.4.0/16, I thought /16 instead of /24 would also allow computers from two networks to see each other, I am lost here.
  • made two bridges and added second vlan on the second bridge
  • tried to move the internet ISP eth port/interface on the second bridge, but it doesn’t work in “slave” mode, I am lost :confused:
  • under main menu bridge > ports, I linked one ETH (eth3) port with bridge-2, expecting for computers connected here to get second ISP connection (not working).

Maybe without getting in the details…

  • does the “one cable” thing prevent me from properly separating these two connections ?
  • do I (can I) somehow mirror the actual cable port into two and then associate each one with one of the vlans ?
  • is “tagged port” something that should be used in this case ?
  • what do I need in order for computers from the two subnets see each other ? (e.g 192.168.3.11 and 192.168.4.11) ?

This one is a HAPac2, another one I have appears to have two separate hardware “switches” in it, that might help in this case ?!

Edit, the config, I tried to edit-out some parts for simplicity and privacy:

/interface bridge
add admin-mac=48:8F:XX:XX:XX:28 auto-mac=no comment=defconf name=bridge-1-home
add name=bridge-2-for-vlan-business
/interface ethernet
set [ find default-name=ether1 ] name=ether1-rds
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full disabled=yes \
    mac-address=B0:95:XX:XX:XX:62 name=ether2-SOME-OTHER-ISP
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=\
    pppoe-rds-business user=CRPTM13592XXXX
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home \
    user=TM18839XXXX
/interface vlan
add interface=bridge-2-for-vlan-business name=vlan-2-business vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=adr-dhcp-pool ranges=192.168.3.101-192.168.3.255
add name=adr-dhcp-pool-business ranges=192.168.4.100-192.168.4.255
/ip dhcp-server
add address-pool=adr-dhcp-pool disabled=no interface=bridge-1-home name=\
    adr-dhcp-server-1
add address-pool=adr-dhcp-pool-business disabled=no interface=\
    bridge-2-for-vlan-business name=adr-dhcp-server-2-business
/ppp profile
set *FFFFFFFE local-address=adr-dhcp-pool remote-address=adr-dhcp-pool
/interface bridge port
add bridge=bridge-2-for-vlan-business interface=ether3
add bridge=bridge-1-home interface=ether4
add bridge=bridge-1-home interface=ether5
add bridge=bridge-1-home disabled=yes interface=wlan1_2g_interface
add bridge=bridge-1-home disabled=yes interface=wlan2_5g_interface
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set allow-fast-path=yes enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge-1-home list=LAN
add interface=ether2-SOME-OTHER-ISP list=WAN
add list=WAN
add list=WAN
add interface=pppoe-rds-home list=WAN
add interface=ether1-rds list=WAN
add interface=pppoe-rds-business list=WAN
add list=WAN
/interface ovpn-server server
set certificate=EXAMPLE_cert.pem_0 cipher=blowfish128,aes128,aes256 \
    enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-1-home network=\
    192.168.88.0
add address=192.168.3.1/24 interface=bridge-1-home network=192.168.3.0
add address=192.168.4.1/24 interface=bridge-2-for-vlan-business network=\
    192.168.4.0
/ip arp
add address=192.168.3.10 interface=bridge-1-home mac-address=64:76:XX:XX:XX:02
add address=192.168.3.16 interface=bridge-1-home mac-address=88:D7:F6:XX:XX:D1
add address=192.168.3.9 interface=bridge-1-home mac-address=D0:37:XX:XX:XX:85
add address=192.168.3.100 interface=bridge-1-home mac-address=B0:95:XX:XX:XX:B1
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=ether2-SOME-OTHER-ISP use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.3.10 mac-address=64:76:XX:XX:XX:02 server=adr-dhcp-server-1
add address=192.168.3.16 client-id=1:88:D7:F6:XX:XX:D1 mac-address=\
    88:D7:F6:XX:XX:D1 server=adr-dhcp-server-1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.4.1 netmask=16
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.88.1 netmask=16
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow OpenVPN  ?!" dst-port=1194 \
    protocol=tcp
add action=accept chain=input comment="UDP vpn ports  ?!" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="UDP vpn ports  ?!" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment=\
    "UDP vpn port with additional IPsec condition ?!" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-port="" protocol=udp src-address=\
    192.168.0.0/16 src-port=67
add action=drop chain=forward dst-port="" protocol=udp src-address=\
    192.168.0.0/16 src-port=68
add action=drop chain=forward comment="trying to block a rogue UPC dhcp server" \
    disabled=yes src-mac-address=90:5C:XX:XX:XX:F1
add action=drop chain=input disabled=yes src-address-type="" src-mac-address=\
    90:5C:XX:XX:XX:F1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade for wifi repeater" \
    disabled=yes ipsec-policy=out,none out-interface=bridge-1-home

I assume you can use a simple setup …

  • you have one ISP ethernet cable (this will support the PPPoE connections)
  • you have 2 independent PPPoE client interfaces, one each for your ISP PPPoE accounts
  • This is your WAN side, with 2 interfaces. WAN and LAN normally are not bridged. So neither this ethernet interface nor the 2 PPPoE interfaces are connected to a bridge

The traversal from LAN to WAN is with the default NAT rules of the firewall. You will need 2 NAT rules instead of one. You will also need 2 default routes.

  • If you need a bridge or VLAN for the LAN side of the network, depends on the design there.
    Many possibilities for the LAN side. It can perfectly be done with just 2 ethernet interfaces , or 2 bridges with some ethernet interfaces, or one bridge with or without 2 VLAN

-Take 2 LAN interfaces …

  • one IP address per interface (192.168.3.1 and 192.168.4.1)

  • one DHCP server per ethernet interface (serving 192.168.3.0/24 and 192.168.4.0/24)

  • 2 NAT rules in firewall with source IP address filter

  • 2 default IP routes with source IP address filter

  • 2 bridges … very similar setup (LAN IP address and DHCP server on the bridges)

  • bridge with VLAN also similar

  • bridge without VLAN or just one ethernet … a bit more complicated to handle the DHCP leases, as there is only one DHCP server


    You can have a smarter setup, with preferred and failover PPPoE paths (but they probably fail both at the same time) http://forum.mikrotik.com/t/advanced-routing-failover-without-scripting/136599/1
    There are many variations on this. Some ideas here … https://mum.mikrotik.com/presentations/US12/tomas.pdf

To use vlans is dependent upon the use of your router ports more than anything, but since you want to use them, please read this reference to understand the config!!
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP
/interface bridge
# keep vlan-filtering=no until the config is complete, then enable it
add name=bridge vlan-filtering=no
/interface vlan
add interface=bridge name=home_users10 vlan-id=10
add interface=bridge name=work_office20 vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe1-home profile=\
    MyhomePPPoE user=xxxxx@xxxxx.xxx
/interface pptp-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe2-work profile=\
    MyworkPPPoE user=yyyyy@xxxxx.xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-home ranges=192.168.10.2-192.168.10.150
add name=pool-work ranges=192.168.20.2-192.168.20.150
/ip dhcp-server
add address-pool=pool-home disabled=no interface=home_users10
add address-pool=pool-work disabled=no interface=work_office20
/interface bridge port
# settings depend on the purpose of each port, i.e. which devices' traffic the port carries
# ether2 goes to a smart switch carrying both vlans
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether3 goes to a home device
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
/interface bridge vlan
# these entries depend on the bridge port settings above
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4 vlan-ids=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1-ISP list=WAN
add interface=pppoe1-home list=WAN
add interface=pppoe2-work list=WAN
/ip address
add address=192.168.10.1/24 interface=home_users10 network=192.168.10.0
add address=192.168.20.1/24 interface=work_office20 network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe1-home
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe2-work
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You will note that there is one important piece missing in the config and that is ip routes and it should be discussed separately.
You need two routes, they will be created by the config pppoe client setup in the config.
Not sure of their view but will call them generically.

router created pppoe1-home route
router created pppoe2-work route

Next create two identical copies and
add a “Routing Mark” entry of home-network for the pppoe1-home copy
add a “Routing Mark” entry of work-network for the pppoe2-work copy

Then you will need to create two route rules.
In the first one make the selections:
“interface” = home_users10
“Table” = home-network
“Action” lookup

In the second one,
“interface” = work_office20
“Table” = work-network
“Action” lookup

What this should do is tell the router to use the specified table based on which vlan is being utilized and thus routing.
If the table is unavailable, let’s say you had a different ISP, then the router would divert the traffic to any other available route in the main table.
In this case they are the same ISP, so it makes no difference.

The other option for “Action” is Lookup ONLY in TABLE. My understanding here is that if you do that and the table you created is unavailable (the ISP is offline), the router will NOT route the traffic at all (it will not then look for the next available route in the main table).

So in this case there is no difference between LOOKUP and LOOKUP ONLY IN, because it’s the same ISP.
If you do find that LOOKUP does not work then use LOOKUP ONLY IN, and this should only be the case where I have misunderstood how the router uses these special route rules.

@anav : coincidence or not? I see two times in a short time an example with 2 ppp interfaces : ppoe-out1 and pptp-out1 (your example, and the referenced text from Chupaka on “Routing failover without scripting”)

Let’s suppose that we have two uplinks: GW1, GW2. It can be addresses of ADSL modems (like 192.168.1.1 and 192.168.2.1), or addresses of PPP interfaces (like pppoe-out1 and pptp-out1).

Is there a reason that I don’t see right now to use pppoe and pptp , and not just 2 times pppoe-out (1&2) . Or is “pptp-client” just a typo ?

Thanks for the code anyway. Would not try this (yet) without the example :slight_smile: .

hi bpwl
No this was from scratch basically
I have no idea how pppoe works so I made some assumptions.
I am assuming each distributed public IP needs a client identification/assignment ??
I know that like a vlan ISP connection,
its separate and has to be included in the interface members list for example

Without the OP’s config, not much to work with :frowning:

I appreciate the help, but I am so lost, I understand just small fragments of your recommendations.
And I work with the WinBox UI, I am trying to translate/understand what the console commands do.
What Anav posted looks a bit like my config, I edited my initial post and included my current config at the end, maybe I can get tips on what looks wrong, or what I need to add.
I think this part could be wrong:

add bridge=bridge-2-for-vlan-business interface=ether3

And I probably need to edit the firewall rules ? I didn’t touch these since I tried this vlan thing.
I know you both mentioned firewall rules but I guess I am asking if that is the next step or anything else is very wrong.
In my config, ether3 is the one port I attempt to associate with vlan2, that is actually the single vlan that I created in attempt to separate from default network.
The ether3 has wifi AP and more computers attached.
And on ether2 there is another isp that should be ignored.

In short, your config is a total mess to me, but before you continue, two things:

  1. both pppoe-clients can’t be master at the same time, one must have a different “default route distance” (like main 10, other 20)
    (really the connection with the “lower” IP is selected as main)

  2. to my knowledge, there can’t be two pppoe-clients on the same interface, because they have the same MAC address and the remote pppoe-server can’t accept two usernames for the same MAC
    (MRRU is another question, have same username)

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-business user=CRPTM13592XXXX inherit from default: default-route-distance=1
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home user=TM18839XXXX inherit from default: default-route-distance=1

And if, at the end, for some reason both work, the next step is the routing…

you meant “connection with lower distance” ?
I was unsure on what “distance” does. I now set one to “1” and another to “2” under pppoe connection settings.


That part seems to work fine, I was surprised to see that it also works if one router has a pppoe connected to ISP and another computer connected to that router (so already connected to internet) can also make a separate PPPOE connection under the parent one.


These are now set to distance 1 and 2, above were you pointing my mistakes or is it a recommended setup ? Not sure what “inherit from default” is/does.

DID You read the reference for vlans??

post your config
/export hide-sensitive file=anynameyouwish

If you are uneasy about information presented, I believe the only thing to worry about is
the actual WANIP and gateway IP of your router connections.

With hide-sensitive there should be no username or wifi security information etc. as these are stripped.
Also just start on the first line of the config no need to see serial number of router etc…

you meant “connection with lower distance” ?
no, I mean what I have written: the connection with the “lower” IP is selected as main
for example 145.23.25.71 is selected against 205.48.75.61 because the first has the “lower” IP value

I was surprised to see that it also works if one router has a pppoe connected to ISP and another computer connected to that router (so already connected to internet) can also make a separate PPPOE connection under the parent one.<<<
ANOTHER, not the same interface, but is another pppoe or is pptp on PC?

recommended setup ?
I recommend 10 and 20 because you can also add 9,8,7,6… 12,13,14… without changing 10 and 20; you can’t add lower than 1 or between 1 and 2.
Better have space

Not sure what “inherit from default” is/does
It is the value used, if you do not change it, when you create a pppoe-client

I’ll try to understand … and eliminate what I can (there is no need for a VLAN, nor for a second bridge as there is only ether3 connected)

ether1-rds : ethernet connection to your ISP
pppoe-rds-home: your first account interface
pppoe-rds-work: your second account interface

ether3 : ethernet to your business environment
bridge-1 : with ether4,ether5,wlan1, wlan2 ports for your home environment.

OK not all details (it’s late here, over midnight)

  1. Interface lists
  • ether1, pppoe-rds-home, pppoe-rds-work should be members of the WAN interface list
  • bridge1 and ether3 should be members of the LAN interface list
    This is because WAN and LAN words are used in the firewall and other lines in the config. (If you insist on using a second bridge, bridge2 should be in the LAN interface list. Ports follow the bridge value not their own value) Actually bridge2 or ether3 (if no 2nd bridge) is missing in the interface lists membership. There are also some empty lines.
  2. IP firewall NAT
  • the out interfaces are pppoe-rds-home and pppoe-rds-work.
    Not the bridge as out interface, and the interface list WAN might work for the NAT of both interfaces, but you can specify the output interfaces separately in 2 rules.
  3. Policy routing

  4. Separate home and work.

  • using VLANs here does not make much sense to me, as the work and home traffic goes to different ethernet interfaces.
  • the router and firewall will connect (route and NAT) the ‘home LAN to the home pppoe interface’, and the ‘work LAN to the work pppoe interface’
  • however the router will route what it can , and if not blocked by the firewall the ‘work’ and ‘home’ LAN will have a working route to each other.
  • So the forwarding between LAN subnets (or interfaces) must be stopped in the firewall.
    (Even with a VLAN , the router would route to and from the defined VLAN if not denied to do so).
  • Rule with the IP address ranges or the interfaces. Something like : “chain=forward action=drop in-interface=ether3 out-interface=bridge-1-home” , and the reverse rule also, both high enough in the forward rules to be selected before the accept rule, that could allow the route between both LAN’s.

Is there a reason that I don’t see right now to use pppoe and pptp , and not just 2 times pppoe-out (1&2) . Or is “pptp-client” just a typo ?

Aaaarg, never used PPPoE on Mikrotik or 2 PPPoE to the same provider. I see the problem, and the workaround is not so easy: http://forum.mikrotik.com/t/multiple-concurrent-pppoe-over-single-ethernet/134030/1

HI bpwl concur if there is only one use per port!!
However the vlan structure allows one to add a smart Access point or smart switch at any time with ease.

If I was to do this with only four ports and two subnets and no vlans, in use as depicted it would look like.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP

/interface bridge
add  name=bridgehome
add  name=bridgework
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe1-home profile=\
    MyhomePPPoE user=xxxxx@xxxxx.xxx
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe2-work profile=\
    MyworkPPPoE user=yyyyy@xxxxx.xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-home ranges=192.168.10.2-192.168.10.150
add name=pool-work ranges=192.168.20.2-192.168.20.150
/ip dhcp-server
add address-pool=pool-home disabled=no interface=bridgehome
add address-pool=pool-work disabled=no interface=bridgework
/interface bridge port
# ether2 = pc 1 home, ether3 = pc 2 home, ether4 = pc 3 work, ether5 = pc 4 work
add bridge=bridgehome comment=defconf interface=ether2
add bridge=bridgehome comment=defconf interface=ether3
add bridge=bridgework comment=defconf interface=ether4
add bridge=bridgework comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=bridgehome list=LAN
add interface=bridgework list=LAN
add interface=ether1-ISP list=WAN
add interface=pppoe1-home list=WAN
add interface=pppoe2-work list=WAN
/ip address
add address=192.168.10.1/24 interface=bridgehome network=192.168.10.0
add address=192.168.20.1/24 interface=bridgework network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe1-home
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe2-work
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Uhm… what the hell… nice Idea to add virtual ethernet… instead to add a switch and plug ether1 for pppoe-out1 and ether2 for pppoe-out2
/interface vrrp
add interface=ether1 name=vrrp1 v3-protocol=ipv6 vrid=1
and add the second pppoe-client on vrrp1 instead of ether1

Just tested and is working!!!
Thanks to all, I find a solution after years…

Nice @anav.

/interface vrrp
add interface=vlan1 name=vrrp1 v3-protocol=ipv6 vrid=1
Just tested and it also works on vlan

VERY THANKS bpwl !!!

I have used VRRP since 2007 and I had not noticed that use until now…

THANKS!!!
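The WAN side this thread converges on, put together as an added example (not code posted by any participant): the VRRP interface from the posts above gives the second PPPoE client its own MAC, and the marked routes and route rules implement the per-LAN routing procedure described earlier in the thread. It assumes RouterOS v6 syntax and the interface names from the VLAN config posted earlier; the account names are placeholders, and the two rules for local subnets go beyond what was posted.

```routeros
# Added example, RouterOS v6 syntax. Names are taken from configs posted in
# this thread (ether1-ISP, vrrp1, pppoe1-home, pppoe2-work, home_users10,
# work_office20). HOME-ACCOUNT and WORK-ACCOUNT are placeholders.

# 1. Second layer-2 identity on the ISP port. The VRRP interface has its own
#    virtual MAC address, so the PPPoE server sees two different clients.
/interface vrrp
add interface=ether1-ISP name=vrrp1 v3-protocol=ipv6 vrid=1

# 2. One PPPoE client per MAC. Different distances (10 and 20, as recommended
#    above) keep the two default routes in the main table from being equal.
/interface pppoe-client
add name=pppoe1-home interface=ether1-ISP user=HOME-ACCOUNT \
    add-default-route=yes default-route-distance=10 disabled=no
add name=pppoe2-work interface=vrrp1 user=WORK-ACCOUNT \
    add-default-route=yes default-route-distance=20 disabled=no

# 3. One routing table per LAN, each holding only its own default route.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe1-home routing-mark=home-network
add dst-address=0.0.0.0/0 gateway=pppoe2-work routing-mark=work-network

# 4. Route rules, evaluated top to bottom. The first two keep LAN-to-LAN
#    destinations in the main table; without them that traffic matches the
#    default route of the per-LAN table and leaves through PPPoE.
#    Whether LAN-to-LAN traffic is then allowed is decided by the firewall
#    forward chain, not by these rules.
/ip route rule
add dst-address=192.168.10.0/24 action=lookup table=main
add dst-address=192.168.20.0/24 action=lookup table=main
add interface=home_users10 action=lookup table=home-network
add interface=work_office20 action=lookup table=work-network

# 5. Check the result: both clients running, one default route per table,
#    rules in the order above.
/interface pppoe-client print
/ip route print detail where dst-address=0.0.0.0/0
/ip route rule print
```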

Maybe I should have mentioned that the two groups of computers (home vs office) do get the right IPs from different subnets and both connect to internet, the only thing left was for each use separate pppoe.

Just to rule this out: ISP does allow both pppoe to connect on same cable, and I get the public IP in status of both pppoe connections.

@anav you said to post the config, I am not sure if you have seen the config I later added to my first post.

@bpwl I corrected the interface lists as you mentioned.

Now from what you said afterwards at 2,3,4 …
I thought vlans would help in a way that it would simplify things and simply by bridging each pppoe with its own vlan, I would have separate public IP on each.
But if I still need to create routing rules, then vlans are not needed. I think that is also what you said.

I actually did this before with multiple pppoe (no vlans) and used routing marks to associate with different computers, but I thought that is too complicated (silly me), that is why I turned to vlans.
I think vlans might have been the wrong approach and not worth the complications for me.
The image attached is how I did this without vlans, I don’t think vlans can make it simpler than that, no ?

@anav the code you attached above, is the same approach I was advised to setup here, no ?

To be frank I don’t understand the VRRP application; I would need to see diagrams and config to understand it, but it does seem cool…


Okay, I see now that the PPPoE Client settings page includes everything you need; it’s a combo page that is also like the dhcp client page.
So accept the defaults and ensure that default route is set to YES for both.

Please show me the route as per a jpeg from winbox
and also the as per config text for ip routes.

and the address block (but change the numbers so we don’t see the actual ones…)

What I suspect is that you will have two entries for address in IP address that look like this:
address=172.16.1.250 gateway=172.16.1.213 interface=pppoe-1out
address=172.16.1.249 gateway=172.16.1.213 interface=pppoe-2out

You will have two default routes that look like.
0.0.0.0/0 gateway=172.16.1.213 reachable pppoe-1out distance=1
0.0.0.0/0 gateway=172.16.1.213 reachable pppoe-2out distance=1

Please confirm this is the format shown, obviously the numbers will be different