Telekom ONT + hAP ac lite: PPPoE problems?

Hi there, I'm new to MikroTik and am currently trying to set up a hAP ac lite as a home router/AP. The connection is directly to the fiber modem (by Deutsche Telekom) in my apartment. I've tried to piece together information from several guides online, but likely missed something. The current symptom is that the PPPoE connection seems to be established successfully, however "ping 8.8.8.8" (from the router terminal) times out every time. Currently on my second day of headbanging, and would very much appreciate any tips/suggestions.

The configuration looks like this:
[admin@MikroTik] > /export compact hide-sensitive
# jan/02/1970 00:40:49 by RouterOS 6.44.1
# software id = 3GNC-QS21
#
# model = RB952Ui-5ac2nD
# serial number = B87F0A975FED

/interface bridge
add admin-mac=74:4D:28:9A:6A:80 auto-mac=no comment=defconf mtu=1500 name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto l2mtu=1598 mode=ap-bridge ssid=MikroTik-9A6A85 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-9A6A84 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan7 use-service-tag=yes vlan-id=7
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan7 max-mtu=1492 name=pppoe-out1 user=XXXXXXXXXXXXYYYYYYYYYYYYZZZZ@t-online.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-out1
/system logging
add topics=debug
add topics=debug
add topics=info,pppoe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And here are the firewall entries:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

4 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

5 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

6 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN


[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=pppoe-out1 ipsec-policy=out,none

Hey, I am not an expert, but have managed to configure a CCR as router with a Fritz!Box as DSL modem/bridge and PPPoE. Could you please check that you have a default route pointing at the PPPoE interface? What does "ip route print" show? I have an entry like this:

 1 A S  0.0.0.0/0  pppoe-out1   1

Then in my case the VLAN and PPPoE client lines look like this:


/interface vlan
add comment="Telekom VLAN-Tag" interface=combo1-gateway name=vlan-ppp vlan-id=7

and

/interface pppoe-client
add disabled=no interface=vlan-ppp max-mru=1492 max-mtu=1492 name=pppoe-out1 password=XXX use-peer-dns=yes user=XXX

I did not use “add-default-route=yes” because I have two gateways and policy based routing, but there should be a default route to 0.0.0.0 through the ppp-interface. And I think you need both user and password entries under pppoe-client but they are arbitrary.

You don’t need this line:

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

And the IP-address should be on the bridge, imo:

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

In addition to what @petertosh wrote:

  • add pppoe-out1 interface to WAN interface list
/interface list member add interface=pppoe-out1 list=WAN

This makes the firewall (if not changed from default) effective with the advent of a different WAN interface.

  • revert NAT rule to the original
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade

It works just fine with interface list WAN membership kept current …
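
Added example, not part of any post in this thread: a short Python check that reads `/export` text and reports when a PPPoE client interface is missing from the WAN interface list or when a firewall drop rule is disabled, since the default rules quoted above match on `in-interface-list` and not on the PPPoE interface itself. The embedded export is constructed from lines posted in the thread; the function names are hypothetical, and it assumes export lines are not wrapped with a trailing backslash.

```python
import shlex

# Constructed sample: the relevant lines of the export posted in this thread.
EXPORT = """\
/interface vlan
add interface=ether1 name=vlan7 use-service-tag=yes vlan-id=7
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan7 max-mtu=1492 name=pppoe-out1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line                      # e.g. "/interface list member"
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            words = shlex.split(line)[1:]    # shlex keeps quoted comments whole
            menus.setdefault(path, []).append(
                dict(w.split("=", 1) for w in words if "=" in w))
    return menus

def audit(text):
    """List findings about firewall coverage of the PPPoE uplink."""
    m = parse_export(text)
    wan = {i["interface"] for i in m.get("/interface list member", [])
           if i.get("list") == "WAN"}
    # The defconf rules only see traffic on interfaces that are WAN members.
    findings = [f"{c.get('name')} is not in interface list WAN"
                for c in m.get("/interface pppoe-client", [])
                if c.get("name") not in wan]
    for r in m.get("/ip firewall filter", []):
        if r.get("action") == "drop" and r.get("disabled") == "yes":
            findings.append(f"drop rule disabled: {r.get('comment', '?')}")
    return findings

if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```
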