TTL expired in transit when client with pub ip logs off

I can't seem to figure this out; my provider says it's on my end to fix.
They map several public IP ranges to me. Users authenticate via PPPoE to my MikroTik router, which gives them a public IP,
and everything works fine. Now, if a user logs off and the IP is no longer mapped on the MikroTik box, packets don't drop on its WAN interface; they bounce between
my gateway and the MikroTik PPPoE box until you get the message "TTL expired". Traceroute confirms it just goes .254 --> .253 --> .254 in a loop until the TTL expires.
How do I get the PPPoE box to just drop these packets rather than letting them loop around, so that if I pinged that offline IP I would get "request timed out"
instead of "TTL expired"?

\


Edited (redacted) router config below:


dec/03/2010 07:25:54 by RouterOS 3.19

software id = 5V15-PTT

# Physical ports. ether4 carries the public /29 towards the upstream gateway
# (see /ip address, comment=backbone); ether1-3 are the client-facing ports
# the PPPoE servers are bound to.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes
mac-address=00:0C:42:20:9C:3C mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes
mac-address=00:0C:42:20:9C:3D mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes
mac-address=00:0C:42:20:9C:3E mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes
mac-address=00:0C:42:20:9C:3F mtu=1500 name=ether4 speed=100Mbps
# Default IPsec proposal is left at 3DES / SHA1 / modp1024, all legacy
# algorithms. No IPsec peers or policies appear in this export, so the
# proposal presumably goes unused - confirm before relying on it.
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
# Public address pools handed to PPPoE clients, chained
# net-dynamic -> "dynamic 2" -> "net dynamic 3". Together they are the
# address space a disconnected client's traffic loops over; any blackhole
# route added for the loop described in the thread has to cover all three.
/ip pool
add name="net dynamic 3" ranges=x.x.2.1-x.x.2.125
add name="dynamic 2" next-pool="net dynamic 3" ranges=x.x.92.128/25
add name=net-dynamic next-pool="dynamic 2" ranges=x.x.92.60-x.x.92.127
/port
set 0 baud-rate=115200 data-bits=8 flow-control=hardware name=serial0 parity=
none stop-bits=1
# PPP profiles. net-default is the profile the three PPPoE servers use: it
# hands out addresses from net-dynamic, the two listed DNS servers, and
# local-address x.x.x.254 (the same address as the backbone /29 on ether4).
# Credential checking itself is delegated to RADIUS under /ppp aaa.
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default
remote-address=net-dynamic use-compression=default use-encryption=
default use-vj-compression=default
add change-tcp-mss=default comment="" dns-server=x.x.65.2,x.x.66.2
local-address=x.x.x.254 name=net-default only-one=no
remote-address=net-dynamic use-compression=no use-encryption=default
use-vj-compression=no

/queue type

/queue simple

# BGP and OSPF are at defaults (router-id 0.0.0.0, no redistribution) and no
# peers or neighbour interfaces appear in this export.
/routing bgp instance
set default as=1 client-to-client-reflection=yes comment="" disabled=no
ignore-as-path-len=no name=default out-filter="" redistribute-connected=
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no
redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name=backbone type=
default
# SNMP is disabled (enabled=no) and no community is defined.
/snmp
set contact="" enabled=no engine-boots=18 engine-id="" location=""
time-window=0 trap-sink=0.0.0.0 trap-version=1
/snmp community

/system logging action

# The lone quote below is a paste artefact; the /user group and /user
# sections were cut from the post, so the local account list is not visible.
/user group
"
/user

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/interface ethernet mirror
set
# L2TP, OVPN and PPTP servers are all enabled=no; only the PPPoE servers
# further down are live. The PAP option on L2TP, MD5 on OVPN and the
# blowfish cipher only matter if one of these is ever switched on.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
default enabled=no keepalive-timeout=60 mac-address=FE:1B:DD:6A:08:6C
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
# PPPoE concentrators on ether2, ether3 and ether1: CHAP only (no PAP),
# profile net-default, one-session-per-host=no, max-sessions=0. Sessions are
# authenticated against RADIUS (see /ppp aaa), so no secrets live on the box.
/interface pppoe-server server
add authentication=chap default-profile=net-default disabled=no interface=
ether2 keepalive-timeout=10 max-mru=1460 max-mtu=1460 max-sessions=0
mrru=disabled one-session-per-host=no service-name=net
add authentication=chap default-profile=net-default disabled=no interface=
ether3 keepalive-timeout=10 max-mru=1460 max-mtu=1460 max-sessions=0
mrru=disabled one-session-per-host=no service-name=net
add authentication=chap default-profile=net-default disabled=no interface=
ether1 keepalive-timeout=10 max-mru=1460 max-mtu=1460 max-sessions=0
mrru=disabled one-session-per-host=no service-name=net
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
# Traffic accounting is on but not exposed over the web interface
# (accessible-via-web=no), so the 0.0.0.0/0 address below is inert.
/ip accounting
set account-local-traffic=yes enabled=yes threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# Public /29 towards the ISP on ether4 (gateway x.x.x.253 is in this /29);
# private /16s on the client-facing ports.
# NOTE(review): the "roa" entry's address prefix (172.29.x.x) does not match
# its network/broadcast (172.27.0.0 / 172.27.255.255). Probably a redaction
# slip in the post, but worth checking against the live box.
/ip address
add address=x.x.x.254/29 broadcast=x.x.x.255 comment=backbone
disabled=no interface=ether4 network=x.x.x.248
add address=172.29.x.x/16 broadcast=172.29.255.255 comment=main disabled=
no interface=ether1 network=172.29.0.0
add address=172.28.x.x/16 broadcast=172.28.255.255 comment=spencer
disabled=no interface=ether3 network=172.28.0.0
add address=172.29.x.x/16 broadcast=172.27.255.255 comment=roa
disabled=no interface=ether2 network=172.27.0.0
/ip dhcp-server config
set store-leases-disk=5m
# The router's own resolver does not answer remote queries
# (allow-remote-requests=no), so it cannot act as an open resolver; PPPoE
# clients are pointed at the upstream DNS servers via the ppp profile.
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=512 primary-dns=x.x.66.2 secondary-dns=x.x.65.2

# Only the connection-tracking helper table is present, with every helper
# off. No /ip firewall filter (or nat) section appears anywhere in this
# export, so nothing restricts traffic addressed to the router itself; the
# per-service address= limits under /ip service are the only access control.
# An input-chain ruleset would protect the box without touching client
# traffic (the forward chain) - see the reply at the end of the thread.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
# Neighbour discovery is on for the client-facing ether2/ether3 and off for
# ether1/ether4. On client ports it advertises the router's identity and
# addresses to anyone attached there; discover=no is the safer setting
# unless it is actually needed.
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=no
# Two identical, disabled packing entries - harmless duplicates.
/ip packing
add aggregated-size=1500 disabled=yes packing=compress-all unpacking=
compress-all
add aggregated-size=1500 disabled=yes packing=compress-all unpacking=
compress-all

# The only static route is the default via x.x.x.253. While a PPPoE session
# is up the client's address is reachable through the session (presumably a
# /32 route the PPP stack adds). Once the client disconnects there is no
# more-specific route for that address, so traffic for it follows this
# default back to the ISP, which routes it straight back here - the
# .254 <-> .253 "TTL expired" loop described in the thread. A
# type=blackhole route per /ip pool range gives the box a more-specific
# match that discards the traffic instead.
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
x.x.x.253 scope=255 target-scope=10
# Management services: telnet, ftp, ssh, api and www-ssl are disabled.
# Plain-HTTP www on 8181 and winbox stay enabled, limited by address=
# (winbox source redacted in the post). With no input filter, these
# address= fields are the whole of the access control, and www credentials
# travel unencrypted because www-ssl is off.
# NOTE(review): the www allow address shares the x.x.92 prefix with the
# PPPoE pools; if it is a dynamically assigned pool address, whichever
# client holds it at the time gets web access - confirm it is a fixed host.
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=x.x.92.x/32 disabled=no port=8181
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=x.x.x.x/x disabled=no port=8291
# SOCKS proxy, traffic-flow export and UPnP are all enabled=no.
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=no
# IPv6 router-advertisement entry for interface=all. No IPv6 addresses appear
# in this export, so presumably nothing is advertised - confirm on the box.
/ipv6 nd
add advertise-dns=no advertise-mac-address=yes disabled=no hop-limit=
unspecified interface=all mtu=unspecified ra-delay=3s ra-interval=
3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=
unspecified
/ipv6 nd prefix default
set autoconfig=yes on-link=yes preferred-lifetime=1w valid-lifetime=4w2d
# MPLS/LDP is present but LDP is enabled=no.
/mpls
set dynamic-label-range=16-1048575
/mpls interface
add comment="" disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0
use-explicit-null=no
# PPPoE users are authenticated and accounted via RADIUS (use-radius=yes,
# interim updates every 5m); /ppp secret below is empty, so the credential
# store is entirely off-box.
/ppp aaa
set accounting=yes interim-update=5m use-radius=yes
/ppp secret

/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
# RADIUS server for service=ppp (address and shared secret redacted in the
# post); timeout 4s, no backup accounting.
/radius
add accounting-backup=no accounting-port=1813 address=xxxx
authentication-port=1812 called-id="" comment="" disabled=no domain=""
realm="x" secret=xxxx service=ppp timeout=4s
# Accepts unsolicited RADIUS requests (presumably disconnect/CoA) on UDP
# 1700. NOTE(review): with no input filter in this export, nothing at the
# firewall level limits which sources can reach this port; verify that
# RouterOS only honours requests from the configured /radius address and
# secret, and consider an input rule restricting 1700 to that server.
/radius incoming
set accept=yes port=1700
# MME/OSPF/RIP/RIPng instances are at defaults with no redistribution and no
# interfaces or neighbours visible in this export.
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m
gateway-selection=no-gateway origination-interval=5s preferred-gateway=
0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20
metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified
mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no
redistribute-connected=no redistribute-ospf=no redistribute-static=no
timeout-timer=3m update-timer=30s
/routing ripng
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no
redistribute-connected=no redistribute-ospf=no redistribute-static=no
timeout-timer=3m update-timer=30s
# Package stores (user-manager, web-proxy, dude) are defined on system/CF1
# disks; none of those services appears configured or enabled elsewhere in
# this export.
/store
add comment="" disabled=no disk=system name=user-manager1 type=user-manager
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
add comment="" disabled=no disk=CF1 name=dude1 type=dude
add comment="" disabled=no disk=CF1 name=user-manager2 type=user-manager
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=
"jan/01/1970 00:00:00" time-zone=+00:00
# The same "set [ find ] ... term=linux" line is repeated eight times; each
# applies to every console entry, so the repeats are harmless but one is enough.
/system console
add disabled=no port=serial0 term=vt102
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
set [ find ] disabled=no term=linux
/system health
set fan-mode=auto use-fan=main
/system identity
set name=net-PPPoE
# pppoe topics are sent to the "remote" logging action (the debug entry is
# present but disabled). This gives an off-box record of session and
# authentication events; the remote target itself is not shown in this
# export (/system logging action above is empty).
/system logging

add action=remote disabled=no prefix="" topics=pppoe
add action=remote disabled=yes prefix="" topics=debug
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=203.109.252.7 secondary-ntp=
202.78.240.38
# enable-jumper-reset=yes and enter-setup-on=any-key mean anyone with
# physical access to the board or serial console (the serial0 console above
# is enabled) can reset or enter setup; fine only if the box is physically
# secured.
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-only boot-protocol=bootp
enable-jumper-reset=yes enter-setup-on=any-key
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=no no-ping-delay=5m watch-address=
none watchdog-timer=yes
# Bandwidth test server is enabled=no (and would be unauthenticated if on).
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=no enabled=no max-sessions=10
/tool e-mail
set from=pppoe server=xxxxxx
/tool graphing
set store-every=5min
# allow-address=0.0.0.0/0 lets any source view the interface graphs, but
# only through the www service, which /ip service limits to a single
# address - so the effective exposure is that one host.
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
# MAC-ping responder is on; hosts on the same L2 segment can reach it
# regardless of IP configuration. The mac-server/mac-winbox interface
# lists are not shown in this export. Disable if not needed for management.
/tool mac-server ping
set enabled=yes
# Packet sniffer is configured with catch-all filters but no capture file
# (file-name="") and streaming-enabled=no.
/tool sniffer
set file-limit=1000 file-name="" filter-address1=0.0.0.0/0:0-65535
filter-address2=0.0.0.0/0:0-65535 filter-protocol=all-frames
filter-stream=no memory-limit=200000 only-headers=no streaming-enabled=no
streaming-server=0.0.0.0
# Router logins use local accounts only (use-radius=no); the /user section
# itself was cut from the post.
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

You have a routing loop: .253 thinks the IP is reachable via .254, and vice versa. Your ISP must have a route to the subnet via your router, and since your router — once the client is disconnected — no longer has a route to that IP (no /32 is assigned to a user any more), it uses the default route to send the packet back to the ISP. The ISP has a route back through you, and so on.

Add a null route for the larger subnet on your router, something like “/ip route add dst-address=1.1.1.0/24 type=blackhole”, covering every range in your /ip pool. That way the router has a specific route for the IP pool that is more specific than the default route and will discard the traffic. When a user signs in and gets assigned an address from the pool, an even more specific route to that /32 exists and takes precedence.

Legend — that worked a treat, thank you.
On a side note, looking at my config there's no firewall on the PPP box. Is there a way I can protect it a bit more
without filtering the PPP clients at all? Or do you think it's fine as is?

The ‘forward’ chain is for traffic passing through the router (the clients); the ‘input’ and ‘output’ chains are for traffic destined to or generated by the router itself. Write your ruleset for those two chains only and it won’t affect client traffic.