Using RB5009 in bridge mode

Hello,

I was recently given an RB5009 as my current Ubiquiti device blows with PPPoE and fiber, and is dropping a considerable amount of performance. I was told to put the RB5009 in bridge mode and let it create the PPPoE connection, and then put the other router behind it in DHCP mode to let it get the IP and avoid double NAT shenanigans. I can successfully use the RB5009 in router mode and get a connection and get full 2,5G down, but once in bridge mode it will not forward the IP to the second router in DHCP mode. Been reading the docs and some other places on the internet that “supposedly”, mikrotik bridge mode is not a classic bridge mode, which to me sounds sus. What’s the correct way to get this work?

Again, setup is ONT → Rb50009 (bridge mode, handle PPPoE) → second router in DHCP (avoid double NAT) → clients/lan/rest of network

PPPoE can’t really be in bridge mode because bridge is L2 and PPPoE is L3. IP address is “integral part” of L3 interface, it can’t be “forwarded” elsewhere.

What usually “put in bridge mode” means is that that device is L2-transparrent … passing either DHCP handshake or PPOoE frames left and right. Any (dumb) ethernet switch does this perfectly.

The reason for popularity of “bridge mode” on ISP devices is that those often work with “weird” L1 technology on WAN side (e.g. xDSL, DOCSIS, GPON, etc.) which many “off the shelf” home routers can’t. So when put in bridge mode, those ISP devices act only as (large and expensive) media converters between “weird” L1 technology and UTP (where both sides transport normal ethernet frames as L2 protocol). ONT is a bit more than simple media converter, usually it also does authentication (I’m talking about simple ONT devices, some are ONT/router combo).

So I wonder what makes connection of “second router” directly to ONT impossible/impractical?

If you read the post you would have noticed I said the performance is awful and there is loss.

I was told to put another device in front of this router since it can’t handle the performance over PPPoE or to deal with it, I was given this RB5009 and told it could be bridged to handle the WAN and give it back to the second router behind it in DHCP mode and it would acquire the WAN. Even Ubuiqiti support told me to put the router in DHCP and put another router in front of it to be the main PPPoE interface.

If you’re telling me that’s not possible then I will gladly give this device back since I’m not ready to ditch my entire Unifi system just yet, I was testing a potential stop gap.

What you need to figure out or tell us, is what is the internet signal coming from?
Does the ISP provide a modem or ONT, from which an ethernet cable is used to connection to the RB5009?

If so, then the RB5009 can do everything you need and you should throw the second router into the garbage, (or use it as a back up )

why this second router?

To answer everyone’s question, because I’ve had a dream machine pro for the last 4-5 years and now that I upgraded from gigabit to 2,5, the pppoe performance is awful leaving a gigabit on the table in loss (~40%). Before I gave up on Ubiquiti completely, I got hold of an Rb5009 and was told I could put it in bridge, setup pppoe and with the dream machine pro in DHCP mode it would acquire the IP from the mikrotik and avoid the performance issues. I have a large unifi environment, including LTE failover, and at the moment I can’t replace everything and budget this upgrade/switch until the summer, so I was trying to guinea pig this setup into holding me over until I make a decision.

You only need ISP/ONT ↔ (PPPoE) Rb50009 ↔ LAN (unless the ‘second router’ has a magical feature set you can’t live without). The Rb50009 will manage both PPP and DHCP.

I think TheWeegee is asking for a way to offload only the pppoe stuff to the RB5009 and than pass through the public ip by dhcp to the UDM. The UDM should stay because his whole network is build around Unifi.

I think this should be possible with two VRF instances and two mangle rules.

Not teste btw.

/ip vrf
add interfaces=pppoe-out1 name=vrf-wan
add interfaces=ether2 name=vrf-lan
/ip address
add address=100.64.1.1/24 interface=ether2 network=100.64.1.0
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!100.64.1.1 in-interface=ether2 log=yes log-prefix=LAN new-routing-mark=vrf-wan passthrough=no
add action=mark-routing chain=prerouting in-interface=pppoe-out1 new-routing-mark=vrf-lan passthrough=no
/ip dhcp-server
add add-arp=yes interface=ether2 name=server-lan
/ip dhcp-server lease
add address=<public ip> mac-address=<mac of UDM> server=server-lan

This is the closest I’ve managed to get it to work, PPPoE is up but once I do this ping timeouts all the time saying no route to host, and while it says my public ISP IP is bound to my UDM and “working”, the DHCP for server-lan is red and I have no traffic activity in interfaces for the SFP port which I’m using instead of ether2. What you described makes sense, I guess I’ve been accustomed to easy-mode with GUIs for far too long.

Maybe you should share the config with

export hide-sensitive

Also i missed something in the last post. You need to also add a route to your public ip in the “vrf-lan” instance.
add dst-address= gateway=ether2@vrf-lan routing-table=vrf-lan

This should work. 100.64.0.24 is the public ip in this example.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ont
set [ find default-name=ether2 ] name=ether2-udmp
set [ find default-name=ether3 ] name=ether3-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ont name=pppoe-out1 user=user1
/ip dhcp-server
add add-arp=yes interface=ether2-udmp lease-time=5m name=server-lan
/ip vrf
add interfaces=pppoe-out1 name=vrf-wan
add interfaces=ether2-udmp name=vrf-lan
/ip address
add address=100.64.1.1 interface=ether2-udmp network=100.64.1.1
/ip dhcp-client
add interface=ether3-lan
/ip dhcp-server lease
add address=100.64.0.24 mac-address=0C:48:07:B6:00:00 server=server-lan
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!100.64.1.1 in-interface=ether2-udmp log-prefix=LAN new-routing-mark=vrf-wan passthrough=yes
add action=mark-routing chain=prerouting in-interface=pppoe-out1 new-routing-mark=vrf-lan passthrough=yes
/ip route
add dst-address=100.64.0.24 gateway=ether2-udmp@vrf-lan routing-table=vrf-lan
/system identity
set name=PPPoE-Client

A red marked dhcp server usually means that the dhcp server interface is on a slave port, e.g. form a bridge, or the port is disabled.

A problem that could also occur is, if you have a dynamic IPv4 address via pppoe because the the dhcp lease will not automatically change. But this could be easily solved with scripting.

I had a play with this and it works, with a bit of fiddling. Cool

Note on mine I also added the following (The dhcp client I am using is windows 10 though)

/ip dhcp-server network
add address=STATIC_PPPOE_IP/32 comment=“for pppoe passthru” dns-server=
DNS_SERVER_IP gateway=100.64.1.1

I thought about some scripting for dynamic IP, and discovered (again) there is no on-Up Script functionality in the pppoe client

But there is. You just have to go to PPP → Profiles, and make a new one (or a copy of default). In the profile you can put your On Up/On Down scripts. Next step is to edit the pppoe-out interface to use the new profie.

Note on mine I also added the following (The dhcp client I am using is windows 10 though)

/ip dhcp-server network
add address=STATIC_PPPOE_IP/32 comment=“for pppoe passthru” dns-server=
DNS_SERVER_IP gateway=100.64.1.1

Yeah for a Windows 10 client this shoud be fine but for a router i would specify a public dns resolver manuell on the pass through device. Cascading dns resolvers with there own cache is a bad idea in my opinion.

I think this should do the trick. passMACAddress can be empty. Then the first device asking for an ip will get the public ip. Change to the /ip/dhcp/network, for example to the dns server, are persistent.

UP Script

:local passInterface "ether2-udmp";
:local passMACAddress "0C:48:07:B6:00:00";

### Internal varaibles

:local ip $"local-address";
:local passVRFName [ /ip/vrf/get [ find interfaces=$passInterface ] name ];
:local dhcpServerName [ /ip/dhcp-server/get [ find interface=$passInterface ] name ];
:local ipPoolName "pass-through-ip";
:local gatewayVRF ($passInterface . "@" . $passVRFName);
:local gatewayAddressCidr [ /ip/address/get [ ( [ find interface=ether2-udmp]->0 ) ] address ];
:local gatewayAddress [ :pick $gatewayAddressCidr 0 [ :find $gatewayAddressCidr "/" ] ];
:local dhcpServerPool [ /ip/dhcp-server/get [ find interface=$passInterface ] address-pool ];
:local commentIdentifier "pppoe pass through script";

### Code

/ip/dhcp-server/lease/remove [ find server=$dhcpServerName ];
/log/info message="Removing old dhcp leases from server $dhcpServerName";

:if ( [ :len $passMACAddress ] = 0 ) do={

    :if ( $dhcpServerPool = "static-only" ) do={
    
        /ip/pool/add name=$ipPoolName ranges=$ip;
        /ip/dhcp-server/set [ find interface=$passInterface ] address-pool=$ipPoolName;
    } else={
        /ip/pool/set [ find name=$dhcpServerPool ] ranges=$ip;
    }
    
    /log/info message="Updated dhcp range to $ip";
    
} else={
    /ip/dhcp-server/lease/add server=$dhcpServerName mac-address=$passMACAddress address=$ip;
    /ip/dhcp-server/set [ find interface=$passInterface ] address-pool="static-only";
    /ip/pool/remove [ find name=$ipPoolName ];
    /log/info message="Added dhcp lease for pass through device ($passMACAddress)";
}

:local dhcpNetworks [ /ip/dhcp-server/network/find comment=$commentIdentifier ];

:if ( [ :len $dhcpNetworks ] > 0) do={
    
    :local first [ :toid ($dhcpNetworks->0)];
    /ip/dhcp-server/network/remove [ find comment!=$commentIdentifier address="$ip/32" ];
    /ip/dhcp-server/network/set $first address="$ip/32" comment=$commentIdentifier gateway=$gatewayAddress netmask=32
} else={
    /ip/dhcp-server/network/add comment=$commentIdentifier address="$ip/32" gateway=$gatewayAddress netmask=32;
}

/ip/dhcp-server/network/remove [ find comment=$commentIdentifier address!="$ip/32" ];

/ip/route/remove [ find routing-table=$passVRFName static=yes ];
/ip/route/add dst-address=$ip gateway=$gatewayVRF routing-table=$passVRFName;

/ip/dhcp-server/enable [ find interface=$passInterface disabled=yes ];

Down Script

:local passInterface "ether2-udmp";

## Code

/ip/dhcp-server/disable [ find interface=$passInterface disabled=no ]

That works thanks. Ironically this proved either the UDM itself is a hunk of junk or mine being a first day one is a hunk of junk as htop paints a grim picture with CPU usage even in DHCP mode. I will admit I did not give this the time and energy it deserved and could have figure that out myself, my head has been full steam ahead in dealing with a non IT related issue so I did not give this setup much love over the last few weeks.

Yay, Thank you

@TheWeegee

can i get the full concept please.

Have the pppoe & the pub ip-address (100.64.1.0) been provided from the same ISP?

Concur, dont understand what is being done here?
There is only one termination point for a public IP, is it the RB5009 or the UG etc…

I’m not totally sure what is done here either.

add address=100.64.1.1 interface=ether2-udmp network=100.64.1.1
Is that the local address of the interface?

Then what does the udmp gets in this case?

What makes sense to me is the following
RB5009 terminates the PPPOE connection
RB5009 creates private subnet to send to UDM ( and thus we have WAN2 for UDM )
RB5009 via vlan100 marks the fiber traffic and simply passes it to the USG for termination aka WAN1 for the UDM

What is unknown to me, is

• what can this second router handle as incoming.
• how many ethernet cables are located between the two routers.

Clearly it would be easier to be able to use different ports on both devices for this transfer (clean).
5009
ether1 - pppoe termination
ether2 - capture fiber output (riding on vlan100 lets say)
ether3 - pass private subnet to USG ( WAN2 for UDM)
ether4 - pass vlan100 to UDM
ether5 - LAN (source pppoe connection)
ether6 - etc…

UDM
ether1 - incoming vlan100 for termination of fiber output
ether2 - incoming WAN 2 private IP from 5009
ether3 - LAN
ether4 - LAN

I am not sure of why we need to complicate matters and use vrf or mangles for that matter if the OP is happy with having two WANs available to UDM and the one pppoe wan available to the 5009 ( and by private IP also WAN2 to the uDM).

Here is the config that I am using for this I have changed the MAC address and IP addresses but otherwise it’s a working example

/interface ethernet
set [ find default-name=ether1 ] comment="LAN MGMT"
set [ find default-name=ether2 ] comment="FTTP ONT" mtu=1508
set [ find default-name=ether3 ] comment="Fortigate WAN1"
/ip dhcp-server
add add-arp=yes interface=ether3 lease-time=5m name=server-wan
/ip vrf
add interfaces=ether3 name=vrf-wan
/ppp profile
add name=pppoe on-down=":local passInterface \"ether3\";\r\
    \n\r\
    \n## Code\r\
    \n\r\
    \n/ip/dhcp-server/disable [ find interface=\$passInterface disabled=no ]" on-up=":local passInterface \"ether3\";\r\
    \n:local passMACAddress \"94:ff:3c:xx:xx:xx\";\r\
    \n\r\
    \n### Internal varaibles\r\
    \n\r\
    \n:local ip \$\"local-address\";\r\
    \n:local passVRFName [ /ip/vrf/get [ find interfaces=\$passInterface ] name ];\r\
    \n:local dhcpServerName [ /ip/dhcp-server/get [ find interface=\$passInterface ] name ];\r\
    \n:local ipPoolName \"pass-through-ip\";\r\
    \n:local gatewayVRF (\$passInterface . \"@\" . \$passVRFName);\r\
    \n:local gatewayAddressCidr [ /ip/address/get [ ( [ find interface=\$passInterface]->0 ) ] address ];\r\
    \n:local gatewayAddress [ :pick \$gatewayAddressCidr 0 [ :find \$gatewayAddressCidr \"/\" ] ];\r\
    \n:local dhcpServerPool [ /ip/dhcp-server/get [ find interface=\$passInterface ] address-pool ];\r\
    \n:local commentIdentifier \"pppoe pass through script\";\r\
    \n\r\
    \n### Code\r\
    \n\r\
    \n/ip/dhcp-server/lease/remove [ find server=\$dhcpServerName ];\r\
    \n/log/info message=\"Removing old dhcp leases from server \$dhcpServerName\";\r\
    \n\r\
    \n:if ( [ :len \$passMACAddress ] = 0 ) do={\r\
    \n\r\
    \n    :if ( \$dhcpServerPool = \"static-only\" ) do={\r\
    \n    \r\
    \n        /ip/pool/add name=\$ipPoolName ranges=\$ip;\r\
    \n        /ip/dhcp-server/set [ find interface=\$passInterface ] address-pool=\$ipPoolName;\r\
    \n    } else={\r\
    \n        /ip/pool/set [ find name=\$dhcpServerPool ] ranges=\$ip;\r\
    \n    }\r\
    \n    \r\
    \n    /log/info message=\"Updated dhcp range to \$ip\";\r\
    \n    \r\
    \n} else={\r\
    \n    /ip/dhcp-server/lease/add server=\$dhcpServerName mac-address=\$passMACAddress address=\$ip;\r\
    \n    /ip/dhcp-server/set [ find interface=\$passInterface ] address-pool=\"static-only\";\r\
    \n    /ip/pool/remove [ find name=\$ipPoolName ];\r\
    \n    /log/info message=\"Added dhcp lease for pass through device (\$passMACAddress)\";\r\
    \n}\r\
    \n\r\
    \n:local dhcpNetworks [ /ip/dhcp-server/network/find comment=\$commentIdentifier ];\r\
    \n\r\
    \n:if ( [ :len \$dhcpNetworks ] > 0) do={\r\
    \n    \r\
    \n    :local first [ :toid (\$dhcpNetworks->0)];\r\
    \n    /ip/dhcp-server/network/remove [ find comment!=\$commentIdentifier address=\"\$ip/32\" ];\r\
    \n    /ip/dhcp-server/network/set \$first address=\"\$ip/32\" comment=\$commentIdentifier gateway=\$gatewayAddress netmask=32;\r\
    \n} else={\r\
    \n    /ip/dhcp-server/network/add comment=\$commentIdentifier address=\"\$ip/32\" gateway=\$gatewayAddress netmask=32 dns-server=8.8.8.8;\r\
    \n}\r\
    \n\r\
    \n/ip/dhcp-server/network/remove [ find comment=\$commentIdentifier address!=\"\$ip/32\" ];\r\
    \n\r\
    \n/ip/route/remove [ find routing-table=\$passVRFName static=yes ];\r\
    \n/ip/route/add dst-address=\$ip gateway=\$gatewayVRF routing-table=\$passVRFName;\r\
    \n\r\
    \n/ip/dhcp-server/enable [ find interface=\$passInterface disabled=yes ];"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 max-mru=1500 max-mtu=1500 name=pppoe-vodafone profile=pppoe user=pppoeuser
/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=100.64.1.1 interface=ether3 network=100.64.1.1
/ip dns
set servers=192.168.0.1
/ip vrf
add interfaces=ether2,pppoe-vodafone name=vrf-ont
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!100.64.1.1 in-interface=ether3 log-prefix=WAN new-routing-mark=vrf-ont
add action=mark-routing chain=prerouting in-interface=pppoe-vodafone log-prefix=PPPOE new-routing-mark=vrf-wan
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
/system identity
set name=PPPoE_Client