k6ccc
Member
Topic Author
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Help with PPPoE client setup

Thu Mar 14, 2019 7:15 am

OK, first a little background. I have a cable based internet and a DSL based internet. The cable is a single DHCP address and until today my DSL was eight static IP addresses that connect to three separate MT routers. Today, my DSL was changed to a single DHCP address with PPPoE (the change was forced on me). I have never dealt with PPPoE before and am having trouble making it work. My ISP provides this page to assist in setting up a PPPoE connection:
https://secure.dslextreme.com/support/ ... -ip-pppoe

I set up a new PPP interface in my router with the appropriate data entered and told it to use the interface of my DSL connection. Initially I could not get it to show "Running" at all, until I selected "Dial on demand". After that the interface shows running and the PPPoE shows a Dynamic IP address. I also set a DHCP client for the DSL connection and that also shows a Dynamic address. If I try to ping 8.8.8.8 from the router using the PPPoE interface, the pings fail, but if I use the DSL as the interface, the pings work. If I try to ping either the DSL address or the PPPoE address from the internet, the pings fail. My firewall rules should allow them.
I cannot get any traffic to route through the router via the DSL or PPPoE interfaces. However I don't expect that to work if I can't even get pings to work. Note that there are several of the VLANs that I have not configured, so I know they won't work (until today, they were in a different router). Once I am done, only one of the routers will be used.
I'm sure this is just something I don't understand about PPPoE. Below is a thinned out version of my config. I took out a whole bunch that should make no difference or redacted for security. Any ideas what I am missing???
# mar/13/2019 21:28:21 by RouterOS 6.43.2
#
# model = RouterBOARD 750G r3
/interface ethernet
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
    E1-p2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Main cable home LAN" name=E2-p4_101 \
    speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi" name=E3-p6_103 \
    speed=100Mbps
set [ find default-name=ether4 ] comment="802.1Q trunk" name=E4-p8_802.1Q \
    speed=100Mbps
set [ find default-name=ether5 ] comment="Router to Router tie" name=\
    "E5 to Router 2" speed=100Mbps
/interface vlan
add comment="Cable Public WiFi" interface=E4-p8_802.1Q name=VLAN_102 vlan-id=\
    102
add comment="Cactus/Red Cross" interface=E4-p8_802.1Q name=VLAN_104 vlan-id=\
    104
add comment="Scanner feed" interface=E4-p8_802.1Q name=VLAN_105 vlan-id=105
add comment="Wyze cameras" interface=E4-p8_802.1Q name=VLAN_106 vlan-id=106
add comment="DSL / Cable protected LAN" interface=E4-p8_802.1Q name=VLAN_151 \
    vlan-id=151
add comment="DSL internet" interface=E4-p8_802.1Q name=VLAN_200 vlan-id=200
add comment="DSL Public WiFi" interface=E4-p8_802.1Q name=VLAN_202 vlan-id=\
    202
add comment="DSL Private WiFi" interface=E4-p8_802.1Q name=VLAN_203 vlan-id=\
    203
add comment="HarpUSA DMR" interface=E4-p8_802.1Q name=VLAN_209 vlan-id=209
/interface pppoe-client
add add-default-route=yes comment="DSL internet PPPoE link" dial-on-demand=\
    yes disabled=no interface=VLAN_200 name="DSL PPPoE" password=<redacted> \
    use-peer-dns=yes user=<redacted>
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=disabled
set 1 default-vlan-id=0 vlan-mode=disabled
set 2 default-vlan-id=0 vlan-mode=disabled
set 3 default-vlan-id=0 vlan-mode=disabled
set 4 default-vlan-id=0 vlan-mode=disabled
set 5 default-vlan-id=0 vlan-mode=disabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=".101 DHCP pool" ranges=192.168.101.100-192.168.101.119
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.109
add name=".106 DHCP pool" ranges=192.168.106.100-192.168.106.109
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.109
add name=".151 DHCP pool" ranges=192.168.151.100-192.168.151.119
add name=".209 DHCP pool" ranges=192.168.209.100-192.168.209.119
add name=".202 DHCP pool" ranges=192.168.202.100-192.168.202.119
add name=".203 DHCP pool" ranges=192.168.203.100-192.168.203.119
/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E2-p4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E3-p6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".151 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_151 lease-time=3h name=".151 DHCP server"
add address-pool=".209 DHCP pool" disabled=no interface=VLAN_209 lease-time=\
    3h name=".209 DHCP server"
add address-pool=".202 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_202 lease-time=3h name=".202 DHCP server"
add address-pool=".203 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_203 lease-time=3h name=".203 DHCP server"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=E2-p4_101 list=mactel
add interface=E2-p4_101 list=mac-winbox
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes address=192.168.101.0/26
/ip address
add address=192.168.101.251/24 interface=E2-p4_101 network=192.168.101.0
add address=192.168.102.251/24 interface=VLAN_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E3-p6_103 network=192.168.103.0
add address=192.168.211.251/24 interface="E5 to Router 2" network=\
    192.168.211.0
add address=192.168.104.251/24 interface=VLAN_104 network=192.168.104.0
add address=192.168.105.251/24 interface=VLAN_105 network=192.168.105.0
add address=192.168.106.251/24 interface=VLAN_106 network=192.168.106.0
add address=192.168.151.251/24 interface=VLAN_151 network=192.168.151.0
add address=192.168.204.250/24 interface=VLAN_104 network=192.168.204.0
add address=192.168.209.251/24 interface=VLAN_209 network=192.168.209.0
add address=192.168.202.251/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.251/24 interface=VLAN_203 network=192.168.203.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    E1-p2_Cable_Internet
add dhcp-options=hostname,clientid disabled=no interface=VLAN_200
/ip dhcp-server lease
  <deleted as it should not relate>
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,42.2.0.2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
  <redacted>
/ip firewall filter
add action=jump chain=input comment=\
    "Jump to Attack chain to prevent Port scan and DoS attacks" in-interface=\
    E1-p2_Cable_Internet jump-target=Attack
add action=jump chain=input comment=\
    "Jump to Attack chain to prevent Port scan and DoS attacks" in-interface=\
    VLAN_200 jump-target=Attack
add action=jump chain=input comment=\
    "Jump to ICMP chain to prevent being ping flooded." in-interface=\
    E1-p2_Cable_Internet jump-target=ICMP protocol=icmp
add action=jump chain=input comment=\
    "Jump to ICMP chain to prevent being ping flooded." in-interface=VLAN_200 \
    jump-target=ICMP protocol=icmp
add action=accept chain=input comment=\
    "Allow PING on all non-internet interfaces." protocol=icmp
add action=drop chain=input comment=\
    "Drop TCP DNS packets from cable internet" dst-port=53 in-interface=\
    E1-p2_Cable_Internet protocol=tcp
add action=drop chain=input comment=\
    "Drop UPD DNS packets from cable internet" dst-port=53 in-interface=\
    E1-p2_Cable_Internet protocol=udp
add action=drop chain=input comment="Drop TCP DNS packets from DSL internet" \
    dst-port=53 in-interface=VLAN_200 protocol=tcp
add action=drop chain=input comment="Drop UPD DNS packets from DSL internet" \
    dst-port=53 in-interface=VLAN_200 protocol=udp
add action=accept chain=input comment=\
    "Allow WinBox access to router from IPs on the Priviledged list" \
    connection-state=established,related,new dst-port=7591 in-interface=\
    !E1-p2_Cable_Internet protocol=tcp src-address-list=Priviledged
add action=accept chain=input comment=\
    "Allow established and related connections to router" connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop any other input packets that get this far" log-prefix=\
    "Dropped connection"
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Accept all that is Source NATed" \
    connection-nat-state=srcnat connection-state=new
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Allow outbound SMTP traffic from Jupiter to DSL internet" dst-port=25 \
    in-interface=E2-p4_101 out-interface=VLAN_200 protocol=tcp src-address=\
    192.168.101.11
add action=accept chain=forward comment=\
    "Allow outbound traffic from .101 to Cable internet" in-interface=\
    E2-p4_101 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .102 to Cable internet" in-interface=\
    VLAN_102 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .103 to Cable internet" in-interface=\
    E3-p6_103 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .104 to Cable internet" in-interface=\
    VLAN_104 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .105 to Cable internet" in-interface=\
    VLAN_105 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .106 to Cable internet" in-interface=\
    VLAN_106 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .202 to DSL internet" in-interface=VLAN_202 \
    out-interface=VLAN_200
add action=accept chain=forward comment=\
    "Allow outbound traffic from .202 to DSL internet" in-interface=VLAN_203 \
    out-interface=VLAN_200
add action=accept chain=forward comment=\
    "Allow outbound traffic from .209 to DSL internet" in-interface=VLAN_209 \
    out-interface=VLAN_200
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"
add action=drop chain=Attack comment=\
    "Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
    "Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=Attack comment=\
    "Detect and drop TCP port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment=\
    "Detect and drop UDP port scan connections" protocol=udp psd=21,3s,3,1
add action=return chain=Attack comment=\
    "Prevent safe IPs from getting tarpitted." src-address-list=Safe
add action=tarpit chain=Attack comment="Suppress DoS attackby tarpitting" \
    connection-limit=3,32 protocol=tcp src-address-list=Black_list
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Attack comment="Detect DoS attack" \
    connection-limit=10,32 log=yes log-prefix="Black list" protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
add action=accept chain=ICMP comment=\
    "Accept ICMP type 0:0 (Echo reply) and limit to 5 packets / sec" \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:3 (Destination host u\
    nreachable) and limit to 5 packets / sec" icmp-options=3:3 limit=5,5 \
    protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:4 (Fragmentation requ\
    ired) and limit to 5 packets / sec" icmp-options=3:4 limit=5,5 protocol=\
    icmp
add action=accept chain=ICMP comment=\
    "Accept ICMP type 8:0 (Echo request) and limit to 5 packets / sec" \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "Accept ICMP type 11:0 (Time exceeded) and limit to 5 packets / sec" \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop all other ICMP packets" protocol=\
    icmp
add action=return chain=ICMP comment="Return from ICMP chain"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Set SMTP connection mark for outbound SMTP from Jupiter." \
    connection-mark=no-mark dst-port=25 new-connection-mark=SMTP passthrough=\
    yes protocol=tcp src-address=192.168.101.11
add action=mark-routing chain=prerouting comment=\
    "Set SMTP routing mark for packets with SMTP connection mark." \
    connection-mark=SMTP new-routing-mark=SMTP passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment=\
    "Set SMTP routing mark for outbound reply SMTP from Jupiter." disabled=\
    yes new-routing-mark=SMTP passthrough=yes protocol=tcp src-address=\
    192.168.101.11 src-port=25
add action=mark-connection chain=prerouting comment=\
    "Set DSL connection mark for inbound packets from DSL." connection-mark=\
    no-mark in-interface=VLAN_200 new-connection-mark=DSL passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Set DSL routing mark for packets with DSL connection mark." \
    connection-mark=DSL new-routing-mark=DSL passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Set DSL connection mark for outbound packets from VLAN 209 to DSL." \
    in-interface=VLAN_209 new-connection-mark=DSL passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Set DSL routing mark for packets with DSL connection mark." \
    connection-mark=DSL new-routing-mark=DSL passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for cable" \
    out-interface=E1-p2_Cable_Internet
add action=masquerade chain=srcnat comment="Masquerade for DSL" \
    out-interface=VLAN_200
add action=masquerade chain=srcnat comment="Harpin NAT for HTTP on Jupiter" \
    dst-address=192.168.101.11 dst-port=80 out-interface=E2-p4_101 protocol=\
    tcp src-address=192.168.101.0/24
add action=masquerade chain=srcnat comment=\
    "Harpin NAT to Port 587 on Jupiter" dst-address=192.168.101.11 dst-port=\
    587 out-interface=E2-p4_101 protocol=tcp src-address=192.168.101.0/24
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \
    dst-address-type=local dst-port=80 protocol=tcp to-addresses=\
    192.168.101.11 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "E-Mail SMTP to SmarterMail on Jupiter from cable." dst-address-type=\
    local dst-port=25 in-interface=E1-p2_Cable_Internet protocol=tcp \
    to-addresses=192.168.101.11
add action=dst-nat chain=dstnat comment=\
    "E-Mail SMTP to SmarterMail on Jupiter from DSL." dst-address-type=local \
    dst-port=25 in-interface=VLAN_200 protocol=tcp to-addresses=\
    192.168.101.11
add action=dst-nat chain=dstnat comment=\
    "E-Mail submission to SmarterMail on Jupiter." dst-address-type=local \
    dst-port=587 protocol=tcp to-addresses=192.168.101.11
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=66.51.204.1 pref-src=66.51.204.115 routing-mark=DSL
add distance=1 dst-address=66.51.204.0/24 gateway=VLAN_200 routing-mark=DSL
add distance=1 gateway=66.51.204.1 pref-src=66.51.204.115 routing-mark=SMTP
add distance=1 dst-address=66.51.204.0/24 gateway=VLAN_200 routing-mark=SMTP
add distance=1 dst-address=192.168.101.8/29 gateway=E2-p4_101 routing-mark=\
    SMTP
add distance=1 dst-address=192.168.0.96/28 gateway=192.168.211.250
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.211.250
add comment="Default Mikrotik address range" distance=1 dst-address=\
    192.168.88.0/24 gateway=192.168.211.250
add distance=1 dst-address=192.168.131.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.201.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.202.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.203.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.204.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.205.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.209.0/24 gateway=192.168.211.252
/ip service
<redacted>
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="RB750Gr3 #1"
/system leds
add interface=VLAN_200 leds="" type=interface-activity
/system ntp client
<redacted>
/system resource irq rps
set E1-p2_Cable_Internet disabled=no
set E2-p4_101 disabled=no
set E3-p6_103 disabled=no
set E4-p8_802.1Q disabled=no
set "E5 to Router 2" disabled=no
/system routerboard settings
set silent-boot=no
/system scheduler
<redacted>
/system script
<redacted>
/tool e-mail
<redacted>
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
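
An added example, not part of the original post or of any reply: a Python check that reads a RouterOS export and lists the firewall, NAT and mangle rules that match on the interface carrying a PPPoE client instead of on the PPPoE interface itself. RouterOS hands the IP packets of a PPPoE session to the firewall on the pppoe-client interface, so a rule that names only the carrier interface does not match them. The export below is a constructed excerpt modelled on the config above, and the function names are hypothetical.

```python
import re
import shlex

# Constructed excerpt modelled on the export in the post above (not the full config).
SAMPLE_EXPORT = r'''
/interface pppoe-client
add add-default-route=yes comment="DSL internet PPPoE link" dial-on-demand=\
    yes disabled=no interface=VLAN_200 name="DSL PPPoE" user=example
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=VLAN_200
/ip firewall filter
add action=jump chain=input in-interface=VLAN_200 jump-target=Attack
add action=accept chain=forward in-interface=VLAN_202 out-interface=VLAN_200
add action=accept chain=forward in-interface=E2-p4_101 out-interface=\
    E1-p2_Cable_Internet
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for DSL" \
    out-interface=VLAN_200
'''


def parse_export(text):
    """Return [(menu_path, {key: value})] for every add/set line of an export."""
    # Exports wrap long lines with a trailing backslash and an indented
    # continuation, sometimes in the middle of a value; join them first.
    text = re.sub(r"\\\n[ \t]*", "", text)
    menu, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # menu path, e.g. /ip firewall nat
            menu = line
            continue
        tokens = shlex.split(line)          # honours quoted values with spaces
        if tokens[0] not in ("add", "set"):
            continue                        # placeholders such as <redacted>
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, props))
    return entries


def carrier_interface_findings(text):
    """List firewall entries that match on a PPPoE client's carrier interface."""
    entries = parse_export(text)
    # carrier interface -> name of the pppoe-client interface running over it
    carriers = {p["interface"]: p.get("name", "?") for m, p in entries
                if m == "/interface pppoe-client" and "interface" in p}
    findings = []
    for menu, p in entries:
        if not (menu or "").startswith("/ip firewall"):
            continue
        for key in ("in-interface", "out-interface"):
            iface = p.get(key, "").lstrip("!")   # "!" negates the match
            if iface in carriers:
                findings.append((menu, key, iface, carriers[iface]))
    return findings


if __name__ == "__main__":
    for menu, key, iface, ppp in carrier_interface_findings(SAMPLE_EXPORT):
        print(f'{menu}: {key}={iface} does not match traffic on "{ppp}"')
```
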
 
mkx
Forum Guru
Posts: 2912
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help with PPPoE client setup

Thu Mar 14, 2019 8:27 pm

Assuming you have everything configured correctly on your managed switch, hooked to eth4 (DSL modem connected to access port for VLAN VID=200) it should work. And it shouldn't be necessary to have dial-on-demand=yes ...

One test to be done with this regard: even if DSL modem is set to bridge mode it's likely to have IP address set to its ethernet bridge (LAN ports). Try to assign IP address in same subnet to VLAN_200 interface on your router and check for ping response ...

Another thing: what type is the device tagging traffic from DSL modem? RBD52G (hAP ac2) having VLANs configured in hardware (IPQ4000 SoC) misbehaves in this particular case due to bug in hardware ...
BR,
Metod
 
k6ccc
Member
Topic Author
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Help with PPPoE client setup

Thu Mar 14, 2019 11:32 pm

> Assuming you have everything configured correctly on your managed switch, hooked to eth4 (DSL modem connected to access port for VLAN VID=200) it should work. And it shouldn't be necessary to have dial-on-demand=yes ...

Yes, it is. Every VLAN shows up on that trunk port except 100 (the cable internet), 101 (normal house LAN via cable), & 103 (private WiFi via cable). Let me explain my network in a little more detail. Both my DSL and Cable internet modems are in my family room. They both plug into separate ports on different VLANs of a CSS326. There is a 1G Ethernet trunk from the Family Room CSS326 to my Garage data cabinet where there is another CSS326. Until the DSL change yesterday, Router 2 took five IPs from the DSL to drive various LANs, Router 1 used two DSL IPs primarily for remote access and monitoring. Primarily Router 1 used the cable internet to drive various LANs. With the DSL change, Router 2 is functionally unused with all ports turned off except a router to router tie so I can still access it to compare settings for functions that are being moved to Router 1. Once I'm all migrated, both the DSL and Cable internet connections, and all the LANs will be fed from Router 1.

And I agree, it did not make any sense that I needed to turn on Dial-on-demand.

> One test to be done with this regard: even if DSL modem is set to bridge mode it's likely to have IP address set to its ethernet bridge (LAN ports). Try to assign IP address in same subnet to VLAN_200 interface on your router and check for ping response ...

I will play with that tonight. Thanks
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
