 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Nov 23, 2012 10:13 am

Hi all,

I've recently purchased a Mikrotik RB2011UAS-2HnD-in to replace the ZTE H220N provided by my ISP.
The ZTE has almost no configurable options since the ISP has completely locked it down.
I have some Cisco/Foundry networking experience, but configuring this Mikrotik is proving a bit difficult.

I want to sign up for an MTCNA course next year, but I wouldn't want to wait until then to install my new router here at home.
I think it's pretty simple for an experienced Mikrotik user to set up this configuration. So could anyone help?

The situation is as follows: I have a Genexis fiber uplink which contains two vlans (4 and 6).
vlan 4 is for television, vlan 6 is for internet. Also there is another vlan for voip but I don't use that.
My ISP requires PPPoE via vlan 6 to authenticate and set up the internet connection.

Currently I've got the television working:
I've created an ether1.vlan4 interface to get the vlan4 packets untagged
I've created a vlan4 bridge and connected ether1.vlan4 and ether2
and plugged in the tv receiver units on ether2.
So far so good!

But now the more difficult part, how to set up internet? I've been messing around with it for the last couple of days and I came up with the following, which doesn't work:

I've created an ether1.vlan6 interface to get the vlan6 packets untagged.
I've created a pppoe interface with the settings from my ISP and connected it to ether1.vlan6
The pppoe interface tries to connect but gets disconnected all the time, so something is wrong here.

Can anybody help?
Router: Mikrotik RB2011UAS-2HnD-in
Speedtest.net: 93.22Mb/s download | 72.11Mb/s upload | 4ms ping
 
fxx
newbie
Posts: 33
Joined: Tue Nov 20, 2012 11:54 am
Location: Prague - Czech Republic

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Nov 23, 2012 1:02 pm

If you create the vlan interface, the packet is always tagged. The switch "Use service tag" means something different: http://wiki.mikrotik.com/wiki/Manual:In ... LAN#Q-in-Q
Untagged are only packets on the physical interfaces.
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sat Nov 24, 2012 12:31 am

Today I've gotten a lot further with some "outside" help.. :D (tnx Peter!)

I'll post what I did to make it work so that others (beginners) like me can benefit from this knowledge.
This applies to Dutch fiber connections like KPN, Xs4all etc..

First create two vlan interfaces on ether1-gateway (or whatever interface you've connected the Genexis Fiber NTU on):
 #    NAME   MTU  ARP      VLAN-ID INTERFACE
 0 R  vlan4  1500 enabled  4       ether1-gateway
 1 R  vlan6  1500 enabled  6       ether1-gateway
In my setup I decided to keep bridge-local for "untagged" vlan6 (internet) traffic. And I've created a new bridge for vlan4 (TV) traffic.
 0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=enabled mac-address=XX:XX:XX:XX:XX:XX protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=XX:XX:XX:XX:XX:XX max-message-age=20s
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

 1  R name="bridge-vlan4" mtu=1500 l2mtu=1594 arp=enabled mac-address=XX:XX:XX:XX:XX:XX protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
      forward-delay=15s transmit-hold-count=6 ageing-time=5m
Then add the ports to the bridges.. Since I use bridge-local for "internet" traffic, I only need to add ports to bridge-vlan4 for TV.
 5    ether2   bridge-vlan4   0x80   10   none
 6    vlan4    bridge-vlan4   0x80   10   none
5: interface on which the TV receivers are connected.
6: interface for vlan4 on ether1-gateway

Then you need to create a pppoe interface on the vlan6 interface to authenticate with the ISP.
Retrieve the settings from your ISP supplied modem, the following example is for KPN fiber:
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no \
    interface=<vlan6 interface> max-mru=1480 max-mtu=1480 mrru=disabled name=<interface name> password=kpn profile=default service-name="" use-peer-dns=no user=<username>
KPN username is the mac-addr of the modem in following format: XX-XX-XX-XX-XX-XX@direct-adsl
password is "kpn" or anything else, but cannot be empty.
Also make sure that the time of the device is accurately set, and that ether1-gateway has the same mac-address as the ISP supplied modem.

The pppoe client will start after creating, and it will fail. (connecting, disconnected, connecting, disconnected).. Let this go for a while and suddenly it will be connected. Strange behavior, but my "outside help" told me that this is normal behavior.

After the connection is established add the masquerade rule:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=<your pppoe interface from above> src-address=192.168.0.0/16 to-addresses=0.0.0.0
Then you should be able to access the internet and start configuring the rest of the unit.
The filter settings are the most important since the mikrotik is currently accessible from the internet.

This is an example of my first (basic) filter set.
 0   chain=input action=drop protocol=icmp in-interface=pppoe-kpn 
 1   chain=input action=accept src-address=192.168.0.0/16 in-interface=bridge-local 
 2   chain=forward action=accept protocol=tcp dst-address=192.186.xx.xx in-interface=pppoe-kpn dst-port=22 
 3   chain=input action=accept connection-state=established 
 4   chain=input action=accept connection-state=related 
 5   chain=input action=drop in-interface=sfp1-gateway 
 6   chain=input action=drop in-interface=ether1-gateway 
 7   chain=input action=drop in-interface=pppoe-kpn 
0: drop icmp (ping)
1: allow input to the mikrotik from local subnet
2: forward ssh from "outside" to a local (openVZ) system.
3: accept established (default rule)
4: accept related (default rule)
5: drop input on sfp1-gateway (default rule)
6: drop input on ether1-gateway (default rule)
7: drop input on pppoe-kpn

Also configure things like DNS and DHCP:
[admin@MikroTik] /ip dns> print
                servers: 8.8.8.8,8.8.4.4
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 4096
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 54KiB
[admin@MikroTik] /ip dhcp-server> network print
 # ADDRESS             GATEWAY          DNS-SERVER       WINS-SERVER     DOMAIN
 0 192.168.xx.xx/xx    192.168.xx.xx    192.168.xx.xx                    lan.example.com example.com
And that's about it to get "KPN glasvezel" running properly so you can (bin/trash/destroy/mutilate/return to ISP/put on shelf) the ZTE H220N "KPN Experiabox" router. :-)

Again: I'm also only a beginner, and this is what I've learned today and I like to share my newly found knowledge. But note: there could be errors in this configuration! I hope (Dutch) readers of this post will find this helpful in setting up their own Mikrotik as a replacement for their locked down ISP router.

Personally I'm thinking of following an MTCNA course next year.. I'm really starting to like Mikrotik stuff :) Too bad there are no training facilities here in the Netherlands, but that's also a good reason to make a nice trip abroad!
 
pdegeus
just joined
Posts: 3
Joined: Thu Nov 22, 2012 6:52 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sat Nov 24, 2012 4:38 pm

Hi inSaNo,

I've exactly the same problem, you wouldn't happen to be a KPN Glasvezel user, hm? :)
Today was wasted by trying to solve my problem. Did you manage to get it up in the meantime?

Thanks,
Pepijn
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sun Nov 25, 2012 2:29 pm

Yes, KPN Glasvezel indeed, my earlier post with all the information one needs to configure it was just approved by the moderators. :D
 
pdegeus
just joined
Posts: 3
Joined: Thu Nov 22, 2012 6:52 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Mon Nov 26, 2012 11:06 am

I noticed your post was already in moderation when I wrote mine, oh well.
Thanks for the info, but unfortunately I can't get it to work: the PPPoE interface keeps trying to connect even after an hour.
Can you post a dump of your configuration so I can spot any differences? You can do this by logging in using SSH and typing "export compact".
Don't forget to strip out any passwords. Would be very helpful!
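
One way to do the password stripping mentioned above before sharing an "export compact" dump, as an added example that is not part of the original post. The key-name heuristic, the placeholder strings and the sample export are constructed for illustration; it also masks MAC addresses (the KPN username contains one) and public IPv4 addresses.

```python
import ipaddress
import re

# Heuristic (assumption): any property whose name contains one of these
# words holds a credential, e.g. password=, secret=, wpa2-pre-shared-key=.
SENSITIVE_KEY = re.compile(r"password|secret|passphrase|key", re.I)
# key=value pairs; a value is either a quoted string or a run of non-spaces.
PAIR = re.compile(r'(?P<key>[\w-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
MAC = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _mask_pair(match):
    """Replace the value of a credential-like property."""
    if SENSITIVE_KEY.search(match.group("key")):
        return f'{match.group("key")}=<redacted>'
    return match.group(0)


def _mask_ip(match):
    """Mask globally routable addresses, keep private and special ranges."""
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)  # not a valid address, leave untouched
    return "<public-ip>" if addr.is_global else match.group(0)


def redact_export(text):
    """Return a copy of a RouterOS export that is safer to post publicly."""
    # Exports wrap long commands with a trailing backslash; join them first
    # so a property split over two lines is still seen as one pair.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    out = []
    for line in joined.splitlines():
        line = PAIR.sub(_mask_pair, line)
        line = MAC.sub("<mac>", line)
        line = IPV4.sub(_mask_ip, line)
        out.append(line)
    return "\n".join(out)


# Constructed sample in the style of the configuration posted in this thread.
SAMPLE_EXPORT = r"""/interface ethernet
set [ find default-name=ether1 ] mac-address=00:11:22:33:44:55 name=ether1-gateway
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 name=pppoe-kpn \
    password=kpn user=00-11-22-33-44-55@direct-adsl
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-kpn src-address=192.168.0.0/16
"""

if __name__ == "__main__":
    print(redact_export(SAMPLE_EXPORT))
```

Credentials placed inside a comment="..." value are not caught by this pass, so read the result once before posting.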
 
pdegeus
just joined
Posts: 3
Joined: Thu Nov 22, 2012 6:52 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Wed Nov 28, 2012 1:57 pm

In the meantime (while not seeing my last reply yet) my problem was fixed.
I played around with the connection, bridging the traffic to the Experiabox modem so I could sniff it and found out the PPPoE connected fine when using a 100Mbps ethernet port on the second internal switch. Don't ask me why, but without any other differences using this port works fine. Thanks for the help!
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Thu Nov 29, 2012 9:44 am

Hmm that's odd.. I have mine connected on ether1 but it's set at 100Mbit.
Also did you set the time correctly? In my configuration that was the deal breaker for me..
pppoe didn't connect at first, but when I set the time and date correctly it was fixed.

Good that it's running now, but it shouldn't be a problem on ether1.
But the second internal switch is also fine.. The WAN speed doesn't exceed 96Mbit anyway.
 
BuffPuff
just joined
Posts: 2
Joined: Tue Dec 18, 2012 10:47 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Tue Dec 18, 2012 11:37 am

Hi,

First, thanks for the post. I have an XS4all fiber to the home and I like the Routerboards much more than the supplied Fritzbox 7390.

Originally I had an RB751U-2HnD, over which I tried your above config. I created only vlan 6 because I use only the internet connection without the TV (vlan 4), and I attached the vlan 6 to the gateway eth1. I then created a pppoe and associated it with the vlan 6 interface.

After hooking up the 751 to the fiber, I saw the pppoe trying to dial and disconnecting constantly. I also saw that it's useless for the pppoe to try to connect since there was no RX traffic on the gateway eth1. Therefore xs4all doesn't respond to the RB vlan 6 for some reason. I did see TX traffic on eth1, so the interface is enabled. FW rules completely open to input, output and forward (for now), mac address of eth1=mac of Fritzbox. This does not resolve over time with waiting, RX traffic from the Genexis fiber box just doesn't arrive at all.

In my attempts to get the vlan to be recognized I also did some specific switch related command regarding the eth port:
interface ethernet switch vlan add switch=switch1 ports=ether1-gateway vlan-id=6
Which gives an error "this command isnt supported" in the RB751.

I decided to try an RB2011, same model as you used, configured it the same way I did the RB751 with vlan6 interface on eth1, open FW, and xs4all pppoe. The result was the same, no RX from the fiber on eth1 and constant reconnect attempts from the pppoe. I also tried separating the eth1 with dialer and vlan to a separate bridge interface from the lan, but still no RX on eth1.

In the case of the RB2011, I was allowed to use the switch vlan command which isn't invoked when creating the interface vlan, but it doesn't change the RX issue:

[admin@KoolThing] > interface ethernet switch vlan add switch=switch1 ports=ether1-gateway vlan-id=6
[admin@KoolThing] > interface ethernet switch vlan print
Flags: X - disabled, I - invalid
# SWITCH VLAN-ID PORTS
0 switch1 6 ether1-gateway
[admin@KoolThing] > interface ethernet switch


The Fritz connects straight away, I have a neighbor (Ams east) with a BSD box connected to an xs4all fiber, it's just the RB that we can't get to connect using vlans.
On a KPN fiber in Ams west a friend of mine placed a managed LAN switch between the RB and the Genexis which handled the vlan tagging, it solved the issue, but the RB should do vlans without an extra LAN switch.

I wonder is this a bug or a feature? ;-)
I tried with the latest stable 5.22 and the 6 RC4. Below are some screenshots that show the 0 RX.

If anyone else encountered and solved this, please post info.
eth1.png
VLAN6.png
eth1-traffic.png
 
gj67
just joined
Posts: 3
Joined: Fri Mar 01, 2013 11:12 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sat Mar 02, 2013 12:01 am

Hi,

I have the same setup as you (xs4all fiber with a 7390 fritz). Trying to replace it with a RB2011LS-IN but having issues with PPPoE as well.
As far as I can track, it has to do with the way the vlan (6) is handled. I have setup a virtual machine with ESX and the same routeros version with ESX handling the vlan id on the vswitch and this works fine with the same PPPoE config.
I'll do some further testing tomorrow to see if I can get this fixed but I hoped you would have fixed it in the meantime.

Cheers,
GJ.
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sat Apr 06, 2013 4:13 pm

I'll try to clarify my setup.. I haven't been messing around with switch configuration.

1) connect the genexis fiber-to-ether thing to ether1 on the mikrotik.

2) create two VLANs on ether1:
/interface vlan add arp=enabled disabled=no interface=ether1-gateway l2mtu=1594 mtu=1500 name=vlan4 use-service-tag=no vlan-id=4
/interface vlan add arp=enabled disabled=no interface=ether1-gateway l2mtu=1594 mtu=1500 name=vlan6 use-service-tag=no vlan-id=6
3) create the pppoe-client, make sure the interface is vlan6 (one you just created), and change the mac-addr to your old device (eg: experiabox, fritzbox)
/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=vlan6 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-kpn password=kpn profile=default service-name="" use-peer-dns=no user=XX-XX-XX-XX-XX-XX@direct-adsl
4) it can take a while for pppoe to connect properly.. let it try for 10 minutes or so.. then it should be up.

5) your routing table should look something like this:
 #      DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
 0 ADS  0.0.0.0/0                          195.xx.xx.xx   1
 1 ADC  192.168.88.0/24    192.168.88.1    bridge-local   0
 2 ADC  195.xx.xx.xx/32    80.xx.xx.xx     pppoe-kpn      0
6) add masquerade rule:
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=pppoe-kpn src-address=192.168.0.0/16 to-addresses=0.0.0.0
7) check if your firewall looks something like this:
/ip firewall filter
add action=accept chain=input disabled=no in-interface=bridge-local src-address=192.168.0.0/16
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=forward disabled=no
add action=drop chain=input disabled=no in-interface=sfp1-gateway
add action=drop chain=input disabled=no in-interface=ether1-gateway
add action=drop chain=input disabled=no in-interface=pppoe-kpn
8) your internet connectivity should be set.. try a ping to the outside world:
[admin@MikroTik] > ping 8.8.4.4
HOST                                     SIZE TTL TIME  STATUS
8.8.4.4                                    56  50 9ms
8.8.4.4                                    56  50 11ms
    sent=2 received=2 packet-loss=0% min-rtt=9ms avg-rtt=10ms max-rtt=11ms
9) just add the ether ports for your local lan to bridge-local, and hookup the rest of your network.

Next you want TV to work. remember the vlan4 you created earlier?

10) create a bridge with a connection to that vlan4 interface:
/interface bridge add name=bridge-vlan4
/interface bridge port add bridge=bridge-vlan4 interface=vlan4
That's it! Just add an ether interface to this bridge (make sure that interface isn't connected on bridge-local anymore)..
11) hookup tv receiver and watch tv.
Router: Mikrotik RB2011UAS-2HnD-in
Speedtest.net: 93.22Mb/s download | 72.11Mb/s upload | 4ms ping
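
A first-match walk over the filter rules listed in step 7 above, as an added example that is not part of the original post: it parses the export lines and reports which rule decides a few probe packets, including the case where no rule matches and RouterOS accepts the packet. The probe packets, the 203.0.113.10 documentation address and the helper names are assumptions for illustration; only plain, non-negated matchers of the kind used in that rule list are supported.

```python
import ipaddress
import shlex

# Constructed input: the filter rules from step 7 of the post, in export form.
RULES = """\
/ip firewall filter
add action=accept chain=input disabled=no in-interface=bridge-local src-address=192.168.0.0/16
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=forward disabled=no
add action=drop chain=input disabled=no in-interface=sfp1-gateway
add action=drop chain=input disabled=no in-interface=ether1-gateway
add action=drop chain=input disabled=no in-interface=pppoe-kpn
"""

PROPS = {"action", "chain", "disabled", "comment"}
# Only the matchers this example understands; anything else is rejected
# rather than silently ignored.
MATCHERS = {"in-interface", "src-address", "dst-address",
            "connection-state", "protocol", "dst-port"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, skipping disabled rules."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("add "):
            continue
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        unknown = set(rule) - PROPS - MATCHERS
        if unknown or any(v.startswith("!") for v in rule.values()):
            raise ValueError(f"unsupported rule: {line}")
        if rule.get("disabled", "no") != "yes":
            rules.append(rule)
    return rules


def _matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    for key in MATCHERS & rule.keys():
        want, have = rule[key], pkt.get(key)
        if have is None:
            return False
        if key.endswith("-address"):
            net = ipaddress.ip_network(want, strict=False)
            if ipaddress.ip_address(have) not in net:
                return False
        elif want != have:
            return False
    return True


def verdict(rules, pkt):
    """Return (action, rule index) of the first matching rule in the chain."""
    for idx, rule in enumerate(rules):
        if rule["chain"] == pkt["chain"] and _matches(rule, pkt):
            return rule["action"], idx
    return "accept", None  # RouterOS accepts packets that no rule matches


def unconditional_accepts(rules, chain):
    """Indexes of accept rules in a chain that carry no matcher at all."""
    return [i for i, r in enumerate(rules)
            if r["chain"] == chain and r["action"] == "accept"
            and not (MATCHERS & r.keys())]


# Constructed probe packets.
WAN_NEW = {"chain": "input", "in-interface": "pppoe-kpn", "protocol": "tcp",
           "src-address": "203.0.113.10", "connection-state": "new",
           "dst-port": "22"}
WAN_REPLY = dict(WAN_NEW, **{"connection-state": "established"})
LAN_ODD_SRC = {"chain": "input", "in-interface": "bridge-local",
               "src-address": "10.0.0.5", "connection-state": "new"}
WAN_FORWARD = dict(WAN_NEW, chain="forward", **{"dst-address": "192.168.88.10"})

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for name in ("WAN_NEW", "WAN_REPLY", "LAN_ODD_SRC", "WAN_FORWARD"):
        print(name, verdict(parsed, globals()[name]))
    print("unconditional forward accepts:", unconditional_accepts(parsed, "forward"))
```

A verdict with rule index None means the packet fell through the whole chain, which is worth checking for before relying on the final drop rules.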
 
gj67
just joined
Posts: 3
Joined: Fri Mar 01, 2013 11:12 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sun Apr 07, 2013 1:31 am

Hi,

This might work fine for KPN but either does not work for Xs4all or does not work when you only have internet (without iptv). Either way, I have tested this numerous times and when you use an untagged vlan6 connection, it works within 1 minute, with a tagged connection and MT handling the vlan conversion, it simply does not work.
I still have an open support call with MT and will do some network captures to further troubleshoot what's going on (no pppoe traffic being returned).
Btw, I did another test with a Ubiquiti edgerouter lite and this worked fine (exact same setup with the edgerouter handling the vlan conversion).
 
mvdijck
just joined
Posts: 21
Joined: Sun Sep 22, 2013 12:34 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Sun Oct 06, 2013 6:30 pm

inSaNo wrote:
> KPN username is the mac-addr of the modem in following format: XX-XX-XX-XX-XX-XX@direct-adsl
> password is "kpn" or anything else, but cannot be empty.
> Also make sure that the time of the device is accurately set, and that ether1-gateway has the same mac-address as the ISP supplied modem.

I'm trying to solve the pppoe problem too, but how do you set the mac of the ether1-gateway to the mac of the modem?
This is the only difference in my setup and I cannot get it to work.

thx
martijn
 
gj67
just joined
Posts: 3
Joined: Fri Mar 01, 2013 11:12 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Mon Oct 07, 2013 10:11 am

mvdijck wrote:
> inSaNo wrote:
> > KPN username is the mac-addr of the modem in following format: XX-XX-XX-XX-XX-XX@direct-adsl
> > password is "kpn" or anything else, but cannot be empty.
> > Also make sure that the time of the device is accurately set, and that ether1-gateway has the same mac-address as the ISP supplied modem.
>
> I'm trying to solve the pppoe problem too, but how do you set the mac of the ether1-gateway to the mac of the modem?
> This is the only difference in my setup and I cannot get it to work.
>
> thx
> martijn

I would seriously doubt this would fix your problem (but feel free to prove me wrong :) ) As already stated, I have hooked up several other devices, did not modify any mac address at all and they all worked fine (except for the Mikrotik).
I'm convinced this is a bug in the PPPoE implementation when using a vlan.
 
TGIF
just joined
Posts: 2
Joined: Thu Sep 26, 2013 3:44 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Oct 11, 2013 9:16 pm

This topic is from a while ago, but it's relevant to me: I got my xs4all connection delivered today and I'm running into this issue. Any updates?
 
Pebu
just joined
Posts: 4
Joined: Sat Nov 10, 2012 5:05 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Oct 11, 2013 10:00 pm

Tip: don't clone your mac address. It's not needed for the setup to work, and it will for sure disturb your network if the ISP modem is also still somewhere in the network for some reason. This is because you will have the same mac twice in your network, and that should never happen in any network.

I would be interested in seeing a full config dump, the debug logs or a packet sniffer file from a pppoe handshake, that actually tells us what is going on beyond the 'it doesn't work' observation. :)

Also, don't forget to go to http://netwerkje.com/eigen-router that holds all the settings and examples for KPN Glasvezel, which in some way XS4ALL resells. It works for KPN, if it doesn't work for XS4ALL debug logs and a sniffer file will provide a better understanding why not. I'm interested to find out.
 
mvdijck
just joined
Posts: 21
Joined: Sun Sep 22, 2013 12:34 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Oct 11, 2013 10:26 pm

Pebu wrote:
> Tip: don't clone your mac address. It's not needed for the setup to work, and it will for sure disturb your network if the ISP modem is also still somewhere in the network for some reason. This is because you will have the same mac twice in your network, and that should never happen in any network.
>
> I would be interested in seeing a full config dump, the debug logs or a packet sniffer file from a pppoe handshake, that actually tells us what is going on beyond the 'it doesn't work' observation. :)
>
> Also, don't forget to go to http://netwerkje.com/eigen-router that holds all the settings and examples for KPN Glasvezel, which in some way XS4ALL resells. It works for KPN, if it doesn't work for XS4ALL debug logs and a sniffer file will provide a better understanding why not. I'm interested to find out.

Next week I will give it a try again.
I used the manual on http://netwerkje.com/eigen-router but maybe I forgot something in the config.
With a managed switch connected the IPTV and VoIP worked on the experiabox.
thnx
 
TGIF
just joined
Posts: 2
Joined: Thu Sep 26, 2013 3:44 pm

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Mon Feb 10, 2014 12:55 am

Any updates? I tried to configure according to netwerkje.com but no solution. (sfp1 was not available as a device) I tried with no configuration (reset router, connect on MAC address to port 2). And I tried with an existing configuration and changed that to the settings suggested on netwerkje.com. No solution.
 
msatter
Forum Guru
Forum Guru
Posts: 1393
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Fri Feb 21, 2014 3:16 pm

TGIF wrote:
> Any updates? I tried to configure according to netwerkje.com but no solution. (sfp1 was not available as a device) I tried with no configuration (reset router, connect on MAC address to port 2). And I tried with an existing configuration and changed that to the settings suggested on netwerkje.com. No solution.

You could look at the bottom of this page about Jumbo frames if that will solve your problem with Xs4all fiber. The router they use for fiber are MX960 and they are supporting RFC4638.

http://wiki.aa.org.uk/index.php/RouterO ... mbo_frames

I am holding off at the moment on buying a MikroTik router because of the problem with Xs4all fiber and I don't want to use the an-other-vlan-switch-in-between solution to have it all working NTU<-->vlan switch<-->MikroTik.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.47.beta.x / Winbox 3.21 / MikroTik APP 1.3.11
Android device owners, use https://github.com/M66B/NetGuard/releases (no root required)
 
artem87
just joined
Posts: 1
Joined: Thu Aug 28, 2014 9:54 am

Re: Beginner needs help on: Mikrotik RB2011UAS-2HnD-in

Thu Aug 28, 2014 10:25 am

inSaNo,

thanks a lot for your tutorial :D
