Community discussions

MikroTik App
 
joegoldman
Forum Veteran
Forum Veteran
Topic Author
Posts: 766
Joined: Mon May 27, 2013 2:05 am

PPPoE over Q-in-Q tunnel

Tue Sep 03, 2013 2:31 am

Hi Forum,

Looking for some config examples on doing the following:


- I get a Q-in-Q (lets say for example VLANID 400 on ether1)
- In this trunk, for each new customer they are assigned a new VLAN within that Q-in-Q tunnel (lets say 5 customers, 10,20,30,40,50)
- I want all these customers to 'auth' via PPPoE server

OK so, I could create VLAN interface on ether1 with VLANID400 and use service tag enabled. This creates the Q-in-Q.
I could also manually create each vlan interface under that for each customer, so 5 seperate interfaces.
Then I could also set up a PPPoE Server listening on each of those VLAN interfaces. Which then would create a dynamic interface under that for the pppoe when user successfully auths.

This would be OK if we were only talking 10-15 users but this could scale to many thousands, and I'd like to use VRRP and other scripting to have failover for this between 2 RouterOS based routers.
Doing it this way seems it would be an absolute NIGHTMARE for config maintenance/management, and even the possible performance overheads.

I'm looking for examples of ways to have a single PPP service listen on perhaps the Q-in-Q tunnel and attach itself to every inner VLAN and successfully terminate the customers? Or some other dynamic way of managing such a set-up?

All help appreciated, and I'll be sure to try wiki my outcomes (if not already around)

Thanks,
Joe
 
hedele
Member
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: PPPoE over Q-in-Q tunnel

Tue Sep 03, 2013 2:53 pm

Well I might at least have an idea how you could terminate all customers on only one pppoe server...

Create a bridge where your pppoe server will listen on, and add a bridge filter rule for that bridge, chain=forward, action=drop.
Now add every customer vlan interface to this bridge.

What this does, is enable your pppoe server to talk to every client (because that traffic is handled by input and output chains), but block the clients from talking to each other. This filter rule also effectively prevents that bridge from shorting together the different vlans, because traffic from e.g. vlan 10 will never be forwarded to vlan 20.

Caveat: You will still have to manually add and remove vlan interfaces, and add/remove them from/to the pppoe server bridge.

Maybe this at least makes your life with q-in-q a little less miserable... :)
 
joegoldman
Forum Veteran
Forum Veteran
Topic Author
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: PPPoE over Q-in-Q tunnel

Thu Sep 05, 2013 7:21 am

Thanks for the tip. I had thought of it this way but was worried about cross talk, didn't think about filtering the VLAN forward chain, I suppose when they create the PPP connection it is a layer above the VLAN so if 2 PPP connections want to talk to each other via their public IP's it would work OK.

With thousands of possible customers, it still feels a massive configuration and management overhead to add a new vlan interface for each customer. Perhaps a metro ethernet switch to sit between provider and MikroTik to strip the vlan tags and deliver all sessions accross a single trunk. I know this is a bit more dynamically easier in Cisco, but not sure to the extent I am looking at.

Ahh fun times. Thanks for the help :)
 
User avatar
tomaskir
Trainer
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: PPPoE over Q-in-Q tunnel

Thu Sep 05, 2013 10:59 am

Create a bridge, and use split horizon to isolate the VLANs inside the bridge.
Build the PPPoE server on top of the bridge.

Quick, simple, and no bridge firewall needed.
 
joegoldman
Forum Veteran
Forum Veteran
Topic Author
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: PPPoE over Q-in-Q tunnel

Thu Sep 05, 2013 3:18 pm

Create a bridge, and use split horizon to isolate the VLANs inside the bridge.
Build the PPPoE server on top of the bridge.

Quick, simple, and no bridge firewall needed.
Hi,

By my understanding of split horizon, I'd still need to create each virtual interface? I can't see split horizon being any easier than a simple single line firewall rule, but could be best practise and will take it under advisement.

I am mostly looking for a way to not have to manage all the VLAN interfaces.
 
User avatar
tomaskir
Trainer
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: PPPoE over Q-in-Q tunnel

Thu Sep 05, 2013 3:35 pm

You will have to add the ports to the bridge anyway, so adding a horizon to the bridge port is, imo, easier then involving the firewall.

Its also much more CPU friendly, since if you look at the packet flow diagram, the bridge firewall doesnt have to even get involved.
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: PPPoE over Q-in-Q tunnel

Fri Aug 14, 2015 12:40 pm

Create a bridge, and use split horizon to isolate the VLANs inside the bridge.
Build the PPPoE server on top of the bridge.

Quick, simple, and no bridge firewall needed.
This solution, like bridge filters work fine.
I need to add one or more bridge interface to group some VLANs.
But, if I add a secondo Bridge and a secon PPPoE Server active on this... PPPoE Clinet not go up :(

Anyone can help me?
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: PPPoE over Q-in-Q tunnel

Fri Aug 14, 2015 12:50 pm

Seem to work leaving original MAC of Ethernet... in my setup I was set two fake MACs on the bridges.... using same MAC on all bridges... it work!
 
mdnzrn
just joined
Posts: 1
Joined: Wed Sep 23, 2020 8:05 pm

Re: PPPoE over Q-in-Q tunnel

Wed Sep 23, 2020 8:08 pm

Hello,

My scenario is like this

I have a huawei Switch where i recieve QINQ vlan tags such as 3601:101 , 3602:102 and so on

I need the following on mikrotik
I need to run single pppoe server on a bridge with QINQ enabled , and user should get ip from External radius server and radius server authenticate user only if he belongs to particular outer:inner vlan . I woud also like to load balance Ip pools based on Outer vlan tags from radius server

so what i should configure on mikrotik as well as radius server , how to send Outer:inner vlan information to radius server

any help highly appriciated.

Who is online

Users browsing this forum: No registered users and 17 guests