> The loopback address range must be in 172.16.255.0/24.
> All of my point-to-point links between routers have /30 and /29 block sizes from 172.16.0.0/24 and 172.16.1.0/24; these two are my network. (/29 for wireless links & /30 for direct Ethernet)
> The important thing is that I don't know how I can include just my network range in OSPF and keep anything else, like the PPPoE sessions, from being routed over OSPF. (I don't see an example of this.)
> I'm using the local IP of the PPPoE profiles with 1.1.1.1 and the remote is a public IP pool (146.146.46.0/22, 155.155.55.0/24, 179.179.79.0/22 and ...)

OK, here is what I would recommend:
/routing ospf interface
add network-type=broadcast passive=yes

Sets the default interface type to passive, so that you do not send hello packets to customers; important for security! The only interfaces that should not be passive are interfaces where you want to form neighbor relationships with other routers.
add authentication=md5 authentication-key=somesecretkey interface=someptpinterface network-type=broadcast
add authentication=md5 authentication-key=somesecretkey interface=someotherptpinterface network-type=broadcast

This 'overrides' the passive default for these two PtP interfaces connecting to your router, so that you can form neighbors with other routers over the ptp interfaces. It also adds security, so that a hacker cannot unplug your router, plug in their own and get an OSPF neighbor relationship forming if they do not have the OSPF auth key.
/routing ospf network
add area=backbone comment="Loopback IP" network=someloopbackip
add area=backbone comment="Point to Point connection to Router X" network=someptpsubnet/30
add area=backbone comment="Point to Point connection to Router Y" network=someptpsubnet/30

Those advertise the loopbacks and ptp subnets.
On your core PPPoE router, the same thing, but also do this for advertising your PPPoE customer subnet:

/routing ospf area add area-id=0.0.0.1 name=pppoe-area type=stub

That creates a second OSPF area for your PPPoE customers only.

/routing ospf network add area=pppoe-area network=somepppoecustomersubnet/23

That advertises the PPPoE customer IPs, which would normally create a route for every PPPoE customer, EXCEPT then you add the following below:

/routing ospf area range add area=pppoe-area range=somepppoecustomersubnet/23 cost=default advertise=yes

That does the magic - the PPPoE area is summarized to the backbone as a single route rather than one per customer IP. You still get hundreds of OSPF routes, but only on your core router itself; the other routers just get the area range.
> add area=backbone comment="Loopback IP" network=someloopbackip
> Must the loopback network be my whole /24 in my situation?

No, the individual /32 for that router. On each router you have to individually advertise the loopback IP. Best to set that loopback IP as the OSPF router ID as well.
> @mducharme, one thing remains about the security.
> When we configure the OSPF interfaces with security, the dynamic passive interface for the loopback will always remain without any security.
> Does this make OSPF insecure?

No. OSPF only forms adjacencies with directly-connected neighbors, and you do not have anything attached to a loopback interface, so no adjacencies can form there. Passive just means that the router doesn't send hellos or listen to them. Since there is nothing else on a loopback bridge, there's no way for any adjacency to form anyway, so there's no danger in it being active. (Unless you bridge that loop interface to something, but you shouldn't do that anyway.)
> 1. If I understand correctly, when redistribute connected & redistribute static are set to "no", then there is no need to specify the PPPoE pool as a stub network at the CoreRouter? And does it make no difference to security whether I add it or not?

In your case this is correct, since your PPPoE concentrator is also the only core router. If you ever split these functions, as is more common, you would have to set up the stub area.
> 2. The last thing, about the individual subnets in OSPF networks: if we come back to the first diagram, all of the routers in the path between R1 and R11 must have their /30 subnets in their OSPF networks list. But the question is, do the routers not in the path need them too? (For example: does R4 need the subnet of R10 to R11 too?)

You only add to 'networks' the locally connected networks of that router that should be advertised. The router needs to have an IP on that subnet as well in order for the network to actually get advertised. There is no need to add networks not local to that router, since it will have no effect if the router doesn't have an IP on that network.
> 1. If I understand correctly, when redistribute connected & redistribute static are set to "no", then there is no need to specify the PPPoE pool as a stub network at the CoreRouter? And does it make no difference to security whether I add it or not?

Missed the last part - it makes no difference to security, because by making the interfaces default to 'passive', if you advertise it, your PPPoE interfaces will appear as passive interfaces in OSPF (on the core router only) and your customers will not receive hello packets and will not be able to establish an OSPF adjacency, so there is no security issue. If your config was missing the line to make the default interface type passive, there would be a potential security issue.
> 1. Double check about the networks, if the example subnets are like below:
> R1 to R2 --> 172.16.1.0/30
> R2 to R3 --> 172.16.1.4/30
> R3 to R4 --> 172.16.1.8/30
>
> network=172.16.1.0/30
> network=172.16.1.0/30
> network=172.16.1.4/30
> network=172.16.1.4/30
> network=172.16.1.8/30
>
> Is it correct?

Yes, I believe so.
> 2. Must the authentication be the same on all OSPF networks, or just on the directly connected interfaces?

Each /30 can use its own password if you like. We use the same password for all. You only need auth on interfaces that connect to other OSPF routers (non-passive) where you want to form an adjacency.
> 3. Is there any performance issue with enabling the security of OSPF interfaces?

No.
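The rules traded back and forth above (interfaces passive by default, authentication on every active PtP link, a network entry only takes effect when the router has an address inside it, the loopback advertised as its /32, and the PPPoE area range from earlier in the thread collapsing hundreds of customer /32s into one backbone route) can be checked mechanically. The Python below is an added example, not RouterOS code and not anything posted in the thread; every router name, address, interface name and the customer pool in it is constructed.

```python
"""Added model of the OSPF design rules discussed in this thread.
Not RouterOS code: router names, addresses and interface names are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network, ip_interface, ip_network


@dataclass
class OspfInterface:
    name: str
    address: IPv4Interface       # this router's own address on the link
    passive: bool = True         # the thread's default: passive unless it is a PtP link
    auth_key: str | None = None  # MD5 key; the thread wants one on every active link


@dataclass
class Router:
    name: str
    interfaces: list[OspfInterface]
    networks: list[IPv4Network]  # the /routing ospf network entries


def advertised_networks(router: Router) -> list[IPv4Network]:
    """A network entry only takes effect when the router has an address inside it."""
    owned = [i.address.ip for i in router.interfaces]
    return [n for n in router.networks if any(ip in n for ip in owned)]


def audit(router: Router) -> list[str]:
    """Findings against the thread's rules; an empty list means the design holds."""
    findings = []
    for i in router.interfaces:
        if not i.passive and not i.auth_key:
            findings.append(f"{i.name}: active OSPF interface without authentication")
    live = advertised_networks(router)
    for n in router.networks:
        if n not in live:
            findings.append(f"{n}: no local address in this network, entry has no effect")
    for lo in (i for i in router.interfaces if i.name.startswith("lo")):
        host = ip_network(f"{lo.address.ip}/32")
        if host not in router.networks:
            findings.append(f"{lo.name}: advertise the loopback as {host}, not a wider block")
    return findings


def routes_seen_by_backbone(customer_routes, area_ranges):
    """Routes the backbone learns from the PPPoE stub area: every customer /32
    covered by an area range collapses into that one range; anything outside a
    range leaks through as its own route."""
    seen = set()
    for r in customer_routes:
        seen.add(next((a for a in area_ranges if r.subnet_of(a)), r))
    return sorted(seen)


# Constructed sample: R2 sits between R1 (172.16.1.0/30) and R3 (172.16.1.4/30).
KEY = "somesecretkey"
GOOD = Router("R2", [
    OspfInterface("lo0", ip_interface("172.16.255.2/32")),
    OspfInterface("ether1", ip_interface("172.16.1.2/30"), passive=False, auth_key=KEY),
    OspfInterface("ether2", ip_interface("172.16.1.5/30"), passive=False, auth_key=KEY),
    OspfInterface("pppoe-customers", ip_interface("1.1.1.1/32")),  # stays passive
], [ip_network("172.16.255.2/32"), ip_network("172.16.1.0/30"), ip_network("172.16.1.4/30")])

# The same router with the three mistakes the thread asks about.
BAD = Router("R2", [
    OspfInterface("lo0", ip_interface("172.16.255.2/32")),
    OspfInterface("ether1", ip_interface("172.16.1.2/30"), passive=False, auth_key=KEY),
    OspfInterface("ether2", ip_interface("172.16.1.5/30"), passive=False),  # no auth key
], [ip_network("172.16.255.0/24"),   # whole loopback block instead of the /32
    ip_network("172.16.1.0/30"), ip_network("172.16.1.4/30"),
    ip_network("172.16.1.8/30")])    # the R3-R4 link, not attached to R2

PPPOE_RANGE = ip_network("100.64.0.0/23")  # constructed customer pool / area range
CUSTOMERS = [ip_network(f"100.64.{b}.{h}/32") for b in (0, 1) for h in range(1, 100)]
STRAY = ip_network("100.64.5.7/32")         # a customer address outside the range

if __name__ == "__main__":
    print("good:", audit(GOOD))
    print("bad:", *audit(BAD), sep="\n  ")
    print("backbone sees:", routes_seen_by_backbone(CUSTOMERS, [PPPOE_RANGE]))
    print("with a stray:", routes_seen_by_backbone(CUSTOMERS + [STRAY], [PPPOE_RANGE]))
```

The GOOD router produces no findings; the BAD one reports the unauthenticated active link, the /30 it does not own, and the loopback advertised as a /24. The last two lines show why the area range matters: 198 customer host routes reach the backbone as a single /23, and only an address outside the range shows up on its own.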
> In this example, what are the best MTU settings when I am not using VLANs?
> When just using MPLS / VPLS tunnels to extend the PPPoE servers and wanting a 1500 L3 MTU for the PPPoE clients.
> Do I need to change the L2MTU of the Ethernet interfaces?

Not usually; the default is normally 1598 or 1600 or around there, and that is more than enough. As long as it is above your MPLS MTU, possibly with room for a VLAN tag on top, that should be enough.
> What's the best MTU for the PPPoE servers?

Set MTU and MRU to 1500 for the PPPoE server; that will enable RFC4638 support as long as the PPPoE client is similarly set for 1500 MTU and supports RFC4638.
> What's the best MTU for the MPLS interface?

We use 1550, enough for VPLS plus PPPoE overhead with room to spare.
> Do I need to change the MTU of the VPLS tunnels?

Yes, change 'advertised L2MTU' for the VPLS tunnels to 1508 so that RFC4638 will work.
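The numbers in these four answers (1500 PPPoE MTU/MRU with RFC 4638, 1508 advertised L2MTU on the VPLS tunnels, 1550 MPLS MTU, and an Ethernet L2MTU default around 1598) fit together as a per-layer overhead budget. The Python below is an added example, not RouterOS code and not from the thread; it assumes the standard header sizes (6-byte PPPoE header plus 2-byte PPP protocol field, 14-byte inner Ethernet header, two 4-byte MPLS labels and a 4-byte VPLS control word) and treats the RouterOS MPLS MTU as the size of the labelled packet without the outer Ethernet header, which is an assumption about that platform's definition rather than something the thread states.

```python
"""Added MTU budget for PPPoE clients carried over VPLS/MPLS.
Not RouterOS code; header sizes and the meaning of 'MPLS MTU' are assumptions
stated in the comments, the default figures are the ones given in the thread."""

PPPOE_HEADER = 6        # ver/type, code, session id, length
PPP_PROTOCOL = 2        # PPP protocol field in front of the IP packet
ETHERNET_HEADER = 14    # dst MAC, src MAC, ethertype (FCS is not counted in L2MTU)
VLAN_TAG = 4
MPLS_LABEL = 4
VPLS_LABELS = 2         # transport (LDP) label + VC label
VPLS_CONTROL_WORD = 4   # assumed present on the pseudowire


def required_pppoe_l2mtu(ppp_mtu: int) -> int:
    """Ethernet payload a PPPoE frame needs to carry a PPP packet of ppp_mtu bytes.
    A 1492 PPP MTU fits the classic 1500; RFC 4638's 1500 needs 1508."""
    return ppp_mtu + PPPOE_HEADER + PPP_PROTOCOL


def required_mpls_mtu(inner_l2mtu: int, inner_vlan: bool = False,
                      control_word: bool = True) -> int:
    """Labelled VPLS packet size for an inner frame whose L2 payload is
    inner_l2mtu bytes (assumed to be what MPLS MTU bounds, outer Ethernet
    header excluded)."""
    size = inner_l2mtu + ETHERNET_HEADER + VPLS_LABELS * MPLS_LABEL
    if inner_vlan:
        size += VLAN_TAG
    if control_word:
        size += VPLS_CONTROL_WORD
    return size


def required_ethernet_l2mtu(mpls_mtu: int, core_vlan: bool = False) -> int:
    """The core Ethernet L2MTU must carry the labelled packet, plus a tag when
    the core link itself is a VLAN."""
    return mpls_mtu + (VLAN_TAG if core_vlan else 0)


def mtu_budget(ppp_mtu=1500, vpls_l2mtu=1508, mpls_mtu=1550,
               eth_l2mtu=1598, core_vlan=False) -> dict:
    """Per-layer required vs configured values; defaults are the thread's figures."""
    required = {
        "vpls_l2mtu": required_pppoe_l2mtu(ppp_mtu),
        "mpls_mtu": required_mpls_mtu(vpls_l2mtu),
        "ethernet_l2mtu": required_ethernet_l2mtu(mpls_mtu, core_vlan),
    }
    configured = {"vpls_l2mtu": vpls_l2mtu, "mpls_mtu": mpls_mtu,
                  "ethernet_l2mtu": eth_l2mtu}
    return {k: {"required": required[k], "configured": configured[k],
                "ok": configured[k] >= required[k]} for k in required}


def fits(**settings) -> bool:
    """True when every layer has at least the room the layer below needs."""
    return all(layer["ok"] for layer in mtu_budget(**settings).values())


if __name__ == "__main__":
    for layer, r in mtu_budget().items():
        state = "ok" if r["ok"] else "TOO SMALL"
        print(f"{layer:15} need {r['required']:5} have {r['configured']:5} {state}")
    print("MPLS MTU left at 1500:", fits(mpls_mtu=1500))
```

With the thread's values every layer passes: the 1508 VPLS L2MTU is exactly what a 1500-byte PPP packet needs, and the labelled packet comes to 1534 bytes, 16 short of the 1550 MPLS MTU. Leaving the MPLS MTU at 1500 fails the budget, which is the usual symptom when RFC 4638 clients negotiate 1500 but large frames do not make it across the VPLS.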
> I have a new problem with MPLS remote bindings: now every one of my routers in the OSPF/MPLS network has all of the "core router" routes + the PPPoE clients' IPs (their dynamic routes) in "remote bindings".

It is probably happening due to the lack of an advertise filter. The advertise filter is good to set up; you can set it up so that labels are only added for packets going to/from the loopback interfaces. Without that you have MPLS labels added for any packet going to the router on any IP.
> /routing ospf network
> add area=backbone network=10.200.200.2/32
>
> Always add loopback IPs to routers. It's a habit you should establish so that it's not even a question. You always do it.
> The loopback IP is the router's IP. That's the address you put into your network monitoring systems. That's the IP you put into your winbox saved sessions list / putty sessions list / etc.
> That's the IP you use for RADIUS, SNMP, etc. That's the interface that all point-to-point interface types use as the local address (tunnels, pppoe sessions, vpn local/remote IP, etc), and you use the other router's loopback IP as the destination IP. The exception to this on p2p links would be /30 links on ethernet; those are networks that require you to use interface addresses.
> The interface IPs are just there because they're needed to make the various locally-attached networks.
> One thing I've seen that doesn't work well in this regime is if the router is also a central DHCP server for other routers to use in DHCP relay. The DHCP server process doesn't receive packets on the loopback interface, so that's a bit broken, but other than that, the loopback interface is the go-to interface.
> Obviously if the Mikrotik is not being used as a router per se, or if it's in a simple configuration such as a CPE device, then the loopback IP isn't necessary, but all infrastructure routers should use them.

Thanks zerobyte. Thanks again and again for your wonderful info. I took all your suggestions and did them. I added a loopback IP to all devices as you said, and I started to use the loopback IP for RADIUS, the PPPoE local IP and the OSPF router-id as you said.
> /routing ospf network
> add area=backbone network=10.200.200.2/32

Imagine that I have 5 pppoe servers and some IP ranges assigned by RADIUS for some reasons (like public IPs), and these IP ranges are at different pppoe servers as /32s. What can be the solution?
In general, I'd recommend as best practices that you never use redistribute connected unless it's just unavoidable for some reason (I can't imagine many such scenarios), and don't redistribute static routes except at the very edge of your OSPF domain - on access routers mostly - and in those routers, use a filter that allows you to explicitly label routes for redistribution or not.
add distance=1 dst-address=172.38.0.0/24 gateway=10.255.254.35,10.255.254.34,10.255.254.33
The answer is NSSA and filters.

> The answer is NSSA and filters.

Thanks for your answer. You mean the pppoe servers should be in an NSSA area, and routing filters should be used to discard these IPs?