byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sat Jan 09, 2021 3:07 am

Hello everyone,

I have used a RB951Ui-2nD in combination with a Draytek Vigor 130 successfully for almost two years now. After a rather unfortunate accident I had to replace my former Mikrotik hardware. Therefore I ordered a RB2011UiAS-2HnD and after receiving it today tried to install it. So far I was unsuccessful. In general I tried to set up the Vigor 130 in bridge mode and configured the Routerboard to use a PPPoE client while keeping the device at almost factory settings - other than different WLAN and administrator passwords and the default firewall rules. Unfortunately I don't get any successful internet connection. Testing the Vigor 130 directly in PPPoE-mode showed that a ping to servers is possible, which leads me to believe that my PPPoE credentials are correct. It also seems like the router is successfully translating local IPs and forwarding packets to external IPs, but their replies never reach the RB for some reason.

I have attached logs and screenshots which might be useful for a diagnosis, but I am clueless at this point.

Thank you very much in advance.
[admin@MikroTik] > export hide-sensitive
# jan/02/1970 01:29:57 by RouterOS 6.48
# software id = D3TK-UWQR
#
# model = RB2011UiAS-2HnD
# serial number = ---
/interface bridge
add admin-mac=--- auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=---
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik---- wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=dropped-nolan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sat Jan 09, 2021 6:50 pm

What does /ip dhcp-client print detail show?

From the ping window it seems to me that the pings are actually blocked in the ISP network and the ICMP notifications about that do arrive to your device.

So I assume that since you haven't disabled the /ip dhcp client associated to the uplink port, the ether1 on the 2011 has got an address and route also via DHCP, and is sending traffic from the DHCP-assigned address via the DHCP-assigned route rather than using the PPPoE-assigned ones. So disable the DHCP client (no need to reboot, the address and gateway will disappear once you disable it) and try again.

If that doesn't help, run /tool sniffer quick interface=pppoe-out1 protocol=icmp in a terminal window, ping 8.8.8.8 again, and show the result of the sniff.
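
The overlap sindy describes above (an enabled DHCP client on the same port that carries the PPPoE client) can be checked mechanically on an export. This is an added example, not part of the original thread; the function names and the trimmed sample export are constructed, and the two default-value assumptions are marked in the comments.

```python
import re

# Constructed sample: a trimmed export modelled on the one posted in this thread.
SAMPLE_EXPORT = """\
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=---
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
"""

# key=value pairs; a value may be double-quoted and contain spaces
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return {menu path: [properties of each 'add' line]} for an export."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith("add "):
            sections[current].append(dict(_KV.findall(line[4:])))
    return sections


def _enabled(entry):
    # Assumption: an entry without disabled=yes is enabled, as sindy assumed
    # for this export; confirm on the device with /ip dhcp-client print detail.
    return entry.get("disabled", "no") != "yes"


def competing_uplink_clients(text):
    """List (pppoe client name, interface) pairs where an enabled DHCP client
    sits on the PPPoE client's underlying interface and may add its own route."""
    sections = parse_export(text)
    findings = []
    for ppp in filter(_enabled, sections.get("/interface pppoe-client", [])):
        for dhcp in filter(_enabled, sections.get("/ip dhcp-client", [])):
            if dhcp.get("interface") != ppp.get("interface"):
                continue
            # Assumption: add-default-route is on unless the export says "no".
            if dhcp.get("add-default-route", "yes") == "no":
                continue
            findings.append((ppp.get("name"), ppp.get("interface")))
    return findings


if __name__ == "__main__":
    for name, iface in competing_uplink_clients(SAMPLE_EXPORT):
        print(f"{name}: DHCP client also enabled on {iface}")
```
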
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sat Jan 09, 2021 11:22 pm

Hello sindy and thank you for your reply.

I have now disabled the DHCP client for the uplink port. Unfortunately that didn't help so far. All ping requests from the Routerboard still return "port unreachable" or "timeout". There is no HTTPS connection possible from clients behind the Mikrotik router.

Please note that I have changed the port 1:1 to ether2 at the moment so the screenshots above are a bit outdated. Other than that I did not change anything.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 12:26 pm

It's really weird, as the PPPoE interface is obviously (augensichtlich) up and both sending and receiving, but the traffic is not passing through further in the ISP network. The ICMP "port unreachable" messages shown as responses to the ping are most likely not related to the ping and shown by mistake (ICMP echo has no notion of ports) and as your sniff from the time you don't ping shows some ICMP packets to come from the same IP address too, I assume they are sent in response to some normal traffic (non-ICMP) which tries to get through.

So it all looks like an issue at the ISP side, but since it works when the PPPoE client is up on the Vigor, that issue must be somehow related to the identity of the 2011.

So a question - do you get the same WAN IP via PPPoE at each disabling and re-enabling the PPPoE client interface, say, 20 minutes later? Btw, 100.64.0.0/10 are not public IPs, they are "carrier grade NAT" addresses whose role is not to overlap with any RFC1918 private range nor with any public IP, so the ISP doesn't have to deal with conflicts with LAN subnets no matter what ones the subscriber chooses to use.

Another question, are you perhaps able to remember (or even retrieve) the MAC address the RB951Ui-2nD was using on its WAN interface, and try to set that MAC address on the 2011's ether1?

Yet another one, could it be that some VLAN must be set for the PPPoE?
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 3:55 pm

> It's really weird, as the PPPoE interface is obviously (augensichtlich) up and both sending and receiving, but the traffic is not passing through further in the ISP network. The ICMP "port unreachable" messages shown as responses to the ping are most likely not related to the ping and shown by mistake (ICMP echo has no notion of ports) and as your sniff from the time you don't ping shows some ICMP packets to come from the same IP address too, I assume they are sent in response to some normal traffic (non-ICMP) which tries to get through.
>
> So it all looks like an issue at the ISP side, but since it works when the PPPoE client is up on the Vigor, that issue must be somehow related to the identity of the 2011.
>
> So a question - do you get the same WAN IP via PPPoE at each disabling and re-enabling the PPPoE client interface, say, 20 minutes later? Btw, 100.64.0.0/10 are not public IPs, they are "carrier grade NAT" addresses whose role is not to overlap with any RFC1918 private range nor with any public IP, so the ISP doesn't have to deal with conflicts with LAN subnets no matter what ones the subscriber chooses to use.

I see, thanks for the information regarding carrier NAT addresses. I am sometimes rather careful when it comes to publishing IP addresses on the internet :)
The results of this test are the following:
- The local 100.64.0.0/10 IP changed with every re-connect. Usually just the last octet.
- The remote WAN IP was identical each time - even switching between the 2011 and the Vigor 130.

> Another question, are you perhaps able to remember (or even retrieve) the MAC address the RB951Ui-2nD was using on its WAN interface, and try to set that MAC address on the 2011's ether1?

Yes I still have the sticker with all information like ETH1, WLAN MAC addresses and the SN of the RB951Ui-2nD and changed the MAC address of the ether1 of the 2011. Unfortunately nothing happened here as well.

> Yet another one, could it be that some VLAN must be set for the PPPoE?

You are correct. Deutsche Telekom / T-Online requires a VLAN 7 tag, which I have enabled in the Vigor 130 which should untag it on the LAN port going to the 2011. This worked in the past with the RB951Ui-2nD.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 4:15 pm

OK, since the tagging and untagging is done in the Draytek, that's also not the explanation.

If you ping the "remote address" (called "gateway address" on the Draytek), does it respond?
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 8:02 pm

Just shooting fish in a barrel: check if Draytek has PPPoE session active and if yes, disable it.

Longer story: my ISP provides me with xDSL modem / router combo, which I tend to use in bridge mode. Internet service is provided via PPPoE and (due to having static address) there can only be one PPPoE session established at any time. ISP router can run PPPoE session, but I have it disabled. However, whenever ISP does anything (either software upgrade or some change in settings) via TR069, PPPoE client on xDSL router gets enabled (and WiFi AP as well). Next time my RB drops PPPoE session it's the matter of odds that xDSL router makes PPPoE session first and thus blocks RB from making one. In my case I can actually see RB failing to establish PPPoE session in ROS logs.
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 11:05 pm

> OK, since the tagging and untagging is done in the Draytek, that's also not the explanation.
>
> If you ping the "remote address" (called "gateway address" on the Draytek), does it respond?

Yes pinging it from the Vigor 130 and the 2011 is working fine:
Pinging WAN.ip with 64 bytes of Data through WAN1:
Receive reply from WAN.ip, time<1ms
Receive reply from WAN.ip, time<1ms
Receive reply from WAN.ip, time<1ms
Receive reply from WAN.ip, time<1ms
Receive reply from WAN.ip, time<1ms
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss)


[admin@MikroTik] > ping WAN.ip                                       
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                
    0 WAN.ip                            56 255 11ms 
    1 WAN.ip                            56 255 20ms 
    2 WAN.ip                            56 255 22ms 
    3 WAN.ip                            56 255 10ms 
    4 WAN.ip                            56 255 11ms 
    sent=5 received=5 packet-loss=0% min-rtt=10ms avg-rtt=14ms max-rtt=22ms 
Last edited by byteflip on Sun Jan 10, 2021 11:15 pm, edited 1 time in total.
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 11:11 pm

> Just shooting fish in a barrel: check if Draytek has PPPoE session active and if yes, disable it.
> ...

Yes it’s usually disabled other than for debugging.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 11:18 pm

Are you pinging the gateway address (the remote end of the PPPoE tunnel) in both cases? The <1 ms in case of Vigor vs. 10-22 ms in case of Mikrotik looks weird to me.

Also, can you try to run /tool traceroute 8.8.8.8, to see how far the request gets, and then do the same to some other public IP you know? E.g. 104.103.92.177, just a random .de fqdn which came to my mind (www.mdr.de).
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 11:27 pm

You are right... that sounds weird indeed.

But it was both times the same IP shown as "Remote IP" in the Mikrotik router.


traceroute does not look very good:
[admin@MikroTik] >> /tool traceroute 8.8.8.8
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS                                                                    
 1 WAN.ip                    0%    7  10.5ms    31.7    10.1    76.4    25.9                                                                           
 2 62.206.254.17                      0%    7  30.5ms    15.3    10.1    30.5       7                                                                           
 3                                  100%    7 timeout                                                                                                           
 4 62.206.254.20                    66..    7  22.4ms    20.9    19.4    22.4     1.5                                                                           
 5                                  100%    1 timeout                                                                                                           
 6 62.206.254.20                      0%    1  17.1ms    17.1    17.1    17.1       0                                                                           

[admin@MikroTik] > /tool traceroute 104.103.92.177
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS                                                                    
 1 WAN.ip                    0%    5  13.8ms    16.8    11.3    23.5     4.2                                                                           
 2 62.206.254.17                      0%    5  18.8ms    18.3    12.8    20.8     2.9                                                                           
 3                                  100%    5 timeout                                                                                                           
 4 62.206.254.20                     50%    5  30.7ms    32.4    30.7      34     1.7                                                                           
 5                                  100%    2 timeout                                                                                                           
 6                                  100%    2 timeout                                                                                                           
 7 62.206.254.20                     50%    2  18.7ms    18.7    18.7    18.7       0                                                                           
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Sun Jan 10, 2021 11:44 pm

OK... and when you do the same while Vigor acts as a router, do 62.206.254.17 and 62.206.254.20 also appear as the first two hops after the Vigor itself?
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 12:01 am

Yes it's the same behaviour:

traceroute to 8.8.8.8, 30 hops max through WAN1 protocol ICMP
  1  WAN.ip       40 ms
  2  62.206.254.17         20 ms
  3 Request timed out.     *
  4  62.206.254.20         20 ms
Trace complete.


traceroute to 104.103.92.177, 30 hops max through WAN1 protocol ICMP
  1  WAN.ip       20 ms
  2  62.206.254.17         10 ms
  3 Request timed out.     *
  4  62.206.254.20         10 ms
Trace complete.

 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 12:13 am

Now I am totally lost. In the previous post, where did you do the traceroute? On some linux machine connected to the Vigor as a DHCP client or on the Vigor itself?
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 12:19 am

Oh I'm sorry, maybe I misunderstood you. What I did was setting the Vigor in PPPoE-mode (not bridged) and used the built-in traceroute tool. Doing a traceroute from the 2011 while the Vigor is set up in that way results in instant timeouts such as seen here:
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 12:31 am

What you've done was what I've expected you to do (to test while the PPPoE client is up on the Vigor itself), but the result was totally unexpected - so far my understanding was that internet access is working when the PPPoE client is up on the Vigor, whereas the traceroute shows it is blocked at that 62.206.254.20 as well, so no difference to the situation when the PPPoE client runs on the Mikrotik.

Could it be that you must visit some dashboard page of the ISP so that the access to internet would get open?
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 12:40 am

No, internet access (via HTTPS etc.) does not work at all - neither with the Vigor nor the Mikrotik router.

> Could it be that you must visit some dashboard page of the ISP so that the access to internet would get open?

This was never required and I did not get any notice from my ISP. I will call my provider tomorrow because this looks like it's not a hardware problem from my side, which I assumed when I started this topic.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Mon Jan 11, 2021 9:54 am

Yet another possibility which comes to my mind is that the ISP may have some anti-fraud mechanism in place - if you reconnect too often, and/or if the MAC address of the client keeps changing, they block internet access. And it could be as simple as what @mkx has suggested - it takes some time until a connection is considered down after you disconnect the client, so if you connect the other one before the previous connection has expired, the new one is blocked this way. So maybe configure the bridge mode on the Vigor and the PPPoE client on the 2011, switch the Vigor off for 20 minutes (that should be sufficient with a great margin), and then switch it on again.
 
byteflip
just joined
Topic Author
Posts: 10
Joined: Sat Jan 09, 2021 2:31 am

Re: RB2011UiAS-2HnD / Draytek Vigor 130 - PPPoE connection problems

Tue Jan 12, 2021 9:06 pm

This has been successfully resolved now. It's more than embarrassing: Apparently my ISP provided me with special login credentials for this VDSL line. I couldn't find the original letter at first and thought I can just request a new one. Usually you instantly get an encrypted PDF document and a few days later a printed copy via mail. The catch is that these credentials do not work for this type of VDSL connection (MagentaZuhause Regio) and you can literally type in anything into the username / password fields for the PPPoE connection credentials. Your connection will then simply not get routed.

So after finding my credentials everything works now finally.

sindy thank you very much for your patience and feedback and mkx for your input too.
