/--------------------------------------/
# Jan 16, 2008 12:31pm by RouterOS 2.9.48
# software id = WZER-R9T
#
/ interface ethernet
set E1-WAN name="E1-WAN" mtu=1500 mac-address=00:60:E0:42:B0:81 arp=enabled disable-running-check=yes auto-negotiation=yes \
full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set E2-LAN name="E2-LAN" mtu=1500 mac-address=00:60:E0:42:B0:82 arp=enabled disable-running-check=yes auto-negotiation=yes \
full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set E3-MGMT name="E3-MGMT" mtu=1500 mac-address=00:60:E0:42:B0:83 arp=enabled disable-running-check=yes auto-negotiation=yes \
full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ interface pppoe-server server
add service-name="pppoe" interface=E2-LAN max-mtu=1480 max-mru=1480 authentication=pap,chap,mschap1,mschap2 \
keepalive-timeout=10 one-session-per-host=yes max-sessions=0 default-profile=pppoe disabled=no
/ ip pool
add name="pool1" ranges=70.xx.116.1-70.xx.116.254 next-pool=pool2
add name="pool2" ranges=70.xx.117.1-70.xx.117.254 next-pool=pool3
add name="pool3" ranges=70.xx.118.1-70.xx.118.254 next-pool=pool4
add name="pool4" ranges=70.xx.119.1-70.xx.119.254 next-pool=pool5
add name="pool5" ranges=70.xx.126.1-70.xx.126.254 next-pool=pool6
add name="pool6" ranges=70.xx.127.1-70.xx.127.254
/ ip dns
set primary-dns=64.xx.xx.138 secondary-dns=64.xx.xx.139 allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w
/ ip address
add address=64.xx.xx.33/27 network=64.xx.xx.32 broadcast=64.xx.xx.63 interface=E2-LAN comment="Primary LAN (PPPoE) Address" disabled=no
add address=10.1.56.1/21 network=10.1.56.0 broadcast=10.1.63.255 interface=E2-LAN comment="" disabled=no
add address=10.1.32.1/21 network=10.1.32.0 broadcast=10.1.39.255 interface=E2-LAN comment="" disabled=no
add address=10.0.112.1/21 network=10.0.112.0 broadcast=10.0.119.255 interface=E2-LAN comment="" disabled=no
add address=10.1.24.1/21 network=10.1.24.0 broadcast=10.1.31.255 interface=E2-LAN comment="" disabled=no
add address=10.0.16.1/21 network=10.0.16.0 broadcast=10.0.23.255 interface=E2-LAN comment="" disabled=no
add address=10.0.192.1/21 network=10.0.192.0 broadcast=10.0.199.255 interface=E2-LAN comment="" disabled=no
add address=172.16.10.10/29 network=172.16.10.8 broadcast=172.16.10.15 interface=E1-WAN comment="WAN Uplink \(E1-WAN\)" \
disabled=no
add address=192.168.254.200/24 network=192.168.254.0 broadcast=192.168.254.255 interface=E3-MGMT comment="" disabled=no
/ ip neighbor discovery
set E1-WAN discover=yes
set E2-LAN discover=yes
set E3-MGMT discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=172.16.10.9 check-gateway=ping distance=1 scope=255 target-scope=10 comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
add topics=ospf prefix="" action=memory disabled=yes
add topics=pppoe prefix="" action=memory disabled=yes
add topics=ppp prefix="" action=memory disabled=yes
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=64.xx.xx.253:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=""
/ system clock manual
set time-zone=+00:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="SITE--RTA"
/ system note
set show-at-login=yes note=""
/ system health
set state-after-reboot=enabled
/ system routerboard bios
set
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default \
change-tcp-mss=yes comment=""
add name="pppoe" local-address=64.xx.xx.33 remote-address=pool1 use-compression=yes use-vj-compression=yes \
use-encryption=default only-one=yes change-tcp-mss=default dns-server=64.xx.xx.138,64.xx.xx.139 comment=""
set default-encryption name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes \
only-one=default change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=yes accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue interface
set E1-WAN queue=ethernet-default
set E2-LAN queue=ethernet-default
set E3-MGMT queue=ethernet-default
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,!ftp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius
add service=ppp called-id="" domain="" address=64.xx.xx.132 secret="^Radius$" authentication-port=1645 \
accounting-port=1646 timeout=300ms accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=yes contact="noc@domain.com" location="Site Location"
/ snmp community
add name="SNMP-ReadString" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \
filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=24hours
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=E1-WAN allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=172.16.10.10 distribute-default=never redistribute-connected=as-type-2 redistribute-static=as-type-1 \
redistribute-rip=no redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none disabled=no
add name="area1" area-id=0.0.0.1 type=stub translator-role=translate-always authentication=none summary=no default-cost=10 \
disabled=no
/ routing ospf network
add network=172.16.10.8/29 area=backbone disabled=no
/ routing bgp instance
set default name="default" as=65530 router-id=0.0.0.0 redistribute-connected=no redistribute-static=no redistribute-rip=no \
redistribute-ospf=no redistribute-other-bgp=no out-filter="" client-to-client-reflection=yes ignore-as-path-len=no comment="" \
disabled=no
/ routing rip
set distribute-default=never redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
metric-default=1 metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m \
garbage-timer=2m
/ routing rip interface
add interface=all receive=v2 send=v2 authentication=none authentication-key="" key-chain="" in-filter="" out-filter="" \
disabled=no
/--------------------------------------/
bbmj ... just for reference... the ip address's on the LAN interface ARE required. They provide our management layer to the CPE devices. They have nothing to do with the PPPoE termination.everything imho looks fine. only things i would be doing different is to remove all the addresses from from e2_lan, not needed in order to make ppp work, and to adjust my mtu to 1420.
bbmj ... just for reference... the ip address's on the LAN interface ARE required. They provide our management layer to the CPE devices. They have nothing to do with the PPPoE termination.everything imho looks fine. only things i would be doing different is to remove all the addresses from from e2_lan, not needed in order to make ppp work, and to adjust my mtu to 1420.
Multi-processor on ROS v3 is not working: ROS just stops responding to PPPoE then hangs or reboots:You will also need v3 for dual core support. Good thought to try to upgrade to v3, and turn off connection tracking. See how that does.
Make sure you turn ON multi-processor support in v3 though, its not on by default.
This is not a solution. You will have a lot of problems by turning this off: Cannot open some websites, MSN messenger doesn't working etc.There was also some talk about removing the change TCP MSS value as it creates lots of rules etc.
Yes, this is a big problem for V3.Under a not so heavy load (<200 users) even with multi-cpu turned off there's a problem with dropped packets (5% or more).
... That is the response we received...The only response you get from support will be "turn off multi-cpu".
... and yes, this was the response as well."About multi-core - sorry, I can't give you any estimates."
Lucky man you are... We have a much heavier load, 'cause we need shaping and filtering.We loaded up the system with 2,631 PPPoE sessions, 3,464 OSPF routes from two peer routers, while maintaining a 62% CPU load average for 30 minutes.
I don't buy this. You should:Well... We completed testing last night with PPPoE load. Using the steps listed above we moved over the traffic to 600+ users with CPU running an average of 20-23% utilization. We then moved over a big site (1000+ PPPoE session). The CPU was running good at 33% utilization, memory 90% free, ....
20min into it, approx 1600 PPPoE sessions, traffic throughput of 20-30mb (at 2:30AM that was good) ... the winbox and telnet dropped. Checked my rolling pings and I still had communication with my router interface, checked my SNMP monitoring system of switch interfaces and ALL traffic had flat-lined. ... ... oh boy... this is not good.
Which RouterOS version you are running? How many pppoe tunnels you had active at the time you test ping ?We pinged a good number of customers from remote off-net IPs and never lost more than a single packet. The loss was well under 1%. Nothing like what was reported of 15+% ..
What is the bandwidth? How you test ping ?v3 at the time. 2600 tunnels at once.
This explain it. But there is a lot of issues by not using Change TCP MSS. So, we cannot turn that option off.about 30-35 meg total.. All routed, public IPs, 3500 or so OSPF Routes. PoweRouter 732 with only one core on, v.3. Change TCP MSS was off.
[admin@MT-0] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept in-interface=ether1
1 chain=forward action=accept out-interface=ether1
2 chain=forward action=change-mss new-mss=1452 tcp-flags=syn protocol=tcp
tcp-mss=1453-65535
I got recomendation to replace dynamic change-mss to static rules from Mikrotik support and we now have these:0 and 1 should pass all packets via ethernet without modification, 3 should match other packets via ppp interfaces.Code: Select all[admin@MT-0] /ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward action=accept in-interface=ether1 1 chain=forward action=accept out-interface=ether1 2 chain=forward action=change-mss new-mss=1452 tcp-flags=syn protocol=tcp tcp-mss=1453-65535
Why you think that this is better?I recommend to use MRRU (PPP Multilink protocol) option and forget about Change-mms rules at all
Been running Mikrotik as a PPPoE server for years. Terminating 1200+ PPPoE users between a couple different routers. Have always left "Change TCP MSS" option OFF and have had no issues.This explain it. But there is a lot of issues by not using Change TCP MSS. So, we cannot turn that option off.
Do your users have NAT'ed IP's or public?So do you do anything special regarding MTU issues? I had a huge problem when I first started using PPPoE where users could get to some sites but not others. Didn't seem to matter what I set on the PPPoE server, it didn't seem to help. I ended up manually setting ever user's MTU to 1400 on the client end and haven't had a problem since.
Any suggestions?