Hi!
I have set up 3 MikroTik (MT) routers as PPPoE servers (access concentrators).
Each one has public IP pools and private IP pools (used in case no more public addresses are available).
There are 5 PPPoE servers listening on each router (on the interface named '1'): one in the default VLAN, and one more per VLAN.
All of them take an IP from the same pool: public first, private later.
But when users receive a public IP from the pool, some strange things happen. For example, after logging in to any FTP site, the 'dir' command is unsuccessful. Also, with any VPN, once both sides are connected, no traffic passes through it.
Using torch (on OS 3.10), I saw in the FTP example that the ftp control connection (port 21) is OK and the user can log in to the FTP server, but the ftp-data connection (port 20) is pointing to the local-address of the profile in the ppp setup, so 'dir' fails.
When the user gets a private IP, this behavior does not occur, and they can 'dir' any FTP site.
My setup follows:
[uTik-PPP1] > interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 R WAN 1500 00:04:61:92:43:B9 proxy-arp
1 X OnBoard2 1500 00:04:61:92:43:BA enabled
2 R 1 1500 00:0A:5E:5A:38:8C enabled
[uTik-PPP1] /interface> print
Flags: X - disabled, R - running, D - dynamic, S - slave
# NAME TYPE MTU
0 R ;;; Vlan 201 - DSLAMs Norte
201 vlan 1500
1 R ;;; Vlan 101 - DSLAM 9201-1 Centro
101 vlan 1500
2 R ;;; Vlan 251 - DSLAMs Oeste
251 vlan 1500
3 R ;;; Vlan 102 - DSLAM 9210-2 Centro
102 vlan 1500
4 R WAN ether 1500
5 X OnBoard2 ether 1500
6 R 1 ether 1500
[uTik-PPP1] /interface> pppoe-server server print
Flags: X - disabled
0 service-name="PPPoE_1_1" interface=1 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=default
1 service-name="PPPoE_1_201" interface=201 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=300 default-profile=Default_201
2 service-name="PPPoE_1_101" interface=101 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=Default_101
3 service-name="PPPoE_1_251" interface=251 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=200 default-profile=Default_251
4 service-name="PPPoE_1_102" interface=102 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=Default_102
[uTik-PPP1] /ppp> profile print
Flags: * - default
0 * name="default" local-address=172.21.1.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.42,XXX.251.1.34
1 name="remoto1" local-address=172.21.2.1 remote-address=Priv_Res_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=default
rate-limit=512k/1024k
2 name="Default_101" local-address=172.21.101.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.42,XXX.251.1.34
3 name="Default_102" local-address=172.21.102.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42
4 name="Default_201" local-address=172.21.201.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42
5 name="Default_251" local-address=172.21.251.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42
6 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes
[uTik-PPP1] /interface> /ip pool print
# NAME RANGES
0 Priv_Res_01 172.21.1.5-172.21.1.254
1 Pub_Ciber_01 XXX.252.255.45
2 Priv_Res_02 172.21.2.5-172.21.2.254
3 Pub_Dyn_00 XXX.251.139.1-XXX.251.139.62
4 Pub_Fijas_01 XXX.252.255.0/26
5 Priv_Res_101_1 172.21.101.5-172.21.101.254
6 Priv_Res_102_1 172.21.102.5-172.21.102.254
7 Priv_Res_101_2 172.21.103.5-172.21.103.254
8 Priv_Res_102_2 172.21.104.5-172.21.104.254
9 Priv_Res_201_1 172.21.201.5-172.21.201.254
10 Priv_Res_201_2 172.21.202.5-172.21.202.254
11 Priv_Res_251_1 172.21.251.5-172.21.251.254
12 Pub_Dyn_02 XXX.251.21.2-XXX.251.21.254
13 Pub_Dyn_01 XXX.136.0.2-XXX.136.0.254
14 Priv_Res_03 172.21.3.5-172.21.3.254
15 Priv_Res_04 172.21.4.5-172.21.4.254
[uTik-PPP1] /interface> /ip address print where ! dynamic
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X ;;; PA NOSOTROS
172.16.1.1/27 172.16.1.0 172.16.1.255 (unknown)
1 ;;; PUBLICA WAN (TASA)
XXX.251.1.35/24 XXX.251.1.0 XXX.251.1.255 WAN
2 X ;;; MANAGE
192.168.0.38/24 192.168.0.0 192.168.0.255 (unknown)
3 ;;; POOL 1 Clientes Default VLAN
172.21.1.1/24 172.21.1.0 172.21.1.255 1
4 ;;; POOL 2 Clientes Default VLAN
172.21.2.1/24 172.21.2.0 172.21.2.255 1
5 ;;; POOL 1 Clientes VLAN 101
172.21.101.1/24 172.21.101.0 172.21.101.255 1
6 ;;; POOL 1 Clientes VLAN 102
172.21.102.1/24 172.21.102.0 172.21.102.255 1
7 ;;; POOL 2 Clientes VLAN 101
172.21.103.1/24 172.21.103.0 172.21.103.255 1
8 ;;; POOL 1 Clientes VLAN 201
172.21.201.1/24 172.21.201.0 172.21.201.255 1
9 ;;; POOL 2 Clientes VLAN 201
172.21.202.1/24 172.21.202.0 172.21.202.255 1
10 ;;; POOL 1 Clientes VLAN 251
172.21.251.1/24 172.21.251.0 172.21.251.255 1
11 ;;; POOL 2 Clientes VLAN 102
172.21.104.1/24 172.21.104.0 172.21.104.255 1
12 ;;; Pool Publico 1 All VLANs
XXX.136.0.1/24 XXX.136.0.0 XXX.136.0.255 1
13 ;;; POOL 3 Clientes Default VLAN
172.21.3.1/24 172.21.3.0 172.21.3.255 1
14 ;;; POOL 4 Clientes Default VLAN
172.21.4.1/24 172.21.4.0 172.21.4.255 1
15 ;;; Pool Publico 2 All VLANs
XXX.251.21.1/24 XXX.251.21.0 XXX.251.21.255 1
[uTik-PPP1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Las IPs Publicas no usan Masquerade, salen antes de aca.
chain=srcnat action=return src-address-list=IPs_Publicas_01
1 X chain=dstnat action=log dst-address-list=IPs_Publicas_01
log-prefix="a ver---"
2 X ;;; Las IPs Privadas, usan Masquerade para salir.
chain=srcnat action=masquerade
3 chain=srcnat action=masquerade src-address=172.21.1.0/24
4 chain=srcnat action=masquerade src-address=172.21.2.0/24
5 chain=srcnat action=masquerade src-address=172.21.3.0/24
6 chain=srcnat action=masquerade src-address=172.21.4.0/24
7 chain=srcnat action=masquerade src-address=172.21.101.0/24
8 chain=srcnat action=masquerade src-address=172.21.102.0/24
9 chain=srcnat action=masquerade src-address=172.21.103.0/24
10 chain=srcnat action=masquerade src-address=172.21.104.0/24
11 chain=srcnat action=masquerade src-address=172.21.201.0/24
12 chain=srcnat action=masquerade src-address=172.21.202.0/24
13 chain=srcnat action=masquerade src-address=172.21.251.0/24
Thanks in advance!