bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Help! PPPoE and Static same interface

Mon May 04, 2015 1:41 am

Hi all,

I am trying to find out how to make a connection similar to the one I have at the moment but I want to improve the network to RouterOS.

I bought a CRS109 and want to make it my default router at home.

I have a bridge that brings ADSL as a PPPoE, but I would like to still access this bridge from the LAN.
What I want to do is what I believe is called a Dual Access PPPoE or Russian PPPoE.

Basically Bridge has IP 192.168.0.1
Router gets this bridge on eth1 and LAN on eth2-8.

I want to access the bridge from the LAN and still have the router connect to the internet via the PPPoE connection.
Is this possible with RouterOS?

Regards!
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Tue May 12, 2015 5:13 pm

I am really interested in knowing if this is possible! (bump)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help! PPPoE and Static same interface

Tue May 12, 2015 5:35 pm

I'm not sure which you mean:

a) clients should be able to connect to any port of the Mikrotik and do DHCP request to be "Behind the Mikrotik" or PPPoE to get their own direct IP from the ISP and be "outside of the Mikrotik"

b) clients plugged into certain ports must use DHCP to get an IP address and connectivity via the Mikrotik, or they may connect to other ports where it's the same as if they were plugged directly into the modem, and are "outside" the Mikrotik (dhcp will fail here)

I recommend B, as A will expose your LAN to the DSL bridge, and depending on how the ISP has the bridge configured on the server side, it could bridge you with other DSL customers... a security risk.

To do B, I recommend using hardware switching if your unit supports it. Suppose ether1 is the one plugged into the modem directly, and you want ether2 and ether3 to be PPPoE ports - set those to use ether1 as master port.
Then you must use cpu bridging to connect the remaining ports as LAN - ether4 and ether5 are ports on LanBridge, where IP address, DHCP, firewall rules, etc are all configured on LanBridge.

This configuration is the same as if you bought a basic unmanaged "desktop switch" and plugged it in between the ADSL modem and your Mikrotik. (this might actually be a preferable solution if you have a lot of lan <-> lan traffic, as a CPU bridge will limit performance)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
lambert
Long time Member
Posts: 532
Joined: Fri Jul 23, 2010 1:09 am

Re: Help! PPPoE and Static same interface

Tue May 12, 2015 6:10 pm

> Hi all,
>
> I am trying to find out how to make a connection similar to the one I have at the moment but I want to improve the network to RouterOS.
>
> I bought a CRS109 and want to make it my default router at home.
>
> I have a bridge that brings ADSL as a PPPoE, but I would like to still access this bridge's from the LAN.
> What I want to do is what I believe it's called a Dual Access PPPoE or Russian PPPoE.
>
> Basically Bridge has IP 192.168.0.1
> Router gets this bridge on eth1 and LAN on eth2-8.
>
> I want to access the bridge from the LAN and still have the router connect to the internet via the PPPoE connection.
> Is this possible with RouterOS?
>
> Regards!

This is not a clear request.

Your ADSL modem, what you are calling the bridge?, is configured with 192.168.0.1/24 on its ethernet interface. Yes / No?

Your ADSL modem also passes through PPPoE so that your CRS109 can get a public IP for Internet access. Yes / No?

You want to use PPPoE on the MikroTik for Internet access and also still be able to manage the ADSL modem from inside your network. Yes / No?

If all three are yes, just:

1) Configure IP address 192.168.0.2/24 on your MikroTik's ether1 interface.
2) Configure PPPoE client interface on the MikroTik.
3) Use any subnet other than 192.168.0.0/24 on your MikroTik's LAN.

If some answers are No, we'll need more information.
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Tue May 12, 2015 7:13 pm

> This is not a clear request.
>
> Your ADSL modem, what you are calling the bridge?, is configured with 192.168.0.1/24 on its ethernet interface. Yes / No?
>
> Your ADSL modem also passes through PPPoE so that your CRS109 can get a public IP for Internet access. Yes / No?
>
> You want to use PPPoE on the MikroTik for Internet access and also still be able to manage the ADSL modem from inside your network. Yes / No?
>
> If all three are yes, just:
>
> 1) Configure IP address 192.168.0.2/24 on your MikroTik's ether1 interface.
> 2) Configure PPPoE client interface on the MikroTik.
> 3) Use any subnet other than 192.168.0.0/24 on your MikroTik's LAN.
>
> If some answers are No, we'll need more information.

Well, I guess it was easier than I thought =)
And all the answers are Yes.

I thought I had to create some routes or something like that in order to pass traffic between LAN and eth1.
Guess I was complicating the simple.

Will try that and let you know if it did work!
Thanks though.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help! PPPoE and Static same interface

Tue May 12, 2015 8:53 pm

> You want to use PPPoE on the MikroTik for Internet access and also still be able to manage the ADSL modem from inside your network. Yes / No?

Ah - that was the item that I misunderstood in my answer.
I did the same thing for the DOCSIS address with my router. :)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Sat May 16, 2015 11:27 pm

> This is not a clear request.
>
> Your ADSL modem, what you are calling the bridge?, is configured with 192.168.0.1/24 on its ethernet interface. Yes / No?
>
> Your ADSL modem also passes through PPPoE so that your CRS109 can get a public IP for Internet access. Yes / No?
>
> You want to use PPPoE on the MikroTik for Internet access and also still be able to manage the ADSL modem from inside your network. Yes / No?
>
> If all three are yes, just:
>
> 1) Configure IP address 192.168.0.2/24 on your MikroTik's ether1 interface.
> 2) Configure PPPoE client interface on the MikroTik.
> 3) Use any subnet other than 192.168.0.0/24 on your MikroTik's LAN.
>
> If some answers are No, we'll need more information.

So I configured IP on ether1 interface.
I saw that there was a route automatically added to 192.168.0.0/24
Configured PPPoE in that interface.
Subnet for LAN is in 192.168.1.0/24

Problem:
I cannot ping inside 192.168.0.0/24 from LAN.
Mikrotik can ping 192.168.0.0/24 from web portal.

I have although, Internet access on LAN =)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 1:42 am

> Problem:
> I cannot ping inside 192.168.0.0/24 from LAN.
> Mikrotik can ping 192.168.0.0/24 from web portal.
>
> I have although, Internet access on LAN =)

Add this rule to your srcnat chain, BEFORE the normal masquerade rule for the pppoe interface:
action=src-nat to-addresses=192.168.0.x dst-address=192.168.0.0/24
(where x = the IP that you put on the wan ethernet interface itself)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 2:41 am

> > Problem:
> > I cannot ping inside 192.168.0.0/24 from LAN.
> > Mikrotik can ping 192.168.0.0/24 from web portal.
> >
> > I have although, Internet access on LAN =)
>
> Add this rule to your srcnat chain, BEFORE the normal masquerade rule for the pppoe interface:
> action=src-nat to-addresses=192.168.0.x dst-address=192.168.0.0/24
> (where x = the IP that you put on the wan ethernet interface itself)

Fully functional at first try ! :D
Thank you very much.

In any case, just for self-awareness, shouldn't this case deal only with basic routing without any NAT?
 
pukkita
Trainer
Posts: 2984
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 12:58 pm

RouterOS routes by default, once you set IP addressing on two given interfaces the proper routes are already set.

The problems that remain are two-fold: your router needs to know how to reach your LAN (you'll need to set a route on it), and you need to open the firewall.

ZeroByte pointed out the most elegant solution as it solves those two problems with a very simple solution: NAT.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 5:16 pm

Routing vs. NAT:

Routing = deciding the next hop where a packet should be sent to get it to its destination
NAT = Changing the source and/or destination IP address on the packets for various reasons.

There's a concept that I've noticed most people learning IP seem to have trouble with for a while - and it's painfully obvious: in order for a connection to work on the internet, there must be a complete path of routes pointing toward the destination, AND there must be a complete path of routes pointing toward the source. I think it's because an IP route only points to the destination. When the server replies, the reply packet is moving from the "server" to the "client" - so the server is the source now, and the client is the destination now. So on the reply, the routes must lead all the way to the client.

NAT fits into this picture like this:

If you connect to a network, but the network doesn't create routes for your LAN addresses, then any packet from your LAN IP addresses will make it TO the server, but the server's replies won't be able to reach you. If you do NAT on the packets so the source appears to be in a network the ISP knows about (their public IP range, for instance) then the Internet starts working because now the replies can make it to your router which removes the NAT address and forwards them the rest of the way on your internal network.

The NAT solution I gave for talking to the modem is an example, right? The way to fix this without NAT would be for the modem to add a new route with your LAN as the destination, and your WAN interface as the next hop. Literally: "to reach my LAN, give the packets to my router"

The NAT solution is easier in the sense that the configurations that make it work are all in one router, and the modem doesn't need config changes in addition to the ones in the router.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
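
The return-path argument above, worked through as an added Python example (not part of the original thread): it models the modem's routing table with the thread's addresses and shows why the reply fails without NAT, and how either the src-nat rule or a static route on the modem fixes it. The client address 192.168.1.10 and the function names are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; routes is a list of (prefix, next_hop)."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Addresses from the thread; the client address .10 is a constructed sample.
ROUTER_WAN_IP = "192.168.0.2"
MODEM_IP = "192.168.0.1"
LAN_CLIENT = "192.168.1.10"

ROUTER_ROUTES = [("192.168.0.0/24", "connected:ether1"),
                 ("192.168.1.0/24", "connected:lan"),
                 ("0.0.0.0/0", "pppoe-out")]
MODEM_ROUTES = [("192.168.0.0/24", "connected")]  # modem has no default gateway

def ping_modem(client, modem_routes, src_nat_to=None):
    """Trace the request and the reply; return (ok, reason)."""
    # Forward path: the router must know how to reach the modem.
    if lookup(ROUTER_ROUTES, MODEM_IP) != "connected:ether1":
        return False, "router has no route to the modem"
    # Source address the modem sees: rewritten if the src-nat rule matched.
    seen_src = src_nat_to or client
    # Return path: the modem must have a route toward that source.
    hop = lookup(modem_routes, seen_src)
    if hop is None:
        return False, f"modem has no route back to {seen_src}"
    return True, f"reply to {seen_src} via {hop}"

if __name__ == "__main__":
    print("no NAT:      ", ping_modem(LAN_CLIENT, MODEM_ROUTES))
    print("src-nat:     ", ping_modem(LAN_CLIENT, MODEM_ROUTES, ROUTER_WAN_IP))
    routed = MODEM_ROUTES + [("192.168.1.0/24", ROUTER_WAN_IP)]
    print("static route:", ping_modem(LAN_CLIENT, routed))
```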
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 6:59 pm

Ah I guess I got the point!
In fact yes, there was no gateway in the device on the ether1 network so I guess that's why there wasn't any answer back =)
Thanks for the hint!


Let me ask you for a few more questions regarding the security of the Mikrotik.
I configured everything else and now I'm in the Firewall area.

So I noticed that all the Mikrotik services were running unprotected to the WAN.
Honestly I thought that I had to allow them first in the firewall but I guess its services didn't pass on Firewall check and were automatically added to the outside. (I think I'm not mistaken but, please, correct me if I am).

So for now I disabled all the services but webfig (port:80) as a temporary solution for security.
- Is there an option to block the incoming traffic from WAN to the router?

Also, I tried to add a NAT rule to forward FTP from an internal server, but I don't seem able to get it to work.
chain:dstnat protocol:6(tcp) dst.port:21 in.interface:ether1-gateway action:dst-nat To.Addresses:192.168.1.110 ToPorts:21
Is there some error in this rule? Maybe it's being overruled by another?
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Sun May 17, 2015 7:18 pm

Well, as for the block incoming traffic question I think I got it to work since I changed one rule blocking all input traffic from interface "ether1-gateway" to interface "pppoe-out" and it stopped previously opened ports =)


Edit:
I did the same with the NAT, changed "ether1-gateway" to "pppoe-out" and the rule started to work.
Seems to be a differentiation with the pppoe connections (mikrotik assumes it not being ether1?)

Well, in any case, problem solved for now =)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help! PPPoE and Static same interface

Mon May 18, 2015 2:17 am

They have different IP addresses, they represent IP hops between devices attached to them....
It actually makes a lot more sense on the server side - suppose you have 500 customers all connected to ether1 via PPPoE - you'd have 500 interfaces that you could set up with different queues, IP filters, etc....

The other nice thing about this logical interface is that if ether1 ever fails, you can change it to use ether2 for pppoe and you won't have to modify all of your IP settings and firewall settings etc - because the logical interface never changes.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
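
An added example, not from the original posts: a small Python audit for the interface mismatch discussed above, where firewall and NAT rules name the Ethernet port while Internet traffic arrives on the PPPoE interface. The export text is constructed and simplified (one rule per line), and the function names are hypothetical.

```python
import shlex

# Constructed RouterOS-style export for illustration; names follow the thread.
EXPORT = """\
/interface pppoe-client
add name=pppoe-out interface=ether1-gateway user=example disabled=no
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=ether1-gateway
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out
add chain=dstnat action=dst-nat protocol=tcp dst-port=21 in-interface=ether1-gateway to-addresses=192.168.1.110 to-ports=21
"""

def parse_export(text):
    """Return (menu, params) for every 'add' line under its menu path."""
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            params = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            items.append((menu, params))
    return items

def audit(text):
    """Flag rules whose in-interface is the port carrying a PPPoE client.

    Internet traffic arrives on the PPPoE interface, so these rules never
    match it; they only see traffic on the modem's own subnet.
    """
    items = parse_export(text)
    carriers = {p["interface"]: p["name"]
                for m, p in items if m == "/interface pppoe-client"}
    return [(m, p["chain"], p["action"], carriers[p["in-interface"]])
            for m, p in items
            if m.startswith("/ip firewall") and p.get("in-interface") in carriers]

def wan_input_dropped(text):
    """True if an input-chain drop rule names a PPPoE interface."""
    items = parse_export(text)
    pppoe = {p["name"] for m, p in items if m == "/interface pppoe-client"}
    return any(m == "/ip firewall filter" and p.get("chain") == "input"
               and p.get("action") == "drop" and p.get("in-interface") in pppoe
               for m, p in items)

if __name__ == "__main__":
    for finding in audit(EXPORT):
        print("review:", finding)
    print("input drop on PPPoE interface:", wan_input_dropped(EXPORT))
```

A flagged rule is a prompt to review, not automatically an error: a rule can legitimately name the Ethernet port when it is meant for the modem's management subnet.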
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Mon May 18, 2015 2:23 am

> They have different IP addresses, they represent IP hops between devices attached to them....
> It actually makes a lot more sense on the server side - suppose you have 500 customers all connected to ether1 via PPPoE - you'd have 500 interfaces that you could set up with different queues, IP filters, etc....
>
> The other nice thing about this logical interface is that if ether1 ever fails, you can change it to use ether2 for pppoe and you won't have to modify all of your IP settings and firewall settings etc - because the logical interface never changes.

No, no! I meant that it does make sense!

I just got "afraid" at the beginning since I saw all the router's services exposed to the outside since the default Firewall rules were set for ether1 and not for pppoe connections =)

I believe that in a few days I'll come back with more doubts on this, but honestly this is an amazing device and it actually puts you on the learning side =)
 
bekax5
Frequent Visitor
Topic Author
Posts: 77
Joined: Thu Apr 30, 2015 11:27 pm

Re: Help! PPPoE and Static same interface

Thu Jun 11, 2015 2:38 am

One more question.

I am not able to access inside services if I use my DNS anymore.

Before I could for example use my DNS to open my web server or open an SSH session with DNS:22.
Now if I use it inside of the network it doesn't redirect me.

I believe it's some config I have no idea of. Could you enlighten me about this?

Regards!
