Hello there,
we are searching for a valid wireless solution for some of our clients (10-15 clients) which doesn't have an xDSL line because they are to far away from the next DSL-PON.

We are speaking about 2km of distance (clear line of sight to all clients), so not the problem.

Now the question: How should we configure the Mikrotik products to be conform to the European laws - in particular Italian Laws?
As we have discovered we have to use Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) and limit the maximal power to 30dbm (1000mW)? Is this true?

How to achieve this in RouterOS?

Thank you very much for any response!

I'm speaking natively German.. so sorry about some typos..

Add this to your wireless configuration :

Thanks for your reply!

So setting "regulatory-domain" to the right country implies the right TPC settings?

..and shouldn't it be with radar detection enabled? (DFS=enabled)

Yes setting the regulatory-domain limits your output power according to regulations.
About the type of DFS maybe someone from Italy can say what is the required option for there.

Yeah we absolutely need TPC+DFS for the 5GHz band outdoors (it's a european law and written in 802.11h standart)..
Radar detection and power reduction.. in fact TPC+DFS with automatic frequency selection..

So the frequency is selected in automatic with your supplied settings?

For easy reply about Italian law, I write on Italian.

********

Prima di tutto, se non sei un WISP autorizzato dal Ministero, (non lo so, non lo hai scritto)
non puoi neanche montarli apparecchi che trasmettono al di fuori dei confini della proprietà su cui vengono installati (sia a 5 che a qualsiasi altra frequenza).

Poi per le Hyperlan, il DFS deve essere attivo con il rilevamento radar, puoi usare solo le frequenze da 5500 a 5700 (metti nello scan interval "5500-5700") con canali da 5 / 10 / 20 o 20 + 20 MHz.
Per limitare la potenza al giusto valore devi mettere in antenna gain NON QUANTO VUOI GUADAGNARE come alcuni imbecilli dicono... ma quanto è il guadagno nominale dell'antenna togliendo 3dBi per i collegamenti, per esempio se metti un antenna da 10, devi metterci 7 per compensare la perdita delle connessioni (a meno che l'antenna non sia saldata direttamente alla routerboard).

Mettendo Regulatory domain il software regola automaticamente la potenza di legge in base al guadagno d'antenna che hai scritto.

Spero sia tutto chiaro.

P.S.: Attualmente è vietato fare punto-punto con i 5GHz, si possono fare solo punto-multipunto, quindi metti un diffusore a cui collegare poi tutti i clienti.
Ma ricordati di chiedere l'autorizzazione al Ministero.

For easy reply about Italian law, I write on Italian.

********

Prima di tutto, se non sei un WISP autorizzato dal Ministero, (non lo so, non lo hai scritto)
non puoi neanche montarli apparecchi che trasmettono al di fuori dei confini della proprietà su cui vengono installati (sia a 5 che a qualsiasi altra frequenza).

Poi per le Hyperlan, il DFS deve essere attivo con il rilevamento radar, puoi usare solo le frequenze da 5500 a 5700 (metti nello scan interval "5500-5700") con canali da 5 / 10 / 20 o 20 + 20 MHz.
Per limitare la potenza al giusto valore devi mettere in antenna gain NON QUANTO VUOI GUADAGNARE come alcuni imbecilli dicono... ma quanto è il guadagno nominale dell'antenna togliendo 3dBi per i collegamenti, per esempio se metti un antenna da 10, devi metterci 7 per compensare la perdita delle connessioni (a meno che l'antenna non sia saldata direttamente alla routerboard).

Mettendo Regulatory domain il software regola automaticamente la potenza di legge in base al guadagno d'antenna che hai scritto.

Spero sia tutto chiaro.

P.S.: Attualmente è vietato fare punto-punto con i 5GHz, si possono fare solo punto-multipunto, quindi metti un diffusore a cui collegare poi tutti i clienti.
Ma ricordati di chiedere l'autorizzazione al Ministero.

To simplify I'll backwrite in Italian too..

GRAZIE MILLE! ALMENO UNO CHE SA LEGGERE LE LEGGI!

Anche noi voremmo fare le connessioni a regola d'arte.. non come tante imbecilli che montano delle antenne con potenze di 3-4W e fanno fuori tutte le altre connessioni senza rispettare nulla..
Mi spiego.. vorremmo essere/fare WISP per alcuni clienti che purtroppo hanno una posizione dove la telecom non ci arriva col ADSL (una decina per antenna per intenderci)..

L' allegato 12 (o 11 mi pare) non è più un obbligo, esatto?
Per l'autorizzazione..come faccio?

Scusa se ti chiedo.. ci possiamo scambiare i nostri indirizzi email così magari ci facciamo una chiacchierata privata?

Saluti!

Dal punto di vista burocratico non me ne sono occupato io, non saprei.

Ti consiglio di farti aiutare da assoprovider, ci riunisce tutti e cura i nostri interessi.

Per quanto rigarda il contattarmi, non fornisco ovviamente la mia mail a nessuno, non per cattiveria, ma preferisco rispondere sul forum, in modo che leggano tutti,

e soprattutto quando ho tempo

Ciao e in bocca al lupo!

Dal punto di vista burocratico non me ne sono occupato io, non saprei.

Ti consiglio di farti aiutare da assoprovider, ci riunisce tutti e cura i nostri interessi.

Per quanto rigarda il contattarmi, se hai un problema può darsi che ti posso rispondere pure io, ci dedico ogni tanto un pochetto di tempo...

Ciao e in bocca al lupo!

Grazie! E a loro li chiedo di farmi avere dei documenti o devo essere membro iscritto e pagare una mazza di soldi prima..?

Contatto=ok, anche se non so come ti posso raggiungere siccome non sono in grado di inviare messaggi privati.. boh..

If you have some problem, symply ask on forum, and someone, can be also I, try to answer.

I warn you about ask for help to start from zero: usually is too hard to help someone start from zero...

I suggest some training first and start with the right way.

Usually distributors like S.I.C.E. at Lucca, Italy get some free or near free course if you buy some amount of devices.

Good luck,

Ciao.

Thank you very much for your time!

I'll look further and I'll post my questions in forum!

Thank you very much again!

Saluti!

P.S.: Attualmente è vietato fare punto-punto con i 5GHz, si possono fare solo punto-multipunto, quindi metti un diffusore a cui collegare poi tutti i clienti.
Ma ricordati di chiedere l'autorizzazione al Ministero.

"Considerato quanto sopra, è opportuno che sia chiarito e verificato il rispetto da parte dei
possibili utilizzatori affinché le WAS/RLANs non siano utilizzate per collegamenti fissi in modalità
punto-punto ma soltanto per rilegare gli access point in modalità punto-multipunto, a supporto della
rete che utilizza la stessa banda di frequenze per offrire l’accesso radio alla rete di comunicazione a
terminali nomadici. E’, pertanto, possibile adoperare impianti a 5 GHz per segmenti della rete di
trasporto, purché alimentino Access Point che forniscono accesso al pubblico esclusivamente alla
medesima frequenza di 5 GHz (facendo il “backhauling di se stesse”) e nel rispetto delle
sopracitate condizioni."

Giusto per evitare allarmismi

Bravissimo..

Allora per fare qualcosa del genere ci sono problemi?
Lo stabilimento principale sarebbe sul tetto di un privato che ci fà usare il suo palo d'antenna..

Saluti!

N.B. Renato non dimenticare di leggere i messaggi in Skype..

I suggest:

One RB1100AHx2 as router, gateway, pppoe-server, DNS server, NTP server, RADIUS by user-manager.

For PtMP I can suggest some devices, but depend on the angle of each building from the center of PtMP
If are inside 90°, one SXTG-5HPnD-SAr2 for PtMP master and 3 SXT-5HPnD as slave.

If are more than 90° add one SXTG-5HPnD-SAr2 as separate devices or made PtP using two SXT-5HPnD

At this point one OmniTIK UPA-5HnD as AP for the CPE. The OmniTik also power the SXT-5HnD and is not needed any other router or switch.

For CPE for the client, one STX Lite5 powered by one RB951Ui-2HnD acting also as Home AP.

All the device you need (excluding failover) are:
1x RB1100AHx2 [$349]
1x SXT Sixpack containing one SXTG-5HPnD-SAr2 and 5 SXT-5HPnD (2 are for spare or used instead of SXT Lite5) [$445]
3x OmniTIK UPA-5HnD [$99 x 3]
12x SXT Lite5 (or 10 if the 2 SXT-5HPnD on SXT sixpack are used instead of SXT Lite5) [$59 x 12 (or x 10)]
12x RB951Ui-2HnD [$59,95 x 12]

TOT. $2518 (or $2400) = 1881€ (or 1497€)

I suggest:

One RB1100AHx2 as router, gateway, pppoe-server, DNS server, NTP server, RADIUS by user-manager.

For PtMP I can suggest some devices, but depend on the angle of each building from the center of PtMP
If are inside 90°, one SXTG-5HPnD-SAr2 for PtMP master and 3 SXT-5HPnD as slave.

If are more than 90° add one SXTG-5HPnD-SAr2 as separate devices or made PtP using two SXT-5HPnD

At this point one OmniTIK UPA-5HnD as AP for the CPE. The OmniTik also power the SXT-5HnD and is not needed any other router or switch.

For CPE for the client, one STX Lite5 powered by one RB951Ui-2HnD acting also as Home AP.

All the device you need (excluding failover) are:
1x RB1100AHx2 [$349]
1x SXT Sixpack containing one SXTG-5HPnD-SAr2 and 5 SXT-5HPnD (2 are for spare or used instead of SXT Lite5) [$445]
3x OmniTIK UPA-5HnD [$99 x 3]
12x SXT Lite5 (or 10 if the 2 SXT-5HPnD on SXT sixpack are used instead of SXT Lite5) [$59 x 12 (or x 10)]
12x RB951Ui-2HnD [$59,95 x 12]

TOT. $2518 (or $2400) = 1881€ (or 1497€)

Yeah man! This is more than I would have ever dreamed about!
To make this public i have changed my scheme to show it to everybody out there!

For the RADIUS we would use our external radius server..but for the rest..

I am really impressed about this help!!

Ah, one thing... if one of the three points can be viewed from all clients, you do not need all three backaul, but only one...

If you have the needs to expand wireless signal on home, you can use RB951-2n as WDS repeater without cable (or RB951G-2HnD model as WDS repeater, if you need more coverage).

I miss to write which inside RB951Ui-2HnD, you can also set up VoIP / SIP true QoS....

Ah, one thing... if one of the three points can be viewed from all clients, you do not need all three backaul, but only one...

It qould be nice, but in this case there is no line of sight between them..

I miss to write which inside RB951Ui-2HnD, you can also set up VoIP / SIP true QoS....

This should be the second step..
Using a "simple" VOIP-gateway to connect the traditional client phones to a valid VOIP provider..
Configuring right QoS policies and there you go!

So clients could terminate their expensive phone line contracts..

What do you think.. Should I use use a routed network just from the beginning on? It's more complicated to configure but more valid for upsizing in a second moment, right?

I suggest to start with pppoe server, because later can be very hard change idea....

Internet => RB1100AHx2 => Routing (or NATting if you not provide public IP to end users) => pppoe-server (inside) => Layer 2 network (SXT-SA Backhaul [Access-Point] => SXT Lite5 CPE) => RB951 => pppoe-client (internal) => CPU (routing function) => client network.

I suggest to start with pppoe server, because later can be very hard change idea....

Ok, I'll do that. Also big providers are using it, so it will be sure a very valid solution!

Internet => RB1100AHx2 => Routing (or NATting if you not provide public IP to end users) => pppoe-server (inside) => Layer 2 network (SXT-SA Backhaul [Access-Point] => SXT Lite5 CPE) => RB951 => pppoe-client (internal) => CPU (routing function) => client network.

So i should make a bridge from BH0 over BH1 (SXT-5HP and UPA-5H) to the SXT-Lite on the client building? Right?

P.S.: Attualmente è vietato fare punto-punto con i 5GHz, si possono fare solo punto-multipunto, quindi metti un diffusore a cui collegare poi tutti i clienti.
Ma ricordati di chiedere l'autorizzazione al Ministero.

"Considerato quanto sopra, è opportuno che sia chiarito e verificato il rispetto da parte dei
possibili utilizzatori affinché le WAS/RLANs non siano utilizzate per collegamenti fissi in modalità
punto-punto ma soltanto per rilegare gli access point in modalità punto-multipunto, a supporto della
rete che utilizza la stessa banda di frequenze per offrire l’accesso radio alla rete di comunicazione a
terminali nomadici. E’, pertanto, possibile adoperare impianti a 5 GHz per segmenti della rete di
trasporto, purché alimentino Access Point che forniscono accesso al pubblico esclusivamente alla
medesima frequenza di 5 GHz (facendo il “backhauling di se stesse”) e nel rispetto delle
sopracitate condizioni."

Giusto per evitare allarmismi

Scusate se mi intrometto, vorrei chiedere un chiarimento riguardo questi 2 post.
Di fatto è consentito usare i 5GHz per portare connettività alle bts? (Quando dice backhauling di se stesse si intende anche la possibilità di utilizzare un'altra RB e antenna collegate a quella che farà da PTMP oppure no?)

I will try this test-setup over night (if I have enough spare time..):

First, please have a look at the uploaded scheme:
1. I will use my home network as the "internet backbone": subnet=192.168.178.0/24
2. I will try to route some of the free home IP addresses to the client endpoints using PPPoE
3. On the "WISP starting point" I'll setup a Mikrotik PPPoE server sharing the IP's to the final clients
4. Should I bridge from the "WISP starting point" till the "final clients"? (or EoIP tunnels? MPLS/VPLS?)
5. I will simulate all the wireless and wired connections by using a simple patch connection between my test setup routerboards
6. I will not sleep today..

How should I begin.. have you any hints for me, so I could try to simulate the entire project..

Thank you all in advance!

I suggest to start with pppoe server, because later can be very hard change idea....

Ok, I'll do that. Also big providers are using it, so it will be sure a very valid solution!

Internet => RB1100AHx2 => Routing (or NATting if you not provide public IP to end users) => pppoe-server (inside) => Layer 2 network (SXT-SA Backhaul [Access-Point] => SXT Lite5 CPE) => RB951 => pppoe-client (internal) => CPU (routing function) => client network.

So i should make a bridge from BH0 over BH1 (SXT-5HP and UPA-5H) to the SXT-Lite on the client building? Right?

Sorry, I miss something but the concept is the same:

Internet => RB1100AHx2 => Routing (or NATting if you not provide public IP to end users) => pppoe-server (inside) => Layer 2 network (SXT-SA Backhaul [Access-Point] => SXT 5HPnD => OmniTik UPA-5HnD => SXT Lite5 CPE) => RB951 => pppoe-client (internal) => CPU (routing function) => client network.

On each device (except CPE) ether1 and wlan1 are simply bridged.
All "PTP" are one ap-bridge with WDS and station-wds (without WDS active).
CPE connect as "station" to OmniTik as "ap-bridge" without any form of WDS.
Inside the CPE the pppoe-client is directly linked to ether5 (the PoE out port)

And finally for clarity:
Internet =>
RB1100AHx2 => Routing (or NATting if you not provide public IP to end users) => pppoe-server (inside) =>
ether1 of RB1100AHx2 =>
ether1 of SXT-SA => bridge [STOP. wlan1 is not put on that bridge.] wlan1 as ap-bridge with wds on dynamic mesh and default bridge to bridge =>
wlan1 of SXT 5HPnD as station-wds (no wds configured) => bridge => ether1 =>
ether2 (PoE out) of the OmniTik UPA-5HnD => bridge [STOP. wlan1 is not put on that bridge.] wlan1 as ap-bridge with wds on dynamic mesh and default bridge to bridge =>
wlan1 of SXT Lite5 as station-wds (no wds configured) => bridge => ether1 =>
ether 5 of the RB951 (the PoE out port) => pppoe-client (internal) =>
CPU (routing / natting / etc.) =>
ether1 => VoIP
ether2 as master port + ether3 as slave of ether2 => client network.

OK, I'll try that..

Please take a look at my new testing scheme, I will use the specified parts since I have them as spare parts.
The testing system should run like that, right?

Thank you very much!

If i not see wrong, can be used as test environment.

Should I set IP addresses like in the scheme on the bridge interfaces or on hardware-interfaces?

Because when I am trying to ping from the AP1 (10.0.0.2) to the CPE (10.0.0.5) then i get just a timeout..

Thanks!

client side must not have 10.0.0.x but 192.168.x.x

ppoe must provide 172.16.0.x

On synthesys:

One "NET" 10.0.0.0/24 for the "distribution devices"
One "NET" 172.16.0.0/24 for the pppoe-server / pppoe-clients (on future can be one public IP address pool)
One internal network (the same!) 192.168.0.0/24 for each client.

The route are automatically generated, the only ting you must add are on the CPE the masquerade on pppoe-client out.
And on pppoe-server, if you not have public IP to the clients, must add one masquerade from ppp addresses to WAN out.

client side must not have 10.0.0.x but 192.168.x.x

ppoe must provide 172.16.0.x

On synthesys:

One "NET" 10.0.0.0/24 for the "distribution devices"
One "NET" 172.16.0.0/24 for the pppoe-server / pppoe-clients (on future can be one public IP address pool)
One internal network (the same!) 192.168.0.0/24 for each client.

The route are automatically generated, the only ting you must add are on the CPE the masquerade on pppoe-client out.
And on pppoe-server, if you not have public IP to the clients, must add one masquerade from ppp addresses to WAN out.

Sorry to insist, but WHY can't I connect to AP4 via MAC (with winbox)? Are there to many hops?

[...]
WHY can't I connect to AP4 via MAC (with winbox)? Are there to many hops?

Once is full configured, you can not connect to one MAC outside the local lan of the PC.

The only way is to use on the backhaul / pppoe-server the neighbor list or wireless registration table to launch MAC telnet.

For reach the CPE you must call the IP assigned to pppoe-server at the CPE on pppoe-client.

[...]
WHY can't I connect to AP4 via MAC (with winbox)? Are there to many hops?

Once is full configured, you can not connect to one MAC outside the local lan of the PC.

The only way is to use on the backhaul / pppoe-server the neighbor list or wireless registration table to launch MAC telnet.

For reach the CPE you must call the IP assigned to pppoe-server at the CPE on pppoe-client.

Sorry, probably I'm just to "stupid" to understand this..

I can connect via winbox (on IP and MAC address) to AP3, local PC is in same subnet as the backhauls (10.0.0.0/24);
the PC is directly connected to AP1 via ethernet cable. I'm just testing the bridged part from AP1 to CPE..

BUT

I can NOT reach AP4..
is this really normal? I am not sure..

AND

when I am on AP3 and try to open a MAC telnet to AP4 it is also NOT running..

...is this really normal? I am not sure...

If all is configure correctly you MUST reach wlan1 on CPE from that point.

When you click on "..." winbox, CPE appear?

...is this really normal? I am not sure...

If all is configure correctly you MUST reach wlan1 on CPE from that point.

When you click on "..." winbox, CPE appear?

Yes sure!

I write a sentence in italian for better understanding:
tutto sembra un pò strano siccome riesco a vedere tutto il tragitto incluso il CPE..
poi se voglio connettermi al CPE (e anche già al AP4), winbox si apre però i dati vengono attualizzati solo ogni decina di secondi..
insomma qualche cosa non mi quadra..
E poi essendo anche collegato al AP3 non sono in grado di connettermi al AP4 che è il suo vicino.. :O

I think the problem are AP4 configured as station only.

Set WDS on AP3 and set station-wds on AP4.

Usually pppoe-client are connected to AP4, in this case are moved inside one separate devices...

OH GOOD!
It seemed to be resolved..

You'll never go to guess where the problem was..

It was just an ARP cache issue first on my Windows PC and than on all the bridge..!
I have restartet all the machines and there you go!

"The most stupid errors are the one produced by the user..!"

Now I'll go on reconfiguring the ip addresses as you secified..

step 1:

One "NET" 10.0.0.0/24 for the "distribution devices"

bridge IP AP1=10.0.0.1/24
bridge IP AP2=10.0.0.10/24
bridge IP AP3=10.0.0.11/24
bridge IP AP4=10.0.0.100/24
Is this OK?

step 2:

One internal network (the same!) 192.168.0.0/24 for each client.

ether1 IP CPE=192.168.100.1/24
Is this OK?

step 3:

One "NET" 172.16.0.0/24 for the pppoe-server / pppoe-clients (on future can be one public IP address pool)

ether1 IP PPPoE server (RB2011L)=172.16.0.1/24
ether1 IP CPE=172.16.0.10/24
Is this OK?

So the CPE will have 2 IP's on his ether1, right?

>>>So the CPE will have 2 IP's on his ether1, right?

NOT, one on ether1 (192....)
and one on pppoe-client, but for this simulation are ether5 (172....)

ether5 on CPE are separate from each bridge or switch!

>>>So the CPE will have 2 IP's on his ether1, right?

NOT, one on ether1 (192....)
and one on pppoe-client, but for this simulation are ether5 (172....)

ether5 on CPE are separate from each bridge or switch!

So CPE ether1 IP=192.168.100.1/24 and PPPoE server ether1 IP=172.16.0.1/24?
Then on PPPoE server I create an IP-pool from 172.16.0.10-172.16.0.100 for the pppoe clients?
On the CPE i create a pppoe-client interface wich is connecting to the pppoe server on IP 172.16.0.1?

NOT.

[...]

Now I think I understand..

pppoe server ether1 IP=192.168.100.1
pppoe client (CPE) ehter1 IP=192.168.100.2

pppoe server profile has a local IP=172.16.0.1 and and IP pool in the same subnet..

The IP 172.16.X.x/24 is NEVER be assigned on any ethernet interface (just now for simulating)

Are inside the pppoe-server pool and assigned automatically to the pppoe-server and pppoe-client

the pool must be IP-pool from 172.16.0.1-172.16.0.254 for the pppoe clients AND ppoe server itself.

E' meglio che configuri subito il pppoe-server e il client altimenti si fa casino su come simulare il pppoe-server e il client....

>>>pppoe server ether1 IP=192.168.100.1 NOT
>>>pppoe client (CPE) ehter1 IP=192.168.100.2 NOT

>>>pppoe server profile has a local IP=172.16.0.1 NOT, have same pool for local IP....
>>> and IP pool in the same subnet... YES[/quote]

The IP 172.16.X.x/24 is NEVER be assigned on any ethernet interface (just now for simulating)

Are inside the pppoe-server pool and assigned automatically to the pppoe-server and pppoe-client

the pool must be IP-pool from 172.16.0.1-172.16.0.254 for the pppoe clients AND ppoe server itself.

E' meglio che configuri subito il pppoe-server e il client altimenti si fa casino su come simulare il pppoe-server e il client....

È l'inglese che mi fa morire..

pppoe-server ether1 IP=?
CPU ether1 IP=?
pppoe-server default profile local address=?
pppoe-server pool=from-to?

On 2011:
ether1 => dhcp client for you home network
ether2 => AP 10.0.0.1/24
pppoe-server: local address and remote from pool_pppoe linked on ether 2
pool_pppoe=172.16.0.1-172.16.0.254
masquerade on firewall when out interface= ether1 and src address are 172.16.0.0/24

AP1 bridge => 10.0.0.2/24 ( or any 10.0.0.x/24)

AP2 bridge => 10.0.0.3/24 ( or any 10.0.0.x/24)

AP3 bridge => 10.0.0.4/24 ( or any 10.0.0.x/24)

AP4 bridge => 10.0.0.5/24 ( or any 10.0.0.x/24)

CPE ether5 => NO IP and is linked on ether1 of AP4
ether1 => 192.168.100.1 + DHCP SERVER with 192.168.100.101-192.168.100.199 POOL FOR LEASE
pppoe-client linked on ether5 (and is getting automatically 172.16.0.x/24 address)
masquerade on firewall where out=pppoe-client and src address=192.168.100.0/24

done.

Do not forget:
put on the route 10.0.0.1 as default 0.0.0.0/0 gateway for all AP (do not put any route on the CPE!!! is all dynamic)


Buon lavoro, per oggi chiudo.

It's running! (actually without masquerading, but it won't change that much)

Another question:
To manage the CPE's connected to the pppoe server; whats the best practise?
Telnetting from pppoe server or using a client machine in the 10.0.0.0/24 subnet, or a bridge from 10.0.0.0 to an interface on the pppoe?

simply put 172.16.x.x on winbox or MAC telnet on pppoe-server neighbor list

simply put 172.16.x.x on winbox or MAC telnet on pppoe-server neighbor list

Thats good!

Suppose I have some private clients; they will just get a NATed dynamic IP address.
Then I have some professional clients; they should get a static IP from the 192.168.17.0/24 pool.
So i have to setup the ether1 RB2011 with this ip pool, right?
And then how to forward the single IPs or blocks of IPs to the client?

simply put 172.16.x.x on winbox or MAC telnet on pppoe-server neighbor list

Thats good!

Suppose I have some private clients; they will just get a NATed dynamic IP address.
Then I have some professional clients; they should get a static IP from the 192.168.17.0/24 pool.
So i have to setup the ether1 RB2011 with this ip pool, right?
And then how to forward the single IPs or blocks of IPs to the client?

There is more than one way for do the same...

If you want assign one public ip pool, simply put on pppoe-client account (on user account on server, not on client!) one fixed ip address from 172.16.0.x/24 pool (and reduce the pool of 1)
route all the fixed ip user have to that IP, like
8.8.8.0/29 => 172.16.0.2
put on CPE ether1 8.8.8.1/29
now all the devices connected on ether1 can get it's own address specifing for gateway ether1 address 8.8.8.1/29
!!!AND!!!
DHCP still working for the device not using fixed public IP.
===>>> no more masquerade needed <<<===

If you want give only one public IP address, for open port, simply put it on pppoe-client account (on user account on server, not on client!).
On CPE side you can NAT the port you want

pretty good...!
all running, as far as I can test in my small homelab..

The pppoe-server is connected to my home-network via ether10 (I have changed the ports since it's easier to manage in my lab)
with the IP address 192.168.178.220/24.
I am routing the test "public IPs" from subnet 192.168.178.200/30 over 172.16.0.101 (wich is the pppoe-clients IP on interface "pppoe-out1").
On the CPE I have set the 192.168.178.201/30 on interface "ether1".
When I ping locally from the pppoe-server to the 192.168.178.201 its running perfectly!!

To be able to ping from the CPE back to the home-network (192.168.178.220 interface="ether10" on pppoe-server) I have to set a default gateway on the CPE?
Should I use the IP 172.16.0.1 or just the interface "pppoe-out1"?

simply put 172.16.x.x on winbox or MAC telnet on pppoe-server neighbor list

Thats good!

Suppose I have some private clients; they will just get a NATed dynamic IP address.
Then I have some professional clients; they should get a static IP from the 192.168.17.0/24 pool.
So i have to setup the ether1 RB2011 with this ip pool, right?
And then how to forward the single IPs or blocks of IPs to the client?

There is more than one way for do the same...

If you want assign one public ip pool, simply put on pppoe-client account (on user account on server, not on client!) one fixed ip address from 172.16.0.x/24 pool (and reduce the pool of 1)
route all the fixed ip user have to that IP, like
8.8.8.0/29 => 172.16.0.2
put on CPE ether1 8.8.8.1/29
now all the devices connected on ether1 can get it's own address specifing for gateway ether1 address 8.8.8.1/29
!!!AND!!!
DHCP still working for the device not using fixed public IP.
===>>> no more masquerade needed <<<===

If you want give only one public IP address, for open port, simply put it on pppoe-client account (on user account on server, not on client!).
On CPE side you can NAT the port you want

Well, it's running nicely!
Another question..
How do you control what your clients are doing on their connections? (Traffic flow?)
I thought i could use a firewall logging rule in the forwarding chain which logs every packet that has the "Connection state: NEW"..?!
Is this totally wrong to have enough informations about what the user is doing? You know, if someone is doing "crappy things" then I have to proof WHO is the offender!?