Dalvi
just joined
Topic Author
Posts: 4
Joined: Sun Feb 27, 2022 8:23 pm

Setting 3 PPPoE connections, each has to route to its own network

Fri May 12, 2023 10:18 pm

Hi all,

My ISP gives me 3 public IPs, each via its own PPPoE account. I can get all of them on the same Ethernet port (from the ONT), so one WAN.
Now I need to direct each Internet connection to its own server/network. I defined separate PPPoE interfaces, separate VLANs, but I'm afraid I'm in over my head.

Could I get a simple instruction / command list to set this up?
I have the MikroTik RB3011UiAS-RM, with RouterOS v6.49.7 (stable).
I was thinking:
Port 1 - WAN
Port 4 - LAN1
Port 5 - LAN2
Port 6-10 - LAN3

Thanks.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Setting 3 PPPoE connections, each has to route to its own network

Sat May 13, 2023 12:20 am

Good idea, do the planning first, get all the requirements listed, draw a network diagram to show what equipment you may be hooking up............. servers, switches, access points etc......

In terms of requirements.
a. identify all user(s)/device(s) and groups of users/devices and include yourself as the admin.
b. then identify all the traffic you need to happen from where to where.

Then talk in detail about the three connections.
Do you want to share the 3 connections amongst all the users?
Do you want to divvy up connections by subnets?
Is there any failover, primary, secondary type thinking........
 
Dalvi
just joined
Topic Author
Posts: 4
Joined: Sun Feb 27, 2022 8:23 pm

Re: Setting 3 PPPoE connections, each has to route to its own network

Sat May 13, 2023 1:39 am

Thank you so much for the quick reply!

I couldn't find a tool where I could easily draw the diagram, so I used Google Drawing.
https://docs.google.com/drawings/d/1chy ... Kro6hAhU0/
It's actually very simple, with just 3 separate subnets, each corresponding to one PPPoE account and some port mappings.
Right now, the router works just on the 3rd subnet (internal user network) with just a couple of port mappings.

Config attached, but it really is just clutter from my multiple attempts at setting interfaces, VLANs, DHCP pools and such.
# may/13/2023 01:00:05 by RouterOS 6.49.7
# software id = 8M9R-5B02
#
# model = RB3011UiAS
# serial number = E7E90F0F9E2E
/interface bridge
add admin-mac=DC:2C:6E:65:1A:C5 auto-mac=no comment=defconf name=bridge
add name=bridge54
/interface ethernet
set [ find default-name=ether1 ] name=ether01-WAN1
set [ find default-name=ether2 ] disabled=yes name=ether02-WAN2
set [ find default-name=ether3 ] disabled=yes name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether01-WAN1 keepalive-timeout=disabled name=pppoe-out1-54 use-peer-dns=yes user=CRPIS282892727
add add-default-route=yes interface=ether01-WAN1 keepalive-timeout=disabled name=pppoe-out2-55 use-peer-dns=yes user=CRPIS282892821
add add-default-route=yes disabled=no interface=ether01-WAN1 name=pppoe-out3-56 use-peer-dns=yes user=CRPIS282892834
/interface vlan
add interface=ether04 name=VLAN3-IP54 vlan-id=54
add disabled=yes interface=ether03 name=vlan1A-54 vlan-id=1
add disabled=yes interface=ether05 name=vlan1C-54 vlan-id=1
add disabled=yes interface=ether06 name=vlan2A-55 vlan-id=2
add disabled=yes interface=ether07 name=vlan2B-55 vlan-id=2
add interface=ether03 name=vlan3-ether3 vlan-id=3
add disabled=yes interface=ether04 name=vlan3-ether4 vlan-id=3
add interface=ether05 name=vlan3-ether5 vlan-id=3
add interface=ether06 name=vlan3-ether6 vlan-id=3
add interface=ether07 name=vlan3-ether7 vlan-id=3
add interface=ether08 name=vlan3-ether8 vlan-id=3
add interface=ether09 name=vlan3-ether9 vlan-id=3
add interface=ether10 name=vlan3-ether10 vlan-id=3
/interface ethernet switch port
set 2 default-vlan-id=30
set 3 default-vlan-id=54
set 4 default-vlan-id=3
set 5 default-vlan-id=3
set 6 default-vlan-id=3
set 7 default-vlan-id=3
set 8 default-vlan-id=3
set 9 default-vlan-id=3
set 10 default-vlan-id=3
set 11 default-vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp54 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP1-IP56
add address-pool=dhcp54 disabled=no interface=bridge54 lease-time=1m name=DHCP3-IP54
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether02-WAN2
add bridge=bridge54 comment="not defconf" interface=ether04
add bridge=bridge comment=defconf hw=no interface=ether05
add bridge=bridge comment=defconf interface=ether07
add bridge=bridge comment=defconf interface=ether08
add bridge=bridge comment=defconf interface=ether09
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether06
add bridge=bridge interface=ether03
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge54 vlan-ids=54
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch vlan
add comment="IP 56" independent-learning=no ports=ether06,ether07,ether08,ether09,ether10 switch=switch2 vlan-id=3
add comment="For IP54" independent-learning=no ports=ether03,ether04,ether05 switch=switch1 vlan-id=54
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether01-WAN1 list=WAN
add interface=pppoe-out3-56 list=WAN
add interface=pppoe-out1-54 list=WAN
add disabled=yes interface=pppoe-out2-55 list=WAN
add interface=bridge54 list=LAN
/interface ovpn-server server
set enabled=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip accounting
set account-local-traffic=yes enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether01-WAN1
/ip dhcp-server lease
add address=192.168.0.105 client-id=0:8:f1:ea:f4:95:16:0:0:0 mac-address=08:F1:EA:F4:95:16
add address=192.168.0.127 client-id=1:8c:89:a5:3f:87:fa mac-address=8C:89:A5:3F:87:FA
add address=192.168.0.124 client-id=1:88:d7:f6:57:23:3e mac-address=88:D7:F6:57:23:3E
add address=192.168.0.100 mac-address=98:F2:B3:26:2B:0F
add address=192.168.0.125 client-id=1:d4:3d:7e:63:97:f1 mac-address=D4:3D:7E:63:97:F1
add address=192.168.0.123 client-id=1:e0:3f:49:79:49:c8 mac-address=E0:3F:49:79:49:C8
add address=192.168.0.122 client-id=1:88:d7:f6:57:23:2f mac-address=88:D7:F6:57:23:2F
add address=192.168.0.203 client-id=1:8c:b8:4a:80:98:f7 mac-address=8C:B8:4A:80:98:F7
add address=192.168.0.141 client-id=1:ec:e5:12:13:d7:f3 mac-address=EC:E5:12:13:D7:F3
add address=192.168.0.126 client-id=1:50:2b:73:c5:d:7c mac-address=74:27:EA:67:B2:8E
add address=192.168.0.133 client-id=1:0:22:58:58:11:2f mac-address=00:22:58:58:11:2F
add address=192.168.0.132 client-id=1:3c:2a:f4:37:19:e0 mac-address=3C:2A:F4:37:19:E0
add address=192.168.0.131 client-id=1:9c:ae:d3:ea:29:c6 mac-address=9C:AE:D3:EA:29:C6
add address=192.168.0.205 client-id=1:8c:25:5:ca:f7:58 mac-address=8C:25:05:CA:F7:58
add address=192.168.0.206 mac-address=10:7B:44:68:92:03
add address=192.168.0.204 client-id=1:82:cc:88:c7:16:f mac-address=82:CC:88:C7:16:0F
add address=192.168.0.121 mac-address=98:29:A6:8F:BE:71
add address=192.168.0.208 client-id=1:de:d3:d1:b8:3b:49 mac-address=DE:D3:D1:B8:3B:49
add address=192.168.0.207 client-id=1:dc:72:9b:68:ee:de mac-address=DC:72:9B:68:EE:DE
add address=192.168.0.116 client-id=1:c6:be:db:38:f7:86 mac-address=C6:BE:DB:38:F7:86
add address=192.168.0.143 mac-address=B0:95:75:E4:CD:C2
add address=192.168.0.142 mac-address=B0:95:75:E4:CE:60
add address=192.168.0.106 client-id=1:6c:1c:71:39:c1:9d mac-address=6C:1C:71:39:C1:9D
add address=192.168.0.111 client-id=1:b6:fb:ba:fe:b7:8f mac-address=B6:FB:BA:FE:B7:8F
add address=192.168.0.114 client-id=1:78:e3:6d:1a:77:38 mac-address=78:E3:6D:1A:77:38
add address=192.168.0.118 client-id=1:34:a:33:30:2:2b mac-address=34:0A:33:30:02:2B
add address=192.168.0.134 client-id=dc:a6:32:c3:44:3a comment="Server SB RPi" mac-address=DC:A6:32:C3:44:3A
add address=192.168.0.103 mac-address=2C:EA:7F:FA:9C:B4
add address=192.168.0.93 client-id=1:6c:1c:71:39:c1:9d mac-address=6C:1C:71:39:C1:9D server=DHCP1-IP56
add address=192.168.0.153 mac-address=DC:A6:32:C3:44:3A
add address=192.168.0.77 mac-address=B0:95:75:E4:CD:AA server=DHCP1-IP56
add address=192.168.0.92 mac-address=B0:95:75:E4:CE:22 server=DHCP1-IP56
/ip dhcp-server network
add address=192.168.0.0/24 comment="default subnet for internal network" gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Router remote web access" dst-port=1080 protocol=tcp src-port=""
add action=accept chain=forward disabled=yes dst-address=192.168.0.153 dst-port=8444 in-interface=ether01-WAN1 protocol=tcp src-port=""
add action=accept chain=forward disabled=yes in-interface=ether01-WAN1 protocol=tcp src-port=1080
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=input comment="Router remote WinBox access" dst-port=8291 protocol=tcp
add action=accept chain=input comment=Video disabled=yes dst-port=4480 protocol=tcp src-port=80
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Router remote web access" dst-address=x.x.x.56 dst-port=1080 protocol=tcp to-addresses=192.168.0.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=x.x.x.56 dst-port=8442-8444 protocol=tcp to-addresses=192.168.0.153 to-ports=8442-8444
add action=src-nat chain=srcnat src-address=192.168.0.153 to-addresses=x.x.x.56
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=XVR dst-address=x.x.x.56 dst-port=6060 protocol=tcp to-addresses=192.168.0.106 to-ports=443
add action=dst-nat chain=dstnat comment="Force 80 to SB Server" disabled=yes dst-address=x.x.x.56 dst-port=80 protocol=tcp to-addresses=192.168.0.153
add action=dst-nat chain=dstnat disabled=yes dst-port=4480 protocol=tcp to-addresses=192.168.0.140 to-ports=80
add action=dst-nat chain=dstnat comment="DMZ for SB Server" disabled=yes dst-address=x.x.x.56 protocol=tcp to-addresses=192.168.0.103
add action=dst-nat chain=dstnat comment="SB Server" disabled=yes dst-address=x.x.x.56 dst-port=1022 log=yes log-prefix=vlad_ protocol=tcp to-addresses=192.168.0.103 to-ports=22
add action=dst-nat chain=dstnat comment="SB Server e pe vechiul IP" disabled=yes dst-address=x.x.x.56 dst-port=22 in-interface=all-ethernet log=yes log-prefix=vlad_ protocol=tcp to-addresses=192.168.0.103 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.0.0/24
/ip route
add disabled=yes distance=1 dst-address=10.0.0.54/32 gateway=pppoe-out1-54
add disabled=yes distance=1 dst-address=10.0.0.55/32 gateway=pppoe-out2-55
add distance=1 dst-address=192.168.1.0/24 gateway=pppoe-out1-54 pref-src=192.168.1.1 scope=10
/ip service
set ssh disabled=yes
/ip ssh
set forwarding-enabled=local
/lcd
set time-interval=hour
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Dalvi
just joined
Topic Author
Posts: 4
Joined: Sun Feb 27, 2022 8:23 pm

Re: Setting 3 PPPoE connections, each has to route to its own network

Tue May 16, 2023 10:15 am

Good idea, do the planning first, get all the requirements listed, draw a network diagram to show........
@anav You raised my hopes, and then silence...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Setting 3 PPPoE connections, each has to route to its own network

Tue May 16, 2023 2:13 pm

This is a forum not an answering service LOL.
Reading the response,
you have three IPs, two for servers and one for the router.
I am not conversant on one to one mapping but look at netmap for the two server IPs.
The rest is straightforward in terms of terminating a pppoe connection to the router in PPPOE settings.

In terms of LAN structure, no need to tie down LANs to ports, why not make every port capable of handling multiple LANs using VLANs,
for each group of users create a VLAN (subnet) and they can go on any port (a dumb device can only handle one VLAN, smart devices can accept multiple VLANs like a smart switch etc...)
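
One way to get the per-network uplinks the thread asks for, as an added example that is not from either poster: source-based policy routing in RouterOS v6 syntax. Interface names and the 192.168.0.0/24 and 192.168.1.0/24 subnets come from the posted export; 192.168.2.0/24 for the second server network and the via-5x routing-mark names are assumptions.

```routeros
# Added example, RouterOS v6 syntax. 192.168.2.0/24 and the via-5x mark
# names are assumptions; the other names come from the posted export.

# bridge54 has no router address in the export. 192.168.1.1 matches the
# gateway already set in its DHCP network. The leftover static route for
# 192.168.1.0/24 via pppoe-out1-54 should be removed once this is in place.
/ip address
add address=192.168.1.1/24 interface=bridge54

# Three clients with add-default-route=yes compete for one default route.
# Turn that off and install the routes explicitly below.
/interface pppoe-client
set [ find name=pppoe-out1-54 ] add-default-route=no
set [ find name=pppoe-out2-55 ] add-default-route=no disabled=no
set [ find name=pppoe-out3-56 ] add-default-route=no

# Mark by source subnet. Traffic to the router itself or to another local
# subnet is left unmarked so it stays in the main routing table.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 \
    dst-address-type=!local action=mark-routing new-routing-mark=via-54 \
    passthrough=no
add chain=prerouting src-address=192.168.2.0/24 dst-address=!192.168.0.0/16 \
    dst-address-type=!local action=mark-routing new-routing-mark=via-55 \
    passthrough=no
add chain=prerouting src-address=192.168.0.0/24 dst-address=!192.168.0.0/16 \
    dst-address-type=!local action=mark-routing new-routing-mark=via-56 \
    passthrough=no

# One default route per mark; the unmarked route serves the router itself.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1-54 routing-mark=via-54
add dst-address=0.0.0.0/0 gateway=pppoe-out2-55 routing-mark=via-55
add dst-address=0.0.0.0/0 gateway=pppoe-out3-56 routing-mark=via-56
add dst-address=0.0.0.0/0 gateway=pppoe-out3-56

# The existing masquerade rule matches out-interface-list=WAN, so the second
# uplink only has to be an enabled member of that list.
/interface list member
set [ find interface=pppoe-out2-55 ] disabled=no
```

Policy routing only selects the uplink; it does not filter anything. In the posted export the defconf drop rules in the input and forward chains are all disabled, so separation between the three networks still depends on firewall filter rules that are not part of this example.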
