Community discussions

MikroTik App
 
galaxyaord
just joined
Topic Author
Posts: 16
Joined: Fri Nov 01, 2019 11:11 pm

[PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 12:41 am

Greetings. I have a large pppoe network in which the electrical service fails many times. So the computers restart very quickly and quickly increase the use of the mikrotik cpu by trying to log in repeatedly in a few time intervals. I would like that once a pppoe user disconnects their credentials are not valid until after 20 seconds from the last disconnection.
 
joegoldman
Long time Member
Long time Member
Posts: 670
Joined: Mon May 27, 2013 2:05 am

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 1:04 am

If you are trying to avoid one username logging in multiple times (-1,-2 interfaces) then you can use 'One Session Per Host' option in PPPoE Server, so if there is an active user with that username logged in already (or still timing out) then they will be refused login.

Alternatively on the ppp profiles you can use up/down scripts - if they are all managed by your secrets in the router rather than external service you could potentially disable the secret sleep for 20s then enable it again - im not sure on the performance hit on this if you are dropping/authing users on a fairly regular basis.

If they ARE an external RADIUS user, then best bet is to look into scripting this in the RADIUS to not send an Accept until x time after last session logout.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 842
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 1:15 am

High CPU is a common issue, have you ruled out usual suspects e.g. NAT (masquerade) and connection tracking?

There are quite a few topics on this issue (search for pppoe cpu in forum).
 
galaxyaord
just joined
Topic Author
Posts: 16
Joined: Fri Nov 01, 2019 11:11 pm

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 1:17 am

The problem is that many ont's restart up to 10 times in 1 minute filling the mikrotik with pppoe requests, I would like to make the secret of the user when detected in DOWN state is disabled for 10 to 20 seconds until it is valid again. I mean a script on the pppoe server. But I do not know how to do it

Something like this, When the mikrotik detects that the user has disconnected, do /ppp secret disable [Find name=$pppoe_user] I know what I want to do but not how to do it, I don't know the correct command

If you are trying to avoid one username logging in multiple times (-1,-2 interfaces) then you can use 'One Session Per Host' option in PPPoE Server, so if there is an active user with that username logged in already (or still timing out) then they will be refused login.

Alternatively on the ppp profiles you can use up/down scripts - if they are all managed by your secrets in the router rather than external service you could potentially disable the secret sleep for 20s then enable it again - im not sure on the performance hit on this if you are dropping/authing users on a fairly regular basis.

If they ARE an external RADIUS user, then best bet is to look into scripting this in the RADIUS to not send an Accept until x time after last session logout.
 
galaxyaord
just joined
Topic Author
Posts: 16
Joined: Fri Nov 01, 2019 11:11 pm

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 1:39 am

No, I don't have nat masquerade rules. Just src nat. The problem I present is that when more than 2 thousand users connect and disconnect, the entire pppoe network freezes. The winbox does too. But ip services work normally. I have a mikrotik 1072 with average cpu usage of 14%
High CPU is a common issue, have you ruled out usual suspects e.g. NAT (masquerade) and connection tracking?

There are quite a few topics on this issue (search for pppoe cpu in forum).
 
joegoldman
Long time Member
Long time Member
Posts: 670
Joined: Mon May 27, 2013 2:05 am

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 1:42 am

The problem is that many ont's restart up to 10 times in 1 minute filling the mikrotik with pppoe requests, I would like to make the secret of the user when detected in DOWN state is disabled for 10 to 20 seconds until it is valid again. I mean a script on the pppoe server. But I do not know how to do it

Well - is the first request hanging up correctly or does it sit there in 'timeout'? You could increase the keepalive/timeout and use One Session Per Host as an 'easy' workaround, as when it tries to connect again while the first session is still timing out then it won't let them on.

Alternatively per your request, you could have a on-down script

/ppp secret disable [ find name=$user ]
:delay 30s // This might need to be in ms
/ppp secret enable [ find name=$user ]

This is untested, and im not sure on if its a good idea to actually run such large delays on down scripts on PPP's - if it halts other processes or causes issues. It may be better to tag it with a comment and have a scheduled script come through every 60 seconds and enable everything with the tagged comment - but this will have a possibility of things only being disabled for a few seconds before being re-enabled depending on when in the 60 second wait time it happened.
 
mducharme
Trainer
Trainer
Posts: 1471
Joined: Tue Jul 19, 2016 6:45 pm

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 2:51 am

The best way to fix this is for MikroTik to implement what is called "PADI Per-MAC Rate Limiting", similar in idea to ICMP rate limiting, which would ignore additional PPPoE PADI packets if they are received within too short of a timeframe from the same MAC Address. I have wanted such a feature as well, but it wasn't problematic enough for me to request before.
 
galaxyaord
just joined
Topic Author
Posts: 16
Joined: Fri Nov 01, 2019 11:11 pm

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Mon Sep 27, 2021 6:07 am

Mikrotik simply does not support that a thousand users of a vlan connect and disconnect more than 5 times even if you have the most powerful mikrotik there is. So a script would serve me that disables only the secrets of the users who have disconnected. The problem is that I don't know how to do the script. In ppp/profiles there is an option in each profile for scripts, "On up" and "on Down". What I need is that in On down the secret of the user is disabled for 20 seconds. Something like:
 /ppp secret disable ; Timeout 20s ; / ppp secret enable
. But I don't know how to do it so that it applies only to the user who logged out.

The best way to fix this is for MikroTik to implement what is called "PADI Per-MAC Rate Limiting", similar in idea to ICMP rate limiting, which would ignore additional PPPoE PADI packets if they are received within too short of a timeframe from the same MAC Address. I have wanted such a feature as well, but it wasn't problematic enough for me to request before.
 
joegoldman
Long time Member
Long time Member
Posts: 670
Joined: Mon May 27, 2013 2:05 am

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Thu Sep 30, 2021 12:53 am

What I need is that in On down the secret of the user is disabled for 20 seconds. Something like:
 /ppp secret disable ; Timeout 20s ; / ppp secret enable
. But I don't know how to do it so that it applies only to the user who logged out.

I gave you that script (just without testing) in my post above for your On Down script:
($user is a passed through variable and matches the user login of the interface going up/down)

/ppp secret disable [ find name=$user ]
:delay 30s // This might need to be in ms
/ppp secret enable [ find name=$user ]
 
galaxyaord
just joined
Topic Author
Posts: 16
Joined: Fri Nov 01, 2019 11:11 pm

Re: [PPPOE] How to disable the secret for 10 seconds when a user disconnects

Tue Oct 12, 2021 6:56 pm

Greetings. I did that when the post was recent, but it didn't fix the problem. In the end I had to implement a firewall on the olt that delayed pppoe re-entry requests
What I need is that in On down the secret of the user is disabled for 20 seconds. Something like:
 /ppp secret disable ; Timeout 20s ; / ppp secret enable
. But I don't know how to do it so that it applies only to the user who logged out.

I gave you that script (just without testing) in my post above for your On Down script:
($user is a passed through variable and matches the user login of the interface going up/down)

/ppp secret disable [ find name=$user ]
:delay 30s // This might need to be in ms
/ppp secret enable [ find name=$user ]

Who is online

Users browsing this forum: No registered users and 9 guests