runningsystemchanger
just joined
Topic Author
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Stuck on first ROS baby steps: PPPOE-client not connecting

Thu Oct 14, 2021 9:09 pm

Hi all,

so I finally made the leap of faith. I decided to replace my usg-pro-4 with an rb5009 instead of losing more hair over Ubiquiti firewalls. Use is SOHO plus one tenant on isolated vlan. No previous MT experience.
I moved my WAN2 (dual stack dsl, modem DrayTek Vigor 130 doing the vlan tagging) from the usg to ether1 on the rb5009. Connected my computer on ether2, nothing else. I cannot for the life of me get the rb5009 to connect as pppoe-client, always ending up with the same symptoms. Connecting, terminating, disconnected loop. Sometimes terminating... -disconnected, sometimes terminating... hungup.
[Attached screenshots: test log small.png, test log long.png]
First I followed the MT help > getting started to the word. Upgraded to ROS 7.1rc4. Tried the default settings. Various other stabs in the dark. Tried a lot of different settings in the pppoe-out interface.
For the sake of it a very minimalistic setup:
export hide-sensitive
# jan/02/1970 00:03:56 by RouterOS 7.1rc4
# software id = NKBZ-YWFF
#
# model = RB5009UG+S+
# serial number = xxx
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
    user=H1und1/xxx@online.de
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0
/system logging
add topics=pppoe
/system routerboard settings
set cpu-frequency=auto
Always the same symptoms exactly.

The usg can connect via pppoe with the modem as is, on the same credentials:
[Attached screenshots: ui networks setup.png, usg status.png]
Sorry for yet another amateur on here, I realise I'm not in the usual MT demographics. Even more, any help will be highly appreciated.
 
runningsystemchanger
just joined
Topic Author
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Fri Oct 15, 2021 11:03 pm

After a lot more digging, I'm thinking this is not my fault but a bug. It seems like "received PADO with unknown host-uniq, dropping" is an issue that kept coming up on different ROS versions since at least 2010, cannot find a solution anywhere. I really didn't expect the rb5009 to be incapable of something the ui device could do... :?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Fri Oct 15, 2021 11:56 pm

Does the ISP need to reset at their end, not sure having never used pppoe, but perhaps there is a mac address stored somewhere that needs to be reset?
Many folks are using PPPoE with all kinds of MT devices without issue.

Yeah you would not like to hook up that router anyway as you basically have no firewall.
I gather the RB5009 didn't come with any defaults??
Is that really all that is shown by

/export hide-sensitive file=anynameyouwish
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Sat Oct 16, 2021 3:53 am

> It seems like "received PADO with unknown host-uniq, dropping" is an issue that kept coming up on different ROS versions since at least 2010, cannot find a solution anywhere.

I don't think this message indicates an issue at all, but is instead a red herring. I would guess that someone else is trying to authenticate with PPPoE at the same time that your router is, and your router receives the PADO packet meant for the other person's router, and drops it because it doesn't match the host-uniq for your router - which it should do. If the offer is not meant for your router, your router should not accept it. You get up to the PADS stage and then the LCP ConfReqs go unanswered. I agree with anav that you should talk to your ISP and see if they have somehow restricted it to only the MAC of your Ubiquiti router.
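
The Host-Uniq check described in the reply above, as an added example (not code from the thread or from RouterOS): a parser for PPPoE discovery frames in the RFC 2516 layout that returns the accept/drop verdict a client would reach for a PADO. The MAC addresses, tag values and function names are constructed for illustration.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863            # EtherType of the PPPoE discovery stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0102, 0x0103


def build_frame(dst, src, code, tags, session_id=0):
    """Build a constructed discovery frame for the samples below."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!6s6sHBBHH", dst, src, ETH_P_PPPOE_DISC,
                         0x11, code, session_id, len(payload))
    return header + payload


def parse_discovery(frame):
    """Parse Ethernet + PPPoE discovery headers and the TLV tag list."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    dst, src, ethertype, ver_type, code, session_id, length = struct.unpack(
        "!6s6sHBBHH", frame[:20])
    if ethertype != ETH_P_PPPOE_DISC or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds captured data")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if tag_type == TAG_END:
            break
        if off + tag_len > len(payload):
            raise ValueError("tag runs past end of payload")
        tags[tag_type] = payload[off:off + tag_len]
        off += tag_len
    return {"dst": dst, "src": src, "code": CODES.get(code, hex(code)),
            "session_id": session_id, "tags": tags}


def pado_verdict(frame, our_mac, our_host_uniq):
    """Decide, as a client would, whether a PADO answers our own PADI."""
    pkt = parse_discovery(frame)
    if pkt["code"] != "PADO":
        return "ignore: not a PADO"
    if pkt["dst"] != our_mac:
        return "drop: addressed to another MAC"
    if pkt["tags"].get(TAG_HOST_UNIQ) != our_host_uniq:
        return "drop: unknown host-uniq"
    return "accept"


# Constructed sample data (not taken from the poster's capture).
OUR_MAC = bytes.fromhex("020000000001")
AC_MAC = bytes.fromhex("020000000099")
OUR_UNIQ = bytes.fromhex("00000abc")
OTHER_UNIQ = bytes.fromhex("0000beef")
PADO_OURS = build_frame(OUR_MAC, AC_MAC, 0x07,
                        [(TAG_AC_NAME, b"bras1"), (TAG_HOST_UNIQ, OUR_UNIQ)])
PADO_FOREIGN = build_frame(OUR_MAC, AC_MAC, 0x07,
                           [(TAG_AC_NAME, b"bras1"), (TAG_HOST_UNIQ, OTHER_UNIQ)])

if __name__ == "__main__":
    for name, frame in (("ours", PADO_OURS), ("foreign", PADO_FOREIGN)):
        print(name, "->", pado_verdict(frame, OUR_MAC, OUR_UNIQ))
```

To apply it to a real capture, pass each EtherType 0x8863 frame from the sniffer file together with the router's WAN MAC and the Host-Uniq value from its own PADI.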
 
runningsystemchanger
just joined
Topic Author
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Sat Oct 16, 2021 9:03 am

> I agree with anav that you should talk to your ISP and see if they have somehow restricted it to only the MAC of your Ubiquiti router.

When I set the Draytek without bridge mode, it connects without problems. So I'm thinking it cannot be a restriction to the Ubiquiti MAC? Also that would be very unusual as the ISP expects me to use the supplied fritzbox router. Back when I installed the second ISP, it took me a bit of negotiation for them to even activate dual stack as the Ubiquiti doesn't handle ds-lite. Their support hotline will not be of any help, people with zero technical knowledge working off flow charts that end with: No fritzbox -> not our problem. Even if the issue is on their side, I will have to identify it with absolute certainty before I contact them.

> Yeah you would not like to hook up that router anyway as you basically have no firewall.
> I gather the RB5009 didnt come with any defaults??

As I wrote. First I tried following the MT help first time config. They have you set up the internet connection before any firewall rules.
PPPOE behaves the same with the default config:
[admin@MikroTik] > export hide-sensitive
# jan/02/1970 00:04:17 by RouterOS 7.1rc4
# software id = NKBZ-YWFF
#
# model = RB5009UG+S+
# serial number = xxx
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
    user=H1und1/xxx@online.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by runningsystemchanger on Tue Oct 19, 2021 1:09 pm, edited 1 time in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Sat Oct 16, 2021 2:03 pm

> When I set the Draytek without bridge mode, it connects without problems. So I'm thinking it cannot be a restriction to the Ubiquiti MAC?

Sometimes there can be a small number of cached learned MACs on the ISP provided CPE device (usually set to around two or three) to prevent accidentally plugging in a large network directly over layer 2 to the ISP, and it has to be rebooted to reset that. With our own CPEs that we provide to customers they will only learn two MAC addresses and will prevent any further ones from working until a reboot takes place.

If that doesn't help, I must say that issue you are having is highly unusual - I have set up many MikroTik devices to connect via PPPoE and there is never any issue. I think you may need to do a packet capture to figure out what is going on - perhaps the default PPPoE MTU/MRU of 1480 is too large for your ISP? It appears that LCP is failing to negotiate.
 
runningsystemchanger
just joined
Topic Author
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Sat Oct 16, 2021 4:21 pm

Thank you for your feedback, very interesting and much appreciated.
I did sniff the ether1 yesterday but I honestly have no clue what to look for. It seems like when the mikrotik is sending a host-uniq, the other end is always responding with the same number. I'm not sure if it would be helpful and/or a good idea to upload the sniffer file here?

I now tried to get a PPPOE connection from a computer plugged directly into the Draytek. Sure enough, that didn't work either. Tried with macOS and ubuntu, there weren't really any options to get wrong on both. So your theory seems very valid and ROS is probably off the hook. I will try with the ISP support next week but honestly I got no hope for that at all. My tenant is moving out by the end of this year and the dsl connection is running in his name. Maybe I will just try to live with dual nat on wan2 until then and next year try my luck with a different provider.
MTU is not the issue, the Draytek connected fine with MTU 1492.

> I must say that issue you are having is highly unusual

Unfortunately that's rather typical...
 
runningsystemchanger
just joined
Topic Author
Posts: 7
Joined: Thu Oct 14, 2021 8:40 pm

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Tue Oct 19, 2021 1:09 pm

Back with the next issues, should I have opened a new thread?

So I hooked up my main WAN (1000/50 cable modem in bridge mode) to ether1. Over the bandwidth test tool to one of the public community servers I consistently get over 950Mbps download. All clients behind the router get significantly less, heavily fluctuating between 300 and 600 Mbps. No difference if wired directly to the router or through the main switch (USW-24-POE). Zero errors in the ethernet stats.
Any ideas?


Edit: Without any change of config, today I'm getting full line speed on the clients. No clue what happened there. :-?

Current config:
# oct/19/2021 11:42:29 by RouterOS 7.1rc4
# software id = NKBZ-YWFF
#
# model = RB5009UG+S+
# serial number = xxx
/interface bridge
add admin-mac=xxx auto-mac=no disabled=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] name=ether5-b
set [ find default-name=ether6 ] name=ether6-b
set [ find default-name=ether7 ] name=ether7-b
set [ find default-name=ether8 ] name=ether8-b
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether5-b,ether6-b,ether7-b,ether8-b \
    transmit-hash-policy=layer-3-and-4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bonding1 lease-time=1d name=dhcp
/interface bridge port
add bridge=bridge disabled=yes interface=bonding1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1-WAN list=WAN
add interface=bonding1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bonding1 network=192.168.1.0
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.1.190 client-id=1:18:c0:4d:8e:fa:21 mac-address=\
    18:C0:4D:8E:FA:21 server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=local
add address=0.0.0.0/8 list=Self-Identification
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes in-interface-list=WAN port=5555 \
    protocol=tcp to-addresses=192.168.0.5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=auto
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
