Hello,

With use-firewall-for-pppoe enabled traffic does not work, with it disabled it does. There are no rules added on the bridge/filter. On the outgoing interface i.e. from vlan 1397 on the MT-birdge router you can see the traffic but for some reason it is blocked. PPPoE session is established as seen in the screenshots but there is no IP traffic.
Is this scenario even possible?

Mikrotik (bridge) is on CHR = version 7.1rc4, network card x520-da2
Mikrotik (pppoe-hub) is on CCR1072 = version 7.1rc4

I want to have the firewall-for-pppoe enabled because I want to do queuing on the MT-bridge for pppoe clients going through the "MT bridge".

The most interesting thing is that regular TCP/IP traffic (without pppoe) works fine, i.e. with use-firewall enabled for the bridge the traffic passes and I can queue it. The problem occurs only with PPPoE traffic, but the pppoe session itself is established correctly.

MT-Bridge(queue)

Hello,
I repeat my question - is this scenario even possible? where the bridge (queue) is before the PPPoE hub? I was thinking that use-firewall-for-pppoe on the bridge would allow me to do this.

Do I need to design it differently?
I would appreciate your response.

I dont understand ..........
Dont use non standard settings please.

IF you need firewall rules use in the input chain ( to and from router) or the forward chain (across the router, or in other words wan to lan, lan to wan and lan to lan).
Not sure where you see such ip rules for pppoe but do not use them, rarely required.

Dont use this either, very rarely seen (bridge filter is very advanced usage, not advised to get a working config going).
/interface bridge filter
add action=accept chain=outpt

Okay you are also using vlans in bridge port settings. Vlans are not bridge ports, physical ports and wlans are considered bridge ports normally.

I am getting the sense that you copied crap from youtube and dont know what you are doing.
Recommend if this is the case to reset to defaults and only stray from them with guidance here......

Just to be clear, what is the purpose of the MT device.
Is it supposed to be a router or is behind a router and you only want it to act like a switch????

I want a separate Mikrotik just for cutting bandwidth (queuing) hence the bridge. Vlans are in the bridge and it all works. Bandwidth cutting works for regular IP traffic (no pppoe) that passes through the bridge.

Now I would like it to work for pppoe traffic that goes through the bridge. The PPPoE client establishes a session to the PPPoE hub and everything works up to the point where I have the use-firewall-for-pppoe option turned off, but the moment I turn on the use-firewall-for-pppoe option because I want to run a bandwidth cut , the traffic (simple queueing) is no longer forwarded.


PPPoE (client) ----> MT bridge (queue) -----> MT PPPoE HUB

https://youtu.be/kUc3cBriLs4

There are no rules added to the bridge/filter and traffic is allowed by default.

From Wiki (Sub-menu: /interface bridge settings): use-ip-firewall-for-pppoe (yes | no; Default: no) - Send bridged un-encrypted PPPoE traffic to also be processed by IP/Firewall. This property only has effect when use-ip-firewall is set to yes. This property is required in case you want to assign Simple Queues or global Queue Tree to PPPoE traffic in a bridge.

Have I clarified things a bit, or is it still not clear?
The point is that the PPPoE traffic that is supposed to go through the bridge doesn't quite make it out of the bridge. But the session itself (pppoe) is established. Non-pppoe traffic (static IPs) works fine with the use-fiewall option in the bridge settings. There are no firewall rules and the traffic is allowed by default. Will this scenario work? It looks like it doesn't take much to make it work, but unfortunately it doesn't. I just want to queue traffic on the bridge (a simple queue), so I need to have use-firewall-for-pppoe enabled, as the documentation says. Without that, traffic is passed over the bridge, but not queued.

Do I have something wrong or is this scenario impossible to run at all?

PPPoE client -----> bridge (simple queue) -----> PPPoE HUB