...
- MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator);
- MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers);
PPPoE Operation
PPPoE has two distinct stages(phases):
...
PPPoE server sends Echo-Request packets to the client to determine the state of the session, otherwise, the server will not be able to determine that session is terminated in cases when a client terminates session without sending Terminate-Request packet.
MTU
Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and the PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492.
...
The workaround for this problem is to adjust MSS if it is too big. By default, RouterOS adds mangle rules to intercept TCP SYN packets and silently adjust any advertised MSS option so they will be appropriate for the PPPoE link.
Configuration Example
PPPoE Client
To configure MikroTik RouterOS to be a PPPoE client, just add a PPPoE-client:
/interface pppoe-client add name=pppoe-user-mike user=user password=passwd interface=wlan1 service-name=internet disabled=noPPPoE Server
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):
- add an address pool for the clients from 10.1.1.62 to 10.1.1.72;
- add PPP profile;
- add PPP secret (username/password);
- add the PPPoE server itself.
...
PPPoE Client
Properties
| Property | Description |
|---|---|
| ac-name (string; Default: "") | Access Concentrator name, this may be left blank and the client will connect to any access concentrator on the broadcast domain |
| add-default-route (yes|no; Default: no) | Enable/Disable whether to add default route automatically |
| allow (mschap2|mschap1|chap|pap; Default: mschap2,mschap1,chap,pap) | allowed authentication methods, by default all methods are allowed |
| default-route-distance (byte [0..255]; Default:1) | sets distance value applied to auto created default route, if add-default-route is also selected |
| dial-on-demand (yes|no; Default: no) | connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established. |
| interface (string; Default: ) | interface name on which client will run |
| keepalive-timeout (integer; Default:60) | Sets keepalive timeout in seconds. |
| max-mru (integer; Default: 1460) | Maximum Receive Unit |
| max-mtu (integer; Default: 1460) | Maximum Transmission Unit |
| mrru (integer: 512..65535|disabled; Default: disabled) | maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. |
| name (string; Default: pppoe-out[i]) | name of the PPPoE interface, generated by RouterOS if not specified |
| password (string; Default: ) | password used to authenticate |
| profile (string; Default: default) | Specifies which PPP profile configuration will be used when establishing the tunnel. |
| service-name (string; Default: "") | specifies the service name set on the access concentrator, can be left blank to connect to any PPPoE server |
| use-peer-dns (yes|no; Default: no) | enable/disable getting DNS settings from the peer |
| user (string; Default: "") | username used for authentication |
Status
Command /interface pppoe-client monitor will display current PPPoE status.
Available read only properties:
| Property | Description |
|---|---|
| ac-mac (MAC address) | MAC address of the access concentrator (AC) the client is connected to |
| ac-name (string) | name of the Access Concentrator |
| active-links (integer) | Number of bonded MLPPP connections, ('1' if not using MLPPP) |
| encoding (string) | encryption and encoding (if asymmetric, separated with '/') being used in this connection |
| local-address (IP Address) | IP Address allocated to client |
| remote-address (IP Address) | Remote IP Address allocated to server (ie gateway address) |
| mru (integer) | effective MRU of the link |
| mtu (integer) | effective MTU of the link |
| service-name (string) | used service name |
| status (string) | current link status. Available values are:
|
| uptime (time) | connection time displayed in days, hours, minutes and seconds |
Scanner
...
PPPoE Scanner allows scanning all active PPPoE servers in the layer2 broadcast domain. Command to run scanner is as follows:
| Code Block | ||
|---|---|---|
| ||
/interface pppoe-client scan [interface] |
To add and enable PPPoE client on the ether1 interface connecting to the AC that provides 'testSN' service using user name "user" with the password 'passwd':
...
Available read only properties:
| Property | Description |
|---|---|
| service (string) | Service name configured on server |
| mac-address (MAC) | Mac address of detected server |
| ac-name (string) | name of the Access Concentrator |
| Note |
|---|
For Windows, some connection instructions may use the form where the "phone number", such as "MikroTik_AC\mt1", is specified to indicate that "MikroTik_AC" is the access concentrator name and "mt1" is the service name. |
...
| Note |
|---|
Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows, it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". MRRU is hardcoded to 1614 on Windows. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers. |
PPPoE Server
...
There are two types of interface (tunnel) items in PPPoE server configuration - static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user. Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name - set one-session-per-host value if this is a problem). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rule for that user, create a static entry for him/her. Otherwise, it is safe to use a dynamic configuration.
| Note |
|---|
In both cases PPP users must be configured properly - static entries do not replace PPP configuration. |
Access concentrator
| Code Block | ||
|---|---|---|
| ||
/interface pppoe-server server |
Properties
| Property | Description |
|---|---|
| authentication ( mschap2 | mschap1 | chap | pap; Default: "mschap2, mschap1, chap, pap") | Authentication algorithm |
| default-profile (string; Default: "default") | |
| interface (string; Default: "") | Interface that the clients are connected to |
| keepalive-timeout (time; Default: "10") | Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If there is no traffic and no keepalive responses arrive for that period of time (i.e. 2 * keepalive-timeout), the non responding client is proclaimed disconnected. |
| max-mru (integer; Default: "1480") | Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets) |
| max-mtu (integer; Default: "1480") | Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets) |
| max-sessions (integer; Default: "0") | Maximum number of clients that the AC can serve. '0' = no limitations. |
| mrru (integer: 512..65535 | disabled; Default: "disabled") | Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. |
| one-session-per-host (yes | no; Default: "no") | Allow only one session per host (determined by MAC address). If a host tries to establish a new session, the old one will be closed. |
| service-name (string; Default: "") | The PPPoE service name. Server will accept clients which sends PADI message with service-names that matches this setting or if service-name field in PADI message is not set. |
The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
| Warning |
|---|
Do not assign an IP address to the interface you will be receiving the PPPoE requests on. |
Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.
Configuration example
To add PPPoE server on ether1 interface provided with a service-name of "ServiceName" and allowing only one connection per host:
| Note |
|---|
The default keepalive-timeout value of 10s is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used. |
Quick Example
PPPoE Client
To configure MikroTik RouterOS to be a PPPoE client, just add a PPPoE-client with the following parameters as in the example:
| Code Block | ||
|---|---|---|
| ||
[admin@MikroTik] > |
...
interface pppoe- |
...
client add interface= |
...
ether2 password=StrongPass service- |
...
name=pppoeservice name=PPPoE-Out disabled=no user=MT-User [admin@MikroTik] > interface pppoe- |
...
client |
...
print |
...
Flags: X - disabled, I - invalid |
...
, R - running 0 R name=" |
...
PPPoE-Out" |
...
max-mtu=auto max-mru=auto mrru=disabled |
...
interface=ether2 user="MT-User" password="StrongPass" profile=default keepalive-timeout=10 |
...
service-name="pppoeservice" ac-name=""
add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 |
PPPoE Server
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):
- add an IP address pool for the clients from 10.0.0.2-10.0.0.5;
- add PPP profile;
- add PPP secret (username/password);
- add the PPPoE server itself;
| Code Block | ||
|---|---|---|
| ||
[admin@MikroTik] > /ip pool
add name=pppoe-pool ranges=10.0.0.2-10.0.0.5
[admin@MikroTik] > /ppp profile
add local-address=10.0.0.1 name=for-pppoe remote-address=pppoe-pool
[admin@MikroTik] > /ppp secret
add name=MT-User password=StrongPass profile=for-pppoe service=pppoe
[admin@MikroTik] > /interface pppoe-server server
add default-profile=for-pppoe disabled=no interface=ether3 service-name=pppoeservice |
Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.
| Note |
|---|
| The default keepalive-timeout value of 10s is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used. |