You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Overview


Point to Point over Ethernet (PPPoE) is simply a method of encapsulating PPP packets into Ethernet frames. PPPoE is an extension of the standard Point to Point Protocol (PPP) and it the successor of PPPoA. PPPoE standard is defined in RFC 2516.

Introduction

PPPoE provides the ability to connect a network of hosts over a simple bridging access device to a remote Access Concentrator.  

Supported connections:

  • MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
  • MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers)

PPPoE Operation

PPPoE has two distinct stages(phases):

  1. Discovery phase;
  2. Session phase;

Discovery phase

There are four steps to the Discovery stage. When it completes, both peers know the PPPoE SESSION_ID and the peer's Ethernet address, which together define the PPPoE session uniquely:

  1.  PPPoE Active Discovery Initialization (PADI) - The PPPoE client sends out a PADI packet to the broadcast address. This packet can also populate the "service-name" field if a service name has been entered in the dial-up networking properties of the PPPoE client. If a service name has not been entered, this field is not populated
  2. PPPoE Active Discovery Offer (PADO) - The PPPoE server, or Access Concentrator, should respond to the PADI with a PADO if the Access Concentrator is able to service the "service-name" field that had been listed in the PADI packet. If no "service-name" field had been listed, the Access Concentrator will respond with a PADO packet that has the "service-name" field populated with the service names that the Access Concentrator can service. The PADO packet is sent to the unicast address of the PPPoE client
  3. PPPoE Active Discovery Request (PADR) - When a PADO packet is received, the PPPoE client responds with a PADR packet. This packet is sent to the unicast address of the Access Concentrator. The client may receive multiple PADO packets, but the client responds to the first valid PADO that the client received. If the initial PADI packet had a blank "service-name" field filed, the client populates the "service-name" field of the PADR packet with the first service name that had been returned in the PADO packet.

  4. PPPoE Active Discovery Session Confirmation (PADS) - When the PADR is received, the Access Concentrator generates a unique session identification (ID) for the Point-to-Point Protocol (PPP) session and returns this ID to the PPPoE client in the PADS packet. This packet is sent to the unicast address of the client.

PPPoE session termination:

  • PPPoE Active Discovery Terminate (PADT) - Can be sent anytime after a session is established to indicate that a PPPoE session terminated. It can be sent by either server or client.

Session phase

When the discovery stage is completed, both peers know PPPoE Session ID and other peer's Ethernet (MAC) address which together defines the PPPoE session. PPP frames are encapsulated in PPPoE session frames, which have Ethernet frame type 0x8864.
When a server sends confirmation and a client receives it, PPP Session is started that consists of the following stages:

  1. LCP negotiation stage
  2. Authentication (CHAP/PAP) stage
  3. IPCP negotiation stage - where the client is assigned an IP address.

If any process fails, the LCP negotiation establishment phase is started again.


PPPoE server sends Echo-Request packets to the client to determine the state of the session, otherwise, the server will not be able to determine that session is terminated in cases when a client terminates session without sending Terminate-Request packet.

MTU

Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and the PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492.

TCP stacks try to avoid fragmentation, so they use an MSS (Maximum Segment Size). By default, MSS is chosen as MTU of the outgoing interface minus the usual size of the TCP and IP headers (40 bytes), which results in 1460 bytes for an Ethernet interface. Unfortunately, there may be intermediate links with lower MTU which will cause fragmentation. In such a case TCP stack performs path MTU discovery. Routers that cannot forward the datagram without fragmentation are supposed to drop the packet and send ICMP-Fragmentation-Required to originating host. When a host receives such an ICMP packet, it tries to lower the MTU. This should work in the ideal world, however in the real world many routers do not generate fragmentation-required datagrams, also many firewalls drop all ICMP datagrams.

The workaround for this problem is to adjust MSS if it is too big. By default, RouterOS adds mangle rules to intercept TCP SYN packets and silently adjust any advertised MSS option so they will be appropriate for the PPPoE link.

Configuration Example

PPPoE Client

To configure MikroTik RouterOS to be a PPPoE client, just add a PPPoE-client:

/interface pppoe-client add name=pppoe-user-mike user=user password=passwd interface=wlan1 service-name=internet disabled=no

PPPoE Server

To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):

  • add an address pool for the clients from 10.1.1.62 to 10.1.1.72;
  • add PPP profile;
  • add PPP secret (username/password);
  • add the PPPoE server itself.
/ip pool 
add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72

/ppp profile 
add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool

/ppp secret 
add name=user password=passwd service=pppoe profile=pppoe-profile

/interface pppoe-server server 
add service-name=internet interface=wlan1 default-profile=pppoe-profile disabled=no

PPPoE Server Setup (Access Concentrator)

/interface pppoe-server server

The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.

Do not assign an IP address to the interface you will be receiving the PPPoE requests on.

Configuration example

To add PPPoE server on ether1 interface provided with a service-name of "ServiceName" and allowing only one connection per host:

[admin@MikroTik] >/interface pppoe-server server add interface=ether1 one-session-per-host=yes service-name=ServiceName
[admin@MikroTik] > interface pppoe-server server print
Flags: X - disabled, I - invalid 
0 X service-name="ServiceName" interface=ether1 max-mtu=auto max-mru=auto mrru=disabled authentication=pap,chap,mschap1,mschap2 
keepalive-timeout=10 one-session-per-host=yes max-sessions=unlimited pado-delay=0 default-profile=default interface pppoe-server server print

Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones.  Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.

The default keepalive-timeout value of 10s is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used.





  • No labels