MikroTik RouterOS PPPoE (Point to Point Protocol over Ethernet) Interfaces

Document revision 15-May-2002
This document applies to MikroTik RouterOS V2.5

Overview

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management, and accounting benefits to ISPs and network administrators. Currently, PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet – as opposed to modem transport.

Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and, if desired, workstation) authentication, as opposed to the workstation-only authentication used when static IP addresses or DHCP are in use. Do not use static IP addresses or DHCP on interfaces on which PPPoE is used.

A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router – wireless 802.11 (Aironet, Cisco, WaveLAN), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). The supported encryption modes are none, MPPE 40bit RSA, and MPPE 128bit RSA.

Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections – including PPPoE. For more information on PPP authentication, see the “PPP Authentication and Accounting” section of the PPP Client and Server Interfaces Manual.

Supported connections:

Topics covered in this manual:

PPPoE Installation on the MikroTik RouterOS

The “pppoe-2.x.npk” (less than 230KB) and “ppp-2.x.npk” (less than 470KB) packages are required. The packages can be downloaded from MikroTik’s web page www.mikrotik.com. To install the packages, upload them to the router with ftp and reboot. You may check whether the packages are installed with the command:

[MikroTik] > system package print                                              
Flags: I - invalid 
  #   NAME                  VERSION              BUILD-TIME           UNINSTALL
  0   routing               2.5rc4               jan/30/2002 10:43:38 no       
  1   pppoe                 2.5rc4               jan/30/2002 10:37:47 no       
  2   ssh                   2.5rc4               jan/30/2002 10:33:52 no       
  3   system                2.5rc4               jan/30/2002 10:31:32 no       
  4   snmp                  2.5rc4               jan/30/2002 10:32:13 no       
  5   ppp                   2.5rc4               jan/30/2002 10:36:03 no       
  6   pptp                  2.5rc4               jan/30/2002 10:36:42 no       
  7   aironet               2.5rc4               jan/30/2002 10:39:05 no       
  8   prism                 2.5rc4               jan/30/2002 15:51:12 no
[MikroTik] > 

Lines one and five show that the PPPoE and PPP packages are installed.

PPPoE hardware resource usage

The PPPoE client uses a minimum amount of memory.

The PPPoE server (access concentrator) uses a minimum amount of memory for the basic setup. Each current PPPoE server connection uses approximately 100-200KB of memory. For PPPoE servers (access concentrators) designed for a large number of PPPoE connections, additional RAM should be added. In version 2.5, there is currently a maximum of 5000 connections. For example, a 1,000 user system should have 200MB of free RAM above the normal operating RAM. For a large number of clients a faster processor is required. We recommend using a Celeron 600MHz processor or higher. A future rewrite of parts of PPP is expected to significantly reduce the requirements.

PPPoE client setup

The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator). Tests with different ISPs and access concentrators are currently underway.

Note for Windows: Some connection instructions may use the form where the “phone number” is “MikroTik_AC\mt1” to indicate that “MikroTik_AC” is the access concentrator name and “mt1” is the service name.

An example of a PPPoE client on the MikroTik RouterOS:

[RemoteOffice] interface pppoe-client> print 
  0   name=pppoe-out1 interface=gig service-name=testSN user=john pap=no
      chap=yes ms-chapv2=no mtu=1492 mru=1492 idle-timeout=0s
      session-timeout=0s add-default-route=yes dial-on-demand=no
      use-peer-dns=no encryption=none compression=no local-address=0.0.0.0
      remote-address=0.0.0.0 ac-name="" mss-update=1452

Descriptions of settings:

name - This settable name will appear in interface and IP address list when the PPPoE session is active.
interface - The PPPoE client can be attached to any Ethernet like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
mtu and mru - The MTU and MRU after the 8 byte PPPoE overhead is subtracted from the standard 1500 byte Ethernet packet. For encryption, subtract four more bytes and set the MTU and MRU to 1488.
pap, chap, ms-chapv2 - It is suggested that chap be set to yes to have encrypted authentication. If there is a special situation that requires an encrypted link, only ms-chapv2 should be set to yes. Encrypted links are only supported when ms-chapv2 is selected. This is a requirement of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to none.
user - A user name and password must be added to the client router’s user database. The user must be added with the group attribute PPP. When the server is authenticating the client, the client will send this user and the password from the client router’s user database. The server user database must have the same user and password and PPP group attribute to authenticate the link – unless the RADIUS client is enabled.
idle-timeout - The link will be terminated if there is no activity within the time set – in seconds. When set to “0,” there is no timeout.
session-timeout - The maximum time the connection can stay up, set in seconds. When set to “0,” there is no timeout.
dial-on-demand - Connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle-timeout value.
use-peer-dns - Sets the router default DNS to the PPP peer DNS.
compression - May be selected if encryption is not used. The default setting of “no compression” is suggested.
local-address - If the ppp server allows, a local-address may be set. The default setting of 0.0.0.0 is suggested. In this case, the address set by the server will be used.
remote-address - If the ppp server allows, a remote-address may be set. The default setting of 0.0.0.0 is suggested.
service-name - The service name set on the access concentrator. Many ISPs give the user-name and address in the form “user-name@service-name”.
ac-name - This may be left blank and the client will connect to any access concentrator that offers the service-name selected.
add-default-route - Select yes to have a default route added automatically. Note that the dynamic default route will not be added if there is already a default route set.
mss-update - This setting changes the mss (maximum segment size) setting of each packet to the selected size. The default of 1452 is suggested. This fixes a common problem for PPPoE when mis-configured servers or networks do not let the IP protocol work properly. The common symptom is a partial download of a web page.

PPPoE Server Setup (Access Concentrator)

The PPPoE server (access concentrator) supports multiple servers for each interface – with differing service names. Currently, a maximum of 5000 PPPoE connections are supported. Currently the throughput of the PPPoE server has been tested to 160Mb/s on a Celeron 600 CPU. Using higher speed CPUs should increase the throughput proportionately.

The settings below are the optimal settings to work with Windows clients such as the RASPPPoE client for Win98/2000/ME. The password authentication and encryption are set to “pap no chap yes ms-chapv2 no encryption none” specifically to ensure a quick login by the Windows client. In the example below, the login is encrypted with CHAP. Currently it is possible to make encrypted links to Windows clients, but usually they stop passing IP after five minutes while remaining connected and showing that data is passed – this is a bug which is being worked on. There are no problems with encryption between the MikroTik PPPoE client and server.

The access concentrator has a hard limit of 5000 current connections. The user setting for the connection limit is done by setting the 'remote-address' range. For example, for a limit of 1020 users, use 'remote-address=10.0.0.1-10.0.4.255'. Even if you are using a RADIUS server for client addresses, the 'remote-address' argument must include an IP address range, which limits/enables the number of current connections.

The “access concentrator name” and PPPoE “service name” are used by clients to identify the access concentrator to register with. The “access concentrator name” is the same as the “identity” of the router displayed before the command prompt. The identity may be set with the command /system identity set xxxxx.

[MikroTik] interface pppoe-server server>
add service-name="office" interface=prism1 \
    local-address=10.0.0.217 remote-address=10.0.0.130-10.0.0.135
[MikroTik] interface pppoe-server server> print                                
Flags: X - disabled 
  0   service-name=office interface=prism1 mtu=1492 mru=1492 idle-timeout=0s 
      session-timeout=0s local-address=10.0.0.217 
      remote-address=10.0.0.130-10.0.0.135 pap=no chap=yes ms-chapv2=no 
      compression=no encryption=none 

[MikroTik] interface pppoe-server server>

Descriptions of settings:

pap, chap, ms-chapv2 - It is suggested that chap always be set to yes. PAP is best disabled because it sends the user-name and password in clear text. ms-chapv2 should be disabled as it is not needed unless there is a special situation that requires an encrypted link. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol.
encryption - Will only work in encrypted mode when ms-chapv2 authentication is used. For most setups, it should be set to none.
interface - The PPPoE server can be attached to any Ethernet like interface – for example: wireless, 10/100/1000 Ethernet, and EoIP tunnels.
compression - Standard PPP level compression.
service-name - The PPPoE service name.
mtu, mru - The default MTU and MRU is set to 1492 because of the PPPoE overhead. For encryption, subtract four more bytes and set the MTU and MRU to 1488.

idle-timeout - A standard PPP setting. The link will be terminated if there is no activity within the time set – in seconds. When set to “0,” there is no timeout.
session-timeout - The maximum time the connection can stay up, in the format Xh, Xm or Xs. When set to “0,” there is no timeout.
local-address - The IP address or address range of the PPPoE local server for each new PPPoE connection. One local address can be used on multiple static server interfaces. Usually, it is best that this is not a real IP address. Only the client could have a use for a real IP address. If an IP address range is used, it should include the same number of addresses as the 'remote-address' range.
remote-address - The IP address or address range for the PPPoE remote client for each new PPPoE connection. One address must be available for each current connection – the number of addresses in the range selected will be the maximum number of current connections. If RADIUS authentication is used to give out addresses, it is still required to have a range of addresses set in this server setup.

DO NOT assign an IP address to the interface you will be receiving the PPPoE requests on. The PPPoE server will create a point-to-point connection for each individual client. Each connection will have an individual dynamic (virtual) p2p interface. The local-address will be set on its server side, and the remote-address will be given to the client. The addresses do not need to be from 'the same network', since the p2p connections have addresses with 32 bit netmasks anyway. What you set on the server side does not matter so much - it can be the address of another of the router's interfaces, or some arbitrary address.
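The range arithmetic the server setup relies on (the size of the 'remote-address' range is the concurrent-connection limit, the 5000 hard limit, and a 'local-address' range that must match the remote range in size) as an added Python check; this is not part of the manual or of RouterOS, the address specs are taken from the server example above, and the function names count_addresses and check_server_pool are chosen here.

```python
import ipaddress

# Hard limit for concurrent PPPoE connections stated in the manual for RouterOS 2.5.
MAX_PPPOE_CONNECTIONS = 5000


def count_addresses(spec):
    """Count the IPv4 addresses in a RouterOS-style address spec.

    Accepts a single address ("10.0.0.217") or a "first-last" range as used
    by remote-address ("10.0.0.130-10.0.0.135").  Raises ValueError on a
    malformed address or a range whose end precedes its start.
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return int(last) - int(first) + 1
    ipaddress.IPv4Address(spec)  # validates the single address
    return 1


def check_server_pool(local_address, remote_address):
    """Return (max_connections, problems) for one pppoe-server entry.

    max_connections is the size of the remote-address range, which the
    manual says is the effective limit on concurrent connections.  problems
    lists the sizing mistakes worth catching before the server goes live.
    """
    remote_count = count_addresses(remote_address)
    local_count = count_addresses(local_address)
    problems = []
    if remote_count > MAX_PPPOE_CONNECTIONS:
        problems.append(f"remote-address has {remote_count} addresses, "
                        f"above the {MAX_PPPOE_CONNECTIONS} hard limit")
    # A single local address may be shared; a local range must match the remote range.
    if local_count != 1 and local_count != remote_count:
        problems.append(f"local-address has {local_count} addresses but "
                        f"remote-address has {remote_count}; the ranges should match")
    return remote_count, problems


if __name__ == "__main__":
    # The manual's server example: one shared local address, six remote addresses.
    print(check_server_pool("10.0.0.217", "10.0.0.130-10.0.0.135"))
```

Sizing a range by its endpoints is error-prone: count_addresses reports 1279 addresses for the range 10.0.0.1-10.0.4.255 quoted above, so check the count rather than eyeballing the last octet.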

Please see the IP Addresses and Address Resolution Protocol (ARP) Manual for how to give out addresses to PPPoE clients from the same address space you are using on your local network.

PPPoE bandwidth setting

For local authentication, this can be set in the “[MikroTik] user>” menu with the “tx-bit-rate” and “rx-bit-rate” values (in bits/s). For RADIUS authentication, the account of each user in the RADIUS server should be set with:

Parameter: Ascend-Data-Rate (with parameter ID 197 -- in bits/s) 
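The attribute named above, Ascend-Data-Rate as RADIUS attribute 197 carrying a bits/s integer, encoded and parsed as an added Python example; this is not from the manual or from RouterOS, no RADIUS server is contacted (the attribute list is constructed inline), and the function names are chosen for this example.

```python
import struct

# RADIUS attribute number the manual gives for Ascend-Data-Rate; value is in bits/s.
ASCEND_DATA_RATE = 197


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute (Type, Length, Value) carrying a 32-bit integer.

    RADIUS integer attributes are unsigned 32-bit and the Length byte covers
    the whole TLV, so an integer attribute is always 6 bytes.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    return struct.pack(">BBI", attr_type, 6, value)


def decode_attributes(data):
    """Walk a concatenated RADIUS attribute list and return {type: raw value bytes}.

    A Length below 2 or running past the buffer is rejected rather than
    skipped, since a bad Length is the usual way such a parser is derailed.
    """
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs[attr_type] = bytes(data[pos + 2:pos + length])
        pos += length
    return attrs


def data_rate_from_reply(data):
    """Return the Ascend-Data-Rate (bits/s) in an Access-Accept attribute list, or None."""
    raw = decode_attributes(data).get(ASCEND_DATA_RATE)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("Ascend-Data-Rate must be a 4-byte integer")
    return struct.unpack(">I", raw)[0]


if __name__ == "__main__":
    # Constructed reply: User-Name (type 1) "john" followed by a 512 kbit/s rate.
    reply = bytes([1, 6]) + b"john" + encode_attribute(ASCEND_DATA_RATE, 512_000)
    print(data_rate_from_reply(reply))
```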

PPPoE in a multipoint wireless 802.11b network

In a wireless network, the PPPoE server may be attached to our PRISMII 2.4GHz Access Point (infrastructure mode) interface. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.

PPPoE Troubleshooting

Additional Resources

Links for PPPoE documentation:

PPPoE Clients:


© Copyright 1999-2002, MikroTik