Generally speaking, the PPPoE is used to hand out IP addresses to clients based on the user (and workstation, if desired) authentication as opposed to workstation only authentication, when static IP addresses or DHCP is used. Do not use static IP addresses or DHCP on interfaces, on which the PPPoE is used for security reasons.
A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router: wireless IEEE802.11 (Aironet, Cisco, WaveLAN, Prism, Atheros), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA, and MPPE 128bit RSA encryption are supported.
Supported connections:
The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator).
Note for Windows: Some connection instructions may use the form where the 'phone number' is 'MikroTik_AC\mt1' to indicate that 'MikroTik_AC' is the access concentrator name and 'mt1' is the service name.
[admin@RemoteOffice] interface pppoe-client> add interface=gig \ \... service-name=testSN user=john password=password disabled=no [admin@RemoteOffice] interface pppoe-client> print Flags: X - disabled, R - running 0 R name="pppoe-out1" mtu=1480 mru=1480 interface=gig user="john" password="password" profile=default service-name="testSN" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no
status (string) - status of the client:
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1 status: "connected" uptime: 10s encoding: "none" service-name: "testSN" ac-name: "10.0.0.1" ac-mac: 00:C0:DF:07:5E:E6 [admin@MikroTik] interface pppoe-client>
The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.
And also note that if service name is not specified in Windows XP, it will use only service with no name. So if you want to serve Windows XP clients, leave your service-name empty.
[admin@MikroTik] interface pppoe-server server> add interface=ether1 \ \... service-name=ex one-session-per-host=yes [admin@MikroTik] interface pppoe-server server> print Flags: X - disabled 0 X service-name="ex" interface=ether1 mtu=1480 mru=1480 authentication=mschap2,mschap,chap,pap keepalive-timeout=10 one-session-per-host=yes default-profile=default [admin@MikroTik] interface pppoe-server server>
name (name) - interface name
service-name (name) - name of the service the user is connected to
remote-address (MAC address) - MAC address of the connected client
user (name) - the name of the connected user
encoding (string) - encryption and encoding (if asymmetric,
separated with '/') being used in this connection
uptime - shows how long the client is connected
[admin@MikroTik] interface pppoe-server> print Flags: R - running # NAME SERVICE REMOTE-ADDRESS USER ENCO... UPTIME 0 R <pppoe-ex> ex 00:C0:CA:16:16:A5 ex 12s [admin@MikroTik] interface pppoe-server>To disconnect the user ex:
[admin@MikroTik] interface pppoe-server> remove [find user=ex] [admin@MikroTik] interface pppoe-server> print [admin@MikroTik] interface pppoe-server>
[admin@MikroTik] ip firewall mangle> add protocol=tcp tcp-options=syn-only \ \.. action=passthrough tcp-mss=1440 [admin@MikroTik] ip firewall mangle> print Flags: X - disabled, I - invalid 0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow="" tcp-mss=1440 [admin@MikroTik] ip firewall mangle>
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.
Let us consider the following setup where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication:
Note that you should have Basic + Wireless + Wireless AP licenses for this setup.
First of all, the Prism interface should be configured:
[admin@MT_Prism_AP] interface prism> set 0 mode=ap-bridge frequency=2442MHz \ \... ssid=mt disabled=no [admin@MT_Prism_AP] interface prism> print Flags: X - disabled, R - running 0 R name="prism1" mtu=1500 mac-address=00:90:4B:02:17:E2 arp=enabled mode=ap-bridge root-ap=00:00:00:00:00:00 frequency=2442MHz ssid="mt" default-authentication=yes default-forwarding=yes max-clients=2007 card-type=generic tx-power=auto supported-rates=1-11 basic-rates=1 hide-ssid=no [admin@MT_Prism_AP] interface prism> /ip addressNow, the Ethernet interface and IP address are to be set:
[admin@MT_Prism_AP] ip address> add address=10.0.0.217/24 interface=Local [admin@MT_Prism_AP] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.217/24 10.0.0.0 10.0.0.255 Local [admin@MT_Prism_AP] ip address> /ip route [admin@MT_Prism_AP] ip route> add gateway=10.0.0.1 [admin@MT_Prism_AP] ip route> print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 Local 1 DC 10.0.0.0/24 r 0.0.0.0 0 Local [admin@MT_Prism_AP] ip route> /interface ethernet [admin@MT_Prism_AP] interface ethernet> set Local arp=proxy-arp [admin@MT_Prism_AP] interface ethernet> print Flags: X - disabled, R - running # NAME MTU MAC-ADDRESS ARP 0 R Local 1500 00:50:08:00:00:F5 proxy-arp [admin@MT_Prism_AP] interface ethernet>We should add PPPoE server to the Prism interface:
[admin@MT_Prism_AP] interface pppoe-server server> add interface=prism1 \ \... service-name=mt one-session-per-host=yes disabled=no [admin@MT_Prism_AP] interface pppoe-server server> print Flags: X - disabled 0 service-name="mt" interface=prism1 mtu=1480 mru=1480 authentication=mschap2,mschap,chap,pap keepalive-timeout=10 one-session-per-host=yes default-profile=default [admin@MT_Prism_AP] interface pppoe-server server>MSS should be changed for the packets flowing through the PPPoE link:
[admin@MT_Prism_AP] ip firewall mangle> add protocol=tcp tcp-options=syn-only \ \.. action=passthrough tcp-mss=1440 [admin@MT_Prism_AP] ip firewall mangle> print Flags: X - disabled, I - invalid 0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=passthrough mark-flow="" tcp-mss=1440 [admin@MT_Prism_AP] ip firewall mangle>And finally, we can set up PPPoE clients:
[admin@MT_Prism_AP] ip pool> add name=pppoe ranges=10.0.0.230-10.0.0.240 [admin@MT_Prism_AP] ip pool> print # NAME RANGES 0 pppoe 10.0.0.230-10.0.0.240 [admin@MT_Prism_AP] ip pool> /ppp profile [admin@MT_Prism_AP] ppp profile> set default use-encryption=yes \ \... local-address=10.0.0.217 remote-address=pppoe [admin@MT_Prism_AP] ppp profile> print Flags: * - default 0 * name="default" local-address=10.0.0.217 remote-address=pppoe session-timeout=0s idle-timeout=0s use-compression=no use-vj-compression=no use-encryption=yes require-encryption=no only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" [admin@MT_Prism_AP] ppp profile> .. secret [admin@MT_Prism_AP] ppp secret> add name=w password=wkst service=pppoe [admin@MT_Prism_AP] ppp secret> add name=l password=ltp service=pppoe [admin@MT_Prism_AP] ppp secret> print Flags: X - disabled # NAME SERVICE CALLER-ID PASSWORD PROFILE 0 w pppoe wkst default 1 l pppoe ltp default [admin@MT_Prism_AP] ppp secret> printThus we have completed the configuration and added two users: w and l who are able to connect using PPPoE client software.
Note that Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned not to support Windows clients older than Windows XP, it is recommended to switch require-encryption to yes value in the default profile configuration. In other case, the server will accept clients that do not encrypt data.
Links for PPPoE documentation:
PPPoE Clients: