Document revision: 1.6 (Mon Jul 17 14:11:18 GMT 2006)
The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The difference between them lies in the transport: PPPoE runs over Ethernet instead of a modem connection.
Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and, if desired, workstation) authentication, as opposed to the workstation-only authentication you get with static IP addresses or DHCP. It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE, for obvious security reasons: a host on that segment could then reach the network without ever passing PPPoE authentication.
MikroTik RouterOS can act as a RADIUS client - you can use a RADIUS server to authenticate PPPoE clients and use accounting for them.
A PPPoE connection is composed of a client and an access concentrator (server). The client may be any computer that has PPPoE client protocol support installed. MikroTik RouterOS supports both the client and the access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet-level interface on the router: wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA and MPPE 128bit RSA encryption are supported.
Note that when the RADIUS server authenticates a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the RADIUS shared secret is not needed to validate the request; it is used only in the authentication reply. So even if you have a wrong shared secret, the RADIUS server will accept the request, and the router will then be unable to verify the reply. Use the /radius monitor command to watch the bad-replies parameter: with a wrong secret, this value increases whenever a client tries to connect.
- MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
- MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers)
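To show why a wrong shared secret surfaces as bad-replies rather than as a rejected request, here is an added example (not code from the RouterOS manual) of the router-side check on a RADIUS reply: the Response Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865, so a reply computed with a different secret than the router holds cannot verify. The packet bytes, request authenticator and secret are constructed here for illustration.

```python
# Added example, not from the RouterOS manual: how a router verifies a RADIUS
# reply. The server validated a CHAP request without the secret and answered
# Access-Accept; the router can only trust that reply if its Response
# Authenticator was computed with the same shared secret the router holds.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a RADIUS reply the way the server does (sample input only)."""
    length = 20 + len(attrs)                  # header is always 20 bytes
    head = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def reply_is_authentic(reply, request_auth, secret):
    """Router-side check: recompute the Response Authenticator and compare.

    A mismatch is what /radius monitor counts as a bad reply; the reply is
    discarded and the PPPoE user is not authenticated.
    """
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):                  # truncated or padded packet
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


# Constructed sample: a fixed request authenticator (random in practice),
# a placeholder secret, and one Framed-IP-Address attribute (type 8) handing
# out 10.1.1.62, the first address of the manual's pppoe-pool.
REQUEST_AUTH = bytes(range(16))
SHARED_SECRET = b"constructed-secret"
SAMPLE_ATTRS = bytes([8, 6, 10, 1, 1, 62])
SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SAMPLE_ATTRS, SHARED_SECRET)
```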
Quick Setup Guide
To configure MikroTik RouterOS to be a PPPoE client
Just add a pppoe-client:
/interface pppoe-client add name=pppoe-user-mike user=mike password=123 \
    interface=wlan1 service-name=internet disabled=no
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server)
Add an address pool for the clients from 10.1.1.62 to 10.1.1.72, called pppoe-pool:
/ip pool add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72
Add a PPP profile, called pppoe-profile, where local-address is the router's address and clients get an address from pppoe-pool:
/ppp profile add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool
Add a user with username mike and password 123:
/ppp secret add name=mike password=123 service=pppoe profile=pppoe-profile
Now add a pppoe server:
/interface pppoe-server server add service-name=internet interface=wlan1 \
    default-profile=pppoe-profile
Specifications
Packages required: ppp
License required: Level1 (limited to 1 interface) , Level3 (limited to 200 interfaces) , Level4 (limited to 200 interfaces) , Level5 (limited to 500 interfaces) , Level6 (unlimited)
Submenu level: /interface pppoe-server, /interface pppoe-client
Standards and Technologies: PPPoE (RFC 2516)
Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of 65535 connections is supported.
Links for PPPoE documentation:
RASPPPoE for Windows 95, 98, 98SE, ME, NT4, 2000, XP, .NET: http://www.raspppoe.com/
PPPoE Client Setup
Submenu level: /interface pppoe-client
The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE server (access concentrator).
Note for Windows. Some connection instructions write the "phone number" in the form "MikroTik_AC\mt1", where "MikroTik_AC" is the access concentrator name and "mt1" is the service name.
Property Description
ac-name (text; default: "") - this may be left blank and the client will connect to any access concentrator that offers the "service" name selected
add-default-route (yes | no; default: no) - whether to add a default route automatically
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
dial-on-demand (yes | no; default: no) - connects to the AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle-timeout value
interface (name) - interface the PPPoE server can be reached through
mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MRU to 1480 to avoid fragmentation of packets)
mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
name (name; default: pppoe-out1) - name of the PPPoE interface
password (text; default: "") - the user password used to connect to the PPPoE server
profile (name) - default profile for the connection
service-name (text; default: "") - specifies the service name set on the access concentrator. Leave it blank unless you have many services and need to specify the one you need to connect to
use-peer-dns (yes | no; default: no) - whether to set the router's default DNS to the PPP peer DNS (i.e. whether to get DNS settings from the peer)
user (text; default: "") - a user name that is present on the PPPoE server
To add and enable PPPoE client on the gig interface connecting to the AC that provides testSN service using user name john with the password password:
[admin@RemoteOffice] interface pppoe-client> add interface=gig \
    service-name=testSN user=john password=password disabled=no
[admin@RemoteOffice] interface pppoe-client> print
Flags: X - disabled, R - running
 0 R name="pppoe-out1" mtu=1480 mru=1480 interface=gig user="john"
     password="password" profile=default service-name="testSN" ac-name=""
     add-default-route=no dial-on-demand=no use-peer-dns=no
Monitoring PPPoE Client
Command name: /interface pppoe-client monitor
Property Description
ac-mac (MAC address) - MAC address of the access concentrator (AC) the client is connected to
ac-name (text) - name of the AC the client is connected to
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
service-name (text) - name of the service the client is connected to
status (text) - status of the client:
Verifying password... - connection has been established to the server, password verification in progress
Connected - self-explanatory
Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
To monitor the pppoe-out1 connection:
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1
    status: "connected"
    uptime: 10s
    encoding: "none"
    service-name: "testSN"
    ac-name: "10.0.0.1"
    ac-mac: 00:C0:DF:07:5E:E6
[admin@MikroTik] interface pppoe-client>
PPPoE Server Setup (Access Concentrator)
Submenu level: /interface pppoe-server server
The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.
The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
PPPoE users are created in /ppp secret menu, see the AAA manual for further information.
Note that if no service name is specified in Windows XP, it will use only a service with no name. So if you want to serve Windows XP clients, leave your service name empty.
Property Description
authentication (multiple choice: mschap2 | mschap1 | chap | pap; default: mschap2, mschap1, chap, pap) - authentication algorithm
default-profile (name; default: default) - default profile to use
interface (name) - interface to which the clients will connect
keepalive-timeout (time; default: 10) - defines the time period (in seconds) after which the router starts sending keepalive packets every second. If no traffic and no keepalive responses have arrived for that period of time (i.e. 2 * keepalive-timeout), the non-responding client is proclaimed disconnected.
max-mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MRU to 1480 to avoid fragmentation of packets)
max-mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for a 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
max-sessions (integer; default: 0) - maximum number of clients that the AC can serve
The default keepalive-timeout value of 10 is OK in most cases. If you set it to 0, the router will not disconnect clients until they log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used.
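The AC name and service name above travel as tags in the PPPoE Discovery packets (RFC 2516): the client broadcasts a PADI carrying the Service-Name it wants, and each access concentrator answers with a PADO carrying its AC-Name and the services it offers. The following is an added example, not code from the RouterOS manual, that parses those frames and applies the matching rule the note describes; the frames, MAC addresses and names are constructed here for illustration.

```python
# Added example, not from the RouterOS manual: a minimal RFC 2516 Discovery
# stage parser plus the service-name match the manual describes. Frames are
# constructed below for illustration.
import struct

ETHERTYPE_DISCOVERY = 0x8863
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102


def build_discovery(code, dst, src, tags):
    """Assemble an Ethernet + PPPoE Discovery frame (sample input only)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETHERTYPE_DISCOVERY)
            + struct.pack("!BBHH", 0x11, code, 0, len(body)) + body)


def parse_discovery(frame):
    """Return {'src', 'code', 'session_id', 'tags': [(type, value), ...]}."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_DISCOVERY:
        raise ValueError("EtherType is not 0x8863 (PPPoE Discovery)")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("only PPPoE version 1 / type 1 is defined")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field runs past the frame")
    tags, pos = [], 0
    while pos + 4 <= len(payload):   # each tag: type(2) length(2) value
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tag_type == TAG_END:
            break
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag length runs past the payload")
        tags.append((tag_type, value))
        pos += 4 + tag_len
    return {"src": frame[6:12], "code": code, "session_id": session_id, "tags": tags}


def tag(pkt, tag_type, default=b""):
    """First value of the given tag type, or default when it is absent."""
    return next((v for t, v in pkt["tags"] if t == tag_type), default)


def offer_matches(padi, pado):
    """True if the PADO advertises exactly the service the PADI asked for;
    per the manual an XP client (empty Service-Name) only accepts a service
    with no name, so service-name=internet never yields a usable offer."""
    return tag(padi, TAG_SERVICE_NAME) == tag(pado, TAG_SERVICE_NAME, None)


# Constructed sample: XP-style PADI (empty Service-Name) broadcast by the
# client, answered by an AC with identity "MikroTik" offering "internet".
CLIENT_MAC, AC_MAC = bytes.fromhex("00c0ca1616a5"), bytes.fromhex("00c0df075ee6")
SAMPLE_PADI = build_discovery(CODE_PADI, b"\xff" * 6, CLIENT_MAC,
                              [(TAG_SERVICE_NAME, b"")])
SAMPLE_PADO = build_discovery(CODE_PADO, CLIENT_MAC, AC_MAC,
                              [(TAG_AC_NAME, b"MikroTik"),
                               (TAG_SERVICE_NAME, b"internet")])
```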
Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.
To add PPPoE server on ether1 interface providing ex service and allowing only one connection per host:
[admin@MikroTik] interface pppoe-server server> add interface=ether1 \
    service-name=ex one-session-per-host=yes
[admin@MikroTik] interface pppoe-server server> print
Flags: X - disabled
 0 X service-name="ex" interface=ether1 mtu=1480 mru=1480
     authentication=mschap2,mschap,chap,pap keepalive-timeout=10
     one-session-per-host=yes default-profile=default
[admin@MikroTik] interface pppoe-server server>
The PPPoE users are authenticated through a RADIUS server (if configured), and if RADIUS fails, then the local PPP user database is used. See the respective manual sections for more information.
PPPoE Server User Interfaces
Submenu level: /interface pppoe-server
This menu shows all the connected users and lets you set static interface names for use in configurations that must refer to a fixed interface (and thus cannot use dynamic names).
Property Description
encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
name (name) - interface name
remote-address (read-only: MAC address) - MAC address of the connected client
service-name (name) - name of the service the user is connected to
uptime (time) - shows how long the client has been connected
user (name) - the name of the connected user (must be present in the user database)
To view the currently connected users:
[admin@MikroTik] interface pppoe-server> print
Flags: R - running
 #    NAME         SERVICE  REMOTE-ADDRESS     USER  ENCO...  UPTIME
 0  R <pppoe-ex>   ex       00:C0:CA:16:16:A5  ex             12s
[admin@MikroTik] interface pppoe-server>
To disconnect the user ex:
[admin@MikroTik] interface pppoe-server> remove [find user=ex]
[admin@MikroTik] interface pppoe-server> print
[admin@MikroTik] interface pppoe-server>
PPPoE in a multipoint wireless 802.11g network
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of the wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500-byte packets and avoids any problems associated with MTUs lower than 1500. At this time it has not been determined how to change the MTU of the Windows wireless interface.
Let us consider the following setup, where the MikroTik wireless AP offers wireless clients transparent, authenticated access to the local network:
First of all, the wireless interface should be configured:
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
    frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running
 0    name="wlan1" mtu=1500 mac-address=00:01:24:70:53:04 arp=enabled
      disable-running-check=no interface-type=Atheros AR5211
      radio-name="000124705304" mode=station ssid="mt" area=""
      frequency-mode=superchannel country=no_country_set antenna-gain=0
      frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
      supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
      supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
                          54Mbps
      basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
      ack-timeout=dynamic tx-power=default tx-power-mode=default
      noise-floor-threshold=default periodic-calibration=default
      burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
      update-stats-interval=disabled default-authentication=yes
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
      hide-ssid=no security-profile=default disconnect-timeout=3s
      on-fail-retry-time=100ms preamble-mode=both
[admin@PPPoE-Server] interface wireless>
Now, configure the Ethernet interface, add the IP address and set the default route:
[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.3/24        10.1.0.0        10.1.0.255      Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static,
       r - rip, b - bgp, o - ospf
 #      DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0 ADC  10.1.0.0/24                                   Local
 1 A S  0.0.0.0/0          r 10.1.0.1        1        Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
 #    NAME       MTU   MAC-ADDRESS         ARP
 0  R Local      1500  00:0C:42:03:25:53   proxy-arp
[admin@PPPoE-Server] interface ethernet>
We should add a PPPoE server to the wireless interface:
[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
    service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
 0   service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480
     authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>
Finally, we can set up PPPoE clients:
[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
 # NAME       RANGES
 0 pppoe      10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
    local-address=10.1.0.3 remote-address=pppoe
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
 0 * name="default" local-address=10.1.0.3 remote-address=pppoe
     use-compression=no use-vj-compression=no use-encryption=yes only-one=no
     change-tcp-mss=yes
 1 * name="default-encryption" use-compression=default
     use-vj-compression=default use-encryption=yes only-one=default
     change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
 #   NAME   SERVICE  CALLER-ID  PASSWORD  PROFILE  REMOTE-ADDRESS
 0   w      pppoe               wkst      default  0.0.0.0
 1   l      pppoe               ltp       default  0.0.0.0
[admin@PPPoE-Server] ppp secret>
Thus we have completed the configuration and added two users, w and l, who are able to connect to the Internet using PPPoE client software.
Note that the Windows XP built-in client supports encryption, but RASPPPoE does not. So, if you do not plan to support Windows clients older than Windows XP, it is recommended to set require-encryption to yes in the default profile configuration. Otherwise, the server will accept clients that do not encrypt data.
I can connect to my PPPoE server. The ping goes even through it, but I still cannot open web pages
Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp profile the dns-server parameter).
The PPPoE server shows more than one active user entry for one client, when the clients disconnect, they are still shown and active
Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if you want clients to be considered logged off when they do not respond for 10 seconds.
Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP profile settings) is set to yes then the clients might be able to connect only once. To resolve this problem one-session-per-host parameter in PPPoE server configuration should be set to yes
I can only get small packets (e.g. pings) through the PPPoE link
You need to change the MSS of all packets passing through the PPPoE link to the PPPoE link's MTU minus 40, on at least one of the peers. So for a PPPoE link with an MTU of 1480:
[admin@MT] interface pppoe-server server> set 0 max-mtu=1440 max-mru=1440
[admin@MT] interface pppoe-server server> print
Flags: X - disabled
 0   service-name="mt" interface=wlan1 max-mtu=1440 max-mru=1440
     authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=default
[admin@MT] interface pppoe-server server>
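The MTU-40 rule works because a TCP segment carries a 20-byte IP header and a 20-byte TCP header, so the MSS a host advertises in its SYN must not exceed link MTU minus 40 or full-size segments will not fit the PPPoE link (which is what change-tcp-mss=yes in the PPP profile corrects on the router). The following is an added example, not code from the RouterOS manual, showing that clamping applied to the option bytes of a TCP SYN; the option bytes are constructed here for illustration.

```python
# Added example, not from the RouterOS manual: what MSS clamping does on the
# wire. Rewrites the MSS option of a TCP SYN so that MSS <= link MTU - 40
# (20-byte IP header + 20-byte TCP header). Options below are constructed.
import struct

MSS_KIND, MSS_LEN = 2, 4


def max_mss_for_link(pppoe_mtu):
    """Largest MSS that fits a PPPoE link: its MTU minus IP and TCP headers."""
    return pppoe_mtu - 40


def clamp_mss(options, max_mss):
    """Return (new_options, old_mss) with any MSS option capped at max_mss.

    Walks the TCP options list: kind 0 ends it, kind 1 is a one-byte NOP,
    every other option is kind, length, data. Malformed lengths raise.
    """
    out, pos, old = bytearray(options), 0, None
    while pos < len(out):
        kind = out[pos]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # NOP padding
            pos += 1
            continue
        if pos + 2 > len(out):
            raise ValueError("option header truncated")
        length = out[pos + 1]
        if length < 2 or pos + length > len(out):
            raise ValueError("option length out of range")
        if kind == MSS_KIND:
            if length != MSS_LEN:
                raise ValueError("MSS option must be 4 bytes")
            old = struct.unpack("!H", out[pos + 2:pos + 4])[0]
            if old > max_mss:
                struct.pack_into("!H", out, pos + 2, max_mss)
        pos += length
    return bytes(out), old


# Constructed sample SYN options: MSS 1460 (a host on 1500-byte Ethernet),
# SACK permitted, NOP, window scale 7. 1460 does not fit a 1480-byte link.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "01" "030307")
```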
My windows PPPoE client obtains IP address and default gateway from the MikroTik PPPoE server, but it cannot ping beyond the PPPoE server and use the Internet
The PPPoE server is not bridging the clients. Configure masquerading for the PPPoE client addresses, or make sure you have proper routing for the address space used by the clients, or enable Proxy-ARP on the Ethernet interface (see the IP Addresses and Address Resolution Protocol (ARP) manual).
My Windows XP client cannot connect to the PPPoE server
You have to specify the "Service Name" in the properties of the XP PPPoE client. If the service name is not set, or it does not match the service name of the MikroTik PPPoE server, you get "line is busy" errors, or the system shows "verifying password - unknown error".
I want to have logs for PPPoE connection establishment
Configure the logging feature under the /system logging facility and enable the PPP type logs.