mspencer
newbie
Topic Author
Posts: 41
Joined: Mon Jan 02, 2006 1:06 am
Location: Arkansas, USA

Wireless PPPoE and the way I set it up.

Sun Jun 11, 2006 8:32 am

Thought people might be interested in this. I have my clients/CB3's connecting to my wireless. The wireless hands out a DHCP private address but does not route it. Therefore, you can connect to it with a laptop, it will give you an IP, but you cannot surf. No rules set up for that. If you then run your PPPoE connection on the laptop or router, it connects and surfing is fine. I did it this way to allow my mobile users to connect to any of my radios (authenticate back to one radius server) and they don't get a "limited or no connectivity" message on the laptop. Another reason was, after connecting to the radio without DHCP and connecting to the PPPoE server, I would get dropped from time to time. It appeared to be the client dropping the connection, so I added the DHCP and the disconnects went away.

just thought you might want to know how I'm doing it
 
Equis
Forum Veteran
Posts: 886
Joined: Mon Jun 06, 2005 6:48 am

Sun Jun 11, 2006 10:14 am

Thanks for the info

:-)
 
BurstNET

Thu Aug 17, 2006 12:11 am

What if your client/laptop adds as a static ip address, say the ip address they had once before been assigned via pppoe---are they able to get online before/without even authenticating via pppoe?

That is the problem we are having currently...and I'm not quite sure how to prevent it.

Any ideas?


SMA
 
mspencer
newbie
Topic Author
Posts: 41
Joined: Mon Jan 02, 2006 1:06 am
Location: Arkansas, USA

Thu Aug 17, 2006 12:38 am

I just tested and I have the same type problem. I don't have a solution for it. Anyone else have an idea?
 
BurstNET

Thu Aug 17, 2006 1:21 am

This touched on it:

http://forum.mikrotik.com/viewtopic.php ... ight=pppoe


I'm playing with it now, but I can't get that working yet, correctly...

SMA
 
BurstNET

Thu Aug 17, 2006 3:02 am

These rules seem to have done the trick, but I'm not sure if they affected anything else:

[admin@XXXXXXXXXX] interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=wlan1 mac-protocol=0x8863 action=accept

1 chain=forward in-interface=wlan1 mac-protocol=0x8864 action=accept

2 chain=forward in-interface=wlan1 action=drop

...the odd 0x886* is the PPPOE protocols...

SMA
 
BurstNET

Sat Aug 19, 2006 2:22 am

This only seems to work for laptop clients.
Mikrotik CPE can't connect to PPPOE with these rules, AND systems behind a bridge cannot either---tried two different bridges.

I opened a support ticket with Mikrotik days ago---but no response yet.

I cannot believe with such high usage of Mikrotik, that more people are not having these problems. I have literally spent 20+ man-hours trying to get this working over the course of the past few weeks. Or, do other people just not realize that clients can get online without PPPOE authentication?@!!!!
The Mikrotik manual is useless, and has so little detail on real world configurations.

Can someone post a working PPPOE config, which does not allow access prior to PPPOE, and works from laptop client in AP > Station mode, and works from a router/laptop going thru a bridge in the middle of it (MT AP > bridge > laptop), and works from a Mikrotik CPE AP > Station and/or Station WDS?



SMA
 
sten
Forum Veteran
Posts: 927
Joined: Tue Jun 01, 2004 12:10 pm

Sun Aug 20, 2006 2:40 am

For v2.9 I've used these in essence.
Notice, 34916 is decimal since v2.9 didn't like hexadecimal (they converted wrong) when I first wrote the rules way back when.

add chain=forward mac-protocol=34916 packet-type=other-host
add chain=forward mac-protocol=34915 packet-type=!multicast
add chain=forward action=drop
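
An added example, not part of any post in this thread: a small Python model of the three bridge filter rules BurstNET printed above, run over constructed Ethernet frames to show which traffic from a client is forwarded and which is dropped. The MAC addresses, payloads, the `ether1` interface name, and the accept-when-nothing-matches default are assumptions of the model. It also checks that the decimal values in the rules just above (34915, 34916) are the same EtherTypes as 0x8863 and 0x8864.

```python
import struct

PPPOE_DISCOVERY = 0x8863  # 34915 decimal
PPPOE_SESSION = 0x8864    # 34916 decimal

# The three printed rules as a first-match list (mac_protocol None = any).
RULES = [
    {"in_interface": "wlan1", "mac_protocol": PPPOE_DISCOVERY, "action": "accept"},
    {"in_interface": "wlan1", "mac_protocol": PPPOE_SESSION, "action": "accept"},
    {"in_interface": "wlan1", "mac_protocol": None, "action": "drop"},
]

def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    return struct.unpack_from("!H", frame, 12)[0]

def verdict(frame: bytes, in_interface: str, rules=RULES) -> str:
    """Return the action of the first matching rule."""
    etype = ethertype(frame)
    for rule in rules:
        if rule["in_interface"] != in_interface:
            continue
        if rule["mac_protocol"] in (None, etype):
            return rule["action"]
    return "accept"  # assumption: a frame no rule matches is forwarded

def build_frame(dst: str, src: str, etype: int, payload: bytes = b"") -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload

# Constructed sample frames (locally administered MACs, minimal payloads).
CLIENT, ROUTER, BCAST = "020000000001", "020000000002", "ffffffffffff"
SAMPLES = {
    "PADI": build_frame(BCAST, CLIENT, PPPOE_DISCOVERY, bytes.fromhex("110900000000")),
    "PPPoE session": build_frame(ROUTER, CLIENT, PPPOE_SESSION, bytes.fromhex("1100000100020021")),
    "ARP from static-IP client": build_frame(BCAST, CLIENT, 0x0806),
    "IPv4 from static-IP client": build_frame(ROUTER, CLIENT, 0x0800, b"\x45"),
}

def run_samples(in_interface: str = "wlan1") -> dict:
    return {name: verdict(f, in_interface) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:28s} {action}")
```

The model matches only on the EtherType field at bytes 12-13 and on the interface the frame arrived on.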
 
BurstNET

Sun Aug 20, 2006 6:19 am

And this you are saying is the correct way to configure this, and it is not something we are missing/mis-configured elsewhere?

Can you give me the output of the "/interface bridge filter print" please?
I am assuming that is where you entered the rules, and not in the /ip firewall filters area...

Hope this works...so I can move on to other issues ;-)

Thank you...


SMA
 
sten
Forum Veteran
Posts: 927
Joined: Tue Jun 01, 2004 12:10 pm

Sun Aug 20, 2006 8:34 am

> And this you are saying is the correct way to configure this, and it is not something we are missing/mis-configured elsewhere?

Ah, the correct way might be something entirely different altogether.

I'm just saying that in essence I used those two rules to filter out all non-PPPoE traffic from being bridged.
If you add bridges between the station and the PPPoE router then these rules may not apply.

> Can you give me the output of the "/interface bridge filter print" please? I am assuming that is where you entered the rules, and not in the /ip firewall filters area...
>
> Hope this works...so I can move on to other issues ;-)

The configuration will drop any non-PPPoE traffic from being bridged (forwarded) through the bridge where it is applied.
 
BurstNET

Sun Aug 20, 2006 7:20 pm

OK, thanx, will give it a try.

Please spit out the "/interface bridge filter print", so I can make sure exactly how to set it up...thanx...


<< If you add bridges between the station and the pppoe router then these rules may not apply. >>

So, it may not work on a WDS bridged connection---will try that out as well, as that is one of our common scenarios.


SMA
 
BurstNET

Tue Aug 22, 2006 11:41 pm

This does not seem to function properly if you have a bridge (currently testing with an OSbridge and a Linksys) between the Mikrotik AP and the Client's computer/router.

It did seem to function if a laptop was connecting wirelessly directly to the Mikrotik AP.

Mikrotik CPE seemed to work properly even without the rules in place.


Anyone else? Any ideas?
How are you doing it? (stopping access prior to PPPOE)



Also, the Windows XP system sitting on the other side of the bridges cannot PPPOE itself thru the bridge(s) it seems...it just hangs, but can connect if going directly without the bridge--(with or without the bridge establishing PPPOE itself/first)...can't figure that one out yet...



SMA
 
BurstNET

Wed Nov 01, 2006 2:24 am

Solution for this is to have a PPPOE Aggregation Router and one or more APs in front of that, with the APs not having a route out to the Internet directly, but rather passing traffic (EOIP) thru a tunnel to the router only, and once PPPOE occurs it goes thru the tunnel and authenticates/assigns---and then public access is enabled.

SMA
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Wed Jan 10, 2007 5:54 pm

I think only that the laptop can use the IP if the outside and inside interfaces are connected to the same layer 2. You should physically segment your network. If you need public IPs on the inside, route them. That is the mess I have spent a year fixing for a WISP here in KS. Do not go down the road of connecting the inside and outside NICs to the same switch.
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Jan 11, 2007 4:08 am

I will tell you one easy way you overlooked!!

HOTSPOT running along with PPPoE server both authing on radius or if you like hotspot not authing so as a block you can even have some adverts in the walled garden ;)