 
rae
newbie
Topic Author
Posts: 33
Joined: Fri Jul 04, 2014 5:17 pm

PPPoE Server Best Practice

Thu Jul 17, 2014 10:42 am

I currently have a single Mikrotik on the main link of the network doing everything, including PPPoE server and userman RADIUS; the network is fairly small at this stage. Is it best to rather put a Mikrotik in at each tower and run them as PPPoE servers pointing to the main one for RADIUS?
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: PPPoE Server Best Practice

Thu Jul 17, 2014 5:04 pm

Yes, it is better to have the PPPoE server as close to the clients as possible. That will eliminate a lot of troubleshooting for you down the road. It will also allow the customers to connect faster and stay connected longer.
 
rae
newbie
Topic Author
Posts: 33
Joined: Fri Jul 04, 2014 5:17 pm

Re: PPPoE Server Best Practice

Thu Jul 17, 2014 5:24 pm

Thanks, I'll do that.

What do you suggest for IPs?

- RBs in their own range
- Antennas in their own range
- Clients in their own range

or

- RBs & antennas in their own range
- Clients in their own range

RBs will have at least two ethers connected to antennas:
-> Backbone PtP
-> Client sector
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: PPPoE Server Best Practice

Thu Jul 17, 2014 7:48 pm

Personally, I prefer to keep the clients on their own subnets and anything else in the distribution or the core on separate subnets. That way, if you need to block access for security reasons or make routing changes in the future, it's much easier to do. You also break up the broadcast domains that way.
 
rextended
Forum Guru
Posts: 12638
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: PPPoE Server Best Practice

Thu Jul 17, 2014 8:21 pm

In my opinion, the worst way to use a PPPoE server is to put it closer to the client.

Why?

Unsolicited network traffic going to the client, or legitimate traffic going to the client, is NOT filtered before PASSING THROUGH THE WHOLE NETWORK to the client.

For example, if a client uses P2P, how do you filter all the world's traffic BEFORE it reaches the client?

If a client pays for, say, 10 Mbps, how do you limit INBOUND traffic (or a DDoS / DoS attack) before it traverses the whole network to the client?

Using one PPPoE server at the fiber/connection source is better because you filter unwanted or unpaid-for bandwidth to the client, and the whole network is loaded only with wanted traffic.

And about IPs:
one internal 100.x.x.x pool for the network devices,
NO IP on the PPPoE interfaces,
NO IP on the CPE wlan1 interface,
on CPE ether1 a 192.168.x.x pool for the client's needs.
PPPoE clients get the public (or NATed) IP address.
 
rae
newbie
Topic Author
Posts: 33
Joined: Fri Jul 04, 2014 5:17 pm

Re: PPPoE Server Best Practice

Thu Jul 17, 2014 10:07 pm

The problem I'm experiencing now is clients complaining about no internet, then replying soon after saying it's fine again. The log shows "peer is not responding", drops the connection and then reconnects. I've changed keepalive to 0, 10 and up but no difference. I recently implemented the PPPoE server; everything was IP based before and I didn't have these issues.

How does having the PPPoE server on the main router influence client authentication? Don't they bounce around the network first looking for the server? The other problem (I posted another thread about it) is I'm unable to connect to towers or clients now, as the ether to the first PtP is the ether where the PPPoE server runs from.

It seems it may be best to pop in other RBs at towers where clients connect and run PPPoE servers from there, and only have RADIUS on the main.

I understand what you're saying rex and it makes sense, the network will basically move data that only gets dropped once reaching the tower RB depending on filters.
 
joegoldman
Forum Veteran
Posts: 775
Joined: Mon May 27, 2013 2:05 am

Re: PPPoE Server Best Practice

Fri Jul 18, 2014 1:39 am

rextended wrote:
In my opinion, the worst way to use a PPPoE server is to put it closer to the client.

Why?

Unsolicited network traffic going to the client, or legitimate traffic going to the client, is NOT filtered before PASSING THROUGH THE WHOLE NETWORK to the client.

I agree - even though I have RBs at all sites, I tend to tunnel PPPoE to a central location to avoid the backhaul being flooded. 2 big devices in failover at the core of the network makes much more sense for network design and failure resolution.
 
rae
newbie
Topic Author
Posts: 33
Joined: Fri Jul 04, 2014 5:17 pm

Re: PPPoE Server Best Practice

Fri Jul 18, 2014 12:43 pm

I'm thinking this:

Main RB
0.0.0.0/0 => 172.16.0.1
ether1 172.16.0.2/16 RADIUS

Towers - 172.16.1.1 >>
Each tower where clients connect has an RB with PPPoE

Clients - 10.0.0.10 >>

Userman allows me to specify an IP per account so instead of having a pool I can assign via Userman and setup rules on main RB per client IP.

Good idea, bad idea?
 
thatsgamer
just joined
Posts: 7
Joined: Fri Jul 28, 2017 3:19 pm
Location: India

Re: PPPoE Server Best Practice

Sat Aug 05, 2017 5:04 pm

Hello guys, I need suggestions on whether the following setup is good to implement in a live environment.

Estimated PPPoE clients: 150.
[network diagram image]
 
locodog
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: PPPoE Server Best Practice

Mon Aug 07, 2017 12:17 am

You really should consider putting the RADIUS server on a separate VLAN (if you have a managed switch), and if you don't have a managed switch, use another Mikrotik interface for it. I would also use a separate VLAN (without an IP address on that interface) for customers at site 1, and another VLAN for the PowerBeam. My suggestion is to set up the PowerBeam on site 1 as a router, to avoid user broadcasts going over the wireless link.
The RouterBOARD 750 on site 2 cannot work with the IP addresses you used (you cannot have addresses from the same subnet on 2 separate interfaces).

In general there are a lot of ways to configure your network, but having everything in the same subnet is something I would strongly advise against.

If I can find more time I could use your drawing to make my suggestion for your network.
 
thatsgamer
just joined
Posts: 7
Joined: Fri Jul 28, 2017 3:19 pm
Location: India

Re: PPPoE Server Best Practice

Mon Aug 07, 2017 6:00 pm

locodog wrote:
You really should consider putting the RADIUS server on a separate VLAN (if you have a managed switch), and if you don't have a managed switch, use another Mikrotik interface for it. I would also use a separate VLAN (without an IP address on that interface) for customers at site 1, and another VLAN for the PowerBeam. My suggestion is to set up the PowerBeam on site 1 as a router, to avoid user broadcasts going over the wireless link.
The RouterBOARD 750 on site 2 cannot work with the IP addresses you used (you cannot have addresses from the same subnet on 2 separate interfaces).

In general there are a lot of ways to configure your network, but having everything in the same subnet is something I would strongly advise against.

If I can find more time I could use your drawing to make my suggestion for your network.

Thanks for considering my network diagram and suggesting corrections.
I have made the following changes; is this OK?
I decided to remove the second Mikrotik and use it as a hotspot server on another site.
The PowerBeam M5 on site 1 is the Access Point, site 2 is the Station [WDS mode].
Last time I configured everything on a single network because then I was able to monitor my Mikrotik via the web from any customer's house (by simply visiting 100.0.0.1 in a web browser with read-only user permissions).

Please have a look

[network diagram image]
 
locodog
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: PPPoE Server Best Practice

Mon Aug 07, 2017 7:01 pm

This is better, because the server is on a separate interface and not available to customers. Without the second Mikrotik this is the only way you can set up the network (because customers on site 2 will need L2 access to the PPPoE server).

One thing you could do to separate the UBNTs from customers is to create VLAN 11, for example, on the routerboard's LAN 2, add 192.168.11.1/24 on that VLAN, and in both PowerBeams enable the option "use management vlan" and set up VLAN 11 on them also. After that, set up IP addresses on UBNT 1 192.168.11.2/24 and on UBNT 2 192.168.11.3/24; that way management for the PowerBeams will be separated completely from users (and you can use the firewall on the routerboard to allow access to them only from your computer). I am aware that this adds complication to your network, but it also increases security:
1. because you won't have an IP address on the interface where you have the PPPoE server (that is important because someone can sniff traffic and find out what address you have and simply add a static address to his PC/router and use the internet for free)
2. your users won't be able to access UBNT management. Yes, you will have a password, but someone could try to brute force access to it, or it could get infected with one of the many UBNT viruses and create problems for you (sure, in the latest versions of UBNT firmware most of those are patched, but who knows if tomorrow something else will appear).

Of course security is always a trade-off with usability, and you may choose not to do all this if you think it is too complicated for you or your coworkers.

In this configuration the issue of broadcasts going over the wireless link still remains, but without the second Mikrotik it is the way it has to be.
 
thatsgamer
just joined
Posts: 7
Joined: Fri Jul 28, 2017 3:19 pm
Location: India

Re: PPPoE Server Best Practice

Tue Aug 08, 2017 9:32 am

locodog wrote:
This is better, because the server is on a separate interface and not available to customers. Without the second Mikrotik this is the only way you can set up the network (because customers on site 2 will need L2 access to the PPPoE server).

One thing you could do to separate the UBNTs from customers is to create VLAN 11, for example, on the routerboard's LAN 2, add 192.168.11.1/24 on that VLAN, and in both PowerBeams enable the option "use management vlan" and set up VLAN 11 on them also. After that, set up IP addresses on UBNT 1 192.168.11.2/24 and on UBNT 2 192.168.11.3/24; that way management for the PowerBeams will be separated completely from users (and you can use the firewall on the routerboard to allow access to them only from your computer). I am aware that this adds complication to your network, but it also increases security:
1. because you won't have an IP address on the interface where you have the PPPoE server (that is important because someone can sniff traffic and find out what address you have and simply add a static address to his PC/router and use the internet for free)
2. your users won't be able to access UBNT management. Yes, you will have a password, but someone could try to brute force access to it, or it could get infected with one of the many UBNT viruses and create problems for you (sure, in the latest versions of UBNT firmware most of those are patched, but who knows if tomorrow something else will appear).

Of course security is always a trade-off with usability, and you may choose not to do all this if you think it is too complicated for you or your coworkers.

In this configuration the issue of broadcasts going over the wireless link still remains, but without the second Mikrotik it is the way it has to be.

Can you draw me the diagram for a better network? I can use multiple Mikrotiks (max 2).
The first site has up to 90 PPPoE clients.
The second site has up to 30 PPPoE clients.
 
locodog
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: PPPoE Server Best Practice

Tue Aug 08, 2017 10:10 am

This would be set up with 1 Mikrotik.
You will need to add VLAN 11 on ether2 and add the IP address 192.168.11.1/24 on it.
PowerBeam 1 would be set up as Bridge, Access Point and PowerBeam 2 would be Bridge, Station WDS. Also, on both PowerBeams in Network (in simple management mode) enable Management VLAN and set it to 11, with the addresses specified in the drawing.
http://imgur.com/gqMJOxE
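The RouterOS configuration that the two suggestions above describe (RADIUS on its own interface, management VLAN 11 for the PowerBeams with no address left on the PPPoE-facing ether2, and a firewall that lets only the admin host reach the radios), written out here as an added example; it is not locodog's config or the drawing's. The RADIUS host 192.168.10.2 and admin PC 192.168.10.50 on ether3, the pppoe-customers profile and the 100.64.0.0/24 session pool are assumptions.

```routeros
# Added example, not the thread author's configuration; constructed values are marked.
# Assumed layout: ether2 faces customers and PowerBeams (PPPoE server side),
# ether3 faces the RADIUS host (192.168.10.2) and the admin PC (192.168.10.50).

# 1. RADIUS on its own interface, never on the customer-facing segment.
/ip address add address=192.168.10.1/24 interface=ether3 comment="RADIUS + admin segment"
/radius add service=ppp address=192.168.10.2 secret=CHANGE-ME-SHARED-SECRET timeout=1s
/ppp aaa set use-radius=yes

# 2. Management VLAN 11 tagged on ether2. Only the VLAN sub-interface carries an
#    address; the PowerBeams sit at 192.168.11.2 and .3 as in the thread.
/interface vlan add name=vlan11 interface=ether2 vlan-id=11
/ip address add address=192.168.11.1/24 interface=vlan11 comment="PowerBeam management"

# 3. PPPoE server on untagged ether2. Session addresses come from the profile
#    and pool (100.64.0.0/24 is a constructed CGNAT range), so ether2 itself
#    needs no IP and a customer cannot bypass PPPoE with a static address.
/ip pool add name=pppoe-pool ranges=100.64.0.10-100.64.0.254
/ppp profile add name=pppoe-customers local-address=100.64.0.1 remote-address=pppoe-pool
/interface pppoe-server server add service-name=isp interface=ether2 \
    default-profile=pppoe-customers authentication=pap,chap,mschap2 \
    one-session-per-host=yes disabled=no
/ip address remove [find interface=ether2]

# 4. Firewall: replies flow freely, only the admin PC may open connections to
#    the radios, the radios initiate nothing, and any IP packet that arrives
#    untagged on ether2 (i.e. outside a PPPoE session) is dropped.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=forward connection-state=established,related action=accept
add chain=forward out-interface=vlan11 src-address=192.168.10.50 action=accept \
    comment="admin PC -> PowerBeam management"
add chain=forward out-interface=vlan11 action=drop comment="nobody else reaches UBNT mgmt"
add chain=forward in-interface=vlan11 action=drop comment="radios open no connections"
add chain=input in-interface=vlan11 action=drop comment="radios cannot reach the router"
add chain=input in-interface=ether2 action=drop comment="untagged IP on PPPoE segment"
add chain=forward in-interface=ether2 action=drop comment="same, for transit traffic"
```

PPPoE sessions arrive on the dynamic pppoe-<user> interfaces rather than on ether2, so the last two rules only catch hosts that skipped PPPoE and configured an address by hand.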
 
thatsgamer
just joined
Posts: 7
Joined: Fri Jul 28, 2017 3:19 pm
Location: India

Re: PPPoE Server Best Practice

Tue Aug 08, 2017 12:46 pm

locodog wrote:
This would be set up with 1 Mikrotik.
You will need to add VLAN 11 on ether2 and add the IP address 192.168.11.1/24 on it.
PowerBeam 1 would be set up as Bridge, Access Point and PowerBeam 2 would be Bridge, Station WDS. Also, on both PowerBeams in Network (in simple management mode) enable Management VLAN and set it to 11, with the addresses specified in the drawing.
http://imgur.com/gqMJOxE

Hi, thanks for the solution.
I tried this:
I removed the IP from the LAN interface, set up a VLAN with ID 11 on the LAN interface, and assigned the IP, gateway and management VLAN to the PowerBeams. This completed the network; it is working well as expected, but with only 1 issue:

I am facing an "authentication failed" issue for each client for 3-10 minutes.
Clients are taking time to dial the connection; the PPPoE connection fails to connect with the error "authentication failed" and for almost 5 mins it keeps redialing the connection. Once connected everything works fine; they are getting 1 to 10 Mbps speed for browsing as assigned. I was not facing the issue in the older configuration.
 
locodog
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: PPPoE Server Best Practice

Tue Aug 08, 2017 5:15 pm

Hmm, it is a very weird problem and I honestly don't see how the configuration changes I suggested would cause this.
Does it happen on both sites or only on one?
Did you try capturing traffic on the interface with the PPPoE server on it to see what exactly happens? Maybe RADIUS doesn't respond in a timely manner, maybe there is an L2 forwarding problem somewhere.
If you now return to the old config, does the problem disappear?
 
thatsgamer
just joined
Posts: 7
Joined: Fri Jul 28, 2017 3:19 pm
Location: India

Re: PPPoE Server Best Practice

Wed Aug 09, 2017 5:13 pm

locodog wrote:
Hmm, it is a very weird problem and I honestly don't see how the configuration changes I suggested would cause this.
Does it happen on both sites or only on one?
Did you try capturing traffic on the interface with the PPPoE server on it to see what exactly happens? Maybe RADIUS doesn't respond in a timely manner, maybe there is an L2 forwarding problem somewhere.
If you now return to the old config, does the problem disappear?

Hi, sorry for the late reply.
A small configuration error on the second site's PowerBeam and Mikrotik caused me a major downtime of 4 hours (it was not caused by our testing configuration, don't worry).
I won't be able to test the configuration for some time now, as customers have faced internet downtime.
I will test this again late tomorrow night and will reply to you soon with the results.
As for now, my old configuration is dialing PPPoE connections in seconds, not taking any time to dial.
 
locodog
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: PPPoE Server Best Practice

Wed Aug 09, 2017 6:13 pm

Can you implement the changes one by one and monitor customer logins?
For example (if everything is in the same network, RADIUS, customers and PowerBeams, like your original design):

1. Move RADIUS to a separate interface. Is there a problem with customer logins?
If there is no problem, proceed to #2.
2. Create VLAN 11 on ether2. Is there a problem now?
3. Add an address to VLAN 11. Is there a problem now?
4. Configure only the 1st PowerBeam on the management VLAN (and don't forget to add an address on that PowerBeam for VLAN 11). Is there a problem now?
5. Configure the 2nd PowerBeam on the management VLAN. Is there a problem now?
6. Disable the IP address on ether2. Is there a problem now?

This can be done because your network is relatively simple and you can troubleshoot step by step. Once you identify the change that causes the problem, you can look closer at what exactly causes it.
If after change #1 the problem starts happening, check the RADIUS configuration on the Mikrotik. Check the config on the RADIUS server itself, check the RADIUS logs to see if there is any indication of a problem, etc.
I suspect something RADIUS related (or maybe STP on the PowerBeam), but without details it's impossible to know exactly what is causing the issue.
 
Touche
just joined
Posts: 5
Joined: Sat Jan 26, 2019 10:20 am

Re: PPPoE Server Best Practice

Sun Aug 16, 2020 8:42 pm

rae wrote:
The problem I'm experiencing now is clients complaining about no internet, then replying soon after saying it's fine again. The log shows "peer is not responding", drops the connection and then reconnects. I've changed keepalive to 0, 10 and up but no difference. I recently implemented the PPPoE server; everything was IP based before and I didn't have these issues.

How does having the PPPoE server on the main router influence client authentication? Don't they bounce around the network first looking for the server? The other problem (I posted another thread about it) is I'm unable to connect to towers or clients now, as the ether to the first PtP is the ether where the PPPoE server runs from.

It seems it may be best to pop in other RBs at towers where clients connect and run PPPoE servers from there, and only have RADIUS on the main.

I understand what you're saying rex and it makes sense, the network will basically move data that only gets dropped once reaching the tower RB depending on filters.

Hi Rae, I am interested to know how you resolved the problem with clients complaining about no internet, then replying soon after saying it's fine again. I have a mix of UBNT CPEs connecting to Rocket M5 radios on sectors, with a point-to-point backhaul connected to an RB300 PPPoE server. I have checked the logs and it shows "peer is not responding", drops the connection and then reconnects. I have also changed keepalive to 0, 10 and up but no difference.