PPPoE client drops with BT Full Fibre 100

usovalx5 · Sun Jan 10, 2021 3:20 am

Hi,

I'm having strange issues trying to use HAP AC2 as router with BT Full Fibre broadband.
I did set it all up successfully, but every once in a while there are short (about 1 minute) outages.
I didn't notice any pattern in the outages -- sometime it will work successfully for multiple days, other times there would be three drops in a day, at what seems like random times.
Once it wasn't able to reconnect for about 5-10 minutes.
I did try connecting via BT hub, and it seems to work fine - I didn't notice any connection drops for over a week, however with BT hub it's impossible to set up IPv6 (hub doesn't support prefix delegation) and I'm not a fan of them adding BT wifi stations.

Did anyone have similar issues or any suggestions where to look?

Here are some relevant parts of the config:

/interface ethernet
set [ find default-name=ether5 ] name=e5-wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=e5-wan name=pppoe-wan user=bthomehub@btbroadband.com

Log file for the dropped connection looks like (here e5-wan is ethernet interface plugged into openreach fibre box):

Jan 9 07:02:00 router.lan interface,info e5-wan link down
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: terminating...
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:00 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:01 router.lan interface,info e5-wan link up (speed 1G, full duplex)
Jan 9 07:02:10 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:10 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:10 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:10 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:20 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:20 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:20 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:20 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:30 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:30 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:31 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:31 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:41 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:41 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:42 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:42 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:52 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 9 07:02:52 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 9 07:02:55 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 9 07:02:55 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 9 07:02:56 router.lan pppoe,ppp,info pppoe-wan: authenticated
Jan 9 07:02:56 router.lan pppoe,ppp,info pppoe-wan: connected

jprietove · Sun Jan 10, 2021 10:57 am

Would it be the cable? Interface ether goes down and up, so it looks like a L1 problem.
Try changing it

Enviado desde mi Mi A2 mediante Tapatalk

usovalx5 · Sun Jan 10, 2021 9:16 pm

Sorry, forgot to mention it.
I did try connecting with another cable, it didn't help.
The only other idea I have is to use another ehternet port, but it's quite a lot of config changes, because of VLAN setup.

anav · Sun Jan 10, 2021 9:24 pm

Best thing is to post the entire config......to rule out software issues.
/export hide-sensitive file=anynameyouwish

usovalx5 · Sun Jan 10, 2021 10:12 pm

Here's full config.

# jan/10/2021 19:58:37 by RouterOS 6.48
# software id = SXYC-CSVI
#
# model = RBD52G-5HacD2HnD
# serial number = 92F20957FD95
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412,2437,2462 name=\
    ch-2.4g reselect-interval=30m save-selected=yes skip-dfs-channels=yes
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=\
    5180,5260,5520,5620 name=ch-5g reselect-interval=30m save-selected=yes \
    skip-dfs-channels=no
add band=5ghz-a/n/ac control-channel-width=20mhz name=ch-5g-no-dfs \
    reselect-interval=30m save-selected=yes skip-dfs-channels=yes
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=dp-v10-home \
    vlan-id=10 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=dp-v51-guest \
    vlan-id=51 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=dp-v-mgmt \
    vlan-id=159 vlan-mode=use-tag
/interface bridge
add admin-mac=82:AA:89:4D:3A:D7 arp=reply-only auto-mac=no comment=\
    "guest bridge - override MAC for DHCP" name=br-v50-guest protocol-mode=\
    none
add admin-mac=CE:CC:AA:6E:75:98 arp=reply-only auto-mac=no comment=\
    "guest bridge - override MAC for DHCP" name=br-v51-guest protocol-mode=\
    none
add admin-mac=CE:CC:AA:63:65:01 arp=reply-only auto-mac=no comment=\
    "guest bridge - override MAC for DHCP" name=br-v60-tv protocol-mode=none
add admin-mac=B8:69:F4:26:5C:30 auto-mac=no name=br1 priority=0x7000
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-eC/gn(17dBm), SSID: wifi_super, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united kingdom" disabled=no distance=indoors frequency=2427 \
    installation=indoor mode=ap-bridge ssid=wifi_super station-roaming=\
    enabled vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# channel: 5620/20-Ceee/ac/DP(24dBm), SSID: wifi_super5, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country="united kingdom" disabled=no distance=indoors \
    frequency=5260 installation=indoor mode=ap-bridge ssid=wifi_super5 \
    station-roaming=enabled vlan-id=10 vlan-mode=use-tag wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# SSID: wifi_guest, local forwarding
add disabled=no mac-address=BA:69:F4:26:5C:35 master-interface=wlan1 mode=\
    station name=wlan4 station-roaming=enabled
/interface ethernet
set [ find default-name=ether1 ] name=e1-trunk
set [ find default-name=ether2 ] name=e2-nas
set [ find default-name=ether3 ] name=e3-tv
set [ find default-name=ether4 ] name=e4-ps3
set [ find default-name=ether5 ] name=e5-wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=e5-wan name=pppoe-wan user=\
    bthomehub@btbroadband.com
/interface vlan
add interface=br1 name=v10-home vlan-id=10
add interface=br1 name=v50-guest vlan-id=50
add interface=br1 name=v51-guest vlan-id=51
add interface=br1 name=v60-tv vlan-id=60
add interface=br1 name=vlan-mgmt vlan-id=159
/caps-man rates
add basic=6Mbps name="GN standard" supported=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name="GN faster" supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=wifi_super
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=wifi_guest
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=mgmt
/caps-man configuration
add channel=ch-2.4g country="united kingdom" datapath=dp-v10-home distance=\
    indoors installation=indoor name=wifi_super rates="GN faster" security=\
    wifi_super ssid=wifi_super
add channel=ch-5g country="united kingdom" datapath=dp-v10-home distance=\
    indoors installation=indoor name=wifi_super5 rates="GN faster" \
    security=wifi_super ssid=wifi_super5
add channel=ch-2.4g country="united kingdom" datapath=dp-v51-guest distance=\
    indoors installation=indoor mode=ap name=wifi_guest rates="GN faster" \
    security=wifi_guest ssid=wifi_guest
add channel=ch-2.4g country="united kingdom" datapath=dp-v-mgmt distance=\
    indoors installation=indoor mode=ap name=MGMT rates="GN faster" security=\
    mgmt ssid=mgmt
/caps-man interface
add channel.frequency=2412,2437,2462 configuration=wifi_super disabled=no \
    l2mtu=1600 mac-address=C4:AD:34:95:10:B1 master-interface=none name=\
    super-cAP radio-mac=C4:AD:34:95:10:B1 radio-name=C4AD349510B1
add channel.frequency=2412,2437,2462 configuration=wifi_guest disabled=no \
    l2mtu=1600 mac-address=C6:AD:34:95:10:B1 master-interface=super-cAP name=\
    super-cAP-guest radio-mac=00:00:00:00:00:00 radio-name=C6AD349510B1
add channel.frequency=2412,2437,2462 configuration=wifi_super disabled=no \
    l2mtu=1600 mac-address=B8:69:F4:26:5C:34 master-interface=none name=\
    super-hAP radio-mac=B8:69:F4:26:5C:34 radio-name=B869F4265C34
add channel.frequency=5180,5260,5520,5620 configuration=wifi_super5 \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:95:10:B2 master-interface=\
    none name=super5-cAP radio-mac=C4:AD:34:95:10:B2 radio-name=C4AD349510B2
add channel.frequency=5180,5260,5520,5620 configuration=wifi_super5 \
    disabled=no l2mtu=1600 mac-address=B8:69:F4:26:5C:35 master-interface=\
    none name=super5-hAP radio-mac=B8:69:F4:26:5C:35 radio-name=B869F4265C35
add channel.frequency=2412,2437,2462 configuration=wifi_guest disabled=no \
    l2mtu=1600 mac-address=BA:69:F4:26:5C:35 master-interface=super-hAP name=\
    sup-guest radio-mac=00:00:00:00:00:00 radio-name=BA69F4265C35
add channel.frequency=2412,2437,2462 configuration=MGMT disabled=yes l2mtu=\
    1600 mac-address=BA:69:F4:26:5C:34 master-interface=super-hAP name=\
    sup-mgmt radio-mac=00:00:00:00:00:00 radio-name=BA69F4265C34
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=60 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add name=WAN
add name=MGMT
add name=VPNs
add name=VLANs
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=mgmt \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=BA:69:F4:26:5C:34 master-interface=wlan1 mode=station name=\
    wlan3 security-profile=guest ssid=wifi_guest station-roaming=enabled
/ip dhcp-server option
add code=43 name=disable_netbios value=0x010400000002
/ip pool
add name=guest50 ranges=10.10.50.100-10.10.50.200
add name=home ranges=10.10.10.100-10.10.10.200
add name=guest51 ranges=10.10.51.100-10.10.51.200
add name=mgmt ranges=192.168.89.100-192.168.89.200
add name=guest60 ranges=10.10.60.100-10.10.60.200
add name=vpn-clients ranges=10.10.20.100-10.10.20.200
/ip dhcp-server
add add-arp=yes address-pool=guest50 disabled=no interface=br-v50-guest \
    lease-time=30m name=guest50
add add-arp=yes address-pool=home disabled=no interface=v10-home lease-time=\
    30m name=home
add add-arp=yes address-pool=guest51 disabled=no interface=br-v51-guest \
    lease-time=30m name=guest51
add add-arp=yes address-pool=mgmt disabled=no interface=vlan-mgmt lease-time=\
    30m name=mgmg
add add-arp=yes address-pool=guest60 disabled=no interface=br-v60-tv \
    lease-time=30m name=tv60
/ipv6 pool
add name=site-ula prefix=fd87:8a71:b907::/48 prefix-length=64
/ppp profile
add address-list=vpn_connected_clients change-tcp-mss=yes interface-list=VPNs \
    local-address=10.10.20.1 name=ovpn remote-address=vpn-clients \
    use-encryption=required use-ipv6=no
/queue type
add kind=pcq name=misc-up pcq-classifier=\
    src-address,dst-address,src-port,dst-port pcq-limit=500KiB \
    pcq-total-limit=15000KiB
add kind=sfq name=default-up
add kind=red name=default-dwn red-avg-packet=1400
/queue simple
add disabled=yes name=queue1 target=pppoe-wan total-queue=default
/queue tree
add bucket-size=0.005 max-limit=30M name=UP parent=pppoe-wan queue=default
add bucket-size=0.005 name=OTHER packet-mark=no-mark parent=UP priority=2 \
    queue=misc-up
add limit-at=5M max-limit=26M name=VPN_throttled packet-mark=VPN_likely \
    parent=UP priority=6 queue=default-up
add bucket-size=0.005 disabled=yes max-limit=153M name=DOWN parent=br1 queue=\
    default-dwn
add bucket-size=0.005 name=VOIP packet-mark=VOIP parent=UP priority=1 queue=\
    default-up
add bucket-size=0.005 name=DNS packet-mark=DNS parent=UP priority=1 queue=\
    default-up
add bucket-size=0.005 name=ACK packet-mark=ACK parent=UP priority=1 queue=\
    default-up
add bucket-size=0.005 name=ICMP packet-mark=ICMP parent=UP priority=1 queue=\
    default-up
add bucket-size=0.005 disabled=yes name=H_DOWN packet-mark=VOIP,DNS,ACK,ICMP \
    parent=DOWN priority=1 queue=default-dwn
add bucket-size=0.005 disabled=yes name=L_DOWN packet-mark=VPN_likely,no-mark \
    parent=DOWN priority=2 queue=default-dwn
/system logging action
set 3 remote=10.10.10.21
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add allow-signal-out-of-range=10s client-to-client-forwarding=no comment=\
    "Roku stick" disabled=no mac-address=10:59:32:02:B4:D2 ssid-regexp="" \
    vlan-id=60 vlan-mode=use-tag
add allow-signal-out-of-range=10s client-to-client-forwarding=no comment=\
    "Artem's google tv" disabled=no mac-address=B0:E4:D5:A0:FF:33 \
    ssid-regexp="" vlan-id=60 vlan-mode=use-tag
/caps-man manager
set ca-certificate=LocalCA certificate=CAPsMAN-server enabled=yes \
    require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan-mgmt
/caps-man provisioning
add action=create-disabled hw-supported-modes=ac master-configuration=\
    wifi_super5 name-format=prefix-identity name-prefix=super5
add action=create-disabled hw-supported-modes=g identity-regexp=hAP.* \
    master-configuration=wifi_super name-format=prefix-identity \
    name-prefix=super slave-configurations=MGMT,wifi_guest
add action=create-disabled hw-supported-modes=g master-configuration=\
    wifi_super name-format=prefix-identity name-prefix=super \
    slave-configurations=wifi_guest
/interface bridge port
add bridge=br1 interface=e2-nas
add bridge=br1 interface=e3-tv
add bridge=br1 interface=e4-ps3
add bridge=br-v50-guest interface=v50-guest
add bridge=br-v51-guest interface=v51-guest
add bridge=br-v60-tv interface=v60-tv
add bridge=br1 interface=e1-trunk
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set rp-filter=strict
/interface ethernet switch rule
add new-dst-ports=switch1-cpu ports=e1-trunk,e2-nas,e3-tv,e4-ps3 switch=\
    switch1 vlan-id=50
add new-dst-ports=switch1-cpu ports=e1-trunk,e2-nas,e3-tv,e4-ps3 switch=\
    switch1 vlan-id=51
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,e2-nas,e1-trunk switch=switch1 \
    vlan-id=10
add independent-learning=yes ports=switch1-cpu,e2-nas,e4-ps3,e1-trunk switch=\
    switch1 vlan-id=50
add independent-learning=yes ports=switch1-cpu,e1-trunk switch=switch1 \
    vlan-id=51
add independent-learning=yes ports=switch1-cpu,e2-nas,e3-tv switch=switch1 \
    vlan-id=60
add independent-learning=yes ports=switch1-cpu,e1-trunk switch=switch1 \
    vlan-id=159
/interface l2tp-server server
set authentication=mschap2 use-ipsec=required
/interface list member
add interface=e5-wan list=WAN
add interface=v10-home list=MGMT
add interface=vlan-mgmt list=MGMT
add interface=v10-home list=VLANs
add interface=br-v50-guest list=VLANs
add interface=br-v51-guest list=VLANs
add interface=br-v60-tv list=VLANs
add interface=vlan-mgmt list=VLANs
add interface=v50-guest list=VLANs
add interface=v51-guest list=VLANs
add interface=v60-tv list=VLANs
add interface=pppoe-wan list=WAN
/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-server cipher=aes128,aes192,aes256 \
    default-profile=ovpn port=11944 require-client-certificate=yes
/interface wireless cap
# 
set bridge=br1 caps-man-addresses=127.0.0.1 certificate=cap-tv enabled=yes \
    interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=10.10.50.1/24 interface=br-v50-guest network=10.10.50.0
add address=10.10.10.1/24 interface=v10-home network=10.10.10.0
add address=10.10.51.1/24 interface=br-v51-guest network=10.10.51.0
add address=192.168.89.1/24 interface=vlan-mgmt network=192.168.89.0
add address=10.10.60.1/24 interface=br-v60-tv network=10.10.60.0
/ip cloud
set update-time=no
/ip dhcp-client
add !dhcp-options interface=e5-wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.8 domain=lan gateway=10.10.10.1
add address=10.10.50.0/24 dhcp-option=disable_netbios dns-server=10.10.10.8 \
    gateway=10.10.50.1
add address=10.10.51.0/24 dhcp-option=disable_netbios dns-server=10.10.10.8 \
    gateway=10.10.51.1
add address=10.10.60.0/24 dhcp-option=disable_netbios dns-server=10.10.60.8 \
    gateway=10.10.60.1
add address=192.168.89.0/24 dhcp-option=disable_netbios gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=\
    10.10.10.8,208.67.222.222,208.67.220.220
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=10.10.10.0/24 list=internal_addresses
add address=10.10.50.0/24 list=internal_addresses
add address=192.168.89.0/24 comment=\
    "Used by stuff in MGMT network (switches) to look for updates, etc." \
    list=internal_addresses
add address=192.168.0.1 disabled=yes list=superhub
add address=192.168.100.1 disabled=yes list=superhub
add address=10.10.51.0/24 list=internal_addresses
add address=10.10.60.0/24 list=internal_addresses
add address=10.10.20.0/24 comment="Used by OpenVPN server" list=internal_ovpn
add address=10.10.50.200 list=voip_hosts
add address=10.10.10.21 list=vpn_candidate_hosts
add address=192.168.1.254 list=superhub
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop spoofed packets to locahost" \
    dst-address=127.0.0.0/8 in-interface-list=all
add action=drop chain=input comment="drop spoofed packets from locahost" \
    in-interface-list=all src-address=127.0.0.0/8
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept DHCP" dst-port=67 \
    in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="MGMT access: mac winbox (counter)" \
    dst-port=20561 in-interface-list=MGMT protocol=udp
add action=accept chain=input comment=\
    "MGMT access: winbox, discovery (counter)" dst-port=5678,8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="only MGMT can access router itself" \
    in-interface-list=MGMT
add action=accept chain=input comment="accept OpenVPN server" disabled=yes \
    dst-port=11944 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=\
    "drop everything else (from WAN), keep separate count" in-interface-list=\
    WAN
add action=drop chain=input comment="drop everything else"
add action=fasttrack-connection chain=forward comment=\
    "only fasttrack local connections, need to shape outbound traffic" \
    connection-state=established,related in-interface-list=VLANs \
    out-interface-list=VLANs
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow DNS requests to pihole" \
    dst-address=10.10.10.8 dst-port=53 in-interface-list=VLANs protocol=udp
add action=accept chain=forward comment="Allow DNS requests to pihole" \
    dst-address=10.10.10.8 dst-port=53 in-interface-list=VLANs protocol=tcp
add action=accept chain=forward comment="Allow DNS requests to pihole" \
    dst-address=10.10.10.8 dst-port=53 in-interface-list=VPNs protocol=udp
add action=accept chain=forward comment="Allow DNS requests to pihole" \
    dst-address=10.10.10.8 dst-port=53 in-interface-list=VPNs protocol=tcp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=reject chain=forward comment=\
    "early drop - no forwarding between VLANs" in-interface-list=VLANs \
    log-prefix=fwd-rej-vlans out-interface-list=VLANs reject-with=\
    icmp-admin-prohibited
add action=drop chain=forward comment=\
    "early drop - no forwarding between WANs" in-interface-list=WAN \
    out-interface-list=WAN
add action=drop chain=forward comment="early drop - incoming form WAN with inc\
    orrect src address (likely not needed due to NAT)" in-interface-list=WAN \
    src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "early drop - incoming form WAN with spoofed src address" \
    in-interface-list=WAN src-address-list=internal_addresses
add action=drop chain=forward comment=\
    "early drop - incoming form WAN with spoofed src address" \
    in-interface-list=WAN src-address-list=internal_ovpn
add action=reject chain=forward comment=\
    "early drop - basically rp_filter for VLANs" in-interface-list=VLANs \
    reject-with=icmp-admin-prohibited src-address-list=!internal_addresses
add action=reject chain=forward comment=\
    "early drop - basically rp_filter for VPNs" in-interface-list=VPNs \
    reject-with=icmp-admin-prohibited src-address-list=!vpn_connected_clients
add action=accept chain=forward comment="accept connections out to Internet" \
    dst-address-list=!not_in_internet out-interface-list=WAN
add action=accept chain=forward comment="allow VPN to access lan" disabled=\
    yes in-interface-list=VPNs out-interface=v10-home
add action=accept chain=forward comment="allow VPN to access lan" disabled=\
    yes in-interface=v10-home out-interface-list=VPNs
add action=accept chain=forward comment="Allow connections to Superhub" \
    dst-address-list=superhub in-interface-list=MGMT out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="allow from WAN DSTNATed" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=reject chain=forward comment="reject everything else" log-prefix=\
    fwd-rej-other reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-connection chain=input comment="openvpn for artem" \
    connection-mark=no-mark disabled=yes dst-port=11944 new-connection-mark=\
    VPN_likely passthrough=no protocol=tcp
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.56 connection-mark=\
    no-mark dscp=56 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.40 connection-mark=\
    no-mark dscp=40 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.46 connection-mark=\
    no-mark dscp=46 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.48 connection-mark=\
    no-mark dscp=48 dst-address-list=!voip_hosts out-interface-list=WAN
add action=mark-connection chain=forward comment=dns connection-mark=no-mark \
    dst-port=53 new-connection-mark=DNS passthrough=no protocol=udp
add action=mark-connection chain=forward comment=VOIP connection-mark=no-mark \
    new-connection-mark=VOIP passthrough=no src-address-list=voip_hosts
add action=mark-connection chain=forward comment=\
    "vpn connection for torrents" connection-mark=no-mark dst-port=80,443 \
    new-connection-mark=VPN_candidate passthrough=no protocol=tcp \
    src-address-list=vpn_candidate_hosts
add action=mark-connection chain=forward comment="nebula vpn" \
    connection-mark=no-mark dst-port=5454 new-connection-mark=VPN_likely \
    passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="small ACK's" new-packet-mark=\
    ACK packet-size=0-200 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=DNS connection-bytes=0-5000000 \
    connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-packet chain=forward comment="VPN using DNS ports\?" \
    connection-bytes=5000000-0 connection-mark=DNS new-packet-mark=VPN_likely \
    passthrough=no
add action=mark-packet chain=forward comment=ICMP new-packet-mark=ICMP \
    passthrough=no protocol=icmp
add action=mark-packet chain=forward comment=VOIP connection-mark=VOIP \
    new-packet-mark=VOIP passthrough=no
add action=passthrough chain=forward comment="VPN_candidate all" \
    connection-mark=VPN_candidate
add action=passthrough chain=forward comment="VPN_candidate small" \
    connection-bytes=0-100000000 connection-mark=VPN_candidate
add action=mark-packet chain=forward comment="VPN_candidate large" \
    connection-bytes=100000000-0 connection-mark=VPN_candidate \
    new-packet-mark=VPN_likely passthrough=no
add action=mark-packet chain=forward comment=VPN connection-mark=VPN_likely \
    new-packet-mark=VPN_likely passthrough=no
add action=mark-packet chain=output comment=VPN connection-mark=VPN_likely \
    new-packet-mark=VPN_likely passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=\
    WAN protocol=tcp to-addresses=10.10.10.21
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=\
    WAN protocol=tcp to-addresses=10.10.10.21
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=Webfix-HAP disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 address
# address pool error: pool not found: bt-pool (4)
add address=::1 from-pool=bt-pool interface=v10-home
# address pool error: pool not found: bt-pool (4)
add address=::1 from-pool=bt-pool interface=br-v50-guest
# address pool error: pool not found: bt-pool (4)
add address=::1 from-pool=bt-pool interface=br-v51-guest
# address pool error: pool not found: bt-pool (4)
add address=::1 from-pool=bt-pool interface=br-v60-tv
add address=::1:0:0:1 from-pool=site-ula interface=v10-home
add address=::1:0:0:1 from-pool=site-ula interface=br-v50-guest
add address=::1:0:0:1 from-pool=site-ula interface=br-v51-guest
add address=::1:0:0:1 from-pool=site-ula interface=br-v60-tv
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=pppoe-wan pool-name=bt-pool \
    prefix-hint=2a00:23c7:c59e:2200::/56 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="unspecified address" list=bad_ipv6
add address=::1/128 comment=lo list=bad_ipv6
add address=fec0::/10 comment=site-local list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=ipv4-mapped list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only " list=bad_ipv6
add address=2001:db8::/32 comment=documentation list=bad_ipv6
add address=2001:10::/28 comment=ORCHID list=bad_ipv6
add address=3ffe::/16 comment=6bone list=bad_ipv6
add address=::224.0.0.0/100 comment=other list=bad_ipv6
add address=::127.0.0.0/104 comment=other list=bad_ipv6
add address=::/104 comment=other list=bad_ipv6
add address=::255.0.0.0/104 comment=other list=bad_ipv6
add address=ff00::/8 comment="multicast (as src)" list=bad_ipv6_src
add address=fd87:8a71:b907::/48 list=internal_addresses
add address=2a00:23c7:c59e:2200::/56 comment="seems BT is changing ipv6 prefix\
    , add it instead from dhcp client script" disabled=yes list=\
    internal_addresses
/ipv6 firewall filter
add action=drop chain=input disabled=yes in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop spoofed packets to localhost" \
    dst-address=::1/128 in-interface-list=all
add action=drop chain=input comment="drop spoofed packets from localhost" \
    in-interface-list=all src-address=::1/128
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=drop chain=input comment="drop LL from WAN" in-interface-list=WAN \
    src-address=fe80::/10
add action=accept chain=input comment="accept IKE" disabled=yes dst-port=\
    500,4500 protocol=udp
add action=accept chain=input comment="accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" disabled=yes \
    protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=input comment="MGMT access: mac winbox (counter)" \
    dst-port=20561 in-interface-list=MGMT protocol=udp
add action=accept chain=input comment=\
    "MGMT access: winbox, discovery (counter)" dst-port=5678,8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="only MGMT can access router itself" \
    in-interface-list=MGMT
add action=drop chain=input comment=\
    "drop everything else (from WAN), keep separate count" in-interface-list=\
    WAN
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "early drop - no forwarding between VLANs" in-interface-list=VLANs \
    out-interface-list=VLANs
add action=drop chain=forward comment=\
    "early drop - no forwarding between WANs" in-interface-list=WAN \
    out-interface-list=WAN
add action=drop chain=forward comment=\
    "early drop - incoming from WAN with spoofed src address" \
    in-interface-list=WAN src-address-list=internal_addresses
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6_src
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=reject chain=forward comment=\
    "early drop - basically rp_filter for VLANs" in-interface-list=VLANs \
    reject-with=icmp-admin-prohibited src-address-list=!internal_addresses
add action=accept chain=forward comment="accept connections out to internet" \
    out-interface-list=WAN
add action=accept chain=forward comment="accept ICMPv6" limit=5,5:packet \
    protocol=icmpv6
add action=accept chain=forward comment="accept HIP" disabled=yes protocol=\
    139
add action=accept chain=forward comment="accept IKE" disabled=yes dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" disabled=yes \
    protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="drop unsolicited from WAN" \
    in-interface-list=WAN
add action=reject chain=forward comment="reject everything else" reject-with=\
    icmp-no-route
/ipv6 firewall mangle
add action=mark-packet chain=forward comment="small ACK's" new-packet-mark=\
    ACK packet-size=0-200 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=forward comment=dns dst-port=53 \
    new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-bytes=0-5000000 \
    connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-packet chain=forward comment="VPN using DNS ports\?" \
    connection-bytes=5000000-0 connection-mark=DNS new-packet-mark=VPN_likely \
    passthrough=no
add action=mark-packet chain=forward comment=icmp new-packet-mark=ICMP \
    passthrough=no protocol=icmpv6
add action=mark-connection chain=forward comment=VOIP new-connection-mark=\
    VOIP passthrough=yes src-address-list=voip_hosts
add action=mark-packet chain=forward connection-mark=VOIP new-packet-mark=\
    VOIP passthrough=no
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.56 connection-mark=\
    no-mark dscp=56 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.40 connection-mark=\
    no-mark dscp=40 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.46 connection-mark=\
    no-mark dscp=46 dst-address-list=!voip_hosts out-interface-list=WAN
add action=add-dst-to-address-list address-list=voip_hosts \
    address-list-timeout=1h chain=forward comment=dscp.48 connection-mark=\
    no-mark dscp=48 dst-address-list=!voip_hosts out-interface-list=WAN
/ipv6 nd prefix default
set preferred-lifetime=12h valid-lifetime=20h
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name="hAP AC2"
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
/system ntp client
set enabled=yes server-dns-names=\
    0.uk.pool.ntp.org,1.uk.pool.ntp.org,2.uk.pool.ntp.org,3.uk.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set on-event=toggle-mgmt-wifi
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=e1-trunk
add interface=e2-nas
add interface=e3-tv
add interface=e5-wan
add interface=pppoe-wan
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=e1-trunk

anav · Sun Jan 10, 2021 10:58 pm

Your config, is way too complex for me to address............
I would say simplify down to one bridge as a start.
Dont know what many other settings do,

However this seems wrong to me,,,,,,,,,,
Bridge ports are NOT vlan interfaces.

/interface bridge port
add bridge=br1 interface=e2-nas
add bridge=br1 interface=e3-tv
add bridge=br1 interface=e4-ps3
add bridge=br-v50-guest interface=v50-guest
add bridge=br-v51-guest interface=v51-guest
add bridge=br-v60-tv interface=v60-tv
add bridge=br1 interface=e1-trunk
/ip neighbor discovery-settings

usovalx5 · Sun Jan 10, 2021 11:30 pm

That twist with bridges-over-vlan is basically a hack. Mikrotik doesn't allow to set admin-mac on the VLAN interface.
Normally windows uses MAC address of default gateway to identify different networks (and switch network-specific settings accordingly).
Without those bridge-over-vlan it's behaving a bit strange when switching between guest and main network.

If you look closer there, core set up is plain simple (br1 bridge, vlan filtering on the switch chip).
Those extra bridges are added on top of vlan interfaces to override admin-mac of the interface.

Otherwise it's relatively straightforward. Ignore all of the CAPSman stuff, it's likely unrelated.
There are few different vlans, set up via "/interface vlan" (as opposed to bridge vlan setup), as this is more efficient on AC2.

Another large chunk has to do with queue and firewall filtering and tagging. Quite a bit of set up, but I wouldn't expect it to affect PPPoE.

What is puzzling here for me -- at the times when PPPoE disconnects, it also shows up as ethernet link down.
I didn't have issues with this port when it was connected to either BT hub or VirginMedia cable modem.

I wonder if there are other people using Mikrotik devices with BT/Openreach equipment and whether they have similar issues.

sindy · Sun Jan 10, 2021 11:36 pm

Your config, is way too complex for me to address............
...
However this seems wrong to me,,,,,,,,,,
Bridge ports are NOT vlan interfaces.

@anav, you can have multiple bridges, and you can make the tagless end of an /interface vlan pipe a member port of a bridge; the only thing wrong is when the tagless end is made a member port of the same bridge to which the tagged end of the same pipe is connected. This is not the case here so no need to concentrate at that.

e5-wan, to which the /interface pppoe-client is attached, is not a member of any bridge, so even if something was wrong about the bridges and VLANs, it would not be relevant for the topic.

And above all, the log reports ether5 to go down and up again. So there must be something wrong with L1.

@usovalx5, if it's not the cable, it can be the port, so you'll have to bite the bullet and swap the role of two interfaces, which I agree is a lot of work given that you use even switch chip vlan filtering.

Yet another possibility is that the ports of the Mikrotik don't make good friends with the port on the other end of the WAN cable, so if you can insert a dumb gigabit switch between the two and let it run like that for a while, I'd suggest to do this step before swapping the port roles - it could also give some information.

If the contractual WAN speed is 100 Mbit/s or less, configuring e5-wan to offer only 10,100 full duplex is yet another test step.

anav · Mon Jan 11, 2021 12:21 am

I need a drink, after that dressing down LOL.
This damn ROS is too flexible. "-)

usovalx5 · Mon Jan 11, 2021 2:56 am

Thanks for advice.

I don't have any spare dumb switches laying around, so will leave that option for later.
Contractual WAN is 150Mb, but I can definitely live for couple of days with 100Mb.

Will start with limiting the interface to 100Mb, and then maybe I can try to repurpose my old cable modem to work as switch.
If this turns out to be PHY compatibility issue (e.g. it works via 100Mb / switch), what would be my options? Replace AC2 with some other device?

usovalx5 · Tue Jan 12, 2021 5:15 pm

Sadly switching to 100Mb full duplex doesn't seem to make any difference - link (and pppoe connection) dropped three times in about 1/2 day since I switched it to 100Mb.
For connecting via hub - I guess it should work if I just use either BT hub or old VirginMedia box and plug both AC2 and optical unit to lan side of it?

Also is there any software to monitor connection in eitherer mikrotik or ubuntu?
I'm not sure whether those drops would be visible in mikrotik logs when connected via the hub, e.g. if these is actuall a problem with optical unit.

Jan 12 14:55:42 router.lan interface,info e5-wan link down
Jan 12 14:55:42 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:55:42 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:55:42 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:55:42 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:55:43 router.lan interface,info e5-wan link up (speed 100M, full duplex)
Jan 12 14:55:52 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:55:52 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:55:52 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:55:52 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:56:01 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:56:01 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:56:02 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:56:02 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:56:11 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:56:11 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:56:12 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:56:12 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:56:22 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:56:22 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:56:24 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:56:24 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:56:34 router.lan pppoe,ppp,info pppoe-wan: terminating... - disconnected
Jan 12 14:56:34 router.lan pppoe,ppp,info pppoe-wan: disconnected
Jan 12 14:56:37 router.lan pppoe,ppp,info pppoe-wan: initializing...
Jan 12 14:56:37 router.lan pppoe,ppp,info pppoe-wan: connecting...
Jan 12 14:56:45 router.lan pppoe,ppp,info pppoe-wan: authenticated
Jan 12 14:56:45 router.lan pppoe,ppp,info pppoe-wan: connected

sindy · Tue Jan 12, 2021 5:58 pm

I guess it should work if I just use either BT hub or old VirginMedia box and plug both AC2 and optical unit to lan side of it?

In general it should, I am just a little bit afraid such a box might react strangely to PPPoE frames arriving on the LAN. It's all consumer grade boxes so they are tested for regular operation, not for unusual scenarios. But the risk is low and so are the possible consequences, so worth trying.

Also is there any software to monitor connection in eitherer mikrotik or ubuntu?

This logging in Mikrotik is your monitoring software - an external machine like the "ubuntu" could query some SNMP OIDs in the Mikrotik which reflect the state of the interface at the best, so no added value, rather the opposite (unless you want to get an e-mail for each event and the Ubuntu has some other connectivity to do that).

I'm not sure whether those drops would be visible in mikrotik logs when connected via the hub, e.g. if these is actuall a problem with optical unit.

Correct, the idea was that

if the PPPoE outages continue but the eth5-WAN down/up events stop coming, you can conclude that the issue is with the optical unit itself,
if everything becomes clean, the issue is the electrical compatibility between the optical unit and the Mikrotik device,
if the eth5-WAN down/up events continue to come, the port on the Mikrotik device is broken.

kai · Wed Jan 13, 2021 2:40 am

I'm on BT full fibre and also on the 152Mbps service.

However, I'm not using a HAP AC2, I'm using a RB1100AHx4.

My ONT is made by Nokia (G-010G-Q). I've had the service for a few months now and I've not noticed any random drops regularly. I think maybe it might've dropped out once in that time? Even then I think it was caused by a mains powercut rather than anything to do with the service.

So although I've nothing to add in technically, I hope it gives you a little insight anyway.

My pppoe client is set up like this:

/interface pppoe-client print
Flags: X - disabled, I - invalid, R - running 
 0  R name="pppoe-out1" max-mtu=auto max-mru=auto mrru=disabled 
      interface=ether13 user="bthomehub@btbroadband.com" password="bt" 
      profile=default keepalive-timeout=10 service-name="" ac-name="" 
      add-default-route=yes default-route-distance=1 dial-on-demand=no 
      use-peer-dns=no allow=pap,chap,mschap1,mschap2

usovalx5 · Thu Jan 14, 2021 2:26 am

Thanks for confirmation, though my ONT unit if from Huawei - HG8010H5-20.

I must admit things are getting stranger by the day -- even connecting via BT hub lan side (acting as a switch), it still drops connection periodically.
This basically leaves a problem either with ONT unit or PPPoE incompatibility.
Configuration-wise, my PPPoE config is exactly the same, just with empty password. Either way works.

Back in December I had to connect via BT Hub, and it didn't seem to drop judging by "connection time" in status page and the fact my external IP wasn't changing all that time.
Maybe it actually did drop connection, just doesn't report it in the status page?

I will try to plug it in via BT hub, and set up pinging external site to monitor if connection actually stays up all that time.

usovalx5 · Fri Jan 15, 2021 12:00 pm

It looks I have overlooked smoking gun when connecting via switch (and now via BT hut itself) - I'm still getting e5 ethernet connection flipping up and down randomly.

Jan 15 01:51:24 router.lan interface,info e1-trunk link down
Jan 15 01:51:24 router.lan interface,info e2-nas link down
Jan 15 04:19:46 router.lan interface,info e5-wan link down
Jan 15 04:19:47 router.lan interface,info e5-wan link up (speed 1G, full duplex)
Jan 15 08:36:02 router.lan interface,info e5-wan link down
Jan 15 08:36:03 router.lan interface,info e5-wan link up (speed 1G, full duplex)
Jan 15 09:08:25 router.lan interface,info e5-wan link down
Jan 15 09:08:26 router.lan interface,info e5-wan link up (speed 1G, full duplex)

Strangely, other active ethernet links (e1 and e2) also flipped down&up together at 1:51:24 (but e5 was still up), though this seems to be one-off event in the last two weeks (didn't try grepping logs any further).

I guess there is some physical issue with e5 ethernet link, will try to reconfigure the router and move WAN connection to another port.

usovalx5 · Mon Jan 18, 2021 2:57 am

Just to confirm - it seems the whole affair was caused by bad ethernet port on HAP AC2.
Moving pppoe wan connection onto another ethernet port things are running fine & stable for the last two days now.
What is curious, that problematic ethernet port periodically detects link-up, even though it's not connected anywhere :/

Thank you for helping to diagnose it.

Jan 15 17:54:21 router.lan interface,info e5-wan link up (speed 100M, full duplex)
Jan 15 17:54:22 router.lan interface,info e5-wan link down
Jan 16 00:03:59 router.lan interface,info e5-wan link up (speed 10M, half duplex)
Jan 16 00:04:00 router.lan interface,info e5-wan link down
Jan 16 06:20:15 router.lan interface,info e5-wan link up (speed 10M, half duplex)
Jan 16 06:20:16 router.lan interface,info e5-wan link down
Jan 17 12:46:31 router.lan interface,info e5-wan link up (speed 10M, half duplex)
Jan 17 12:46:32 router.lan interface,info e5-wan link down

usovalx5 · Thu Jan 28, 2021 3:01 pm

As a follow-up, after a week and a bit - it's running much more stably on another port, though I still seen two ethernet link flip-flops (after moving wan link to e4 on 19th)

Jan 25 07:44:58 router.lan interface,info e4-wan2 link down
Jan 25 07:44:59 router.lan interface,info e4-wan2 link up (speed 1G, full duplex)
Jan 28 12:27:32 router.lan interface,info e4-wan2 link down
Jan 28 12:27:33 router.lan interface,info e4-wan2 link up (speed 1G, full duplex)

What I'm wondering - is it possible to prevent pppoe from dropping conneciton when something like this happens?
E.g. if it didn't just drop the connection, it should be able to recover at the level of ppp, instead of going through minute-long process of trying to re-establish pppoe connection.

So what I was wondering -- if I were to create a bridge on top of wan connection, and then configure PPPoE interface to connect via the bridge, is this supported configuration?
Would this setup prevent PPPoE from dropping connection when ethernet link drops?

sindy · Thu Jan 28, 2021 5:26 pm

It sounds reasonable if the actual interruption is really brief so few enough PPP keepalives get lost.

Something is telling me that protocol-mode must be set to none at that auxiliary bridge, at least so that each outage on the Ethernet port wouldn't get automatically extended to 15 seconds or so until the RSTP decides is is safe to open the port for forwarding. Or maybe protocol-mode different from none even filters PPPoE frames, I hazily remember someone having an issue with that here.

usovalx5 · Fri Jan 29, 2021 2:54 pm

Thanks for advise.
Yes, those ethernet drops/reconnects are short, like 1 second each, so I guess ppp won't even notice.

Just tried to set it up, and was even able to move the cable between e4 & e5 without ppp noticing anything at all.
Will set up some monitoring and keep an eye on it.

usovalx5 · Fri Feb 05, 2021 12:32 pm

Just to confirm, configuring pppoe on top of the bridge did improve the behavior drastically, it stays up rock solid and I didn't see any disconnects in a week now.
Thanks for help.

PPPoE client drops with BT Full Fibre 100 [SOLVED]

PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100 [SOLVED]

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Re: PPPoE client drops with BT Full Fibre 100

Who is online