PPPoE client setup guide

bajzaadmin · Thu May 31, 2018 12:59 pm

Greetings Fellas!

My ISP is going to upgrade their service to optical. They'll setup a device that'll be bridgeing (no double-NAT) internet queries for my network soon.
I'll need to setup PPPoE on my WAN interface.

Currently, the interface I use for this ISP's service is configured as a DHCP client, and NAT is enabled.

I've found the following code on the MikroTik wiki, which seems fairly straightforward:

/interface pppoe-client 
  add name=pppoe-user-mike user=user password=passwd interface=wlan1 \
  service-name=internet disabled=no

My question is this:
Apart from setting up PPPoE client on my WAN interface, will I need to alter any other settings (namely the DHCP client)?
AFAIK, I won't get a static IP.

Thanks in advance!

Kind regards,
– IBR

CZFan · Thu May 31, 2018 2:04 pm

You will also need to amend firewall filter and nat rules to reference the new PPPoE WAN interface

bajzaadmin · Thu May 31, 2018 2:21 pm

You will also need to amend firewall filter and nat rules to reference the new PPPoE WAN interface

Hey There!

Topology wise. there is no panned change on the LAN.
The current WAN interface would stay the same (basically, a Cat6 cable that goes into the current modem will be plugged into a new device), so why do I need to alter NAT or filter rules?
Also, do I keep the DHCP client setup?

Thanks in advance!

mkx · Thu May 31, 2018 7:31 pm

Now your WAN interface is (assuming) ether1 and you're running DHCP client on it to receive your public IP address and default gateway (and DHCP server address and ...).
When you'll switch to fiber and PPPoE, your WAN interface will be pppoe-user-mike (or whatever you'll name it) and you will not run DHCP client as PPPoE connection procedure includes this functionality.
You will need to revise FW rules to change the name of your WAN interface ... or else your network could become completely exposed to the internet (if FW rules aee written in unlucky way - to put it mildly).

ether1 will become only interface to carry PPPoE traffiic and will not have any IP functionality. Well, this statement might not be entirely true, plain IP over ethernet could still be used over ether1 interface to have management access to the fibre2ethernet converting device.

bajzaadmin · Fri Jun 01, 2018 2:52 pm

Now your WAN interface is (assuming) ether1 and you're running DHCP client on it to receive your public IP address and default gateway (and DHCP server address and ...).
When you'll switch to fiber and PPPoE, your WAN interface will be pppoe-user-mike (or whatever you'll name it) and you will not run DHCP client as PPPoE connection procedure includes this functionality.
You will need to revise FW rules to change the name of your WAN interface ... or else your network could become completely exposed to the internet (if FW rules aee written in unlucky way - to put it mildly).

ether1 will become only interface to carry PPPoE traffiic and will not have any IP functionality. Well, this statement might not be entirely true, plain IP over ethernet could still be used over ether1 interface to have management access to the fibre2ethernet converting device.

Hey there and thanks for the reply!

The thing is, I won't have internet to check for help online when the change from the ISP happens. I configured this mikrotik routerOS device for the place I work at (an elementary school).
So, let me try to sum things up as I understand them now:
- I set the PPPoE client pseudo interface and apply it to my WAN interface (ether1 currently).
- I remove DHCP client configuration from that given interface.
- Currently my NAT rule is, as you have guessed configured on out interface WAN, so I change that to new pseudo PPPoE pseudo-interface name.
- Currently I do not have any firewall rules set. Security of the device is done through allowing access from LAN, and a given private IPv4 network only.

Does this sound right, or would you add anything to this checklist?

bajzaadmin · Fri Jun 08, 2018 11:57 am

*bump

Sorry guys, may I get a final nod on my last post, if I am correct or not?

Thanks in advance!

CZFan · Fri Jun 08, 2018 4:04 pm

Yes, you on the right track, BUT

"- Currently I do not have any firewall rules set. Security of the device is done through allowing access from LAN, and a given private IPv4 network only."

Security of the device should not just be from the LAN, but also from internet side, else you might be heading for a disaster

bajzaadmin · Wed Jun 20, 2018 12:23 pm

Yes, you on the right track, BUT

"- Currently I do not have any firewall rules set. Security of the device is done through allowing access from LAN, and a given private IPv4 network only."

Security of the device should not just be from the LAN, but also from internet side, else you might be heading for a disaster

Hey there matey!
Thanks for PPPoE heads up, and also:

What I've meant is, every outside login attempt is blocked basically.
/ip service
set telnet disabled=yes
set ftp address=LAN/Network
set www disabled=yes
set ssh address=LAN/Network
set api disabled=yes
set winbox address=LAN/Network
set api-ssl disabled=yes

Or do you have any suggestions I should build into mangle or filters? Currently they are empty.
I thought that firewalls block everything that is not directly allowed by default.

*Edit:
I've also added the following rules to the mix, because you've scared me a bit!

input chain:
1 accept established, related, untracked
2 drop invalid
3 drop * except LAN

Forward chain:
4 fasttrack
5 accept established, related, untracked
6 drop invalid
7 drop * from WAN interface list

PPPoE client setup guide [SOLVED]

PPPoE client setup guide

Re: PPPoE client setup guide

Re: PPPoE client setup guide

Re: PPPoE client setup guide

Re: PPPoE client setup guide

Re: PPPoE client setup guide

Re: PPPoE client setup guide [SOLVED]

Re: PPPoE client setup guide