Mike44
newbie
Topic Author
Posts: 27
Joined: Sun Aug 08, 2004 4:41 am

PPPoE and VLANs

Sun Aug 08, 2004 4:55 am

I am using a MikroTik Router 2.8 on a college campus. I want to separate traffic based on a VLAN per dormitory floor using switches and have students connect via PPPoE. The switch is a HP 4104gl.

Example: switch port a14 = ether2 (real) on the MikroTik, switch port a15 = client.
Setting both ports to untagged on the same VLAN: PPPoE works.
Setting either port or both to tagged: PPPoE breaks.

Is it possible to set up PPPoE on the MikroTik system and use a VLAN interface instead of a real interface for each service? Is it possible to tag VLAN traffic at the switch and get it to the MikroTik box for PPPoE access?

This is something I need to get figured out this weekend, so help is greatly appreciated!

Thanks,
Mike
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Sun Aug 08, 2004 12:54 pm

The tagged port should be set up only on the port RouterOS is connected to. Then the same VLAN ID should be set up on the router. If that setup is not working, I guess you should check whether your NIC supports VLANs.
 
SA
just joined
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Sun Aug 08, 2004 7:23 pm

Yes, it is possible. I have about 50 VLAN interfaces and many of them have PPPoE servers attached. Everything is ok :D
 
Mike44
newbie
Topic Author
Posts: 27
Joined: Sun Aug 08, 2004 4:41 am

Mon Aug 09, 2004 12:30 am

How are you doing your VLAN tagging on your switches? Like I said in my post, I can only get PPPoE queries to work when both the server port and the client port are untagged, but I would like to have client ports tagged on different VLANs and keep just the one server NIC, which means only one switch port, either tagged or untagged. Untagged can only be on one VLAN; you can't have more than one VLAN untagged...

My solution now is just to use a different real interface for each building (4 total) and untag each interface on its own VLAN, 1 for each building, then have each client untagged on that VLAN on its own switch... I feel like this is a more complex solution than it needs to be...
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Mon Aug 09, 2004 2:25 am

"but I would like to have client ports tagged on different vlans"

This one wish is impossible (and unneeded, too) if I understood you correctly. Tagged ports are the ports to which you connect computers or other network infrastructure that is aware of VLANs (and no Windows computer is even supposed to support VLANs; that is not a missing feature, as VLANs should only be supported on routers and switches). It might be true that many switches allow only one VLAN to be untagged on any particular port, as there is no need for two untagged VLANs on one wire.

Imagine the VLAN tag as a 4-byte add-on to the generic Ethernet packet. That tag marks each packet as belonging to a particular VLAN, but as a tagged packet is not a standard Ethernet frame, no computer can understand it; that is why you need to untag a VLAN in order for standard computers to understand it. A switch may be set up to group a number of ports into one VLAN; it is like dividing the switch into smaller (dynamic) parts, virtual switches. Each of those virtual switches has untagged ports to which the clients are connected. Now, remember that we separated the networks from each other, so the whole idea would be lost if we then put all these VLANs (untagged) onto one wire to connect to the router. To eliminate the need for a separate NIC on the router for each of your VLANs, the tagging mechanism was introduced. It marks each packet with a 4-byte mark that says which VLAN it belongs to. That kind of port would be called "tagged", and would be connected to the kind of equipment that supports tagging. Another note: tagged Ethernet packets exceed the standard Ethernet frame size, and some NICs (mostly older ones) just cannot handle that oversized frame, so if you have trouble with a tagged port, check whether your NIC supports IEEE 802.1Q VLAN tagging.

Anyway, the correct solution is to have the client ports untagged (don't they already have PPPoE to separate them?) and a tagged port (carrying many VLANs) on the server side.
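Putting lastguru's recommendation into a concrete configuration, as an added example that is not part of this thread and not a MikroTik-supplied script: ether2 on the router becomes the single tagged (trunk) port, one RouterOS VLAN interface is created per dormitory floor, and a PPPoE server is bound to each VLAN interface instead of to the physical NIC. The interface names, VLAN IDs, address ranges, account names and the two floors are assumptions for illustration. The command syntax is that of current RouterOS; the RouterOS 2.8 in the thread is much older and some parameter names may differ there, so check them against the version's own help.

```routeros
# Added example, not from the thread. Assumed names/IDs: ether2 is the router
# port cabled to switch port a14; VLAN 101 = floor 1, VLAN 102 = floor 2.

# One VLAN sub-interface per floor on the single physical NIC.
/interface vlan
add name=vlan101-floor1 vlan-id=101 interface=ether2
add name=vlan102-floor2 vlan-id=102 interface=ether2

# Address pool and PPP profile per floor. PPPoE hands each client a
# point-to-point /32, so the pool only has to be large enough for the floor.
/ip pool
add name=pool-floor1 ranges=10.101.0.10-10.101.0.250
add name=pool-floor2 ranges=10.102.0.10-10.102.0.250

/ppp profile
add name=prof-floor1 local-address=10.101.0.1 remote-address=pool-floor1
add name=prof-floor2 local-address=10.102.0.1 remote-address=pool-floor2

# PPPoE server bound to the VLAN interface, not to ether2. PADI/PADO discovery
# then happens inside the tagged frames of that VLAN only, so a floor-1 client
# never sees the floor-2 service. max-mtu/max-mru are kept at 1480 so that the
# 8-byte PPPoE/PPP header plus the 4-byte 802.1Q tag still fit in a frame a NIC
# without oversized-frame support can handle (the NIC caveat above).
# one-session-per-host stops a single MAC from holding several sessions.
/interface pppoe-server server
add service-name=floor1 interface=vlan101-floor1 default-profile=prof-floor1 \
    one-session-per-host=yes max-mtu=1480 max-mru=1480 disabled=no
add service-name=floor2 interface=vlan102-floor2 default-profile=prof-floor2 \
    one-session-per-host=yes max-mtu=1480 max-mru=1480 disabled=no

# Constructed example accounts; each is pinned to its floor's profile, so a
# student's credentials only work on the floor VLAN whose server uses it.
/ppp secret
add name=student-a password=change-me service=pppoe profile=prof-floor1
add name=student-b password=change-me service=pppoe profile=prof-floor2
```

On the HP 4104gl side the matching configuration is: every floor port untagged in its own floor VLAN, and a14 tagged in all of the floor VLANs (from memory of the ProCurve CLI this is `vlan 101`, then `untagged a15` and `tagged a14`; confirm against the switch manual). Once a client connects, `/ppp active print` lists the session together with the /32 it received and the VLAN-bound server it landed on, which is the quickest check that discovery is running inside the right VLAN.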
 
Mike44
newbie
Topic Author
Posts: 27
Joined: Sun Aug 08, 2004 4:41 am

Mon Aug 09, 2004 3:11 am

Thanks, that makes more sense now.

PPPoE is working, but I need to clarify something: each client gets an IP and a subnet mask of 255.255.255.255, which basically means a subnet of 1 host. In this kind of setup, when a virus like Blaster (Nachi) or Welchia infects a client machine and starts to scan the subnet, it can only scan the 1 host that is on that subnet, yes? So basically, having clients on PPPoE with a subnet mask of 255.255.255.255 helps keep viruses like Blaster from infecting other clients on the network? If that's the case, then I'm good to go and can move on to fixing some other stuff.


Thanks for your help,
Mike
 
SA
just joined
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Mon Aug 09, 2004 10:26 am

No, viruses usually scan the whole Internet :lol:

Intel has Windows drivers with VLAN support for their cards, so you CAN connect a Windows box to a tagged port :D
 
Mike44
newbie
Topic Author
Posts: 27
Joined: Sun Aug 08, 2004 4:41 am

Mon Aug 09, 2004 4:38 pm

I know there are no viruses that scan the whole Internet; I just want to make sure I'm understanding how PPPoE works, that each client goes on its own subnet of 255.255.255.255, and that in order to scan other computers the client traffic would have to go through the MikroTik router (where I can stop virus scans by blocking ports, e.g. 4444)...
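Mike's last point is the one that matters for containment: inside the PPPoE session each client sits on a point-to-point /32, so any packet it sends to another client is routed by the MikroTik and passes the router's forward chain, which is where it can be filtered and logged. Two caveats a practitioner would want: blocking TCP 4444 only catches Blaster's backdoor shell, not the TCP 135 RPC exploit it spreads with, so filter both; and the raw Ethernet of a floor VLAN is still shared, so whatever a client sends from its physical NIC's own address outside the PPPoE session (e.g. an autoconfigured 169.254.x.x) never reaches the router at all, and the filter governs only what travels through the PPP sessions. As an added example, not from the thread and not a MikroTik-supplied script, the following drops and logs those ports between PPPoE clients. It uses current RouterOS firewall syntax (RouterOS 2.8 had a different `/ip firewall rule` syntax); the pool ranges, list name, log prefix and rate-limit values are assumptions.

```routeros
# Added example, not from the thread. Assumed pools: 10.101.0.0/24 (floor 1)
# and 10.102.0.0/24 (floor 2), i.e. the address ranges handed out over PPPoE.

# Address list covering every PPPoE pool, so one rule covers all floors.
/ip firewall address-list
add list=pppoe-pools address=10.101.0.0/24 comment="floor 1 PPPoE pool"
add list=pppoe-pools address=10.102.0.0/24 comment="floor 2 PPPoE pool"

/ip firewall filter
# Client-to-client traffic between PPPoE sessions is routed, so it hits the
# forward chain. Log first (rate-limited so a scanning host cannot flood the
# log), then drop. TCP 135 is the DCOM RPC port Blaster exploits; TCP 4444 is
# the shell it opens on a freshly infected host.
add chain=forward protocol=tcp dst-port=135,4444 \
    src-address-list=pppoe-pools dst-address-list=pppoe-pools \
    action=log log-prefix="worm-scan" limit=5,10
add chain=forward protocol=tcp dst-port=135,4444 \
    src-address-list=pppoe-pools dst-address-list=pppoe-pools action=drop

# Also refuse the same ports from clients toward anything else, so an infected
# dorm machine cannot attack off-campus hosts through the router.
add chain=forward protocol=tcp dst-port=135,4444 \
    src-address-list=pppoe-pools action=drop
```

Watching `/log print` for the `worm-scan` prefix gives the PPPoE source address of a scanning machine, and `/ppp active print` maps that address back to the account name and session so the student can be found without walking the floor. Because each PPPoE client is a /32, a worm that enumerates its "local subnet" finds only itself; the rules above are what stops the same worm when it picks addresses beyond that subnet.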