Difference between revisions of "Manual:Interface/PPPoE"

From MikroTik Wiki
Jump to: navigation, search
m (PPPoE Client: dead link)
 
(37 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 +
{{Versions|v3, v4}}
 +
 
==Summary==
 
==Summary==
 
The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The difference between them is expressed in transport method: PPPoE employs Ethernet instead of serial modem connection.
 
The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The difference between them is expressed in transport method: PPPoE employs Ethernet instead of serial modem connection.
  
Generally speaking, PPPoE is used to hand out IP addresses to clients based on the username (and workstation, if desired) authentication as opposed to workstation only authentication, when static IP addresses or DHCP are used. It is adviced not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons.
+
Generally speaking, PPPoE is used to hand out IP addresses to clients based on authentication by username (and also if required, by workstation) as opposed to workstation only authentication where static IP addresses or DHCP are used. It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons.
  
MikroTik RouterOS can act as a RADIUS client - you can use a RADIUS server to authenticate PPPoE clients and use accounting for them.
+
The PPPoE client and server work over any Layer2 Ethernet level interface on the router - wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP tunnel).
  
A PPPoE connection is composed of a client and an access concentrator (server). The client may be any computer that has the PPPoE client protocol support installed. MikroTik RouterOS supports both - client and access concentrator sides of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router - wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP tunnel). MPPE 40bit RSA and MPPE 128bit RSA encryption is supported.
+
=== Feature list ===
 +
 
 +
* PPPoE server and client support;
 +
* Multilink PPP (MLPPP);
 +
* MLPPP over single link (ability to transmit full-sized frames);
 +
* BCP (Bridge Control Protocol) support - allows sending of raw Ethernet frames over PPP links;
 +
* MPPE 128bit RSA encryption;
 +
* pap, chap, mschap v1/v2 authentication;
 +
* RADIUS support for client authentication and accounting.
  
Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500 and larger packets) and bridging over PPP links (using Bridge Control Protocol (BCP) that allows to send raw Ethernet frames over PPP links). This way it is possible to setup bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.
 
  
 
Note that when RADIUS server is authenticating a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the RADIUS protocol does not use shared secret, it is used only in authentication reply. So if you have a wrong shared secret, RADIUS server will accept the request. You can use /radius monitor command to see bad-replies parameter. This value should increase whenever a client tries to connect.
 
Note that when RADIUS server is authenticating a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the RADIUS protocol does not use shared secret, it is used only in authentication reply. So if you have a wrong shared secret, RADIUS server will accept the request. You can use /radius monitor command to see bad-replies parameter. This value should increase whenever a client tries to connect.
  
Supported connections
+
Supported connections:
 +
*MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
 +
*MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers)
 +
 
 +
===Specifications===
 +
 
 +
*Packages required: ppp
 +
*License required: Level1 (limited to 1 interface) , Level3 (limited to 200 interfaces) , Level4 (limited to 200 interfaces) , Level5 (limited to 500 interfaces) , Level6 (unlimited)
 +
*Submenu level: /interface pppoe-server, /interface pppoe-client
 +
*Standards and Technologies: PPPoE (RFC 2516)
 +
*Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of 65535 connections is supported.
 +
 
 +
==Quick Setup Guide==
  
*MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
+
To configure MikroTik RouterOS to be a PPPoE client, just add a pppoe-client:
*MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are avaliable for almost all operating systems and most routers)
+
<pre>
 +
/interface pppoe-client
 +
  add name=pppoe-user-mike user=user password=passwd interface=wlan1 \
 +
  service-name=internet disabled=no
 +
</pre>
  
==PPPoE Operation==
+
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):
 +
*add an address pool for the clients from 10.1.1.62 to 10.1.1.72;
 +
*add ppp profile;
 +
*add ppp secret (username/password);
 +
*add pppoe server itself.
  
PPPoE has two stages:
+
<pre>
* Discovery
+
/ip pool
* Session
+
add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72
  
=== Discovery ===
+
/ppp profile
 +
add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool
  
The PPPoE discovery stage has four steps: initialization, offer, request and session confirmation:
+
/ppp secret
 +
add name=user password=passwd service=pppoe profile=pppoe-profile
  
1) PPPoE Active Discovery Initialization (PADI) <br />
+
/interface pppoe-server server
The PPPoE client sends out a PADI packet to the broadcast address. This packet can also populate the "service-name" field if a service name has been entered on the dial-up networking properties of the PPPoE broadband connectoid. If a service name has not been entered, this field is not populated.<br />
+
add service-name=internet interface=wlan1 default-profile=pppoe-profile disabled=no
2) PPPoE Active Discovery Offer (PADO)  <br />
+
</pre>
The PPPoE server, or Access Concentrator, should respond to the PADI with a PADO if the Access Concentrator is able to service the "service-name" field that had been listed in the PADI packet. If no "service-name" field had been listed, the Access Concentrator will respond with a PADO packet that has the "service-name" field populated with the service names that the Access Concentrator can service. The PADO packet is sent to the unicast address of the PPPoE client.<br />
 
3) PPPoE Active Discovery Request (PADR) <br />
 
When a PADO packet is received, the PPPoE client responds with a PADR packet. This packet is sent to the unicast address of the Access Concentrator. The client may receive multiple PADO packets, but the client responds to the first valid PADO that the client received. If the initial PADI packet had a blank "service-name" field filed, the client populates the "service-name" field of the PADR packet with the first service name that had been returned in the PADO packet.<br />
 
4) PPPoE Active Discovery Session confirmation (PADS) <br />
 
When the PADR is received, the Access Concentrator generates a unique session identification (ID) for the Point-to-Point Protocol (PPP) session and returns this ID to the PPPoE client in the PADS packet. This packet is sent to the unicast address of the client.
 
<br />
 
  
=== Session ===
+
== PPPoE Operation ==
  
 +
=== Stages ===
 +
PPPoE has two stages:
 +
* <b>Discovery stage</b> - a client discovers all available access concentrators and selects one of them to establish PPPoE session.This stage has four steps: <i>initialization, offer, request and session confirmation </i>. PPPoE Discovery uses special Ethernet frames with their own Ethernet frame type <b>0x8863</b>.
  
 +
[[Image:pppoe-discovery.png]]
  
==PPPoE Client==
+
To initiate discovery, PPPoE client sends <b>PADI</b> frame to the broadcast Ethernet address (FF:FF:FF:FF:FF:FF) and optionally may specify a <i>service name</i>.
  
===Quick Setup Guide===
+
When server receives <b>PADI</b> frame, it responds with <b>PADO</b> frame to Client's unicast Ethernet address. There can be more than one server in broadcast range of the client. In such case client collects PADO frames and picks one (in most cases it picks the server which responds first) to start session.
  
To configure MikroTik RouterOS to be a PPPoE client
+
Client sends <b>PADR</b> frame to unicast Ethernet address of the server it chose. If server agrees to set up a session with this particular client, it allocates resources to set up PPP session and assigns <i>Session ID</i> number. This number is sent back to client in <b>PADS</b> frame. When client receives PADS frame, it knows servers mac address and <i>Session ID</i>, it allocates resources and session can begin.
  
Just add a pppoe-client:
+
* <b>Session</b> - When discovery stage is completed, both peers know <i>PPPoE Session ID</i> and other peer's <i>Etehrnet (MAC) address</i> which together defines PPPoE session. PPP frames are encapsulated in PPPoE session frames, which have Ethernet frame type <b>0x8864</b>. <br /> When server sends confirmation and client receives it, PPP Session stage is started that consists of following steps:
 +
** <b>LCP negotiation</b>
 +
** <b>Authentication</b>
 +
** <b>IPCP negotiation</b> - where client is assigned an IP address.
  
<pre>/interface pppoe-client add name=pppoe-user-mike user=user password=passwd interface=wlan1 service-name=internet disabled=no</pre>
 
  
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server)
+
PPPoE server sends Echo-Request packets to the client to determine the state of the session, otherwise server will not be able to determine that session is terminated in cases when client terminates session without sending Terminate-Request packet.
  
Add an address pool for the clients from 10.1.1.62 to 10.1.1.72, called pppoe-pool:
+
More detailed description of PPPoE protocol can be found in RFC 2516
  
<pre>/ip pool add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72</pre>
+
=== Used Packet Types ===
  
Add PPP profile, called pppoe-profile where local-address will be the router's address and clients will have an address from pppoe-pool:
+
<table class="styled_table">
 +
<tr>
 +
  <th width="20%">Packet</th>
 +
  <th >Description</th>
 +
</tr>
 +
<tr>
 +
    <td><var><b>PADI</b></var> </td>
 +
    <td> <b>PPPoE Active Discovery Initialization</b><br /> The PPPoE client sends out a PADI packet to the broadcast address. This packet can also populate the "service-name" field if a service name has been entered in the dial-up networking properties of the PPPoE client. If a service name has not been entered, this field is not populated</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>PADO</b></var> </td>
 +
    <td> <b>PPPoE Active Discovery Offer</b><br />
 +
The PPPoE server, or Access Concentrator, should respond to the PADI with a PADO if the Access Concentrator is able to service the "service-name" field that had been listed in the PADI packet. If no "service-name" field had been listed, the Access Concentrator will respond with a PADO packet that has the "service-name" field populated with the service names that the Access Concentrator can service. The PADO packet is sent to the unicast address of the PPPoE client</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>PADR</b></var> </td>
 +
    <td> <b>PPPoE Active Discovery Request</b><br />
 +
When a PADO packet is received, the PPPoE client responds with a PADR packet. This packet is sent to the unicast address of the Access Concentrator. The client may receive multiple PADO packets, but the client responds to the first valid PADO that the client received. If the initial PADI packet had a blank "service-name" field filed, the client populates the "service-name" field of the PADR packet with the first service name that had been returned in the PADO packet.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>PADS</b></var> </td>
 +
    <td> <b>PPPoE Active Discovery Session confirmation</b><br />
 +
When the PADR is received, the Access Concentrator generates a unique session identification (ID) for the Point-to-Point Protocol (PPP) session and returns this ID to the PPPoE client in the PADS packet. This packet is sent to the unicast address of the client.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>PADT</b></var> </td>
 +
    <td> <b>PPPoE Active Discovery Terminate</b><br />
 +
can be sent anytime after a session is established to indicate that a PPPoE session terminated. It can be sent by either server or client.</td>
 +
</tr>
 +
</table>
 +
<br />
  
<pre>/ppp profile add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool</pre>
+
== MTU ==
Add a user with username mike and password 123:
 
  
<pre>/ppp secret add name=user password=passwd service=pppoe profile=pppoe-profile</pre>
+
Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492.
Now add a pppoe server:
 
  
<pre>/interface pppoe-server server add service-name=internet interface=wlan1 default-profile=pppoe-profile</pre>
+
TCP stacks try to avoid fragmentation, so they use an MSS (Maximum Segment Size). By default MSS is chosen as MTU of the outgoing interface minus the usual size of the TCP and IP headers (40 bytes), which results in 1460 bytes for an Ethernet interface. Unfortunately there may be intermediate links with lower MTU which will cause fragmentation. In such case TCP stack performs path MTU discovery. Routers which cannot forward the datagram without fragmentation are supposed to drop packet and send ICMP-Fragmentation-Required to originating host. When host receives such ICMP packet, it tries to lower the MTU.
 +
This should work in the ideal world, however in the real world many routers do not generate fragmentation-required datagrams, also many firewalls drop all ICMP datagrams.
  
====Specifications====
+
The workaround for this problem is to adjust MSS if it is too big. By default RouterOS adds mangle rules to intercept TCP SYN packets and silently adjust any advertised MSS option so they will be appropriate for the PPPoE link.
  
*Packages required: ppp
+
Additional information on maximum supported MTUs for RouterBoards are listed [[ Maximum_Transmission_Unit_on_RouterBoards | here]].
*License required: Level1 (limited to 1 interface) , Level3 (limited to 200 interfaces) , Level4 (limited to 200 interfaces) , Level5 (limited to 500 interfaces) , Level6 (unlimited)
 
*Submenu level: /interface pppoe-server, /interface pppoe-client
 
*Standards and Technologies: PPPoE (RFC 2516)
 
*Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of 65535 connections is supported.
 
  
====Additional Resources====
+
== PPPoE Client ==
 +
<p id="shbox"><b>Sub-menu:</b> <code>/interface pppoe-client</code></p>
  
Links for PPPoE documentation:
 
  
* http://www.faqs.org/rfcs/rfc2516.html
+
=== Properties ===
 +
<table class="styled_table">
 +
<tr>
 +
  <th width="40%">Property</th>
 +
  <th >Description</th>
 +
</tr>
 +
<tr>
 +
    <td><var><b>ac-name</b></var> (<em>string</em>; Default: <b>""</b>)</td>
 +
    <td>Access Concentrator name, this may be left blank and the client will connect to any access concentrator on the broadcast domain</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>add-default-route</b></var> (<em>yes|no</em>; Default: <b>no</b>)</td>
 +
    <td>Enable/Disable whether to add default route automatically</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>allow</b></var> (<em>mschap2|mschap1|chap|pap</em>; Default: <b>mschap2,mschap1,chap,pap</b>)</td>
 +
    <td>allowed authentication methods, by default all methods are allowed</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>default-route-distance</b></var> (<em>byte [0..255]</em>; Default:<b>1</b>)</td>
 +
    <td>sets distance value applied to auto created default route, if <var>add-default-route</var> is also selected</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>dial-on-demand</b></var> (<em>yes|no</em>; Default: <b>no</b>)</td>
 +
    <td>connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established. </td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>interface</b></var> (<em>string</em>; Default: <b></b>)</td>
 +
    <td>interface name on which client will run</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>keepalive-timeout</b></var> (<em>integer</em>; Default:<b>60</b>)</td>
 +
    <td>Sets keepalive timeout in seconds.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>max-mru</b></var> (<em>integer</em>; Default: <b>1460</b>)</td>
 +
    <td>Maximum Receive Unit</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>max-mtu</b></var> (<em>integer</em>; Default: <b>1460</b>)</td>
 +
    <td>Maximum Transmission Unit</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>mrru</b></var> (<em>integer: 512..65535|disabled</em>; Default: <b>disabled</b>)</td>
 +
    <td>maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. <code>[[Manual:MLPPP_over_single_and_multiple_links | Read more >>]]</code></td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>name</b></var> (<em>string</em>; Default: <b>pppoe-out[i]</b>)</td>
 +
    <td>name of the PPPoE interface, generated by RouterOS if not specified</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>password</b></var> (<em>string</em>; Default: <b></b>)</td>
 +
    <td>password used to authenticate</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>profile</b></var> (<em>string</em>; Default: <b>default</b>)</td>
 +
    <td>default profile for the connection defined in [[PPP_AAA#User_Profiles | /ppp profiles]]</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>service-name</b></var> (<em>string</em>; Default: <b>""</b>)</td>
 +
    <td>specifies the service name set on the access concentrator, can be left blank to connect to any PPPoE server</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>use-peer-dns</b></var> (<em>yes|no</em>; Default: <b>no</b>)</td>
 +
    <td>enable/disable getting DNS settings from the peer</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>user</b></var> (<em>string</em>; Default: <b>""</b>)</td>
 +
    <td>username used for authentication</td>
 +
</tr>
 +
</table>
  
PPPoE Clients:
+
===Status===
  
* [http://www.raspppoe.com/ RASPPPoE ]for Windows 95, 98, 98SE, ME, NT4, 2000, XP, .NET
+
Command <code>/interface pppoe-client monitor</code> will display current PPPoE status.<br />
  
 +
Available read only properties:
 +
<table class="styled_table">
 +
<tr>
 +
  <th width="40%">Property</th>
 +
  <th >Description</th>
 +
</tr>
 +
<tr>
 +
    <td><var><b>ac-mac</b></var> (<em>MAC address</em>)</td>
 +
    <td> MAC address of the access concentrator (AC) the client is connected to</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>ac-name</b></var> (<em>string</em>)</td>
 +
    <td> name of the Access Concentrator</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>active-links</b></var> (<em>integer</em>)</td>
 +
    <td>Number of bonded MLPPP connections, ('1' if not using MLPPP)</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>encoding</b></var> (<em>string</em>)</td>
 +
    <td> encryption and encoding (if asymmetric, separated with '/') being used in this connection</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>local-address</b></var> (<em>IP Address</em>)</td>
 +
    <td>IP Address allocated to client</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>remote-address</b></var> (<em>IP Address</em>)</td>
 +
    <td>Remote IP Address allocated to server (ie gateway address)</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>mru</b></var> (<em>integer</em>)</td>
 +
    <td> effective MRU of the link</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>mtu</b></var> (<em>integer</em>)</td>
 +
    <td> effective MTU of the link</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>service-name</b></var> (<em>string</em>)</td>
 +
    <td>used service name</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>status</b></var> (<em>string</em>)</td>
 +
    <td>current link status. Available values are:
 +
<ul class="bullets">
 +
<li>dialing,
 +
<li>verifying password...,
 +
<li>connected,
 +
<li>disconnected.
 +
</ul>
 +
</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>uptime</b></var> (<em>time</em>)</td>
 +
    <td>connection time displayed in days, hours, minutes and seconds</td>
 +
</tr>
 +
</table>
  
===PPPoE Client Setup===
+
=== Scanner ===
  
'''Submenu level: /interface pppoe-client'''
+
Starting from v3.21 RouterOS has new tool - PPPoE Scanner. It allows you to scan all active PPPoE servers in broadcast domain.
 +
Command to run scanner is as follows <code>/interface pppoe-client scan <interface></code> <br />
  
====Property Description====
+
Available read only properties:
 +
<table class="styled_table">
 +
<tr>
 +
  <th width="40%">Property</th>
 +
  <th >Description</th>
 +
</tr>
 +
<tr>
 +
    <td><var><b>service</b></var> (<em>string</em>)</td>
 +
    <td>Service name configured on server</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>mac-address</b></var> (<em>MAC</em>)</td>
 +
    <td>Mac address of detected server</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>ac-name</b></var> (<em>string</em>)</td>
 +
    <td>name of the Access Concentrator</td>
 +
</tr>
 +
</table>
  
*ac-name (text; default: "") - this may be left blank and the client will connect to any access concentrator that offers the "service" name selected
 
*add-default-route (yes | no; default: no) - whether to add a default route automatically
 
*allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
 
*dial-on-demand (yes | no; default: no) - connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle-timeout value
 
*interface (name) - interface the PPPoE server can be reached through
 
*max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
 
*max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
 
*mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel
 
*disabled - disable MRRU on this link
 
*name (name; default: pppoe-out1) - name of the PPPoE interface
 
*password (text; default: "") - a user password used to connect the PPPoE server
 
*profile (name) - default profile for the connection
 
*service-name (text; default: "") - specifies the service name set on the access concentrator. Leave it blank unless you have many *services and need to specify the one you need to connect to
 
*use-peer-dns (yes | no; default: no) - whether to set the router's default DNS to the PPP peer DNS (i.e. whether to get DNS settings from the peer)
 
*user (text; default: "") - a user name that is present on the PPPoE server
 
  
====Notes====
+
=== Notes ===
  
 
Note for Windows. Some connection instructions may use the form where the "phone number", such as "MikroTik_AC\mt1", is specified to indicate that "MikroTik_AC" is the access concentrator name and "mt1" is the service name.
 
Note for Windows. Some connection instructions may use the form where the "phone number", such as "MikroTik_AC\mt1", is specified to indicate that "MikroTik_AC" is the access concentrator name and "mt1" is the service name.
  
Specifying MRRU means enabling MP (Multilink PPP) over single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tag, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is usefull to overcome PathMTU discovery failures. The MP should be enabled on both peers.
+
Specifying MRRU means enabling MP (Multilink PPP) over single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tab, Settings button, "Negotiate multi-link for single link connections". MRRU is hardcoded to 1614 on Windows. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.
  
====Example====
+
=== Example ===
  
To add and enable PPPoE client on the ether1 interface connecting to the AC that provides testSN service using user name user with the password passwd:
+
To add and enable PPPoE client on the ether1 interface connecting to the AC that provides 'testSN' service using user name user with the password 'passwd':
  
 
<pre>
 
<pre>
[admin@RemoteOffice] interface pppoe-client> add interface=ether1 service-name=testSN user=user password=passwd disabled=no
+
[admin@RemoteOffice] interface pppoe-client> add interface=ether1 service-name=testSN user=user  
 +
password=passwd disabled=no
 
[admin@RemoteOffice] interface pppoe-client> print
 
[admin@RemoteOffice] interface pppoe-client> print
 
Flags: X - disabled, R - running
 
Flags: X - disabled, R - running
Line 126: Line 315:
 
       ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no
 
       ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no
 
       allow=pap,chap,mschap1,mschap2
 
       allow=pap,chap,mschap1,mschap2
[admin@RemoteOffice] interface pppoe-client>
 
</pre>
 
     
 
===Monitoring PPPoE Client===
 
 
'''Command name: /interface pppoe-client monitor'''
 
 
====Property Description====
 
 
*ac-mac (MAC address) - MAC address of the access concentrator (AC) the client is connected to
 
*ac-name (text) - name of the AC the client is connected to
 
*encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
 
*mru (read-only: integer) - effective MRU of the link
 
*mtu (read-only: integer) - effective MTU of the link
 
*service-name (text) - name of the service the client is connected to
 
*status (text) - status of the client
 
*dialing - attempting to make a connection
 
*verifying password... - connection has been established to the server, password verification in progress
 
*connected - self-explanatory
 
*terminated - interface is not enabled or the other side will not establish a connection
 
*uptime (time) - connection time displayed in days, hours, minutes and seconds
 
 
====Example====
 
 
To monitor the pppoe-out1 connection:
 
  
 
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1
 
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1
Line 162: Line 326:
 
           mtu: 1480
 
           mtu: 1480
 
           mru: 1480
 
           mru: 1480
 +
</pre>
  
[admin@MikroTik] interface pppoe-client>
+
== PPPoE Server Setup (Access Concentrator) ==
PPPoE Server Setup (Access Concentrator)
 
  
Submenu level: /interface pppoe-server server
+
<p id="shbox"><b>Sub-menu:</b> <code>/interface pppoe-server server</code></p>
Description
 
  
 
The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.
 
The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.
Line 173: Line 336:
 
The access concentrator name and PPPoE service name are used by clients to identity the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
 
The access concentrator name and PPPoE service name are used by clients to identity the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
  
Note that if no service name is specified in WindowsXP, it will use only service with no name. So if you want to serve WindowsXP clients, leave your service name empty.
+
Note that if no service name is specified in WindowsXP, it will only use a service with no name! So if you want to serve WindowsXP clients, leave your service name empty.
  
====Property Description====
 
  
*authentication (multiple choice: mschap2 | mschap1 | chap | pap; default: mschap2, mschap1, chap, pap) - authentication algorithm
+
=== Properties ===
*default-profile (name; default: default) - default user profile to use
 
*interface (name) - interface, which the clients are connected to
 
*keepalive-timeout (time; default: 10) - defines the time period (in seconds) after which the router is starting to send keepalive *packets every second. If no traffic and no keepalive responses has came for that period of time (i.e. 2 * keepalive-timeout), not *responding client is proclaimed disconnected.
 
*max-mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over *decreased by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
 
*max-mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
 
*max-sessions (integer; default: 0) - maximum number of clients that the AC can serve
 
0 - unlimited
 
*mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel
 
*disabled - disable MRRU on this link
 
*one-session-per-host (yes | no; default: no) - allow only one session per host (determined by MAC address). If a host will try to establish a new session, the old one will be closed
 
*service-name (text) - the PPPoE service name
 
  
====Notes===
+
<table class="styled_table">
 +
<tr>
 +
  <th width="40%">Property</th>
 +
  <th >Description</th>
 +
</tr>
 +
<tr>
 +
    <td><var><b>authentication</b></var> (<em> mschap2 | mschap1 | chap | pap</em>; Default: <b>"mschap2, mschap1, chap, pap"</b>)</td>
 +
    <td>Authentication algorithm</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>default-profile</b></var> (<em>string</em>; Default: <b>"default"</b>)</td>
 +
    <td>Default [[PPP_AAA#User_Profiles | user profile]] to use</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>interface</b></var> (<em>string</em>; Default: <b>""</b>)</td>
 +
    <td>Interface that the clients are connected to</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>keepalive-timeout</b></var> (<em>time</em>; Default: <b>"10"</b>)</td>
 +
    <td>Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If there is no traffic and no keepalive responses arrive for that period of time (i.e. 2 * keepalive-timeout), the non responding client is proclaimed disconnected.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>max-mru</b></var> (<em>integer</em>; Default: <b>"1480"</b>)</td>
 +
    <td>Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>max-mtu</b></var> (<em>integer</em>; Default: <b>"1480"</b>)</td>
 +
    <td>Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>max-sessions</b></var> (<em>integer</em>; Default: <b>"0"</b>)</td>
 +
    <td>Maximum number of clients that the AC can serve. '0' = no limitations.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>mrru</b></var> (<em>integer: 512..65535 | disabled</em>; Default: <b>"disabled"</b>)</td>
 +
    <td>Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. <code>[[Manual:MLPPP_over_single_and_multiple_links | Read more >>]]</code></td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>one-session-per-host</b></var> (<em>yes | no</em>; Default: <b>"no"</b>)</td>
 +
    <td>Allow only one session per host (determined by MAC address). If a host tries to establish a new session, the old one will be closed.</td>
 +
</tr>
 +
<tr>
 +
    <td><var><b>service-name</b></var> (<em>string</em>; Default: <b>""</b>)</td>
 +
    <td>The PPPoE service name. Server will accept clients which sends PADI message with service-names that matches this setting or if service-name field in PADI message is not set.</td>
 +
</tr>
 +
</table>
  
The default keepalive-timeout value of 10 is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used.
+
==== Notes ====
  
Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.
+
The default keepalive-timeout value of 10s is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used.
  
Specifying MRRU means enabling MP (Multilink PPP) over single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tag, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is usefull to overcome PathMTU discovery failures. The MP should be enabled on both peers.
+
{{Note|Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.}}
  
====Example====
+
Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tag, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.
 +
 
 +
==== Example ====
  
To add PPPoE server on ether1 interface providing ex service and allowing only one connection per host:
+
To add PPPoE server on ether1 interface provided with a service-name of "ex" and allowing only one connection per host:
  
 
<pre>
 
<pre>
[admin@MikroTik] interface pppoe-server server> add interface=ether1 service-name=ex one-session-per-host=yes
+
[admin@MikroTik] interface pppoe-server server> add interface=ether1 service-name=ex  
 +
  one-session-per-host=yes
 
[admin@MikroTik] interface pppoe-server server> print
 
[admin@MikroTik] interface pppoe-server server> print
 
Flags: X - disabled
 
Flags: X - disabled
Line 212: Line 411:
 
</pre>
 
</pre>
  
==PPPoE Server==
+
== PPPoE Server ==
  
'''Submenu level: /interface pppoe-server'''
+
<p id="shbox"><b>Sub-menu:</b> <code>/interface pppoe-server </code></p>
  
There are two types of interface (tunnel) items in PPTP server configuration - static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user. Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration. Note that in both cases PPP users must be configured properly - static entries do not replace PPP configuration.
+
There are two types of interface (tunnel) items in PPPoE server configuration - static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user. Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name - set <var>one-session-per-host</var> value if this is a problem). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration. Note that in both cases PPP users must be configured properly - static entries do not replace PPP configuration.
  
====Property Description====
+
==== Property Description ====
  
 
*encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
 
*encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
Line 250: Line 449:
  
 
===PPPoE in a multipoint wireless 802.11g network===
 
===PPPoE in a multipoint wireless 802.11g network===
 
+
<p>
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.
+
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It is not discussed here, how to change the MTU of the Windows wireless interface.
 
+
</p>
 +
<p>
 
Let us consider the following setup where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication:
 
Let us consider the following setup where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication:
 
+
</p>
 +
[[File:pppoe-apex.png]]
 +
<p>
 
First of all, the wireless interface should be configured:
 
First of all, the wireless interface should be configured:
 
 
<pre>
 
<pre>
 
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
 
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
Line 295: Line 496:
 
  0  R Local                                  1500  00:0C:42:03:25:53 proxy-arp
 
  0  R Local                                  1500  00:0C:42:03:25:53 proxy-arp
 
[admin@PPPoE-Server] interface ethernet>
 
[admin@PPPoE-Server] interface ethernet>
 +
</pre>
  
 
We should add PPPoE server to the wireless interface:
 
We should add PPPoE server to the wireless interface:
 
+
<pre>
 
[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
 
[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
 
   service-name=mt one-session-per-host=yes disabled=no
 
   service-name=mt one-session-per-host=yes disabled=no
Line 306: Line 508:
 
     one-session-per-host=yes max-sessions=0 default-profile=default
 
     one-session-per-host=yes max-sessions=0 default-profile=default
 
[admin@PPPoE-Server] interface pppoe-server server>
 
[admin@PPPoE-Server] interface pppoe-server server>
 +
</pre>
 
Finally, we can set up PPPoE clients:
 
Finally, we can set up PPPoE clients:
 
+
<pre>
 
[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
 
[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
 
[admin@PPPoE-Server] ip pool> print
 
[admin@PPPoE-Server] ip pool> print
Line 335: Line 538:
 
</pre>
 
</pre>
  
Thus we have completed the configuration and added two users: w and l who are able to connect to Internet, using PPPoE client software.
+
We have now completed the configuration and added two users: w and l who are able to connect to Internet, using PPPoE client software.
 +
</p>
 +
<p>
 +
Note that Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned to support Windows clients older than Windows XP, it is recommended not to require encryption. In either case, the server is able to support clients that cannot encrypt the data.
 +
</p>
  
Note that Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned not to support Windows clients older than Windows XP, it is recommended not to require encryption. In other case, the server will accept clients that do not encrypt data.
+
==FAQ==
 +
* <b>What are those numbers in PPPoE client disconnect logs?</b>
  
==Troubleshooting==
+
Numbers in log message contain following information: <b>Uptime Bytes-In Bytes-Out Packets-In Packets-Out</b>
  
I can connect to my PPPoE server. The ping goes even through it, but I still cannot open web pages
+
* <b>I can connect to my PPPoE server. I can even ping through it, but I still cannot open web pages</b>
  
Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp profile the dns-server parameter).
+
Make sure that you have specified a valid [[DNS]] server in the router (in /ip dns or in /ppp profile the dns-server parameter).
  
The PPPoE server shows more than one active user entry for one client, when the clients disconnect, they are still shown and active
+
* <b>The PPPoE server shows more than one active user entry for one client, when the clients disconnect, they are still shown and active</b>
  
Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if You want clients to be considered logged off if they do not respond for 10 seconds.
+
Set the <var>keepalive-timeout</var> parameter (in the PPPoE server configuration) to 10 if you want clients to be considered logged off if they do not respond for 10 seconds.
  
Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP profile settings) is set to yes then the clients might be able to connect only once. To resolve this problem one-session-per-host parameter in PPPoE server configuration should be set to yes
+
Note that if the <var>keepalive-timeout</var> parameter is set to 0 and the <var>only-one</var> parameter (in PPP profile settings) is set to 'yes' then the clients may be able to connect only the once. To resolve this problem <var>one-session-per-host</var> parameter in PPPoE server configuration should be set to 'yes'
  
My Windows XP client cannot connect to the PPPoE server
+
* <b>My Windows XP client cannot connect to the PPPoE server</b>
  
 
You have to specify the "Service Name" in the properties of the XP PPPoE client. If the service name is not set, or it does not match the service name of the MikroTik PPPoE server, you get the "line is busy" errors, or the system shows "verifying password - unknown error"
 
You have to specify the "Service Name" in the properties of the XP PPPoE client. If the service name is not set, or it does not match the service name of the MikroTik PPPoE server, you get the "line is busy" errors, or the system shows "verifying password - unknown error"
  
I want to have logs for PPPoE connection establishment
+
* <b>I want to have logs for PPPoE connection establishment</b>
 +
 
 +
Configure the logging feature under the /system logging facility and enable the PPP type logs. [[Log | Read more >>]]
  
Configure the logging feature under the /system logging facility and enable the PPP type logs
+
{{Cont}}
  
[[Category:Manual]]
+
[[Category:Manual|P]]
 +
[[Category:VPN|P]]
 +
[[Category:Interface|P]]

Latest revision as of 10:09, 29 March 2019

Version.png

Applies to RouterOS: v3, v4

Summary

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The difference between them is expressed in transport method: PPPoE employs Ethernet instead of serial modem connection.

Generally speaking, PPPoE is used to hand out IP addresses to clients based on authentication by username (and also if required, by workstation) as opposed to workstation only authentication where static IP addresses or DHCP are used. It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons.

The PPPoE client and server work over any Layer2 Ethernet level interface on the router - wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP tunnel).

Feature list

  • PPPoE server and client support;
  • Multilink PPP (MLPPP);
  • MLPPP over single link (ability to transmit full-sized frames);
  • BCP (Bridge Control Protocol) support - allows sending of raw Ethernet frames over PPP links;
  • MPPE 128bit RSA encryption;
  • pap, chap, mschap v1/v2 authentication;
  • RADIUS support for client authentication and accounting.


Note that when RADIUS server is authenticating a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the RADIUS protocol does not use shared secret, it is used only in authentication reply. So if you have a wrong shared secret, RADIUS server will accept the request. You can use /radius monitor command to see bad-replies parameter. This value should increase whenever a client tries to connect.

Supported connections:

  • MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
  • MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers)

Specifications

  • Packages required: ppp
  • License required: Level1 (limited to 1 interface) , Level3 (limited to 200 interfaces) , Level4 (limited to 200 interfaces) , Level5 (limited to 500 interfaces) , Level6 (unlimited)
  • Submenu level: /interface pppoe-server, /interface pppoe-client
  • Standards and Technologies: PPPoE (RFC 2516)
  • Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of 65535 connections is supported.

Quick Setup Guide

To configure MikroTik RouterOS to be a PPPoE client, just add a pppoe-client:

/interface pppoe-client 
  add name=pppoe-user-mike user=user password=passwd interface=wlan1 \
  service-name=internet disabled=no

To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):

  • add an address pool for the clients from 10.1.1.62 to 10.1.1.72;
  • add ppp profile;
  • add ppp secret (username/password);
  • add pppoe server itself.
/ip pool 
add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72

/ppp profile 
add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool

/ppp secret 
add name=user password=passwd service=pppoe profile=pppoe-profile

/interface pppoe-server server 
add service-name=internet interface=wlan1 default-profile=pppoe-profile disabled=no

PPPoE Operation

Stages

PPPoE has two stages:

  • Discovery stage - a client discovers all available access concentrators and selects one of them to establish PPPoE session.This stage has four steps: initialization, offer, request and session confirmation . PPPoE Discovery uses special Ethernet frames with their own Ethernet frame type 0x8863.

Pppoe-discovery.png

To initiate discovery, PPPoE client sends PADI frame to the broadcast Ethernet address (FF:FF:FF:FF:FF:FF) and optionally may specify a service name.

When server receives PADI frame, it responds with PADO frame to Client's unicast Ethernet address. There can be more than one server in broadcast range of the client. In such case client collects PADO frames and picks one (in most cases it picks the server which responds first) to start session.

Client sends PADR frame to unicast Ethernet address of the server it chose. If server agrees to set up a session with this particular client, it allocates resources to set up PPP session and assigns Session ID number. This number is sent back to client in PADS frame. When client receives PADS frame, it knows servers mac address and Session ID, it allocates resources and session can begin.

  • Session - When discovery stage is completed, both peers know PPPoE Session ID and other peer's Etehrnet (MAC) address which together defines PPPoE session. PPP frames are encapsulated in PPPoE session frames, which have Ethernet frame type 0x8864.
    When server sends confirmation and client receives it, PPP Session stage is started that consists of following steps:
    • LCP negotiation
    • Authentication
    • IPCP negotiation - where client is assigned an IP address.


PPPoE server sends Echo-Request packets to the client to determine the state of the session, otherwise server will not be able to determine that session is terminated in cases when client terminates session without sending Terminate-Request packet.

More detailed description of PPPoE protocol can be found in RFC 2516

Used Packet Types

Packet Description
PADI PPPoE Active Discovery Initialization
The PPPoE client sends out a PADI packet to the broadcast address. This packet can also populate the "service-name" field if a service name has been entered in the dial-up networking properties of the PPPoE client. If a service name has not been entered, this field is not populated
PADO PPPoE Active Discovery Offer
The PPPoE server, or Access Concentrator, should respond to the PADI with a PADO if the Access Concentrator is able to service the "service-name" field that had been listed in the PADI packet. If no "service-name" field had been listed, the Access Concentrator will respond with a PADO packet that has the "service-name" field populated with the service names that the Access Concentrator can service. The PADO packet is sent to the unicast address of the PPPoE client
PADR PPPoE Active Discovery Request
When a PADO packet is received, the PPPoE client responds with a PADR packet. This packet is sent to the unicast address of the Access Concentrator. The client may receive multiple PADO packets, but the client responds to the first valid PADO that the client received. If the initial PADI packet had a blank "service-name" field filed, the client populates the "service-name" field of the PADR packet with the first service name that had been returned in the PADO packet.
PADS PPPoE Active Discovery Session confirmation
When the PADR is received, the Access Concentrator generates a unique session identification (ID) for the Point-to-Point Protocol (PPP) session and returns this ID to the PPPoE client in the PADS packet. This packet is sent to the unicast address of the client.
PADT PPPoE Active Discovery Terminate
can be sent anytime after a session is established to indicate that a PPPoE session terminated. It can be sent by either server or client.


MTU

Typically, the largest Ethernet frame that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of overhead and PPP field adds two more bytes, leaving 1492 bytes for IP datagram. Therefore max PPPoE MRU and MTU values must not be larger than 1492.

TCP stacks try to avoid fragmentation, so they use an MSS (Maximum Segment Size). By default MSS is chosen as MTU of the outgoing interface minus the usual size of the TCP and IP headers (40 bytes), which results in 1460 bytes for an Ethernet interface. Unfortunately there may be intermediate links with lower MTU which will cause fragmentation. In such case TCP stack performs path MTU discovery. Routers which cannot forward the datagram without fragmentation are supposed to drop packet and send ICMP-Fragmentation-Required to originating host. When host receives such ICMP packet, it tries to lower the MTU. This should work in the ideal world, however in the real world many routers do not generate fragmentation-required datagrams, also many firewalls drop all ICMP datagrams.

The workaround for this problem is to adjust MSS if it is too big. By default RouterOS adds mangle rules to intercept TCP SYN packets and silently adjust any advertised MSS option so they will be appropriate for the PPPoE link.

Additional information on maximum supported MTUs for RouterBoards are listed here.

PPPoE Client

Sub-menu: /interface pppoe-client


Properties

Property Description
ac-name (string; Default: "") Access Concentrator name, this may be left blank and the client will connect to any access concentrator on the broadcast domain
add-default-route (yes|no; Default: no) Enable/Disable whether to add default route automatically
allow (mschap2|mschap1|chap|pap; Default: mschap2,mschap1,chap,pap) allowed authentication methods, by default all methods are allowed
default-route-distance (byte [0..255]; Default:1) sets distance value applied to auto created default route, if add-default-route is also selected
dial-on-demand (yes|no; Default: no) connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established.
interface (string; Default: ) interface name on which client will run
keepalive-timeout (integer; Default:60) Sets keepalive timeout in seconds.
max-mru (integer; Default: 1460) Maximum Receive Unit
max-mtu (integer; Default: 1460) Maximum Transmission Unit
mrru (integer: 512..65535|disabled; Default: disabled) maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >>
name (string; Default: pppoe-out[i]) name of the PPPoE interface, generated by RouterOS if not specified
password (string; Default: ) password used to authenticate
profile (string; Default: default) default profile for the connection defined in /ppp profiles
service-name (string; Default: "") specifies the service name set on the access concentrator, can be left blank to connect to any PPPoE server
use-peer-dns (yes|no; Default: no) enable/disable getting DNS settings from the peer
user (string; Default: "") username used for authentication

Status

Command /interface pppoe-client monitor will display current PPPoE status.

Available read only properties:

Property Description
ac-mac (MAC address) MAC address of the access concentrator (AC) the client is connected to
ac-name (string) name of the Access Concentrator
active-links (integer) Number of bonded MLPPP connections, ('1' if not using MLPPP)
encoding (string) encryption and encoding (if asymmetric, separated with '/') being used in this connection
local-address (IP Address) IP Address allocated to client
remote-address (IP Address) Remote IP Address allocated to server (ie gateway address)
mru (integer) effective MRU of the link
mtu (integer) effective MTU of the link
service-name (string) used service name
status (string) current link status. Available values are:
  • dialing,
  • verifying password...,
  • connected,
  • disconnected.
uptime (time) connection time displayed in days, hours, minutes and seconds

Scanner

Starting from v3.21 RouterOS has new tool - PPPoE Scanner. It allows you to scan all active PPPoE servers in broadcast domain. Command to run scanner is as follows /interface pppoe-client scan <interface>

Available read only properties:

Property Description
service (string) Service name configured on server
mac-address (MAC) Mac address of detected server
ac-name (string) name of the Access Concentrator


Notes

Note for Windows. Some connection instructions may use the form where the "phone number", such as "MikroTik_AC\mt1", is specified to indicate that "MikroTik_AC" is the access concentrator name and "mt1" is the service name.

Specifying MRRU means enabling MP (Multilink PPP) over single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tab, Settings button, "Negotiate multi-link for single link connections". MRRU is hardcoded to 1614 on Windows. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.

Example

To add and enable PPPoE client on the ether1 interface connecting to the AC that provides 'testSN' service using user name user with the password 'passwd':

[admin@RemoteOffice] interface pppoe-client> add interface=ether1 service-name=testSN user=user 
 password=passwd disabled=no
[admin@RemoteOffice] interface pppoe-client> print
Flags: X - disabled, R - running
 0  R name="pppoe-out1" max-mtu=1480 max-mru=1480 mrru=disabled interface=ether1
      user="user" password="passwd" profile=default service-name="testSN"
      ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no
      allow=pap,chap,mschap1,mschap2

[admin@MikroTik] interface pppoe-client> monitor pppoe-out1
        status: "connected"
        uptime: 6s
     idle-time: 6s
      encoding: "MPPE128 stateless"
  service-name: "testSN"
       ac-name: "MikroTik"
        ac-mac: 00:0C:42:04:00:73
           mtu: 1480
           mru: 1480

PPPoE Server Setup (Access Concentrator)

Sub-menu: /interface pppoe-server server

The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.

The access concentrator name and PPPoE service name are used by clients to identity the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.

Note that if no service name is specified in WindowsXP, it will only use a service with no name! So if you want to serve WindowsXP clients, leave your service name empty.


Properties

Property Description
authentication ( mschap2 | mschap1 | chap | pap; Default: "mschap2, mschap1, chap, pap") Authentication algorithm
default-profile (string; Default: "default") Default user profile to use
interface (string; Default: "") Interface that the clients are connected to
keepalive-timeout (time; Default: "10") Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If there is no traffic and no keepalive responses arrive for that period of time (i.e. 2 * keepalive-timeout), the non responding client is proclaimed disconnected.
max-mru (integer; Default: "1480") Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
max-mtu (integer; Default: "1480") Maximum Transmission Unit. The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
max-sessions (integer; Default: "0") Maximum number of clients that the AC can serve. '0' = no limitations.
mrru (integer: 512..65535 | disabled; Default: "disabled") Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >>
one-session-per-host (yes | no; Default: "no") Allow only one session per host (determined by MAC address). If a host tries to establish a new session, the old one will be closed.
service-name (string; Default: "") The PPPoE service name. Server will accept clients which sends PADI message with service-names that matches this setting or if service-name field in PADI message is not set.

Notes

The default keepalive-timeout value of 10s is OK in most cases. If you set it to 0, the router will not disconnect clients until they explicitly log out or the router is restarted. To resolve this problem, the one-session-per-host property can be used.

Icon-note.png

Note: Security issue: do not assign an IP address to the interface you will be receiving the PPPoE requests on.


Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in Networking tag, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome PathMTU discovery failures. The MP setting should be enabled on both peers.

Example

To add PPPoE server on ether1 interface provided with a service-name of "ex" and allowing only one connection per host:

[admin@MikroTik] interface pppoe-server server> add interface=ether1 service-name=ex 
  one-session-per-host=yes
[admin@MikroTik] interface pppoe-server server> print
Flags: X - disabled
  0 X service-name="ex" interface=ether1 mtu=1480 mru=1480 mrru=disabled
      authentication=mschap2,mschap,chap,pap keepalive-timeout=10
      one-session-per-host=yes max-sessions=0 default-profile=default
[admin@MikroTik] interface pppoe-server server>

PPPoE Server

Sub-menu: /interface pppoe-server

There are two types of interface (tunnel) items in PPPoE server configuration - static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user. Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name - set one-session-per-host value if this is a problem). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration. Note that in both cases PPP users must be configured properly - static entries do not replace PPP configuration.

Property Description

  • encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
  • mru (read-only: integer) - client's MRU
  • mtu (read-only: integer) - client's MTU
  • name (name) - interface name
  • remote-address (read-only: MAC address) - MAC address of the connected client
  • service (name) - name of the service the user is connected to
  • uptime (read-only: time) - shows how long the client is connected
  • user (name) - the name of the connected user (must be present in the user darabase anyway)

Example

To view the currently connected users:

[admin@MikroTik] interface pppoe-server> print
Flags: X - disabled, D - dynamic, R - running 
 #     NAME       USER      SERVICE   REMOTE... ENCODING  UPTIME
 0  DR <pppoe-ex> user      ex        00:0C:... MPPE12... 40m45s
[admin@MikroTik] interface pppoe-server>

To disconnect the user ex:

[admin@MikroTik] interface pppoe-server> remove [find user=ex]
[admin@MikroTik] interface pppoe-server> print
[admin@MikroTik] interface pppoe-server>

Application Examples

PPPoE in a multipoint wireless 802.11g network

In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It is not discussed here, how to change the MTU of the Windows wireless interface.

Let us consider the following setup where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication:

Pppoe-apex.png

First of all, the wireless interface should be configured:

[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
   frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running 
 0 X  name="wlan1" mtu=1500 mac-address=00:0C:42:18:5C:3D arp=enabled
      interface-type=Atheros AR5413 mode=ap-bridge ssid="mt" frequency=2442
      band=2.4ghz-b/g scan-list=default antenna-mode=ant-a wds-mode=disabled
      wds-default-bridge=none wds-ignore-ssid=no default-authentication=yes
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
      hide-ssid=no security-profile=default compression=no
[admin@PPPoE-Server] interface wireless>

Now, configure the Ethernet interface, add the IP address and set the default route:

[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.3/24        10.1.0.0        10.1.0.255      Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTER...
 0 ADC  10.1.0.0/24        10.1.0.3                          0        Local
 1 A S  0.0.0.0/0                          r 10.1.0.1        1        Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
 #    NAME                                   MTU   MAC-ADDRESS       ARP
 0  R Local                                  1500  00:0C:42:03:25:53 proxy-arp
[admin@PPPoE-Server] interface ethernet>

We should add PPPoE server to the wireless interface:

[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
   service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
 0   service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480 mrru=disabled
     authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>

Finally, we can set up PPPoE clients:

[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
 # NAME                                         RANGES
 0 pppoe                                        10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
   local-address=10.1.0.3 remote-address=pppoe
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
 0 * name="default" local-address=10.1.0.3 remote-address=pppoe
     use-compression=no use-vj-compression=no use-encryption=yes only-one=no
     change-tcp-mss=yes

 1 * name="default-encryption" use-compression=default
     use-vj-compression=default use-encryption=yes only-one=default
     change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
 #   NAME        SERVICE CALLER-ID PASSWORD  PROFILE            REMOTE-ADDRESS
 0   w           pppoe             wkst      default            0.0.0.0
 1   l           pppoe             ltp       default            0.0.0.0
[admin@PPPoE-Server] ppp secret>

We have now completed the configuration and added two users: w and l who are able to connect to Internet, using PPPoE client software.

Note that Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned to support Windows clients older than Windows XP, it is recommended not to require encryption. In either case, the server is able to support clients that cannot encrypt the data.

FAQ

  • What are those numbers in PPPoE client disconnect logs?

Numbers in log message contain following information: Uptime Bytes-In Bytes-Out Packets-In Packets-Out

  • I can connect to my PPPoE server. I can even ping through it, but I still cannot open web pages

Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp profile the dns-server parameter).

  • The PPPoE server shows more than one active user entry for one client, when the clients disconnect, they are still shown and active

Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if you want clients to be considered logged off if they do not respond for 10 seconds.

Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP profile settings) is set to 'yes' then the clients may be able to connect only the once. To resolve this problem one-session-per-host parameter in PPPoE server configuration should be set to 'yes'

  • My Windows XP client cannot connect to the PPPoE server

You have to specify the "Service Name" in the properties of the XP PPPoE client. If the service name is not set, or it does not match the service name of the MikroTik PPPoE server, you get the "line is busy" errors, or the system shows "verifying password - unknown error"

  • I want to have logs for PPPoE connection establishment

Configure the logging feature under the /system logging facility and enable the PPP type logs. Read more >>

[ Top | Back to Content ]