# 243927 9-Jan-2019 11:30

Hi everyone

I am trying to configure the MikroTik RB750Gr3 to be a PPPoE bridge to a firewall, so that the firewall will have the public IP at the WAN interface with full control of traffic, port forwarding and HAProxy rules.

The RB750 will be on a gig fiber connection with

Connection:

UFF-ONT -----> (eth1)  RB750  (eth2) -----> (WAN)  firewall (LAN) ----> devices.

I have managed to get PPPoE working but I can't seem to get the IP address to pass through the MikroTik to the WAN interface on the firewall. I have had a poke around in threads here and on Google but most people are just using them for the VLAN tagging for older hardware.

To get to where I am I have been using WinBox to configure the rules/settings and get it to the point that I am at, but I just can't quite figure it out.

I am new to MikroTik products and RouterOS so not 100% sure of the correct setup or if this is even possible; I'm sure that it would be possible somehow.

So if there are any RouterOS gurus or MikroTik gurus that could shed some light on this it would be greatly appreciated.

Thanks


  # 2156941 9-Jan-2019 11:41

What's the reasoning for terminating the PPPoE on the Mikrotik? Can you not do a PPPoE interface on your firewall?

 

Edit: Oh and post your current config (run /export) - obviously redact your pppoe user/pass if needed.


  # 2156942 9-Jan-2019 11:41

Does your firewall support doing VLAN tagging itself?

 

 





  # 2156945 9-Jan-2019 11:50

chevrolux:

What's the reasoning for terminating the PPPoE on the Mikrotik? Can you not do a PPPoE interface on your firewall?

Edit: Oh and post your current config (run /export) - obviously redact your pppoe user/pass if needed.


I am using OPNsense as the OS for the firewall and it currently has some issues with the PPPoE traffic due to some limiting factor on the interface/hardware, which is affecting the speed of the connection, so my thought was that if I could set up a transparent bridge that would handle the PPPoE connection, that is all it would do.




  # 2156946 9-Jan-2019 11:51

hio77:

Does your firewall support doing VLAN tagging itself?


Yes, the firewall will support VLAN tagging, but when I set up my connection (at the ISP end) I turned that off as I didn't want it tagged.


  # 2156951 9-Jan-2019 12:02

Hi, I remember your previous thread where PPPoE on the OPNsense has throughput issues, is this the right story?

You could bridge it, but I have not done that before. A simpler solution might be to set up the Mikrotik with the PPPoE WAN (and yes, tagged if required) and create a transport LAN, use the Mikrotik to do all the NATing (i.e. masquerade enabled to the pppoe interface) and add a route to the OPNsense network via the transport, and a corresponding route from the OPNsense back to the Mikrotik; make sure NAT is off on the OPNsense.

 

Cyril




  # 2157032 9-Jan-2019 13:56

cyril7:

Hi, I remember your previous thread where PPPoE on the OPNsense has throughput issues, is this the right story?

You could bridge it, but I have not done that before. A simpler solution might be to set up the Mikrotik with the PPPoE WAN (and yes, tagged if required) and create a transport LAN, use the Mikrotik to do all the NATing (i.e. masquerade enabled to the pppoe interface) and add a route to the OPNsense network via the transport, and a corresponding route from the OPNsense back to the Mikrotik; make sure NAT is off on the OPNsense.

Cyril


Yeah, this is the story. It seems to be something to do with the hardware and how it just can't handle PPPoE traffic correctly, and it's a well known issue now from what I have seen on a few forums.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203856

I have been trying to bridge the connection by adding ether1 and ether2 to the bridge and then adding the pppoe interface to the bridge, and that's about as far as I have made it; the pppoe connects and resolves the WAN address, which isn't what I want.

So what you're saying, and the way you have mentioned to configure it, is that the Mikrotik would still retain the WAN IP address, and then all the masquerading and VPNs will need to be set up in the Mikrotik?

 

 


  # 2157042 9-Jan-2019 14:07

Hi, ahh so you have VPNs to terminate on the OPNsense, that should not be a problem, just forward all the ports and protocols needed to terminate the VPN technology you are using to the OPNsense and voila. What type of VPNs?

How familiar are you with RouterOS? I could paste some commands to set it all up.

 

Cyril


 
 
 
 




  # 2157059 9-Jan-2019 14:29

cyril7:

Hi, ahh so you have VPNs to terminate on the OPNsense, that should not be a problem, just forward all the ports and protocols needed to terminate the VPN technology you are using to the OPNsense and voila. What type of VPNs?

How familiar are you with RouterOS? I could paste some commands to set it all up.

Cyril


Yeah, I have about 5 VPNs that terminate on the OPNsense.

This is my very first Mikrotik router that I have played with, so not a lot of know-how on this, but it looks simple enough in WinBox so far.


  # 2157077 9-Jan-2019 14:49

Can you move to an ISP that does DHCP?

 

 





  # 2157083 9-Jan-2019 14:54

Hi, so based on a reset Mikrotik (pull power, hold reset button in, apply power, wait till USR LED starts blinking and release, wait till it beeps, approx 20-30 sec) the following commands should work. This is for Spark, who have a higher MTU of 1520, so it might pay to start with it at default.

The following commands could be pasted into a telnet or ssh session or in the terminal box, or just interpreted and put in via web or winfig. It assumes IPsec is used with UDP 500, 4500 and ESP (50) in use; if AH is used then add protocol 51 also. It also assumes the following network, with the Mikrotik transport LAN at 192.168.88.1/24 and the OPNsense WAN at 192.168.88.2/24

-----WAN------------[Mikrotik]----------192.168.88.0/24-------[OPNsense]-------192.168.2.0/24--------local_lan--------

/interface vlan
add interface=ether1 mtu=1520 name=vlan10 vlan-id=10

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 keepalive-timeout=60 name=pppoe-out1 password=password use-peer-dns=yes user=user@xtra.co.nz

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.88.2

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=500 protocol=udp to-addresses=192.168.88.2 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 protocol=udp to-addresses=192.168.88.2 to-ports=4500
add action=dst-nat chain=dstnat protocol=ipsec-esp to-addresses=192.168.88.2

In IP DHCP disable the instance.

 

 

 

Cyril




  # 2157187 9-Jan-2019 17:31

coffeebaron:

Can you move to an ISP that does DHCP?


I moved from the ISP that we had that supplied DHCP due to the lack of support and faffing about in April of last year,

https://www.geekzone.co.nz/forums.asp?forumId=165&topicId=232206

I have just signed up for a contract with another supplier that is really good at the moment, everything just works.




  # 2157188 9-Jan-2019 17:34

cyril7:

Hi, so based on a reset Mikrotik (pull power, hold reset button in, apply power, wait till USR LED starts blinking and release, wait till it beeps, approx 20-30 sec) the following commands should work. This is for Spark, who have a higher MTU of 1520, so it might pay to start with it at default.

The following commands could be pasted into a telnet or ssh session or in the terminal box, or just interpreted and put in via web or winfig. It assumes IPsec is used with UDP 500, 4500 and ESP (50) in use; if AH is used then add protocol 51 also. It also assumes the following network, with the Mikrotik transport LAN at 192.168.88.1/24 and the OPNsense WAN at 192.168.88.2/24

-----WAN------------[Mikrotik]----------192.168.88.0/24-------[OPNsense]-------192.168.2.0/24--------local_lan--------

/interface vlan
add interface=ether1 mtu=1520 name=vlan10 vlan-id=10

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 keepalive-timeout=60 name=pppoe-out1 password=password use-peer-dns=yes user=user@xtra.co.nz

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.88.2

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=500 protocol=udp to-addresses=192.168.88.2 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 protocol=udp to-addresses=192.168.88.2 to-ports=4500
add action=dst-nat chain=dstnat protocol=ipsec-esp to-addresses=192.168.88.2

In IP DHCP disable the instance.

Cyril


OK, so what I can understand of that is that I don't need the /interface vlan part of the config, but on the pppoe part, for interface=vlan10 would I replace the vlan10 with ether1?


  # 2157204 9-Jan-2019 17:59

Hi, correct, if your ISP is not tagging the WAN on vlan10 then just connect the pppoe to Interface1.

 

Cyril




  # 2163986 20-Jan-2019 09:42

So I have been playing around and trying to configure this and do some testing, but it seems as if I'm doing something wrong. I can get the Mikrotik connected to PPPoE using the router mode in Quick Set, and my speed tests are far worse than on my OPNsense box, I must be missing something?

Also, I have tried the config that has been posted and altered it to suit the connection that I have, but I can't seem to get it to work, and WinBox didn't want to connect to the Mikrotik even after a reboot.

Here is the config I was trying,

 

add admin-mac=B8:69:F4:80:3B:12 auto-mac=no comment=defconf name=bridgeLocal
/interface pppoe-client
# Client is on slave interface
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 name=pppoe-out1 password=IB*^&%hjf89fg use-peer-dns=yes user=\
user@ispthatworks.nz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridgeLocal
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=500 protocol=udp to-addresses=192.168.88.2 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 protocol=udp to-addresses=192.168.88.2 to-ports=4500
add action=dst-nat chain=dstnat protocol=ipsec-esp to-addresses=192.168.88.2
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.88.2
/system clock
set time-zone-name=Pacific/Auckland
[admin@MikroTik] >

 

 

 

From what I can make out from that config, it should connect on the ether1 interface with my PPPoE username and password, and then if I have a static IP of 192.168.88.2 set on my laptop I should get a connection to the internet? Or not?

Also, on another note, when looking at the WinBox PPPoE tab it mentions that the PPPoE client is on a slave interface, which is leading me to think that the interface is not set up correctly and it's not connecting using the PPPoE credentials.

Ideally all I want the Mikrotik to do is authenticate with the PPPoE server and pass the public IP and all data to the OPNsense box without NATing and forwarding rules.

Let me know what your thoughts are.

Thanks
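Added example (not from the thread, MikroTik or OPNsense): a small Python checker that parses a RouterOS `/export` like the one posted above and flags the two things this thread turns on: a PPPoE client bound to a port that is also a member of the default bridge (the "slave interface" WinBox warns about, which also leaves the ONT-facing port on the same L2 segment as the LAN ports) and dst-nat forwards still set to `disabled=yes`, so IKE on UDP 500/4500 would never reach the OPNsense WAN at 192.168.88.2. The embedded export is constructed from the posted one with the credential replaced by a placeholder.

```python
import re
# Constructed sample modelled on the export posted above (credential replaced).
EXPORT = """\
/interface pppoe-client
# Client is on slave interface
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=REDACTED user=\\
user@example.invalid
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=500 protocol=udp to-addresses=192.168.88.2 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 protocol=udp to-addresses=192.168.88.2 to-ports=4500
add action=dst-nat chain=dstnat protocol=ipsec-esp to-addresses=192.168.88.2
"""

def parse_export(text):
    """Map each menu path (e.g. '/ip firewall nat') to its add/set lines as key=value dicts."""
    cfg, menu = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join backslash-continued lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            cfg.setdefault(menu, [])
            continue
        _verb, _, rest = line.partition(" ")  # 'add' / 'set'
        cfg[menu].append(dict(re.findall(r"(\S+?)=(\S*)", rest)))
    return cfg

def find_issues(cfg):
    """Findings for the two misconfigurations the thread turns on."""
    issues = []
    members = {}  # bridge name -> set of member ports
    for p in cfg.get("/interface bridge port", []):
        members.setdefault(p["bridge"], set()).add(p["interface"])
    for c in cfg.get("/interface pppoe-client", []):
        uplink = c.get("interface")
        for bridge, ports in members.items():
            if uplink in ports:
                # PPPoE on a slave port; the ONT-facing port also shares one L2 segment with the LAN ports
                issues.append(f"pppoe-client {c.get('name')} bound to bridge port {uplink} of {bridge}")
                if ports - {uplink}:
                    issues.append(f"uplink {uplink} is bridged with LAN ports {sorted(ports - {uplink})}")
    for n in cfg.get("/ip firewall nat", []):
        if n.get("action") == "dst-nat" and n.get("disabled") == "yes":
            issues.append(f"dst-nat for {n.get('protocol')}/{n.get('dst-port')} is disabled")
    return issues
```

Run `find_issues(parse_export(open("export.rsc").read()))` against a real export to get the same findings for your own device.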

