Geekzone: technology news, blogs, forums

Topic # 202109 17-Sep-2016 16:27

Hey All.

I have a Mikrotik CRS109 which I plan to use when fibre is installed (they have marked my street for the drilling - yay).

I've recently moved to this house; previously I had Vodashame Cable, which the Mikrotik was great for. At the moment, to get VDSL, I acquired a Draytek Vigor 2750 and the poor Mikrotik has been acting as basically a switch. I followed some instructions from Snappernet to turn the Vigor into a bridge and have an alternative device act as the PPPoE client. This didn't seem to work on my Mikrotik, but plugging a laptop in and setting up a PPPoE connection into the modem did work, so I can assume from that that the Draytek modem config was correct.

The modem was set up to do this by putting the modem into bridge mode, disabling the PPPoE dialer and enabling multi-VLAN bridging of the WAN and Port 4 of the modem, tagging Port 4 with VLAN ID 10. This worked for the Windows laptop to PPPoE without having to tag it with VLAN ID 10.

On this principle I set up a PPPoE connection on the Mikrotik with my credentials and the interface ether1 (a standalone port not connected to a bridge or switch port), which was linked into the same port on the Draytek. This just did not connect at all.

The PPPoE interface was set up with my given username, password, profile default, and 'use peer dns' and 'add default route' checked, with all authentication methods allowed, and the interface was ether1.

I realise when I go for UFB I'll need to add a VLAN with VLAN ID 10, create a bridge, add ether1 to it, and attach the PPPoE profile to the VLAN with ID 10, but as the modem is doing all the tagging and untagging it's not needed yet.

Has anyone successfully configured a Mikrotik router to use fibre and have the PPPoE dialer working on it? Most of the stuff I've worked through says to use an l2mtu of 1522, but my router seems to fix that at 1584 and it cannot be changed; not sure if this is the issue.

Meow
Reply # 1632202 17-Sep-2016 16:43

Here is a basic guide I created some time ago: http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=161676

Note, the interfaces will be different on the CRS109, along with the fact you'll not be using the VLAN. It should however point you in the right direction. I was using WinBox to set it up. I no longer have a Mikrotik device so won't be much more help other than that.


Reply # 1632207 17-Sep-2016 17:07

Go into logging and add everything for ppp.


Reply # 1632208 17-Sep-2016 17:08

I have multiple Mikrotiks running on UFB connections as well as half-bridged DSL connections; they all work without an issue.

Have you checked if the PPPoE connection status is connected? (You can see this under the PPPoE interface.) If not, what does it state?


sbiddle
Reply # 1632213 17-Sep-2016 17:15

Beaker:

I realise when I go for UFB I'll need to add a VLAN with VLAN ID 10, create a bridge, add ether1 to it, and attach the PPPoE profile to the VLAN with ID 10, but as the modem is doing all the tagging and untagging it's not needed yet.

You don't create a bridge or do anything with ether1 - you simply create VLAN10 on an interface (say ether1) and run the PPPoE client on VLAN10.


Reply # 1632303 17-Sep-2016 19:04

Snappernet have a config available to set your router up for VDSL bridging, as well as one for PPPoA-PPPoE translation (or PPPoA ADSL connections).

Download that, load it up to your DV130, create a PPPoE client on ether1 (or whatever interface you wish to use) and all done.

Then when UFB comes along, simply remove the DV130, create a VLAN interface on your 'wan' port of the Mikrotik, move the PPPoE client to that VLAN interface and all done.


sbiddle
Reply # 1632305 17-Sep-2016 19:14

And most importantly, ensure your firewall rules are set to PPPoE, not ether1, if you're just modifying the base config.

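Putting sbiddle's two points together for the UFB case (VLAN 10 directly on ether1 with the PPPoE client on that VLAN, and firewall/NAT rules keyed on the PPPoE interface rather than ether1), as an added RouterOS example that is not any poster's own config. The interface names vlan10-ufb and pppoe-out1, the "LAN is everything that is not pppoe-out1" assumption and the credential placeholders are mine; the ICMP limit values are the ones MadEngineer suggests further down the thread.

```routeros
# Added example for this thread, not any poster's own config.
#   1. VLAN 10 is created directly on ether1 (no bridge) and the PPPoE
#      client runs on that VLAN interface;
#   2. firewall and NAT rules key on the PPPoE interface, never on ether1,
#      because the public-facing IP interface is the PPP session.
# Assumptions: interface names vlan10-ufb and pppoe-out1, the LAN side is
# "everything that is not pppoe-out1", and the credentials are placeholders.

/interface vlan
add name=vlan10-ufb interface=ether1 vlan-id=10 comment="UFB: tagged VLAN 10 on the ONT-facing port"

/interface pppoe-client
# ac-name and service-name are left empty: the OP found that filling in
# AC Name ("Voyager") stopped the session from coming up.
add name=pppoe-out1 interface=vlan10-ufb user=PLACEHOLDER_USER password=PLACEHOLDER_PASSWORD \
    add-default-route=yes use-peer-dns=yes max-mtu=1492 max-mru=1492 disabled=no

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp in-interface=pppoe-out1 limit=50/5s,5:packet \
    comment="rate-limited ICMP from the internet (50 per 5s, burst 5)"
add chain=input action=accept in-interface=!pppoe-out1 comment="LAN side may manage the router"
add chain=input action=drop in-interface=pppoe-out1 comment="drop all other traffic arriving on the PPPoE interface"
# forward chain: traffic passing through the router
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new in-interface=pppoe-out1 connection-nat-state=!dstnat \
    comment="drop unsolicited inbound unless a dst-nat port forward matched"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="masquerade on the PPPoE interface, not ether1"
```

For the interim VDSL setup in this thread (modem doing the tagging), the only change is `interface=ether1` on the pppoe-client instead of the VLAN interface; the firewall rules stay the same because they never mention ether1.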

Reply # 1632308 17-Sep-2016 19:43

sbiddle:

And most importantly, ensure your firewall rules are set to PPPoE, not ether1, if you're just modifying the base config.

Or don't, and have fun watching lots of red entries in your log, and your CPU (and there isn't a lot of it on a CRS) getting absolutely hammered by DNS amplification attacks.

Actually did this to see how long it would take - less than 40 minutes.


Beaker
Reply # 1635599 18-Sep-2016 20:09

Thanks guys, I repeated the process and it all worked. I think I've identified my error: I entered 'Voyager' where it asked for 'AC Name', thinking this is just a field to fill in; turns out it breaks it.

So this is my working config with a Draytek 2750.

Modem in Bridge Mode
Disabled PPPoE on the Draytek
Bridge WAN to Port 4, tagging VLAN 10 on Port 4 (according to Snappernet, just use any VLAN on WAN as it's a placeholder)
Mikrotik ether1 plugged into Port 4 on the Draytek
PPPoE attached to ether1
Added PPPoE credentials
Routes set up
Filter rules reconfigured (as well as NAT rules).. yes I like to be able to ICMP home :)


MadEngineer
Reply # 1636030 19-Sep-2016 18:58
One person supports this post

^ You need to update:

From WinBox, System -> Packages -> Check for updates -> Download and Install
Or from a terminal session, /system package update install

The above will perform a reset, and about a minute later the device will be back up and running again.

After that check System -> Routerboard for any upgrade (or again, terminal: /system routerboard upgrade).

Double check your firewall filters after the update that none are red. I also suggest running the tests at https://www.grc.com/


sbiddle
Reply # 1636045 19-Sep-2016 19:10

I'm not sure why you have your primary interface (Voyager?) as the out interface on the forward rules.

I also assume you're running a very old version of RouterOS, so you should upgrade if they are the default rules; they're from the really old days when there was an individual rule for established & related. The new default rules are a lot better. I'd also recommend adding the rules I use, which I've added to another couple of very similar threads on here recently, that drop port scanners and SYN floods.


MadEngineer
Reply # 1636050 19-Sep-2016 19:13

^ Haha, yes, I was going to provide some suggestions once he had performed the upgrades :p


Beaker
Reply # 1639484 23-Sep-2016 15:38

Done the upgrades, it was only a few versions out.

What are the suggestions you make?

There is another annoying issue I face: sustaining a gigabit connection between ether1 on the Mikrotik and the Draytek simply doesn't work.

If I set it to auto-negotiation, it negotiates at 1 Gbps, but it keeps dropping the connection and the PPPoE session. If I try to fix both of them to 1000FDX they won't talk to each other, but if I set them to 100FDX they talk to each other fine and stably. It's OK for now while VDSL is only 58 Mb/s, but when I go fibre I intend to push it as far as I can.

It's hard to pinpoint if it's the Draytek modem with the issue or the Mikrotik box. It's CAT6 between them, less than 1 m of cable; I tried several brands / types of Cat5e and Cat6 and all have the same issue. Perhaps when I get the Huawei PON the issue will disappear, but who knows.


MadEngineer
Reply # 1639629 23-Sep-2016 21:38
One person supports this post

Probably easier to factory reset the device and start with the defaults as suggested by sbiddle.

Hopefully it then has fasttrack enabled. Post a screenshot of the firewall rules after that. If allowing ICMP, I suggest adding a limit to the rule: Extra -> Limit, set rate of 50/5, burst 5, packet mode.

You can get pretty carried away with firewall rules; here's most of mine for my own home connection, which you won't want to use unless you had the same address lists as me, otherwise you'd get locked out of your device short of connecting to it over MAC with WinBox.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Accept established/related" connection-state=established,related
add action=accept chain=forward comment="Accept established/related" connection-state=established,related
add action=accept chain=input comment="Accept established/related" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid log-prefix=drop_inv_fwd
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid
add action=drop chain=input comment="Drop Void" src-address-list=void
add action=accept chain=input comment="Accept Trusted" in-interface=Lan src-address-list=our-nets
add action=drop chain=input comment="dropping port scanners" log=yes log-prefix=Port_Scnr src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " log=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " log=yes protocol=udp psd=21,3s,3,1 src-port=!53
add action=accept chain=input comment="Accept Trusted" in-interface=all-ppp src-address-list=our-nets
add action=accept chain=input comment="IPSec, ISAKMP, L2TP" dst-port=4500,500,1701 protocol=udp
add action=accept chain=input comment="Accept limited ICMP" limit=50/5s,5:packet protocol=icmp
add action=drop chain=input comment="Drop Other Input" log-prefix=other_drop
add action=accept chain=forward comment="Accept local new forward" connection-state=new src-address-list=our-nets
add action=accept chain=forward comment="Accept marked port forwards" connection-mark=mnnnn
add action=drop chain=forward comment="Drop other forward" log=yes log-prefix=DropOtherFwd

/ip firewall raw
add action=drop chain=prerouting comment="drop port scanners" log=yes log-prefix=Port_Scnr_Raw src-address-list="port scanners" tcp-flags=""
add action=drop chain=prerouting comment="drop void" in-interface=!Lan log=yes log-prefix=raw_drop_void src-address-list=void

Some notes: The new Raw filter (missing from your screenshots) saves some CPU work. I should probably remove the duplicate filters now that I'm using that function. The exception for port 53 on the port scanner rule is due to multiple rapid DNS queries (thanks Chrome) using sequential port numbers, which would trigger the rule. "our-nets" is for internal addresses. "void" are address ranges that are not routed (including classes A and B, reserved etc.). "mnnnn" is what I use for port forwarding (NAT). Note that I use connection filtering by tagging in mangle rather than every packet, to save CPU work. Every chain should end with a blanket deny all.

I often play with the rules as an ongoing curio. I used to employ port knocking/fail2ban but figured I had enough rules already :)


MadEngineer
Reply # 1639635 23-Sep-2016 21:47

As for your port flapping, double check that both the firmware and OS are updated as I mentioned previously. How are you powering the two devices?


Beaker
Reply # 1639728 24-Sep-2016 10:13

MadEngineer:

Probably easier to factory reset the device and start with the defaults as suggested by sbiddle.

Hopefully it then has fasttrack enabled. Post a screenshot of the firewall rules after that. If allowing ICMP, I suggest adding a limit to the rule: Extra -> Limit, set rate of 50/5, burst 5, packet mode.

You can get pretty carried away with firewall rules; here's most of mine for my own home connection, which you won't want to use unless you had the same address lists as me, otherwise you'd get locked out of your device short of connecting to it over MAC with WinBox.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Accept established/related" connection-state=established,related
add action=accept chain=forward comment="Accept established/related" connection-state=established,related
add action=accept chain=input comment="Accept established/related" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid log-prefix=drop_inv_fwd
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid
add action=drop chain=input comment="Drop Void" src-address-list=void
add action=accept chain=input comment="Accept Trusted" in-interface=Lan src-address-list=our-nets
add action=drop chain=input comment="dropping port scanners" log=yes log-prefix=Port_Scnr src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " log=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " log=yes protocol=udp psd=21,3s,3,1 src-port=!53
add action=accept chain=input comment="Accept Trusted" in-interface=all-ppp src-address-list=our-nets
add action=accept chain=input comment="IPSec, ISAKMP, L2TP" dst-port=4500,500,1701 protocol=udp
add action=accept chain=input comment="Accept limited ICMP" limit=50/5s,5:packet protocol=icmp
add action=drop chain=input comment="Drop Other Input" log-prefix=other_drop
add action=accept chain=forward comment="Accept local new forward" connection-state=new src-address-list=our-nets
add action=accept chain=forward comment="Accept marked port forwards" connection-mark=mnnnn
add action=drop chain=forward comment="Drop other forward" log=yes log-prefix=DropOtherFwd

/ip firewall raw
add action=drop chain=prerouting comment="drop port scanners" log=yes log-prefix=Port_Scnr_Raw src-address-list="port scanners" tcp-flags=""
add action=drop chain=prerouting comment="drop void" in-interface=!Lan log=yes log-prefix=raw_drop_void src-address-list=void

Some notes: The new Raw filter (missing from your screenshots) saves some CPU work. I should probably remove the duplicate filters now that I'm using that function. The exception for port 53 on the port scanner rule is due to multiple rapid DNS queries (thanks Chrome) using sequential port numbers, which would trigger the rule. "our-nets" is for internal addresses. "void" are address ranges that are not routed (including classes A and B, reserved etc.). "mnnnn" is what I use for port forwarding (NAT). Note that I use connection filtering by tagging in mangle rather than every packet, to save CPU work. Every chain should end with a blanket deny all.

I often play with the rules as an ongoing curio. I used to employ port knocking/fail2ban but figured I had enough rules already :)

OK, disabled all existing filters and added these, but the last rule seemed to stop everything working; any ideas what's unmatched?

Also my terminal is being smashed with this, which is the PPPoE:

10:14:24 echo: pppoe,ppp,debug,packet Voyager: rcvd LCP EchoReq id=0x4f
10:14:24 echo: pppoe,ppp,debug,packet <magic 0x2416adfa>
10:14:24 echo: pppoe,ppp,debug,packet <data len=4>
10:14:24 echo: pppoe,ppp,debug,packet Voyager: sent LCP EchoRep id=0x4f
10:14:24 echo: pppoe,ppp,debug,packet <magic 0x37f838a7>
10:14:24 echo: pppoe,ppp,debug,packet <data len=4>