MikroTik Fibre Untagged PPPoE Routing Issue

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › MikroTik Fibre Untagged PPPoE Routing Issue

godber

75 posts

Master Geek
+1 received by user: 46

ID Verified

Trusted

Lifetime subscriber

#302476 26-Nov-2022 12:32

The ISP that I use for fibre uses PPPoE that is untagged.

Username and Password are changed below, but the correct password is required to connect.

I can get it working on an old Spark router but on my CCR2116-12G-4S+ it does not appear to route correctly.

The script I am using is as follows.

# RouterOS 7.6
# model = CCR2116-12G-4S+
/interface bridge
add name=local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=username@ISP password=password
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=local interface=ether2
/interface list member
add interface=ether2 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=WAN

As per the address list below I get an address

/ip address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.88.1/24 192.168.88.0 local
1 D 202.27.197.66/32 10.1.1.2 pppoe-out1

Routes are as follows

[admin@MikroTik] > /routing route print
Flags: A - ACTIVE; c, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TA IMMEDIATE-GW
Av 0.0.0.0/0 pppoe-out1 ip4 1 30 10 pppoe-out1
Ac 10.1.1.2/32 pppoe-out1 ip4 0 10 pppoe-out1
Ac 192.168.88.0/24 local ip4 0 10 local
Av ::/0 pppoe-out1 ip6 1 30 10 pppoe-out1
Ac fe80::%ether1/64 ether1 ip6 0 10 ether1
Ac fe80::%local/64 local ip6 0 10 local
Ac fe80::%pppoe-out1/64 pppoe-out1 ip6 0 10 pppoe-out1
A H ether1 link 0
A H ether2 link 0
A H local link 0
A H pppoe-out1 link 0

Traceroute stops at the 10.1.1.2 address

[admin@MikroTik] > tool/traceroute 8.8.8.8
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 10.1.1.2 0% 1 3.5ms 3.5 3.5 3.5 0
2 100% 1 timeout
3 100% 1 timeout
4 100% 1 timeout
5 0% 1 0ms

From Windows tracert reports the router IP 192.168.88.1 and 10.1.1.2

>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 2 ms 4 ms 2 ms 192.168.88.1
2 7 ms 5 ms 9 ms 10.1.1.2
3 * * * Request timed out.

Am guessing something is wrong but I am out of ideas.

@nztim you mentioned "I have Tagged/Untagged and PPPoE/DHCP scripts (all four combinations)" Would you be willing to share or advise me of the error in my script?

Many Thanks

Godfrey
Auckland/Coroglen, New Zealand
Quic Broadband - 4G Hyperfibre

Referral Link:
Quic (use R71004E9PVBJ on checkout for free setup)

RunningMan

9185 posts

Uber Geek
+1 received by user: 4838

#3001689 26-Nov-2022 13:35

Can you post traceroute with Spark router? Curious as to why the private IP is showing outside the WAN. It's not a CG-NAT address - is the ISP redirecting to a closed portal or similar? What happens with a web browswer trying to access a site?

godber

75 posts

Master Geek
+1 received by user: 46

ID Verified

Trusted

Lifetime subscriber

#3001692 26-Nov-2022 13:49

RunningMan:

Can you post traceroute with Spark router? Curious as to why the private IP is showing outside the WAN. It's not a CG-NAT address - is the ISP redirecting to a closed portal or similar? What happens with a web browser trying to access a site?

Thanks for assisting.

Using old Spark Router - trace route fails to 8.8.8.8

>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 * 10 ms 10 ms 10.80.108.193
2 * * * Request timed out.
3 ^C

As does ping

>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Using spark router ping www.stuff.co.nz works

>ping www.stuff.co.nz

Pinging e14449.dscx.akamaiedge.net [23.212.169.182] with 32 bytes of data:
Reply from 23.212.169.182: bytes=32 time=17ms TTL=60
Reply from 23.212.169.182: bytes=32 time=11ms TTL=60
Reply from 23.212.169.182: bytes=32 time=10ms TTL=60
Reply from 23.212.169.182: bytes=32 time=10ms TTL=60

Ping statistics for 23.212.169.182:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 17ms, Average = 12ms

Trace Route to www.stuff.co.nz also works using old Spark router

>tracert www.stuff.co.nz

Tracing route to e14449.dscx.akamaiedge.net [23.212.169.182]
over a maximum of 30 hops:

1 3 ms 2 ms 2 ms smart.mesh [192.168.118.254]
2 6 ms 6 ms 5 ms 10.1.1.2
3 10 ms 12 ms 9 ms 202.27.202.233
4 10 ms 11 ms 10 ms 202.27.202.241
5 283 ms 235 ms 115 ms as20940.akl.ix.nz [43.243.21.53]
6 10 ms 9 ms 9 ms a23-212-169-182.deploy.static.akamaitechnologies.com [23.212.169.182]

Trace complete.

Using MikroTik trace route fails

>tracert www.stuff.co.nz
Unable to resolve target system name www.stuff.co.nz.

Using MikroTik trace route fails even using the IP

>tracert 23.212.169.182

Tracing route to 23.212.169.182 over a maximum of 30 hops

1 8 ms 2 ms 3 ms 192.168.88.1
2 26 ms 6 ms 5 ms 10.1.1.2
3 * * Transmit error: code 1232.

Trace complete.

Using MikroTik ping to IP address fails

>ping 23.212.169.182

Pinging 23.212.169.182 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 23.212.169.182:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Finally any web site using the MikroTik router fails.

Godfrey
Auckland/Coroglen, New Zealand
Quic Broadband - 4G Hyperfibre

Referral Link:
Quic (use R71004E9PVBJ on checkout for free setup)