The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently, PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems. PPPoE is an extension of the standard dial-up and synchronous protocol PPP. The transport is over Ethernet – as opposed to modem transport.
Generally speaking, PPPoE is used to hand out IP addresses to clients based on user (and, if desired, workstation) authentication, as opposed to the workstation-only authentication that applies when static IP addresses or DHCP are used. For security reasons, do not use static IP addresses or DHCP on interfaces on which PPPoE is used.
A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router – wireless 802.11 (Aironet, Cisco, WaveLAN, Prism, Atheros), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA, and MPPE 128bit RSA encryption are supported.
Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections – including PPPoE. For more information on PPP authentication, see the General Point to Point Settings manual.
Supported connections:
The pppoe-2.6.x.npk package and the ppp-2.6.x.npk
are required. The packages can be downloaded from MikroTik’s web
page www.mikrotik.com. To install the packages, please upload them to the
router with ftp and reboot.
The PPPoE client uses a minimum amount of memory.
The PPPoE server (access concentrator) uses a minimum amount of memory for the basic setup.
Each current PPPoE server connection uses approximately 100-200KB of memory.
For PPPoE servers (access concentrators) designed for a large number of PPPoE connections,
additional RAM should be added. In version 2.6, there is currently a maximum of
5000 connections. For example, a 1,000 user system should have 200MB of free
RAM above the normal operating RAM. For a large number of clients, a faster processor
is required. We recommend using a Celeron 600MHz processor or higher.
A future rewrite of parts of PPP is expected to significantly reduce the requirements.
The PPPoE client supports high-speed connections. It is fully compatible with
the MikroTik PPPoE server (access concentrator). Tests with different ISPs and
access concentrators are currently underway.
Note for Windows: Some connection instructions may use the form where the
“phone number” is “MikroTik_AC\mt1” to indicate that “MikroTik_AC” is the access
concentrator name and “mt1” is the service name.
An example of a PPPoE client on the MikroTik RouterOS:
Descriptions of settings:
The PPPoE server (access concentrator) supports multiple servers for each
interface – with differing service names. Currently the throughput of the PPPoE
server has been tested to 160Mb/s on a Celeron 600 CPU. Using higher speed CPUs
should increase the throughput proportionately.
The setting below is the optimal setting to work with Windows clients such as
RASPPPoE client for all versions of Windows greater than 3.x. The password
authentication and encryption are set to authentication=chap specifically
to ensure a quick login by the Windows client. In the example below, the login is
encrypted with PAP.
The access concentrator has a hard limit of 5000 current connections. The
user setting for the connections limit is done by setting the IP pools in
the remote-address configuration.
The access concentrator name and PPPoE service name are used by clients
to identify the access concentrator to register with. The access concentrator
name is the same as the identity of the router displayed before the command prompt.
The identity may be set within the /system identity submenu.
Descriptions of settings:
Security issue: do not assign an IP address to the Interface you will be
receiving the PPPoE requests on.
The PPPoE server will create a point-to-point connection for each individual client.
Each connection will have its own dynamic (virtual) P2P interface.
The local-address will be set on the server side, and the remote-address will be given to the
client. The addresses do not need to be from 'the same network', since the P2P connections
have addresses with 32 bit netmasks anyway. What you set on the server side does not matter
so much - it can be the address of another interface of the router, or some arbitrary address.
Please consult the General Point to Point Settings manual on authorization,
filtering and accounting settings.
Please see the IP Addresses and Address Resolution Protocol (ARP) Manual for how to give
out addresses to PPPoE clients from the same address space you are using on your local network.
For local authentication, the data rate can be set in the /ppp profile menu
with the tx-bit-rate and rx-bit-rate values (in bits/s). For RADIUS authentication, the
account of each user in the RADIUS server should be set with:
PPPoE Installation on the MikroTik RouterOS
[admin@RemoteOffice] interface pppoe-client> print
Flags: X - disabled, R - running
  0 X  name="pppoe-out1" mtu=1460 mru=1460 interface=gig user="john"
       password="password" profile=default service-name="testSN" ac-name=""
       add-default-route=no dial-on-demand=no use-peer-dns=no
name - this settable name will appear in interface and IP
address list when the PPPoE session is active.
interface - interface through which the PPPoE server can be connected. The PPPoE
client can be attached to any Ethernet like interface – for example: wireless,
10/100/1000 Ethernet, and EoIP tunnels.
mtu and mru - represent the MTU and MRU when the 8 byte PPPoE overhead
is subtracted from the standard 1500 byte Ethernet packet.
For encryption, subtract four more bits and set the MTU and MRU to 1488.
user - a user name that is present on the PPPoE server
password - a user password used to connect to the PPPoE server
profile - default profile for the connection
service-name - The service name set on the access concentrator. Many
ISPs give user-name and address in the form of “user-name@service-name”
ac-name - This may be left blank and the client will connect to any
access concentrator that offers the “service” name selected
add-default-route - Select yes to have a default route added
automatically. Note, the dynamic default route will not be added if there is
already a default route set
dial-on-demand - Connects to AC only when outbound traffic is generated
and disconnects when there is no traffic for the period set in the idle-timeout
value
use-peer-dns - Sets the router default DNS to the PPP peer DNS.
PPPoE Server Setup (Access Concentrator)
[admin@MikroTik] interface pppoe-server> server print
Flags: X - disabled
  0 X  service-name="office" interface=prism1 mtu=1492 mru=1492
       authentication=chap keepalive-timeout=10 default-profile=default
[admin@MikroTik] interface pppoe-server server>
service-name - The PPPoE service name
mtu, mru - The default MTU and MRU are set to 1480, but the maximum value
they can be set to on the Ethernet interface is 1492 because of the PPPoE
overhead. For encryption, subtract four more bits and set the MTU and MRU to 1488.
authentication - authentication algorithm. One or more of: mschap2,
chap, pap
keepalive-timeout - defines the time period (in seconds) after which a client
that is not responding is considered disconnected. The default value of 10 is
OK in most cases. If you set it to 0, the router will not disconnect
clients until they log out or the router is restarted
default-profile - default profile to use for the clients
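An added example (not MikroTik's code): a Python check over server print output in the format shown above. It flags enabled servers that accept pap (which sends the password unencrypted, per RFC 1334), that set keepalive-timeout=0, or that listen on an interface that also carries an IP address. The second entry of the sample listing, the ether2 interface name and the comma-separated authentication list are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the "server print" listing on this page.
SAMPLE = """Flags: X - disabled
  0 X  service-name="office" interface=prism1 mtu=1492 mru=1492
       authentication=chap keepalive-timeout=10 default-profile=default
  1    service-name="guest" interface=ether2 mtu=1480 mru=1480
       authentication=pap,chap keepalive-timeout=0 default-profile=default
"""

ENTRY = re.compile(r'^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S+=.*)$')  # number, flags, settings
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')                 # key=value or key="value"

def parse_servers(text):
    """Parse multi-line print output into one dict per numbered entry."""
    servers = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            servers.append({"number": int(m.group(1)),
                            "disabled": "X" in m.group(2).split()})
            rest = m.group(3)
        elif servers and "=" in line:
            rest = line            # continuation line of the current entry
        else:
            continue               # prompt line or "Flags:" legend
        for key, value in PAIR.findall(rest):
            servers[-1][key] = value.strip('"')
    return servers

def audit(servers, addressed_interfaces):
    """Return (entry number, finding) tuples for enabled servers only."""
    findings = []
    for s in servers:
        if s["disabled"]:
            continue
        methods = s.get("authentication", "").split(",")  # assumed comma-separated
        if "pap" in methods:
            findings.append((s["number"], "pap accepted: password sent unencrypted"))
        if s.get("keepalive-timeout") == "0":
            findings.append((s["number"], "keepalive-timeout=0: silent clients never dropped"))
        if s.get("interface") in addressed_interfaces:
            findings.append((s["number"], "PPPoE interface also has an IP address"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(parse_servers(SAMPLE), {"ether2"}):
        print(number, finding)
```

The set of interfaces that carry IP addresses is passed in by the caller, since the address listing format is not shown on this page.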
Parameter: Ascend-Data-Rate (vendor id: 529, attribute id:197 -- in bits/s)
If there is one attribute sent then both tx and rx are set to that rate in b/s.
If there are two attributes sent then the first will be the tx and the second will
be the rx (in bits/s). This means you need to add two lines to your radius
attributes if you want to set tx and rx to different speeds.
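An added example (not part of the MikroTik manual): Python that encodes Ascend-Data-Rate as a RADIUS Vendor-Specific attribute in the RFC 2865 layout, extracts it from a raw attribute list, and applies the one-or-two-attribute rule described above. The sample rates and the rejection of any other attribute count are assumptions of this example.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for vendor-specific data (RFC 2865)
ASCEND_VENDOR_ID = 529    # vendor id given on this page
ASCEND_DATA_RATE = 197    # attribute id given on this page

def encode_data_rate(bits_per_second):
    """Build one Vendor-Specific attribute carrying Ascend-Data-Rate."""
    sub = struct.pack("!BBI", ASCEND_DATA_RATE, 6, bits_per_second)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ASCEND_VENDOR_ID) + sub

def data_rates(attributes):
    """Collect Ascend-Data-Rate values, in order, from raw RADIUS attributes."""
    rates, pos = [], 0
    while pos < len(attributes):
        length = attributes[pos + 1] if pos + 1 < len(attributes) else 0
        if length < 2 or pos + length > len(attributes):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attributes[pos + 2:pos + length]
        if attributes[pos] == VENDOR_SPECIFIC and len(body) == 10:
            vendor, sub_type, sub_len, value = struct.unpack("!IBBI", body)
            if (vendor, sub_type, sub_len) == (ASCEND_VENDOR_ID, ASCEND_DATA_RATE, 6):
                rates.append(value)
        pos += length
    return rates

def tx_rx(rates):
    """One value sets both directions; two values are tx first, then rx."""
    if len(rates) not in (1, 2):
        # Assumption of this example: any other count is treated as an error.
        raise ValueError("expected one or two Ascend-Data-Rate attributes")
    return rates[0], rates[-1]

if __name__ == "__main__":
    # Constructed reply attributes: Framed-Protocol = PPP, then two data rates.
    framed_ppp = bytes([7, 6, 0, 0, 0, 1])
    reply = framed_ppp + encode_data_rate(64000) + encode_data_rate(128000)
    print("tx=%d rx=%d bits/s" % tx_rx(data_rates(reply)))
```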
PPPoE in a multipoint wireless 802.11b network
In a wireless network, the PPPoE server may be attached to our PRISMII 2.4GHz Access Point (station mode) interface. Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this moment.