PPPoE Server: ISP Subscriber Access Configuration
TL;DR (quick start)
For the impatient: basic PPPoE server with one subscriber.
```
# Create IP pool for subscribers
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254

# Create PPP profile
/ppp profile add name=pppoe-profile local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8,8.8.4.4

# Add subscriber
/ppp secret add name=user1 password=pass123 service=pppoe profile=pppoe-profile

# Create PPPoE server on subscriber-facing interface
/interface pppoe-server server add interface=ether2 service-name=MyISP \
    default-profile=pppoe-profile disabled=no

# NAT for internet access
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=masquerade
```
Verify: /ppp active print shows connected subscribers.
Overview
What this does: A PPPoE server (Access Concentrator) authenticates subscribers and assigns IP addresses, enabling per-user management, bandwidth control, and accounting. PPPoE is widely used by ISPs and WISPs for subscriber access.
When to use this:
- Operating as an ISP or WISP
- Providing authenticated internet access to subscribers
- Managing per-subscriber bandwidth limits
- Tracking subscriber usage for billing
- Integrating with RADIUS for centralized management
Prerequisites:
- RouterOS 6.x or 7.x
- Dedicated interface(s) for subscriber connections
- IP address pool planned for subscribers
- Understanding of PPP architecture (profiles, secrets)
Critical
Do not assign an IP address to the PPPoE server interface. PPPoE operates at Layer 2 - the PPP tunnel handles IP addressing. Assigning an IP causes routing issues.
Architecture overview
Key components
| Component | Menu Path | Purpose |
|---|---|---|
| PPPoE Server | /interface pppoe-server server | Listens for subscriber connections |
| PPP Profile | /ppp profile | Defines session parameters (IP, DNS, limits) |
| PPP Secret | /ppp secret | Subscriber credentials (local auth) |
| IP Pool | /ip pool | Address range for subscribers |
| RADIUS | /radius + /ppp aaa | External authentication server |
Connection flow
- Subscriber sends PADI (PPPoE Active Discovery Initiation)
- Server responds with PADO (Discovery Offer)
- Subscriber sends PADR (Discovery Request)
- Server responds with PADS (Session Confirmation)
- PPP session established with LCP negotiation
- Authentication (PAP/CHAP/MSCHAPv2)
- IPCP assigns IP address to subscriber
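The four discovery messages above travel as plain Ethernet frames (EtherType 0x8863 in RFC 2516) before any authentication takes place. The following is an added example, not code from the original page or from MikroTik: it parses a discovery payload and applies the service-name match that decides whether a server answers a PADI. The frame bytes are constructed, and the rule that an empty requested name matches any server comes from RFC 2516.

```python
import struct

# PPPoE discovery codes and tag types defined in RFC 2516
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

# Constructed sample: PADI asking for service "MyISP", with a Host-Uniq tag
SAMPLE_PADI = bytes.fromhex("110900000011" "010100054d79495350" "01030004deadbeef")


def parse_discovery(payload: bytes) -> dict:
    """Parse the PPPoE part of an EtherType 0x8863 frame (Ethernet header removed)."""
    if len(payload) < 6:
        raise ValueError("shorter than the 6-byte PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != 0x11:
        raise ValueError("version and type must both be 1")
    if length > len(payload) - 6:
        raise ValueError("declared length exceeds captured bytes")
    body, tags, off = payload[6:6 + length], [], 0  # ignore Ethernet padding
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if tag_type == 0x0000:  # End-Of-List
            break
        if off + tag_len > len(body):
            raise ValueError("tag value runs past the payload")
        tags.append((TAGS.get(tag_type, hex(tag_type)), body[off:off + tag_len]))
        off += tag_len
    return {"code": CODES.get(code, hex(code)), "session_id": session_id, "tags": tags}


def server_answers(padi: dict, configured: str) -> bool:
    """True if a server with this service-name would offer a PADO for the PADI."""
    requested = [value for name, value in padi["tags"] if name == "Service-Name"]
    if padi["code"] != "PADI" or not requested:
        return False
    want = requested[0].decode("utf-8", "replace")
    # A blank server name accepts any request; a blank request accepts any service
    return configured == "" or want == "" or want == configured


if __name__ == "__main__":
    padi = parse_discovery(SAMPLE_PADI)
    print(padi)
    for name in ("MyISP", "OtherISP", ""):
        print(repr(name), server_answers(padi, name))
```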
Configuration steps
Step 1: Create IP address pool
Create a pool of addresses for subscriber assignment:
```
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
```
For larger deployments, use multiple ranges or pools:
```
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.255.254
```
Step 2: Create PPP profile
The profile defines default settings for all subscribers using it:
```
/ppp profile add \
    name=pppoe-profile \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8,8.8.4.4 \
    change-tcp-mss=yes
```
Key profile properties:
| Property | Purpose |
|---|---|
| local-address | Router’s address on PPP tunnels (gateway for subscribers) |
| remote-address | Pool name or specific IP for subscribers |
| dns-server | DNS servers pushed to subscribers |
| change-tcp-mss | Adjust TCP MSS to prevent fragmentation (recommended) |
| rate-limit | Bandwidth limit (upload/download) |
Step 3: Create subscriber accounts
Add users who can authenticate to your PPPoE server:
```
/ppp secret add \
    name=subscriber1 \
    password=SecurePass123 \
    service=pppoe \
    profile=pppoe-profile
```
For multiple subscribers:
```
/ppp secret add name=sub001 password=pass001 service=pppoe profile=pppoe-profile
/ppp secret add name=sub002 password=pass002 service=pppoe profile=pppoe-profile
/ppp secret add name=sub003 password=pass003 service=pppoe profile=pppoe-profile
```
Step 4: Create PPPoE server
Bind the server to the subscriber-facing interface:
```
/interface pppoe-server server add \
    interface=ether2 \
    service-name=MyISP \
    default-profile=pppoe-profile \
    authentication=mschap2,mschap1,chap \
    one-session-per-host=yes \
    disabled=no
```
Key server properties:
| Property | Purpose |
|---|---|
| interface | Interface where subscribers connect |
| service-name | Name advertised to subscribers (can be blank) |
| default-profile | Profile applied to all connections |
| authentication | Allowed auth methods (avoid PAP for security) |
| one-session-per-host | Prevent multiple sessions from same MAC |
| max-sessions | Limit total connections (0 = unlimited) |
Step 5: Configure NAT
Enable NAT so subscribers can access the internet:
```
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 \
    out-interface=ether1-wan action=masquerade \
    comment="NAT for PPPoE subscribers"
```
Verification
Check server status
```
/interface pppoe-server server print
```
Expected Output:
```
Flags: X - disabled
 0 interface=ether2 service-name="MyISP" max-mtu=1480 max-mru=1480 mrru=disabled
   authentication=chap,mschap1,mschap2 keepalive-timeout=10 one-session-per-host=yes
   max-sessions=0 default-profile=pppoe-profile
```
View active connections
```
/ppp active print
```
Expected Output:
```
Flags: R - RADIUS
 #   NAME         SERVICE  CALLER-ID          ADDRESS   UPTIME
 0   subscriber1  pppoe    AA:BB:CC:DD:EE:FF  10.0.0.2  1h23m45s
```
View dynamic PPPoE interfaces
```
/interface pppoe-server print
```
Shows all currently connected subscriber sessions with interface names.
Monitor specific session
```
/ppp active print stats
```
Shows bytes and packets transferred per session.
Common scenarios
Scenario: Multiple service plans with rate limiting
Create different profiles for different bandwidth tiers:
```
# 10 Mbps plan
/ppp profile add name=plan-10m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=10M/10M

# 50 Mbps plan
/ppp profile add name=plan-50m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=50M/50M

# 100 Mbps plan
/ppp profile add name=plan-100m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=100M/100M
```
Assign subscribers to plans:
```
/ppp secret add name=basic-user password=pass service=pppoe profile=plan-10m
/ppp secret add name=premium-user password=pass service=pppoe profile=plan-50m
```
Rate-limit format: rx-rate/tx-rate where rx = subscriber upload, tx = subscriber download (from router’s perspective).
Scenario: RADIUS authentication
Use RADIUS for centralized subscriber management:
```
# Add RADIUS server
/radius add address=192.168.1.100 secret=RadiusSecret123 service=ppp

# Enable RADIUS for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# Create profile (RADIUS overrides these settings)
/ppp profile add name=radius-profile local-address=10.0.0.1 \
    remote-address=pppoe-pool change-tcp-mss=yes

# Create server using RADIUS profile
/interface pppoe-server server add interface=ether2 service-name=ISP \
    default-profile=radius-profile disabled=no
```
Scenario: PPPoE server on VLAN
Serve subscribers on a specific VLAN:
```
# Create VLAN interface
/interface vlan add name=vlan100-subscribers vlan-id=100 interface=ether2

# Bind PPPoE server to VLAN
/interface pppoe-server server add interface=vlan100-subscribers \
    service-name=ISP default-profile=pppoe-profile disabled=no
```
Scenario: PPPoE over multiple VLANs
Serve PPPoE across a range of VLANs without creating individual interfaces:
```
/interface pppoe-server server add interface=bridge1 \
    service-name=MultiVLAN-ISP \
    default-profile=pppoe-profile \
    pppoe-over-vlan-range=100-150 \
    disabled=no
```
VLAN Conflict
Do not create VLAN interfaces with IDs that overlap with pppoe-over-vlan-range. The PPPoE server manages these VLANs internally.
Scenario: PPPoE server on bridge
For subscribers connecting through multiple physical ports:
```
# Create bridge for subscriber ports
/interface bridge add name=bridge-subscribers

# Add subscriber-facing ports
/interface bridge port add bridge=bridge-subscribers interface=ether2
/interface bridge port add bridge=bridge-subscribers interface=ether3
/interface bridge port add bridge=bridge-subscribers interface=ether4

# Bind PPPoE server to bridge
/interface pppoe-server server add interface=bridge-subscribers \
    service-name=ISP default-profile=pppoe-profile disabled=no
```
Scenario: Static IP for specific subscriber
Assign a fixed IP to a subscriber (bypassing the pool):
```
/ppp secret add name=static-user password=pass service=pppoe \
    profile=pppoe-profile remote-address=10.0.0.100
```
The remote-address in the secret overrides the profile’s pool.
Scenario: On-up/on-down scripts
Execute scripts when subscribers connect/disconnect:
```
/ppp profile set pppoe-profile on-up="/log info \"User \$user connected from \$caller-id\""
/ppp profile set pppoe-profile on-down="/log info \"User \$user disconnected\""
```
Available script variables: $user, $local-address, $remote-address, $caller-id, $interface
MTU considerations
PPPoE adds 8 bytes overhead (6 PPPoE + 2 PPP), reducing effective MTU from 1500 to 1492 bytes.
| Scenario | Physical MTU | PPPoE MTU | Notes |
|---|---|---|---|
| Standard | 1500 | 1492 | Default, may cause fragmentation |
| Baby Jumbo | 1508 | 1500 | Recommended - eliminates fragmentation |
| VLAN Tagged | 1504 | 1492 | Additional 4 bytes for VLAN tag |
Configure baby jumbo (recommended)
If your network supports it, use baby jumbo frames:
```
# Set physical interface MTU
/interface ethernet set ether2 mtu=1508 l2mtu=1508

# Server will negotiate 1500 MTU with clients
/interface pppoe-server server set 0 max-mtu=1500 max-mru=1500
```
TCP MSS clamping
Ensure TCP sessions don’t exceed MTU (already handled by change-tcp-mss=yes in profile):
```
# Additional mangle rule for extra reliability
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```
Troubleshooting
Problem: Subscribers can’t connect
| Symptom | Cause | Solution |
|---|---|---|
| No PADO response | Server disabled or wrong interface | Check /interface pppoe-server server print for X flag |
| “No PPPoE server” | Service-name mismatch | Set service-name="" to accept any |
| Auth failed | Wrong credentials | Verify /ppp secret print |
| “RADIUS timeout” | RADIUS unreachable | Check /radius print, verify connectivity |
Enable debug logging:
```
/system logging add topics=pppoe,ppp,debug action=memory
/log print where topics~"ppp"
```
Problem: Connection loop (connect → disconnect)
| Symptom | Cause | Solution |
|---|---|---|
| Cycles repeatedly | MTU mismatch | Set physical interface MTU to 1492 or 1508 |
| Authenticates then drops | Profile misconfiguration | Check pool exists, local-address valid |
| Works briefly then dies | Keepalive timeout | Adjust keepalive-timeout |
Problem: Connected but no internet
| Check | Command | Solution |
|---|---|---|
| NAT configured | /ip firewall nat print | Add masquerade rule |
| Route exists | /ip route print | Verify PPPoE subnet routed |
| DNS working | /ip dns print | Verify DNS servers in profile |
| Firewall blocking | /ip firewall filter print | Allow PPPoE interface in forward chain |
Problem: RADIUS authentication issues
| Symptom | Cause | Solution |
|---|---|---|
| “Access denied” | Shared secret mismatch | Verify RADIUS secret |
| Timeout | RADIUS unreachable | Check firewall, UDP 1812/1813 |
| Auth OK but disconnects | Profile/attribute mismatch | Check RADIUS attributes match RouterOS |
```
# Check RADIUS status
/radius print

# Monitor RADIUS requests
/radius monitor 0
```
Common Mistakes
- Assigning IP to PPPoE interface - Don’t do it. PPP handles addressing.
- Using PAP authentication - Sends passwords in cleartext. Use CHAP/MSCHAPv2.
- Forgetting NAT - Subscribers won’t reach internet without masquerade.
- MTU issues - Most “partial page loads” are MTU problems. Use baby jumbo or MSS clamping.
Security considerations
Disable PAP authentication
PAP sends passwords in cleartext:
```
/interface pppoe-server server set 0 authentication=mschap2,mschap1,chap
```
Limit sessions per host
Prevent credential sharing:
```
/interface pppoe-server server set 0 one-session-per-host=yes
```
Limit maximum sessions
Prevent resource exhaustion:
```
/interface pppoe-server server set 0 max-sessions=500
```
Firewall for subscriber traffic
Control what subscribers can access:
```
# Add PPPoE interface list
/interface list add name=pppoe-clients

# Auto-add PPPoE interfaces to list (use profile)
/ppp profile set pppoe-profile interface-list=pppoe-clients

# Apply firewall rules
/ip firewall filter add chain=forward in-interface-list=pppoe-clients \
    connection-state=established,related action=accept
# Match subscriber-to-subscriber forwarding only; without out-interface-list
# this rule would also drop new subscriber connections to the internet
/ip firewall filter add chain=forward in-interface-list=pppoe-clients \
    out-interface-list=pppoe-clients action=drop comment="Block inter-subscriber traffic"
```
Properties reference
PPPoE server properties
| Property | Type | Default | Description |
|---|---|---|---|
| interface | string | - | Subscriber-facing interface (required) |
| service-name | string | "" | Name advertised to clients (blank = accept all) |
| default-profile | string | default | PPP profile for connections |
| authentication | enum | mschap2,mschap1,chap,pap | Allowed auth methods |
| max-mtu | integer | 1480 | Maximum transmission unit |
| max-mru | integer | 1480 | Maximum receive unit |
| keepalive-timeout | time | 10 | LCP echo timeout |
| one-session-per-host | yes/no | no | One session per MAC address |
| max-sessions | integer | 0 | Session limit (0 = unlimited) |
| pppoe-over-vlan-range | ranges | - | VLAN IDs to serve PPPoE |
| disabled | yes/no | yes | Enable/disable server |
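The defaults in the table above matter for the hardening steps under Security considerations: a server added without an explicit authentication= still allows PAP, as the TL;DR server does. The following is an added example, not code from the original page or from MikroTik: a Python check over RouterOS export text that applies those defaults before flagging PAP, one-session-per-host and max-sessions. The export text is constructed, and only `add` lines are read (later `set` commands are an assumption left out of scope).

```python
import shlex

MENU = "/interface pppoe-server server"
# Defaults from the "PPPoE server properties" table on this page
DEFAULTS = {"authentication": "mschap2,mschap1,chap,pap",
            "one-session-per-host": "no", "max-sessions": "0"}

# Constructed export: the first server relies on defaults, the second is hardened
SAMPLE_EXPORT = """\
/interface pppoe-server server
add default-profile=pppoe-profile disabled=no interface=ether2 \\
    service-name=MyISP
add authentication=mschap2,mschap1,chap default-profile=pppoe-profile \\
    disabled=no interface=ether3 max-sessions=500 one-session-per-host=yes \\
    service-name="MyISP"
"""


def pppoe_servers(export_text: str) -> list:
    """Effective properties of each PPPoE server 'add' line in the text."""
    servers, menu = [], ""
    for line in export_text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu path, optionally followed by the command
            head, sep, rest = line.partition(" add ")
            menu, line = head.strip(), ("add " + rest if sep else "")
        if menu == MENU and line.startswith("add "):
            props = dict(DEFAULTS)  # omitted properties fall back to defaults
            props.update(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            servers.append(props)
    return servers


def audit(props: dict) -> list:
    """Findings for one server, matching the page's three hardening settings."""
    findings = []
    if "pap" in props["authentication"].split(","):
        findings.append("pap allowed: passwords sent in cleartext")
    if props["one-session-per-host"] != "yes":
        findings.append("one-session-per-host=no: several sessions per MAC")
    if props["max-sessions"] == "0":
        findings.append("max-sessions=0: no session cap")
    return findings


if __name__ == "__main__":
    for server in pppoe_servers(SAMPLE_EXPORT):
        print(server["interface"], audit(server) or "ok")
```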
PPP profile properties (key subset)
| Property | Type | Default | Description |
|---|---|---|---|
| local-address | IP/pool | - | Router’s tunnel address |
| remote-address | IP/pool | - | Client’s assigned address |
| dns-server | IP list | - | DNS servers for clients |
| rate-limit | string | - | Bandwidth limit (rx/tx) |
| change-tcp-mss | yes/no | no | Adjust TCP MSS |
| only-one | yes/no | no | Single session per user |
| interface-list | string | - | Add sessions to interface list |
| on-up | script | - | Script on connect |
| on-down | script | - | Script on disconnect |
Related topics
Prerequisites
- IP Pool - Address pool configuration
- Bridge Configuration - Bridge for multiple ports
Authentication
- RADIUS - Centralized authentication
- User Manager - Built-in RADIUS server
Bandwidth Management
- Simple Queues - Per-user limits
- Queue Tree - Advanced QoS
Related PPP
- PPPoE Client - Connecting to ISPs
- L2TP VPN Server - VPN with L2TP
Reference
- MikroTik PPPoE Documentation
- PPP AAA
- PPP Profiles
- RFC 2516 - PPPoE Protocol