PPPoE Client Configuration

PPPoE Client Configuration

Version Info

RouterOS 7.16 | Min: v6.0+ | ⏱️ 10 minutes | 🟢 Beginner

Tested on: 7.16 7.14

Version-specific notes

• v7.20: Changed keepalive behavior - disabled keepalive now disables LCP echo for MTU probing
• v7.0: Enhanced VLAN range support for PPPoE server
• v6.x: Same commands work on RouterOS 6.x

TL;DR (Quick Start)

For the impatient: create a PPPoE client with your ISP credentials.

/interface pppoe-client add interface=ether1 user=your_username password=your_password \
    add-default-route=yes use-peer-dns=yes disabled=no name=pppoe-wan

Verify with:

/interface pppoe-client monitor pppoe-wan once

Look for status: connected with assigned IP addresses.

Overview

What this does: PPPoE (Point-to-Point Protocol over Ethernet) Client enables authenticated WAN connections commonly used by DSL, fiber, and cable ISPs. The client authenticates with a username/password and receives an IP address, default gateway, and DNS servers.

When to use this:

• DSL/ADSL connections requiring PPPoE authentication
• Fiber-to-the-home (FTTH) ISP connections
• Any ISP requiring username/password authentication for WAN access
• Replacing ISP-provided router with MikroTik

Prerequisites:

• An Ethernet interface connected to ISP modem/ONT (bridge mode)
• Username and password from your ISP
• No IP address or DHCP client configured on the WAN interface
• Modem/ONT configured in bridge mode (not router mode)

Configuration Steps

Step 1: Prepare the WAN Interface

Ensure the WAN interface has no IP address assigned. PPPoE runs directly on the Ethernet layer.

/ip address print where interface=ether1

If any addresses exist, remove them:

/ip address remove [find interface=ether1]
/ip dhcp-client remove [find interface=ether1]

Step 2: Create PPPoE Client

Create the PPPoE client with your ISP credentials:

/interface pppoe-client add interface=ether1 user=your_username password=your_password \
    add-default-route=yes use-peer-dns=yes disabled=no name=pppoe-wan

This configuration will:

• Create a PPPoE connection on ether1
• Authenticate with your ISP credentials
• Automatically add a default route when connected
• Use DNS servers provided by the ISP

Step 3: Verify Connection

Monitor the PPPoE client to verify successful connection:

/interface pppoe-client monitor pppoe-wan once

Expected output:

          status: connected
          uptime: 1h23m45s
    active-links: 1
        encoding:
         service:
         ac-name: ISP-AC
          ac-mac: AA:BB:CC:DD:EE:FF
             mtu: 1480
             mru: 1480
   local-address: 203.0.113.25
  remote-address: 203.0.113.1

Key indicators: status: connected with valid local-address and remote-address.

Step 4: Configure NAT for LAN

Enable masquerade NAT so LAN clients can access the internet:

/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade

Common Scenarios

Scenario: Use Custom DNS Servers

If you prefer using your own DNS servers instead of ISP-provided ones:

/interface pppoe-client set pppoe-wan use-peer-dns=no
/ip dns set servers=1.1.1.1,8.8.8.8

Scenario: Dual-WAN with PPPoE Backup

For setups where PPPoE is the backup connection:

# Primary WAN via DHCP
/ip dhcp-client add interface=ether1 disabled=no default-route-distance=1

# Backup WAN via PPPoE
/interface pppoe-client add interface=ether2 user=backup_user password=backup_pass \
    add-default-route=yes default-route-distance=2 use-peer-dns=no disabled=no name=pppoe-backup

Scenario: PPPoE with Specific Service Name

Some ISPs require a specific service name:

/interface pppoe-client set pppoe-wan service-name="ISP_SERVICE"

To discover available services on the network:

/interface pppoe-client scan ether1

Scenario: PPPoE over VLAN

If your ISP requires PPPoE on a tagged VLAN:

# Create VLAN interface first
/interface vlan add interface=ether1 vlan-id=10 name=vlan10-wan

# Create PPPoE client on VLAN interface
/interface pppoe-client add interface=vlan10-wan user=myuser password=mypass \
    add-default-route=yes disabled=no name=pppoe-wan

Scenario: RFC 4638 (MTU 1500 over PPPoE)

If your ISP supports baby jumbo frames for full 1500 MTU:

# Set underlying interface to 1508 bytes
/interface ethernet set ether1 mtu=1508

# Request 1500 MTU on PPPoE
/interface pppoe-client set pppoe-wan max-mtu=1500 max-mru=1500

Scenario: Dial-on-Demand

Connect only when there’s outbound traffic (useful for metered connections):

/interface pppoe-client set pppoe-wan dial-on-demand=yes

Verification

Confirm your PPPoE client configuration is working:

Check 1: Verify Client is Connected

/interface pppoe-client print where running

Expected: Shows R (running) flag and status=connected.

Check 2: Monitor Connection Details

/interface pppoe-client monitor pppoe-wan once

Expected: Shows status: connected with valid IP addresses.

Check 3: Verify Default Route

/ip route print where dst-address=0.0.0.0/0 gateway-status~"reachable"

Expected: Active default route via PPPoE gateway.

Check 4: Test Internet Connectivity

/tool ping 8.8.8.8 count=3

Expected: 3 packets transmitted, 3 received.

Check 5: Verify DNS Resolution

/tool dns-query google.com

Expected: Returns IP address(es) for google.com.

Troubleshooting

Symptom	Cause	Solution
Status stuck on “dialing”	No PPPoE server responding	Verify modem is in bridge mode; check cable connection
Status stuck on “dialing”	VLAN header issue on switch chip	Set /interface ethernet switch port set switch1-cpu vlan-header=always-strip
Status “verifying password” then disconnect	Wrong credentials	Double-check username/password with ISP
Status “verifying password” then disconnect	Wrong authentication method	Try different auth: /interface pppoe-client set pppoe-wan allow=pap,chap,mschap1,mschap2
Connected but no internet	NAT not configured	Add masquerade rule for pppoe-wan interface
Connected but some sites fail	MTU/MSS issues	Enable MSS clamping (see MTU Issues section)
Disconnects and won’t reconnect (v7.20+)	Keepalive disabled	Set keepalive-timeout=10 on PPPoE client
Connection drops periodically	ISP timeout or line quality	Check ISP; verify keepalive-timeout setting

MTU Issues (Common Problem)

PPPoE adds 8 bytes overhead, reducing effective MTU to 1492 (or less). When Path MTU Discovery fails, TCP connections may hang.

Symptoms:

• Some websites fail to load completely
• Large downloads stall
• Apps like Telegram or video calls fail

Solution - Enable MSS Clamping:

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

Or via PPP profile (if using one):

/ppp profile set default change-tcp-mss=yes

Common Mistakes

• Don’t configure IP address on the physical interface - PPPoE creates its own interface with IP
• Don’t run DHCP client on the same interface - PPPoE and DHCP client conflict
• Don’t forget the NAT rule - LAN clients need masquerade on the PPPoE interface, not the physical interface
• Don’t set keepalive-timeout=0 on v7.20+ - This breaks MTU probing; use a positive value

Community Tips

Discovering PPPoE Servers: Use scan to find available services:

/interface pppoe-client scan ether1

Automatic Reconnection: PPPoE should reconnect automatically. If not:

• Check for conflicting DHCP client on same interface
• Verify dial-on-demand=no for always-on connections
• Check ISP isn’t rate-limiting reconnections

Modem Bridge Mode: Most issues are caused by modem still routing. Verify:

• Modem shows “bridge mode” or “pass-through”
• Modem doesn’t have a WAN IP (it passes PPPoE through)
• Only one device authenticates (router, not modem)

PPPoE Client Status Reference

Status	Description
dialing	Sending PADI discovery packets, waiting for server
verifying password	Authentication in progress (LCP/PAP/CHAP)
connected	Session established, IP assigned
disconnected	Session not active
terminating	Session being closed

Related Topics

Prerequisites

• Interfaces Overview - interface fundamentals

Alternative WAN Methods

• DHCP Client - dynamic IP from ISP
• Static IP - fixed IP assignment

Next Steps

• NAT Masquerade - enable internet for LAN
• Firewall Basics - protect PPPoE interface
• Simple Queues - bandwidth management

Related PPP Topics

• PPPoE Server - run your own PPPoE server
• L2TP VPN - VPN over PPP

Reference

• MikroTik PPPoE Documentation
• Version changes:
  • v7.20: Keepalive behavior change affecting LCP echo/MTU probing
  • v7.0: Enhanced VLAN range support

Key Properties Reference

Property	Type	Default	Description
interface	string	-	Physical interface for PPPoE (required)
user	string	""	Authentication username
password	string	""	Authentication password
service-name	string	""	Target service name (blank accepts any)
ac-name	string	""	Access Concentrator name (blank accepts any)
add-default-route	yes/no	no	Install default route when connected
default-route-distance	0-255	1	Administrative distance for default route
use-peer-dns	yes/no	no	Accept DNS servers from ISP
max-mtu	integer	1460	Maximum Transmission Unit
max-mru	integer	1460	Maximum Receive Unit
keepalive-timeout	integer	60	LCP echo timeout in seconds
dial-on-demand	yes/no	no	Connect only when traffic detected
allow	enum	mschap2,mschap1,chap,pap	Permitted authentication methods
disabled	yes/no	yes	Whether client is disabled

Command Reference

Command	Description
/interface pppoe-client add	Create a new PPPoE client
/interface pppoe-client print	List all PPPoE clients with status
/interface pppoe-client monitor	Real-time monitoring of connection
/interface pppoe-client set	Modify existing client configuration
/interface pppoe-client remove	Delete a PPPoE client
/interface pppoe-client scan	Discover PPPoE servers on an interface
/interface pppoe-client enable	Enable a disabled client
/interface pppoe-client disable	Disable an active client

Summary

PPPoE Client enables authenticated WAN connections for DSL, fiber, and cable ISPs:

1. Prepare interface - Remove any IP addresses or DHCP client from WAN port
2. Create client with ISP credentials, add-default-route=yes, use-peer-dns=yes
3. Add NAT masquerade rule for the PPPoE interface (not the physical interface)
4. Verify with /interface pppoe-client monitor for status: connected

Key points:

• Modem/ONT must be in bridge mode (not router mode)
• Don’t configure IP on the physical interface - PPPoE creates its own interface
• PPPoE adds 8 bytes overhead (MTU typically 1492); enable MSS clamping for reliability
• Use scan to discover available PPPoE services on a network
• For v7.20+, keep keepalive-timeout set to a positive value (breaks MTU probing if disabled)
• For ISP-required VLANs, create VLAN interface first then run PPPoE on it