PPPoE Server: ISP Subscriber Access Configuration
TL;DR (Quick Start)
For the impatient: basic PPPoE server with one subscriber.
```
# Create IP pool for subscribers
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254

# Create PPP profile
/ppp profile add name=pppoe-profile local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8,8.8.4.4

# Add subscriber
/ppp secret add name=user1 password=pass123 service=pppoe profile=pppoe-profile

# Create PPPoE server on subscriber-facing interface
/interface pppoe-server server add interface=ether2 service-name=MyISP \
    default-profile=pppoe-profile disabled=no

# NAT for internet access
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=masquerade
```
Verify: /ppp active print shows connected subscribers.
Overview
What this does: A PPPoE server (Access Concentrator) authenticates subscribers and assigns IP addresses, enabling per-user management, bandwidth control, and accounting. PPPoE is widely used by ISPs and WISPs for subscriber access.
When to use this:
- Operating as an ISP or WISP
- Providing authenticated internet access to subscribers
- Managing per-subscriber bandwidth limits
- Tracking subscriber usage for billing
- Integrating with RADIUS for centralized management
Prerequisites:
- RouterOS 6.x or 7.x
- Dedicated interface(s) for subscriber connections
- IP address pool planned for subscribers
- Understanding of PPP architecture (profiles, secrets)
Critical
Do not assign an IP address to the PPPoE server interface. PPPoE operates at Layer 2 - the PPP tunnel handles IP addressing. Assigning an IP causes routing issues.
Architecture Overview
Key Components
| Component | Menu Path | Purpose |
|---|---|---|
| PPPoE Server | /interface pppoe-server server | Listens for subscriber connections |
| PPP Profile | /ppp profile | Defines session parameters (IP, DNS, limits) |
| PPP Secret | /ppp secret | Subscriber credentials (local auth) |
| IP Pool | /ip pool | Address range for subscribers |
| RADIUS | /radius + /ppp aaa | External authentication server |
Connection Flow
- Subscriber sends PADI (PPPoE Active Discovery Initiation)
- Server responds with PADO (Discovery Offer)
- Subscriber sends PADR (Discovery Request)
- Server responds with PADS (Session Confirmation)
- PPP session established with LCP negotiation
- Authentication (PAP/CHAP/MSCHAPv2)
- IPCP assigns IP address to subscriber
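The four discovery packets in the flow above, decoded in Python as an added example (not code from the original page or from MikroTik). The frame layout, packet codes and tag types follow RFC 2516; the MAC addresses, the `ac1` AC-Name and the Host-Uniq value are constructed.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq"}


def parse_discovery(frame: bytes) -> dict:
    """Decode one Ethernet frame that carries a PPPoE discovery packet."""
    # EtherType 0x8863 = discovery stage, 0x11 = PPPoE version 1 / type 1
    if len(frame) < 20 or frame[12:14] != b"\x88\x63" or frame[14] != 0x11:
        raise ValueError("not a PPPoE v1 discovery frame")
    code, session_id, length = struct.unpack("!BHH", frame[15:20])
    payload = frame[20:20 + length]  # bytes past `length` are Ethernet padding
    if len(payload) != length:
        raise ValueError("payload shorter than the PPPoE length field")
    tags, off = {}, 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > length:
            raise ValueError("tag value overruns the payload")
        if tag_type == 0x0000:  # End-Of-List
            break
        tags[TAGS.get(tag_type, hex(tag_type))] = payload[off:off + tag_len]
        off += tag_len
    return {"code": CODES.get(code, hex(code)), "src": frame[6:12].hex(":"),
            "dst": frame[0:6].hex(":"), "session_id": session_id, "tags": tags}


def build(dst, src, code, session_id, tags):
    """Assemble a discovery frame (only used to construct the sample below)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = b"\x88\x63" + struct.pack("!BBHH", 0x11, code, session_id, len(body))
    return dst + src + header + body


# Constructed sample: one subscriber, one access concentrator, service "MyISP".
SUB, AC, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("020000000001"), b"\xff" * 6
WANT = [(0x0101, b"MyISP"), (0x0103, b"\x01\x02")]  # Service-Name, Host-Uniq
SAMPLE = [build(BCAST, SUB, 0x09, 0, WANT),                       # PADI, broadcast
          build(SUB, AC, 0x07, 0, WANT + [(0x0102, b"ac1")]),     # PADO, unicast
          build(AC, SUB, 0x19, 0, WANT),                          # PADR
          build(SUB, AC, 0x65, 0x0001, WANT)]                     # PADS assigns the ID

if __name__ == "__main__":
    for f in SAMPLE:
        p = parse_discovery(f)
        print(p["code"], p["src"], "->", p["dst"], "session", p["session_id"], p["tags"])
```

Only the PADS carries a non-zero session ID; the PPP stages that follow (LCP, authentication, IPCP) use EtherType 0x8864 and are outside this parser.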
Configuration Steps
Step 1: Create IP Address Pool
Create a pool of addresses for subscriber assignment:
```
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
```
For larger deployments, use multiple ranges or pools:
```
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.255.254
```
Step 2: Create PPP Profile
The profile defines default settings for all subscribers using it:
```
/ppp profile add \
    name=pppoe-profile \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8,8.8.4.4 \
    change-tcp-mss=yes
```
Key profile properties:
| Property | Purpose |
|---|---|
| local-address | Router's address on PPP tunnels (gateway for subscribers) |
| remote-address | Pool name or specific IP for subscribers |
| dns-server | DNS servers pushed to subscribers |
| change-tcp-mss | Adjust TCP MSS to prevent fragmentation (recommended) |
| rate-limit | Bandwidth limit (upload/download) |
Step 3: Create Subscriber Accounts
Add users who can authenticate to your PPPoE server:
```
/ppp secret add \
    name=subscriber1 \
    password=SecurePass123 \
    service=pppoe \
    profile=pppoe-profile
```
For multiple subscribers:
```
/ppp secret add name=sub001 password=pass001 service=pppoe profile=pppoe-profile
/ppp secret add name=sub002 password=pass002 service=pppoe profile=pppoe-profile
/ppp secret add name=sub003 password=pass003 service=pppoe profile=pppoe-profile
```
Step 4: Create PPPoE Server
Bind the server to the subscriber-facing interface:
```
/interface pppoe-server server add \
    interface=ether2 \
    service-name=MyISP \
    default-profile=pppoe-profile \
    authentication=mschap2,mschap1,chap \
    one-session-per-host=yes \
    disabled=no
```
Key server properties:
| Property | Purpose |
|---|---|
| interface | Interface where subscribers connect |
| service-name | Name advertised to subscribers (can be blank) |
| default-profile | Profile applied to all connections |
| authentication | Allowed auth methods (avoid PAP for security) |
| one-session-per-host | Prevent multiple sessions from same MAC |
| max-sessions | Limit total connections (0 = unlimited) |
Step 5: Configure NAT
Enable NAT so subscribers can access the internet:
```
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 \
    out-interface=ether1-wan action=masquerade \
    comment="NAT for PPPoE subscribers"
```
Verification
Check Server Status
```
/interface pppoe-server server print
```
Expected Output:
```
Flags: X - disabled
 0   interface=ether2 service-name="MyISP" max-mtu=1480 max-mru=1480
     mrru=disabled authentication=chap,mschap1,mschap2
     keepalive-timeout=10 one-session-per-host=yes max-sessions=0
     default-profile=pppoe-profile
```
View Active Connections
```
/ppp active print
```
Expected Output:
```
Flags: R - RADIUS
 #   NAME         SERVICE  CALLER-ID          ADDRESS   UPTIME
 0   subscriber1  pppoe    AA:BB:CC:DD:EE:FF  10.0.0.2  1h23m45s
```
View Dynamic PPPoE Interfaces
```
/interface pppoe-server print
```
Shows all currently connected subscriber sessions with interface names.
Monitor Specific Session
```
/ppp active print stats
```
Shows bytes and packets transferred per session.
Common Scenarios
Scenario: Multiple Service Plans with Rate Limiting
Create different profiles for different bandwidth tiers:
```
# 10 Mbps plan
/ppp profile add name=plan-10m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=10M/10M

# 50 Mbps plan
/ppp profile add name=plan-50m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=50M/50M

# 100 Mbps plan
/ppp profile add name=plan-100m local-address=10.0.0.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=100M/100M
```
Assign subscribers to plans:
```
/ppp secret add name=basic-user password=pass service=pppoe profile=plan-10m
/ppp secret add name=premium-user password=pass service=pppoe profile=plan-50m
```
Rate-limit format: rx-rate/tx-rate where rx = subscriber upload, tx = subscriber download (from router's perspective).
Scenario: RADIUS Authentication
Use RADIUS for centralized subscriber management:
```
# Add RADIUS server
/radius add address=192.168.1.100 secret=RadiusSecret123 service=ppp

# Enable RADIUS for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# Create profile (RADIUS overrides these settings)
/ppp profile add name=radius-profile local-address=10.0.0.1 \
    remote-address=pppoe-pool change-tcp-mss=yes

# Create server using RADIUS profile
/interface pppoe-server server add interface=ether2 service-name=ISP \
    default-profile=radius-profile disabled=no
```
Scenario: PPPoE Server on VLAN
Serve subscribers on a specific VLAN:
```
# Create VLAN interface
/interface vlan add name=vlan100-subscribers vlan-id=100 interface=ether2

# Bind PPPoE server to VLAN
/interface pppoe-server server add interface=vlan100-subscribers \
    service-name=ISP default-profile=pppoe-profile disabled=no
```
Scenario: PPPoE Over Multiple VLANs
Serve PPPoE across a range of VLANs without creating individual interfaces:
```
/interface pppoe-server server add interface=bridge1 \
    service-name=MultiVLAN-ISP \
    default-profile=pppoe-profile \
    pppoe-over-vlan-range=100-150 \
    disabled=no
```
VLAN Conflict
Do not create VLAN interfaces with IDs that overlap with pppoe-over-vlan-range. The PPPoE server manages these VLANs internally.
Scenario: PPPoE Server on Bridge
For subscribers connecting through multiple physical ports:
```
# Create bridge for subscriber ports
/interface bridge add name=bridge-subscribers

# Add subscriber-facing ports
/interface bridge port add bridge=bridge-subscribers interface=ether2
/interface bridge port add bridge=bridge-subscribers interface=ether3
/interface bridge port add bridge=bridge-subscribers interface=ether4

# Bind PPPoE server to bridge
/interface pppoe-server server add interface=bridge-subscribers \
    service-name=ISP default-profile=pppoe-profile disabled=no
```
Scenario: Static IP for Specific Subscriber
Assign a fixed IP to a subscriber (bypassing the pool):
```
/ppp secret add name=static-user password=pass service=pppoe \
    profile=pppoe-profile remote-address=10.0.0.100
```
The remote-address in the secret overrides the profile's pool.
Scenario: On-Up/On-Down Scripts
Execute scripts when subscribers connect/disconnect:
```
/ppp profile set pppoe-profile on-up="/log info \"User \$user connected from \$caller-id\""
/ppp profile set pppoe-profile on-down="/log info \"User \$user disconnected\""
```
Available script variables: $user, $local-address, $remote-address, $caller-id, $interface
MTU Considerations
PPPoE adds 8 bytes overhead (6 PPPoE + 2 PPP), reducing effective MTU from 1500 to 1492 bytes.
| Scenario | Physical MTU | PPPoE MTU | Notes |
|---|---|---|---|
| Standard | 1500 | 1492 | Default, may cause fragmentation |
| Baby Jumbo | 1508 | 1500 | Recommended - eliminates fragmentation |
| VLAN Tagged | 1504 | 1492 | Additional 4 bytes for VLAN tag |
Configure Baby Jumbo (Recommended)
If your network supports it, use baby jumbo frames:
```
# Set physical interface MTU
/interface ethernet set ether2 mtu=1508 l2mtu=1508

# Server will negotiate 1500 MTU with clients
/interface pppoe-server server set 0 max-mtu=1500 max-mru=1500
```
TCP MSS Clamping
Ensure TCP sessions don't exceed MTU (already handled by change-tcp-mss=yes in profile):
```
# Additional mangle rule for extra reliability
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```
Troubleshooting
Problem: Subscribers Can't Connect
| Symptom | Cause | Solution |
|---|---|---|
| No PADO response | Server disabled or wrong interface | Check /interface pppoe-server server print for X flag |
| "No PPPoE server" | Service-name mismatch | Set service-name="" to accept any |
| Auth failed | Wrong credentials | Verify /ppp secret print |
| "RADIUS timeout" | RADIUS unreachable | Check /radius print, verify connectivity |
Enable debug logging:
```
/system logging add topics=pppoe,ppp,debug action=memory
/log print where topics~"ppp"
```
Problem: Connection Loop (Connect → Disconnect)
| Symptom | Cause | Solution |
|---|---|---|
| Cycles repeatedly | MTU mismatch | Set physical interface MTU to 1492 or 1508 |
| Authenticates then drops | Profile misconfiguration | Check pool exists, local-address valid |
| Works briefly then dies | Keepalive timeout | Adjust keepalive-timeout |
Problem: Connected But No Internet
| Check | Command | Solution |
|---|---|---|
| NAT configured | /ip firewall nat print | Add masquerade rule |
| Route exists | /ip route print | Verify PPPoE subnet routed |
| DNS working | /ip dns print | Verify DNS servers in profile |
| Firewall blocking | /ip firewall filter print | Allow PPPoE interface in forward chain |
Problem: RADIUS Authentication Issues
| Symptom | Cause | Solution |
|---|---|---|
| "Access denied" | Shared secret mismatch | Verify RADIUS secret |
| Timeout | RADIUS unreachable | Check firewall, UDP 1812/1813 |
| Auth OK but disconnects | Profile/attribute mismatch | Check RADIUS attributes match RouterOS |
```
# Check RADIUS status
/radius print

# Monitor RADIUS requests
/radius monitor 0
```
Common Mistakes
- Assigning IP to PPPoE interface - Don't do it. PPP handles addressing.
- Using PAP authentication - Sends passwords in cleartext. Use CHAP/MSCHAPv2.
- Forgetting NAT - Subscribers won't reach internet without masquerade.
- MTU issues - Most "partial page loads" are MTU problems. Use baby jumbo or MSS clamping.
Security Considerations
Disable PAP Authentication
PAP sends passwords in cleartext:
```
/interface pppoe-server server set 0 authentication=mschap2,mschap1,chap
```
Limit Sessions Per Host
Prevent credential sharing:
```
/interface pppoe-server server set 0 one-session-per-host=yes
```
Limit Maximum Sessions
Prevent resource exhaustion:
```
/interface pppoe-server server set 0 max-sessions=500
```
Firewall for Subscriber Traffic
Control what subscribers can access:
```
# Add PPPoE interface list
/interface list add name=pppoe-clients

# Auto-add PPPoE interfaces to list (use profile)
/ppp profile set pppoe-profile interface-list=pppoe-clients

# Apply firewall rules
/ip firewall filter add chain=forward in-interface-list=pppoe-clients \
    connection-state=established,related action=accept
# Drop only traffic that enters and leaves through subscriber sessions;
# without out-interface-list this rule would also drop new connections to the internet
/ip firewall filter add chain=forward in-interface-list=pppoe-clients \
    out-interface-list=pppoe-clients action=drop comment="Block inter-subscriber traffic"
```
Properties Reference
PPPoE Server Properties
| Property | Type | Default | Description |
|---|---|---|---|
| interface | string | - | Subscriber-facing interface (required) |
| service-name | string | "" | Name advertised to clients (blank = accept all) |
| default-profile | string | default | PPP profile for connections |
| authentication | enum | mschap2,mschap1,chap,pap | Allowed auth methods |
| max-mtu | integer | 1480 | Maximum transmission unit |
| max-mru | integer | 1480 | Maximum receive unit |
| keepalive-timeout | time | 10 | LCP echo timeout |
| one-session-per-host | yes/no | no | One session per MAC address |
| max-sessions | integer | 0 | Session limit (0 = unlimited) |
| pppoe-over-vlan-range | ranges | - | VLAN IDs to serve PPPoE |
| disabled | yes/no | yes | Enable/disable server |
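A server added without an explicit `authentication`, `one-session-per-host` or `max-sessions` gets the defaults in the table above, which include PAP. The following added Python example (not part of the original page or of RouterOS) applies those defaults to `/interface pppoe-server server add` commands, typed in full or in `/export` layout, and reports what the Security Considerations section would change. `audit_pppoe_servers` is a hypothetical helper name and the sample configuration is constructed from commands shown on this page.

```python
import shlex

MENU = "/interface pppoe-server server"
# Defaults as listed in the PPPoE Server Properties table on this page.
DEFAULTS = {"authentication": "mschap2,mschap1,chap,pap",
            "one-session-per-host": "no", "max-sessions": "0"}


def audit_pppoe_servers(config: str) -> dict:
    """Return {interface: [findings]} for every PPPoE server added in `config`."""
    report, in_menu = {}, False
    for line in config.replace("\\\n", " ").splitlines():  # fold "\" continuations
        line = line.strip()
        if line.startswith("/"):  # a full path selects a menu or runs a command in it
            in_menu = line.startswith(MENU)
            line = line[len(MENU):].strip() if in_menu else ""
        if not in_menu or not line.startswith("add "):
            continue
        props = dict(DEFAULTS)  # anything not set explicitly keeps its default
        for token in shlex.split(line[4:]):
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        findings = []
        if "pap" in props["authentication"].split(","):
            findings.append("PAP allowed (cleartext passwords)")
        if props["one-session-per-host"] != "yes":
            findings.append("multiple sessions per MAC allowed")
        if props["max-sessions"] == "0":
            findings.append("no session cap")
        report[props.get("interface", "?")] = findings
    return report


# Constructed sample: the TL;DR server as typed, then a hardened one in /export layout.
SAMPLE_CONFIG = r"""
/interface pppoe-server server add interface=ether2 service-name=MyISP \
    default-profile=pppoe-profile disabled=no
/interface pppoe-server server
add interface=vlan100-subscribers service-name=ISP default-profile=pppoe-profile \
    authentication=mschap2,mschap1,chap one-session-per-host=yes max-sessions=500 \
    disabled=no
"""

if __name__ == "__main__":
    for iface, findings in audit_pppoe_servers(SAMPLE_CONFIG).items():
        print(iface, findings or "ok")
```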
PPP Profile Properties (Key Subset)
| Property | Type | Default | Description |
|---|---|---|---|
| local-address | IP/pool | - | Router's tunnel address |
| remote-address | IP/pool | - | Client's assigned address |
| dns-server | IP list | - | DNS servers for clients |
| rate-limit | string | - | Bandwidth limit (rx/tx) |
| change-tcp-mss | yes/no | no | Adjust TCP MSS |
| only-one | yes/no | no | Single session per user |
| interface-list | string | - | Add sessions to interface list |
| on-up | script | - | Script on connect |
| on-down | script | - | Script on disconnect |
Related Topics
Prerequisites
- IP Pool - Address pool configuration
- Bridge Configuration - Bridge for multiple ports
Authentication
- RADIUS - Centralized authentication
- User Manager - Built-in RADIUS server
Bandwidth Management
- Simple Queues - Per-user limits
- Queue Tree - Advanced QoS
Related PPP
- PPPoE Client - Connecting to ISPs
- L2TP VPN Server - VPN with L2TP
Reference
- MikroTik PPPoE Documentation
- PPP AAA
- PPP Profiles
- RFC 2516 - PPPoE Protocol