# ISP Subscriber Management

## Summary

RouterOS is widely deployed as a broadband access concentrator (BRAS/BNG) for ISP subscriber delivery. The typical architecture uses:
- PPPoE or DHCP for subscriber access
- RADIUS for centralized authentication, authorization, and accounting (AAA)
- IP pools for dynamic address assignment
- Mikrotik-Rate-Limit VSA or PCQ queues for per-subscriber bandwidth enforcement
This guide covers the end-to-end configuration for both PPPoE and DHCP subscriber models.
## Architecture Overview

```
Subscriber CPE
      │ PPPoE / DHCP
      ▼
RouterOS (BNG/BRAS)
  ├── /interface pppoe-server or /ip dhcp-server
  ├── /radius → AAA server
  ├── /ip pool (address pools)
  └── /queue (bandwidth enforcement)
      │
      ▼
RADIUS Server (FreeRADIUS, Radiusd, etc.)
  ├── Authentication database
  ├── Returns: Framed-IP-Address / Framed-Pool
  ├── Returns: Mikrotik-Rate-Limit
  └── Accounting: Start / Interim / Stop
```

## PPPoE Subscriber Model

### Step 1 — Create Address Pools

```
/ip pool
add name=pppoe-standard ranges=100.64.0.2-100.64.0.254
add name=pppoe-premium ranges=100.64.1.2-100.64.1.254
add name=pppoe-business ranges=100.64.2.2-100.64.2.30
```

### Step 2 — Configure PPP Profiles
Profiles set defaults; RADIUS attributes override them per-subscriber:

```
/ppp profile
add name=isp-standard \
    local-address=100.64.0.1 \
    remote-address=pppoe-standard \
    dns-server=8.8.8.8,8.8.4.4 \
    use-compression=no \
    use-encryption=no
add name=isp-premium \
    local-address=100.64.1.1 \
    remote-address=pppoe-premium \
    dns-server=8.8.8.8,8.8.4.4
```

### Step 3 — Add RADIUS Server
```
/radius
add address=10.10.0.5 \
    secret=ISPSecret \
    service=ppp \
    authentication-port=1812 \
    accounting-port=1813
```

### Step 4 — Enable RADIUS AAA for PPP
```
/ppp aaa
set use-radius=yes \
    accounting=yes \
    interim-update=5m
```

### Step 5 — Create PPPoE Server
```
/interface pppoe-server server
add interface=ether1 \
    service-name=isp \
    default-profile=isp-standard \
    authentication=chap,mschap2 \
    one-session-per-host=yes \
    disabled=no
```

`one-session-per-host=yes` prevents MAC address spoofing from generating duplicate sessions.
### Step 6 — Enable CoA/Disconnect

```
/radius incoming
set accept=yes port=3799
```

## DHCP Subscriber Model
For cable or fixed-line deployments using DHCP instead of PPPoE:

```
/ip pool
add name=dhcp-subscribers ranges=10.20.0.2-10.20.255.254

/ip dhcp-server
add name=subscriber-dhcp \
    interface=bridge-subs \
    address-pool=dhcp-subscribers \
    use-radius=yes \
    accounting=yes \
    interim-update=5m \
    lease-time=1d

/ip dhcp-server network
add address=10.20.0.0/16 \
    gateway=10.20.0.1 \
    dns-server=8.8.8.8

/radius
add address=10.10.0.5 \
    secret=ISPSecret \
    service=dhcp \
    authentication-port=1812 \
    accounting-port=1813
```

## Per-Subscriber Bandwidth Enforcement
### Method 1 — Mikrotik-Rate-Limit VSA (Recommended)

The Mikrotik-Rate-Limit vendor-specific attribute (VSA) is the simplest method. The RADIUS server returns this attribute in Access-Accept and RouterOS automatically creates a simple queue for the subscriber.
Attribute format:
```
Mikrotik-Rate-Limit = "rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]]"
```

All rates are in bits per second. Suffixes: k = kbps, M = Mbps, G = Gbps. `rx` is the direction received by the router (subscriber upload) and `tx` is the direction sent to the subscriber (download); a value without a `/` applies to both directions.
Common examples:
```
# 20 Mbps down / 5 Mbps up: rx (upload) comes first, tx (download) second
Mikrotik-Rate-Limit = "5M/20M"

# 100M down / 20M up with burst: burst to 150M down / 30M up for at most 10 seconds
# while the average rate is below the 10M down / 5M up threshold
Mikrotik-Rate-Limit = "20M/100M 30M/150M 5M/10M 10s"

# 1 Gbps symmetrical (tx defaults to rx when omitted)
Mikrotik-Rate-Limit = "1G"
```

RouterOS applies this as a per-PPP-session simple queue, visible in `/queue simple`.
Note: Mikrotik-Rate-Limit for DHCPv6 bindings requires RouterOS v6.43 or later.
### Method 2 — PCQ Queues (Shared Fairness)

Per-Connection Queuing (PCQ) provides automatic fair-share distribution across subscribers without per-subscriber configuration. Useful for managed contention rather than individual rate limits.

```
/queue type
add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=10M pcq-limit=50KiB
add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=2M pcq-limit=50KiB

/queue tree
add name=download parent=global packet-mark=subs-down queue=pcq-download
add name=upload parent=global packet-mark=subs-up queue=pcq-upload
```

Classify traffic with mangle before it reaches the queue tree:

```
/ip firewall mangle
add chain=forward src-address=100.64.0.0/10 action=mark-packet new-packet-mark=subs-up passthrough=no
add chain=forward dst-address=100.64.0.0/10 action=mark-packet new-packet-mark=subs-down passthrough=no
```

### Method 3 — Queue Tree per Subscriber (Advanced)
For maximum control, dynamically build queue-tree entries via scripts triggered on PPP login/logout. This is appropriate for large deployments where Mikrotik-Rate-Limit simple queues degrade performance.

Use PPP event scripts (on-up/on-down in the PPP profile):

```
/ppp profile
set isp-standard \
    on-up="/queue tree add name=$user parent=global limit-at=$\"rate-limit\" max-limit=$\"rate-limit\"" \
    on-down="/queue tree remove [find name=$user]"
```

## RADIUS Attributes Reference for ISP Use
| Attribute | Direction | Effect on RouterOS |
|---|---|---|
| Framed-IP-Address | Access-Accept | Assign specific IP to subscriber |
| Framed-Pool | Access-Accept | Allocate from named local /ip pool |
| Mikrotik-Rate-Limit | Access-Accept | Set upload/download rate (simple queue) |
| Session-Timeout | Access-Accept | Force disconnect after N seconds |
| Idle-Timeout | Access-Accept | Disconnect after N seconds of inactivity |
| Mikrotik-Recv-Limit | Access-Accept | Total download byte cap for session |
| Mikrotik-Xmit-Limit | Access-Accept | Total upload byte cap for session |
| Ascend-Data-Rate | Access-Accept | Alternative rate-limit (upstream compat) |
| Acct-Session-Id | Accounting | Session correlation identifier |
| Acct-Input-Octets | Accounting | Bytes received by subscriber |
| Acct-Output-Octets | Accounting | Bytes sent by subscriber |
## Monitoring Active Subscribers

```
# All active PPPoE sessions
/ppp active print

# Sessions with address and service details
/ppp active print detail

# Count active sessions
/ppp active print count-only

# Active DHCP leases (RADIUS-authenticated)
/ip dhcp-server lease print where radius=yes
```

## Troubleshooting
### Subscriber authenticates but no rate limit applied

Verify Mikrotik-Rate-Limit is in the Access-Accept (check RADIUS server logs). Confirm the attribute uses correct syntax — a malformed value is silently ignored. Check `/queue simple` to see if RouterOS created a queue entry.
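The Mikrotik-Rate-Limit grammar from Method 1 as a parser, added here as an example (not RouterOS or any RADIUS server's code): because RouterOS silently ignores a malformed value, validating the attribute on the RADIUS side before it goes into an Access-Accept catches the typo behind a missing queue. The dict field names and the `is_valid_rate_limit` helper are my own.

```python
import re
# Grammar from the Mikrotik-Rate-Limit format above; rx is the subscriber's
# upload (received by the router), tx is the download, all rates in bits/s.
UNITS = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
FIELDS = ("rate", "burst_rate", "burst_threshold", "burst_time", "priority", "rate_min")

def _rate(tok):
    # '20M' -> 20_000_000; anything else is a syntax error
    m = re.fullmatch(r"(\d+)([kMG]?)", tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def _secs(tok):
    # burst-time is in seconds, written '10s' or '10'
    m = re.fullmatch(r"(\d+)s?", tok)
    if not m:
        raise ValueError(f"bad burst-time {tok!r}")
    return int(m.group(1))

def _pair(tok, conv):
    # 'rx/tx' -> (rx, tx); a bare 'rx' means tx = rx (as in "1G")
    parts = tok.split("/")
    if len(parts) > 2 or "" in parts:
        raise ValueError(f"bad rx/tx pair {tok!r}")
    rx = conv(parts[0])
    return rx, (conv(parts[1]) if len(parts) == 2 else rx)

def parse_rate_limit(value):
    """Return the attribute's fields as a dict, or raise ValueError if malformed."""
    toks = value.split()
    if not 1 <= len(toks) <= len(FIELDS):
        raise ValueError("expected 1 to 6 space-separated fields")
    out = {}
    for name, tok in zip(FIELDS, toks):
        if name == "priority":
            out[name] = int(tok)  # ValueError on anything non-numeric
            if not 1 <= out[name] <= 8:
                raise ValueError("priority must be 1..8")
        else:
            out[name] = _pair(tok, _secs if name == "burst_time" else _rate)
    return out

def is_valid_rate_limit(value):
    # RouterOS ignores a malformed value instead of rejecting it, so pre-check here
    try:
        parse_rate_limit(value)
        return True
    except ValueError:
        return False
```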
### Pool exhausted — new subscribers get no IP

```
/ip pool print
/ip pool used print
```

Add ranges to the pool or configure next-pool for overflow. Consider whether stale sessions are holding leases.
### Old sessions not disconnecting

Use Disconnect-Message from RADIUS to force termination:

```
# Verify incoming CoA is enabled
/radius incoming print
```

### High CPU with many subscribers
Simple queues created by Mikrotik-Rate-Limit are processed in order and can become a bottleneck above ~1000 concurrent sessions. Consider PCQ or queue-tree approaches, or upgrade to CCR hardware with multi-core queue processing.
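For the stale-session and pool-exhaustion items above, an added example (not RouterOS's or any RADIUS server's code) that reads accounting records on the RADIUS side and lists sessions that stopped sending Interim-Updates without a Stop, which is what leaves pool addresses held; the sample records, the `Timestamp` field and the three-missed-updates threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

INTERIM = timedelta(minutes=5)  # matches interim-update=5m in /ppp aaa above
MISSED = 3                      # assumption: 3 missed interims means the session is dead

# Constructed sample of an accounting log (attribute names as in the table above;
# 'Timestamp' is added by the accounting server on receipt).
SAMPLE = [
    {"Acct-Status-Type": "Start", "User-Name": "sub-0001", "Acct-Session-Id": "8100000a",
     "Framed-IP-Address": "100.64.0.17", "Timestamp": "2024-05-01 08:00:00"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "sub-0001", "Acct-Session-Id": "8100000a",
     "Framed-IP-Address": "100.64.0.17", "Timestamp": "2024-05-01 08:05:00"},
    {"Acct-Status-Type": "Start", "User-Name": "sub-0002", "Acct-Session-Id": "8100000b",
     "Framed-IP-Address": "100.64.0.18", "Timestamp": "2024-05-01 08:00:00"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "sub-0002", "Acct-Session-Id": "8100000b",
     "Framed-IP-Address": "100.64.0.18", "Timestamp": "2024-05-01 08:55:00"},
    {"Acct-Status-Type": "Start", "User-Name": "sub-0003", "Acct-Session-Id": "8100000c",
     "Framed-IP-Address": "100.64.0.19", "Timestamp": "2024-05-01 08:10:00"},
    {"Acct-Status-Type": "Stop", "User-Name": "sub-0003", "Acct-Session-Id": "8100000c",
     "Framed-IP-Address": "100.64.0.19", "Timestamp": "2024-05-01 08:30:00"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def stale_sessions(records, now, interim=INTERIM, missed=MISSED):
    """Sessions with no Stop whose last Start/Interim is older than missed*interim."""
    latest = {}  # Acct-Session-Id -> most recent record for that session
    for r in sorted(records, key=lambda r: _ts(r["Timestamp"])):
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Stop":
            latest.pop(sid, None)  # closed cleanly, address returns to the pool
        else:
            latest[sid] = r        # Start / Interim-Update keeps the session open
    deadline = now - interim * missed
    return [
        {"User-Name": r["User-Name"], "Acct-Session-Id": sid,
         "Framed-IP-Address": r["Framed-IP-Address"],      # pool address still held
         "silent_for": now - _ts(r["Timestamp"])}
        for sid, r in latest.items() if _ts(r["Timestamp"]) < deadline
    ]

def disconnect_targets(stale):
    """(User-Name, Acct-Session-Id) pairs to identify each session in a Disconnect-Request."""
    return [(s["User-Name"], s["Acct-Session-Id"]) for s in stale]

def demo(now_text="2024-05-01 09:00:00"):
    # Run the check over SAMPLE at a fixed 'now' (string form so callers need no datetime)
    return stale_sessions(SAMPLE, _ts(now_text))
```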
## Related Documentation

- RADIUS Client — RADIUS server setup
- RADIUS Dynamic Address Assignment — Framed-IP-Address and Framed-Pool detail
- RADIUS Accounting and CoA — Accounting, interim updates, CoA, Disconnect Messages
- IP Pools — Pool creation and management