PPPoE Client
RouterOS can operate as a PPPoE client, connecting to an ISP’s Broadband Remote Access Server (BRAS) over any Ethernet-type interface. This is the typical configuration for home routers, CPE devices, and branch-office gateways on DSL, GPON fiber, or Ethernet-based broadband services.
The PPPoE client negotiates credentials and IP addressing over the WAN link, then presents a routable pppoe-outN interface to the rest of the router where routing, NAT, and firewall rules apply as normal.
Summary

| Feature | Value |
|---|---|
| Sub-menu | /interface pppoe-client |
| Monitor | /interface pppoe-client monitor |
| Authentication | PAP, CHAP, MS-CHAPv1, MS-CHAPv2 |
| Address assignment | From ISP IPCP (dynamic) or static override |
| Default route | Optional — add-default-route=yes |
| DNS | Optional — use-peer-dns=yes |
| Available since | RouterOS v2.9 |
How PPPoE Client Works

Discovery and Session Phases

When the PPPoE client interface is enabled, RouterOS initiates the standard two-phase PPPoE handshake:
- Discovery phase — RouterOS broadcasts a PADI on the WAN interface. The ISP BRAS responds with a PADO, RouterOS sends a PADR selecting the concentrator, and the BRAS confirms with a PADS containing the session ID.
- Session phase — PPP negotiation begins over the established session. LCP negotiates MTU/MRU and authentication method. The chosen protocol (CHAP, MS-CHAPv2, etc.) authenticates the subscriber credentials. IPCP assigns the client’s IP address, default gateway, and DNS servers.

```
RouterOS (CPE)                                   ISP BRAS
  │──── PADI (broadcast) ─────────────────────────▶│
  │◀─── PADO (AC-Name, service-name) ──────────────│
  │──── PADR (select AC) ─────────────────────────▶│
  │◀─── PADS (session-id) ─────────────────────────│
  │                                                │
  │══════════ PPP (LCP → Auth → IPCP) ═════════════│
  │◀─── IP address + gateway + DNS (via IPCP) ─────│
```

Interface Model

A PPPoE client creates a named pppoe-outN interface (user-defined name). When connected, the interface has an assigned IP address and is visible in /interface print. All routing, firewall, NAT, and queue rules referencing this interface apply once the session is established.
The underlying physical interface (e.g., ether1) carries raw Ethernet frames; the PPPoE session is layered on top. The physical interface itself does not carry IP traffic — all routed traffic flows through the pppoe-outN interface.
Configuration

Basic Setup

The minimum required configuration is the physical interface, ISP username, and password:

```
/interface pppoe-client
add name=pppoe-out1 \
    interface=ether1 \
    user=ispuser \
    password=isppassword \
    add-default-route=yes \
    use-peer-dns=yes \
    disabled=no
```

| Parameter | Description |
|---|---|
| name | Logical name for this PPPoE client interface |
| interface | Physical (or VLAN) interface connected to the ISP |
| user | PPP username provided by the ISP |
| password | PPP password provided by the ISP |
| add-default-route | Automatically install a default route via the PPPoE gateway when connected |
| use-peer-dns | Accept DNS server addresses pushed by the ISP via IPCP |
| disabled | Set to no to enable the client immediately |
Authentication Methods

By default, RouterOS negotiates the best authentication method supported by both sides. To restrict to specific methods:

```
/interface pppoe-client
set pppoe-out1 allow=chap,mschap2
```

| Value | Protocol |
|---|---|
| pap | Password Authentication Protocol (plaintext — avoid if possible) |
| chap | Challenge Handshake Authentication Protocol |
| mschap1 | Microsoft CHAP version 1 |
| mschap2 | Microsoft CHAP version 2 (most common on modern ISPs) |
Most ISPs require MS-CHAPv2. If the connection fails with authentication failed, check that the ISP’s required method is included in allow=.
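
An added example, not part of the RouterOS documentation: a Python check over a configuration export that reports which PPPoE clients can still negotiate PAP. The export text is constructed, and treating a missing allow= as "all four methods permitted" is an assumption.

```python
import shlex

# Assumption: an entry exported without allow= permits all four methods,
# matching the page's "negotiates the best method supported by both sides".
DEFAULT_ALLOW = ["pap", "chap", "mschap1", "mschap2"]

# Constructed sample export; names and credentials are placeholders.
SAMPLE_EXPORT = r"""
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=ispuser \
    password=isppassword allow=chap,mschap2 disabled=no
add name=pppoe-wan2 interface=ether2 user=user2 password=pass2 disabled=no
add name=pppoe-lab interface=ether3 user=user3 password=pass3 allow=pap,chap
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="NAT to WAN"
"""

def logical_lines(text):
    """Yield export lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        if buf or line:
            yield buf + line
        buf = ""

def audit_pppoe_auth(export_text):
    """Map each pppoe-client name to a PAP finding, or None if PAP is excluded."""
    results, menu = {}, None
    for line in logical_lines(export_text):
        if line.startswith("/"):
            menu = line  # remember which sub-menu the following add lines belong to
            continue
        if menu != "/interface pppoe-client" or not line.startswith("add "):
            continue
        params = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
        explicit = "allow" in params
        allowed = params["allow"].split(",") if explicit else DEFAULT_ALLOW
        if "pap" not in allowed:
            results[params["name"]] = None
        elif explicit:
            results[params["name"]] = "pap listed in allow="
        else:
            results[params["name"]] = "no allow= set, pap permitted by default"
    return results
```

The result contains only interface names and findings, so it can be pasted into a ticket without exposing the PPP password from the export.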
MTU, MRU, and TCP MSS

PPPoE adds an 8-byte header to each Ethernet frame. On a standard 1500-byte Ethernet path, this leaves 1492 bytes for the PPP payload, yielding a PPPoE MTU of 1480 bytes (1492 minus the 12-byte PPP/HDLC headers).

```
/interface pppoe-client
set pppoe-out1 max-mtu=1480 max-mru=1480
```

To prevent fragmentation of TCP sessions (PMTUD black holes), clamp TCP MSS on traffic entering the PPPoE interface:

```
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn \
    in-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu \
    comment="Clamp TCP MSS for PPPoE WAN"
add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu \
    comment="Clamp TCP MSS for PPPoE WAN (outbound)"
```

Alternatively, enable MSS clamping in the PPP profile applied to this client:

```
/ppp profile
set default change-tcp-mss=yes
```

ISP-Specific Service and AC Names

Some ISPs require the client to specify a particular Access Concentrator (AC) name or service name. Use /interface pppoe-client scan to discover what the ISP is advertising before committing to a configuration:

```
/interface pppoe-client scan ether1
```

This displays the AC names and service names offered by concentrators visible on the interface. Then bind to the specific values:

```
/interface pppoe-client
set pppoe-out1 ac-name=isp-bras-01 service-name=broadband
```

If the ISP does not enforce these values, leave them empty (default) to accept any AC and service name.
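
An added example, not part of the RouterOS documentation: a Python parser for the PPPoE discovery payload (EtherType 0x8863, RFC 2516) that reads the AC-Name and Service-Name tags a PADO carries and checks them against pinned values, which is the comparison ac-name= and service-name= ask the client to make. The frames are constructed from the page's example values, and the function names are illustrative.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102

def build_discovery(code, session_id, tags):
    """Build a PPPoE discovery payload (used here only to construct samples)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body

def parse_discovery(payload):
    """Parse the payload of an EtherType 0x8863 frame into (code, session, tags)."""
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    vt, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11:
        raise ValueError("unexpected PPPoE version/type")
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("length field exceeds captured payload")
    tags, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag length overruns packet")
        if tag_type == 0x0000:  # End-Of-List tag
            break
        tags.append((tag_type, value))
        off += 4 + tag_len
    return CODES.get(code, hex(code)), session_id, tags

def offer_matches(payload, ac_name, service_name):
    """True if a PADO advertises both the pinned AC name and service name."""
    code, _, tags = parse_discovery(payload)
    if code != "PADO":
        return False
    acs = [v.decode("utf-8", "replace") for t, v in tags if t == TAG_AC_NAME]
    svcs = [v.decode("utf-8", "replace") for t, v in tags if t == TAG_SERVICE_NAME]
    return ac_name in acs and service_name in svcs

# Constructed sample offers; isp-bras-01 / broadband are the page's example values.
EXPECTED = build_discovery(
    0x07, 0, [(TAG_AC_NAME, b"isp-bras-01"), (TAG_SERVICE_NAME, b"broadband")])
UNEXPECTED = build_discovery(
    0x07, 0, [(TAG_AC_NAME, b"unknown-ac"), (TAG_SERVICE_NAME, b"broadband")])
```

With both values pinned, only the first constructed offer would be selected; with them left empty, either would be.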
VLAN-Tagged PPPoE (Fiber/ONT)

Many fiber ISPs deliver PPPoE over a VLAN-tagged interface (e.g., VLAN 10 for internet, VLAN 20 for IPTV). Create a VLAN subinterface first, then bind the PPPoE client to it:

```
/interface vlan
add name=vlan-wan interface=ether1 vlan-id=10

/interface pppoe-client
add name=pppoe-out1 interface=vlan-wan \
    user=ispuser password=isppassword \
    add-default-route=yes use-peer-dns=yes \
    disabled=no
```

Keepalive and Dial-on-Demand

```
/interface pppoe-client
set pppoe-out1 keepalive-timeout=30 dial-on-demand=no
```

| Parameter | Description |
|---|---|
| keepalive-timeout | Seconds without an LCP echo reply before the session is torn down and re-dialled (default: 60) |
| dial-on-demand | If yes, the session is only established when outbound traffic is present; otherwise it connects immediately and stays up persistently |
For always-on internet connections, keep dial-on-demand=no. Use dial-on-demand=yes only for backup links that should not generate unnecessary uptime.
Default Route and DNS Handling

Automatic Default Route

When add-default-route=yes, RouterOS installs a 0.0.0.0/0 route pointing at the PPPoE gateway as soon as the session is established. The route is removed when the session drops.

If you manage routes manually (for dual-WAN or policy routing), set add-default-route=no and install routes explicitly:

```
/interface pppoe-client
set pppoe-out1 add-default-route=no

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping
```

Peer DNS

When use-peer-dns=yes, RouterOS updates /ip dns with the DNS servers pushed by the ISP via IPCP. To use static DNS servers regardless:

```
/interface pppoe-client
set pppoe-out1 use-peer-dns=no

/ip dns
set servers=9.9.9.9,1.1.1.1
```

NAT for Internet Access

For a simple home/branch setup where LAN clients share the ISP-assigned IP:

```
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="NAT LAN traffic to PPPoE WAN"
```

Dual-WAN Failover

RouterOS supports multiple PPPoE client interfaces for active/standby (or load-balanced) WAN configurations. Disable automatic default-route on both clients and manage routing distance manually:

```
/interface pppoe-client
add name=pppoe-wan1 interface=ether1 user=user1 password=pass1 \
    add-default-route=no use-peer-dns=no disabled=no
add name=pppoe-wan2 interface=ether2 user=user2 password=pass2 \
    add-default-route=no use-peer-dns=no disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 distance=2 check-gateway=ping
```

With check-gateway=ping, RouterOS pings the PPPoE gateway on each route. If the primary gateway stops responding, RouterOS automatically promotes the secondary route.
Add NAT rules for both WAN interfaces:

```
/ip firewall nat
add chain=srcnat out-interface=pppoe-wan1 action=masquerade
add chain=srcnat out-interface=pppoe-wan2 action=masquerade
```

Monitoring

Check Connection Status

```
/interface pppoe-client monitor pppoe-out1
```

Output includes:

| Field | Description |
|---|---|
| status | connected, disconnected, or connecting |
| uptime | Duration of the current session |
| local-address | IP address assigned by the ISP |
| remote-address | IP address of the ISP gateway |
| encoding | PPP compression/encryption negotiated (typically none) |

Detailed Interface View

```
/interface pppoe-client print detail
```

Shows all configured parameters alongside runtime state.

Watch Interface State

```
/interface print detail where name=pppoe-out1
```

Troubleshooting

Enable Debug Logging

```
/system logging
add topics=pppoe,debug action=memory
add topics=ppp,debug action=memory
```

Then watch logs:

```
/log print follow where topics~"pppoe"
```

Common Issues

| Symptom | Likely Cause | Fix |
|---|---|---|
| Status stuck at connecting | Wrong interface=, ISP BRAS unreachable, or VLAN mismatch | Verify physical cable, VLAN ID, and use scan to confirm BRAS is visible |
| authentication failed | Wrong username/password, or auth method rejected | Confirm credentials with ISP; check allow= includes ISP-required method |
| Connected but no internet | Default route not installed, or NAT missing | Check /ip route print for 0.0.0.0/0; verify masquerade rule on pppoe-out1 |
| Session drops every 30–60 seconds | LCP keepalive timeout | Check link stability; increase keepalive-timeout or investigate L2 path |
| Large downloads stall or fail | MTU/MSS mismatch | Verify max-mtu=1480; add TCP MSS clamp mangle rules |
| Can ping IP but not hostnames | ISP DNS not applied | Enable use-peer-dns=yes or configure static DNS in /ip dns |
| Failover not switching | check-gateway not configured | Add check-gateway=ping to /ip route entries |

Verify Assigned Address

```
/ip address print where interface=pppoe-out1
```

View Route Installed by PPPoE

```
/ip route print where gateway=pppoe-out1
```

Log Full PPP Exchange

Capture the full authentication sequence to diagnose login failures:

```
/system logging
add topics=ppp,packet action=memory

/log print follow where topics~"ppp"
```

Remove the logging rule after diagnosis to avoid excessive log volume:

```
/system logging remove [find topics~"packet"]
```