MikroTik RouterOS Docs

PPPoE Server and Client in RouterOS: A Complete Guide

RouterOS Version: 7.x+ | Difficulty: Intermediate | Estimated Time: 30 minutes

PPPoE (Point-to-Point Protocol over Ethernet) encapsulates PPP packets in Ethernet frames, enabling IP address distribution based on username authentication over Layer 2 networks. RouterOS supports both PPPoE client (for connecting to ISPs) and PPPoE server (Access Concentrator for providing subscriber access).

Common use cases:

  • ISP subscriber connection - Connect to provider via PPPoE client
  • ISP service delivery - Provide subscriber access with authentication
  • Bandwidth management - Per-user rate limiting via PPP profiles
  • RADIUS integration - Centralized authentication and accounting

Key concepts:

  • PPPoE operates at Layer 2 - do not assign IP addresses to PPPoE interfaces
  • MTU is reduced to 1492 bytes due to 8-byte PPPoE overhead
  • Connection phases: Discovery (PADI/PADO/PADR/PADS) then Session (LCP/Auth/IPCP)

| Menu | Purpose |
|------|---------|
| /interface pppoe-client | PPPoE client configuration |
| /interface pppoe-server server | PPPoE server configuration |
| /ppp profile | Connection profiles (addresses, rate limits) |
| /ppp secret | User credentials for local authentication |
| /ppp active | Active PPPoE sessions |
| /ppp aaa | RADIUS and accounting settings |

| Property | Type | Default | Description |
|----------|------|---------|-------------|
| name | string | pppoe-out[i] | Interface identifier |
| interface | string | - | Physical interface to run PPPoE on (required) |
| user | string | "" | Username for authentication |
| password | string | "" | Password for authentication |
| service-name | string | "" | Target service name; blank accepts any |
| ac-name | string | "" | Access Concentrator name; blank accepts any |
| allow | enum | mschap2,mschap1,chap,pap | Permitted authentication methods |
| profile | string | default | PPP profile to use |
| max-mtu | integer | 1460 | Maximum Transmission Unit |
| max-mru | integer | 1460 | Maximum Receive Unit |
| keepalive-timeout | integer | 60 | Echo packet timeout in seconds |
| add-default-route | yes/no | no | Automatically add default route |
| default-route-distance | byte | 1 | Administrative distance for default route |
| dial-on-demand | yes/no | no | Connect only when outbound traffic detected |
| use-peer-dns | yes/no | no | Accept DNS servers from peer |
| disabled | yes/no | yes | Whether client is disabled |

| Property | Type | Description |
|----------|------|-------------|
| status | enum | Current connection state |
| ac-mac | MAC | Access Concentrator MAC address |
| local-address | IP | Allocated client IP address |
| remote-address | IP | Gateway/server IP address |
| mtu | integer | Effective MTU |
| uptime | time | Connection duration |
| encoding | string | Encryption/encoding details |

| Status | Description |
|--------|-------------|
| dialing | Sending PADI, waiting for PADO |
| verifying password | Authentication in progress |
| connected | Session established successfully |
| disconnected | Session not active |
| terminating | Session being closed |

| Property | Type | Default | Description |
|----------|------|---------|-------------|
| interface | string | - | Client-facing interface (required) |
| service-name | string | "" | Server identifier; "" accepts all clients |
| default-profile | string | default | PPP profile for clients |
| authentication | enum | mschap2,mschap1,chap,pap | Allowed authentication methods |
| max-mtu | integer | 1480 | Maximum Transmission Unit |
| max-mru | integer | 1480 | Maximum Receive Unit |
| keepalive-timeout | time | 10 | Echo interval before disconnect |
| max-sessions | integer | 0 | Client limit; 0 = unlimited |
| one-session-per-host | yes/no | no | Disconnect previous session if MAC reconnects |
| pppoe-over-vlan-range | integer | - | VLAN IDs for tagged clients (v7+) |
| disabled | yes/no | no | Whether server is disabled |

| Property | Type | Default | Description |
|----------|------|---------|-------------|
| name | string | - | Profile name |
| local-address | IP/pool | - | IP assigned to server side |
| remote-address | IP/pool | - | IP assigned to client (or pool name) |
| dns-server | IP | - | DNS server(s) sent to client |
| rate-limit | rx/tx | - | Speed limit (creates dynamic simple queue) |
| only-one | yes/no/default | default | Limit user to single connection |
| change-tcp-mss | yes/no/default | default | Enable MSS clamping |
| bridge | string | - | Bridge to add interface to |
| address-list | string | - | Address list to add client IP |
| on-up | script | - | Script executed on connection |
| on-down | script | - | Script executed on disconnection |

| Property | Type | Description |
|----------|------|-------------|
| name | string | Username for authentication |
| password | string | Password for authentication |
| service | enum | Service type (pppoe, pptp, l2tp, etc.) |
| profile | string | Associated PPP profile |
| local-address | IP | Override profile local-address |
| remote-address | IP | Static IP for this user |
| routes | string | Routes pushed to client |
| limit-bytes-in | integer | Download limit in bytes |
| limit-bytes-out | integer | Upload limit in bytes |

Connect to ISP with automatic default route:

# Create PPPoE client on WAN interface
/interface pppoe-client add interface=ether1 name=pppoe-wan \
user=myusername password=mypassword \
add-default-route=yes use-peer-dns=no disabled=no
# Set local DNS servers
/ip dns set servers=8.8.8.8,1.1.1.1
# Configure NAT for LAN clients
/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade
# Verify connection
/interface pppoe-client monitor pppoe-wan once

For failover scenarios with multiple connections:

# Primary connection (lower distance = preferred)
/interface pppoe-client add interface=ether1 name=pppoe-primary \
user=user1 password=pass1 \
add-default-route=yes default-route-distance=1 disabled=no
# Backup connection (higher distance = failover only)
/interface pppoe-client add interface=ether2 name=pppoe-backup \
user=user2 password=pass2 \
add-default-route=yes default-route-distance=10 disabled=no

Provide subscriber access with local authentication:

# Create IP pool for clients
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
# Create PPP profile
/ppp profile add name=subscriber-profile \
local-address=10.0.0.1 remote-address=pppoe-pool \
dns-server=10.0.0.1 change-tcp-mss=yes
# Create PPPoE server on client-facing interface
/interface pppoe-server server add interface=ether2 \
service-name=MYISP default-profile=subscriber-profile \
authentication=chap,mschap1,mschap2 disabled=no
# Create user credentials
/ppp secret add name=customer1 password=custpass1 \
service=pppoe profile=subscriber-profile
/ppp secret add name=customer2 password=custpass2 \
service=pppoe profile=subscriber-profile

Multiple service tiers with rate limiting:

# Create pools for each plan
/ip pool add name=pool-basic ranges=10.10.1.2-10.10.1.254
/ip pool add name=pool-premium ranges=10.10.2.2-10.10.2.254
# Create profiles with rate limits
/ppp profile add name=plan-10mbps \
local-address=10.10.1.1 remote-address=pool-basic \
rate-limit=10M/10M dns-server=10.10.1.1 change-tcp-mss=yes
/ppp profile add name=plan-50mbps \
local-address=10.10.2.1 remote-address=pool-premium \
rate-limit=50M/50M dns-server=10.10.2.1 change-tcp-mss=yes
# Assign users to plans
/ppp secret add name=user1 password=pass1 service=pppoe profile=plan-10mbps
/ppp secret add name=user2 password=pass2 service=pppoe profile=plan-50mbps
# Create server
/interface pppoe-server server add interface=ether2 \
service-name=MYISP default-profile=plan-10mbps \
one-session-per-host=yes disabled=no

Centralized authentication for larger deployments:

# Configure RADIUS server
/radius add address=192.168.1.100 secret=radiussecret service=ppp
# Enable RADIUS for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m
# Create default profile (RADIUS can override)
/ppp profile add name=radius-profile \
local-address=10.0.0.1 remote-address=pppoe-pool \
dns-server=10.0.0.1 change-tcp-mss=yes
# Create PPPoE server
/interface pppoe-server server add interface=ether2 \
service-name=MYISP default-profile=radius-profile disabled=no

Discover available PPPoE servers on a network:

# Scan for PPPoE servers
/interface pppoe-client scan ether1
# Output shows:
# SERVICE-NAME AC-NAME AC-MAC
# ISP-Service ISP-Router AA:BB:CC:DD:EE:FF
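
What the scan reads off the wire during the Discovery phase, as an added Python example (not part of the original page or of RouterOS): a parser for PPPoE discovery frames following RFC 2516, run on a constructed PADO frame that carries the values from the scan output above. The function names and the sample frame are assumptions made for illustration.

```python
import struct

ETH_PPPOE_DISCOVERY = 0x8863  # EtherType of the discovery stage (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102


def parse_discovery(frame: bytes) -> dict:
    """Parse one Ethernet frame that carries a PPPoE discovery packet."""
    if len(frame) < 20:
        raise ValueError("shorter than Ethernet + PPPoE headers")
    if struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unexpected PPPoE version/type")
    payload = frame[20:20 + length]  # the length field excludes Ethernet padding
    if len(payload) != length:
        raise ValueError("length field runs past the captured frame")
    tags, off = {}, 0
    while off + 4 <= len(payload):  # each tag: type(2) length(2) value
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        if tag_type == TAG_END:
            break
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag runs past the end of the payload")
        tags[tag_type] = value.decode("utf-8", "replace")
        off += 4 + tag_len
    return {
        "code": CODES.get(code, hex(code)),
        "session_id": session_id,
        "src_mac": ":".join(f"{b:02X}" for b in frame[6:12]),
        "service_name": tags.get(TAG_SERVICE_NAME, ""),
        "ac_name": tags.get(TAG_AC_NAME, ""),
    }


def make_tag(tag_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tag_type, len(value)) + value


def sample_pado() -> bytes:
    """Constructed PADO carrying the values from the scan output above."""
    tags = make_tag(TAG_SERVICE_NAME, b"ISP-Service") + make_tag(TAG_AC_NAME, b"ISP-Router")
    eth = bytes.fromhex("020000000001AABBCCDDEEFF") + struct.pack("!H", ETH_PPPOE_DISCOVERY)
    return eth + struct.pack("!BBHH", 0x11, 0x07, 0x0000, len(tags)) + tags


if __name__ == "__main__":
    print(parse_discovery(sample_pado()))
```

With ac-name and service-name left blank the client accepts any offer, so the parsed AC-Name and source MAC are the fields to compare against the values the provider is known to use.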

Assign fixed IP to specific customer:

# Create user with static IP (overrides pool)
/ppp secret add name=premium-customer password=prempass \
service=pppoe profile=plan-50mbps \
remote-address=10.10.2.100

Execute scripts on connect/disconnect:

# Profile with on-up script
/ppp profile add name=scripted-profile \
local-address=10.0.0.1 remote-address=pppoe-pool \
on-up={
    /ip firewall address-list add list=active-pppoe address=$"remote-address"
    :log info "PPPoE client connected: $user"
} \
on-down={
    /ip firewall address-list remove [find address=$"remote-address" list=active-pppoe]
    :log info "PPPoE client disconnected: $user"
}

Standard Ethernet MTU is 1500 bytes. PPPoE adds 8 bytes overhead, leaving 1492 bytes maximum for IP packets.

| Layer | Max Size (bytes) | Notes |
|-------|------------------|-------|
| Ethernet | 1500 | Standard frame payload |
| PPPoE | 1492 | After 8-byte PPPoE overhead |
| TCP payload | ~1452 | After IP and TCP headers |

When Path MTU Discovery fails (often due to ICMP blocking), TCP connections hang. Solutions:

Via PPP Profile (IPv4 only):

/ppp profile set [find] change-tcp-mss=yes

Via Mangle Rules (IPv4 and IPv6):

# IPv4
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
action=change-mss new-mss=clamp-to-pmtu passthrough=yes
# IPv6 (profile setting doesn't cover IPv6)
/ipv6 firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
action=change-mss new-mss=clamp-to-pmtu passthrough=yes

Some ISPs support MTU 1500 over PPPoE:

# Set physical interface to 1508
/interface ethernet set ether1 mtu=1508
# Set PPPoE client to request 1500
/interface pppoe-client set pppoe-wan max-mtu=1500 max-mru=1500

Symptoms: Client perpetually sends PADI but never connects.

Causes:

  • VLAN header handling issue on switch chip
  • DHCP client running on same interface
  • Modem not in bridge mode

Solutions:

# Check 1: Fix VLAN header handling
/interface ethernet switch port set switch1-cpu vlan-header=always-strip
# Check 2: Remove conflicting DHCP client
/ip dhcp-client print
/ip dhcp-client remove [find interface=ether1]
# Check 3: Verify modem is bridging PPPoE frames
/interface pppoe-client scan ether1
# Should show available servers

Symptom: PPPoE worked before upgrade, now fails.

Cause: Version 7.20 changed behavior so that disabling keepalive also disables LCP echo requests.

Solution:

/interface pppoe-client set [find] keepalive-timeout=10

Symptom: Connection works but Telegram, large downloads, or certain sites fail.

Cause: MTU black hole - Path MTU Discovery fails when ICMP is blocked.

Solution:

# Enable MSS clamping in profile
/ppp profile set [find] change-tcp-mss=yes
# Or add mangle rule
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
action=change-mss new-mss=clamp-to-pmtu passthrough=yes

Symptom: After disconnect, client stays down until manual intervention.

Causes:

  • dial-on-demand=yes without traffic
  • Keepalive timeout issue

Solutions:

# Disable dial-on-demand for always-on
/interface pppoe-client set [find] dial-on-demand=no
# Ensure keepalive is enabled
/interface pppoe-client set [find] keepalive-timeout=60
# Watchdog script for persistent issues
/system scheduler add name=pppoe-watchdog interval=5m on-event={
    :if ([/interface pppoe-client get [find name=pppoe-wan] running] = false) do={
        /interface pppoe-client disable [find name=pppoe-wan]
        :delay 2s
        /interface pppoe-client enable [find name=pppoe-wan]
    }
}

Symptom: Simple queues based on IP don’t affect PPPoE clients.

Cause: PPPoE traffic is encapsulated; queue sees interface, not IP.

Solutions:

# Solution 1: Use rate-limit in profile (recommended)
/ppp profile set [find name=myprofile] rate-limit=10M/10M
# Solution 2: Use address-list and queue tree
/ppp profile set [find] address-list=pppoe-clients
/ip firewall mangle add chain=forward src-address-list=pppoe-clients \
action=mark-packet new-packet-mark=pppoe-down passthrough=no

Symptom: LAN clients can’t access internet.

Cause: Masquerade rule references physical interface instead of PPPoE.

Solution:

# Wrong: out-interface=ether1
# Correct: out-interface=pppoe-wan
/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade

Problem 7: RADIUS Returns Accept but Client Gets Error 691

Symptom: Authentication fails despite RADIUS accepting.

Cause: Profile mismatch or missing RADIUS attributes.

Solution:

# Enable debugging
/system logging add topics=radius,ppp,debug
# Verify profile exists
/ppp profile print
# Check RADIUS attributes match RouterOS expectations

Symptom: Server doesn’t respond to clients on bridge interface.

Cause: Bridge filtering or hardware offload affecting PPPoE frames.

Solution:

# Option 1: Run PPPoE server on physical interface
# Option 2: Adjust bridge settings
/interface bridge set [find name=bridge1] protocol-mode=none

| Device Class | Recommended Sessions | Notes |
|--------------|----------------------|-------|
| RB750/hEX | 100-200 | Light WISP usage |
| RB4011/RB5009 | 500-1000 | Medium deployments |
| CCR1009 | 2000-3000 | Professional ISP |
| CCR1036/CCR2004 | 5000+ | Large ISP |

Scaling tips:

  • Over 1200 sessions: migrate from simple queues to queue tree
  • Use RADIUS for centralized management at scale
  • Consider address-list marking for efficient QoS

# List all PPPoE clients
/interface pppoe-client print
# Monitor client connection details
/interface pppoe-client monitor [find] once
# Scan for available PPPoE servers
/interface pppoe-client scan ether1
# List PPPoE servers
/interface pppoe-server server print
# View active PPPoE sessions
/ppp active print
# View configured users
/ppp secret print
# Check routes via PPPoE
/ip route print where gateway-status~"pppoe"
# Check PPP logs
/log print where topics~"pppoe"

  • IP Pools (/ip pool) - Address ranges for PPPoE clients
  • RADIUS (/radius) - External authentication and accounting
  • User Manager - MikroTik’s built-in RADIUS server
  • Simple Queues - Auto-created when rate-limit set in profile
  • Queue Tree - Advanced QoS for large deployments
  • Scripts (/system script) - Profile on-up/on-down automation
  • Firewall (/ip firewall) - Protect PPPoE server and clients
  • Address Lists (/ip firewall address-list) - Track connected client IPs
  • DHCP Server - alternative IP assignment method
  • IP Pool - address pools for PPPoE clients
  • NAT - masquerade for PPPoE clients

PPPoE provides authenticated IP connectivity over Ethernet:

  1. Client setup - Specify interface, credentials, enable add-default-route
  2. Server setup - Create pool, profile, server, and user secrets
  3. Enable MSS clamping - Prevents MTU black hole issues
  4. Use rate-limit in profiles - For per-user bandwidth control

Key points:

  • Do not assign IP addresses to interfaces used for PPPoE
  • MTU is 1492 bytes maximum (1500 - 8 byte overhead)
  • Enable change-tcp-mss=yes in profiles to prevent connection issues
  • Use one-session-per-host=yes to prevent duplicate connections
  • RouterOS 7.20+ requires non-zero keepalive-timeout
  • For scale, use RADIUS and queue tree instead of simple queues
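
The key points above, written as a check over a configuration (an added Python example, not MikroTik tooling and not from the original page): it reads `add` commands in the form used on this page and reports profiles without change-tcp-mss=yes, servers without one-session-per-host=yes, masquerade rules bound to the physical interface under a PPPoE client, and servers that still permit PAP. The PAP check is an addition based on the default in the server property table; the rule names and the sample configuration are constructed.

```python
import shlex

DEFAULT_AUTH = "mschap2,mschap1,chap,pap"  # server default per the property table

# Constructed sample, assembled from commands shown on this page.
SAMPLE = r"""
/interface pppoe-client add interface=ether1 name=pppoe-wan \
    user=myusername password=mypassword add-default-route=yes disabled=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ppp profile add name=plan-10mbps local-address=10.10.1.1 \
    remote-address=pool-basic rate-limit=10M/10M
/interface pppoe-server server add interface=ether2 service-name=MYISP \
    default-profile=plan-10mbps disabled=no
"""


def parse_commands(text):
    """Join '\\' continuations; return [(menu, {property: value})] for 'add' lines."""
    commands = []
    for line in text.replace("\\\n", " ").splitlines():
        menu, sep, args = line.strip().partition(" add ")
        if menu.startswith("/") and sep:
            props = dict(t.split("=", 1) for t in shlex.split(args) if "=" in t)
            commands.append((menu, props))
    return commands


def audit(text):
    """Return (rule, subject) findings, in the order the commands appear."""
    commands = parse_commands(text)
    # Physical interfaces that carry a PPPoE client; NAT must not point at these.
    carriers = {p.get("interface") for m, p in commands if m == "/interface pppoe-client"}
    findings = []
    for menu, p in commands:
        if menu == "/ppp profile" and p.get("change-tcp-mss") != "yes":
            findings.append(("mss-clamp-off", p.get("name")))
        elif menu == "/interface pppoe-server server":
            if p.get("one-session-per-host") != "yes":
                findings.append(("multi-session-per-host", p.get("interface")))
            # Added check: PAP sends the password unencrypted.
            if "pap" in p.get("authentication", DEFAULT_AUTH).split(","):
                findings.append(("pap-allowed", p.get("interface")))
        elif (menu == "/ip firewall nat" and p.get("action") == "masquerade"
              and p.get("out-interface") in carriers):
            findings.append(("nat-on-physical-interface", p.get("out-interface")))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE):
        print(f"{rule}: {subject}")
```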