PPPoE Server and Client Configuration

PPPoE Server and Client Configuration

Version Info

RouterOS 7.16 | Min: v7.0+ | ⏱️ 20 minutes | 🟡 Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.x: PPPoE server configuration under /interface pppoe-server server
• v6.x: Same basic commands work, menu structure may differ slightly

TL;DR (Quick Start)

PPPoE Client (connecting to an ISP):

/interface pppoe-client add interface=ether1 user=myuser password=mypass \
    add-default-route=yes use-peer-dns=yes name=pppoe-wan disabled=no

PPPoE Server (providing access to subscribers):

/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
/ppp profile add name=pppoe-profile local-address=10.0.0.1 remote-address=pppoe-pool
/ppp secret add name=user1 password=pass1 service=pppoe profile=pppoe-profile
/interface pppoe-server server add interface=ether2 service-name=MyISP \
    default-profile=pppoe-profile disabled=no

Overview

What this covers: PPPoE (Point-to-Point Protocol over Ethernet) client configuration for connecting to ISPs, and PPPoE server configuration for providing subscriber access.

When to use PPPoE Client:

• Connecting to DSL/ADSL broadband providers
• Connecting to fiber ISPs that use PPPoE authentication
• Replacing an ISP-provided modem/router with MikroTik

When to use PPPoE Server:

• Operating as a small ISP or WISP
• Providing authenticated internet access to subscribers
• Managing bandwidth and access per user

Prerequisites:

• A MikroTik router running RouterOS 7.x or later
• PPPoE credentials from your ISP (for client)
• Understanding of IP addressing (for server)

Part 1: PPPoE Client Configuration

The PPPoE client connects your router to an ISP that requires PPPoE authentication.

Step 1: Identify the WAN Interface

First, identify which interface connects to your ISP modem or ONT. In this example, we use ether1 as the WAN interface.

/interface print

Common Mistake

Do not run a DHCP client on the same interface as PPPoE. If your ISP modem was previously providing DHCP, remove the DHCP client before configuring PPPoE:

/ip dhcp-client remove [find interface=ether1]

Step 2: Create the PPPoE Client Interface

Create the PPPoE client with your ISP credentials:

/interface pppoe-client add \
    interface=ether1 \
    user=your-isp-username \
    password=your-isp-password \
    add-default-route=yes \
    use-peer-dns=yes \
    name=pppoe-wan \
    disabled=no

Parameter explanation:

Parameter	Purpose
interface	Physical interface connected to ISP modem
user / password	ISP-provided credentials
add-default-route	Automatically add default gateway when connected
use-peer-dns	Accept DNS servers from ISP
name	Friendly name for the interface

Step 3: Configure NAT Masquerade

Enable NAT so LAN clients can access the internet through the PPPoE connection:

/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade

Step 4: Verify PPPoE Client Status

Check if the connection is established:

/interface pppoe-client print

Expected Output:

Flags: X - disabled, R - running
 0  R name="pppoe-wan" max-mtu=auto max-mru=auto mrru=disabled interface=ether1
      user="your-username" password="your-password" profile=default
      service-name="" ac-name="" add-default-route=yes default-route-distance=1
      dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
      keepalive-timeout=60

The R flag indicates the connection is running.

Monitor the Connection

/interface pppoe-client monitor pppoe-wan once

Expected Output:

         status: connected
         uptime: 2h45m32s
    local-address: 203.0.113.45
   remote-address: 203.0.113.1
            mtu: 1492
            mru: 1492
       encoding: none

Scan for Available PPPoE Servers

Before configuring, you can discover available PPPoE servers:

/interface pppoe-client scan ether1

This shows available service-name and ac-name values if your ISP requires specific settings.

Part 2: PPPoE Server Configuration

Configure your MikroTik as a PPPoE server to provide authenticated internet access to subscribers.

Step 1: Create an IP Address Pool

Create a pool of addresses to assign to PPPoE clients:

/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254

This pool provides 253 addresses for subscribers.

Step 2: Create a PPP Profile

The profile defines settings applied to all connections using it:

/ppp profile add \
    name=pppoe-profile \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8,8.8.4.4 \
    change-tcp-mss=yes

Parameter explanation:

Parameter	Purpose
local-address	Router’s address on PPPoE tunnels (gateway)
remote-address	Pool or address for clients
dns-server	DNS servers pushed to clients
change-tcp-mss	Adjust MSS to prevent fragmentation issues

Step 3: Create User Secrets

Add users who can connect to your PPPoE server:

/ppp secret add \
    name=subscriber1 \
    password=securepass123 \
    service=pppoe \
    profile=pppoe-profile

For multiple users, repeat with different credentials:

/ppp secret add name=subscriber2 password=pass456 service=pppoe profile=pppoe-profile
/ppp secret add name=subscriber3 password=pass789 service=pppoe profile=pppoe-profile

Step 4: Create the PPPoE Server

Bind the server to an interface:

/interface pppoe-server server add \
    interface=ether2 \
    service-name=MyISP \
    default-profile=pppoe-profile \
    authentication=mschap2,mschap1,chap \
    one-session-per-host=yes \
    disabled=no

Parameter explanation:

Parameter	Purpose
interface	Interface where clients connect
service-name	Name advertised to clients
default-profile	Profile applied to connections
authentication	Allowed auth methods (avoid PAP for security)
one-session-per-host	Prevent multiple connections from same MAC

Important

Do not assign an IP address to the PPPoE server interface. The PPP tunnel handles addressing - assigning an IP to the underlying interface can cause routing issues.

Step 5: Configure Routing and NAT

Ensure PPPoE clients can reach the internet:

# Add the server interface IP (if not using from profile)
/ip address add address=10.0.0.1/24 interface=ether2 disabled=yes comment="Not needed - PPP handles this"

# NAT for PPPoE clients
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 action=masquerade comment="NAT for PPPoE clients"

Step 6: Verify PPPoE Server Status

Check server status:

/interface pppoe-server server print

Expected Output:

Flags: X - disabled
 0   interface=ether2 service-name="MyISP" max-mtu=1480 max-mru=1480
     mrru=disabled authentication=chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=pppoe-profile

View Active Connections

/interface pppoe-server print

Expected Output (when clients are connected):

Flags: D - dynamic, R - running
 #    NAME              USER         SERVICE   CALLER-ID     UPTIME
 0 DR <pppoe-subscriber1> subscriber1 pppoe     AA:BB:CC:DD:EE:FF 1h23m

View PPP Secrets

/ppp secret print

View Active Sessions

/ppp active print

Common Scenarios

Scenario: PPPoE Client with Static IP

Some ISPs assign static IPs but still use PPPoE for authentication. The configuration is the same - the ISP assigns your static IP through the PPP session.

Scenario: PPPoE over VLAN

If your ISP requires a specific VLAN tag:

# Create VLAN interface
/interface vlan add name=vlan100-wan vlan-id=100 interface=ether1

# Create PPPoE client on VLAN
/interface pppoe-client add interface=vlan100-wan user=myuser password=mypass \
    add-default-route=yes use-peer-dns=yes name=pppoe-wan disabled=no

Scenario: PPPoE Server with Rate Limiting

Apply bandwidth limits per subscriber using profiles:

# Create profile with rate limit (10M download / 5M upload)
/ppp profile add name=plan-10m local-address=10.0.0.1 remote-address=pppoe-pool \
    rate-limit=5M/10M

# Assign to user
/ppp secret set [find name=subscriber1] profile=plan-10m

Scenario: PPPoE Server on Multiple VLANs

Serve PPPoE on multiple VLANs without creating individual interfaces:

/interface pppoe-server server add \
    interface=bridge1 \
    service-name=MultiVLAN-ISP \
    default-profile=pppoe-profile \
    pppoe-over-vlan-range=100-110,200 \
    disabled=no

VLAN Conflict

Do not create VLAN interfaces with IDs that overlap with pppoe-over-vlan-range. The PPPoE server manages these VLANs internally.

Scenario: Dual WAN with PPPoE

Configure failover between PPPoE and another connection:

# Primary PPPoE
/interface pppoe-client add interface=ether1 user=primary password=pass \
    add-default-route=yes default-route-distance=1 name=pppoe-primary disabled=no

# Backup connection (different type)
/ip dhcp-client add interface=ether2 add-default-route=yes default-route-distance=2

# NAT for both
/ip firewall nat add chain=srcnat out-interface=pppoe-primary action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

MTU Considerations

PPPoE adds 8 bytes of overhead to each packet (6 bytes PPPoE + 2 bytes PPP), reducing the effective MTU from 1500 to 1492 bytes.

Recommended Settings

Setting	Value	Notes
PPPoE MTU	1492	Maximum for PPPoE
PPPoE MRU	1492	Maximum for PPPoE
TCP MSS	1452	1492 - 40 bytes IP/TCP headers

Fix MSS Clamping

To prevent issues with large packets not being delivered:

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

Community Tip

If websites partially load or HTTPS connections stall, MTU/MSS issues are the likely cause. The change-tcp-mss=yes in the PPP profile usually handles this, but add the mangle rule for extra reliability.

Troubleshooting

Problem: PPPoE Client Won’t Connect

Symptom	Likely Cause	Solution
”PADI timeout” in log	No PPPoE server responding	Check cable, verify ISP modem is in bridge mode
”Authentication failed”	Wrong credentials	Verify username/password with ISP
”Service name not found”	ISP requires specific service name	Use scan command to find service name
Interface shows “X” flag	Interface disabled	Enable with /interface pppoe-client enable

Enable debug logging:

/system logging add topics=pppoe,debug action=memory
/log print where topics~"pppoe"

Problem: Connected but No Internet

Check	Command	What to Look For
Default route exists	/ip route print	Route via PPPoE interface
NAT configured	/ip firewall nat print	Masquerade on PPPoE interface
DNS working	/ip dns print	Servers configured

Problem: PPPoE Server Not Responding to Clients

Symptom	Likely Cause	Solution
No clients connect	Server disabled	Check /interface pppoe-server server print for X flag
Clients see no server	Wrong interface	Verify server bound to correct interface
Auth failures	Wrong secrets	Verify /ppp secret print has matching credentials

Problem: Slow Speeds or Packet Loss

Check	Solution
MTU mismatches	Lower max-mtu to 1480 or 1460
TCP MSS issues	Enable change-tcp-mss=yes in profile
Duplex mismatch	Check underlying Ethernet interface settings

Problem: Intermittent Disconnections

Community Tip

If PPPoE disconnects overnight or periodically, check the ISP modem logs. Many modems have power-saving features that drop the connection. Also verify keepalive settings - some ISPs have aggressive timeout values.

# Adjust keepalive if ISP times out quickly
/interface pppoe-client set pppoe-wan keepalive-timeout=30

Common Mistake

Having both DHCP client and PPPoE client on the same interface causes conflicts. Always remove DHCP client before configuring PPPoE:

/ip dhcp-client remove [find interface=ether1]

Security Considerations

For PPPoE Servers

1. Disable PAP authentication - it sends passwords in cleartext:

   /interface pppoe-server server set 0 authentication=mschap2,mschap1,chap

2. Enable one-session-per-host to prevent connection abuse:

   /interface pppoe-server server set 0 one-session-per-host=yes

3. Use strong passwords in PPP secrets

For PPPoE Clients

1. Add the PPPoE interface to your WAN interface list:

   /interface list member add interface=pppoe-wan list=WAN

2. Ensure firewall protects the PPPoE interface like any WAN connection

Related Topics

Server Prerequisites

• IP Address Configuration - server interface IP
• IP Pool - address pool for PPPoE clients
• Bridge Configuration - PPPoE server on bridge

Client Configuration

• PPPoE Client - detailed client setup
• NAT Masquerade - NAT for PPPoE
• Firewall Basics - protect WAN interface

Authentication

• RADIUS - centralized PPPoE authentication
• User Management - local PPP secrets

Related Topics

• Simple Queues - per-user bandwidth
• VLAN Configuration - VLAN tagging for PPPoE

Reference

Official Documentation

• MikroTik PPPoE Documentation
• PPP Profiles
• PPP Secrets

Quick Reference Commands

# PPPoE Client
/interface pppoe-client print           # View client status
/interface pppoe-client monitor         # Monitor connection
/interface pppoe-client scan ether1     # Discover servers

# PPPoE Server
/interface pppoe-server server print    # View server config
/interface pppoe-server print           # View active connections
/ppp secret print                       # View user accounts
/ppp active print                       # View active sessions
/ppp profile print                      # View profiles