
9.14.2015

IP / ADDRESS

Summary

Sub-menu: /ip address


IP addresses serve for general host identification purposes in IP networks. A typical (IPv4) address consists of four octets. For proper addressing the router also needs the network mask value, i.e., which bits of the complete IP address refer to the address of the host, and which to the address of the network. The network address value is calculated by a binary AND operation on the network mask and IP address values. It is also possible to specify the IP address followed by a slash "/" and the number of bits that form the network address.

In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.
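The netmask arithmetic described above, as an added example that is not part of the RouterOS documentation: it derives the netmask, network and broadcast values from either "address/prefix" or address plus netmask with explicit bit operations, and adds a same_subnet check, which is the test a host applies before deciding whether to ARP for a destination directly or hand the packet to its gateway. All addresses used are constructed sample values.

```python
# Added example, not part of the RouterOS documentation: the netmask / network /
# broadcast arithmetic described above, done with explicit bit operations.
# All addresses used below are constructed sample values.

def ip_to_int(dotted):
    """'192.168.1.5' -> 32-bit integer; rejects malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | n
    return value

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix_len):
    """/24 -> 0xFFFFFF00: the top prefix_len bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """Accept only contiguous masks (a run of 1s followed by 0s), e.g. 255.255.255.0."""
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask %s" % int_to_ip(mask))
    return bin(mask).count("1")

def describe(address, netmask=None):
    """Take 'a.b.c.d/len' or ('a.b.c.d', 'mask') and return the derived values.
    network   = address AND mask         (the binary AND from the text)
    broadcast = network OR (NOT mask)    (all host bits set)
    """
    if "/" in address:
        host, prefix = address.split("/", 1)
        mask = prefix_to_mask(int(prefix))
    elif netmask is not None:
        host = address
        mask = ip_to_int(netmask)
    else:
        raise ValueError("need either a /prefix or a netmask")
    prefix_len = mask_to_prefix(mask)
    addr = ip_to_int(host)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {
        "address": int_to_ip(addr),
        "netmask": int_to_ip(mask),
        "prefix": prefix_len,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
    }

def same_subnet(ip_a, ip_b, prefix_len):
    """True when both addresses share the network part: the test a host applies
    before deciding to ARP for a destination directly or send it to its gateway."""
    mask = prefix_to_mask(prefix_len)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)

if __name__ == "__main__":
    print(describe("192.168.1.5/24"))
    print(describe("10.5.8.17", "255.255.255.240"))
    print(same_subnet("172.16.1.2", "172.16.2.3", 16),
          same_subnet("172.16.1.2", "172.16.2.3", 24))
```

The mask check in mask_to_prefix rejects values such as 255.255.0.255 that the AND would happily accept but that no router will take as a netmask.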

It is possible to add multiple IP addresses to an interface or to leave the interface without any addresses assigned to it. In the case of a bridge or PPPoE connection, the physical interface may not have any address assigned, yet be perfectly usable. Putting an IP address on a physical interface included in a bridge would actually mean putting it on the bridge interface itself. You can use /ip address print detail to see which interface the address belongs to.

MikroTik RouterOS has the following types of addresses:


  • Static - manually assigned to the interface by a user
  • Dynamic - automatically assigned to the interface by DHCP or an established PPP connection

IP / ARP

Summary

Sub-menu: /ip arp
Standards: ARP RFC 826

Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. The Address Resolution Protocol is used to map OSI layer 3 IP addresses to OSI layer 2 MAC addresses. The router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security it can be partially or completely built statically by adding static entries.

Properties
Property Description
address (IP; Default: ) IP address to be mapped
interface (string; Default: ) Interface name the IP address is assigned to
mac-address (MAC; Default: 00:00:00:00:00:00) MAC address to be mapped to

Read only properties:

Property Description
dhcp (yes | no) Whether ARP entry is added by DHCP server
dynamic (yes | no) Whether entry is dynamically created
invalid (yes | no) Whether entry is not valid


Note: The maximum number of ARP entries is 8192.


ARP Modes


Several ARP modes can be set in the interface configuration:

Disabled
If the ARP feature is turned off on the interface, i.e., arp=disabled is used, ARP requests from clients are not answered by the router. Therefore, static ARP entries must be added on the clients as well. For example, the router's IP and MAC addresses would be added on Windows workstations using the arp command:

C:\> arp -s 10.5.8.254  00-aa-00-62-c6-09

Enabled
This mode is enabled by default on all interfaces. ARP entries will be discovered automatically and new dynamic entries will be added to the ARP table.

Proxy ARP
A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks.

This behaviour can be useful, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients IP addresses from the same address space as used on the connected LAN.


Let's look at the example setup from the image above. Host A (172.16.1.2) on Subnet A wants to send packets to Host D (172.16.2.3) on Subnet B. Host A has a /16 subnet mask, which means that Host A believes it is directly connected to the whole 172.16.0.0/16 network (the same LAN). Since Host A believes it is directly connected, it sends an ARP request to the destination to find out the MAC address of Host D. (If Host A found that the destination IP address was not in its own subnet, it would send the packet to its default gateway instead.)

Host A broadcasts an ARP request on Subnet A:

Info from packet analyzer software:

No.     Time   Source             Destination       Protocol  Info

 12   5.133205  00:1b:38:24:fc:13  ff:ff:ff:ff:ff:ff  ARP      Who has 173.16.2.3?  Tell 173.16.1.2


Packet details:

Ethernet II, Src: (00:1b:38:24:fc:13), Dst: (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: (00:1b:38:24:fc:13)
    Type: ARP (0x0806)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    [Is gratuitous: False]
    Sender MAC address: 00:1b:38:24:fc:13
    Sender IP address: 173.16.1.2
    Target MAC address: 00:00:00:00:00:00
    Target IP address: 173.16.2.3

With this ARP request, Host A (172.16.1.2) is asking Host D (172.16.2.3) to send its MAC address. The ARP request packet is encapsulated in an Ethernet frame with the MAC address of Host A as the source address and the broadcast address (FF:FF:FF:FF:FF:FF) as the destination address. A layer 2 broadcast means that the frame is sent to all hosts in the same layer 2 broadcast domain, which includes the ether0 interface of the router, but it does not reach Host D, because the router by default does not forward layer 2 broadcasts.

Since the router knows that the target address (172.16.2.3) is on another subnet that it can reach, it replies to Host A with its own MAC address.

No.     Time   Source            Destination         Protocol   Info

13   5.133378  00:0c:42:52:2e:cf  00:1b:38:24:fc:13   ARP        172.16.2.3 is at 00:0c:42:52:2e:cf

Packet details:

Ethernet II, Src: 00:0c:42:52:2e:cf, Dst: 00:1b:38:24:fc:13
   Destination: 00:1b:38:24:fc:13
   Source: 00:0c:42:52:2e:cf
   Type: ARP (0x0806)
Address Resolution Protocol (reply)
   Hardware type: Ethernet (0x0001)
   Protocol type: IP (0x0800)
   Hardware size: 6
   Protocol size: 4
   Opcode: reply (0x0002)
   [Is gratuitous: False]
   Sender MAC address: 00:0c:42:52:2e:cf
   Sender IP address: 172.16.1.254
   Target MAC address: 00:1b:38:24:fc:13
   Target IP address: 172.16.1.2

This is the proxy ARP reply that the router sends to Host A. The router sends back a unicast proxy ARP reply with its own MAC address as the source address and the MAC address of Host A as the destination address, in effect saying "send these packets to me, and I'll get them to where they need to go."


When Host A receives the ARP response, it updates its ARP table, as shown:

C:\Users\And>arp -a

Interface: 173.16.2.1 --- 0x8
  Internet Address      Physical Address      Type
  173.16.1.254          00-0c-42-52-2e-cf    dynamic
  173.16.2.3            00-0c-42-52-2e-cf    dynamic
  173.16.2.2            00-0c-42-52-2e-cf    dynamic

After the ARP table update, Host A forwards all packets intended for Host D (172.16.2.3) directly to the router interface ether0 (00:0c:42:52:2e:cf), and the router forwards the packets to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined for Subnet B are sent to the router, which forwards them to the hosts in Subnet B.

With proxy ARP, multiple IP addresses are mapped to a single MAC address (the MAC address of this router) in the hosts' ARP tables.
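The frames and the resulting ARP table from the walkthrough above, as an added example that is not code from the RouterOS documentation: it encodes and decodes Ethernet + ARP frames in the RFC 826 layout shown in the packet details, feeds replies into a host-style ARP cache, and then flags any MAC that answers for several IPs, which is the footprint proxy ARP leaves in the arp -a output. The MAC and IP addresses are taken from the text's example; the sequence of replies is constructed.

```python
# Added example, not code from the RouterOS documentation: encode and decode the
# Ethernet + ARP frames shown above (RFC 826 layout), then feed replies into a
# host-style ARP cache and flag MACs that answer for several IPs, which is the
# footprint proxy ARP leaves in "arp -a". Addresses below are taken from the
# worked example in the text; the sequence of replies is constructed.
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 0x0001, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)

def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header (14 bytes) followed by the 28-byte ARP body.
    Requests go to the broadcast MAC; replies are unicast to the target."""
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if opcode == OP_REQUEST else target_mac
    ether = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ether + arp

def parse_arp_frame(frame):
    """Decode into the fields a packet analyzer shows; rejects non-ARP frames."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (type 0x%04x)" % ethertype)
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    body = frame[22:42]
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }

def learn_from_reply(cache, frame):
    """What a host does with an ARP reply: remember sender IP -> sender MAC."""
    fields = parse_arp_frame(frame)
    if fields["opcode"] == OP_REPLY:
        cache[fields["sender_ip"]] = fields["sender_mac"]
    return cache

def macs_answering_for_many_ips(cache, threshold=2):
    """Return {mac: sorted IPs} for MACs mapped from `threshold` or more IPs.
    A router doing proxy ARP produces exactly this pattern; on a segment where
    no proxy ARP is expected, the same pattern is what an ARP-cache check should
    alert on."""
    by_mac = {}
    for ip, mac in cache.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}

def proxy_arp_demo():
    """Host A asks for Host D; the router answers on D's behalf (and for other
    Subnet B hosts and itself), so A's cache maps them all to the router."""
    host_a_mac, host_a_ip = "00:1b:38:24:fc:13", "172.16.1.2"
    router_mac = "00:0c:42:52:2e:cf"
    request = build_arp_frame(OP_REQUEST, host_a_mac, host_a_ip, ZERO_MAC, "172.16.2.3")
    asked = parse_arp_frame(request)
    cache = {}
    # The proxy reply carries the asked-for IP as sender IP and the router's MAC.
    for proxied_ip in (asked["target_ip"], "172.16.2.2", "172.16.1.254"):
        reply = build_arp_frame(OP_REPLY, router_mac, proxied_ip, host_a_mac, host_a_ip)
        learn_from_reply(cache, reply)
    return cache, macs_answering_for_many_ips(cache)

if __name__ == "__main__":
    cache, flagged = proxy_arp_demo()
    for ip, mac in sorted(cache.items()):
        print("%-16s %s" % (ip, mac))
    print("MACs answering for several IPs:", flagged)
```

The many-to-one check is only meaningful once you know which interfaces are expected to run proxy ARP; everywhere else it is a cheap signal to keep in a periodic ARP-table audit.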


Proxy ARP can be enabled on each interface individually by setting arp=proxy-arp:

Setup proxy ARP:

[admin@MikroTik] /interface ethernet> set 1 arp=proxy-arp

 [admin@MikroTik] /interface ethernet> print

 Flags: X - disabled, R - running
   #    NAME                 MTU   MAC-ADDRESS         ARP
   0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
   1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
 [admin@MikroTik] interface ethernet>

Reply Only
If the arp property is set to reply-only on the interface, the router only replies to ARP requests. Neighbour MAC addresses must be added statically in /ip arp, but there is no need to add the router's MAC address to the other hosts' ARP tables, as is required when arp is disabled.

9.02.2015

Columbia College

Columbia College is based in Columbia, Missouri, and offers an array of accelerated bachelor's and master's degrees that cater to working adults and military students.

THE GOOD

Affordable tuition:

Tuition per credit hour is very affordable at all degree levels, but Columbia College really stands out for having some of the lowest tuition rates for graduate credits when compared with other top online schools. Tuition rates at Columbia College are also very transparent in that they do not tack on extra fees each term, such as a technology fee or activities fee, which is common at many other schools. You should keep in mind that since Columbia College offers five terms a year and you can take as many or as few credits as you want, your costs per term can vary but are likely to remain comparatively low.
Respectable rankings:

The latest online education rankings from U.S. News & World Report name Columbia College with three different rankings in the top 100. The Columbia College online bachelor's program is ranked number 69 out of 160 different online programs, and offers a wide selection of 15 different majors. The school also earned rankings for two graduate programs, including a number 95 ranked online graduate business program and a number 90 ranked online graduate education program. Aside from the online programs, the university itself was included in the U.S. News & World Report list of top 100 Regional University Midwest rankings.
Multiple year-round start dates:

At Columbia College you can get started on completing coursework towards your degree with five different academic start dates. Many schools limit new students to one set of spring or fall start dates, but Columbia College gives you more flexibility with start dates in January, March, June, August, and October. Online classes run for eight-week sessions, which is why there are so many new term starts per year. The eight-week schedule is considered an accelerated pace that can be especially accommodating if you have work, military, family, or other obligations.
THE BAD

Certain programs not offered in every state:

Prospective online students should keep in mind that four of the specific degree programs are not available in every state due to current accreditation regulations. If you are considering a master's of education in educational leadership, or a bachelor of arts in political science, public administration, or English, you should check on the eligibility of your home state before applying. In some cases the degrees are strictly not available to residents of certain states. It is something to keep your eye on, though, as Columbia College is currently seeking approval to offer these degrees through their online campus.
Relatively low graduation rates:

There are consistently low graduation rates across several online degree programs at Columbia College. The online bachelor's program has a reported 42% graduation rate for the 2011-2012 academic year, and near exact figures were reported for each of the previous three years. The online graduate business program has better figures with a 2011-2012 graduation rate of 59%, which is an improvement over 43% from the previous year. Finally, the online graduate education program has a reported 53% graduation rate for 2011-2012 which is a huge improvement over 35% from the previous year. Columbia College may be inching towards improvement, but the school still comes up short when compared to other top online colleges which have consistently higher graduation rates.

8.06.2015

Mikrotik Proxy

MikroTik RouterOS performs proxying of HTTP and HTTP-proxy (for FTP and HTTP protocols) requests. The proxy server acts as an Internet object cache: it stores requested Internet objects (data available via the HTTP and FTP protocols) on a system positioned closer to the recipient, which speeds up customer browsing by delivering copies of requested files from the proxy cache at local network speed. MikroTik RouterOS implements the following proxy server features:

  • Regular HTTP proxy – the client itself specifies which proxy server to use
  • Transparent proxy – the client does not know about the proxy, and no additional configuration of the client's web browser is needed
  • Access list by source, destination, URL and requested method (HTTP firewall)
  • Cache access list to specify which objects to cache and which not
  • Direct Access List – to specify which resources should be accessed directly and which through another proxy server
  • Logging facility – allows getting and storing information about proxy operation
  • Parent proxy support – allows specifying another proxy server; if the proxy does not have the requested object, it asks its parent or the origin server

A proxy server usually is placed at various points between users and the destination server (also known as origin server) on the Internet. (see Figure 10.1).


A Web proxy (cache) watches requests coming from clients, saving copies of the responses for itself. Then, if there is another request for the same URL, it can use the response it already has, instead of asking the origin server for it again. If the proxy does not have the requested file, it downloads it from the origin server.

A proxy server can serve several purposes:

  • To decrease access time to resources (it takes less time for the client to get the object).
  • To work as an HTTP firewall (deny access to undesirable web pages).
  • To filter web content (by specific parameters, such as source address, destination address and port, URL, HTTP request method) and to scan outbound content, e.g., for data leak protection.

Proxy configuration example
In MikroTik RouterOS, proxy configuration is performed in the /ip proxy menu. See below how to enable the proxy on port 8080 and set 195.10.10.1 as the proxy source address:

 [admin@MikroTik] ip proxy> set enabled=yes port=8080 src-address=195.10.10.1

 [admin@MikroTik] ip proxy> print
                      enabled: yes
                  src-address: 195.10.10.1
                         port: 8080
                 parent-proxy: 0.0.0.0:0
                  cache-drive: system
          cache-administrator: "admin@mikrotik.com"
          max-disk-cache-size: none
           max-ram-cache-size: 100000KiB
           cache-only-on-disk: yes
   maximal-client-connections: 1000
   maximal-server-connections: 1000
               max-fresh-time: 3d

When setting up a regular proxy service, make sure it serves only your clients and prevent unauthorised access to it by creating firewall rules that allow only your clients to use the proxy; otherwise it may be used as an open proxy.

Transparent proxy configuration example
RouterOS can also act as a transparent caching server, with no configuration required in the customer's web browser. A transparent proxy does not modify the requested URL or response. RouterOS will take all HTTP requests and redirect them to the local proxy service. This process is entirely transparent to the users (they need not know anything about the proxy server located between them and the origin server), and the only difference to them will be the increased browsing speed.


To enable transparent mode, a firewall rule in destination NAT has to be added, specifying which connections (to which ports) should be transparently redirected to the proxy. Using the proxy settings above, redirect our users (192.168.1.0/24) to the proxy server:

[admin@MikroTik] ip firewall nat> add chain=dstnat protocol=tcp src-address=192.168.1.0/24 \
dst-port=80 action=redirect to-ports=8080

 [admin@MikroTik] ip firewall nat> print
 Flags: X - disabled, I - invalid, D - dynamic
  0   chain=dstnat protocol=tcp src-address=192.168.1.0/24 dst-port=80 action=redirect to-ports=8080
 [admin@MikroTik] ip firewall nat>

The web proxy can be used as a transparent and a normal web proxy at the same time. In transparent mode it is possible to use it as a standard web proxy, too. However, in this case, proxy users may have trouble reaching web pages which are accessed transparently.


Proxy based firewall – Access List
The access list is implemented in the same way as MikroTik firewall rules: rules are processed from the top to the bottom, and the first matching rule decides what to do with the connection. Connections can be matched by source address, destination address, destination port, a sub-string of the requested URL (Uniform Resource Locator) or request method. If none of these parameters is specified, every connection will match the rule.

If a connection is matched by a rule, the action property of that rule specifies whether the connection will be allowed or denied. If a connection does not match any rule, it will be allowed.

In this example assume that we have configured transparent proxy server as given in example above.

Block a particular website:

 /ip proxy access add dst-host=www.facebook.com action=deny

This will block the website http://www.facebook.com; we can also restrict the block to particular networks by specifying src-address:

/ip proxy access add src-address=192.168.1.0/24 dst-host=www.facebook.com action=deny
Users from network 192.168.1.0/24 will not be able to access website www.facebook.com.


You can block also websites that contain specific words in URL:

 /ip proxy access add dst-host=:mail action=deny
This statement will block all websites whose host name contains the word "mail", like www.mail.com, www.hotmail.com, mail.yahoo.com etc.

We can also stop downloads of specific file types like .flv, .avi, .mp4, .mp3, .exe, .dat, etc.:

 /ip proxy access
 add path=*.flv action=deny
 add path=*.avi action=deny
 add path=*.mp4 action=deny
 add path=*.mp3 action=deny
 add path=*.zip action=deny
 add path=*.rar action=deny
Different wildcard characters are also available for creating specific conditions to be matched by the proxy access list.

Wildcard properties (dst-host and dst-path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character).

Regular expressions are also accepted here, but if the property should be treated as a regular expression, it should start with a colon (':').

To show that no symbols are allowed before the given pattern, we use ^ symbol at the beginning of the pattern.

To specify that no symbols are allowed after the given pattern, we use $ symbol at the end of the pattern.


Enabling RAM or Store based caching.
In this example it is presumed that you already have the proxy configured and working and you just want to enable caching. If a detailed description of a command or parameter is required, check the reference section, which is located right below the example section.


  • RAM based caching:
    • Good if you have a device with a considerable amount of RAM for caching. Enabling this on a device with 256MB of RAM or less will not give your network any benefit.
    • Much faster cache write/read than a cache stored on USB or SATA connected media.
  • Store based caching:
    • Larger proxy caches are available simply due to the capacity difference of the media.


RAM proxy cache:

Important commands:


  • max-cache-size=
  • max-cache-object-size=
  • cache-on-disk=


[admin@MikroTik] /ip proxy> set max-cache-size=unlimited max-cache-object-size=50000KiB cache-on-disk=no
...
[admin@MikroTik] /ip proxy> print
                 enabled: yes
             src-address: ::
                    port: 8080
               anonymous: no
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: webmaster
          max-cache-size: unlimited  <-------
   max-cache-object-size: 50000KiB  <-------
           cache-on-disk: no  <-------
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
              cache-path: proxy-cache


Store proxy cache:

Important commands:


  • max-cache-size=
  • max-cache-object-size=
  • cache-on-disk=
  • cache-path=


[admin@MikroTik] > ip proxy set cache-on-disk=yes cache-path=/usb1/proxy/cache

[admin@MikroTik] > ip proxy print                                              
                 enabled: yes
             src-address: ::
                    port: 8080
               anonymous: no
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: webmaster
          max-cache-size: unlimited  <-------
   max-cache-object-size: 50000KiB  <-------
           cache-on-disk: yes  <-------
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
              cache-path: usb1/proxy/cache  <-------

[admin@MikroTik] > file print                                                  
 # NAME                                                           TYPE            
 0 skins                                                          directory      
 5 usb1/proxy                                                     directory          
 6 usb1/proxy/cache                                               web-proxy store   <-------    
 7 usb1/lost+found                                                directory      

Notes:

  • This example shows how to configure caching for versions starting from v6.20, as stores are now located in the file menu as directories.


Check if cache is working:

[admin@MikroTik] > ip proxy monitor
                 status: running
                 uptime: 2w20h28m25s
     client-connections: 15
     server-connections: 7
               requests: 79772
                   hits: 30513
             cache-used: 481KiB
         total-ram-used: 1207KiB
  received-from-servers: 4042536KiB
        sent-to-clients: 4399757KiB
   hits-sent-to-clients: 176934KiB

Menu Specific commands
Access List

The access list is configured like regular firewall rules. Rules are processed from the top to the bottom, and the first matching rule decides what to do with the connection. There is a total of 6 classifiers that specify matching constraints. If none of these classifiers is specified, the rule will match every connection.

If connection is matched by a rule, action property of this rule specifies whether connection will be allowed or not. If the particular connection does not match any rule, it will be allowed.

Wildcard properties (dst-host and dst-path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character). Regular expressions are also accepted here, but if the property should be treated as a regular expression, it should start with a colon (':').


Small hints in using regular expressions:


  • \\ symbol sequence is used to enter \ character in console
  • \. pattern means . only (in regular expressions single dot in pattern means any symbol)
  • to show that no symbols are allowed before the given pattern, we use ^ symbol at the beginning of the pattern
  • to specify that no symbols are allowed after the given pattern, we use $ symbol at the end of the pattern
  • to enter [ or ] symbols, you should escape them with backslash \.
  • It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal-use-only (intranet) web servers. Also, consult examples in Firewall Manual on how to protect your router.



Direct Access

If the parent-proxy property is specified, it is possible to tell the proxy server whether to try to pass the request to the parent proxy or to resolve it by connecting to the requested server directly. The Direct Access List is managed just like the Proxy Access List described in the previous chapter, except for the action argument.

Unlike the access list, the direct access list has a default action of deny. It applies when no rules are specified or when a particular request did not match any rule.
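The access-list semantics described in the "Proxy based firewall" section and repeated in "Access List" above (top-to-bottom scan, first match decides, an absent classifier matches everything, wildcard patterns must cover the whole string, ':'-prefixed patterns are regular expressions, default allow) plus the default-deny of the direct access list, as an added example that is not code from RouterOS. The rule set models the /ip proxy access commands given earlier; the IPs, hosts and paths fed to it are constructed. The text does not spell out what allow and deny mean in the direct access list beyond its default, so the model reproduces only that default.

```python
# Added example, not code from RouterOS: a model of the proxy access list
# semantics described above: rules scanned top to bottom, first match decides,
# an unspecified classifier matches everything, wildcard patterns must match the
# whole string, ':'-prefixed patterns are regular expressions, and the default
# action is allow for the access list and deny for the direct-access list.
# The rules and requests below are constructed from the examples in the text.
import ipaddress
import re

def compile_pattern(pattern):
    """':' prefix -> regular expression, searched anywhere unless anchored with ^/$.
    Otherwise a wildcard: '*' any run of characters, '?' exactly one character,
    and the pattern must cover the complete string."""
    if pattern.startswith(":"):
        return re.compile(pattern[1:])
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def pattern_matches(pattern, value):
    return compile_pattern(pattern).search(value) is not None

def rule_matches(rule, src_ip, dst_host, path, method):
    """Every classifier present in the rule must match; absent ones match anything."""
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if "dst-host" in rule and not pattern_matches(rule["dst-host"], dst_host):
        return False
    if "path" in rule and not pattern_matches(rule["path"], path):
        return False
    if "method" in rule and rule["method"].upper() != method.upper():
        return False
    return True

class AccessList:
    """First matching rule wins; `default` applies when nothing matches."""
    def __init__(self, rules, default="allow"):
        for rule in rules:
            if rule.get("action") not in ("allow", "deny"):
                raise ValueError("rule needs action=allow|deny: %r" % (rule,))
        self.rules = list(rules)
        self.default = default

    def decide(self, src_ip, dst_host, path="/", method="GET"):
        for rule in self.rules:
            if rule_matches(rule, src_ip, dst_host, path, method):
                return rule["action"]
        return self.default

# Rules equivalent to the /ip proxy access examples in the text.
PROXY_ACCESS = AccessList([
    {"src-address": "192.168.1.0/24", "dst-host": "www.facebook.com", "action": "deny"},
    {"dst-host": ":mail", "action": "deny"},   # regex: 'mail' anywhere in the host
    {"path": "*.flv", "action": "deny"},
    {"path": "*.exe", "action": "deny"},
])

# Direct-access list: same matching, but the default is deny (constructed rule).
DIRECT_ACCESS = AccessList([
    {"dst-host": "*.example.com", "action": "allow"},
], default="deny")

if __name__ == "__main__":
    for req in (("192.168.1.10", "www.facebook.com", "/"),
                ("10.0.0.5", "www.facebook.com", "/"),
                ("10.0.0.5", "mail.yahoo.com", "/"),
                ("10.0.0.5", "www.example.com", "/clips/video.flv"),
                ("10.0.0.5", "www.example.com", "/index.html")):
        print(req, "->", PROXY_ACCESS.decide(*req))
```

Note the difference between the two pattern kinds: dst-host=example never matches example.com because a wildcard pattern must cover the whole string, while dst-host=:mail matches anywhere unless you anchor it with ^ or $ as the hints above describe.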

HTTP Methods
OPTIONS
This method is a request for information about the communication options available on the chain between the client and the server identified by the Request-URI. It allows the client to determine the options and/or the requirements associated with a resource without initiating any resource retrieval.

GET
This method retrieves whatever information is identified by the Request-URI. If the Request-URI refers to a data-producing process, then the response to the GET method should contain the data produced by the process, not the source code of the process procedure(s), unless that source is the result of the process.

The GET method can become a conditional GET if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. The conditional GET method is used to reduce the network traffic specifying that the transfer of the entity should occur only under circumstances described by conditional header field(-s).

The GET method can become a partial GET if the request message includes a Range header field. The partial GET method intends to reduce unnecessary network usage by requesting only parts of entities without transferring data already held by client.

The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching.

HEAD
This method shares all features of GET method except that the server must not return a message-body in the response. This retrieves the metainformation of the entity implied by the request which leads to a wide usage of it for testing hypertext links for validity, accessibility, and recent modification.

The response to a HEAD request may be cacheable in the way that the information contained in the response may be used to update previously cached entity identified by that Request-URI.

POST
This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI.

The actual action performed by the POST method is determined by the origin server and usually is Request-URI dependent.

Responses to POST method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

PUT
This method requests that the enclosed entity be stored under the supplied Request-URI. If another entity exists under specified Request-URI, the enclosed entity should be considered as updated (newer) version of that residing on the origin server. If the Request-URI is not pointing to an existing resource, the origin server should create a resource with that URI.


If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries should be treated as stale. Responses to this method are not cacheable.


TRACE
This method invokes a remote, application-layer loop-back of the request message. The final recipient of the request should reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of 0 in the request. A TRACE request must not include an entity.


Mikrotik PPPOE

The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management, network management and accounting benefits to ISPs and network administrators. Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The difference between them is expressed in transport method: PPPoE employs Ethernet instead of serial modem connection.

Generally speaking, PPPoE is used to hand out IP addresses to clients based on authentication by username (and also if required, by workstation) as opposed to workstation only authentication where static IP addresses or DHCP are used. It is advised not to use static IP addresses or DHCP on the same interfaces as PPPoE for obvious security reasons.

The PPPoE client and server work over any Layer2 Ethernet level interface on the router - wireless 802.11 (Aironet, Cisco, WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP tunnel).

Feature list

  • PPPoE server and client support;
  • Multilink PPP (MLPPP);
  • MLPPP over single link (ability to transmit full-sized frames);
  • BCP (Bridge Control Protocol) support - allows sending of raw Ethernet frames over PPP links;
  • MPPE 40bit and MPPE 128bit RSA encryption;
  • pap, chap, mschap v1/v2 authentication;
  • RADIUS support for client authentication and accounting.


Note that when a RADIUS server is authenticating a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the RADIUS protocol does not use the shared secret in the request; it is used only in the authentication reply. So if you have a wrong shared secret, the RADIUS server will still accept the request. You can use the /radius monitor command to see the bad-replies parameter; this value should increase whenever a client tries to connect.

Supported connections:


  • MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
  • MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all operating systems and most routers)

Specifications

  • Packages required: ppp
  • License required: Level1 (limited to 1 interface) , Level3 (limited to 200 interfaces) , Level4 (limited to 200 interfaces) , Level5 (limited to 500 interfaces) , Level6 (unlimited)
  • Submenu level: /interface pppoe-server, /interface pppoe-client
  • Standards and Technologies: PPPoE 
  • Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of 65535 connections is supported.

Quick Setup Guide
To configure MikroTik RouterOS to be a PPPoE client, just add a pppoe-client:

/interface pppoe-client
  add name=pppoe-user-mike user=user password=passwd interface=wlan1 \
  service-name=internet disabled=no
To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server):


  • add an address pool for the clients from 10.1.1.62 to 10.1.1.72;
  • add ppp profile;
  • add ppp secret (username/password);
  • add pppoe server itself.

/ip pool
add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72

/ppp profile
add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool

/ppp secret
add name=user password=passwd service=pppoe profile=pppoe-profile

/interface pppoe-server server
add service-name=internet interface=wlan1 default-profile=pppoe-profile disabled=no

PPPoE Operation
Stages
PPPoE has two stages:

Discovery stage - a client discovers all available access concentrators and selects one of them to establish a PPPoE session. This stage has four steps: initialization, offer, request and session confirmation. PPPoE Discovery uses special Ethernet frames with their own Ethernet frame type 0x8863.

To initiate discovery, PPPoE client sends PADI frame to the broadcast Ethernet address (FF:FF:FF:FF:FF:FF) and optionally may specify a service name.

When server receives PADI frame, it responds with PADO frame to Client's unicast Ethernet address. There can be more than one server in broadcast range of the client. In such case client collects PADO frames and picks one (in most cases it picks the server which responds first) to start session.

The client sends a PADR frame to the unicast Ethernet address of the server it chose. If the server agrees to set up a session with this particular client, it allocates resources to set up the PPP session and assigns a Session ID number. This number is sent back to the client in a PADS frame. When the client receives the PADS frame, it knows the server's MAC address and the Session ID; it allocates resources and the session can begin.

Session stage - when the discovery stage is completed, both peers know the PPPoE Session ID and the other peer's Ethernet (MAC) address, which together define the PPPoE session. PPP frames are encapsulated in PPPoE session frames, which have Ethernet frame type 0x8864.
When the server sends the confirmation and the client receives it, the PPP Session stage starts, which consists of the following steps:

  • LCP negotiation
  • Authentication
  • IPCP negotiation - where client is assigned an IP address.


The PPPoE server sends LCP Echo-Request packets to the client to determine the state of the session (see keepalive-timeout); otherwise the server would not be able to detect that a session has been terminated when the client goes away without sending a Terminate-Request packet.
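The discovery exchange above, worked through in code. This is an added example and not RouterOS code: a small PPPoE discovery frame builder/parser plus a toy access concentrator and client. The MAC addresses, AC-Name and service names are made up. It also shows why the service name matters (see the Windows XP note in the server setup section): a PADI with an empty Service-Name is answered with a PADO, as RFC 2516 requires, but a PADR that requests a service the concentrator does not offer is refused with a PADS carrying a Service-Name-Error tag; one_session_per_host mirrors the RouterOS option by replacing an existing session from the same MAC.

```python
"""PPPoE Discovery (EtherType 0x8863): a frame builder/parser plus a toy access
concentrator and client walking through PADI -> PADO -> PADR -> PADS. Added example
for this page, not RouterOS code; MACs, AC-Name and service names are constructed."""
import struct

ETH_P_PPPOE_DISC = 0x8863
BROADCAST = bytes.fromhex("ffffffffffff")
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65               # RFC 2516 codes
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_SERVICE_NAME_ERROR = 0x0103, 0x0201


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (VER=1, TYPE=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETH_P_PPPOE_DISC)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)


def parse_frame(frame):
    """Parse a discovery frame; rejects wrong EtherType, VER/TYPE and truncation."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE Discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE VER/TYPE")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[off:off + 4])
        if t == TAG_EOL:
            break
        if off + 4 + l > len(payload):
            raise ValueError("tag overruns payload")
        tags.append((t, payload[off + 4:off + 4 + l]))
        off += 4 + l
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


def get_tag(parsed, tag_type):
    return next((v for t, v in parsed["tags"] if t == tag_type), None)


class AccessConcentrator:
    """Answers PADI for its own service or an empty Service-Name (RFC 2516: 'any
    service') and allocates a Session ID on PADR. one_session_per_host mirrors the
    RouterOS option: a new PADR from a MAC that already has a session replaces it."""
    def __init__(self, mac, ac_name, service_name, one_session_per_host=True):
        self.mac, self.ac_name, self.service_name = mac, ac_name, service_name
        self.one_session_per_host = one_session_per_host
        self.sessions, self.next_sid = {}, 1                  # Session ID -> client MAC

    def handle(self, frame):
        p = parse_frame(frame)
        wanted = get_tag(p, TAG_SERVICE_NAME)
        if wanted is None:                # RFC 2516: exactly one Service-Name tag is required
            return None
        host_uniq = get_tag(p, TAG_HOST_UNIQ)
        echo = [(TAG_HOST_UNIQ, host_uniq)] if host_uniq is not None else []
        if p["code"] == PADI and p["dst"] == BROADCAST:
            if wanted not in (b"", self.service_name):
                return None                                  # not our service: stay silent
            # PADO must echo the requested Service-Name and may list what else we offer.
            tags = [(TAG_AC_NAME, self.ac_name), (TAG_SERVICE_NAME, wanted)]
            if wanted != self.service_name:
                tags.append((TAG_SERVICE_NAME, self.service_name))
            return build_frame(p["src"], self.mac, PADO, 0, tags + echo)
        if p["code"] == PADR and p["dst"] == self.mac:
            if wanted != self.service_name:
                # Refuse with a PADS carrying Service-Name-Error and Session ID 0.
                return build_frame(p["src"], self.mac, PADS, 0,
                                   [(TAG_SERVICE_NAME, wanted), (TAG_SERVICE_NAME_ERROR, b"")] + echo)
            if self.one_session_per_host:
                for sid in [s for s, mac in self.sessions.items() if mac == p["src"]]:
                    del self.sessions[sid]
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.sessions[sid] = p["src"]
            return build_frame(p["src"], self.mac, PADS, sid, [(TAG_SERVICE_NAME, wanted)] + echo)
        return None


def client_discover(client_mac, service_name, acs):
    """Broadcast a PADI, take the first PADO, send a PADR to that AC.
    Returns (session_id, ac_mac), or None if nobody answered or the AC refused."""
    padi = build_frame(BROADCAST, client_mac, PADI, 0,
                       [(TAG_SERVICE_NAME, service_name), (TAG_HOST_UNIQ, b"\x00\x01")])
    offers = [o for o in (ac.handle(padi) for ac in acs) if o is not None]
    if not offers:
        return None
    pado = parse_frame(offers[0])                            # "first responder wins"
    ac = next(a for a in acs if a.mac == pado["src"])
    padr = build_frame(ac.mac, client_mac, PADR, 0,
                       [(TAG_SERVICE_NAME, service_name), (TAG_HOST_UNIQ, b"\x00\x01")])
    pads = parse_frame(ac.handle(padr))
    if pads["session_id"] == 0 or get_tag(pads, TAG_SERVICE_NAME_ERROR) is not None:
        return None
    return pads["session_id"], pads["src"]
```

Run `client_discover(mac, b"internet", [ac])` against an `AccessConcentrator` serving `b"internet"` and a second call from the same MAC replaces the first session, just as one-session-per-host does; a client asking for `b""` gets an offer but is refused at PADR unless the concentrator's service name is itself empty.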

MTU
Typically, the largest Ethernet payload that can be transmitted without fragmentation is 1500 bytes. PPPoE adds another 6 bytes of header and the PPP protocol field adds two more bytes, leaving 1492 bytes for the IP datagram. Therefore the PPPoE MRU and MTU values must not be larger than 1492.

TCP stacks try to avoid fragmentation, so they use an MSS (Maximum Segment Size). By default the MSS is chosen as the MTU of the outgoing interface minus the usual size of the TCP and IP headers (40 bytes), which results in 1460 bytes for an Ethernet interface. Unfortunately there may be intermediate links with a lower MTU which will cause fragmentation. In such case the TCP stack performs path MTU discovery. Routers which cannot forward the datagram without fragmentation are supposed to drop the packet and send an ICMP Fragmentation-Required message to the originating host. When the host receives such an ICMP packet, it lowers the MTU for that path. This works in the ideal world; in the real world many routers do not generate fragmentation-required messages, and many firewalls drop all ICMP.

The workaround for this problem is to adjust the MSS if it is too big. By default (change-tcp-mss=yes in the PPP profile) RouterOS adds dynamic mangle rules that intercept TCP SYN packets and silently adjust any advertised MSS option so that it fits the PPPoE link.
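MSS clamping as described above, worked through on a constructed packet. This is an added example and not RouterOS code: it parses an IPv4 TCP SYN, walks the TCP options, rewrites an MSS that exceeds the link MTU minus 40 bytes (1452 for a 1492-byte PPPoE link) and recomputes the TCP checksum, which is what a mangle rule of this kind has to do on every SYN. The addresses and ports are made up.

```python
"""TCP MSS clamping, the fix RouterOS applies with change-tcp-mss=yes: parse an
IPv4 TCP SYN, and if the advertised MSS is larger than the link MTU minus 40
bytes of IP+TCP headers, rewrite the option and recompute the TCP checksum.
Added example for this page, not RouterOS code; the SYN below is constructed."""
import struct


def ones_complement_sum(data):
    """RFC 1071 checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header (protocol 6) and the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def tcp_checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet, link_mtu):
    """Return (packet, old_mss, new_mss). Only TCP SYNs carrying an MSS option are
    touched; non-TCP, non-SYN or no-MSS packets come back unchanged as (None, None)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                               # not TCP
        return packet, None, None
    tcp = bytearray(packet[ihl:])
    data_off = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02:                           # SYN flag clear
        return packet, None, None
    max_mss = link_mtu - 40                          # 20 IP + 20 TCP
    off = 20
    while off < data_off:
        kind = tcp[off]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP
            off += 1
            continue
        length = tcp[off + 1]
        if length < 2 or off + length > data_off:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:                # MSS
            old = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if old <= max_mss:
                return packet, old, old
            tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
            tcp[16:18] = b"\x00\x00"                 # zero the checksum before recomputing
            tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
            return bytes(packet[:ihl]) + bytes(tcp), old, max_mss
        off += length
    return packet, None, None


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed IPv4 SYN with MSS, two NOPs and SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      (tcp_len // 4) << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp
```

`clamp_mss(build_syn(src, dst, 40000, 443, 1460), 1492)` returns the rewritten packet with MSS 1452 and a valid checksum; a SYN that already advertises 1400 or a non-SYN segment is passed through untouched, which is exactly the behaviour wanted from the mangle rule.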

PPPoE Server Setup (Access Concentrator)

The PPPoE server (access concentrator) supports multiple servers for each interface - with differing service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.

The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.

Note that if no service name is specified in the Windows XP client, it will only accept a service with an empty name! So if you want to serve Windows XP clients without configuring a service name on them, leave the server's service-name empty.

Specifying MRRU means enabling MP (Multilink PPP) over a single link. This protocol is used to split big packets into smaller ones. Under Windows it can be enabled in the Networking tab, Settings button, "Negotiate multi-link for single link connections". Their MRRU is hardcoded to 1614. This setting is useful to overcome Path MTU discovery failures. The MP setting should be enabled on both peers.

Example
To add a PPPoE server on the ether1 interface with service-name "ex", allowing only one connection per host (note that the entry is added disabled, flag X, because disabled=no was not given):

[admin@MikroTik] interface pppoe-server server> add interface=ether1 service-name=ex
  one-session-per-host=yes
[admin@MikroTik] interface pppoe-server server> print
Flags: X - disabled
  0 X service-name="ex" interface=ether1 mtu=1480 mru=1480 mrru=disabled
      authentication=mschap2,mschap,chap,pap keepalive-timeout=10
      one-session-per-host=yes max-sessions=0 default-profile=default
[admin@MikroTik] interface pppoe-server server>

PPPoE Server

There are two types of interface (tunnel) items in the PPPoE server configuration - static users and dynamic connections. An interface is created for each tunnel established to the given server. Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user. Dynamic interfaces are added to this list automatically whenever a user connects and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name - set one-session-per-host if this is a problem). Dynamic interfaces appear when a user connects and disappear once the user disconnects, so the tunnel created for that user cannot be referenced in router configuration (for example, in the firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use the dynamic configuration. Note that in both cases PPP users must be configured properly - static entries do not replace PPP configuration.

Property Description

  • encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
  • mru (read-only: integer) - client's MRU
  • mtu (read-only: integer) - client's MTU
  • name (name) - interface name
  • remote-address (read-only: MAC address) - MAC address of the connected client
  • service (name) - name of the service the user is connected to
  • uptime (read-only: time) - shows how long the client is connected
  • user (name) - the name of the connected user (must be present in the user database anyway)

Example
To view the currently connected users:

[admin@MikroTik] interface pppoe-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       USER      SERVICE   REMOTE... ENCODING  UPTIME
 0  DR <pppoe-ex> user      ex        00:0C:... MPPE12... 40m45s
[admin@MikroTik] interface pppoe-server>
To disconnect the user "user" (connected to service "ex") shown above, remove its dynamic interface:

[admin@MikroTik] interface pppoe-server> remove [find user=user]
[admin@MikroTik] interface pppoe-server> print
[admin@MikroTik] interface pppoe-server>

Application Examples

PPPoE in a multipoint wireless 802.11g network
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500. It is not discussed here, how to change the MTU of the Windows wireless interface.

Let us consider the following setup where the MikroTik Wireless AP offers wireless clients transparent access to the local network with authentication:


First of all, the wireless interface should be configured:

[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
   frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running
 0 X  name="wlan1" mtu=1500 mac-address=00:0C:42:18:5C:3D arp=enabled
      interface-type=Atheros AR5413 mode=ap-bridge ssid="mt" frequency=2442
      band=2.4ghz-b/g scan-list=default antenna-mode=ant-a wds-mode=disabled
      wds-default-bridge=none wds-ignore-ssid=no default-authentication=yes
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
      hide-ssid=no security-profile=default compression=no
[admin@PPPoE-Server] interface wireless>

Now, configure the Ethernet interface, add the IP address and set the default route. The Local interface is also set to arp=proxy-arp: the PPPoE clients will receive addresses from the same 10.1.0.0/24 network as Local (see the pool below), so the router must answer ARP requests for them on the LAN side:

[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.3/24        10.1.0.0        10.1.0.255      Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTER...
 0 ADC  10.1.0.0/24        10.1.0.3                          0        Local
 1 A S  0.0.0.0/0                          r 10.1.0.1        1        Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
 #    NAME                                   MTU   MAC-ADDRESS       ARP
 0  R Local                                  1500  00:0C:42:03:25:53 proxy-arp
[admin@PPPoE-Server] interface ethernet>

We should add PPPoE server to the wireless interface:

[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
   service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
 0   service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480 mrru=disabled
     authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>

Finally, we can set up PPPoE clients:

[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
 # NAME                                         RANGES
 0 pppoe                                        10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
   local-address=10.1.0.3 remote-address=pppoe
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
 0 * name="default" local-address=10.1.0.3 remote-address=pppoe
     use-compression=no use-vj-compression=no use-encryption=yes only-one=no
     change-tcp-mss=yes

 1 * name="default-encryption" use-compression=default
     use-vj-compression=default use-encryption=yes only-one=default
     change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
 #   NAME        SERVICE CALLER-ID PASSWORD  PROFILE            REMOTE-ADDRESS
 0   w           pppoe             wkst      default            0.0.0.0
 1   l           pppoe             ltp       default            0.0.0.0
[admin@PPPoE-Server] ppp secret>

We have now completed the configuration and added two users: w and l who are able to connect to Internet, using PPPoE client software.

Note that Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned to support Windows clients older than Windows XP, it is recommended not to require encryption. In either case, the server is able to support clients that cannot encrypt the data.

Troubleshooting

  • I can connect to my PPPoE server. I can even ping through it, but I still cannot open web pages

Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp profile the dns-server parameter).


  • The PPPoE server shows more than one active user entry for one client, when the clients disconnect, they are still shown and active

Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if you want clients to be considered logged off if they do not respond for 10 seconds.

Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP profile settings) is set to 'yes', then the clients may be able to connect only once. To resolve this problem set the one-session-per-host parameter in the PPPoE server configuration to 'yes'.


  • My Windows XP client cannot connect to the PPPoE server

The "Service Name" in the properties of the XP PPPoE client must match the service-name of the MikroTik PPPoE server (an empty client service name matches only an empty server service-name). If they do not match, you get "line is busy" errors, or the system shows "verifying password - unknown error".


  • I want to have logs for PPPoE connection establishment

Configure the logging feature under the /system logging facility and enable the PPP type logs.

BCP Bridging ( PPP Tunnel Bridging )

RouterOS supports BCP (Bridge Control Protocol) for PPP, PPTP, L2TP and PPPoE interfaces. BCP allows Ethernet frames to be bridged through the PPP link. An established BCP is an independent part of the PPP tunnel: it is not related to any IP address of the PPP interface, and bridging and routing can happen at the same time independently. BCP can be used instead of EoIP over a VPN tunnel, or instead of a WDS link over a wireless network.

BCP (Bridge Control Protocol) must be enabled on both sides (PPP server and PPP client) to work. MikroTik RouterOS can be used with other PPP devices that support BCP according to the standards, but BCP must be enabled on them as well.

Configuration Example

We need to interconnect two remote offices and make them one Ethernet network, with encryption to protect the data exchanged between the two offices. Let's see how this is possible with a PPTP tunnel and BCP.

Configuration Diagram

The configuration is simple. We have two remotely located offices. Office 1 is going to be used as the PPTP server, Office 2 as the PPTP client. Below you will see how to set up the configuration using Winbox and the CLI.

BCP Configuration (CLI)

Office 1 configuration

First we need to create a bridge interface and make sure that the bridge will always have the MAC address of an existing interface. The reason is simple - when BCP is used, the PPP bridge port does not have any MAC address.

/interface bridge add name=bridge_local protocol-mode=rstp
/interface bridge port add bridge=bridge_local interface=ether1_local
/interface bridge set bridge_local admin-mac=xx:xx:xx:xx:xx:xx
# where xx:xx:xx:xx:xx:xx is the MAC address of the ether1_local interface
Now we can assign local and public addresses to proper interfaces.

/ip address add address=192.168.88.1/24 interface=bridge_local
/ip address add address=1.1.1.1/24 interface=ether2_public
If you use PPP only for bridging, configuration of the ppp profile and secret is very easy - just assign a user name and password in the secret and specify the bridge option in the profile.

/ppp profile add name=ppp_bridging bridge=bridge_local use-encryption=yes
/ppp secret add profile=ppp_bridging name=ppp1 password=ppp1
When bridging, the PPP tunnel needs to pass packets with the Layer-2 (MAC) header included, so the default interface MTU (1460 in the case of PPTP) is not sufficient for this task. To ensure proper operation it is suggested to override the value by setting the MRRU option in the server settings to a higher value.

MRRU enables multi-link support over a single link: large packets are split into multiple fragments, therefore increasing the possible MTU and MRU (up to 65535 bytes).

/interface pptp-server server set enabled=yes mrru=1600

Office 2 configuration

First we need to create a bridge interface and make sure that the bridge will always have the MAC address of an existing interface. The reason is simple - when BCP is used, the PPP bridge port does not have any MAC address.

/interface bridge add name=bridge_local protocol-mode=rstp
/interface bridge port add bridge=bridge_local interface=ether1_local
/interface bridge set bridge_local admin-mac=xx:xx:xx:xx:xx:xx
# where xx:xx:xx:xx:xx:xx is the MAC address of the ether1_local interface
Assign local and public addresses to the proper interfaces.

/ip address add address=192.168.88.254/24 interface=bridge_local
/ip address add address=2.2.2.2/24 interface=ether2_public
Configure the ppp profile so it corresponds to the profile used on the server side.

/ppp profile add name=ppp_bridging bridge=bridge_local use-encryption=yes
Create a pptp-client interface. Do not forget to specify the MRRU option to ensure that bridged frames get through the ppp tunnel.

/interface pptp-client
add profile=ppp_bridging mrru=1600 connect-to=1.1.1.1 user=ppp1 password=ppp1 disabled=no

BCP Configuration (Winbox)

Office 1 Configuration

Bridge Configuration:

  • Add Bridge,
  • Add Bridge Port,
  • Add Bridge MAC-address,
  • Assign IP addresses,
  • Create PPP profile for bridging,
  • Add PPP secret,
  • Enable PPTP-server,

Office 2 Configuration
The client router configuration is the same, except that you need to configure and enable the PPTP client,

  • Add PPTP client,

Mikrotik L2TP

L2TP is a tunnel protocol for transporting IP traffic using PPP. L2TP encapsulates PPP in virtual lines that run over IP, Frame Relay and other protocols (which are not currently supported by MikroTik RouterOS). L2TP by itself provides no encryption; RouterOS combines it with MPPE (Microsoft Point to Point Encryption) inside PPP to make encrypted links, and it can be run over IPsec (see below). The purpose of this protocol is to allow the Layer 2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. With L2TP, a user has a Layer 2 connection to an access concentrator - LAC (e.g., modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels individual PPP frames to the Network Access Server - NAS. This allows the actual processing of PPP packets to be separated from the termination of the Layer 2 circuit. From the user's perspective, there is no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP.

It may also be useful to use L2TP just as any other tunneling protocol, with or without encryption. The L2TP standard says that the most secure way to protect the data is L2TP over IPsec (note that this is the default mode of the Microsoft L2TP client), since all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP datagrams to the IPsec system.

Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500 and larger packets) and bridging over PPP links (using Bridge Control Protocol (BCP) that allows to send raw Ethernet frames over PPP links). This way it is possible to setup bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.

L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported. Both are RC4-based and keyed from the MS-CHAP exchange, so for real confidentiality run L2TP over IPsec rather than relying on MPPE alone.

L2TP uses UDP for both control and data packets. UDP port 1701 is the well-known port the server is reached on when the tunnel is established; the initiator sends from any free port and, per the L2TP standard, the responder may also move to another free port for the rest of the tunnel (which may or may not be 1701). This means that L2TP can be used with most firewalls and routers (even with NAT) by allowing the UDP traffic through the firewall or router.
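A parser for the L2TPv2 packets that arrive on UDP 1701, as an added example that is not RouterOS code. It separates control messages (decoding their type, SCCRQ, SCCRP, HELLO and so on, from the Message Type AVP) from data packets carrying PPP. The same logic serves the L2TP/IPsec setup later on this page: an SCCRQ seen in the clear on UDP 1701 is a tunnel being negotiated outside IPsec, which is what you would look for if the firewall accepts UDP 1701 unconditionally. The SCCRQ and data packet samples are constructed.

```python
"""L2TPv2 (RFC 2661) header and AVP parser for payloads seen on UDP 1701: tells
control messages (SCCRQ, SCCRP, HELLO, ...) from data packets carrying PPP.
Added example for this page, not RouterOS code; the sample packets are constructed."""
import struct

CONTROL_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 7, 9


def parse_avps(body):
    """AVP header: M bit, H bit, 4 reserved bits, 10-bit length (includes the header)."""
    avps, off = [], 0
    while off < len(body):
        if off + 6 > len(body):
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack("!HHH", body[off:off + 6])
        length = hdr & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(hdr & 0x8000), "hidden": bool(hdr & 0x4000),
                     "vendor": vendor, "attr": attr, "value": body[off + 6:off + length]})
        off += length
    return avps


def parse_l2tp(data):
    """Header fields plus, for control messages, the AVPs and decoded message type;
    for data packets, the raw PPP payload."""
    if len(data) < 6:
        raise ValueError("too short for L2TP")
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2 (version %d)" % (flags & 0x000F))
    is_control = bool(flags & 0x8000)                  # T bit
    has_len, has_seq, has_off = bool(flags & 0x4000), bool(flags & 0x0800), bool(flags & 0x0200)
    if is_control and not (has_len and has_seq):
        raise ValueError("control message without L and S bits")
    need = 2 + 2 * has_len + 4 + 4 * has_seq + 2 * has_off
    length = struct.unpack("!H", data[2:4])[0] if has_len else len(data)
    if length > len(data) or need > length:
        raise ValueError("truncated L2TP header")
    off = 4 if has_len else 2
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    off += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if has_off:                                        # Offset Size field, then padding
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
        if off > length:
            raise ValueError("offset runs past packet")
    info = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr}
    body = data[off:length]
    if not is_control:
        info["ppp"] = body
        return info
    info["avps"] = parse_avps(body)
    mt = next((a["value"] for a in info["avps"]
               if a["vendor"] == 0 and a["attr"] == AVP_MESSAGE_TYPE), None)
    if mt is None:                                     # no AVPs at all = ZLB acknowledgement
        info["message"] = "ZLB" if not info["avps"] else "unknown"
    else:
        info["message"] = CONTROL_TYPES.get(struct.unpack("!H", mt)[0], "unknown") if len(mt) == 2 else "unknown"
    return info


def build_avp(attr, value, mandatory=True, vendor=0):
    hdr = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", hdr, vendor, attr) + value


def build_control(tunnel_id, session_id, ns, nr, avps):
    """T=1, L=1, S=1, version 2 -> flags 0xC802; Length covers the whole message."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def summarize(data):
    """One-line classification of a UDP/1701 payload, e.g. for a detection log."""
    try:
        info = parse_l2tp(data)
    except ValueError as exc:
        return "not L2TPv2: %s" % exc
    if info["control"]:
        return "L2TP control %s tunnel=%d session=%d ns=%d nr=%d" % (
            info["message"], info["tunnel_id"], info["session_id"], info["ns"], info["nr"])
    return "L2TP data tunnel=%d session=%d ppp_bytes=%d" % (
        info["tunnel_id"], info["session_id"], len(info["ppp"]))


# Constructed samples: the SCCRQ a client sends to open a tunnel, and one data packet
# (tunnel 5, session 7) carrying an LCP Configure-Request with HDLC address/control.
SAMPLE_SCCRQ = build_control(0, 0, 0, 0, [
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1)),
    build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
    build_avp(AVP_HOST_NAME, b"Home"),
    build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7)),
])
SAMPLE_DATA = struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\xc0\x21\x01\x01\x00\x04"
```

`summarize(SAMPLE_SCCRQ)` yields `L2TP control SCCRQ tunnel=0 session=0 ns=0 nr=0`; a control message with no AVPs is reported as ZLB (the bare acknowledgement), and anything that is not version 2 is rejected rather than guessed at.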

Quick example

This example demonstrates how to set up L2TP client with username "l2tp-hm", password "123" and server 10.1.101.100

[admin@dzeltenais_burkaans] /interface l2tp-client>add name=l2tp-hm user=l2tp-hm password=123 \
\... connect-to=10.1.101.100 disabled=no
[admin@dzeltenais_burkaans] /interface l2tp-client> print detail  
Flags: X - disabled, R - running
 0    name="l2tp-hm" max-mtu=1460 max-mru=1460 mrru=disabled
      connect-to=10.1.101.100 user="l2tp-hm" password="123"
      profile=default-encryption add-default-route=no dial-on-demand=no
      allow=pap,chap,mschap1,mschap2

L2TP Server

This sub-menu shows an interface for each connected L2TP client.

An interface is created for each tunnel established to the given server. There are two types of interfaces in L2TP server's configuration

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in router configuration (for example, in firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.

To enable L2TP server:

[admin@MikroTik] interface l2tp-server server> set enabled=yes
[admin@MikroTik] interface l2tp-server server> print
          enabled: yes
          max-mtu: 1460
          max-mru: 1460
             mrru: disabled
   authentication: pap,chap,mschap1,mschap2
  default-profile: default-encryption
[admin@MikroTik] interface l2tp-server server>

Monitoring

Monitor command can be used to monitor status of the tunnel on both client and server.

[admin@dzeltenais_burkaans] /interface l2tp-client> monitor 0
     status: "connected"
     uptime: 7h24m18s
  idle-time: 6h21m4s
   encoding: "MPPE128 stateless"
        mtu: 1460
        mru: 1460

Application Examples

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over L2TP encrypted tunnel giving that computer an IP address from the same network as the remote office has (without any need of bridging over EoIP tunnels)

Consider following setup:


Office router is connected to internet through ether1. Workstations are connected to ether2. Laptop is connected to the internet and can reach Office router's public IP (in our example it is 192.168.80.1).

First step is to create a user

[admin@RemoteOffice] /ppp secret> add name=Laptop service=l2tp password=123
local-address=10.1.101.1 remote-address=10.1.101.100
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
  0   name="Laptop" service=l2tp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes=""

[admin@RemoteOffice] /ppp secret>
Notice that L2TP local address is the same as routers address on local interface and remote address is from the same range as local network (10.1.101.0/24).


Next step is to enable L2TP server and L2TP client on the laptop.

[admin@RemoteOffice] /interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] /interface l2tp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
    default-profile: default-encryption
[admin@RemoteOffice] /interface l2tp-server server>

L2TP client from the laptop should connect to routers public IP which in our example is 192.168.80.1.
Please, consult the respective manual on how to set up a L2TP client with the software you are using.

At this point (when the L2TP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out because the laptop is unable to get ARP replies from the workstations. The solution is to set up proxy-arp on the local interface:

[admin@RemoteOffice] interface ethernet> set ether2 arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
  #    NAME                 MTU   MAC-ADDRESS         ARP
  0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
  1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
After proxy-arp is enabled client can now successfully reach all workstations in local network behind the router.

Site-to-Site L2TP

The following is an example of connecting two Intranets using a L2TP tunnel over the Internet.

Consider following setup:

Office and Home routers are connected to internet through ether1, workstations and laptops are connected to ether2. Both local networks are routed through L2TP client, thus they are not in the same broadcast domain. If both networks should be in the same broadcast domain then you need to use BCP and bridge L2TP tunnel with local interface.


First step is to create a user

[admin@RemoteOffice] /ppp secret> add name=Home service=l2tp password=123
local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
  0   name="Home" service=l2tp caller-id="" password="123" profile=default
      local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"

[admin@RemoteOffice] /ppp secret>
Notice that we set up L2TP to add route whenever client connects. If this option is not set, then you will need static routing configuration on the server to route traffic between sites through L2TP tunnel.

Next step is to enable L2TP server on the office router and configure L2TP client on the Home router.

[admin@RemoteOffice] /interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] /interface l2tp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
    default-profile: default-encryption
[admin@RemoteOffice] /interface l2tp-server server>
[admin@Home] /interface l2tp-client> add user=Home password=123 connect-to=192.168.80.1 disabled=no
[admin@Home] /interface l2tp-client> print
Flags: X - disabled, R - running
 0 R  name="l2tp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=192.168.80.1 user="Home" 
       password="123" profile=default-encryption add-default-route=no dial-on-demand=no 
       allow=pap,chap,mschap1,mschap2
[admin@Home] /interface l2tp-client>
On home router if you wish traffic for the remote office to go over tunnel you will need to add a specific static route as follows:

[admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=l2tp-out1
After tunnel is established and routes are set, you should be able to ping remote network.

L2TP/IpSec setup

This example demonstrates how to easily set up an L2TP/IPsec server on a MikroTik router (RouterOS 6.16 or newer) for road-warrior connections (works with Windows, Android and iOS clients).

First step is to enable L2TP server:

/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=mySecret default-profile=default
This enables the L2TP server and creates a dynamic IPsec peer with the specified secret:

[admin@MikroTik] /ip ipsec peer> print 
 0  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 
      auth-method=pre-shared-key secret="mySecret" generate-policy=port-strict 
      exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes 
      hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 
      dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

Next step is to create VPN pool and add some users.

/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.100

/ppp profile
set default local-address=192.168.99.1 remote-address=vpn-pool

/ppp secret
add name=user1 password=123
add name=user2 password=234
If there are strict firewall policies, do not forget to add rules which accept L2TP and IPsec:

/ip firewall filter
add chain=input protocol=udp dst-port=1701,500,4500 action=accept
add chain=input protocol=ipsec-esp action=accept
Note that the first rule also accepts plain L2TP on UDP 1701 that did not arrive inside IPsec. If only IPsec-protected L2TP should be accepted, put UDP 1701 in its own rule and match it with ipsec-policy=in,ipsec (on RouterOS versions that have this matcher), keeping IKE (500, 4500) and ESP in separate rules.
Now the router is ready to accept L2TP/IPsec client connections.

PPTP

PPTP is a tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows). Note that MPPE (RC4) keyed from MS-CHAP authentication is no longer considered strong protection; where confidentiality matters, prefer L2TP/IPsec and treat PPTP as a legacy option.

Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500 and larger packets) and bridging over PPP links (using Bridge Control Protocol (BCP) that allows the sending of raw Ethernet frames over PPP links). This way it is possible to setup bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router.

PPTP connections may be limited or impossible to setup though a masqueraded/NAT IP connection. Please see the Microsoft and RFC links listed below for more information.

Quick example
This example demonstrates how to set up PPTP client with username "pptp-hm", password "123" and server 10.1.101.100

/interface pptp-client add name=pptp-hm user=pptp-hm password=123 connect-to=10.1.101.100 disabled=no
/interface pptp-client print detail  
Flags: X - disabled, R - running
 0    name="pptp-hm" max-mtu=1460 max-mru=1460 mrru=disabled
      connect-to=10.1.101.100 user="pptp-hm" password="123"
      profile=default-encryption add-default-route=no dial-on-demand=no
      allow=pap,chap,mschap1,mschap2

PPTP Server
Sub-menu: /interface pptp-server
This sub-menu shows an interface for each connected PPTP client.

An interface is created for each tunnel established to the given server. There are two types of interfaces in PPTP server's configuration

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in router configuration (for example, in firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.

To enable PPTP server:

/interface pptp-server server set enabled=yes
/interface pptp-server server print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2,mschap1
  keepalive-timeout: 30
    default-profile: default
Monitoring
Monitor command can be used to monitor status of the tunnel on both client and server.

/interface pptp-client monitor 0
     status: "connected"
     uptime: 7h24m18s
  idle-time: 6h21m4s
   encoding: "MPPE128 stateless"
        mtu: 1460
        mru: 1460

Application Examples

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over a PPTP encrypted tunnel giving that computer an IP address from the same network that the remote office has (without any need of bridging over EoIP tunnels).

Consider following setup:


Office router is connected to internet through ether1. Workstations are connected to ether2. Laptop is connected to the internet and can reach Office router's public IP (in our example it is 192.168.80.1).


First step is to create a user

/ppp secret add name=Laptop service=pptp password=123 local-address=10.1.101.1 \
   remote-address=10.1.101.100
/ppp secret print detail
Flags: X - disabled
  0   name="Laptop" service=pptp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes=""
Notice that the PPTP local address is the same as the router's address on the local interface and the remote address is from the same range as the local network (10.1.101.0/24).

Next step is to enable the PPTP server and the PPTP client on the laptop.

/interface pptp-server server set enabled=yes
/interface pptp-server server print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
PPTP client from the laptop should connect to routers public IP which in our example is 192.168.80.1.
(Consult the respective manual on how to set up a PPTP client with the operating system software you are using).

At this point (when the PPTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out because the laptop is unable to get ARP replies from the workstations. The solution is to set up proxy-arp on the local interface.

/interface ethernet set Office arp=proxy-arp
/interface ethernet print
Flags: X - disabled, R - running
  #    NAME                 MTU   MAC-ADDRESS         ARP
  0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
  1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
After proxy-arp is enabled, the remote client can successfully reach all workstations in the local network behind the router.

Site-to-Site PPTP

The following is an example of connecting two Intranets using PPTP tunnel over the Internet.

Consider following setup:


Office and Home routers are connected to the internet through ether1, workstations and laptops are connected to ether2. Both local networks are routed through a PPTP client, thus they are not in the same broadcast domain. If both networks should be in the same broadcast domain then you need to use BCP and bridge the PPTP tunnel with the local interface.

First step is to create a user

/ppp secret add name=Home service=pptp password=123 local-address=172.16.1.1 \
  remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
/ppp secret print detail
Flags: X - disabled
  0   name="Home" service=pptp caller-id="" password="123" profile=default
      local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.202.0/24 172.16.1.2 1"
Notice that we set up the PPTP server's PPP secret so that a route is added automatically whenever the client connects. If this option is not set, then you will need to add static routing on the server to route traffic between the two sites through the PPTP tunnel. (See PPP User Database for more info on the routes variable).

Next step is to enable the PPTP server on the office router and configure the PPTP client on the Home router.

/interface pptp-server server set enabled=yes
/interface pptp-server server print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
/interface pptp-client add user=Home password=123 connect-to=192.168.80.1 disabled=no
/interface pptp-client print
Flags: X - disabled, R - running
 0    name="pptp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=192.168.80.1 user="Home"
       password="123" profile=default-encryption add-default-route=no dial-on-demand=no
       allow=pap,chap,mschap1,mschap2
Now we need to add the route to reach the local network behind the Home router

/ip route add dst-address=10.1.101.0/24 gateway=pptp-out1
Now, after the tunnel is established and the routes are set, you should be able to ping the remote network.

Mikrotik VLAN

Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.

You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.

As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.

You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.

802.1Q
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into Ethernet header. (see Figure 12.1.)

Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router. RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorities may also be used and manipulated.

When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and router.


Q-in-Q
Original 802.1Q allows only one vlan header, Q-in-Q on the other hand allows two or more vlan headers. In RouterOS Q-in-Q can be configured by adding one vlan interface over another. Example:

/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over 'vlan2' interface, two vlan tags will be added to ethernet header - '11' and '12'.
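To see what "two vlan tags in the ethernet header" looks like on the wire, here is an added Python example (not code from the page or from RouterOS) that builds a frame with the tags 11 and 12 and parses it back; it assumes both tags use the 0x8100 TPID, and the parser also accepts the 802.1ad 0x88A8 service tag, which goes slightly beyond the page's case.

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID; assumed for both tags, as RouterOS vlan-over-vlan does
TPID_8021AD = 0x88A8  # S-tag TPID used by 802.1ad provider bridges; accepted when parsing

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, vids, ethertype, payload, pcp=0):
    """Build an Ethernet frame carrying one 802.1Q tag per VLAN ID in `vids`,
    outermost first: [11, 12] is what leaves the page's vlan2-over-vlan1."""
    frame = _mac(dst_mac) + _mac(src_mac)
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Walk any number of stacked tags; return (dst, src, vids, ethertype, payload)."""
    dst = ":".join("%02x" % b for b in frame[0:6])
    src = ":".join("%02x" % b for b in frame[6:12])
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vids, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)  # a tag follows, read its TCI
        off += 2
        vids.append(tci & 0x0FFF)

def pop_outer_tag(frame):
    """What a vlan interface does on receive: strip the outermost tag and hand the
    rest up (vlan1 strips 11, then vlan2 strips 12). Returns (vid, inner_frame)."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if not vids:
        raise ValueError("frame is untagged")
    return vids[0], frame[:12] + frame[16:]

if __name__ == "__main__":
    # Constructed sample: a broadcast IPv4 frame leaving vlan2 (12 over 11).
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:30:4f:0b:7b:c1", [11, 12], 0x0800, b"\x45")
    print(f.hex())
    print(parse_frame(f))
```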

Simple Example
Let's assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device (if there is a hub between routers, then from the L3 point of view it is the same as an Ethernet cable connection between them). For simplification, assume that all routers are connected to the hub using the ether1 interface and have the IP addresses assigned as illustrated in the figure below. Then on each of them the VLAN interface is created.


Configuration for R2 and R4 is shown below:

R2:

[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no

[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE              
0 R  VLAN2                 1500  enabled    2       ether1

R4:

[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no

[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE              
0 R  VLAN2                 1500  enabled    2       ether1

The next step is to assign IP addresses to the VLAN interfaces.

R2:

 [admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2
 [admin@MikroTik] ip address> print
 Flags: X - disabled, I - invalid, D - dynamic
   #   ADDRESS            NETWORK         BROADCAST       INTERFACE
   0   10.0.1.4/24        10.0.1.0        10.0.1.255      ether1
   1   10.20.0.1/24       10.20.0.0       10.20.0.255     pc1
   2   10.10.10.3/24      10.10.10.0      10.10.10.255    vlan2

 [admin@MikroTik] ip address>

R4:

 [admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2
 [admin@MikroTik] ip address> print
 Flags: X - disabled, I - invalid, D - dynamic
   #   ADDRESS            NETWORK         BROADCAST       INTERFACE
   0   10.0.1.5/24        10.0.1.0        10.0.1.255      ether1
   1   10.30.0.1/24       10.30.0.0       10.30.0.255     pc2
   2   10.10.10.5/24      10.10.10.0      10.10.10.255    vlan2

[admin@MikroTik] ip address>

At this point it should be possible to ping router R4 from router R2 and vice versa:

 "Ping from R2 to R4:"

 [admin@MikroTik] ip address> /ping 10.10.10.5
 10.10.10.5 64 byte ping: ttl=255 time=4 ms
 10.10.10.5 64 byte ping: ttl=255 time=1 ms
 2 packets transmitted, 2 packets received, 0% packet loss
 round-trip min/avg/max = 1/2.5/4 ms

 "From R4 to R2:"

 [admin@MikroTik] ip address> /ping 10.10.10.3
 10.10.10.3 64 byte ping: ttl=255 time=6 ms
 10.10.10.3 64 byte ping: ttl=255 time=1 ms
 2 packets transmitted, 2 packets received, 0% packet loss
 round-trip min/avg/max = 1/3.5/6 ms

To make sure that the VLAN setup is working properly, try to ping R1 from R2. If the pings time out, the VLANs are successfully isolated.


 "From R2 to R1:"

 [admin@MikroTik] ip address> /ping 10.10.10.2
 10.10.10.2 ping timeout
 10.10.10.2 ping timeout
 3 packets transmitted, 0 packets received, 100% packet loss

Create 'trunks' and implement routing between VLANs
If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs. A switch works at OSI layer 2, so it forwards using only the Ethernet header and does not check the IP header. For this reason we must use a router that works as the gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN. The routing process between VLANs described above is called inter-VLAN communication.

To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2, VLAN3 and VLAN4) across a single link between a MikroTik router and a manageable switch that supports VLAN trunking.

Each VLAN has its own separate subnet (broadcast domain) as we see in figure above:

VLAN 2 – 10.10.20.0/24;
VLAN 3 – 10.10.30.0/24;
VLAN 4 – 10.10.40.0/24.
VLAN configuration on most switches is straightforward, basically we need to define which ports are members of the VLANs and define a 'trunk' port that can carry tagged frames between the switch and the router.

"Configuration example on MikroTik router:"

"Create VLAN interfaces:"

/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
"Add IP addresses to VLANs:"

/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4

RouterOS /32 and IP unnumbered addresses
In RouterOS, to create a point-to-point tunnel with addresses you have to use an address with a network mask of '/32', which effectively gives you the same features as some vendors' unnumbered IP address.

There are two routers, RouterA and RouterB, which are part of the networks 10.22.0.0/24 and 10.23.0.0/24 respectively. To connect these routers using VLANs as a carrier, use the following configuration:

RouterA:

 /ip address add address=10.22.0.1/24 interface=ether1
 /interface vlan add interface=ether2 vlan-id=1 name=vlan1
 /ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
 /ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24

RouterB:

 /ip address add address=10.23.0.1/24 interface=ether1
 /interface vlan add interface=ether2 vlan-id=1 name=vlan1
 /ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
 /ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24
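The following added Python model (not RouterOS code and not from the page) ties together two things the page relies on: the proxy-arp step in "Connecting Remote Client", where the Office router answers ARP requests on ether2 for the PPTP peer, and the /32 address with network= above, which installs a host route to the peer that the static route's gateway then resolves through. The tunnel interface name <pptp-Laptop> and the exact proxy-arp decision rule are assumptions.

```python
import ipaddress

def connected_routes(addresses):
    """Connected routes RouterOS derives from /ip address entries, given as
    (address/prefix, interface, network= value or None)."""
    routes = []
    for addr, iface, network in addresses:
        ip = ipaddress.ip_interface(addr)
        if ip.network.prefixlen == 32 and network:
            # /32 with network=: a host route to the peer, out of this interface
            dst = ipaddress.ip_network(network + "/32")
        else:
            dst = ip.network
        routes.append((dst, None, iface))
    return routes

def static_route(dst, gateway):
    """A static route whose gateway is an IP, resolved recursively at lookup."""
    return (ipaddress.ip_network(dst), gateway, None)

def lookup(routes, dst, depth=0):
    """Longest-prefix match; an IP gateway is looked up again until the route
    lands on an interface. Returns the egress interface name, or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates or depth > 8:   # no route, or a gateway that never resolves
        return None
    _, gateway, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return iface if iface is not None else lookup(routes, gateway, depth + 1)

def proxy_arp_answers(routes, proxy_arp_ifaces, heard_on, target):
    """Assumed model of arp=proxy-arp: answer an ARP request for `target` heard
    on `heard_on` only if that interface runs proxy-arp and the target is
    reachable through a different interface (the laptop behind the tunnel)."""
    if heard_on not in proxy_arp_ifaces:
        return False
    egress = lookup(routes, target)
    return egress is not None and egress != heard_on

# Constructed tables mirroring the page's two setups.
ROUTER_A = connected_routes([("10.22.0.1/24", "ether1", None),
                             ("10.22.0.1/32", "vlan1", "10.23.0.1")]) \
           + [static_route("10.23.0.0/24", "10.23.0.1")]

# Office router with the Laptop's PPTP session up: the dynamic local-address/32
# sits on the tunnel interface with network= set to remote-address (name assumed).
OFFICE = connected_routes([("10.1.101.1/24", "ether2", None),
                           ("10.1.101.1/32", "<pptp-Laptop>", "10.1.101.100")])
```

Dropping the network= value from the /32 entry leaves the gateway 10.23.0.1 with nothing to resolve through, which is the failure the /32 trick avoids.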