Difference between revisions of "Router - RouterOS and Routerboard"

From AAISP Support Site
(Removed line which should have been removed from example!)
m (Fix IRC server wording slightly.)
 
(30 intermediate revisions by 9 users not shown)
Line 1: Line 1:
  +
*Also see: [[Router - RouterOS and Routerboard bonding]]
  +
*[irc://irc.z.je/routerboard irc://irc.z.je/routerboard] - which is hosted on the Z.JE IRC server and contains (among others) lots of AAISP customers using Mikrotik. You might also find some users in the main [[IRC]] channel.
  +
 
= Overview =
 
= Overview =
Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.
 
   
  +
*Page created by Nicholas Barnes - [http://www.vitell.co.uk/ Vitell] - [http://www.vitell.co.uk/ RouterOS Consultants].
With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to and including 3.17 or version 5.xbeta onwards.
 
  +
*Additions by Nick Shore [http://linitx.com/ LinITX.com] - [http://linitx.com/category/166 MikroTik Sales, Consultancy and Training].
  +
  +
  +
Here we will build a basic configuration for RouterOS/Routerboard. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.
  +
  +
With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to or including 3.17 or version 5.0rc7 onwards.
   
 
We have an AAISP ADSL line with the following details:
 
We have an AAISP ADSL line with the following details:
   
*Username= abc@a.1
+
*Username= abc@a.1
 
*Password=secret
 
*Password=secret
*Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
+
*Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
*Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::1/64 to the router)
+
*Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::/64 to the router)
  +
  +
Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (RFC5737 and RFC3849). Also note that A&A supplies a /48 block of IPv6 addresses by default and this example will only use the first /64 in this block.
   
  +
= Default Configuration =
Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (rfc5737 and rfc3849). Also note that A&A supply a /48 block of IPv6s by default and this example will only use the first /64 in this block.
 
   
  +
This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Furthermore, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'. The following snippet changes the default interface names so that the examples below won't depend as closely on your hardware setup.
= Default Config =
 
   
  +
<pre>
This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.
 
  +
/interface ethernet
  +
set [ find default-name=ether1 ] name=uplink-wan
  +
set [ find default-name=ether2 ] name=lan
  +
</pre>
   
 
= Configuring Initial Basic Settings =
 
= Configuring Initial Basic Settings =
   
Set a password for the admin user:
+
Set a password for the admin user:
<pre>/user set admin password=NEWPASSWORD</pre>
+
<pre>/user set admin password=NEWPASSWORD</pre>
Define which services we want to run:
+
Define which services we want to run:
 
<pre>/ip service
 
<pre>/ip service
set telnet disabled=yes
+
set telnet disabled=yes
set ftp disabled=yes
+
set ftp disabled=yes
set www disabled=yes
+
set www disabled=yes
set ssh disabled=no port=22
+
set ssh disabled=no port=22
set www-ssl disabled=yes
+
set www-ssl disabled=yes
set api disabled=yes
+
set api disabled=yes
set winbox disabled=no port=8291</pre>
+
set winbox disabled=no port=8291</pre>
And then which helpers we want. Usually you want none as they tend to get in the way!
+
And then which helpers we want. Usually you want none as they tend to get in the way!
 
<pre>/ip firewall service-port
 
<pre>/ip firewall service-port
set ftp disabled=yes
+
set ftp disabled=yes
set tftp disabled=yes
+
set tftp disabled=yes
set irc disabled=yes
+
set irc disabled=yes
set h323 disabled=yes
+
set h323 disabled=yes
set sip disabled=yes
+
set sip disabled=yes
set pptp disabled=yes</pre>
+
set pptp disabled=yes</pre>
Set IP addresses on LAN
+
Set IP addresses on LAN
 
<pre>/ip address add \
 
<pre>/ip address add \
 
address=192.0.2.1/28 \
 
address=192.0.2.1/28 \
 
broadcast=192.0.2.15 \
 
broadcast=192.0.2.15 \
 
disabled=no \
 
disabled=no \
interface=ether2 \
+
interface=lan \
 
network=192.0.2.0
 
network=192.0.2.0
 
/ipv6 address add \
 
/ipv6 address add \
address=2001:db8::1/64 \
+
address=2001:db8::/64 \
 
advertise=yes \
 
advertise=yes \
 
disabled=no \
 
disabled=no \
 
eui-64=no \
 
eui-64=no \
interface=ether2</pre>
+
interface=lan
  +
</pre>
Set basic firewalling (all out, none in!)
 
  +
  +
Set basic firewalling (all out, none in!)
 
<pre>/ip firewall filter
 
<pre>/ip firewall filter
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
+
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=lan
 
add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
 
add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
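Review bot: the forward accept rule and both address blocks in this hunk now name the interface lan, which only exists once the rename snippet added under Default Configuration has been applied, and nothing next to these blocks says so. Because the LAN accept rule is the only thing that lets inside traffic through before the chain's drop rule, it would help to state beside the firewall block that the rename must be done first, or that in-interface should be set to whatever the LAN port or bridge is actually called.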
Line 59: Line 75:
 
add action=drop chain=forward comment="Drop the rest" disabled=no
 
add action=drop chain=forward comment="Drop the rest" disabled=no
 
add action=accept chain=output disabled=no
 
add action=accept chain=output disabled=no
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
+
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=lan
 
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
 
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
Line 66: Line 82:
   
 
/ipv6 firewall filter
 
/ipv6 firewall filter
add action=accept chain=forward disabled=no in-interface=ether2
+
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=lan
add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
 
 
add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
 
add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
Line 73: Line 88:
 
add action=drop chain=forward comment="Drop the rest" disabled=no
 
add action=drop chain=forward comment="Drop the rest" disabled=no
 
add action=accept chain=output disabled=no
 
add action=accept chain=output disabled=no
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2
+
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=lan
 
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
 
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
 
add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
 
add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
 
add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
add action=drop chain=input comment="Drop the rest" disabled=no</pre>
+
add action=drop chain=input comment="Drop the rest" disabled=no</pre>
Then create the profile to use for PPPoE.
+
Then create the profile to use for PPPoE.
 
<pre>/ppp profile add \
 
<pre>/ppp profile add \
 
change-tcp-mss=yes \
 
change-tcp-mss=yes \
Line 87: Line 102:
 
use-ipv6=yes \
 
use-ipv6=yes \
 
use-mpls=no \
 
use-mpls=no \
use-vj-compression=default</pre>
+
use-vj-compression=default</pre>
Create the PPP interface.
+
Create the PPP interface.
 
<pre>/interface pppoe-client add \
 
<pre>/interface pppoe-client add \
 
ac-name="" \
 
ac-name="" \
Line 95: Line 110:
 
dial-on-demand=no \
 
dial-on-demand=no \
 
disabled=no \
 
disabled=no \
interface=ether1 \
+
interface=uplink-wan \
 
max-mru=1492 \
 
max-mru=1492 \
 
max-mtu=1492 \
 
max-mtu=1492 \
Line 104: Line 119:
 
service-name="" \
 
service-name="" \
 
use-peer-dns=no \
 
use-peer-dns=no \
user=abc@a.1</pre>
+
user=abc@a.1</pre>
This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:
+
This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:
 
<pre>/ip dns set \
 
<pre>/ip dns set \
 
allow-remote-requests=yes \
 
allow-remote-requests=yes \
Line 111: Line 126:
 
cache-size=2048KiB \
 
cache-size=2048KiB \
 
max-udp-packet-size=512 \
 
max-udp-packet-size=512 \
servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021</pre>
+
servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021</pre>
And then configure routing:
+
And then configure routing:
 
<pre>/ipv6 route add \
 
<pre>/ipv6 route add \
 
disabled=no \
 
disabled=no \
Line 126: Line 141:
 
gateway=AAISP \
 
gateway=AAISP \
 
scope=30 \
 
scope=30 \
target-scope=10</pre>
+
target-scope=10</pre>
 
Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.
 
Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.
   
  +
Now add any firewall filter and mangle rules required followed by any queue entries.
Then, make sure IPv6 neighbour detection is configured properly.
 
  +
  +
Then, make sure IPv6 neighbour detection is configured properly.
 
<pre>/ipv6 nd remove [find]
 
<pre>/ipv6 nd remove [find]
 
/ipv6 nd add \
 
/ipv6 nd add \
Line 136: Line 153:
 
disabled=no \
 
disabled=no \
 
hop-limit=64 \
 
hop-limit=64 \
interface=ether2 \
+
interface=lan \
 
managed-address-configuration=no \
 
managed-address-configuration=no \
 
mtu=1492 \
 
mtu=1492 \
Line 144: Line 161:
 
ra-lifetime=30m \
 
ra-lifetime=30m \
 
reachable-time=unspecified \
 
reachable-time=unspecified \
retransmit-interval=unspecified</pre>
+
retransmit-interval=unspecified</pre>
Set the time:
+
Set the time:
 
<pre>/system ntp client set \
 
<pre>/system ntp client set \
 
enabled=yes \
 
enabled=yes \
 
mode=unicast \
 
mode=unicast \
 
primary-ntp=90.155.53.32
 
primary-ntp=90.155.53.32
/system clock set time-zone-name=Europe/London</pre>
+
/system clock set time-zone-name=Europe/London</pre>
  +
= Next Steps, Bonding a Second, or multiple Lines =
  +
  +
See: [[Router - RouterOS and Routerboard bonding]]
  +
or, the original at: [http://0hq.net/RB/ros.txt] for hints
  +
  +
= QoS =
  +
  +
One of many ways of avoiding a saturated upstream, is using Queue trees.
  +
  +
<pre>
  +
/queue tree add max-limit=YOUR_UPLOAD_SPEED name=Upload parent=AAISP queue=default
  +
</pre>
  +
  +
To determine YOUR_UPLOAD_SPEED, you could query your line details, like so:
  +
  +
<pre>
  +
curl -s -H "Content-Type: application/json" -X POST \
  +
-d '{"control_login": "YOUR_LOGIN@a","control_password":"CONTROL_PASSWORD", "service": "YOUR_NUMBER"}' https://chaos2.aa.net.uk/broadband/info |
  +
jq .info[].rx_rate
  +
</pre>
  +
  +
More details on this configuration, including how to optimise for Apple Facetime (UDP) can be found at https://natalian.org/2017/08/20/Choosing_Mikrotik_over_Ubiquiti/
  +
  +
= Native IPv6 over PPPoE =
  +
  +
Once you have enabled the IPv6 package in RouterOS, and have an IPv6 range assigned on clueless, the PPPoE client will automatically create an IPv6 link.
  +
  +
To be able to use your address assignment add the address to a local interface or bridge:
  +
<pre>/ipv6 address
  +
add address=2001:8b0:XXX::1/64 advertise=yes comment="advertise on lan" disabled=no eui-64=no \
  +
interface=lan
  +
</pre>
  +
  +
To route your traffic add a static route, or check Add Default Route on the PPPoE client:
  +
<pre>/ipv6 route
  +
add comment="" disabled=no distance=1 dst-address=::/0 gateway=pppoe-out scope=255 \
  +
target-scope=10
  +
</pre>
  +
  +
= 1500 MTU over PPPoE using baby jumbo frames =
  +
  +
PPPoE requires an 8 byte header to be added to each packet. This causes the payload to be restricted to a 1492 MTU if the underlying medium is regular Ethernet. The BT VDSL2 modem supports using baby jumbo frames of 1508 bytes so the PPP payload is now 1500 bytes which is the same as regular Ethernet.
  +
  +
A 1500 MTU is important because there are many networks and hosts out on the internet which are poorly configured and block all ICMP packets in an attempt to gain extra security but inadvertently breaking Path MTU Discovery.
  +
  +
Assuming the first Ethernet interface is used for PPPoE, set the MTU:
  +
<pre>
  +
/interface ethernet
  +
set 0 comment="WAN Interface" disabled=no l2mtu=1526 mtu=1508 name=WAN
  +
</pre>
  +
  +
Now add the pppoe-client ensuring MRU is set correctly:
  +
<pre>/interface pppoe-client add-default-route=yes allow=chap comment="A&A" dial-on-demand=no disabled=no interface=WAN \ max-mru=1500 max-mtu=1500 name=PPPoE password=xxx profile=pppoe-client-default use-peer-dns=no user=xxx@xxx
  +
</pre>
  +
The LCPFix option needs to be enabled, and the MTU set to 1500 for this FTTC line on the Clueless configuration pages. RouterOS doesn't support RFC4638 so needs these options enabled.
  +
  +
Once all these changes have been made and the LCPFix option is enabled, the PPPoE connection should be restarted.
  +
  +
= WebFig and PPPoE =
  +
  +
Configuration via WebFig is possible, though this does not always do what it looks like it will do. Specifically, if you do not specify 'Keepalive timeout' on the PPPoE client it does *not* default to the default value of 10 seconds, but actually creates a config including 'keepalive-timeout=disabled' which disables keepalive LCP probes altogether, and consequently if the PPPoE goes or the line loses sync the router will not restart PPPoE and the line will just stay down.
   
  +
Note: This is being documented for the benefit of anyone else who experiences this and spends as long as I have trying to fix it. This may be the wrong place for this information so please do move it if needed (and/or delete this comment!).
= Next Steps, Bonding a Second Line =
 
   
  +
[[Category:3rd Party Routers|RouterOS]]
To be continued.....
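Review bot: the pppoe-client command added under "1500 MTU over PPPoE using baby jumbo frames" has no add verb after /interface pppoe-client and carries a stray backslash in the middle of the line before max-mru=1500, so it will not paste as written; it should start /interface pppoe-client add add-default-route=yes, with the backslash either removed or moved to a real line break. In the QoS addition, the curl example puts control_password in the command arguments, where it lands in shell history and the process list, and the jq filter .info[].rx_rate is unquoted; reading the JSON body from a file with -d @file and quoting the filter would be safer.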
 

Latest revision as of 09:30, 30 April 2020

Overview


Here we will build a basic configuration for RouterOS/Routerboard. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.

With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to or including 3.17 or version 5.0rc7 onwards.

We have an AAISP ADSL line with the following details:

  • Username = abc@a.1
  • Password = secret
  • Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
  • Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::/64 to the router)

Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (RFC5737 and RFC3849). Also note that A&A supplies a /48 block of IPv6 addresses by default and this example will only use the first /64 in this block.

Default Configuration

This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Furthermore, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'. The following snippet changes the default interface names so that the examples below won't depend as closely on your hardware setup.

/interface ethernet
set [ find default-name=ether1 ] name=uplink-wan
set [ find default-name=ether2 ] name=lan

Configuring Initial Basic Settings

Set a password for the admin user:

/user set admin password=NEWPASSWORD

Define which services we want to run:

/ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set ssh disabled=no port=22
  set www-ssl disabled=yes
  set api disabled=yes
  set winbox disabled=no port=8291

And then which helpers we want. Usually you want none as they tend to get in the way!

/ip firewall service-port
  set ftp disabled=yes
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes

Set IP addresses on LAN

/ip address add \
  address=192.0.2.1/28 \
  broadcast=192.0.2.15 \
  disabled=no \
  interface=lan \
  network=192.0.2.0
/ipv6 address add \
  address=2001:db8::/64 \
  advertise=yes \
  disabled=no \
  eui-64=no \
  interface=lan

Set basic firewalling (all out, none in!)

/ip firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=lan
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=lan
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmp
  add action=drop chain=input comment="Drop the rest" disabled=no

/ipv6 firewall filter
  add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=lan
  add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=forward comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=forward comment="Drop the rest" disabled=no
  add action=accept chain=output disabled=no
  add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=lan
  add action=accept chain=input comment="Established traffic" connection-state=established disabled=no
  add action=accept chain=input comment="Related traffic" connection-state=related disabled=no
  add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6
  add action=drop chain=input comment="Drop the rest" disabled=no

Then create the profile to use for PPPoE.

/ppp profile add \
  change-tcp-mss=yes \
  name=aaisp \
  only-one=yes \
  use-compression=default \
  use-encryption=default \
  use-ipv6=yes \
  use-mpls=no \
  use-vj-compression=default

Create the PPP interface.

/interface pppoe-client add \
  ac-name="" \
  add-default-route=no \
  allow=pap,chap,mschap1,mschap2 \
  dial-on-demand=no \
  disabled=no \
  interface=uplink-wan \
  max-mru=1492 \
  max-mtu=1492 \
  mrru=disabled \
  name=AAISP \
  password=secret \
  profile=aaisp \
  service-name="" \
  use-peer-dns=no \
  user=abc@a.1

This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:

/ip dns set \
  allow-remote-requests=yes \
  cache-max-ttl=1w \
  cache-size=2048KiB \
  max-udp-packet-size=512 \
  servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021

And then configure routing:

/ipv6 route add \
  disabled=no \
  distance=1 \
  dst-address=::/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10
/ip route add \
  disabled=no \
  distance=1 \
  dst-address=0.0.0.0/0 \
  gateway=AAISP \
  scope=30 \
  target-scope=10

Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.

Now add any firewall filter and mangle rules required followed by any queue entries.

Then, make sure IPv6 neighbour detection is configured properly.

/ipv6 nd remove [find]
/ipv6 nd add \
  advertise-dns=yes \
  advertise-mac-address=yes \
  disabled=no \
  hop-limit=64 \
  interface=lan \
  managed-address-configuration=no \
  mtu=1492 \
  other-configuration=no \
  ra-delay=3s \
  ra-interval=3m20s-10m \
  ra-lifetime=30m \
  reachable-time=unspecified \
  retransmit-interval=unspecified

Set the time:

/system ntp client set \
  enabled=yes \
  mode=unicast \
  primary-ntp=90.155.53.32
/system clock set time-zone-name=Europe/London

Next Steps, Bonding a Second, or multiple Lines

See: Router - RouterOS and Routerboard bonding or, the original at http://0hq.net/RB/ros.txt for hints

QoS

One of many ways of avoiding a saturated upstream is to use queue trees.

/queue tree add max-limit=YOUR_UPLOAD_SPEED name=Upload parent=AAISP queue=default

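To determine YOUR_UPLOAD_SPEED, you could query your line details, like so. Note that passing the control password with -d on the command line leaves it in your shell history and visible in the process list while curl runs.

curl -s -H "Content-Type: application/json" -X POST \
        -d '{"control_login": "YOUR_LOGIN@a","control_password":"CONTROL_PASSWORD", "service": "YOUR_NUMBER"}' https://chaos2.aa.net.uk/broadband/info |
        jq '.info[].rx_rate'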

More details on this configuration, including how to optimise for Apple FaceTime (UDP), can be found at https://natalian.org/2017/08/20/Choosing_Mikrotik_over_Ubiquiti/

Native IPv6 over PPPoE

Once you have enabled the IPv6 package in RouterOS, and have an IPv6 range assigned on Clueless, the PPPoE client will automatically create an IPv6 link.

To be able to use your address assignment, add the address to a local interface or bridge:

/ipv6 address
add address=2001:8b0:XXX::1/64 advertise=yes comment="advertise on lan" disabled=no eui-64=no \
    interface=lan

To route your traffic add a static route, or check Add Default Route on the PPPoE client:

/ipv6 route
add comment="" disabled=no distance=1 dst-address=::/0 gateway=pppoe-out scope=255 \
    target-scope=10

1500 MTU over PPPoE using baby jumbo frames

PPPoE requires an 8-byte header to be added to each packet. This restricts the payload to a 1492 MTU if the underlying medium is regular Ethernet. The BT VDSL2 modem supports baby jumbo frames of 1508 bytes, so the PPP payload becomes 1500 bytes, which is the same as regular Ethernet.

A 1500 MTU is important because there are many networks and hosts out on the internet which are poorly configured and block all ICMP packets in an attempt to gain extra security, inadvertently breaking Path MTU Discovery.

Assuming the first Ethernet interface is used for PPPoE, set the MTU:

/interface ethernet
set 0 comment="WAN Interface" disabled=no l2mtu=1526 mtu=1508 name=WAN

Now add the pppoe-client ensuring MRU is set correctly:

/interface pppoe-client
add add-default-route=yes allow=chap comment="A&A" dial-on-demand=no disabled=no interface=WAN \
    max-mru=1500 max-mtu=1500 name=PPPoE password=xxx profile=pppoe-client-default use-peer-dns=no user=xxx@xxx

The LCPFix option needs to be enabled, and the MTU set to 1500 for this FTTC line on the Clueless configuration pages. RouterOS doesn't support RFC4638 so needs these options enabled.

Once all these changes have been made and the LCPFix option is enabled, the PPPoE connection should be restarted.

WebFig and PPPoE

Configuration via WebFig is possible, but it does not always do what it appears to. Specifically, if you do not specify 'Keepalive timeout' on the PPPoE client, WebFig does *not* fall back to the default value of 10 seconds; it creates a config that includes 'keepalive-timeout=disabled', which disables keepalive LCP probes altogether. Consequently, if the PPPoE session goes or the line loses sync, the router will not restart PPPoE and the line will just stay down.

Note: This is being documented for the benefit of anyone else who experiences this and spends as long as I have trying to fix it. This may be the wrong place for this information so please do move it if needed (and/or delete this comment!).
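Three points this page makes can be checked against a saved configuration: only ssh and winbox stay enabled, the PPPoE keepalive must not be disabled, and a 1500-byte PPPoE MTU needs a 1508-byte Ethernet MTU underneath. The script below is an added example, not part of the original wiki page or any MikroTik tool; the helpers `parse_export` and `audit` and the sample text are constructed for illustration, and it assumes the input spells out every setting it should judge.

```python
import shlex

VERBS = {"add", "set", "remove"}
KEPT_SERVICES = {"ssh", "winbox"}  # the only services the page leaves enabled
PPPOE_OVERHEAD = 8                 # PPPoE header bytes, as stated on the page

def parse_export(text):
    """Return [(menu, verb, target, params)] from RouterOS export-style text."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            buf += line[:-1].strip() + " "
            continue
        lines.append(buf + line)
        buf = ""
    commands, menu = [], ""
    for line in lines:
        tokens = shlex.split(line)       # keeps comment="A&A" as one token
        if tokens[0].startswith("/"):    # "/ip service" or "/ip dns set ..."
            path = []
            while tokens and tokens[0] not in VERBS:
                path.append(tokens.pop(0))
            menu = " ".join(path)
        if not tokens:
            continue
        verb, target, params, depth = tokens.pop(0), [], {}, 0
        for tok in tokens:
            if tok.startswith("["):      # skip "[ find ... ]" selectors
                depth += 1
            if depth == 0 and "=" in tok:
                key, _, value = tok.partition("=")
                params[key] = value
            elif depth == 0:
                target.append(tok)
            if depth and tok.endswith("]"):
                depth -= 1
        commands.append((menu, verb, " ".join(target), params))
    return commands

def audit(text):
    """Check a config against three points the page makes; return findings."""
    commands = parse_export(text)
    eth_mtu = {}                         # ethernet interface name -> MTU
    for menu, verb, target, p in commands:
        if menu == "/interface ethernet" and verb == "set":
            eth_mtu[p.get("name", target)] = int(p.get("mtu", 1500))
    findings = []
    for menu, verb, target, p in commands:
        if menu == "/ip service" and verb == "set":
            if target not in KEPT_SERVICES and p.get("disabled") != "yes":
                findings.append(f"service {target} is not disabled")
        elif menu == "/interface pppoe-client" and verb == "add":
            name, iface = p.get("name", "pppoe"), p.get("interface")
            if p.get("keepalive-timeout") == "disabled":
                findings.append(f"{name}: keepalive-timeout=disabled")
            if "max-mtu" in p:
                need = int(p["max-mtu"]) + PPPOE_OVERHEAD
                have = eth_mtu.get(iface, 1500)
                if have < need:
                    findings.append(f"{name}: {iface} mtu {have} < {need}")
    return findings

# Constructed sample modelled on the page's snippets, with three faults added.
SAMPLE = r"""
/interface ethernet
set [ find default-name=ether1 ] name=uplink-wan
/ip service
set api disabled=no
set ssh disabled=no port=22
/interface pppoe-client add \
    interface=uplink-wan keepalive-timeout=disabled \
    max-mru=1500 max-mtu=1500 name=AAISP user=abc@a.1
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample, it reports the enabled api service, the disabled keepalive and the Ethernet MTU that is 8 bytes too small for a 1500-byte PPPoE payload.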