MikroTik PPPoE Server Complete Setup Guide — ISP Edition

Madan KC — ISP Network Engineer
Running MikroTik PPPoE servers in live ISP environments daily since 2017
MikroTik ISP Expert · RouterOS v6 & v7 · Updated 2026
⚡ Quick Answer

MikroTik PPPoE Server setup: 1) Create IP pool → 2) Create PPP profile with pool → 3) Add PPP secret (user+password) → 4) Enable PPPoE server on LAN interface → 5) Add NAT masquerade → 6) Set firewall rules. Subscriber connects their router as PPPoE client using username and password you create.

MikroTik PPPoE Server is how most small-to-medium ISPs authenticate and manage their subscribers. It gives you per-user bandwidth control, IP assignment, and authentication — all without expensive RADIUS in small deployments. This guide covers every step from a blank MikroTik to a live PPPoE server with multiple bandwidth plans and proper NAT/firewall — written from real ISP deployment experience.

📘

1. What Is MikroTik PPPoE & Why ISPs Use It

PPPoE (Point-to-Point Protocol over Ethernet) creates an authenticated, individual tunnel between each subscriber’s router and your MikroTik. When a subscriber connects, they enter a username and password — your MikroTik verifies it, assigns an IP from a pool, and applies the bandwidth limits you configured for that profile.

| Feature | PPPoE ✅ | DHCP only ❌ |
|---|---|---|
| User authentication | ✅ Username + password | ❌ Anyone with cable gets IP |
| Per-user bandwidth limit | ✅ Per profile | ❌ Manual queue only |
| IP management | ✅ Automatic pool assignment | Manual or DHCP |
| Subscriber isolation | ✅ Separate tunnel per user | ❌ Shared segment |
| Session accounting | ✅ Login/logout logs | ❌ No tracking |

📡
ISP Field Note

In my ISP work, we use MikroTik PPPoE for all FTTH subscribers. When a customer doesn’t pay, we simply disable their PPP secret — they lose internet instantly without touching their hardware. When they pay, we re-enable it. This alone makes PPPoE worth it for ISP operations.


🖥️

2. Login & Initial MikroTik Access

Winbox is the native MikroTik GUI tool — fastest and most reliable.

  1. Download Winbox from mikrotik.com/download
  2. Connect Ethernet cable from PC to any MikroTik port (except ether1 if WAN)
  3. Open Winbox → click Neighbors tab → your router appears by MAC address
  4. Click the MAC address → Username: admin → Password: blank (new device) → Connect
  5. Change password immediately: System → Password
📌 New RouterOS 7 devices ship with a random admin password printed on the label. Check the sticker on the bottom of the device.

Default IP: 192.168.88.1. Set your PC to 192.168.88.2/24, then open browser and go to http://192.168.88.1. Login: admin / blank password.

# SSH to MikroTik (after IP is configured)
ssh admin@192.168.88.1

# Or from MikroTik terminal in Winbox:
[admin@MikroTik] > password
# Set new password when prompted

🌐

3. WAN / Uplink Configuration

Configure how your MikroTik connects to your upstream ISP or bandwidth provider on ether1.

# WAN as DHCP client (most common)
[admin@MikroTik] > /ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# Verify WAN got an IP
/ip dhcp-client print

# Or assign a static WAN IP (replace with your ISP details)
[admin@MikroTik] > /ip address
add address=203.0.113.10/29 interface=ether1

# The gateway must sit inside the WAN subnet (203.0.113.8/29 here)
/ip route add gateway=203.0.113.9
/ip dns set servers=8.8.8.8,8.8.4.4

If your upstream bandwidth provider uses PPPoE:

[admin@MikroTik] > /interface pppoe-client
add name=pppoe-wan interface=ether1 \
  user=your-isp-username password=your-isp-password \
  add-default-route=yes use-peer-dns=yes \
  disabled=no

# Verify connection
/interface pppoe-client print
# Status should show: connected
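⚠️ Important: After this, all NAT rules should use out-interface=pppoe-wan, not ether1. The same applies to the firewall rules in section 8 that match in-interface=ether1: internet traffic now arrives on pppoe-wan, so a WAN drop rule left on ether1 no longer protects the router.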

🏊

4. Create IP Address Pools

Each bandwidth plan gets its own IP pool. When a subscriber connects with a 10 Mbps plan, they automatically get an IP from the 10 Mbps pool. This lets you group subscribers by plan for easier firewall and queue management.

# Create separate pools per bandwidth plan
[admin@MikroTik] > /ip pool

# 10 Mbps subscribers pool
add name=pool-10M ranges=192.168.10.2-192.168.10.254

# 25 Mbps subscribers pool
add name=pool-25M ranges=192.168.25.2-192.168.25.254

# 50 Mbps subscribers pool
add name=pool-50M ranges=192.168.50.2-192.168.50.254

# 100 Mbps subscribers pool
add name=pool-100M ranges=192.168.100.2-192.168.100.254

# Verify pools created
/ip pool print
📌 IP Planning: Each /24 pool holds 253 subscriber IPs. For larger deployments use wider ranges like 192.168.10.2-192.168.10.254 or split across subnets. Keep pools well within private IP ranges (RFC 1918).

📊

5. PPP Profiles — Bandwidth Plans

A PPP Profile is a bandwidth plan template. Each plan defines: the local gateway IP, which pool to assign from, and the rate-limit (download/upload speed). Create one profile per internet package you sell.

[admin@MikroTik] > /ppp profile

# 10 Mbps plan (10M download / 5M upload)
add name=plan-10M \
  local-address=192.168.10.1 \
  remote-address=pool-10M \
  rate-limit=10M/5M \
  dns-server=8.8.8.8,8.8.4.4

# 25 Mbps plan
add name=plan-25M \
  local-address=192.168.25.1 \
  remote-address=pool-25M \
  rate-limit=25M/10M \
  dns-server=8.8.8.8,8.8.4.4

# 50 Mbps plan
add name=plan-50M \
  local-address=192.168.50.1 \
  remote-address=pool-50M \
  rate-limit=50M/25M \
  dns-server=8.8.8.8,8.8.4.4

# 100 Mbps plan (1 Gbps = 1000M)
add name=plan-100M \
  local-address=192.168.100.1 \
  remote-address=pool-100M \
  rate-limit=100M/50M \
  dns-server=8.8.8.8,8.8.4.4

# Verify profiles
/ppp profile print
💡 Rate-limit format: download/upload — so 100M/50M = 100 Mbps down, 50 Mbps up. Use k for Kbps, M for Mbps, G for Gbps. The local-address is the router’s gateway IP for that subnet — it must NOT be in the pool range.

👤

6. PPP Secrets — Subscriber Accounts

Each subscriber gets a PPP Secret entry — a username and password. When they connect, MikroTik matches their credentials to a profile and applies the bandwidth limits.

[admin@MikroTik] > /ppp secret

# Add subscriber on 10M plan
add name=ram.prasad \
  password=Pass@1234 \
  service=pppoe \
  profile=plan-10M \
  comment="Flat 3 - Ram Prasad - 10M Plan"

# Add subscriber on 50M plan
add name=sita.devi \
  password=Pass@5678 \
  service=pppoe \
  profile=plan-50M \
  comment="House 7 - Sita Devi - 50M Plan"

# Disable subscriber (e.g. unpaid bill)
/ppp secret set disabled=yes ram.prasad

# Re-enable subscriber
/ppp secret set disabled=no ram.prasad

# Change subscriber plan (upgrade from 10M to 50M)
/ppp secret set profile=plan-50M ram.prasad

# List all subscribers
/ppp secret print
✅ ISP Tip: Always add a comment with subscriber name, location, and plan. With 500+ users this saves hours when troubleshooting. Use consistent naming like firstname.lastname or zone-number.

🖧

7. Enable PPPoE Server

The PPPoE server listens on your LAN interface (the port where subscriber switches/ONTs connect). Never run PPPoE server on your WAN (ether1) interface.

[admin@MikroTik] > /interface pppoe-server server

add service-name=ISP-PPPoE \
  interface=ether2 \
  authentication=mschap2 \
  keepalive-timeout=10 \
  max-mru=1492 \
  max-mtu=1492 \
  default-profile=plan-10M \
  disabled=no

# If subscribers are on multiple ports (bridge)
# First create a bridge, add all subscriber ports to it:
# /interface bridge add name=bridge-sub
# /interface bridge port add interface=ether2 bridge=bridge-sub
# /interface bridge port add interface=ether3 bridge=bridge-sub
# Then run PPPoE server on bridge-sub

# Verify server is running
/interface pppoe-server server print
⚠️ MTU is 1492, not 1500. PPPoE adds 8 bytes of overhead per packet — so maximum payload is 1492 bytes. If you set MTU to 1500 on the PPPoE server, large packets will fragment causing slow browsing and broken websites. Always use 1492.

🔒

8. NAT Masquerade & Firewall Rules

Without NAT, your subscribers’ private IPs can’t reach the internet. Without firewall rules, your router is exposed. Both are essential.

# ── NAT Masquerade ──
[admin@MikroTik] > /ip firewall nat
add chain=srcnat \
  out-interface=ether1 \
  action=masquerade \
  comment="NAT all PPPoE subscribers to WAN"

# If WAN is PPPoE client, use:
# out-interface=pppoe-wan

# ── Basic Firewall Rules (paste all at once) ──
[admin@MikroTik] > /ip firewall filter

# Accept established/related connections (performance rule)
add chain=input connection-state=established,related,untracked action=accept

# Drop invalid connections
add chain=input connection-state=invalid action=drop

# Accept from loopback
add chain=input in-interface=lo action=accept

# Accept ICMP (ping) - useful for troubleshooting
add chain=input protocol=icmp action=accept

# Accept Winbox from LAN only (block from WAN)
add chain=input protocol=tcp dst-port=8291 \
  in-interface=ether2 action=accept

# Drop everything else from WAN
add chain=input in-interface=ether1 action=drop

# Forward rules
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 action=drop
🔒
Security Note

The most important firewall rule is dropping all WAN input. Without this, anyone on the internet can attempt to access your MikroTik management interface. I’ve seen ISP routers with no firewall get brute-forced and turned into spam relays within hours of getting a public IP.
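
A variant of the ruleset above built on an interface list, so the WAN rules keep matching when the uplink moves from ether1 to pppoe-wan, with management limited to one port and a default deny at the end of the input chain. This is an added example, not the author's configuration; ether5 as a dedicated management port is an assumption.

```routeros
# Added example: use INSTEAD of the NAT/filter rules above, not on top of them.
# Assumption (hypothetical): ether5 is a dedicated management port.

/interface list
add name=WAN comment="every interface that carries the uplink"
/interface list member
add list=WAN interface=ether1
# If the uplink is the PPPoE client from section 3, add it as well:
# add list=WAN interface=pppoe-wan

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade \
  comment="NAT all PPPoE subscribers to WAN"

/ip firewall filter
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# Winbox and SSH only from the management port, not from the subscriber side
add chain=input in-interface=ether5 protocol=tcp dst-port=22,8291 \
  action=accept comment="management"
# DNS for subscribers (needed because allow-remote-requests=yes), never from WAN
add chain=input in-interface-list=!WAN protocol=udp dst-port=53 action=accept
add chain=input in-interface-list=!WAN protocol=tcp dst-port=53 action=accept
# Default deny: whatever was not accepted above is dropped on every interface.
# PPPoE discovery and session frames are not IP traffic, so logins still work.
add chain=input action=drop comment="default deny to router"

add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN action=drop \
  comment="no new connections from the internet to subscribers"
```

Apply it in Safe Mode so that a mistake in the management rule rolls back when your session drops.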


🛡️

9. DNS, Security Hardening & Final Setup

# ── DNS Configuration ──
[admin@MikroTik] > /ip dns
set servers=8.8.8.8,1.1.1.1 \
  allow-remote-requests=yes
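# allow-remote-requests lets subscribers use this router as DNS
# Safe only while the firewall drops DNS queries arriving on the WAN; otherwise the router is an open resolver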

# ── Disable unused services (security) ──
[admin@MikroTik] > /ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Leave: winbox (8291), ssh (22) enabled

# ── Set system identity ──
[admin@MikroTik] > /system identity
set name="ISP-MikroTik-PPPoE-01"

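# ── Set NTP time sync ──
# RouterOS v7:
[admin@MikroTik] > /system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
# RouterOS v6 (primary-ntp takes an IP address; use server-dns-names for a hostname):
# /system ntp client set enabled=yes server-dns-names=pool.ntp.org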
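
The service list above leaves Winbox and SSH reachable from any source address, and MAC-Winbox and neighbor discovery (used for the first login in section 2) still answer on the subscriber-facing port, where the IP firewall does not apply. An added example, not from the original guide, that narrows all three; the MGMT list, ether5 and 10.255.0.0/24 are assumed names for a management port and subnet.

```routeros
# Added example for RouterOS 6.41 or later.
# Assumptions (hypothetical): ether5 is the management port,
# 10.255.0.0/24 is the management subnet.

# Winbox and SSH accept logins only from the management subnet
/ip service
set winbox address=10.255.0.0/24
set ssh address=10.255.0.0/24
/ip ssh set strong-crypto=yes

# Layer-2 management (MAC-Telnet, MAC-Winbox) bypasses /ip firewall filter,
# so restrict it to the management port instead of every interface
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=ether5
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# Stop announcing the router (identity, version, MAC) on subscriber ports
/ip neighbor discovery-settings set discover-interface-list=MGMT

# The bandwidth-test server is enabled by default; turn it off in production
/tool bandwidth-server set enabled=no
```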

📡

10. Monitor Active Sessions & Manage Users

# ── Show all active PPPoE sessions ──
[admin@MikroTik] > /ppp active print

# ── Show active with uptime and IP details ──
/ppp active print detail

# ── Find specific user session ──
/ppp active print where name="ram.prasad"

# ── Disconnect (kick) a specific user ──
/ppp active remove [find name="ram.prasad"]

# ── Show session logs ──
/log print where message~"pppoe"

# ── Check current bandwidth usage per user ──
/queue simple print
# Active PPPoE sessions create auto-queues when rate-limit is set

# ── Count total active connections ──
/ppp active print count-only
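
Disabling a secret does not end a session that is already up, so a suspended subscriber stays online until the session drops or is removed. A short RouterOS script, added here as an example and not part of the original guide, that removes every active session whose secret is disabled; it can be run by hand or from the scheduler.

```routeros
# Added example: disconnect every active PPP session whose secret is disabled.
:local kicked 0
:foreach s in=[/ppp secret find where disabled=yes] do={
  :local user [/ppp secret get $s name]
  :local sessions [/ppp active find where name=$user]
  :if ([:len $sessions] > 0) do={
    /ppp active remove $sessions
    :log warning ("suspended subscriber disconnected: " . $user)
    :set kicked ($kicked + 1)
  }
}
:log info ("disabled-secret sweep finished, subscribers disconnected: " . $kicked)
```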

🏠

11. How Subscribers Configure Their PPPoE Client

Give your subscribers these instructions to connect their home router as a PPPoE client to your server:

If subscriber also has a MikroTik router:

/interface pppoe-client
add name=pppoe-isp \
  interface=ether1 \
  user=ram.prasad \
  password=Pass@1234 \
  add-default-route=yes \
  use-peer-dns=yes \
  disabled=no

For TP-Link (Archer/TL-WR series):

  1. Open browser → 192.168.0.1 → Login admin/admin
  2. Go to Quick Setup or Basic → Internet
  3. Select PPPoE as connection type
  4. Enter Username and Password given by ISP
  5. Click Next / Save
  6. Router connects automatically
📌 For detailed TP-Link WiFi setup, see our TP-Link WiFi Guide

For Huawei ONT/Router (HG8145V5, HG8245H etc):

  1. Open browser → 192.168.100.1 → Login telecomadmin/admintelecom
  2. Go to WAN or Internet settings
  3. Select WAN Mode: PPPoE
  4. Enter username and password provided
  5. Click Apply — device connects within 30 seconds

Direct PPPoE from Windows PC (no router needed):

  1. Press Win + R → type ncpa.cpl → Enter
  2. Click File → New Incoming Connection (or use Network and Sharing Center → Set up a new connection)
  3. Select Connect to the Internet → Broadband (PPPoE)
  4. Enter username and password → Connect
📌 For Windows, go to Control Panel → Network and Sharing Center → Set up a new connection → Connect to the Internet → Broadband (PPPoE)

🔧

12. Troubleshooting Common PPPoE Issues

Subscriber can’t establish PPPoE connection:

  1. Verify PPP secret exists: /ppp secret print where name="username"
  2. Check secret is not disabled: /ppp secret print detail → disabled=no
  3. Confirm PPPoE server is running on correct interface: /interface pppoe-server server print
  4. Check subscriber’s cable is plugged into the correct LAN port (ether2, not ether1)
  5. Check for authentication errors in logs: /log print where message~"pap|chap|mschap"
  6. Verify correct service type: service=pppoe (not pptp or any)

Subscriber connected but getting less than plan speed:

  1. Check what profile is assigned: /ppp secret print where name="username"
  2. Check active session queue: /queue simple print where name~"username"
  3. Verify WAN uplink itself has enough bandwidth: test from MikroTik with /tool bandwidth-test address=8.8.8.8
  4. Check CPU usage — high CPU can throttle throughput: /system resource print
  5. Confirm MTU is 1492 — wrong MTU causes fragmentation and slowness
  6. Check if queue parent is limiting: /queue tree print

PPPoE session drops every few minutes:

  1. Check keepalive-timeout — too low causes drops: set to 30 or 60 seconds
  2. Look at logs: /log print where message~"pppoe" forward=50
  3. Check for line errors on the physical port: /interface ethernet print stats — look for high error counts
  4. If on WiFi link, check signal quality — unstable wireless causes PPPoE drops
  5. Check if the OLT/ONU is rebooting (check optical power if FTTH)

Subscriber is connected (session shows active) but no internet:

  1. Check NAT rule exists: /ip firewall nat print — masquerade rule must be there
  2. Verify subscriber can ping router gateway: from subscriber PC, ping the local-address in their profile
  3. Check WAN is connected: /ip route print — default route (0.0.0.0/0) must be active
  4. Test DNS: /ip dns cache flush then try again from subscriber
  5. Check firewall forward chain — rules must allow forward from PPPoE interfaces

📋

13. Essential Quick Commands

| Command | What It Does |
|---|---|
| /ppp active print | Show all active PPPoE sessions |
| /ppp secret print | List all subscriber accounts |
| /ppp profile print | Show all bandwidth plans |
| /ip pool print | Show IP pools and usage |
| /ip address print | Show all IP assignments |
| /ip route print | Show routing table (check default route) |
| /ip firewall nat print | Verify NAT masquerade rule |
| /queue simple print | Show active bandwidth queues per user |
| /system resource print | CPU, RAM, uptime |
| /log print | System logs (PPPoE events) |
| /interface print | All interfaces and status |
| /ip dhcp-client print | WAN DHCP status |
| /ppp active remove [find name="x"] | Kick/disconnect specific user |
| /ppp secret set disabled=yes x | Block subscriber (disable) |
| /tool bandwidth-test 8.8.8.8 | Test WAN bandwidth from router |
| /system backup save | Backup full configuration |
| /export file=config | Export config as text script |


Frequently Asked Questions — MikroTik PPPoE Server

MikroTik PPPoE Server turns your RouterOS device into an Access Concentrator — it authenticates subscribers by username and password, assigns IP addresses from a pool, and enforces per-user bandwidth limits. ISPs use it because it gives full control: disable non-paying subscribers instantly, assign different speed plans per user, track login/logout times, and segregate subscriber traffic. Over 60% of small-to-medium ISPs worldwide use PPPoE for subscriber management.
PPPoE Server runs on your ISP-side MikroTik — it accepts incoming connections from subscribers, verifies credentials, and assigns IPs. PPPoE Client runs on the subscriber’s router (or on your MikroTik if connecting to an upstream ISP) — it initiates the connection, authenticates with a username/password, and receives an IP. An ISP typically runs PPPoE Server on one MikroTik, while subscribers run PPPoE Client on their home routers.
Set the rate-limit in the PPP Profile: /ppp profile set plan-10M rate-limit=10M/5M. The format is download/upload. All subscribers assigned to that profile automatically get those limits enforced by RouterOS simple queues. To change a specific subscriber’s speed, change their profile: /ppp secret set profile=plan-50M ram.prasad. The change takes effect on their next connection.
PPPoE adds an 8-byte header to every Ethernet frame. Since standard Ethernet MTU is 1500 bytes, the maximum PPPoE payload is 1500 − 8 = 1492 bytes. If you configure MTU as 1500 on a PPPoE link, large packets will be fragmented, causing slow website loading, broken HTTPS connections, and VPN issues. Always set max-mtu=1492 and max-mru=1492 in your PPPoE server configuration.
RouterOS technically supports up to 65,535 PPPoE sessions. Practically, it depends on hardware: a CCR1009 handles around 800 concurrent sessions with QoS at ~60% CPU. A hEX (RB750Gr3) handles around 100–200 light sessions. License also matters — Level 3 is limited to 200 PPP tunnels, Level 4 to 200, Level 5 to 500, Level 6 is unlimited. For ISP deployments with 500+ subscribers, use CCR series hardware and Level 5 or 6 license.
Run: /ppp secret set disabled=yes ram.prasad. This suspends the account — if they’re currently connected, their active session continues until it naturally expires or you kick them with /ppp active remove [find name="ram.prasad"]. To re-enable: /ppp secret set disabled=no ram.prasad. This is the standard method for suspending non-paying subscribers.
Default username is admin with a blank password on RouterOS 6 and older. On RouterOS 7, new devices ship with a randomly generated password printed on the label on the device. Access via Winbox by clicking your router’s MAC address under Neighbors. Change the password immediately after first login: System → Password in Winbox or /password in terminal.
Yes, but on different interfaces or bridge groups. Run PPPoE server on the subscriber-facing interface (e.g. ether2 or a bridge) and DHCP on a separate LAN interface for your office/management network. Never run both PPPoE and DHCP on the same interface — they will conflict, with DHCP handing out IPs before PPPoE authentication completes.