MikroTik PPPoE Server Setup Step by Step (2026)
Contents
- 1 MikroTik PPPoE Server Setup Step by Step (2026)
- 2 1. What is PPPoE? (And Why ISPs Love It)
- 3 2. Requirements Before Setup
- 4 3โ8. Step-by-Step Configuration Guide
- 5 9. Full CLI Command Reference (Copy-Paste Ready)
- 6 10. Winbox Screenshot Guide
- 7 11. Troubleshooting โ Common PPPoE Problems & Fixes
- 8 12. FAQ โ MikroTik PPPoE Server
- 9 13. Related Posts & Internal Links
RouterOS v7
ISP / WISP
2026 Updated
MikroTik PPPoE Server Setup Step by Step (2026)
1. What is PPPoE? (And Why ISPs Love It)
PPPoE (Point-to-Point Protocol over Ethernet) is a network protocol that wraps PPP frames inside Ethernet packets. In plain language, it lets an ISP assign individual authenticated sessions to each subscriber โ giving each user their own IP address, bandwidth policy, and login credentials over a shared Ethernet or fiber network.
Unlike a plain DHCP setup (where your router just hands out IPs with no authentication), PPPoE requires every client to log in with a username and password before they get internet access. That small difference has huge practical benefits for ISPs, WISPs, and even office networks.
PPPoE vs DHCP vs Hotspot โ Which Should You Use?
| Feature | PPPoE | DHCP | Hotspot |
|---|---|---|---|
| User Authentication | โ Username + Password | โ No auth | โ Web login page |
| Per-user Bandwidth | โ PPP Profile queue | โ ๏ธ Manual queues | โ User profile |
| Session Tracking | โ Full session log | โ ๏ธ MAC-based | โ Full session log |
| Client Device | PPPoE client (router/OS) | Any device | Any browser |
| Best For | ISP / WISP subscribers | Simple LAN | Cafรฉ / hotel WiFi |
๐ก When to choose PPPoE
Use PPPoE when you need per-user authentication, per-user speed limits, and full session accounting โ especially for ISP/WISP deployments. If you only have a flat office LAN with trusted users, plain DHCP is simpler.
2. Requirements Before Setup
Before touching Winbox, confirm everything below is ready. Skipping any item is the #1 cause of failed PPPoE setups.
- โ MikroTik router (any model: hEX, CCR, RB4011, RB750Gr3, etc.)
- โ RouterOS v7.x installed โ always update: System โ Packages โ Check for Updates
- โ Winbox 3.41+ downloaded from mikrotik.com/download
- โ
WAN (uplink) interface configured โ e.g.,
ether1connected to your upstream ISP - โ
LAN interface ready โ e.g.,
ether2(or a bridge) for client-side - โ
IP pool plan decided โ e.g.,
192.168.10.1โ192.168.10.254for PPPoE clients - โ NAT already working for direct internet โ or you’ll set it up in Step 5
- โ Admin password set on the MikroTik (never leave it blank)
โ ๏ธ Important for RouterOS v7
In v7, the default firewall uses nftables-style filter chains. Make sure you’re not blocking PPPoE service ports (UDP 1701, TCP 1723) in an existing firewall. This guide adds the correct rules in Step 6.
3โ8. Step-by-Step Configuration Guide
1
Create IP Pool for PPPoE Clients
An IP pool defines the range of addresses your MikroTik will assign to PPPoE clients when they connect. Plan a range that doesn’t overlap your LAN or WAN addresses.
Winbox path: IP โ Pool โ Add (+)
- Name:
pppoe-pool - Addresses:
192.168.10.2-192.168.10.254 - Next Pool: none
RouterOS CLI
/ip pool add name=pppoe-pool ranges=192.168.10.2-192.168.10.254
๐ธ Screenshot: IP โ Pool โ showing pppoe-pool with range 192.168.10.2โ192.168.10.254
2
Create PPP Profile
The PPP Profile defines the default settings applied to all PPPoE users assigned to it โ including the local IP (server gateway), remote IP pool, DNS, and speed limits.
Winbox path: PPP โ Profiles โ Add (+)
- Name:
pppoe-profile - Local Address:
192.168.10.1(MikroTik’s PPPoE gateway IP) - Remote Address:
pppoe-pool(select your pool) - DNS Server:
8.8.8.8or your ISP’s DNS - Rate Limit (optional):
5M/5Mโ up to 5 Mbps upload/download per user
RouterOS CLI
/ppp profile
add name=pppoe-profile \
local-address=192.168.10.1 \
remote-address=pppoe-pool \
dns-server=8.8.8.8 \
rate-limit=5M/5M
๐ก Pro Tip: Per-user Rate Limits
Leave
rate-limit blank in the profile and set it individually in each PPP Secret instead. This gives you per-user bandwidth control without creating multiple profiles.
๐ธ Screenshot: PPP โ Profiles โ pppoe-profile โ showing Local Address, Remote Address (pool), DNS, Rate Limit fields
3
Enable PPPoE Server
Now we bind the PPPoE server to the LAN-facing interface (the side your subscribers connect to). Do not bind it to your WAN/ether1.
Winbox path: PPP โ PPPoE Servers โ Add (+)
- Service Name:
pppoe-server - Interface:
ether2(or your LAN bridge) - Default Profile:
pppoe-profile - Authentication: โ
chap, โmschap2(uncheck PAP for security) - Keepalive Timeout:
10seconds - One Session Per Host: โ Enabled (prevents duplicate sessions)
RouterOS CLI
/interface pppoe-server server
add name=pppoe-server \
interface=ether2 \
default-profile=pppoe-profile \
authentication=chap,mschap2 \
keepalive-timeout=10 \
one-session-per-host=yes \
disabled=no
๐ธ Screenshot: PPP โ PPPoE Servers โ pppoe-server entry showing interface=ether2, profile=pppoe-profile, Status: Enabled
4
Add PPP Secrets (User Accounts)
Each subscriber needs a PPP Secret โ their username and password. You can also assign a static IP and individual rate limit per user here.
Winbox path: PPP โ Secrets โ Add (+)
- Name (Username): e.g.,
user1 - Password: e.g.,
pass123 - Service:
pppoe - Profile:
pppoe-profile - Local Address: (optional) static IP override
- Rate Limit: (optional) e.g.,
10M/10Mfor this user only
RouterOS CLI โ Add multiple users
/ppp secret add name=user1 password=pass123 service=pppoe profile=pppoe-profile add name=user2 password=secure456 service=pppoe profile=pppoe-profile rate-limit=10M/10M add name=user3 password=mypass789 service=pppoe profile=pppoe-profile
๐ธ Screenshot: PPP โ Secrets โ list showing user1, user2, user3 with service=pppoe and their profiles
5
Configure NAT (Masquerade)
PPPoE clients get private IPs. NAT masquerades them behind your WAN IP so they can reach the internet.
Winbox path: IP โ Firewall โ NAT โ Add (+)
- Chain:
srcnat - Out. Interface:
ether1(your WAN interface) - Action:
masquerade
RouterOS CLI
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="PPPoE clients NAT"
๐ธ Screenshot: IP โ Firewall โ NAT โ srcnat rule with out-interface=ether1, action=masquerade
6
Set Firewall Rules
A minimal firewall for PPPoE servers should: (a) allow established/related traffic, (b) drop invalid packets, (c) accept PPPoE discovery packets, and (d) block unsolicited inbound on WAN.
RouterOS CLI โ Firewall Filter
/ip firewall filter # Allow established and related connections add chain=input connection-state=established,related action=accept comment="Allow established" # Drop invalid connections add chain=input connection-state=invalid action=drop comment="Drop invalid" # Allow PPPoE discovery (ether2 LAN side) add chain=input in-interface=ether2 protocol=ether-type action=accept comment="Allow PPPoE discovery" # Allow ICMP (ping) for testing add chain=input protocol=icmp action=accept comment="Allow ICMP" # Allow Winbox management from LAN only add chain=input in-interface=ether2 dst-port=8291 protocol=tcp action=accept comment="Winbox LAN only" # Drop everything else on WAN input add chain=input in-interface=ether1 action=drop comment="Drop WAN input"
๐ด Order Matters!
Firewall rules are processed top-to-bottom. Always put established/related โ drop invalid โ specific allows โ drop all in that order. Adding a “drop all” rule before your allow rules will lock you out.
9. Full CLI Command Reference (Copy-Paste Ready)
Run this entire block in MikroTik’s terminal (New Terminal in Winbox) for a complete one-shot setup. Edit the pool range, interface names, and user credentials to match your network.
Complete Setup Script โ RouterOS v7
# โโ 1. IP Pool โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
/ip pool
add name=pppoe-pool ranges=192.168.10.2-192.168.10.254
# โโ 2. PPP Profile โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
/ppp profile
add name=pppoe-profile \
local-address=192.168.10.1 \
remote-address=pppoe-pool \
dns-server=8.8.8.8,8.8.4.4 \
rate-limit=5M/5M \
use-compression=no \
use-encryption=no
# โโ 3. PPPoE Server โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
/interface pppoe-server server
add name=pppoe-server \
interface=ether2 \
default-profile=pppoe-profile \
authentication=chap,mschap2 \
keepalive-timeout=10 \
one-session-per-host=yes \
disabled=no
# โโ 4. PPP Secrets (Users) โโโโโโโโโโโโโโโโโโโโโโโโโโ
/ppp secret
add name=user1 password=pass123 service=pppoe profile=pppoe-profile
add name=user2 password=secure456 service=pppoe profile=pppoe-profile rate-limit=10M/10M
add name=user3 password=mypass789 service=pppoe profile=pppoe-profile
# โโ 5. NAT Masquerade โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade \
comment="PPPoE clients NAT"
# โโ 6. Firewall โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
/ip firewall filter
add chain=input connection-state=established,related action=accept \
comment="Allow established/related"
add chain=input connection-state=invalid action=drop \
comment="Drop invalid"
add chain=input protocol=icmp action=accept \
comment="Allow ping"
add chain=input in-interface=ether2 dst-port=8291 protocol=tcp \
action=accept comment="Winbox from LAN"
add chain=input in-interface=ether1 action=drop \
comment="Drop WAN unsolicited"
# โโ Done! Verify active sessions: โโโโโโโโโโโโโโโโโโโ
/ppp active print
โ
Verify PPPoE is Working
After running the script, open a New Terminal and run
/ppp active print. When a client connects, you’ll see their username, assigned IP, uptime, and traffic counters here.10. Winbox Screenshot Guide
If you prefer GUI over terminal, here’s the Winbox navigation path for each step with what to look for on screen.
| Step | Winbox Path | Key Fields to Check |
|---|---|---|
| IP Pool | IP โ Pool | Name=pppoe-pool, Addresses=192.168.10.2โ254 |
| PPP Profile | PPP โ Profiles | Local=192.168.10.1, Remote=pppoe-pool, DNS=8.8.8.8 |
| PPPoE Server | PPP โ PPPoE Servers | Interface=ether2, Profile=pppoe-profile, Status=enabled (R) |
| PPP Secrets | PPP โ Secrets | Name, Password, Service=pppoe, Profile=pppoe-profile |
| NAT | IP โ Firewall โ NAT | Chain=srcnat, Out-Interface=ether1, Action=masquerade |
| Active Sessions | PPP โ Active Connections | Username, IP, Uptime, Rx/Tx bytes visible per session |
๐ธ Screenshot: PPP โ Active Connections โ showing live sessions with user1, assigned IP 192.168.10.2, uptime 00:04:32
๐ Winbox Tip
In Winbox, any row with a green “R” flag means the entry is running/active. If the PPPoE server row shows no “R”, click it and verify the interface is up and the profile is correctly assigned.
11. Troubleshooting โ Common PPPoE Problems & Fixes
| Problem | Likely Cause | Fix |
|---|---|---|
| PPPoE not connecting at all | Server bound to wrong interface; PPPoE server disabled | Check PPP โ PPPoE Servers โ confirm interface matches client side (ether2, not ether1). Ensure disabled=no. |
| Authentication Failed | Wrong username/password; auth method mismatch | Double-check credentials in PPP โ Secrets. Enable CHAP + MSCHAPv2 in server settings. Check client’s PPPoE auth method. |
| Connected but No Internet | NAT masquerade missing; default route not set | Verify IP โ Firewall โ NAT has srcnat masquerade on ether1. Run /ip route print to confirm a default gateway exists. |
| Duplicate Sessions / One User Multiple Connections | one-session-per-host disabled | Edit PPPoE server: set one-session-per-host=yes. Manually disconnect old sessions: PPP โ Active โ select โ Remove. |
| IP Pool Exhausted | Pool range too small; ghost sessions consuming IPs | Run /ppp active print and disconnect idle sessions. Expand pool range in IP โ Pool. Lower keepalive-timeout to drop dead sessions faster. |
| Client gets IP but slow speed | Rate limit set too low in profile or secret | Edit the PPP Secret or Profile: increase rate-limit=. Use /queue simple print to see dynamic queues created per PPPoE session. |
| Winbox can’t reach router after firewall | Drop-all rule placed before Winbox allow rule | Connect via MAC address in Winbox (no IP needed). Reorder firewall rules so Winbox port 8291 accept rule comes before the drop rule. |
Quick Diagnostic Commands
RouterOS CLI โ Diagnostics
# View active PPPoE sessions /ppp active print # View all PPP secrets and their last-logged details /ppp secret print detail # Check IP pool usage /ip pool used print # Test NAT is working /ip firewall nat print # View interface stats (check ether2 for traffic) /interface print stats # Watch log for PPPoE events in real time /log print follow where topics~"ppp"
๐ง Need a Network Tools Converter?
Use our free online converter for IP subnet calculations, unit conversions, and more โ trusted by IT professionals across Nepal.
Visit converter.thenepal.io โ12. FAQ โ MikroTik PPPoE Server
What is PPPoE in MikroTik?
PPPoE (Point-to-Point Protocol over Ethernet) in MikroTik is a feature that lets your MikroTik router act as a PPPoE server, requiring subscribers to authenticate with a username and password before getting internet access. It is the standard protocol used by ISPs and WISPs to manage multiple subscriber sessions, assign dynamic IPs, enforce bandwidth limits, and log usage โ all from a single RouterOS device.
PPPoE vs DHCP โ What is the difference?
DHCP simply assigns an IP address to any device on the network without authentication โ it’s fast and simple but anyone can connect. PPPoE requires a username and password login before any IP is assigned, making it ideal for ISPs who need to track, bill, and limit individual subscribers. PPPoE also allows per-user speed limits through PPP profiles, while DHCP requires separate queue setups.
How many PPPoE users can a MikroTik router handle?
It depends on the router model and your IP pool size. A MikroTik hEX (RB750Gr3) can comfortably handle 50โ100 simultaneous PPPoE sessions. A CCR2004 or RB4011 can handle 500โ1000+ sessions with proper queue configuration. The /24 pool in this guide supports up to 253 concurrent users. For large ISPs with thousands of subscribers, MikroTik recommends combining PPPoE with RADIUS (FreeRADIUS or Mikrotik RADIUS) for centralized management.
Is PPPoE secure?
PPPoE is reasonably secure for ISP use. Credentials are hashed using CHAP or MSCHAPv2 โ never sent in plain text. However, PPPoE itself does not encrypt the data payload; only the authentication phase is protected. For secure data transmission, combine PPPoE with VPN (L2TP/IPSec or WireGuard). Also disable PAP authentication in your PPPoE server settings to prevent plaintext password exposure.
Can I use RADIUS with MikroTik PPPoE?
Yes. MikroTik supports RADIUS authentication for PPPoE natively via RADIUS โ Add in Winbox. Configure FreeRADIUS (or any RADIUS server) with your MikroTik’s IP as a NAS client, then enable RADIUS in
PPP โ AAA. This offloads all user management to the RADIUS server, allowing you to manage thousands of users, quotas, and sessions from a central database โ essential for large ISP deployments.Do I need a static WAN IP to run a PPPoE server?
No. The PPPoE server operates on your LAN/subscriber side โ it has nothing to do with your WAN IP. You can run a PPPoE server even if your own WAN connection from the upstream ISP is dynamic DHCP. Your PPPoE clients connect to your MikroTik on the LAN side, and the MikroTik NATs their traffic out through whatever WAN connection you have.