Migrate Telfort to KPN fiber internet

21 Sep, 2021

I here document how I migrated my Telfort VLAN34/DHCP configuration to KPN VLAN6/PPPoE/IPv6 on Mikrotik using SFP to directly connect ISP fibre to my router.

Mikrotik DHCP lease expiration ¶

You should get this log message when you’re migrated, meaning you’re on a new DHCP pool.

sep/21/2021 01:19:28 dhcp,critical,error dhcp-client on WAN_VLAN lost IP address 
145.130.200.76 - lease expired

KPN config ¶

From KPN’s website (kpn.com)

PPPoE via VLAN 6 (802.1q).
PPPoE authentication PAP with username and password (e.g. internet / internet).
Maximum packet size (MTU) 1500 bytes (rfc4638)
Obtain IPv4 address + DNS servers via PPPoE
Obtain IPv6 address range + DNS servers (IPv6) via DHCPv6-PD request (in PPPoE). Use one address for the router from this range.

Mikrotik config for KPN ¶

# Set SFP VLAN to 6 (KPN internet value)
/interface vlan set vlan-id=6 [find interface=sfp1]

# Disable DHCP (KPN uses PPPOE)
/ip dhcp-client disable [find interface=WAN_VLAN]

# Disable auto-negotiation
/interface ethernet set [ find default-name=sfp1 ] auto-negotiation=no arp=proxy-arp l2mtu=1598 

# Just to be sure
/routing bgp instance set default disabled=yes

# Add PPPoE, with or without IPv6
/ppp profile set *0                only-one=yes use-compression=yes use-upnp=no use-ipv6=no
/ppp profile add name=default-ipv6 only-one=yes use-compression=yes use-upnp=no use-ipv6=yes

/interface pppoe-client add add-default-route=yes allow=pap disabled=no interface=WAN_VLAN keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-client profile=default-ipv6 use-peer-dns=yes password=internet user=internet
/interface pppoe-client add add-default-route=yes allow=pap disabled=no interface=WAN_VLAN keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-kpn-client profile=default use-peer-dns=yes password=internet user=internet

# Set proxy-arp on bridge
/interface bridge set 0 arp=proxy-arp

# Fix firewall such that outgoing interface is not WAN_VLAN but pppoe-client. The PPPoE client runs on top of the VLAN tagged interface.
/ip firewall
# add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=\
    VLAN2WAN out-interface-list=WAN-PPPOE
# add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN-PPPOE
# add action=drop chain=forward comment="Prevent logging filling up" in-interface-list=!VLAN2WAN \
    out-interface-list=WAN-PPPOE

# Fix IPv6

/ipv6 dhcp-client add add-default-route=yes interface=pppoe-client pool-name=KPN_POOL request=prefix

/ipv6 address add address=::1 from-pool=KPN_POOL interface=BASE_VLAN
/ipv6 address add address=::1 from-pool=KPN_POOL interface=GUEST_VLAN
/ipv6 address add address=::1 from-pool=KPN_POOL interface=IoT_VLAN

/ipv6 nd set [ find default=yes ] disabled=yes
/ipv6 nd add advertise-dns=no advertise-mac-address=no hop-limit=64 interface=BASE_VLAN
/ipv6 nd add advertise-dns=no advertise-mac-address=no hop-limit=64 interface=GUEST_VLAN
/ipv6 nd add advertise-dns=no advertise-mac-address=no hop-limit=64 interface=IoT_VLAN

Mikrotik config for Telfort (for reference) ¶

# Set SFP VLAN to 34 (Telfort internet value)
/interface vlan set vlan-id=34 [find interface=sfp1]

# Enable DHCP
/ip dhcp-client enable [find interface=WAN_VLAN]

# Disable auto-negotiation
/interface ethernet set [ find default-name=sfp1 ] auto-negotiation=no arp=enabled

# Set arp to normal 'enabled' on bridge
/interface bridge set 0 arp=enabled


# Disable PPPOE

# Set firewall on WAN interfance (=VLAN tagged interface called WAN_VLAN)

Sources ¶

#Networking