Assuming you start with the default config and the "Internet" port is not part of the bridge.
Go to Interface > VLAN
Add VLAN:
MTU: Set to max
VLAN ID: 500
Interface: <name of Internet port>

That's it. VLAN is done.

Go to PPP.
Add PPPoE client.
MRU: 1500
MTU: 1500
Interface: <name of VLAN you just created>
Fill in username and password.

You should have internet by now but no IPv6..

Maybe check the PON stick thread for IPv6 setup. I posted one there recently.

IP > UPnP > interface
Set your PPPoE name to external. "bridge" to internal. Then enable.

I think that's it. Left QoS.

Thank you. So I don't actually need to add VLAN600 interface to the internet port and internet would still function. That clears up a lot.

Noted about the IPv6 guide as well. I think I actually read it there a few days back.

It still works because VLAN 600 just get dropped without affecting VLAN500. There's other VLAN like 400 and 209 on TM network as well.

For NAT-PMP, the step is same as UPnP, just annotate the interface.

I need to test the QoS before I post it since I don't use it. But should be very straightforward as well.

Is NAT-PMP still used by games and devices today? I'm not sure if my current router even has that. I only remember a UPnP option.

No worries. I have a limited window to set everything up and make sure it all runs correctly first, so will be focusing on that.

Not sure if NAT-PMP is still used but you can actually enable both in Mikrotik. So you do get the best of both worlds

blackbox14
After you add the PPPoE client, remember:
Go to Interface > Interface List tab
Add your pppoe interface to WAN

This will simplify a lot of things, including NAT configuration.


QoS setup:
Go to Queues > Queue Types tab
Add:
Type Name: <anything you like>
Kind: cake -or- fq-codel

Go to Queue Tree tab
Add:
Name: Download-500M
Parent: bridge
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 500M

Add:
Name: Upload-200M
Parent: <pppoe interface>
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 200M

That's all.

Now you need to compare your bufferbloat with both rules enabled and disabled.
If the latency is poorer with the rules enabled, it means your CPU is not powerful enough. To verify if it is CPU problem, lower the download speed to something like 100M and upload speed to 50M.

I tried pcq but the result is not as good as fq-codel and cake.
Keep in mind RouterOS doesn't use DPDK or any form of ASIC for QoS hence performance seriously sucks donkey ball.

You must also remember QoS works by forcing packet to buffer so they can be selectively discarded. The more headroom you reserve (hence lower throughput) the better they perform.
You cannot try to tune for max throughput while still having low queuing delay. By doing that, you actually lower the chance that it will perform accordingly.

Example with arbitrary value:
By adhering to 500M max limit, the chance of it working according to spec might be 90%.
However if you increase it to 550M just to get more throughput, the chance of it working according to spec might drop to 50%.

Ok. Strange that few of the articles and videos mention this step even though it looks quite helpful.

To test, the website is that waveform one right?

I've read that lowering the max limit to -10% of the full limit of my internet package speed would be a good place to start, is that true?
So for example mine is 500, I should start at 450.

Also fq-codel seems to use less CPU, so I will try that one first and see.

Thanks again and appreciate all the help.

This post has been edited by blackbox14: Aug 3 2025, 11:34 AM

Mikrotik keep doing things differently with different version of RouterOS. If I remember correctly the most recent one they default to using Interface List by default to configure NAT.
I know simply because I netinstall my router to due misbehaving switch chip.
There are other reason why people don't write it as well. They might not know about it. They might not use it even if they know about it. Their setup might be tiny so they never have to think about ease of changing things down the road, etc.

Imagine you have a few NAT rules and configured a massive list of firewall rules. One day you need to swap some port, or add in a 5G modem as backup. Suddenly you have to redo every single NAT and firewall rules.
With Interface List, you just need to annotate your new 5G modem and you do not even need to retest all the firewall rules.
Changing rules manually is error prone.

Yes I test with Waveform.

If you use TM Unifi, they already put in 10% extra for you in the line profile so you do not have to do that.

Real world performance differs. If your CPU is powerful enough to QoS a lot of connections, cake will give you better bufferbloat score because internally it is actually HQoS and has a built-in pacing mechanism. Test it to find out.

You can also try just QoS your upload only. Test it and see if your download latency is acceptable. This will save you CPU power because you only need to QoS a much slower upload speed.

I think I made a mistake in my previous post. 500M package is 100M upload only. Adjust accordingly.

If I add a static route coming from the ONU to MikroTik don't I have to allow the address of the ONU in the firewall since all packets not coming from WAN is dropped unless specified?

I'm trying to set up a FreePBX trunk with the VOIP.. so far I tried to forward the VLAN400 to my FreePBX instance but that obviously did not work


Is this srcnat rule still required with your current setup?

Forwarding VLAN 400 no longer works because TM no longer tag it.
No, the NAT rule is no longer required because we are doing pure routing.
Technically when you add a static route to both the ONU and your Mikrotik, it is not on WAN Interface List, unless you annotate it that way. If so, then you need to adjust your firewall rules accordingly.
The reason is your PPPoE is the WAN link. But the native VLAN of the port itself is not a WAN link.

I have since updated my static route setting by not specifying the default gateway. Reason is I noticed they do change and render the route invalid. Specifying the interface is enough for it to work. Also note my route for Wireguard.

I understand what you mean by not being on the WAN interface and to change the config if it is. i.e. remove eth 1 as being on the WAN, set the PPPoE as the only WAN.

sorry a bit more question:
1. since it's no longer a tagged VLAN that means VOIP is untagged coming out of the eth port from the ONU? But without DHCP and hence we need to manually set up the ip address on the mikrotik?
2. what would the config be on the mikrotik? Does it need to be connected to the bridge? Do I assign an address to the eth port? I think I am now a bit more confused thinking about it.

Received my hAP AX2 earlier. First impression: the router is smaller than I expected it to be.

Unfortunately, I won't be able to install it as the main router until my family members aren't home for a day. They will always be using the internet if at home, even downloading while they sleep.

In the meantime, to test if the ports and WiFi are functioning, I have set it up as an access point, replacing the TP-Link Archer C7 running OpenWRT in my room. I finally realized that my Archer C7 AP was capping my wired internet speed to about 300Mbps (before this suspected the main router or cable issue), while the hAP AX2 as an AP allows me to use the full 500Mbps...

Anyway, waiting for the opportunity to be able to set hAP AX2 up as the main router. Then I will reset configuration on it and do it properly.



This is what I plan to do. Just hope that the Archer C9 will cooperate in Access Point Mode.

This post has been edited by blackbox14: Aug 7 2025, 02:24 AM

Yes eth1 is no longer in the WAN Interface List, only PPPoE. You need to make sure all your firewall and NAT rules are using "Interface List" instead of "Interface" or else you will break your network. I suggest taking a backup before making any changes.

Question 1:
Yes VOIP is untagged and come out from the native VLAN of eth1 from the ONU.
Yes you set the static IP address of eth1 in IPv4 > Addresses.
If you follow my screenshot, that would be 192.168.1.10

Question 2:
First you must configure static route in your ONU per my screenshot. The Network Address you use for your "VOIP Interface" is from your ONU VOIP configuration. Those are derived from your Primary and Secondary Outbound Proxy Server.

Example:
Primary: 10.225.15.220
Secondary: 10.225.17.220

Your Network address will be 10.255.0.0

For "Interior", you can follow mine if you didn't change your Mikrotik default subnet. Else just adjust accordingly.
No, do not connect it to your bridge. They will be L3 routed instead of L2 bridged.

Mikrotik config:
IP > Addresses
Add new:
Interface: eth1
Address: 192.168.1.10/24
Network: 192.168.1.0

IP > Routes
Add new:
Dst Address: 10.225.0.0/16
Gateway: 192.168.1.1

IP > Firewall > NAT
Disable your NAT rule for ONU


Validate your configuration:
Open the command prompt or shell.
Traceroute to your primary outbound proxy.
If you do it right then you should see your Mikrotik in 1st hop, ONU in 2nd hop. The rest of the hop are the VOIP VRF.

Example:

A bit of background about TM's VLAN and VRF inside the ONU

Here is just to help people understand better the why and how towards making VOIP work externally.

TM have multiple VLAN: 209, 400, 500, 600.

I will just focus on 209 and 400 since they are using VRF inside the ONU.
In Layer 2 network, isolation is done using VLAN, which many people are familiar.
In Layer 3 network, isolation is done using Virtual Routing and Forwarding Table (VRF).

In VLAN 209, it is terminated inside the ONU with the ACS VRF.
In VLAN 400, it is the VOIP VRF.

What happen then is this:
All VOIP traffic will use the VOIP VRF. Meaning they can use / route to the exact same 10.0.0.0/8 address.
The same goes for ACS VRF.

Since TM no longer tag VLAN 400 out of port 1, there is no way you can access it from your Mikrotik or any other router. The VLAN just terminate inside the ONU.

To workaround this, we use the routing function of the ONU to do what is called a "route leak" or VRF Lite.
You can see that we are adding the /16 of the Primary and Secondary Outbound Proxy inside the ONU routing table, and tag it to the VOIP VRF.
This /16 is small enough to not cause problem but big enough to reach the call server.
We then wire up the routing table into the Mikrotik and effectively done a VRF Route Leak

mikrotik RB5009 is very capable router to run for hotel, or medium size office. but since mikrotik website only say its a great for merely heavy-duty homelab use, would you still use it for enterprise clients?

I mean since mikrotik not officially tell it for enterprise use.

Maybe you want to list down some of the features you are looking for?
How you intent to connect guest or staff?
How many rooms your hotel has? If it's like Genting First World then I honestly don't think it's going to work.
What's your uplink speed? To how many telco?

Generally I think hotel usage is bursty in the evening, unless you also got conference hall and do event.

It's a small hotel, with expected guest device capacity can fit in one /24 subnet at a time. And their hall, well more like seminar room. you get the idea. Config wise maybe 3 or 4 VLANs and QoS on traffic shaping and priority on VoIP, blocking certain ports and websites. Overall, I know RB5009 can handle.

what I'm asking for if you're in networking business, do you use consumer-grade or in this case prosumer-grade for enterprise environment knowing well it can do the job just as good? Because I heard some people insist on using enterprise grade no matter what.

I can instead choose CCR2004-16G-2S which is proper enterprise grade but seems waste of money.

If you know rb5009 fits your need then just go and get it.
The ONU you will be using isn't any prosumer or enterprise grade either.
Buy another one for spare if you are really that concerned. That spare unit can be your lab unit while unused.
Nothing beats an actual spare part.

Sorry, just want to confirm something after these steps: the default configuration for the hAP AX2 includes a DHCP Client set up. Do I need to disable the DHCP Client since the PPPoE Client is what we use for Unifi?

You can just delete the DHCP Client on the "Internet" port