Nowadays lots of ISPs use a separate router for firewall/NAT and for PPPoE users:
they assign the bandwidth limit in the core router, and the distribution router only handles PPPoE without any bandwidth limit.
I would like to know: is there any way to make Zima work with that kind of setup?
Let me make sure I understand the use case correctly:
The proposal is to centralize the shaping in a core router while letting the edge routers handle authentication.
Authentication could be via PPP (or DHCP, it doesn’t really matter), which assigns an IP address to the authenticated connection. That IP is then shaped in the core router.
This is technically feasible, and we could work on implementing it.
Let’s look further into the benefits of this approach:
Configuration simplicity: Instead of configuring shaping rules across multiple routers, everything can be managed centrally in one place.
Reduced risk: Edge routers could be handed over to managers without the concern of misconfiguring core networking rules. Their role would be limited to monitoring bandwidth and connectivity.
However, shaping is resource-intensive. Wouldn’t it be better to distribute the load across multiple routers instead of centralizing it on a single core?
Are there other clear benefits to centralizing shaping in the core?
On another note, I’d like to hear from other ISPs: do you see value in this approach? Would any ISP actually need this?
You said that the ISP adds the PPPoE connection in the router and then distributes it further from the same router. Did I understand you correctly? If yes, I can guide you through it.
This is a dual MikroTik routing setup (sometimes called a distributed role setup) where you separate responsibilities:
- MikroTik #1 (Gateway/Firewall Router):
  - Handles WAN uplinks, NAT, firewall rules, routing, bandwidth queues.
  - Provides the “edge security” of the network.
- MikroTik #2 (PPPoE/Authentication Router):
  - Works as a PPPoE server for user authentication (local database, RADIUS, or an external billing system like FreeRADIUS/daloRadius).
  - Only deals with subscriber management (usernames, passwords, sessions, profiles).
  - Doesn’t need to handle complex firewall rules.
Lots of ISPs use this method to reduce their server CPU load; even I am using this method.
How It Works
- MikroTik #1 connects to ISP uplinks and acts as the main gateway.
  - Default route goes here.
  - Has firewall, NAT, and routing rules.
  - Sends traffic to/from MikroTik #2.
- MikroTik #2 runs the PPPoE server.
  - Clients connect via PPPoE.
  - Authenticates using local secrets or via RADIUS (billing system).
  - Once authenticated, clients’ traffic is routed through MikroTik #1 to the internet.
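As an added example (not configuration from the original post, and not something Zima generates), here is the split described above in RouterOS CLI syntax: MikroTik #2 authenticates PPPoE sessions with a profile that carries no rate-limit, and MikroTik #1 applies the queue to the address that profile hands out. Interface names, the transit link, the pool range, the user name and the limits are assumed values.

```routeros
# ---- MikroTik #2 (distribution / PPPoE router) ----
# Address pool handed to authenticated subscribers (assumed range)
/ip pool add name=pppoe-pool ranges=10.10.0.2-10.10.3.254
# Profile deliberately has NO rate-limit: shaping is not done on this router
/ppp profile add name=pppoe-noshape local-address=10.10.0.1 \
    remote-address=pppoe-pool only-one=yes
# PPPoE server on the subscriber-facing interface (assumed ether2)
/interface pppoe-server server add service-name=isp interface=ether2 \
    default-profile=pppoe-noshape disabled=no
# Example subscriber; a fixed remote-address keeps the core queue target stable
/ppp secret add name=user1 password=CHANGE_ME service=pppoe \
    profile=pppoe-noshape remote-address=10.10.0.25
# Transit link toward MikroTik #1 (assumed 192.168.100.0/30 on ether1)
/ip address add address=192.168.100.2/30 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.1

# ---- MikroTik #1 (core / gateway router) ----
/ip address add address=192.168.100.1/30 interface=ether2
# Return route so subscriber traffic goes back via MikroTik #2
/ip route add dst-address=10.10.0.0/22 gateway=192.168.100.2
# NAT subscribers out of the WAN uplink (assumed ether1)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# Per-subscriber shaping keyed on the IP assigned by MikroTik #2
# (assumed plan: 10M upload / 20M download)
/queue simple add name=user1 target=10.10.0.25/32 max-limit=10M/20M
# Catch-all placed after the per-user queues: any pool address that has no
# queue of its own is still limited rather than left unshaped
/queue simple add name=pool-default target=10.10.0.0/22 max-limit=2M/2M
```

Simple queues are matched in order, so the per-subscriber /32 queue must stay above the /22 catch-all; if the PPPoE router assigns addresses dynamically from the pool, the core router has no stable target, which is exactly the mapping Zima would have to maintain in the proposed setup.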
We can work on that; technically it is possible for Zima to separate shaping in Router1 and authentication in Router2.
From a UX perspective:
We go to Router2, edit
How about a dropdown “Traffic Shaper” that contains all routers.
By default, it is blank, it means that the router will do Auth and Shaping (as it is the case now with all routers).
If the “Traffic shaper” drop down is set on a specific router, then Zima will propagate the shaping config to that router.
This should be enough to instruct Zima about this new setup. Do you agree with this method? Any other considerations?
Sounds good to me.
Can you explain more on this?
Sure. Currently Zima propagates the same config to all routers: Auth, Queues (rate limit + traffic accounting).
What you asked for is the following:
they assign bandwidth limit in core router
distribution router will only handle pppoe without bandwidth limit
So in order to instruct Zima about this config we need a new field called: “Traffic shaper” (It is a dropdown that is empty by default).
Here is how it could be implemented:
Suppose you have 2 routers called:
a/ core_router
b/ distribution_router
Steps:
1/ You select distribution_router >> Edit
2/ You go to the field “Traffic shaper” and assign core_router and you save.
This will instruct Zima that:
distribution_router will only handle authentication of clients routers while core_router will handle traffic shaping.
Does this explanation make the idea clearer for you?
And does it cover your use case, or are there any caveats we should still address?