Better ISP Management

Speaking of payment getaway integration, there is an informative article by [Cleveroad](https://www.cleveroad.com/blog/all-you-need-to-know-about-the-payment-gateway-integration-into-an-app) about that.

Below is a simple scenario of how a basic ISP works and the minimum requirements:  What you need: - A Mikrotik router. - A backbone network that provides Layer 2 connectivity. It consists of cables, switches, wireless point-to-point, fiber, etc... In this setup, the subscribers are connected via 2 switches to **ether2** and **ether3** on the router, and they use PPPoE to authenticate with their unique username and password. # Router Configuration: ## 1. **IP > DHCP Client:** - Create new DHCP Client for **ether1**:  ## 2. **PPP > PPPoE Servers:** - Create PPPoE server for **ether2** and **ether3**:  ## 3. **IP > Routes:** - Verify default route:  ## 4. **IP > DNS:** - Check **Allow Remote Requests**:  ## 5. IP > Pool: - Create IP Pool to be used for pppoe clients:  ## 6. IP > Firewall > NAT: - Add a **masquerade** rule for your IP Pool:  ## 7. PPP > Profiles: - Create a PPP profile. Select your **IP Pool** as remote address. Use **an IP outside the selected pool** for local address:  ## 8. PPP > Secrets: - Create a PPP secret with the previously created profile:  # Client Configuration: - On client router, select PPPoE as the WAN connection and enter the ppp username and password. 

The Local Address serves as **gateway address** on client-side. Since PPP is a one-to-one communication, the local address doesn't have to belong to any range.  The default local address (10.0.0.1) works in most cases and doesn't need to be changed. Here's an example: - **IP Range:** 192.168.100.0/24 - **Local Address:** 10.0.0.1 ### PPPoE connection details:  ### Routes:  ### Conclusion As we can see, the example above with the gateway 10.0.0.1 works despite that it does not belong to the same range.

Our previous default config created 4 IP pools. For a simpler management experience, we have narrowed the default IP pools config to just two: online-pool and offline-pool. If you happen to have 4 IP pools, no worries. This guide shows you how you can clean the unnecessary pools to simplify your configuration. # Two Steps ## 1. Edit the service plans - Log in as admin and go to Settings > Service Plans:  - Select a service plan:  - Instead of having default-blocked, default-ruleBlocked as separate pools, we will set them all to **default-expired** as displayed in the screenshot below:  **Repeat the steps for ALL your service plans.** ## 2. Delete the unused pools After that you have edited the IP pools section of all your service plans. - Go to Settings > IP Pools  - Now we can delete **default-blocked** and **default-ruleBlocked** as shown in the screenshot below:  ## Optional: Rename the expired pool to **offline-pool** - Select **default-expired** and click the edit button:  - Rename it to **offline-pool** and click Save Changes:  Congratulations, you have cleaned up the unnecessary IP pools for a simpler management experience.

Thanks for the explanation. I had an issue that was all my customers was masquerade behind the WAN IP of the router for all outbound traffic and not the WAN IP normaly assigned by Zima. I had to create a scrnat rules before the NAT rule to get back in the correct way. Now I disabled it and through zima disable NAT also and everything woks fine. Thanks Best Regards

The Online pool has the option of NAT. If selected it takes care of updating the router with a masquerade rule that gives internet access for the online pool. If not selected, it will not be updated. Let us know if this was clear, and of you got any other questions.

Thanks for your answer. But before to remove it, I would like to understand the purpose/role of this rules ? Thanks Best Regards

Yes, in order to remove it: Go to /settings/IP Pools choose the active pool and edit it. Unselect the NAT option then save. Now this rule will not be synchronized to your router. Let us know if this answered your question.

Hi there, I have a question about a firewall rules on a Mikrotik that is created automatically by zima :slight_smile: Chain : scrnat src address : xxx.xxx.xxx.xxx/24 ( the subnet of pppoe IP we assign to our customer) Action : masquerade Does it comes from zima cause when I try to delete it it comes automatically within 1 min ? What is it made for ? Thanks for your help Best Regards

As a general rule, to protect your router from attacks, you simply need to block all the services that you are are not currently using. Here are the steps: ### 1. Go to **IP > Services**:  ### 2. Disable any services that you are not using:  ### 3. API service config For the API section, you can block all access except for the local Zima VPN range so that Zima can still access the API safely. Here's how: Edit API service field Available From: 10.214.0.0/16 as shown in the screenshot below:  Congrats, you are done. Now your router is safe from unsolicited access and attacks.