MikroTik hEX S — Bell Canada PPPoE Setup Procedure

21 May 2026

Table of contents

Table of contents

MikroTik hEX S Bell Canada PPPoE Setup (VLAN 40) + Safe Backup Strategy

Step-by-step RouterOS v7.21.4 long-term setup for Bell PPPoE on VLAN 40, with backup and RSC recovery best practices before and after changes.

Important Security Note

Do not publish real PPPoE credentials in a public blog post. Replace username/password with placeholders before posting.

Video

Watch the tutorial on YouTube:

Open Video

Quick Environment Details

Date: 2026-05-21

Router: MikroTik hEX S

RouterOS: v7.21.4 (long-term)

LAN Router IP: 192.168.1.254/24

WAN Method: Bell PPPoE over VLAN 40 on SFP1

Network Diagram

Internet (Bell Canada) | [ Bell Modem ] (Bridge Mode) | sfp1 (sfp1-to-internet) | [ VLAN 40: vlan40-bell ] | [ PPPoE: pppoe-bell ] | [ MikroTik hEX S ] LAN: 192.168.1.254/24 | ether1 (ether1-to-pc) | Local Network 192.168.1.0/24

Pre-Change Checklist

  • Confirm current DHCP client, VLAN, PPPoE, NAT, and firewall state.
  • Create backup files before any change: one .backup and one .rsc.
  • Confirm Bell modem is in bridge mode.
  • Use placeholders in documentation: YOUR_BELL_USERNAME and YOUR_BELL_PASSWORD.

Step-by-Step RouterOS Commands

1) Review existing config:

/ip dhcp-client print /ip address print /interface bridge print /interface pppoe-client print /interface vlan print /ip dhcp-server print /ip firewall nat print /ip firewall filter print

2) Remove old DHCP client on WAN (if present):

/ip dhcp-client remove 0

3) Remove incorrect NAT rule (if it points to raw sfp1):

/ip firewall nat remove 0

4) Create VLAN 40 on SFP1:

/interface vlan add name=vlan40-bell vlan-id=40 interface=sfp1-to-internet comment="Bell VLAN 40 on SFP1"

5) Create PPPoE client on VLAN 40:

/interface pppoe-client add name=pppoe-bell interface=vlan40-bell user="YOUR_BELL_USERNAME" password="YOUR_BELL_PASSWORD" profile=default keepalive-timeout=10 add-default-route=yes default-route-distance=1 dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2

6) LAN IP on ether1 (if not already set):

/ip address add address=192.168.1.254/24 interface=ether1-to-pc

7) DHCP pool + server + network:

/ip pool add name=dhcp-pool-lan ranges=192.168.1.1-192.168.1.253 /ip dhcp-server add name=dhcp-lan interface=ether1-to-pc address-pool=dhcp-pool-lan lease-time=30m disabled=no /ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 dns-server=8.8.8.8,8.8.4.4

8) NAT masquerade via PPPoE interface:

/ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-bell comment="Bell PPPoE NAT"

9) Basic firewall rules:

/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related to router" /ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid to router" /ip firewall filter add chain=input in-interface=ether1-to-pc action=accept comment="Allow LAN to router" /ip firewall filter add chain=input in-interface=pppoe-bell action=drop comment="Drop unsolicited WAN to router" /ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established/related forward" /ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid forward" /ip firewall filter add chain=forward in-interface=pppoe-bell out-interface=ether1-to-pc action=drop comment="Drop unsolicited WAN to LAN"

Verification Commands

/interface vlan print /interface pppoe-client print detail /ip address print /ip dhcp-server print /ip dhcp-server network print /ip pool print /ip firewall nat print /ip firewall filter print /interface pppoe-client monitor 0 /ping 8.8.8.8 count=4

Backup and Recovery Plan

  • Create pre-change binary backup: backup-YYYY-MM-DD.backup
  • Create pre-change export: export-YYYY-MM-DD.rsc
  • Create post-change final backup after validation.
  • Download all backup files off-router (never keep only one copy).
  • If binary backup fails, rebuild using .rsc and re-import missing sensitive items.

When to Update and When to Wait

Update when: security fixes apply, critical bugs affect your setup, or required features are needed.

Wait when: no clear benefit exists, the site is remote with weak fallback access, or stability feedback is poor.

Quick Reference

  • PPPoE status: /interface pppoe-client monitor 0
  • Public IP check: /ip address print
  • DHCP leases: /ip dhcp-server lease print
  • NAT rules: /ip firewall nat print
  • Firewall rules: /ip firewall filter print
  • Routing table: /ip route print
  • Logs: /log print
Tags: bell canada mikrotik pppoe sfp |
Categories: MikroTik Fundamentals & Insights
Hani Rahrouh

MikroTik-only network engineer and trainer, helping Canadian businesses design, deploy, and understand MikroTik networks since 2002.

Leave a comment

x Reset

Related Posts

MikroTik RouterOS Update Safety: Backup, RSC Export, and Recovery Plan

15 April 2026

Before updating MikroTik RouterOS, create both a binary backup and an .rsc export to ensure a full recovery path. This guide follows the video timeline and shows what to check before updates, when to update or wait, and how to recover if a backup is corrupted.

Read More

Introduction to MikroTik RouterOS: v6 to v7 Upgrade Tips and Common Mistakes

18 March 2026

RouterOS powers MikroTik hardware, x86 servers, and CHR virtual deployments. This guide explains the key v6-to-v7 changes, how to choose the right architecture/channel/version, and how to upgrade safely with a backup-first workflow. It also highlights common mistakes to avoid, including incorrect package selection, skipped changelog checks, firmware mismatches, and missing wireless packages during manual upgrades.

Read More

Understanding the New MikroTik Website: Hardware, Software, Training & Support Explained

04 February 2026

https://mikrotik.com/aboutus/company

The MikroTik website has been redesigned—and it works very differently than before.
This guide walks you through the new MikroTik website section by section, explaining how to navigate hardware, software, training, distributors, support, and documentation efficiently. It also explains where MikroTik comes from, how RouterOS changed networking, and how MikroTik Canada and Wireless Netware support users across Canada and the US with training, consulting, hardware, and real-world expertise.

Read More

MikroTik RB5009 Series – Compact High-Performance Routing for Real Networks

19 December 2025

The MikroTik RB5009 series is a compact, fanless routing platform designed for high-performance networks. 

With 10G, 2.5G, PoE options, and indoor or outdoor models, it fits studios, offices, ISPs, and field deployments.

Read More

MikroTik hEX vs hEX Refresh (E50UG) – Same Price, Smarter Hardware

15 December 2025

MikroTik refreshed its most popular wired router without changing the price. This post compares the classic hEX (RB750Gr3) with the new hEX Refresh (E50UG), focusing on hardware changes, real performance gains, and which one actually makes sense to deploy today.

Read More

MikroTik hEX S (2025) vs hEX S: Real-World Comparison

05 December 2025

Side-by-side comparison of the legacy MikroTik hEX S and the new hEX S (2025) — CPU, RAM, storage, SFP, PoE, block diagrams, and real test results to help you choose the right router.

Read More