I am asking for some advice on securing PtMP connections.
Currently I have firewall rules on all APs that drop client-to-client connections.
Below are the rules I use.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=21 comment="Drop FTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=22 comment="Drop SSH From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=23 comment="Drop Telnet From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=80 comment="Drop HTTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=443 comment="Drop HTTPS From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8291 comment="Drop Winbox From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8728 comment="Drop API From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8729 comment="Drop API-SSL From Clients to Clients"
Now the only issue I have is device discovery.
If I forget to disable default-authenticate one day for some reason, then someone can connect to the AP and, using IP neighbors, they can see the clients with discovery still enabled on the radio.
Then they can use MAC telnet to log into CPEs and cause trouble.
99% of the CPEs have discovery turned off on the WLAN, but some of them enable discovery on all interfaces if you update ROS.
Now the question is: can I somehow block device discovery on my APs? Also, discovery is turned off on all APs' WLANs.
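The following is an added example, not part of the original post, showing the AP-side settings that close the client-to-client discovery and MAC-telnet path at layer 2. The point it illustrates: when a RouterOS AP has default-forwarding=yes, frames between two of its own wireless clients are forwarded inside the wireless driver and never reach the IP firewall, so the forward-chain rules above cannot see MNDP/CDP/LLDP broadcasts or MAC-telnet at all. The interface name wlan1 and the list name mgmt are assumptions, and the interface-list syntax is the RouterOS 6.41+ form (older releases use per-interface /ip neighbor discovery and /tool mac-server entries instead).

```routeros
# Added example (not from the original post). Assumes the AP radio is "wlan1"
# and that a management interface list named "mgmt" is acceptable.

# 1. Stop the AP from relaying frames between its own wireless clients.
#    With default-forwarding=no a CPE cannot reach another CPE through this AP
#    at layer 2 (no MNDP/CDP/LLDP broadcasts, no MAC-telnet), so the per-port
#    IP firewall rules become defence in depth rather than the only barrier.
/interface wireless set [find name="wlan1"] default-forwarding=no

# 2. Only access-list entries may associate; this is the setting the post
#    worries about forgetting, so set it explicitly rather than by default.
/interface wireless set [find name="wlan1"] default-authenticate=no

# 3. Restrict neighbor discovery and the MAC-server on the AP itself to a
#    management-only interface list (use "none" to disable them entirely).
/interface list add name=mgmt comment="management-only interfaces"
/ip neighbor discovery-settings set discover-interface-list=mgmt
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt

# 4. Verify: the radio must show default-forwarding=no and
#    default-authenticate=no, and no neighbor entries should be learned
#    on wlan1 after the change.
/interface wireless print detail where name="wlan1"
/ip neighbor print where interface="wlan1"
```

The same /ip neighbor discovery-settings and /tool mac-server lines applied on each CPE cover the case the post describes where a ROS upgrade re-enables discovery on all interfaces, since an interface list that excludes the WLAN survives the upgrade.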