Avoiding clients to ping my PPPoE server

jackwisp · May 18, 2009, 11:20pm

I’m trying to make more secure my PPPoE server.
I have an installation with some RB411 acting as APs, they connects to the LAN, PPPoE clients connects wiressly trough those APs and end our PPPoE tunnels in the PPPoE Server, as you can see in the following picture.

I’m playing around with chains and some rules to avoid pppoe clients mac telnet/ping my APs/pppoe and some lan servers (before ppp is established). All works well, except that I can’t filter the traffic from ppp clients to the pppoe server after ppp is established, I have no clue to avoid users pinging my pppoe server (no problem with other lan servers that I’m already filtering traffic using the outging chain in pppoe server).
Also It’s hard to me to understand what is “LOCAL ADDRESS” for? (in the ppp profile), I have configured a non-routeable private address and all works well, except that the ppp client can ping and use this ip to connect to the pppoe server, and if I leave this value empty I can’t establish the ppp session (error 629 from my windows).

Thank you for your help.

omega-00 · May 19, 2009, 2:05am

what’s the reason you want to stop them pinging the device for?
Icmp is an invaluable part of network diagnostics imho.

jackwisp · May 19, 2009, 8:36pm

ICMP is not really the problem, but for example, is not very funny for me to leave winbox protocol opened to my ppp clients.

Muqatil · May 20, 2009, 8:09am

limit your winbox access to your management IPs
/ip service winbox set address=10.0.0.0/8
while 10.0.0.0/8 is the range of one of your management IPs.
Customers with the PPP pool 192.168.0.0/24 will be not able to winbox your machine.
You can set the same behaviour for the other services (ssh telnet)

jackwisp · May 26, 2009, 1:02am

any client can configure a 10.x.x.x ip in his computer before lunching the ppp session, it’s bridged.