I’m trying to build a firewall rule to block EVERYTHING except PPPoE traffic on an interface.
I know I can do this using a Bridge Filter rule as there is a MAC-Protocol-Num option, but I don’t see this option available in the Firewall->Filter or Firewall->Raw rules, and this interface is not in a bridge.
Is there no MAC-Protocol-Num option in firewall or am I missing something?
The point is so that nothing comes into or out of my router except PPPoE traffic. No MNDP/LLDP/CDP, no STP, no ARP, no OSPF, no RIP… need I go on?
My ISP is an all-bridged WISP, I plugged my “WAN-side” interface into their CPE so that interface is part of the whole WISP’s L2. I know it’s their responsibility to secure their network, but I can do my part by not accidentally flooding their entire L2 with STP PRIO=0.
Also, besides my use-case, an ISP using MT as their PPPoE Access Concentrator (AC) would have that AC on the same L2 as all their customers. They would want to ensure customers can only reach that AC with PPPoE and not try to port-scan, ping-flood, or try to DoS the AC using MNDP/LLDP/CDP or STP.
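As an added illustration (not the poster's own configuration), the bridge-filter approach mentioned in the question can be applied to a single physical interface by placing that one interface in a dedicated bridge and running the PPPoE client on the bridge. The interface name `ether1`, the bridge name `bridge-wan`, the client name `pppoe-wan` and the credentials are assumed placeholders. PPPoE discovery (EtherType 0x8863) and session (0x8864) frames are matched with the `pppoe-discovery` and `pppoe` values of `mac-protocol`; everything else entering or leaving through that port is dropped at L2, before the IP firewall ever sees it:

```routeros
# Added example, not from the original post. Interface and bridge names are assumed.
# A one-port bridge exists only so that /interface bridge filter can be applied.
/interface bridge
add name=bridge-wan protocol-mode=none comment="WAN-side bridge; STP disabled so no BPDUs are ever sent"
/interface bridge port
add bridge=bridge-wan interface=ether1

# Frames arriving from the WISP L2: allow only PPPoE discovery and session frames.
/interface bridge filter
add chain=input in-interface=ether1 mac-protocol=pppoe-discovery action=accept comment="PADI/PADO/PADR/PADS"
add chain=input in-interface=ether1 mac-protocol=pppoe action=accept comment="PPPoE session"
add chain=input in-interface=ether1 action=drop comment="drop ARP, LLDP/CDP/MNDP, STP, OSPF, RIP, everything else"

# Frames generated by the router towards the WISP L2: same whitelist, same default drop.
add chain=output out-interface=ether1 mac-protocol=pppoe-discovery action=accept
add chain=output out-interface=ether1 mac-protocol=pppoe action=accept
add chain=output out-interface=ether1 action=drop

# The PPPoE client binds to the bridge rather than to ether1 directly (credentials are placeholders).
/interface pppoe-client
add name=pppoe-wan interface=bridge-wan user=USERNAME-PLACEHOLDER password=PASSWORD-PLACEHOLDER add-default-route=yes use-peer-dns=yes disabled=no
```

Verify the whitelist by watching the counters on the two `action=drop` rules (`/interface bridge filter print stats`): with the client connected, the accept rules should count up and the drop rules should catch any stray ARP, discovery or STP frames. As an extra layer, removing `ether1` and `bridge-wan` from the neighbor-discovery interface list keeps the router from generating MNDP/LLDP/CDP on that side in the first place, instead of relying on the output-chain drop to swallow it.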