Blocking PPPoE Discovery on BRIDGE with vlan-filtering on

Hi All,

Good day, today I have a few hours to spare to lab PPPoE over a VLAN range. It works fine and is very neat, with just one problem: I can’t filter any src mac address to block/filter the PPPoE discovery mac protocol, because I can’t see any packet in the bridge called “PPPoE”. I don’t think this is a bug, most likely a misconfiguration on my part. If this were a normal bridge configuration I’m pretty sure it would work.

p.s

The reason I configured it this way is because I want to enable hardware offload using a vlan-aware bridge. I can do a multitude of permutations to achieve what I want, but that’s not the point here today :slight_smile:

# 2025-06-05 01:57:06 by RouterOS 7.19beta8
# system id = I+xjXCcogAI
#
/interface bridge
add admin-mac=0C:4F:1A:10:00:01 auto-mac=no name=PPPoE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] disable-running-check=no
set [ find default-name=ether11 ] disable-running-check=no
set [ find default-name=ether12 ] disable-running-check=no
/interface vlan
add interface=PPPoE name=VLAN13 vlan-id=13
/ip pool
add name=POOL ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool1 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN13 name=dhcp1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.10.1 name=10MB remote-address=POOL use-ipv6=no
/interface bridge port
add bridge=PPPoE interface=ether2
/interface bridge vlan
add bridge=PPPoE tagged=PPPoE,ether2 vlan-ids=11,12
add bridge=PPPoE tagged=PPPoE,ether2 vlan-ids=13
/interface pppoe-server server
add disabled=no interface=PPPoE pppoe-over-vlan-range=11-12 service-name=BRAS
/ip address
add address=10.10.10.2/30 interface=ether1 network=10.10.10.0
add address=192.168.13.1/24 interface=VLAN13 network=192.168.13.0
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=8.8.8.8 gateway=192.168.13.1
/ppp secret
add name=1TEST profile=10MB service=pppoe
add name=2TEST profile=10MB service=pppoe
/system identity
set name=BRAS
/tool romon
set enabled=yes


I’m just thinking the bridge filter works only on untagged packets inside the bridge, with vlan-filtering not set to yes.

p.s. I also tried this on a live CCR2116 with the same configuration, with or without hardware offload, but it doesn’t work either :slight_smile:

EDIT: @MT could you please confirm if this is a misconfiguration / limitation, or better yet give me some documentation on how this will ever work, thanks

Mostly right. There is no “inner” mac-protocol=, which is why it doesn’t work. The mac-protocol= (i.e. ether-type) is “vlan”, not “ip” or “pppoe-discovery”. The bridge filter has no way to inspect any further, so it cannot match on pppoe, since packets with vlan-filtering=yes will always be mac-protocol=vlan.

e.g. with PPPoE discovery, the ether-type, to the bridge, is 0x8100 (vlan)… even though the same packet contains the 0x8863 pppoe discovery ethertype, there is no matcher for the “inner-mac-protocol” within the vlan packets (and all packets are vlan tagged when vlan-filtering=yes).

Now whether there is some trick with the bridge filter or firewall to work around this, IDK off the top of my head… maybe someone else has more practical advice there.

Thanks ammo for the wonderful explanation, it makes sense. I wish MT could somehow do something on this use case, or at least make some clarity in the docs that this is the limitation. I can’t imagine deploying a PPPoE server with this caveat :slight_smile:

But now that I look at this again you might want to try:

/interface/bridge/filter/add mac-protocol=vlan vlan-encap=pppoe-discovery  ...

I forgot there is the vlan-encap= that might work — since you want to match on the inner ether-type, not IP headers. But it is the VLAN with IP matchers that I know doesn’t work… but pppoe-discovery I hadn’t thought about.

Wow, will try this later and report what I find, and thanks a lot for helping

@ammo

Yes it works, I thought at first it didn’t work :slight_smile:

[admin@BRAS] > /interface/bridge/filter/add mac-protocol=vlan vlan-encap=pppoe-discovery chain=input action=drop src-mac-address=0C:B2:BE:6D:00:03