Is there a way to have a CRS switch (that’s being used as a building delivery switch) that won’t pass traffic if a client incorrectly plugs their router’s LAN port into their feed line?
Care to explain a bit more what you are trying to accomplish?
I work for a WISP and I get a bunch of service calls for people plugging in their delivery line (CAT5e from the CRS) into their LAN ports vs the WAN port and telling me it works when I show up. I swap the cables back, but it’s kinda annoying that it works at all; it would be great if I could prevent this from working.
Various options:
If you are providing their WAN address using DHCP, use DHCP option 82 insertion and limit each port to a single lease (you can’t use the MikroTik DHCP server for this).
Use 802.1x MAC auth, requires a RADIUS server and restricts them to only connecting devices which are known, e.g. if they have to use your router.
Use PPPoE, unless the router authenticates with provided credentials they don’t get any internet access.
The other issue is if their incorrectly connected router is running a DHCP server, then other clients may pick up one of their ‘LAN’ addresses rather than the WAN address you provide, leading to all sorts of connectivity issues. For this, various options:
Switch DHCP snooping.
Switch ACL rules / bridge filter.
Switch port isolation / bridge horizon.
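
As an added example (not part of the original posts and not MikroTik code): a sketch of the per-port lease limit from the first option above, as an external DHCP server could enforce it on the option 82 payload (RFC 3046) inserted by the switch. The function and class names, the lease time, and the sample circuit-id/remote-id bytes are assumptions constructed for illustration.

```python
import time

def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build a constructed option 82 payload: sub-option 1 = circuit-id, 2 = remote-id."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id

def parse_option82(data: bytes) -> dict:
    """Parse the option 82 payload into {sub-option code: value}; reject truncated TLVs."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts

class PortLeasePolicy:
    """Allow one active lease per (remote-id, circuit-id), i.e. per switch port."""
    def __init__(self, lease_seconds: int = 3600):
        self.lease_seconds = lease_seconds
        self.leases = {}  # (remote-id, circuit-id) -> (client MAC, expiry time)

    def allow(self, option82: bytes, client_mac: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        try:
            sub = parse_option82(option82)
        except ValueError:
            return False  # malformed option: refuse rather than guess the port
        if 1 not in sub:
            return False  # no circuit-id, so the request cannot be tied to a port
        key = (sub.get(2, b""), sub[1])
        holder = self.leases.get(key)
        if holder and holder[0] != client_mac and holder[1] > now:
            return False  # port already has a live lease for a different device
        self.leases[key] = (client_mac, now + self.lease_seconds)
        return True

# Constructed sample values, not captured from a real switch.
SWITCH_ID = bytes.fromhex("020000000001")
PORT5 = build_option82(b"ether5", SWITCH_ID)
PORT6 = build_option82(b"ether6", SWITCH_ID)

if __name__ == "__main__":
    policy = PortLeasePolicy()
    print(policy.allow(PORT5, "02:00:00:aa:00:01", now=0))   # customer router WAN
    print(policy.allow(PORT5, "02:00:00:aa:00:02", now=10))  # second device, same port
    print(policy.allow(PORT6, "02:00:00:bb:00:01", now=10))  # different port
```

Requests that arrive without a circuit-id are refused here, which assumes every customer port is behind a switch that inserts option 82.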