Hi,
I have switched over to RouterOS from OpenWRT recently and am trying to get to grips with the platform. I have a big problem with dynamic internet detection on the PPPoE interface. I have disabled Detect Internet completely, as far as I can tell, and all interface lists are configured manually. ether1 is assigned as the underlying interface for the PPPoE interface, and ether1 is not part of the bridge either.
interface/detect-internet print
detect-interface-list: none
lan-interface-list: none
wan-interface-list: none
internet-interface-list: none
interface/list/member print
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
1 WAN ether1
2 WAN Plusnet WAN
3 LAN wireguard1
4 LAN sfp-sfpplus1
5 LAN ether2
6 LAN ether3
7 LAN ether4
8 LAN ether5
9 LAN ether6
10 LAN ether7
11 LAN ether8
12 LAN ether9
13 LAN ether10
interface/bridge/port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
;;; defconf
0 H ether3 bridge yes 1 0x80 10 10 none
;;; defconf
1 H ether4 bridge yes 1 0x80 10 10 none
;;; defconf
2 IH ether5 bridge yes 1 0x80 10 10 none
;;; defconf
3 H ether6 bridge yes 1 0x80 10 10 none
;;; defconf
4 H ether7 bridge yes 1 0x80 10 10 none
;;; defconf
5 IH ether8 bridge yes 1 0x80 10 10 none
;;; defconf
6 IH ether9 bridge yes 1 0x80 10 10 none
;;; defconf
7 IH ether10 bridge yes 1 0x80 10 10 none
;;; defconf
8 I sfp-sfpplus1 bridge yes 1 0x80 10 10 none
9 H ether2 bridge yes 1 0x80 10 10 none
But when the PPPoE client connection drops and reconnects (the drops themselves are another problem I am having that did not exist with OpenWRT — same internet provider, no other changes), the PPPoE interface gets categorised into the LAN list, and then of course I am open to attack, with every man and his dog port scanning and trying to brute force credentials over SSH and the web console.
Does anyone know why RouterOS insists on dynamically adding the PPPoE connection to the LAN list even after Detect Internet has been disabled?
Thanks.
anav
May 8, 2024, 11:27am
Without seeing your config, one is only guessing… better to work on facts…
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)
Here you go, full config. The PPPoE interface has already been added to the WAN interface list.
# 2024-05-09 20:39:42 by RouterOS 7.12.1
# software id = WM3G-V9LM
#
# model = RB4011iGS+
#
# Reviewer notes (comment lines only; no configuration statements changed):
# - WAN side is ether1 carrying the PPPoE client "Plusnet WAN"; LAN side is
#   the bridge plus wireguard1. The trust boundary is the LAN/WAN interface
#   list pair, and the input chain admits management traffic only from LAN
#   (the in-interface-list=!LAN drop), so any interface that lands in LAN
#   becomes a management-exposed interface.
# - detect-internet is already set to none for all four lists (see the print
#   above), so the dynamic LAN membership of "Plusnet WAN" is most likely
#   coming from /ppp profile *0 interface-list=LAN; see the note there.
/interface bridge
add admin-mac=DC:2C:6E:3A:87:C8 auto-mac=no comment=defconf name=bridge
/interface wireguard
# Listens on UDP 13231; matched by the input accept rule in the filter below.
add listen-port=13231 mtu=1420 name=wireguard1
/interface pppoe-client
# No profile= is set, so this client uses the default ppp profile (presumably
# the *0 entry under /ppp profile below). That profile's interface-list, not
# the static membership under /interface list member, decides which list the
# interface is dynamically added to each time the session comes up.
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 \
max-mru=1450 max-mtu=1450 mrru=1580 name="Plusnet WAN" user=*****
/interface list
# NOTE(review): include=static on WAN and exclude=static on LAN are not the
# defconf values. If "static" is the built-in list of all static interfaces,
# the effective membership of WAN and LAN can differ from the explicit
# members listed under /interface list member; confirm with
# /interface list print and the firewall rule counters, and consider removing
# the include/exclude once the ppp profile below is corrected.
add comment=defconf include=static name=WAN
add comment=defconf exclude=static name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.64.11-192.168.64.254
/ip dhcp-server
# Served on the bridge; note that the 192.168.64.1 gateway/DNS address is
# assigned to ether2 further down, not to the bridge (see note there).
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# NOTE(review): interface-list on a ppp profile places every connection that
# uses the profile into that list once it is established. The pppoe-client
# above has no explicit profile and so presumably uses this one, which would
# explain why "Plusnet WAN" appears in LAN on every reconnect and the
# "drop all not coming from LAN" input rule stops protecting the router.
# Defensive fix: set interface-list=WAN here, or create a dedicated profile
# with interface-list=WAN for the PPPoE client and keep LAN only for profiles
# used by inbound PPP-type servers.
set *0 interface-list=LAN use-compression=no
/system logging action
set 1 disk-lines-per-file=10000
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
# Added outside defconf: ether2 is a bridge port here, yet it also carries
# the LAN IP address under /ip address below.
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
# LAN-scoped; inherits the same exposure as management if a WAN interface
# is ever placed in LAN.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# Static memberships only. "Plusnet WAN" is a static WAN member here; the
# dynamic LAN entry the poster sees is added on top of this by the ppp
# profile, so this block alone does not prevent it.
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface="Plusnet WAN" list=WAN
add interface=wireguard1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
/interface ovpn-server server
# No enabled=yes is exported, so the OVPN server appears to be off. md5 is a
# weak HMAC choice; trim this to sha1 or stronger if the server is ever
# enabled.
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.32.2/32 interface=wireguard1 \
persistent-keepalive=15s public-key=****
/ip address
# NOTE(review): defconf puts this address on the bridge; here it sits on
# ether2, which is also a bridge port above. RouterOS normally marks an
# address on a bridge slave port as invalid -- check /ip address print and
# move it to interface=bridge if that is the case.
add address=192.168.64.1/24 comment=defconf interface=ether2 network=\
192.168.64.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-client
# Disabled: ether1 only carries the PPPoE session.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.64.254 client-id=1:74:83:c2:c3:7e:6e mac-address=\
74:83:C2:C3:7E:6E server=dhcp1
add address=192.168.64.226 client-id=1:b8:27:eb:b8:66:f2 mac-address=\
B8:27:EB:B8:66:F2 server=dhcp1
add address=192.168.64.225 client-id=\
ff:99:e6:38:91:0:2:0:0:ab:11:86:a1:e1:3f:75:70:50:b9 mac-address=\
AE:5F:6B:EB:81:34 server=dhcp1
/ip dhcp-server network
add address=192.168.64.0/24 dns-server=192.168.64.1 gateway=192.168.64.1 \
ntp-server=192.168.64.1
/ip dns
# allow-remote-requests=yes answers DNS on every interface; only the input
# chain keeps it off the WAN, so the router becomes an open resolver
# whenever the PPPoE interface lands in LAN.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
/ip firewall address-list
add address=222.138.178.106 list=block
add address=149.56.246.81 list=block
add address=141.98.7.232 list=block
/ip firewall filter
# disabled=yes: the "block" address list above is not actually enforced.
add action=drop chain=input disabled=yes src-address-list=block
# The four dst-address drops and the src-address drop that follow are all
# disabled as well.
add action=drop chain=forward disabled=yes dst-address=76.223.14.162
add action=drop chain=forward disabled=yes dst-address=13.248.140.163
add action=drop chain=forward disabled=yes dst-address=75.2.18.146
add action=drop chain=forward disabled=yes dst-address=52.112.120.235
add action=drop chain=forward disabled=yes src-address=192.168.64.43
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard endpoint, placed before the LAN-only drop so peers can reach it
# from the WAN; WireGuard itself authenticates the peer.
add action=accept chain=input dst-port=13231 protocol=udp
# This is the only rule keeping SSH, WinBox, WWW and the API off the WAN
# (only telnet and ftp are disabled under /ip service). Consider also
# restricting /ip service with address= to the LAN and WireGuard subnets so
# a mis-listed interface does not expose management by itself.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Accepts forward traffic entering from the bridge. The empty
# connection-nat-state/connection-state matchers presumably mean
# "not matched on"; confirm they exported as intended.
add action=accept chain=forward connection-nat-state="" connection-state="" \
in-interface=bridge
# Relies on the WAN list; "Plusnet WAN" is a static WAN member, so this
# rule is not affected by the dynamic LAN membership.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
# Only telnet and ftp are exported as disabled; the remaining services are
# presumably at their defaults and depend on the input chain above.
set telnet disabled=yes
set ftp disabled=yes
/ip traffic-flow
set enabled=yes interfaces="Plusnet WAN"
/ip traffic-flow target
add dst-address=192.168.64.5
/radius
add address=192.168.64.253 service=dot1x
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/London
/system identity
set name=gw
/system logging
add topics=radius
# Disk-logged pppoe topic: the place to look when diagnosing the reconnects.
add action=disk topics=pppoe
/system note
set show-at-login=no
/system ntp server
set enabled=yes
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
# MAC-level access is LAN-scoped as well, so it shares the exposure of the
# LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN