Firewall for PPPoE scheme

Hi friends,

Since my ISP provides a PPPoE connection type, I want to change the default security scheme on the RB751U-2HnD/5.21 I’m currently using (the default is three generic rules on ether1-gateway, while this interface isn’t an IP interface; it is just transport for PPPoE frames). OK, I want to do the following:

  1. disable everything except PPPoE frames (ethertype 0x8864/0x8863) and ARP frames (ethertype 0x806).
  2. set up a packet filter on the pppoe-out interface.

But I can’t get past the first step:

/interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept in-interface=ether1-gateway mac-protocol=pppoe-discovery
1 chain=input action=accept in-interface=ether1-gateway mac-protocol=pppoe
2 chain=input action=accept in-interface=ether1-gateway mac-protocol=arp
3 chain=input action=drop in-interface=ether1-gateway

And this doesn’t work, since ether1-gateway isn’t a member of bridge-local. I tried two different ways:

a) include ether1-gateway in bridge-local. This breaks the internet connection. Supposedly because bridge-local runs STP, and upon adding ether1-gateway to the bridge it starts sending BPDUs to the ISP port. If I were an ISP, I would have blocked such a port :)
b) create a separate bridge-wan and include ether1-gateway there. This also breaks the internet connection. Supposedly because these are two different bridges?

Could you please suggest how to achieve what I want: block everything on Ethernet except PPPoE frames and ARP?

Thanks!
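The ethertype allowlist described in step 1 of the post, worked through at the frame level as an added example (this is not RouterOS code and not the poster's configuration). It parses the 14-byte Ethernet II header, steps over a single 802.1Q tag so that a tagged non-PPPoE frame is still recognised and dropped, and accepts only PPPoE Discovery (0x8863), PPPoE Session (0x8864) and ARP (0x0806). All sample frames and MAC addresses are constructed for the demonstration.

```python
"""
Frame-level model of "drop everything on the WAN port except PPPoE and ARP".
Added illustration: the frames below are constructed samples, and the policy
mirrors the bridge-filter rules quoted in the post rather than any vendor API.
"""
import struct
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag; the real ethertype follows the tag
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864

# The allowlist from step 1 of the post.
ALLOWED_ETHERTYPES = frozenset(
    {ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION, ETHERTYPE_ARP}
)


def ethertype_of(frame: bytes) -> Optional[int]:
    """Return the payload ethertype of an Ethernet II frame, or None if the
    frame is too short to carry one. One 802.1Q tag is skipped so that a
    VLAN-tagged IPv4 frame is still classified as IPv4 (and therefore dropped)."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


def filter_decision(frame: bytes) -> str:
    """'accept' for allowlisted ethertypes, 'drop' for everything else,
    including malformed or truncated frames (fail closed)."""
    etype = ethertype_of(frame)
    if etype is None:
        return "drop"
    return "accept" if etype in ALLOWED_ETHERTYPES else "drop"


def make_frame(etype: int, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Build a constructed Ethernet II frame (broadcast dst, locally
    administered src), optionally with an 802.1Q tag in front of the ethertype."""
    header = b"\xff" * 6 + bytes.fromhex("02000000ab01")  # constructed MACs
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    header += struct.pack("!H", etype)
    return header + payload


# Constructed PPPoE PADI: ver/type 0x11, code 0x09 (PADI), session 0, one
# empty Service-Name tag (type 0x0101, length 0), per RFC 2516.
PADI_PAYLOAD = bytes([0x11, 0x09]) + struct.pack("!HH", 0x0000, 4) + struct.pack("!HH", 0x0101, 0)
# Constructed PPPoE session frame: code 0x00, session id 1, two-byte PPP protocol field.
SESSION_PAYLOAD = bytes([0x11, 0x00]) + struct.pack("!HH", 0x0001, 2) + b"\xc0\x21"
# Constructed ARP request header: Ethernet/IPv4, opcode 1.
ARP_PAYLOAD = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + b"\x00" * 20

SAMPLE_FRAMES: Dict[str, bytes] = {
    "pppoe-padi": make_frame(ETHERTYPE_PPPOE_DISCOVERY, PADI_PAYLOAD),
    "pppoe-session": make_frame(ETHERTYPE_PPPOE_SESSION, SESSION_PAYLOAD),
    "arp-request": make_frame(ETHERTYPE_ARP, ARP_PAYLOAD),
    "plain-ipv4": make_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    "vlan-tagged-ipv4": make_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=7),
    "truncated": b"\xff" * 6 + b"\x02\x00\x00\x00\xab\x01" + b"\x88",
}


def classify_samples() -> Dict[str, str]:
    """Apply the allowlist to every constructed sample frame."""
    return {name: filter_decision(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        etype = ethertype_of(SAMPLE_FRAMES[name])
        shown = f"0x{etype:04x}" if etype is not None else "n/a"
        print(f"{name:18s} ethertype={shown:6s} -> {decision}")
```

The truncated and VLAN-tagged cases are the ones worth keeping in mind when writing such a rule set: a filter that matches only on the outer ethertype would let a tagged frame through as "0x8100", and a filter that does not fail closed on short frames would accept what it cannot parse.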