Flat Topology / Broadcasts leak to WAN (PPPoE)

Hi,

I am thinking about the following situation.

In a flat topology (no VLANs, a simple home network), will LAN broadcasts (and multicasts/unknown unicasts) “leak” to the WAN if the client is connected via PPPoE?
I think they will, because the regular PPPoE/PADI is an L2 broadcast too and will/must reach the ISP AC.

My question: is this a security concern if my assumption is true? I think these L2 broadcasts (besides the wanted PPPoE stuff) will arrive at an ISP device?

If your physical WAN interface (e.g. ether1) is part of the LAN bridge for some reason, then yes, LAN broadcasts will egress through that bridge port. If by saying “PPPoE client” you mean that the client is running on a 3rd-party device on the LAN side, then this is indeed the case … and you have to make the RB work in “bridge mode”.

If the physical WAN interface is not part of the LAN bridge and thus doesn’t belong to the same L2 domain, then LAN broadcasts should not be leaking towards the WAN.

Unless you try to run some multicast helper (mDNS or some such) which is there expressly to break L2 barriers in the first place.

hi

If this is the topology/setup…
29-12-2022_MTforum_topic192025_01.png
then there will be no broadcast forwarding to WAN (1), naturally.

Neither will PPPoE work (because that requires L2 transparency ... at least as far as PPPoE L2 protocols go).

MikroTik - Teaching Networking 101 classes since 1996, except IPv6.

I meant a topology like this; the router (PPPoE client) is not in the same room as the DSL modem:

Zeichnung1.jpg
VLAN2 = the “home-network”

Will Layer 2 broadcasts “leak” via the modem to the ISP? Remember, these broadcasts are normal stuff (like ARP…) without a PPP header. I think they will reach the ISP but get discarded because they have no PPPoE header??

If you configure VLANs properly and with all the security properties enabled (frame-types and ingress filtering), then the LAN will be isolated from VLAN2 (kind of WAN). That’s particularly important on VLAN-SWy, which is the border device of your network. But all devices have to be configured properly (VLAN-SWx, router); any of them could “bleed” traffic across (V)LAN boundaries.

So LAN broadcasts should not bleed towards ISP modem.

And, BTW, having VLANs … your topology is far from “flat”, so the title of this thread misleads us :wink:

You missed this part :slight_smile: :

VLAN2 = the “home-network”

VLAN2 is not a special “WAN-transfer-VLAN”. Everything is in this VLAN: printer, PCs, laptops… and the DSL modem.

Your opening post says:

In a flat topology (no VLANs

So I still think you misled us.

In this case yes, LAN broadcasts will reach the ISP modem … because the ISP modem is part of your LAN. There are no ifs or ors or buts.

Whether your LAN is reachable from internet … you’re at your ISP’s mercy I’m afraid.

When I had this issue (I wanted to switch the ISP device to bridge mode and still use it as a switch for the LAN), I had to use ACL rules on that device to prevent anything other than pppoe and pppoe-discovery frames from being forwarded between the WAN port and the rest. Of course not every ISP device allows that. If you don’t need to use the ISP device as a switch, you can do the same L2 filtering at the switch connected to it.

Why set the ISP CPE to bridge mode and still use it as a switch for your LAN? This goes against most (if not all) best practices.

From a technical perspective it doesn’t matter, a VLAN or a LAN. Both are single Layer 2 broadcast domains. But you are right, my drawing is misleading in this way (a bit :wink: )


@sindy, that’s exactly the point! :folded_hands::folded_hands: From your answer I assume L2 broadcasts are being forwarded to the WAN without filtering? Unfortunately my DSL modem doesn’t allow me to do a PCAP capture of what’s going out the WAN port.

The modem is in the same network/L2 domain as the PPPoE client. So I assume every (regular) broadcast is going out to the ISP (but without a PPPoE header). I assume further it gets discarded, because there is no PPPoE header. But coming to the point: in such a setting, do Layer 2 broadcasts leak out to the WAN?

Introduce a new VLAN for WAN transport.
That should be the cleanest way, and you would not need to worry about any BC/MC “leaking” to your ISP.
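As an added example (not code from any post in this thread, nor MikroTik's own), here is how the dedicated WAN-transport VLAN suggested just above, the frame-types/ingress-filtering properties mentioned earlier, and the L2 filter that passes only PPPoE discovery and session frames towards the modem port could be expressed on a RouterOS v7 router. The interface names (ether2, ether5), VLAN IDs (10 for the home LAN, 2 for WAN transport), the LAN address and the PPPoE credentials are assumptions.

```routeros
# Added example for a RouterOS v7 router; names, VLAN IDs, address and
# credentials are assumptions.
# ether2 = home LAN (VLAN 10), ether5 = cable towards the DSL modem (VLAN 2).
/interface bridge
add name=bridge1 vlan-filtering=yes

# Access ports: each port carries exactly one untagged VLAN, rejects tagged
# frames (frame-types) and frames for VLANs it is not a member of
# (ingress-filtering).
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=2 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: the bridge itself is a tagged member so the router can own an
# interface in each VLAN; the modem port is only ever a member of VLAN 2.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=2 tagged=bridge1 untagged=ether5

/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan2-wan interface=bridge1 vlan-id=2

/ip address
add address=192.168.10.1/24 interface=vlan10-lan

# The PPPoE client runs on the transport VLAN only; no IP address lives there,
# so nothing on the router ARPs towards the modem.
/interface pppoe-client
add name=pppoe-out1 interface=vlan2-wan user=isp-user password=isp-secret \
    add-default-route=yes use-peer-dns=yes disabled=no

# Belt and braces: even if a port is later mis-assigned to VLAN 2, only PPPoE
# discovery (EtherType 0x8863) and session (0x8864) frames may be bridged
# towards the modem port; everything else (ARP, IP, mDNS, ...) is dropped.
/interface bridge filter
add chain=forward out-interface=ether5 mac-protocol=pppoe-discovery action=accept
add chain=forward out-interface=ether5 mac-protocol=pppoe action=accept
add chain=forward out-interface=ether5 action=drop
```

The packet counter on the final drop rule (`/interface bridge filter print stats`) is the check this thread is asking for: if it ever increments, something other than PPPoE was heading for the modem port. Two caveats: bridge filter rules are processed by the CPU and on switch-chip devices can disable hardware offloading for the bridge, so keep them only where they earn their place; and this only covers the router itself. Any switches between the router and the modem (VLAN-SWx/VLAN-SWy in the drawing) need the equivalent VLAN membership and ingress filtering, as the earlier reply already notes.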

What the ISP modem does to Ethernet broadcast frames is anybody’s guess. But usually PPPoE is terminated on some core node and the CPE doesn’t filter anything in bridge mode. Why should it, somebody put it in friggin’ bridge mode (as in: bridge with multiple ports).
I can only agree with @spippan that using ISP’s device in bridge mode as part of LAN is against every good practice. If you trust your ISP so much, why do you bother with your own router, surely ISP’s CPE can terminate PPPoE for you?

Hard to say, it mostly depends on how exactly the bridge mode of the particular ISP device works. Those I have seen kept communicating on the LAN IP address even after switching to bridge mode, which kind of makes sense (otherwise the only way out of bridge mode would be through a reset to defaults), so it is quite possible that they actually only bridge pppoe and pppoe-discovery traffic (no matter whether broadcast or unicast) even without any extra measures. But like you, I did not have a possibility to sniff on the WAN interface, so I decided to use the ACL anyway - better safe than sorry.

I’ve got a plan to test that on an ISP device that has an Ethernet WAN (rather than DSL), so external sniffing is possible, but it’s not high on my ToDo list, and the result will only be valid for that particular model of ISP device or for that manufacturer (Zyxel in this case) at the best.

I’m still waiting for someone to create an SDR application that will allow to sniff on a DSL line :slight_smile: